From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nftables,v2 0/7] ruleset optimization infrastructure
Date: Sun, 2 Jan 2022 23:14:45 +0100 [thread overview]
Message-ID: <20220102221452.86469-1-pablo@netfilter.org> (raw)
Hi,
This patchset adds a new -o/--optimize option to enable ruleset
optimization. Two types of optimizations are supported in this batch:
* Use a set to compact several rules with the same selector using a set,
for example:
meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.6 accept
into:
meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.6, eth1 . 1.1.1.2 . 2.2.2.5, eth1 . 1.1.1.3 . 2.2.2.6 } accept
* Use a verdict map to compact rules with same selectors but different
verdicts, for example:
ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
into:
ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
Updates since last patch series:
- display information on the rule merges that are proposed, this can be
combined with -c to inspect the proposed ruleset updates.
# nft -c -o -f ruleset.nft
This allows sysadmins to review the proposed optimization without actually
loading the ruleset, in case they prefer to manually edit their rulesets
to apply the proposed optimizations (requested by Arturo).
- tests/py and tests/shell run fine after this new iteration.
- fix error reporting with /dev/stdin, which is a prerequisite for this
series.
- fixes.
Pablo Neira Ayuso (7):
erec: expose print_location() and line_location()
src: error reporting with -f and read from stdin
src: remove '$' in symbol_expr_print
src: add ruleset optimization infrastructure
optimize: merge rules with same selectors into a concatenation
optimize: merge same selector with different verdict into verdict map
optimize: merge several selectors with different verdict into verdict map
doc/nft.txt | 5 +
include/erec.h | 5 +
include/nftables.h | 5 +
include/nftables/libnftables.h | 7 +
include/rule.h | 1 -
src/Makefile.am | 1 +
src/erec.c | 87 ++-
src/expression.c | 33 +-
src/libnftables.c | 109 ++-
src/libnftables.map | 5 +
src/main.c | 9 +-
src/optimize.c | 698 ++++++++++++++++++
src/scanner.l | 2 +-
.../optimizations/dumps/merge_stmts.nft | 5 +
.../dumps/merge_stmts_concat.nft | 5 +
.../dumps/merge_stmts_concat_vmap.nft | 5 +
.../optimizations/dumps/merge_stmts_vmap.nft | 5 +
.../shell/testcases/optimizations/merge_stmts | 13 +
.../optimizations/merge_stmts_concat | 13 +
.../optimizations/merge_stmts_concat_vmap | 13 +
.../testcases/optimizations/merge_stmts_vmap | 12 +
21 files changed, 992 insertions(+), 46 deletions(-)
create mode 100644 src/optimize.c
create mode 100644 tests/shell/testcases/optimizations/dumps/merge_stmts.nft
create mode 100644 tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
create mode 100644 tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft
create mode 100644 tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
create mode 100755 tests/shell/testcases/optimizations/merge_stmts
create mode 100755 tests/shell/testcases/optimizations/merge_stmts_concat
create mode 100755 tests/shell/testcases/optimizations/merge_stmts_concat_vmap
create mode 100755 tests/shell/testcases/optimizations/merge_stmts_vmap
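As an added illustration, not part of this patchset or of nftables: a toy Python version of the two merges the cover letter describes (consecutive rules with the same selectors into an anonymous set, same selectors with different verdicts into a vmap). The recognised selector list and the rule strings are constructed, and it only handles the flat "selector value ... verdict" form shown above; it also refuses to merge when an element would appear twice, since a set or map cannot preserve the first-match order of two rules that overlap.

```python
# Toy ruleset optimizer (added example, not nftables' own src/optimize.c).
VERDICTS = {"accept", "drop"}
# Constructed subset of selector names the toy parser understands.
SELECTORS = ("meta iifname", "ip saddr", "ip daddr", "tcp dport")

def parse_rule(rule):
    """Split a rule into an ordered list of (selector, value) plus its verdict."""
    tokens = rule.split()
    verdict = tokens.pop()
    if verdict not in VERDICTS:
        raise ValueError("unsupported verdict: " + verdict)
    matches, i = [], 0
    while i < len(tokens):
        for sel in SELECTORS:
            n = len(sel.split())
            if " ".join(tokens[i:i + n]) == sel:
                matches.append((sel, tokens[i + n]))
                i += n + 1
                break
        else:
            raise ValueError("unknown selector at: " + " ".join(tokens[i:]))
    return matches, verdict

def optimize(rules):
    """Merge runs of consecutive rules that use the same selector list."""
    parsed = [parse_rule(r) for r in rules]
    out, i = [], 0
    while i < len(parsed):
        keys = tuple(sel for sel, _ in parsed[i][0])
        j = i
        while j < len(parsed) and tuple(s for s, _ in parsed[j][0]) == keys:
            j += 1
        group = parsed[i:j]
        if len(group) == 1:
            out.append(rules[i])            # nothing to merge with
        else:
            lhs = " . ".join(keys)           # concatenated selector
            elems = [" . ".join(v for _, v in m) for m, _ in group]
            if len(set(elems)) != len(elems):
                # Same element twice: rule order decided the verdict, a
                # set/map element cannot, so refuse rather than change semantics.
                raise ValueError("overlapping elements, cannot merge: " + lhs)
            verdicts = {v for _, v in group}
            if len(verdicts) == 1:           # same verdict -> anonymous set
                out.append(f"{lhs} {{ {', '.join(elems)} }} {group[0][1]}")
            else:                            # mixed verdicts -> verdict map
                pairs = [f"{e} : {v}" for e, (_, v) in zip(elems, group)]
                out.append(f"{lhs} vmap {{ {', '.join(pairs)} }}")
        i = j
    return out
```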