* [PATCH nft 1/2] rule: collapse set element commands
@ 2022-06-13 15:37 Pablo Neira Ayuso
2022-06-13 15:37 ` [PATCH nft 2/2] intervals: do not report exact overlaps for new elements Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-06-13 15:37 UTC (permalink / raw)
To: netfilter-devel; +Cc: phil
Robots might generate a long list of singleton element commands such as:
add element t s { 1.0.1.0/24 }
...
add element t s { 1.0.2.0/23 }
Collapse them into one single command, i.e.
add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 }
Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel
elements"), the new interval tracking relies on mergesort. The pattern
above triggers the set sorting for each element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 1 +
src/libnftables.c | 2 ++
src/rule.c | 39 +++++++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/include/rule.h b/include/rule.h
index e232b97afed7..5d7a6da4a5e7 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -728,6 +728,7 @@ extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
const struct handle *h, const struct location *loc,
void *data);
extern void nft_cmd_expand(struct cmd *cmd);
+extern void nft_cmd_collapse(struct list_head *cmds);
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
const struct handle *h,
const struct location *loc, struct obj *obj);
diff --git a/src/libnftables.c b/src/libnftables.c
index 6a22ea093952..48cff3fb0e1f 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -512,6 +512,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
nft_cache_filter_fini(filter);
+ nft_cmd_collapse(cmds);
+
list_for_each_entry_safe(cmd, next, cmds, list) {
struct eval_ctx ectx = {
.nft = nft,
diff --git a/src/rule.c b/src/rule.c
index 7f61bdc1cec9..47a8c24a6b0e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1379,6 +1379,45 @@ void nft_cmd_expand(struct cmd *cmd)
}
}
+void nft_cmd_collapse(struct list_head *cmds)
+{
+ struct cmd *cmd, *next, *elems = NULL;
+
+ list_for_each_entry_safe(cmd, next, cmds, list) {
+ if (cmd->op != CMD_ADD &&
+ cmd->op != CMD_CREATE) {
+ elems = NULL;
+ continue;
+ }
+
+ if (cmd->obj != CMD_OBJ_ELEMENTS) {
+ elems = NULL;
+ continue;
+ }
+
+ if (!elems) {
+ elems = cmd;
+ continue;
+ }
+
+ if (cmd->op != elems->op) {
+ elems = cmd;
+ continue;
+ }
+
+ if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ strcmp(elems->handle.set.name, cmd->handle.set.name)) {
+ elems = cmd;
+ continue;
+ }
+
+ list_splice_init(&cmd->expr->expressions, &elems->expr->expressions);
+ elems->expr->size += cmd->expr->size;
+ list_del(&cmd->list);
+ cmd_free(cmd);
+ }
+}
+
struct markup *markup_alloc(uint32_t format)
{
struct markup *markup;
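Review bot: The merge key in the `strcmp` guard compares only the table and set names, not the family, so `add element` commands aimed at same-named sets in same-named tables of different families (ip and ip6, say) would be spliced into one command and sent to the wrong set; `struct handle` carries a family member, so the guard should read `if (elems->handle.family != cmd->handle.family || strcmp(elems->handle.table.name, cmd->handle.table.name) || strcmp(elems->handle.set.name, cmd->handle.set.name))`. `list_splice_init` also joins the later command's elements at the head of the earlier command's list, so element order across collapsed commands is reversed; if order matters downstream, splice at the tail instead. Freeing `cmd` immediately after moving its elements discards the command (and its location) that a later evaluation or kernel error for those elements would presumably be reported against, so a comment stating that errors are attributed to the first command, or deferring the free until after evaluation, would help. The 16:05 resend of this patch further down the page carries identical code, so the same points apply there.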
--
2.30.2
* [PATCH nft 2/2] intervals: do not report exact overlaps for new elements
2022-06-13 15:37 [PATCH nft 1/2] rule: collapse set element commands Pablo Neira Ayuso
@ 2022-06-13 15:37 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-06-13 15:37 UTC (permalink / raw)
To: netfilter-devel; +Cc: phil
Two new elements that represent an exact overlap should not trigger an error.
add table t
add set t s { type ipv4_addr; flags interval; }
add element t s { 1.0.1.0/24 }
...
add element t s { 1.0.1.0/24 }
result in a bogus error.
# nft -f set.nft
set.nft:1002:19-28: Error: conflicting intervals specified
add element t s { 1.0.1.0/24 }
^^^^^^^^^^
Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/intervals.c | 3 +--
tests/shell/testcases/sets/exact_overlap_0 | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
create mode 100755 tests/shell/testcases/sets/exact_overlap_0
diff --git a/src/intervals.c b/src/intervals.c
index bc414d6c8797..89f5c33d7a6e 100644
--- a/src/intervals.c
+++ b/src/intervals.c
@@ -540,8 +540,7 @@ static int setelem_overlap(struct list_head *msgs, struct set *set,
}
if (mpz_cmp(prev_range.low, range.low) == 0 &&
- mpz_cmp(prev_range.high, range.high) == 0 &&
- (elem->flags & EXPR_F_KERNEL || prev->flags & EXPR_F_KERNEL))
+ mpz_cmp(prev_range.high, range.high) == 0)
goto next;
if (mpz_cmp(prev_range.low, range.low) <= 0 &&
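Review bot: The surviving condition now skips any exact duplicate, whether its twin is already in the kernel or is a second new element of the same batch, but nothing in the hunk says what becomes of the extra copy — it is neither dropped nor merged here, so both copies presumably stay in the list and are left to automerge or to the kernel. A comment on the `goto next` would make that intent explicit: `/* exact duplicate of the previous element: not a conflict, the extra copy is handled later (automerge or kernel) */`. If `create element` is still meant to reject a duplicate, it is worth confirming that the kernel's exclusive-add failure is what reports it now that userspace no longer does. setelem_overlap starts and ends outside the hunk.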
diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
new file mode 100755
index 000000000000..1ce9304a7455
--- /dev/null
+++ b/tests/shell/testcases/sets/exact_overlap_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RULESET="add table t
+add set t s { type ipv4_addr; flags interval; }
+add element t s { 1.0.1.0/24 }
+add element t s { 1.0.2.0/23 }
+add element t s { 1.0.8.0/21 }
+add element t s { 1.0.32.0/19 }
+add element t s { 1.1.0.0/24 }
+add element t s { 1.1.2.0/23 }
+add element t s { 1.1.4.0/22 }
+add element t s { 1.1.8.0/24 }
+add element t s { 1.1.9.0/24 }
+add element t s { 1.1.10.0/23 }
+add element t s { 1.1.12.0/22 }
+add element t s { 1.1.16.0/20 }
+add element t s { 1.1.32.0/19 }
+add element t s { 1.0.1.0/24 }"
+
+$NFT -f - <<< $RULESET || exit 1
+
+$NFT add element t s { 1.0.1.0/24 }
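Review bot: The script only checks that both loads succeed and never inspects the resulting set, so a regression that accepted the duplicate but stored two entries, or silently dropped the element, would still pass. A trailing `$NFT list set t s` compared against the expected single `1.0.1.0/24` entry (or a dump file, if the suite keeps one for this case) would pin the outcome. The final `add element` exercises the new-versus-kernel duplicate, which the removed condition already let through; the repetition of `1.0.1.0/24` on the last RULESET line is the case this patch changes, so a short comment naming that distinction would help the next reader.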
--
2.30.2
* [PATCH nft 1/2] rule: collapse set element commands
@ 2022-06-13 16:05 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-06-13 16:05 UTC (permalink / raw)
To: netfilter-devel; +Cc: phil
Robots might generate a long list of singleton element commands such as:
add element t s { 1.0.1.0/24 }
...
add element t s { 1.0.2.0/23 }
Collapse them into one single command, i.e.
add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 }
Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel
elements"), the new interval tracking relies on mergesort. The pattern
above triggers the set sorting for each element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 1 +
src/libnftables.c | 2 ++
src/rule.c | 39 +++++++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/include/rule.h b/include/rule.h
index e232b97afed7..5d7a6da4a5e7 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -728,6 +728,7 @@ extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
const struct handle *h, const struct location *loc,
void *data);
extern void nft_cmd_expand(struct cmd *cmd);
+extern void nft_cmd_collapse(struct list_head *cmds);
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
const struct handle *h,
const struct location *loc, struct obj *obj);
diff --git a/src/libnftables.c b/src/libnftables.c
index 6a22ea093952..48cff3fb0e1f 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -512,6 +512,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
nft_cache_filter_fini(filter);
+ nft_cmd_collapse(cmds);
+
list_for_each_entry_safe(cmd, next, cmds, list) {
struct eval_ctx ectx = {
.nft = nft,
diff --git a/src/rule.c b/src/rule.c
index 7f61bdc1cec9..47a8c24a6b0e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1379,6 +1379,45 @@ void nft_cmd_expand(struct cmd *cmd)
}
}
+void nft_cmd_collapse(struct list_head *cmds)
+{
+ struct cmd *cmd, *next, *elems = NULL;
+
+ list_for_each_entry_safe(cmd, next, cmds, list) {
+ if (cmd->op != CMD_ADD &&
+ cmd->op != CMD_CREATE) {
+ elems = NULL;
+ continue;
+ }
+
+ if (cmd->obj != CMD_OBJ_ELEMENTS) {
+ elems = NULL;
+ continue;
+ }
+
+ if (!elems) {
+ elems = cmd;
+ continue;
+ }
+
+ if (cmd->op != elems->op) {
+ elems = cmd;
+ continue;
+ }
+
+ if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ strcmp(elems->handle.set.name, cmd->handle.set.name)) {
+ elems = cmd;
+ continue;
+ }
+
+ list_splice_init(&cmd->expr->expressions, &elems->expr->expressions);
+ elems->expr->size += cmd->expr->size;
+ list_del(&cmd->list);
+ cmd_free(cmd);
+ }
+}
+
struct markup *markup_alloc(uint32_t format)
{
struct markup *markup;
--
2.30.2