netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de
Subject: [PATCH nft 1/2,v2] cache: check for NFT_CACHE_REFRESH in current requested cache too
Date: Tue, 28 May 2024 17:28:16 +0200
Message-ID: <20240528152817.856211-1-pablo@netfilter.org>

NFT_CACHE_REFRESH is set unconditionally by ruleset list commands to
deal with stateful information in this ruleset. This flag results in
dropping the existing cache and fully fetching all objects from the
kernel.

Set this flag for reset commands too; this is missing.

List/reset commands allow for filtering by specific family and object,
therefore, NFT_CACHE_REFRESH also signals that the cache is partially
populated.

Check if this flag is requested by the current list/reset command, as
well as cache->flags which represents the cache after the _previous_
list of commands.

A follow-up patch allows recycling the existing cache if the flags
report that the same objects are already available in the cache;
NFT_CACHE_REFRESH is useful to report that the cache cannot be recycled.

Fixes: 407c54f71255 ("src: cache gets out of sync in interactive mode")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: cache filtering, e.g. list table inet test, could result in a partial
    cache that cannot be recycled; use NFT_CACHE_REFRESH to signal that
    the cache cannot be reused.

 src/cache.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index c000e32c497f..e88cbae2ad95 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -297,6 +297,7 @@ static unsigned int evaluate_cache_reset(struct cmd *cmd, unsigned int flags,
 		flags |= NFT_CACHE_TABLE;
 		break;
 	}
+	flags |= NFT_CACHE_REFRESH;
 
 	return flags;
 }
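
Review bot: The new "flags |= NFT_CACHE_REFRESH;" after the switch in evaluate_cache_reset() carries no comment saying why every reset command must force a refresh. The commit message gives the reason (stateful information, and a cache that may be only partially populated because of filtering); a one-line comment above the assignment would keep that rationale next to the code. A blank line between the closing brace of the switch and the assignment would also match the blank line that follows it.
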
@@ -1177,9 +1178,10 @@ static bool nft_cache_is_complete(struct nft_cache *cache, unsigned int flags)
 	return (cache->flags & flags) == flags;
 }
 
-static bool nft_cache_needs_refresh(struct nft_cache *cache)
+static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags)
 {
-	return cache->flags & NFT_CACHE_REFRESH;
+	return (cache->flags & NFT_CACHE_REFRESH) ||
+	       (flags & NFT_CACHE_REFRESH);
 }
 
 static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid)
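
Review bot: In nft_cache_needs_refresh() the new parameter "flags" sits right next to "cache->flags" and nothing in the function says which is which. The commit message explains that cache->flags describes the cache after the previous list of commands while the parameter is what the current command requests; a short comment stating that, or a more telling parameter name, would prevent the two from being mixed up later. Since both operands test the same bit, the body can also be written as "(cache->flags | flags) & NFT_CACHE_REFRESH".
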
@@ -1207,7 +1209,7 @@ int nft_cache_update(struct nft_ctx *nft, unsigned int flags,
 replay:
 	ctx.seqnum = cache->seqnum++;
 	genid = mnl_genid_get(&ctx);
-	if (!nft_cache_needs_refresh(cache) &&
+	if (!nft_cache_needs_refresh(cache, flags) &&
 	    nft_cache_is_complete(cache, flags) &&
 	    nft_cache_is_updated(cache, genid))
 		return 0;
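
Review bot: The early "return 0" in nft_cache_update() is now skipped whenever the requested flags carry NFT_CACHE_REFRESH, which after the first hunk is every reset command, yet the diffstat shows only src/cache.c changing, so nothing exercises this path. Since the Fixes tag points at a cache that gets out of sync in interactive mode, a regression test that issues a reset and then lists the same objects in one session would guard this condition. Note also that the genid and completeness checks are no longer evaluated for these commands, so a comment at the condition stating that a requested refresh always wins would help the next reader.
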
-- 
2.30.2

