public inbox for netfilter-devel@vger.kernel.org
* [nft PATCH 0/5] Enhance cache filter for list commands
@ 2026-03-10 23:11 Phil Sutter
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Reducing the amount of data fetched from kernel improves performance
with large rule sets but also reduces adverse side-effects if multiple
versions of nftables access the same kernel rule set. Being able to
ignore parts of the rule set one is not interested in allows for (more or
less) safe coexistence if each tool is operating on the data it created
itself only.

This series reduces caching for list commands which specify a family
and/or table. To help testing this, patch 1 extends netlink debug output
to include chains, flowtables and objects so a test case may check if
they are fetched or not.

The remaining patches actually increase filter use.

Phil Sutter (5):
  cache: Include chains, flowtables and objects in netlink debug output
  cache: Respect family in all list commands
  cache: Relax chain_cache_dump filter application
  cache: Filter for table when listing sets or maps
  cache: Filter for table when listing flowtables

 src/cache.c                                 | 11 ++--
 src/mnl.c                                   | 60 ++++++++++++++++++---
 tests/shell/testcases/listing/cache_filters | 53 ++++++++++++++++++
 3 files changed, 113 insertions(+), 11 deletions(-)
 create mode 100755 tests/shell/testcases/listing/cache_filters

-- 
2.51.0



* [nft PATCH 1/5] cache: Include chains, flowtables and objects in netlink debug output
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

In order to test cache filter effectiveness, netlink debug output is
useful as it shows what is actually received from the kernel and maybe
discarded immediately by user space. Therefore add dump calls for these
rule set elements as well.

While at it, move the netlink_dump_rule() call to an earlier spot,
namely into the nft_mnl_talk() callback to match other netlink dump
calls.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/cache.c |  1 -
 src/mnl.c   | 60 ++++++++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index bb005c10f9990..62eccef991933 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -698,7 +698,6 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data)
 	    (h->chain.name && strcmp(chain, h->chain.name) != 0))
 		return 0;
 
-	netlink_dump_rule(nlr, ctx);
 	rule = netlink_delinearize_rule(ctx, nlr);
 	assert(rule);
 	list_add_tail(&rule->list, &ctx->list);
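Review bot: with netlink_dump_rule() removed here, the table/chain comparison in the context lines above still discards rules, but they are now dumped before that happens (in rule_cb() per the src/mnl.c part of this patch), so --debug=netlink shows every rule the kernel returned rather than only the ones kept. That is the stated goal, but the commit message should say explicitly that debug output for filtered list commands changes meaning, since the cache_filters test in patch 2 relies on exactly this behaviour.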
diff --git a/src/mnl.c b/src/mnl.c
index eb6cb12c6ae21..4893af8322ae6 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -653,9 +653,15 @@ int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd)
  * Rule
  */
 
+struct rule_cb_args {
+	struct netlink_ctx *ctx;
+	struct nftnl_rule_list *list;
+};
+
 static int rule_cb(const struct nlmsghdr *nlh, void *data)
 {
-	struct nftnl_rule_list *nlr_list = data;
+	struct rule_cb_args *args = data;
+	struct nftnl_rule_list *nlr_list = args->list;
 	struct nftnl_rule *r;
 
 	if (check_genid(nlh) < 0)
@@ -668,6 +674,8 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	if (nftnl_rule_nlmsg_parse(nlh, r) < 0)
 		goto err_free;
 
+	netlink_dump_rule(r, args->ctx);
+
 	nftnl_rule_list_add_tail(r, nlr_list);
 	return MNL_CB_OK;
 
@@ -685,6 +693,7 @@ struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, int family,
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nftnl_rule_list *nlr_list;
 	struct nftnl_rule *nlr = NULL;
+	struct rule_cb_args args;
 	struct nlmsghdr *nlh;
 	int msg_type, ret;
 
@@ -716,7 +725,9 @@ struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, int family,
 		nftnl_rule_free(nlr);
 	}
 
-	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, rule_cb, nlr_list);
+	args.list = nlr_list;
+	args.ctx  = ctx;
+	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, rule_cb, &args);
 	if (ret < 0)
 		goto err;
 
@@ -1036,9 +1047,15 @@ int mnl_nft_chain_del(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
+struct chain_cb_args {
+	struct netlink_ctx *ctx;
+	struct nftnl_chain_list *list;
+};
+
 static int chain_cb(const struct nlmsghdr *nlh, void *data)
 {
-	struct nftnl_chain_list *nlc_list = data;
+	struct chain_cb_args *args = data;
+	struct nftnl_chain_list *nlc_list = args->list;
 	struct nftnl_chain *c;
 
 	if (check_genid(nlh) < 0)
@@ -1051,6 +1068,8 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
 	if (nftnl_chain_nlmsg_parse(nlh, c) < 0)
 		goto err_free;
 
+	netlink_dump_chain(c, args->ctx);
+
 	nftnl_chain_list_add_tail(c, nlc_list);
 	return MNL_CB_OK;
 
@@ -1066,6 +1085,7 @@ struct nftnl_chain_list *mnl_nft_chain_dump(struct netlink_ctx *ctx,
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nftnl_chain_list *nlc_list;
 	struct nftnl_chain *nlc = NULL;
+	struct chain_cb_args args;
 	struct nlmsghdr *nlh;
 	int ret;
 
@@ -1089,7 +1109,9 @@ struct nftnl_chain_list *mnl_nft_chain_dump(struct netlink_ctx *ctx,
 		nftnl_chain_free(nlc);
 	}
 
-	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, chain_cb, nlc_list);
+	args.list = nlc_list;
+	args.ctx  = ctx;
+	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, chain_cb, &args);
 	if (ret < 0 && errno != ENOENT)
 		goto err;
 
@@ -1797,9 +1819,15 @@ int mnl_nft_obj_del(struct netlink_ctx *ctx, struct cmd *cmd, int type)
 	return 0;
 }
 
+struct obj_cb_args {
+	struct netlink_ctx *ctx;
+	struct nftnl_obj_list *list;
+};
+
 static int obj_cb(const struct nlmsghdr *nlh, void *data)
 {
-	struct nftnl_obj_list *nln_list = data;
+	struct obj_cb_args *args = data;
+	struct nftnl_obj_list *nln_list = args->list;
 	struct nftnl_obj *n;
 
 	if (check_genid(nlh) < 0)
@@ -1812,6 +1840,8 @@ static int obj_cb(const struct nlmsghdr *nlh, void *data)
 	if (nftnl_obj_nlmsg_parse(nlh, n) < 0)
 		goto err_free;
 
+	netlink_dump_obj(n, args->ctx);
+
 	nftnl_obj_list_add_tail(n, nln_list);
 	return MNL_CB_OK;
 
@@ -1829,6 +1859,7 @@ mnl_nft_obj_dump(struct netlink_ctx *ctx, int family,
 	uint16_t nl_flags = dump ? NLM_F_DUMP : NLM_F_ACK;
 	struct nftnl_obj_list *nln_list;
 	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct obj_cb_args args;
 	struct nlmsghdr *nlh;
 	struct nftnl_obj *n;
 	int msg_type, ret;
@@ -1857,7 +1888,9 @@ mnl_nft_obj_dump(struct netlink_ctx *ctx, int family,
 	if (nln_list == NULL)
 		memory_allocation_error();
 
-	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, obj_cb, nln_list);
+	args.list = nln_list;
+	args.ctx  = ctx;
+	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, obj_cb, &args);
 	if (ret < 0)
 		goto err;
 
@@ -2192,9 +2225,15 @@ int mnl_nft_setelem_get(struct netlink_ctx *ctx, struct nftnl_set *nls,
 	return nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, set_elem_cb, nls);
 }
 
+struct flowtable_cb_args {
+	struct netlink_ctx *ctx;
+	struct nftnl_flowtable_list *list;
+};
+
 static int flowtable_cb(const struct nlmsghdr *nlh, void *data)
 {
-	struct nftnl_flowtable_list *nln_list = data;
+	struct flowtable_cb_args *args = data;
+	struct nftnl_flowtable_list *nln_list = args->list;
 	struct nftnl_flowtable *n;
 
 	if (check_genid(nlh) < 0)
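Review bot: this is the fourth copy of the same two-member wrapper (rule_cb_args, chain_cb_args, obj_cb_args and now flowtable_cb_args), each carrying only `struct netlink_ctx *ctx` plus the typed list pointer. Either one shared `struct dump_cb_args { struct netlink_ctx *ctx; void *list; }` or a short comment on the first of them noting that ctx exists solely for the netlink_dump_*() calls would make the intent clearer; keeping the typed pointers is fine if the comment route is preferred.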
@@ -2207,6 +2246,8 @@ static int flowtable_cb(const struct nlmsghdr *nlh, void *data)
 	if (nftnl_flowtable_nlmsg_parse(nlh, n) < 0)
 		goto err_free;
 
+	netlink_dump_flowtable(n, args->ctx);
+
 	nftnl_flowtable_list_add_tail(n, nln_list);
 	return MNL_CB_OK;
 
@@ -2221,6 +2262,7 @@ mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family,
 {
 	struct nftnl_flowtable_list *nln_list;
 	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct flowtable_cb_args args;
 	struct nftnl_flowtable *n;
 	int flags = NLM_F_DUMP;
 	struct nlmsghdr *nlh;
@@ -2245,7 +2287,9 @@ mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family,
 	if (nln_list == NULL)
 		memory_allocation_error();
 
-	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, flowtable_cb, nln_list);
+	args.list = nln_list;
+	args.ctx  = ctx;
+	ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, flowtable_cb, &args);
 	if (ret < 0 && errno != ENOENT)
 		goto err;
 
-- 
2.51.0



* [nft PATCH 2/5] cache: Respect family in all list commands
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Some list commands did not set filter->list.family even if one was given
on command line, fix this.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/cache.c                                 |  6 ++-
 tests/shell/testcases/listing/cache_filters | 46 +++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100755 tests/shell/testcases/listing/cache_filters

diff --git a/src/cache.c b/src/cache.c
index 62eccef991933..82efd476e3698 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -246,10 +246,12 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 			flags |= NFT_CACHE_FULL;
 		break;
 	case CMD_OBJ_CHAINS:
+		filter->list.family = cmd->handle.family;
 		flags |= NFT_CACHE_TABLE | NFT_CACHE_CHAIN;
 		break;
 	case CMD_OBJ_SETS:
 	case CMD_OBJ_MAPS:
+		filter->list.family = cmd->handle.family;
 		flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;
 		if (!nft_output_terse(&nft->output))
 			flags |= NFT_CACHE_SETELEM;
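Review bot: the new assignments copy cmd->handle.family unconditionally, so the CMD_OBJ_CHAINS and CMD_OBJ_SETS/CMD_OBJ_MAPS paths now rely on cmd->handle.family holding NFPROTO_UNSPEC whenever no family was given on the command line. That invariant is not visible in this hunk; one sentence in the commit message would make clear why the plain `list chains` and `list sets` cases in the test are still unfiltered.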
@@ -257,12 +259,12 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 	case CMD_OBJ_FLOWTABLE:
 		if (cmd->handle.table.name &&
 		    cmd->handle.flowtable.name) {
-			filter->list.family = cmd->handle.family;
 			filter->list.table = cmd->handle.table.name;
 			filter->list.ft = cmd->handle.flowtable.name;
 		}
 		/* fall through */
 	case CMD_OBJ_FLOWTABLES:
+		filter->list.family = cmd->handle.family;
 		flags |= NFT_CACHE_TABLE | NFT_CACHE_FLOWTABLE;
 		break;
 	case CMD_OBJ_COUNTER:
@@ -301,6 +303,8 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 		obj_filter_setup(cmd, &flags, filter, NFT_OBJECT_TUNNEL);
 		break;
 	case CMD_OBJ_RULESET:
+		filter->list.family = cmd->handle.family;
+		/* fall through */
 	default:
 		flags |= NFT_CACHE_FULL;
 		break;
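Review bot: CMD_OBJ_RULESET now sets list.family before falling through to NFT_CACHE_FULL, and the `/* fall through */` marker is in place. The test's `list ruleset ip6` check only asserts that no rule (`payload load`) is fetched, so whether the full-cache path also honours the family for chains, sets and flowtables stays untested; adding the chain, set and flowtable greps to that case would cover it.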
diff --git a/tests/shell/testcases/listing/cache_filters b/tests/shell/testcases/listing/cache_filters
new file mode 100755
index 0000000000000..37c8f845dd4c7
--- /dev/null
+++ b/tests/shell/testcases/listing/cache_filters
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+fail() {
+	echo "$*"
+	exit 1
+}
+
+$NFT -f - <<EOF
+table ip ip_t {
+	flowtable ip_t_ft {
+		hook ingress priority 0
+	}
+	set ip_t_s {
+		type inet_service
+		elements = { 22, 80, 443 }
+	}
+	chain ip_t_c {
+		tcp dport 22 accept
+	}
+	chain ip_t_c2 {
+	}
+}
+EOF
+
+$NFT --debug=netlink list ruleset | \
+	grep -q 'payload load' || fail "broken list ruleset"
+$NFT --debug=netlink list ruleset ip6 | \
+	grep -q 'payload load' && fail "broken list ruleset family filter"
+
+$NFT --debug=netlink list chains | \
+	grep -q 'ip ip_t ip_t_c' || fail "broken list chains"
+$NFT --debug=netlink list chains ip6 | \
+	grep -q 'ip ip_t ip_t_c' && fail "broken list chains family filter"
+
+$NFT --debug=netlink list sets | \
+	grep -q 'family 2 ip_t_s ip_t' || fail "broken list sets"
+$NFT --debug=netlink list sets ip6 | \
+	grep -q 'family 2 ip_t_s ip_t' && fail "broken list sets family filter"
+
+$NFT --debug=netlink list flowtables | \
+	grep -q 'flow table ip_t ip_t_ft' || fail "broken list flowtables"
+$NFT --debug=netlink list flowtables ip6 | \
+	grep -q 'flow table ip_t ip_t_ft' && fail "broken list flowtables family filter"
+exit 0
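Review bot: the `$NFT ... | grep -q ... && fail` assertions cannot tell "filter worked" from "nft failed": the pipeline's status is grep's, so if $NFT exits non-zero (for instance on the ip6 argument) grep finds nothing and the check passes silently, and `set -e` does not help because the command sits inside an && list. Capturing the output first (`out=$($NFT --debug=netlink list chains ip6)`, which does abort under set -e) and grepping the variable would make an nft failure fail the test. Also, `family 2` in the set greps is NFPROTO_IPV4 as a bare number; a comment naming it would help the next reader.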
-- 
2.51.0



* [nft PATCH 3/5] cache: Relax chain_cache_dump filter application
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

While populating chain cache, a filter was only effective if it limited
fetching to both a table and a chain. Make it apply to 'list chains'
command as well which at most specifies a family and table.

Since the code is OK with filter->list fields being NULL, merely check
for filter to be non-NULL (which is the case if nft_cache_update() is
called by nft_cmd_enoent_chain()).

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cache.c b/src/cache.c
index 82efd476e3698..13d4cb19eb4f6 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -625,7 +625,7 @@ chain_cache_dump(struct netlink_ctx *ctx,
 	const char *chain = NULL;
 	int family = NFPROTO_UNSPEC;
 
-	if (filter && filter->list.table && filter->list.chain) {
+	if (filter) {
 		family = filter->list.family;
 		table = filter->list.table;
 		chain = filter->list.chain;
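Review bot: dropping the `filter->list.table && filter->list.chain` condition means family is now taken from any non-NULL filter, including one whose list.family was never assigned. That is only safe because NFPROTO_UNSPEC is 0, so a zero-initialised filter still means "all families"; patch 2 additionally makes the assignment explicit for the list commands. A one-line comment above `if (filter)` stating that NULL and zero fields mean "no restriction" would document the relaxed contract for future callers.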
-- 
2.51.0



* [nft PATCH 4/5] cache: Filter for table when listing sets or maps
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Respect an optionally specified table name to filter listed sets or maps
to by populating the filter accordingly.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/cache.c                                 | 1 +
 tests/shell/testcases/listing/cache_filters | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/src/cache.c b/src/cache.c
index 13d4cb19eb4f6..f86d000690929 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -252,6 +252,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 	case CMD_OBJ_SETS:
 	case CMD_OBJ_MAPS:
 		filter->list.family = cmd->handle.family;
+		filter->list.table = cmd->handle.table.name;
 		flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;
 		if (!nft_output_terse(&nft->output))
 			flags |= NFT_CACHE_SETELEM;
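Review bot: list.table is now assigned even when cmd->handle.table.name is NULL (no table given), which is fine as long as the set dump path treats NULL the same way chain_cache_dump() in patch 3 does; that path is not part of this diff, so the commit message should state that a NULL table there means "unfiltered".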
diff --git a/tests/shell/testcases/listing/cache_filters b/tests/shell/testcases/listing/cache_filters
index 37c8f845dd4c7..7a89330d2b6c0 100755
--- a/tests/shell/testcases/listing/cache_filters
+++ b/tests/shell/testcases/listing/cache_filters
@@ -22,6 +22,8 @@ table ip ip_t {
 	chain ip_t_c2 {
 	}
 }
+table ip ip_t2 {
+}
 EOF
 
 $NFT --debug=netlink list ruleset | \
@@ -38,6 +40,8 @@ $NFT --debug=netlink list sets | \
 	grep -q 'family 2 ip_t_s ip_t' || fail "broken list sets"
 $NFT --debug=netlink list sets ip6 | \
 	grep -q 'family 2 ip_t_s ip_t' && fail "broken list sets family filter"
+$NFT --debug=netlink list sets ip ip_t2 | \
+	grep -q 'family 2 ip_t_s ip_t' && fail "broken list sets table filter"
 
 $NFT --debug=netlink list flowtables | \
 	grep -q 'flow table ip_t ip_t_ft' || fail "broken list flowtables"
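Review bot: the new `list sets ip ip_t2` check only proves that ip_t's set is no longer fetched; because ip_t2 is created empty, an overly strict filter that fetched nothing at all would pass as well. Adding a set to `table ip ip_t2` and a positive `grep -q ... || fail` for it would catch that regression.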
-- 
2.51.0



* [nft PATCH 5/5] cache: Filter for table when listing flowtables
From: Phil Sutter @ 2026-03-10 23:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Respect an optionally specified table name to filter listed flowtables
to by populating the filter accordingly.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/cache.c                                 | 1 +
 tests/shell/testcases/listing/cache_filters | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/src/cache.c b/src/cache.c
index f86d000690929..bad8275326c76 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -266,6 +266,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 		/* fall through */
 	case CMD_OBJ_FLOWTABLES:
 		filter->list.family = cmd->handle.family;
+		filter->list.table = cmd->handle.table.name;
 		flags |= NFT_CACHE_TABLE | NFT_CACHE_FLOWTABLE;
 		break;
 	case CMD_OBJ_COUNTER:
diff --git a/tests/shell/testcases/listing/cache_filters b/tests/shell/testcases/listing/cache_filters
index 7a89330d2b6c0..e3d0e5e5a7217 100755
--- a/tests/shell/testcases/listing/cache_filters
+++ b/tests/shell/testcases/listing/cache_filters
@@ -47,4 +47,7 @@ $NFT --debug=netlink list flowtables | \
 	grep -q 'flow table ip_t ip_t_ft' || fail "broken list flowtables"
 $NFT --debug=netlink list flowtables ip6 | \
 	grep -q 'flow table ip_t ip_t_ft' && fail "broken list flowtables family filter"
+$NFT --debug=netlink list flowtables ip ip_t2 | \
+	grep -q 'flow table ip_t ip_t_ft' && fail "broken list flowtables table filter"
+
 exit 0
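Review bot: same gap as in the sets test: ip_t2 holds no flowtable, so this negative check cannot distinguish a correct table filter from one that drops every flowtable. A flowtable in ip_t2 plus a positive grep for it would close that.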
-- 
2.51.0



* Re: [nft PATCH 2/5] cache: Respect family in all list commands
From: Pablo Neira Ayuso @ 2026-03-11  9:34 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 12:11:12AM +0100, Phil Sutter wrote:
> Some list commands did not set filter->list.family even if one was given
> on command line, fix this.
> 

Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")

> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 3/5] cache: Relax chain_cache_dump filter application
From: Pablo Neira Ayuso @ 2026-03-11  9:38 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 12:11:13AM +0100, Phil Sutter wrote:
> While populating chain cache, a filter was only effective if it limited
> fetching to both a table and a chain. Make it apply to 'list chains'
> command as well which at most specifies a family and table.
> 
> Since the code is OK with filter->list fields being NULL, merely check
> for filter to be non-NULL (which is the case if nft_cache_update() is
> called by nft_cmd_enoent_chain()).

Fixes: 17297d1acbbf ("cache: Filter chain list on kernel side")

> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 4/5] cache: Filter for table when listing sets or maps
From: Pablo Neira Ayuso @ 2026-03-11  9:39 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 12:11:14AM +0100, Phil Sutter wrote:
> Respect an optionally specified table name to filter listed sets or maps
> to by populating the filter accordingly.
> 

Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")

> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 5/5] cache: Filter for table when listing flowtables
From: Pablo Neira Ayuso @ 2026-03-11  9:40 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 12:11:15AM +0100, Phil Sutter wrote:
> Respect an optionally specified table name to filter listed flowtables
> to by populating the filter accordingly.

Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")

> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH 2/5] cache: Respect family in all list commands
From: Phil Sutter @ 2026-03-11 10:19 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 10:34:59AM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 11, 2026 at 12:11:12AM +0100, Phil Sutter wrote:
> > Some list commands did not set filter->list.family even if one was given
> > on command line, fix this.
> > 
> 
> Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")

Hmm. At that point, we didn't have 'filter' parameter in
evaluate_cache_list(). Struct nft_cache_filter was introduced later, in
commit 3f1d3912c3a6b ("cache: filter out tables that are not
requested").

Assuming that Fixes: tags are used for semi-automated backporting (at
least I do ;), pointing at that commit will cause trouble.

Do you still think we should add that tag?

> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> 
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks for reviewing!


* Re: [nft PATCH 2/5] cache: Respect family in all list commands
From: Pablo Neira Ayuso @ 2026-03-11 12:11 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel

On Wed, Mar 11, 2026 at 11:19:58AM +0100, Phil Sutter wrote:
> On Wed, Mar 11, 2026 at 10:34:59AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Mar 11, 2026 at 12:11:12AM +0100, Phil Sutter wrote:
> > > Some list commands did not set filter->list.family even if one was given
> > > on command line, fix this.
> > > 
> > 
> > Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")
> 
> Hmm. At that point, we didn't have 'filter' parameter in
> evaluate_cache_list(). Struct nft_cache_filter was introduced later, in
> commit 3f1d3912c3a6b ("cache: filter out tables that are not
> requested").
> 
> Assuming that Fixes: tags are used for semi-automated backporting (at
> least I do ;), pointing at that commit will cause trouble.

Good point.

Helping identify backporting in a semi-automated way is good,
especially for small fixes like this.

At least for me, it helps me identify if it is an
update/enhancement/feature or a fix; it is just a bit more context
information.

> Do you still think we should add that tag?

I get your point that tags need to be right if we use them.


* Re: [nft PATCH 2/5] cache: Respect family in all list commands
From: Phil Sutter @ 2026-03-11 14:01 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Wed, Mar 11, 2026 at 01:11:56PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 11, 2026 at 11:19:58AM +0100, Phil Sutter wrote:
> > On Wed, Mar 11, 2026 at 10:34:59AM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Mar 11, 2026 at 12:11:12AM +0100, Phil Sutter wrote:
> > > > Some list commands did not set filter->list.family even if one was given
> > > > on command line, fix this.
> > > > 
> > > 
> > > Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")
> > 
> > Hmm. At that point, we didn't have 'filter' parameter in
> > evaluate_cache_list(). Struct nft_cache_filter was introduced later, in
> > commit 3f1d3912c3a6b ("cache: filter out tables that are not
> > requested").
> > 
> > Assuming that Fixes: tags are used for semi-automated backporting (at
> > least I do ;), pointing at that commit will cause trouble.
> 
> Good point.
> 
> Helping identify backporting in a semi-automated way is good,
> specially for small fixes like this.
> 
> At least for me, it helps me identify if it is an
> update/enhancement/feature or fix, it is just a bit more context
> information.
> 
> > Do you still think we should add that tag?
> 
> I get your point that tags need to be right if we use them.

How about:

Fixes: b3ed8fd8c9f33 ("cache: missing family in cache filtering")


* Re: [nft PATCH 0/5] Enhance cache filter for list commands
From: Eric Garver @ 2026-03-11 15:06 UTC (permalink / raw)
  To: Phil Sutter; +Cc: Pablo Neira Ayuso, netfilter-devel

On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> Reducing the amount of data fetched from kernel improves performance
> with large rule sets but also reduces adverse side-effects if multiple
> versions of nftables access the same kernel rule set. Being able to
> ignore parts of the rule set one is not interested in allows for (more or
> less) safe coexistence if each tool is operating on the data it created
> itself only.
> 
> This series reduces caching for list commands which specify a family
> and/or table. To help testing this, patch 1 extends netlink debug output
> to include chains, flowtables and objects so a test case may check if
> they are fetched or not.
> 
> The remaining patches actually increase filter use.
> 
> Phil Sutter (5):
>   cache: Include chains, flowtables and objects in netlink debug output
>   cache: Respect family in all list commands
>   cache: Relax chain_cache_dump filter application
>   cache: Filter for table when listing sets or maps
>   cache: Filter for table when listing flowtables
> 
>  src/cache.c                                 | 11 ++--
>  src/mnl.c                                   | 60 ++++++++++++++++++---
>  tests/shell/testcases/listing/cache_filters | 53 ++++++++++++++++++
>  3 files changed, 113 insertions(+), 11 deletions(-)
>  create mode 100755 tests/shell/testcases/listing/cache_filters

I ran this series against the firewalld testsuite. All green.
Thanks Phil!

For the series:

Tested-by: Eric Garver <eric@garver.life>



* Re: [nft PATCH 0/5] Enhance cache filter for list commands
From: Phil Sutter @ 2026-03-11 19:15 UTC (permalink / raw)
  To: Eric Garver, Pablo Neira Ayuso, netfilter-devel

On Wed, Mar 11, 2026 at 11:06:52AM -0400, Eric Garver wrote:
> On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> > Reducing the amount of data fetched from kernel improves performance
> > with large rule sets but also reduces adverse side-effects if multiple
> > versions of nftables access the same kernel rule set. Being able to
> > ignore parts of the rule set one is not interested in allows for (more or
> > less) safe coexistence if each tool is operating on the data it created
> > itself only.
> > 
> > This series reduces caching for list commands which specify a family
> > and/or table. To help testing this, patch 1 extends netlink debug output
> > to include chains, flowtables and objects so a test case may check if
> > they are fetched or not.
> > 
> > The remaining patches actually increase filter use.
> > 
> > Phil Sutter (5):
> >   cache: Include chains, flowtables and objects in netlink debug output
> >   cache: Respect family in all list commands
> >   cache: Relax chain_cache_dump filter application
> >   cache: Filter for table when listing sets or maps
> >   cache: Filter for table when listing flowtables
> > 
> >  src/cache.c                                 | 11 ++--
> >  src/mnl.c                                   | 60 ++++++++++++++++++---
> >  tests/shell/testcases/listing/cache_filters | 53 ++++++++++++++++++
> >  3 files changed, 113 insertions(+), 11 deletions(-)
> >  create mode 100755 tests/shell/testcases/listing/cache_filters
> 
> I ran this series against the firewalld testsuite. All green.
> Thanks Phil!

Thanks for testing, Eric! Shame on me for not putting you in Cc as you
asked for. Next time I'll probably best add a Cc: tag to one of the
commits immediately. ;)

Cheers, Phil


* Re: [nft PATCH 0/5] Enhance cache filter for list commands
From: Phil Sutter @ 2026-03-18 16:23 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Eric Garver

On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> Reducing the amount of data fetched from kernel improves performance
> with large rule sets but also reduces adverse side-effects if multiple
> versions of nftables access the same kernel rule set. Being able to
> ignore parts of the rule set one is not interested in allows for (more or
> less) safe coexistence if each tool is operating on the data it created
> itself only.
> 
> This series reduces caching for list commands which specify a family
> and/or table. To help testing this, patch 1 extends netlink debug output
> to include chains, flowtables and objects so a test case may check if
> they are fetched or not.
> 
> The remaining patches actually increase filter use.
> 
> Phil Sutter (5):
>   cache: Include chains, flowtables and objects in netlink debug output
>   cache: Respect family in all list commands
>   cache: Relax chain_cache_dump filter application
>   cache: Filter for table when listing sets or maps
>   cache: Filter for table when listing flowtables

Series applied after inserting suggested Fixes: tags.


* Re: [nft PATCH 0/5] Enhance cache filter for list commands
  2026-03-18 16:23 ` Phil Sutter
@ 2026-03-18 16:58   ` Pablo Neira Ayuso
  2026-03-18 16:59     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 19+ messages in thread
From: Pablo Neira Ayuso @ 2026-03-18 16:58 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel, Eric Garver

On Wed, Mar 18, 2026 at 05:23:16PM +0100, Phil Sutter wrote:
> On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> > Reducing the amount of data fetched from kernel improves performance
> > with large rule sets but also reduces adverse side-effects if multiple
> > versions of nftables access the same kernel rule set. Being able to
> > ignore parts of the rule set one is not interested in allows for (more or
> > less) safe coexistence if each tool is operating on the data it created
> > itself only.
> > 
> > This series reduces caching for list commands which specify a family
> > and/or table. To help testing this, patch 1 extends netlink debug output
> > to include chains, flowtables and objects so a test case may check if
> > they are fetched or not.
> > 
> > The remaining patches actually increase filter use.
> > 
> > Phil Sutter (5):
> >   cache: Include chains, flowtables and objects in netlink debug output
> >   cache: Respect family in all list commands
> >   cache: Relax chain_cache_dump filter application
> >   cache: Filter for table when listing sets or maps
> >   cache: Filter for table when listing flowtables
> 
> Series applied after inserting suggested Fixes: tags.

Uoh.

I did not even get here to review.


* Re: [nft PATCH 0/5] Enhance cache filter for list commands
  2026-03-18 16:58   ` Pablo Neira Ayuso
@ 2026-03-18 16:59     ` Pablo Neira Ayuso
  2026-03-18 18:49       ` Phil Sutter
  0 siblings, 1 reply; 19+ messages in thread
From: Pablo Neira Ayuso @ 2026-03-18 16:59 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel, Eric Garver

On Wed, Mar 18, 2026 at 05:58:25PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 18, 2026 at 05:23:16PM +0100, Phil Sutter wrote:
> > On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> > > Reducing the amount of data fetched from kernel improves performance
> > > with large rule sets but also reduces adverse side-effects if multiple
> > > versions of nftables access the same kernel rule set. Being able to
> > > ignore parts of the rule set one is not interested in allows for (more or
> > > less) safe coexistence if each tool is operating on the data it created
> > > itself only.
> > > 
> > > This series reduces caching for list commands which specify a family
> > > and/or table. To help testing this, patch 1 extends netlink debug output
> > > to include chains, flowtables and objects so a test case may check if
> > > they are fetched or not.
> > > 
> > > The remaining patches actually increase filter use.
> > > 
> > > Phil Sutter (5):
> > >   cache: Include chains, flowtables and objects in netlink debug output
> > >   cache: Respect family in all list commands
> > >   cache: Relax chain_cache_dump filter application
> > >   cache: Filter for table when listing sets or maps
> > >   cache: Filter for table when listing flowtables
> > 
> > Series applied after inserting suggested Fixes: tags.
> 
> Uoh.
> 
> I did not even get here to review.

Oh sorry, it looks good to me.

I thought you applied the one to fix "list table ...; list table ...;".

That other series I would like to have a closer look at.


* Re: [nft PATCH 0/5] Enhance cache filter for list commands
  2026-03-18 16:59     ` Pablo Neira Ayuso
@ 2026-03-18 18:49       ` Phil Sutter
  0 siblings, 0 replies; 19+ messages in thread
From: Phil Sutter @ 2026-03-18 18:49 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Eric Garver

On Wed, Mar 18, 2026 at 05:59:41PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 18, 2026 at 05:58:25PM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Mar 18, 2026 at 05:23:16PM +0100, Phil Sutter wrote:
> > > On Wed, Mar 11, 2026 at 12:11:10AM +0100, Phil Sutter wrote:
> > > > Reducing the amount of data fetched from kernel improves performance
> > > > with large rule sets but also reduces adverse side-effects if multiple
> > > > versions of nftables access the same kernel rule set. Being able to
> > > > ignore parts of the rule set one is not interested in allows for (more or
> > > > less) safe coexistence if each tool is operating on the data it created
> > > > itself only.
> > > > 
> > > > This series reduces caching for list commands which specify a family
> > > > and/or table. To help testing this, patch 1 extends netlink debug output
> > > > to include chains, flowtables and objects so a test case may check if
> > > > they are fetched or not.
> > > > 
> > > > The remaining patches actually increase filter use.
> > > > 
> > > > Phil Sutter (5):
> > > >   cache: Include chains, flowtables and objects in netlink debug output
> > > >   cache: Respect family in all list commands
> > > >   cache: Relax chain_cache_dump filter application
> > > >   cache: Filter for table when listing sets or maps
> > > >   cache: Filter for table when listing flowtables
> > > 
> > > Series applied after inserting suggested Fixes: tags.
> > 
> > Uoh.
> > 
> > I did not even get here to review.
> 
> Oh sorry, it looks good to me.

Yes, you gave your Reviewed-by: for all but the first patch! O:-)

> I thought you applied the one to fix "list table ...; list table ...;".
> 
> That other series I would like to have a closer look at.

Yes, I also appreciate some review of that one. Also I wanted to try
implementing cache update per command, if only to see how troublesome
that will be.

Thanks, Phil


end of thread, other threads:[~2026-03-18 18:49 UTC | newest]

Thread overview: 19+ messages
2026-03-10 23:11 [nft PATCH 0/5] Enhance cache filter for list commands Phil Sutter
2026-03-10 23:11 ` [nft PATCH 1/5] cache: Include chains, flowtables and objects in netlink debug output Phil Sutter
2026-03-10 23:11 ` [nft PATCH 2/5] cache: Respect family in all list commands Phil Sutter
2026-03-11  9:34   ` Pablo Neira Ayuso
2026-03-11 10:19     ` Phil Sutter
2026-03-11 12:11       ` Pablo Neira Ayuso
2026-03-11 14:01         ` Phil Sutter
2026-03-10 23:11 ` [nft PATCH 3/5] cache: Relax chain_cache_dump filter application Phil Sutter
2026-03-11  9:38   ` Pablo Neira Ayuso
2026-03-10 23:11 ` [nft PATCH 4/5] cache: Filter for table when listing sets or maps Phil Sutter
2026-03-11  9:39   ` Pablo Neira Ayuso
2026-03-10 23:11 ` [nft PATCH 5/5] cache: Filter for table when listing flowtables Phil Sutter
2026-03-11  9:40   ` Pablo Neira Ayuso
2026-03-11 15:06 ` [nft PATCH 0/5] Enhance cache filter for list commands Eric Garver
2026-03-11 19:15   ` Phil Sutter
2026-03-18 16:23 ` Phil Sutter
2026-03-18 16:58   ` Pablo Neira Ayuso
2026-03-18 16:59     ` Pablo Neira Ayuso
2026-03-18 18:49       ` Phil Sutter
