[nft,3/7] libnftables: Introduce nft_ctx_flush_cache()

This allows an application to explicitly flush caches associated with a
given nft context.

Note that this is a bit inconsistent in that it releases the global
interface cache, but nft_ctx_free() does the same so at least it's not a
regression.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/nftables/nftables.h | 1 +
 src/libnftables.c           | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote:
> This allows an application to explicitly flush caches associated with a
> given nft context.
> 
> Note that this is a bit inconsistent in that it releases the global
> interface cache, but nft_ctx_free() does the same so at least it's not a
> regression.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  include/nftables/nftables.h | 1 +
>  src/libnftables.c           | 9 +++++++--
>  2 files changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index 052a77bfb5371..fbc6fd4252a97 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -77,6 +77,7 @@ enum nftables_exit_codes {
>  struct nft_ctx *nft_ctx_new(uint32_t flags);
>  void nft_ctx_free(struct nft_ctx *ctx);
>  FILE *nft_ctx_set_output(struct nft_ctx *ctx, FILE *fp);
> +void nft_ctx_flush_cache(struct nft_ctx *ctx);
>  
>  int nft_run(struct nft_ctx *nft, struct mnl_socket *nf_sock,
>  	    void *scanner, struct parser_state *state,
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 187747c66af21..0de50c854d572 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -146,13 +146,18 @@ struct nft_ctx *nft_ctx_new(uint32_t flags)
>  	return ctx;
>  }
>  
> +void nft_ctx_flush_cache(struct nft_ctx *ctx)
> +{
> +	iface_cache_release();
> +	cache_release(&ctx->cache);
> +}

This flush allows us to release the cache, but nft_ctx_alloc()
populates it. I'm missing something here, can we force a context
repopulation?

If there is no usecase for this yet, I would keep this behind by now.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Hi,

On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote:
[...]
> > +void nft_ctx_flush_cache(struct nft_ctx *ctx)
> > +{
> > +	iface_cache_release();
> > +	cache_release(&ctx->cache);
> > +}
> 
> This flush allows us to release the cache, but nft_ctx_alloc()
> populates it. I'm missing something here, can we force a context
> repopulation?

No, nft_ctx_alloc() does not populate the cache, but just initialize
cache list head (which is not undone by cache_release()). Cache
population happens during command execution depending on whether a cache
is needed or not.

> If there is no usecase for this yet, I would keep this behind by now.

The use-case for the above is cli_complete(), which
explicitly drops the cache after execution of every command (probably
because it's potentially long-lived and therefore things might change in
background).

Cheers, Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, Oct 20, 2017 at 07:05:13PM +0200, Phil Sutter wrote:
> Hi,
> 
> On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote:
> [...]
> > > +void nft_ctx_flush_cache(struct nft_ctx *ctx)
> > > +{
> > > +	iface_cache_release();
> > > +	cache_release(&ctx->cache);
> > > +}
> > 
> > This flush allows us to release the cache, but nft_ctx_alloc()
> > populates it. I'm missing something here, can we force a context
> > repopulation?
> 
> No, nft_ctx_alloc() does not populate the cache, but just initialize
> cache list head (which is not undone by cache_release()). Cache
> population happens during command execution depending on whether a cache
> is needed or not.

I see.

I think cache population should happen from nft_ctx_alloc(), caches
are context after all.

> > If there is no usecase for this yet, I would keep this behind by now.
> 
> The use-case for the above is cli_complete(), which
> explicitly drops the cache after execution of every command (probably
> because it's potentially long-lived and therefore things might change in
> background).

I see. If we follow the approach I'm describe above, then we need
something like nft_ctx_reset(), where we reset all context and we get
a fresh cache.

Makes sense to you?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, Oct 20, 2017 at 09:10:31PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 20, 2017 at 07:05:13PM +0200, Phil Sutter wrote:
> > Hi,
> > 
> > On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote:
> > [...]
> > > > +void nft_ctx_flush_cache(struct nft_ctx *ctx)
> > > > +{
> > > > +	iface_cache_release();
> > > > +	cache_release(&ctx->cache);
> > > > +}
> > > 
> > > This flush allows us to release the cache, but nft_ctx_alloc()
> > > populates it. I'm missing something here, can we force a context
> > > repopulation?
> > 
> > No, nft_ctx_alloc() does not populate the cache, but just initialize
> > cache list head (which is not undone by cache_release()). Cache
> > population happens during command execution depending on whether a cache
> > is needed or not.
> 
> I see.
> 
> I think cache population should happen from nft_ctx_alloc(), caches
> are context after all.
> 
> > > If there is no usecase for this yet, I would keep this behind by now.
> > 
> > The use-case for the above is cli_complete(), which
> > explicitly drops the cache after execution of every command (probably
> > because it's potentially long-lived and therefore things might change in
> > background).
> 
> I see. If we follow the approach I'm describe above, then we need
> something like nft_ctx_reset(), where we reset all context and we get
> a fresh cache.

I think it's worth keeping the current logic of when to populate the
cache. Remember when I added a call to cache_update() for echo output
support which caused an unnecessary slowdown you later complained about?
Populating the cache unconditionally upon context creation would cause
the same issue again if we follow my plan of making 'nft' binary the
first user of libnftables.

Right now, we only explicitly clear the cache in CLI, and my patch
allows applications to do that if they think it's necessary. Cache
population is completely pointless if an application just wants to e.g.
add a new table to the rule set, so I'd prefer to leave it this way. We
spoke about possible performance implications of cache updates at NFWS
already, keeping the existing (and well defined) logic will at least
limit the impact of this potential bottleneck.

Cheers, Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html