[iptables,10/14] nft: Fetch rule cache only if needed

Message ID	20190916165000.18217-11-phil@nwl.cc
State	Changes Requested
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Phil Sutter <phil@nwl.cc> To: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 10/14] nft: Fetch rule cache only if needed Date: Mon, 16 Sep 2019 18:49:56 +0200 Message-Id: <20190916165000.18217-11-phil@nwl.cc> In-Reply-To: <20190916165000.18217-1-phil@nwl.cc> References: <20190916165000.18217-1-phil@nwl.cc> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	Improve iptables-nft performance with large rulesets \| expand [iptables,00/14] Improve iptables-nft performance with large rulesets [iptables,01/14] tests/shell: Make ebtables-basic test more verbose [iptables,02/14] tests/shell: Speed up ipt-restore/0004-restore-race_0 [iptables,03/14] DEBUG: Print to stderr to not disturb iptables-save [iptables,04/14] nft: Use nftnl_*_set_str() functions [iptables,05/14] nft: Introduce nft_bridge_commit() [iptables,06/14] nft: Fix for add and delete of same rule in single batch [iptables,07/14] nft Increase mnl_talk() receive buffer size [iptables,08/14] xtables-restore: Avoid cache population when flushing [iptables,09/14] nft: Rename have_cache into have_chain_cache [iptables,10/14] nft: Fetch rule cache only if needed [iptables,11/14] nft: Allow to fetch only a specific chain from kernel [iptables,12/14] nft: Support fetching rules for a single chain only [iptables,13/14] nft: Optimize flushing all chains of a table [iptables,14/14] nft: Reduce impact of nft_chain_builtin_init()

diff --git a/iptables/nft.c b/iptables/nft.c index 1483664510518..82c892ad96f34 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -894,8 +894,10 @@ static void flush_chain_cache(struct nft_handle *h, const char *tablename) if (!h->have_chain_cache) return; - if (flush_cache(h->cache, h->tables, tablename)) + if (flush_cache(h->cache, h->tables, tablename)) { h->have_chain_cache = false; + h->have_rule_cache = false; + } } void nft_fini(struct nft_handle *h) @@ -1276,6 +1278,14 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table, nft_xt_builtin_init(h, table); + /* Since ebtables user-defined chain policies are implemented as last + * rule in nftables, rule cache is required here to treat them right. */ + if (h->family == NFPROTO_BRIDGE) { + c = nft_chain_find(h, table, chain); + if (c && !nft_chain_builtin(c)) + nft_build_rule_cache(h); + } + nft_fn = nft_rule_append; r = nft_rule_new(h, chain, table, data); @@ -1602,6 +1612,7 @@ retry: fetch_chain_cache(h); fetch_rule_cache(h); h->have_chain_cache = true; + h->have_rule_cache = true; mnl_genid_get(h, &genid_stop); if (genid_start != genid_stop) { @@ -1618,11 +1629,19 @@ void nft_build_cache(struct nft_handle *h) __nft_build_cache(h); } +void nft_build_rule_cache(struct nft_handle *h) +{ + if (!h->have_rule_cache) { + fetch_rule_cache(h); + h->have_rule_cache = true; + } +} + void nft_fake_cache(struct nft_handle *h) { int i; - if (h->have_chain_cache) + if (h->have_chain_cache && h->have_rule_cache) return; /* fetch tables so conditional table delete logic works */ @@ -1636,10 +1655,14 @@ void nft_fake_cache(struct nft_handle *h) h->cache->table[type].chains) continue; + if (h->cache->table[type].chains) + continue; + h->cache->table[type].chains = nftnl_chain_list_alloc(); } mnl_genid_get(h, &h->nft_genid); h->have_chain_cache = true; + h->have_rule_cache = true; } static void __nft_flush_cache(struct nft_handle *h) @@ -1675,7 +1698,10 @@ struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h, if (!t) return NULL; - nft_build_cache(h); + if (!h->have_chain_cache) { + fetch_chain_cache(h); + h->have_chain_cache = true; + } return h->cache->table[t->type].chains; } @@ -1760,6 +1786,8 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format) if (!list) return 0; + nft_build_rule_cache(h); + iter = nftnl_chain_list_iter_create(list); if (!iter) return 0; @@ -1981,6 +2009,10 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain, if (list == NULL) return 0; + /* This triggers required policy rule deletion. */ + if (h->family == NFPROTO_BRIDGE) + nft_build_rule_cache(h); + if (chain) { c = nftnl_chain_list_lookup_byname(list, chain); if (!c) { @@ -2242,6 +2274,8 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, void *data, int rulen struct nftnl_rule_iter *iter; bool found = false; + nft_build_rule_cache(h); + if (rulenum >= 0) /* Delete by rule number case */ return nftnl_rule_lookup_byindex(c, rulenum); @@ -3062,6 +3096,8 @@ int ebt_set_user_chain_policy(struct nft_handle *h, const char *table, if (!c) return 0; + nft_build_rule_cache(h); + if (!strcmp(policy, "DROP")) pval = NF_DROP; else if (!strcmp(policy, "ACCEPT")) @@ -3339,6 +3375,8 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, if (list == NULL) goto err; + nft_build_rule_cache(h); + if (chain) { c = nftnl_chain_list_lookup_byname(list, chain); if (!c) { @@ -3445,6 +3483,8 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *tablename) if (clist == NULL) return false; + nft_build_rule_cache(h); + if (nftnl_chain_list_foreach(clist, nft_is_chain_compatible, h)) return false; diff --git a/iptables/nft.h b/iptables/nft.h index 11b2d4e3be6ff..718acdbf0c55d 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -54,6 +54,7 @@ struct nft_handle { struct nft_cache __cache[2]; struct nft_cache *cache; bool have_chain_cache; + bool have_rule_cache; bool restore; bool noflush; int8_t config_done; @@ -74,6 +75,7 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, int nft_init(struct nft_handle *h, const struct builtin_table *t); void nft_fini(struct nft_handle *h); void nft_build_cache(struct nft_handle *h); +void nft_build_rule_cache(struct nft_handle *h); void nft_fake_cache(struct nft_handle *h); /*

[iptables,10/14] nft: Fetch rule cache only if needed

Commit Message

Patch