[iptables,05/14] nft: Introduce nft_bridge_commit()

Message ID	20190916165000.18217-6-phil@nwl.cc
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Phil Sutter <phil@nwl.cc> To: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 05/14] nft: Introduce nft_bridge_commit() Date: Mon, 16 Sep 2019 18:49:51 +0200 Message-Id: <20190916165000.18217-6-phil@nwl.cc> In-Reply-To: <20190916165000.18217-1-phil@nwl.cc> References: <20190916165000.18217-1-phil@nwl.cc> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	Improve iptables-nft performance with large rulesets \| expand [iptables,00/14] Improve iptables-nft performance with large rulesets [iptables,01/14] tests/shell: Make ebtables-basic test more verbose [iptables,02/14] tests/shell: Speed up ipt-restore/0004-restore-race_0 [iptables,03/14] DEBUG: Print to stderr to not disturb iptables-save [iptables,04/14] nft: Use nftnl_*_set_str() functions [iptables,05/14] nft: Introduce nft_bridge_commit() [iptables,06/14] nft: Fix for add and delete of same rule in single batch [iptables,07/14] nft Increase mnl_talk() receive buffer size [iptables,08/14] xtables-restore: Avoid cache population when flushing [iptables,09/14] nft: Rename have_cache into have_chain_cache [iptables,10/14] nft: Fetch rule cache only if needed [iptables,11/14] nft: Allow to fetch only a specific chain from kernel [iptables,12/14] nft: Support fetching rules for a single chain only [iptables,13/14] nft: Optimize flushing all chains of a table [iptables,14/14] nft: Reduce impact of nft_chain_builtin_init()

Message ID

20190916165000.18217-6-phil@nwl.cc

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 05/14] nft: Introduce nft_bridge_commit()
Date: Mon, 16 Sep 2019 18:49:51 +0200
Message-Id: <20190916165000.18217-6-phil@nwl.cc>
In-Reply-To: <20190916165000.18217-1-phil@nwl.cc>
References: <20190916165000.18217-1-phil@nwl.cc>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

Improve iptables-nft performance with large rulesets | expand

Commit Message

Phil Sutter Sept. 16, 2019, 4:49 p.m. UTC

No need to check family value from nft_commit() if we can have a
dedicated callback for bridge family.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft.c                   | 8 ++++++--
 iptables/nft.h                   | 1 +
 iptables/xtables-eb-standalone.c | 2 +-
 iptables/xtables-restore.c       | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)

Comments

Pablo Neira Ayuso Sept. 20, 2019, 10:36 a.m. UTC | #1

On Mon, Sep 16, 2019 at 06:49:51PM +0200, Phil Sutter wrote:
> No need to check family value from nft_commit() if we can have a
> dedicated callback for bridge family.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 81d01310c7f8c..77ebc4f651e15 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3069,11 +3069,15 @@  static void nft_bridge_commit_prepare(struct nft_handle *h)
 
 int nft_commit(struct nft_handle *h)
 {
-	if (h->family == NFPROTO_BRIDGE)
-		nft_bridge_commit_prepare(h);
 	return nft_action(h, NFT_COMPAT_COMMIT);
 }
 
+int nft_bridge_commit(struct nft_handle *h)
+{
+	nft_bridge_commit_prepare(h);
+	return nft_commit(h);
+}
+
 int nft_abort(struct nft_handle *h)
 {
 	return nft_action(h, NFT_COMPAT_ABORT);
diff --git a/iptables/nft.h b/iptables/nft.h
index 5e5e765b0d043..43463d7f262e8 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -147,6 +147,7 @@  uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
  * global commit and abort
  */
 int nft_commit(struct nft_handle *h);
+int nft_bridge_commit(struct nft_handle *h);
 int nft_abort(struct nft_handle *h);
 int nft_abort_policy_rule(struct nft_handle *h, const char *table);
 
diff --git a/iptables/xtables-eb-standalone.c b/iptables/xtables-eb-standalone.c
index fb3daba0bd604..a9081c78c3bc3 100644
--- a/iptables/xtables-eb-standalone.c
+++ b/iptables/xtables-eb-standalone.c
@@ -51,7 +51,7 @@  int xtables_eb_main(int argc, char *argv[])
 
 	ret = do_commandeb(&h, argc, argv, &table, false);
 	if (ret)
-		ret = nft_commit(&h);
+		ret = nft_bridge_commit(&h);
 
 	if (!ret)
 		fprintf(stderr, "ebtables: %s\n", nft_strerror(errno));
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 601c842feab38..f930f5ba2d167 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -463,7 +463,7 @@  static int ebt_table_flush(struct nft_handle *h, const char *table)
 
 struct nft_xt_restore_cb ebt_restore_cb = {
 	.chain_list	= get_chain_list,
-	.commit		= nft_commit,
+	.commit		= nft_bridge_commit,
 	.table_new	= nft_table_new,
 	.table_flush	= ebt_table_flush,
 	.do_command	= do_commandeb,

[iptables,05/14] nft: Introduce nft_bridge_commit()

Commit Message

Comments

Patch