diff options
author | Phil Sutter <phil@nwl.cc> | 2021-11-29 15:28:33 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2021-12-03 12:50:18 +0100 |
commit | a37212f2fd90739e17f3dbb96ea6284d7755bf5f (patch) | |
tree | c508b297db88ff2e2ff0e76f408173c0b33041d6 | |
parent | 49ac868a0d5b99bad5dbf5603ebf02237a37459d (diff) |
cache: Filter tables on kernel side
Instead of requesting a dump of all tables and filtering the data in
user space, construct a non-dump request if filter contains a table so
kernel returns only that single table.
This should improve nft performance in rulesets with many tables
present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | include/mnl.h | 2 | ||||
-rw-r--r-- | include/netlink.h | 3 | ||||
-rw-r--r-- | src/cache.c | 9 | ||||
-rw-r--r-- | src/mnl.c | 22 | ||||
-rw-r--r-- | src/netlink.c | 12 |
5 files changed, 33 insertions, 15 deletions
diff --git a/include/mnl.h b/include/mnl.h index 68ec80cd..344030f3 100644 --- a/include/mnl.h +++ b/include/mnl.h @@ -50,7 +50,7 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd, int mnl_nft_table_del(struct netlink_ctx *ctx, struct cmd *cmd); struct nftnl_table_list *mnl_nft_table_dump(struct netlink_ctx *ctx, - int family); + int family, const char *table); int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags); diff --git a/include/netlink.h b/include/netlink.h index a692edcd..0e439061 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -135,7 +135,8 @@ extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h); extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc); -extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h); +extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, + const struct nft_cache_filter *filter); extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt); diff --git a/src/cache.c b/src/cache.c index 6d20716d..66da2b34 100644 --- a/src/cache.c +++ b/src/cache.c @@ -772,19 +772,12 @@ static int cache_init_tables(struct netlink_ctx *ctx, struct handle *h, struct table *table, *next; int ret; - ret = netlink_list_tables(ctx, h); + ret = netlink_list_tables(ctx, h, filter); if (ret < 0) return -1; list_for_each_entry_safe(table, next, &ctx->list, list) { list_del(&table->list); - - if (filter && filter->list.table && - (filter->list.family != table->handle.family || - strcmp(filter->list.table, table->handle.table.name))) { - table_free(table); - continue; - } table_cache_add(table, cache); } @@ -1016,10 +1016,12 @@ err_free: } struct nftnl_table_list *mnl_nft_table_dump(struct netlink_ctx *ctx, - int family) + int family, const char *table) { char buf[MNL_SOCKET_BUFFER_SIZE]; struct nftnl_table_list *nlt_list; + struct nftnl_table *nlt = NULL; + int flags = NLM_F_DUMP; struct nlmsghdr *nlh; int ret; @@ -1027,11 +1029,25 @@ struct nftnl_table_list *mnl_nft_table_dump(struct netlink_ctx *ctx, if (nlt_list == NULL) return NULL; + if (table) { + nlt = nftnl_table_alloc(); + if (!nlt) + memory_allocation_error(); + + nftnl_table_set_u32(nlt, NFTNL_TABLE_FAMILY, family); + nftnl_table_set_str(nlt, NFTNL_TABLE_NAME, table); + flags = NLM_F_ACK; + } + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family, - NLM_F_DUMP, ctx->seqnum); + flags, ctx->seqnum); + if (nlt) { + nftnl_table_nlmsg_build_payload(nlh, nlt); + nftnl_table_free(nlt); + } ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, table_cb, nlt_list); - if (ret < 0) + if (ret < 0 && errno != ENOENT) goto err; return nlt_list; diff --git a/src/netlink.c b/src/netlink.c index ab90d0c0..f74c0383 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -664,11 +664,19 @@ static int list_table_cb(struct nftnl_table *nlt, void *arg) return 0; } -int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h) +int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, + const struct nft_cache_filter *filter) { struct nftnl_table_list *table_cache; + uint32_t family = h->family; + const char *table = NULL; - table_cache = mnl_nft_table_dump(ctx, h->family); + if (filter) { + family = filter->list.family; + table = filter->list.table; + } + + table_cache = mnl_nft_table_dump(ctx, family, table); if (table_cache == NULL) { if (errno == EINTR) return -1; |