| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-22 20:41:03 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-23 20:28:22 +0200 |
| commit | a72315d2bad47d99a18376290dd62336ca94ed95 (patch) | |
| tree | f0c194f4ac38b1363b58fc33cd83c2b547b52bcb /include/mnl.h | |
| parent | e391b72b611403d184bbb26e3d076d543c7ea7c6 (diff) | |
src: add rule batching support
This patch allows nft to put all rule update messages into one
single batch that is sent to the kernel if `-f' option is used.
In order to provide fine grain error reporting, I decided to
correlate the netlink message sequence number with the
corresponding command sequence number, which is the same. Thus,
nft can identify what rules trigger problems inside a batch
and report them accordingly.
Moreover, to avoid playing buffer size games at batch building
stage, i.e. guessing what the final size of the batch for this
ruleset update will be, this patch collects batch pages that
are converted to iovec to ensure linearization when the batch
is sent to the kernel. This reduces the amount of unnecessary
memory usage that is allocated for the batch.
This patch uses the libmnl nlmsg batching infrastructure and it
requires the kernel patch entitled (netfilter: nfnetlink: add batch
support and use it from nf_tables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/mnl.h')
| -rw-r--r-- | include/mnl.h | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/include/mnl.h b/include/mnl.h index bd244898..fe2fb400 100644 --- a/include/mnl.h +++ b/include/mnl.h @@ -1,6 +1,31 @@ #ifndef _NFTABLES_MNL_H_ #define _NFTABLES_MNL_H_ +#include <list.h> + +struct mnl_socket; + +uint32_t mnl_seqnum_alloc(void); + +struct mnl_err { + struct list_head head; + int err; + uint32_t seqnum; +}; + +void mnl_err_list_free(struct mnl_err *err); + +void mnl_batch_init(void); +bool mnl_batch_ready(void); +void mnl_batch_reset(void); +void mnl_batch_begin(void); +void mnl_batch_end(void); +int mnl_batch_talk(struct mnl_socket *nl, struct list_head *err_list); +int mnl_nft_rule_batch_add(struct nft_rule *nlr, unsigned int flags, + uint32_t seqnum); +int mnl_nft_rule_batch_del(struct nft_rule *nlr, unsigned int flags, + uint32_t seqnum); + int mnl_nft_rule_add(struct mnl_socket *nf_sock, struct nft_rule *r, unsigned int flags); int mnl_nft_rule_delete(struct mnl_socket *nf_sock, struct nft_rule *r, |
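Review bot: the new prototypes in this hunk use `uint32_t` (mnl_seqnum_alloc, struct mnl_err, mnl_nft_rule_batch_add/del) and `bool` (mnl_batch_ready) while the only include added is `#include <list.h>`, so the header is no longer self-contained and will fail to compile in any translation unit that has not already pulled in <stdint.h> and <stdbool.h>; add `#include <stdint.h>` and `#include <stdbool.h>` next to `#include <list.h>`. The batch API (mnl_batch_init, mnl_batch_ready, mnl_batch_reset, mnl_batch_begin, mnl_batch_end, mnl_batch_talk) takes no batch handle, so it operates on hidden global state; a one-line comment stating that only one batch can be built at a time per process would help callers. The `err_list` contract of `int mnl_batch_talk(struct mnl_socket *nl, struct list_head *err_list);` is also undocumented: say that the caller passes an initialized list_head, that the entries appended are `struct mnl_err` keyed by `seqnum` (matching the command sequence number, per the commit message), that the caller must release them with mnl_err_list_free, and what the int return value means relative to the per-message errors collected in the list.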