authorPablo Neira Ayuso <pablo@netfilter.org>2014-05-19 12:18:04 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-05-19 12:18:06 +0200
commit337636fc670eaed5c7146f99af8719018f63fe3b (patch)
tree7ddacf7ef5052951706748180432e6c0605319b7 /include
parentef184c4e844eac8c3eda0c8c6fc1370078a9d66a (diff)
src: add set netlink message to the batch
This patch moves the netlink set messages to the batch that contains the rules. This helps to speed up rule-set restoration time by changing the operational. To achieve this, an internal set ID which is unique to the batch is allocated as suggested by Patrick. To retain backward compatibility, nft initially guesses if the kernel supports sets in batches. Otherwise, it falls back to the previous (slower) operational. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/mnl.h11
-rw-r--r--include/netlink.h3
-rw-r--r--include/rule.h2
3 files changed, 16 insertions, 0 deletions
diff --git a/include/mnl.h b/include/mnl.h
index ece7ee7f..f25dd533 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -53,16 +53,24 @@ int mnl_nft_table_get(struct mnl_socket *nf_sock, struct nft_table *nlt,
int mnl_nft_set_add(struct mnl_socket *nf_sock, struct nft_set *nls,
unsigned int flags);
+int mnl_nft_set_batch_add(struct mnl_socket *nf_sock, struct nft_set *nls,
+ unsigned int flags, uint32_t seq);
int mnl_nft_set_delete(struct mnl_socket *nf_sock, struct nft_set *nls,
unsigned int flags);
+int mnl_nft_set_batch_del(struct mnl_socket *nf_sock, struct nft_set *nls,
+ unsigned int flags, uint32_t seq);
struct nft_set_list *mnl_nft_set_dump(struct mnl_socket *nf_sock, int family,
const char *table);
int mnl_nft_set_get(struct mnl_socket *nf_sock, struct nft_set *nls);
int mnl_nft_setelem_add(struct mnl_socket *nf_sock, struct nft_set *nls,
unsigned int flags);
+int mnl_nft_setelem_batch_add(struct mnl_socket *nf_sock, struct nft_set *nls,
+ unsigned int flags, uint32_t seq);
int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nft_set *nls,
unsigned int flags);
+int mnl_nft_setelem_batch_del(struct mnl_socket *nf_sock, struct nft_set *nls,
+ unsigned int flags, uint32_t seq);
int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls);
struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
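Review bot: The four new `_batch_` prototypes (`mnl_nft_set_batch_add`, `mnl_nft_set_batch_del`, `mnl_nft_setelem_batch_add`, `mnl_nft_setelem_batch_del`) carry no comment saying how they differ from the immediate variants beside them or what `seq` must be. If they only queue a message, as the commit description suggests, a zero return does not mean the kernel accepted the set, and callers should know that errors surface only when the batch is sent. I would put one comment above the group, for example `/* _batch_ variants append the message to the pending batch using sequence number seq; kernel errors are reported when the batch is sent, not here. */`, adjusted to what the implementation really does. As a style point, the new names use `_del` while the existing ones in this hunk use `_delete`, which makes the pairs harder to grep.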
@@ -70,4 +78,7 @@ struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
int mnl_nft_event_listener(struct mnl_socket *nf_sock,
int (*cb)(const struct nlmsghdr *nlh, void *data),
void *cb_data);
+
+bool mnl_batch_supported(struct mnl_socket *nf_sock);
+
#endif /* _NFTABLES_MNL_H_ */
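Review bot: `mnl_batch_supported()` returns a plain `bool`, so a caller cannot tell "kernel has no set-in-batch support" from "the probe itself failed", for instance on a socket or permission error. The same applies to `netlink_batch_supported()` added in include/netlink.h. According to the commit description a false result selects the older non-batch path, so a transient probe failure would presumably move set updates out of the batch that carries the rules without any diagnostic. The header should at least document this, for example `/* true only if the kernel accepted the probe; false also covers probe errors, and callers then use the non-batch set path */`. The implementation should log when the fallback is taken.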
diff --git a/include/netlink.h b/include/netlink.h
index eca4a483..4ef7365f 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -30,6 +30,7 @@ struct netlink_ctx {
struct set *set;
const void *data;
uint32_t seqnum;
+ bool batch_supported;
};
extern struct nft_table *alloc_nft_table(const struct handle *h);
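Review bot: `batch_supported` is added to `struct netlink_ctx` with no indication of who sets it or when. A context that is built on the stack without assigning the field would hold an indeterminate value, and a zeroed one would silently take the non-batch path. The initialisation sites are outside this diff, so this is a request to confirm that every place constructing a `netlink_ctx` assigns it. A trailing comment would record the contract, for example `bool batch_supported; /* set from netlink_batch_supported() before any set command is issued */`. The struct begins above the hunk.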
@@ -153,4 +154,6 @@ struct netlink_mon_handler {
};
extern int netlink_monitor(struct netlink_mon_handler *monhandler);
+bool netlink_batch_supported(void);
+
#endif /* NFTABLES_NETLINK_H */
diff --git a/include/rule.h b/include/rule.h
index da604a54..ebdafe8a 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -14,6 +14,7 @@
* @set: set name (sets only)
* @handle: rule handle (rules only)
* @position: rule position (rules only)
+ * @set_id: set ID (sets only)
* @comment: human-readable comment (rules only)
*/
struct handle {
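Review bot: The new kernel-doc line `@set_id: set ID (sets only)` leaves out the property the commit description relies on, namely that the ID is internal and unique only within one batch. A reader could take it for a kernel-assigned identifier like `@handle` and compare or persist it across transactions. I would write `@set_id: batch-local set ID, unique only within the current batch (sets only)`. The `set_id` field itself is added in the next hunk of include/rule.h.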
@@ -23,6 +24,7 @@ struct handle {
const char *set;
uint64_t handle;
uint64_t position;
+ uint32_t set_id;
const char *comment;
};