author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-08-22 11:33:27 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-08-23 19:16:50 +0200 |
commit | 70d99ce8bf8bd3dab84ea0a6249812b04ec95b8c (patch) | |
tree | ec0657b962a09a7c9595a66e98489adef3d8b94b /src/cache.c | |
parent | c791765cb0d62ba261f0b495e07315437b3ae914 (diff) |
cache: chain listing implicitly sets on terse option

If user specifies a chain to be listed (which is internally handled via
filtering options), then toggle NFT_CACHE_TERSE to skip fetching set
content from kernel for non-anonymous sets.

With a large IPv6 set with bogons, before this patch:

    # time nft list chain inet raw x
    table inet raw {
            chain x {
                    ip6 saddr @bogons6
                    ip6 saddr { aaaa::, bbbb:: }
            }
    }

    real 0m2,913s
    user 0m1,345s
    sys 0m1,568s

After this patch:

    # time nft list chain inet raw prerouting
    table inet raw {
            chain x {
                    ip6 saddr @bogons6
                    ip6 saddr { aaaa::, bbbb:: }
            }
    }

    real 0m0,056s
    user 0m0,018s
    sys 0m0,039s

This speeds up chain listing in the presence of a large set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/cache.c')
-rw-r--r-- | src/cache.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/cache.c b/src/cache.c index b6a7e194..db9a9a75 100644 --- a/src/cache.c +++ b/src/cache.c @@ -212,6 +212,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, filter->list.family = cmd->handle.family; filter->list.table = cmd->handle.table.name; filter->list.chain = cmd->handle.chain.name; + /* implicit terse listing to fetch content of anonymous + * sets only when chain name is specified. + */ + flags |= NFT_CACHE_TERSE; } flags |= NFT_CACHE_FULL; break; |
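Review bot: The new comment in evaluate_cache_list() is ambiguous: "to fetch content of anonymous sets only when chain name is specified" can be read as saying anonymous-set content is fetched only when a chain is named, while the commit message describes the opposite scope (when a chain is named, skip content of non-anonymous sets). Suggest rewording along the lines of "chain name specified: list tersely, fetching element content for anonymous sets only". Separately, `flags |= NFT_CACHE_TERSE;` sits in the same block as the `filter->list.chain = cmd->handle.chain.name;` assignment, but the condition guarding that block is outside the hunk's context. If the block can also be entered with no chain name set, terse mode would silently apply to other list commands and drop set elements from their output, so it is worth confirming the guard is chain-specific or setting the flag under an explicit check of `cmd->handle.chain.name`.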