cache: chain listing implicitly sets on terse option

If user specifies a chain to be listed (which is internally handled via filtering options), then toggle NFT_CACHE_TERSE to skip fetching set content from kernel for non-anonymous sets. With a large IPv6 set with bogons, before this patch: # time nft list chain inet raw x table inet raw { chain x { ip6 saddr @bogons6 ip6 saddr { aaaa::, bbbb:: } } } real 0m2,913s user 0m1,345s sys 0m1,568s After this patch: # time nft list chain inet raw prerouting table inet raw { chain x { ip6 saddr @bogons6 ip6 saddr { aaaa::, bbbb:: } } } real 0m0,056s user 0m0,018s sys 0m0,039s This speeds up chain listing in the presence of a large set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-08-22 11:33:27 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-08-23 19:16:50 +0200
commit: 70d99ce8bf8bd3dab84ea0a6249812b04ec95b8c (patch)
tree: ec0657b962a09a7c9595a66e98489adef3d8b94b /src/cache.c
parent: c791765cb0d62ba261f0b495e07315437b3ae914 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/cache.c b/src/cache.c
index b6a7e194..db9a9a75 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -212,6 +212,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 			filter->list.family = cmd->handle.family;
 			filter->list.table = cmd->handle.table.name;
 			filter->list.chain = cmd->handle.chain.name;
+			/* implicit terse listing to fetch content of anonymous
+			 * sets only when chain name is specified.
+			 */
+			flags |= NFT_CACHE_TERSE;
 		}
 		flags |= NFT_CACHE_FULL;
 		break;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-08-22 11:33:27 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-08-23 19:16:50 +0200
commit	70d99ce8bf8bd3dab84ea0a6249812b04ec95b8c (patch)
tree	ec0657b962a09a7c9595a66e98489adef3d8b94b /src/cache.c
parent	c791765cb0d62ba261f0b495e07315437b3ae914 (diff)