authorArturo Borrero <arturo.borrero.glez@gmail.com>2014-09-23 14:05:15 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-09-29 12:33:37 +0200
commit90a0f8c443bbe33676aeff4e9782aa6b0e6c0894 (patch)
treec5c9dd78ed5423f093fe997db595bddbee8df6e3 /src/rule.c
parent013dbc6b0a8490ba24805a8ae35d7707183b9615 (diff)
src: add set optimization options
This patch adds options to choose set optimization mechanisms. Two new statements are added to the set syntax, and they can be mixed: nft add set filter set1 { type ipv4_addr ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; } nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; } Also valid for maps: nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; } [...] This is the output format, which can be imported later with `nft -f': table filter { set set1 { type ipv4_addr policy memory size 1024 } } In this approach the parser accepts default options such as 'performance', given that they are valid configurations, but these defaults aren't sent to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r--src/rule.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/rule.c b/src/rule.c
index 80deb1b9..2fe25206 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -90,6 +90,8 @@ struct set *set_clone(const struct set *set)
newset->datatype = set->datatype;
newset->datalen = set->datalen;
newset->init = expr_clone(set->init);
+ newset->policy = set->policy;
+ newset->desc.size = set->desc.size;
return newset;
}
@@ -134,6 +136,18 @@ struct print_fmt_options {
const char *stmt_separator;
};
+static const char *set_policy2str(uint32_t policy)
+{
+ switch (policy) {
+ case NFT_SET_POL_PERFORMANCE:
+ return "performance";
+ case NFT_SET_POL_MEMORY:
+ return "memory";
+ default:
+ return "unknown";
+ }
+}
+
static void do_set_print(const struct set *set, struct print_fmt_options *opts)
{
const char *delim = "";
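Review bot: The `default:` arm of `set_policy2str()` returns "unknown", and the later hunk prints the helper's result straight after the `policy` keyword, so a set whose policy is neither `NFT_SET_POL_PERFORMANCE` nor `NFT_SET_POL_MEMORY` would be listed as `policy unknown`. The commit message says the listing is meant to be re-imported with `nft -f` and names only `memory` and `performance` as keywords, so such a dump would presumably fail to load, which matters when the listing is used to back up or restore a firewall ruleset. I would skip the policy line for unrecognised values, or at least document the limitation above the function, e.g. `/* "unknown" is for display only; the parser does not accept it */`. The parser is not part of this diff, so the reload failure is inferred, and `do_set_print()` only starts in this hunk.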
@@ -153,8 +167,22 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts)
printf("%s%stype %s", opts->tab, opts->tab, set->keytype->name);
if (set->flags & SET_F_MAP)
printf(" : %s", set->datatype->name);
+
printf("%s", opts->stmt_separator);
+ if (!(set->flags & (SET_F_CONSTANT))) {
+ if (set->policy != NFT_SET_POL_PERFORMANCE) {
+ printf("%s%spolicy %s%s", opts->tab, opts->tab,
+ set_policy2str(set->policy),
+ opts->stmt_separator);
+ }
+
+ if (set->desc.size > 0) {
+ printf("%s%ssize %u%s", opts->tab, opts->tab,
+ set->desc.size, opts->stmt_separator);
+ }
+ }
+
if (set->flags & (SET_F_CONSTANT | SET_F_INTERVAL)) {
printf("%s%sflags ", opts->tab, opts->tab);
if (set->flags & SET_F_CONSTANT) {
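Review bot: The new guard `if (!(set->flags & (SET_F_CONSTANT)))` drops both the `policy` and the `size` line for constant sets, and nothing in the hunk says why. If a constant set can carry a non-default policy or a size, the listing no longer describes the set that is actually loaded, and a ruleset restored from it would differ from the one that was reviewed; whether that can happen is not visible here. A short comment would settle it, e.g. `/* policy and size are not shown for constant sets: <reason> */`, and the inner parentheses around `SET_F_CONSTANT` can be dropped. `do_set_print()` begins before this hunk and continues after it.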