From 20f1c60ac8c88be3bdf3096083b24ada06570a77 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 23 Oct 2024 11:43:58 +0200 Subject: src: collapse set element commands from parser 498a5f0c219d ("rule: collapse set element commands") does not help to reduce memory consumption in the case of large sets defined by one element per line: add element ip x y { 1.1.1.1 } add element ip x y { 1.1.1.2 } ... This patch reduces memory consumption by ~75%, set elements are collapsed into an existing cmd object wherever possible to reduce the number of cmd objects. This patch also adds a special case for variables for sets similar to: be055af5c58d ("cmd: skip variable set elements when collapsing commands") This patch requires this small kernel fix: commit b53c116642502b0c85ecef78bff4f826a7dd4145 Author: Pablo Neira Ayuso Date: Fri May 20 00:02:06 2022 +0200 netfilter: nf_tables: set element extended ACK reporting support which is already included in recent -stable kernels: # cat ruleset.nft add table ip x add chain ip x y add set ip x y { type ipv4_addr; } create element ip x y { 1.1.1.1 } create element ip x y { 1.1.1.1 } # nft -f ruleset.nft ruleset.nft:5:25-31: Error: Could not process rule: File exists create element ip x y { 1.1.1.1 } ^^^^^^^ since there is no need to relate commands via sequence number anymore, this allows also removes the uncollapse step. Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Pablo Neira Ayuso --- include/cmd.h | 7 ++++--- include/expression.h | 1 - include/list.h | 11 +++++++++++ include/rule.h | 1 - 4 files changed, 15 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/cmd.h b/include/cmd.h index 92a4152b..0a8779b1 100644 --- a/include/cmd.h +++ b/include/cmd.h @@ -2,12 +2,13 @@ #define _NFT_CMD_H_ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc); +struct mnl_err; void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd, struct mnl_err *err); +bool nft_cmd_collapse_elems(enum cmd_ops op, struct list_head *cmds, + struct handle *handle, struct expr *init); + void nft_cmd_expand(struct cmd *cmd); -void nft_cmd_post_expand(struct cmd *cmd); -bool nft_cmd_collapse(struct list_head *cmds); -void nft_cmd_uncollapse(struct list_head *cmds); #endif diff --git a/include/expression.h b/include/expression.h index 8982110c..da2f693e 100644 --- a/include/expression.h +++ b/include/expression.h @@ -255,7 +255,6 @@ struct expr { enum expr_types etype:8; enum ops op:8; unsigned int len; - struct cmd *cmd; union { struct { diff --git a/include/list.h b/include/list.h index 857921e3..37fbe3e2 100644 --- a/include/list.h +++ b/include/list.h @@ -348,6 +348,17 @@ static inline void list_splice_tail_init(struct list_head *list, #define list_first_entry(ptr, type, member) \ list_entry((ptr)->next, type, member) +/** + * list_last_entry - get the last element from a list + * @ptr: the list head to take the element from. + * @type: the type of the struct this is embedded in. + * @member: the name of the list_head within the struct. + * + * Note, that list is expected to be not empty. + */ +#define list_last_entry(ptr, type, member) \ + list_entry((ptr)->prev, type, member) + /** * list_next_entry - get the next element in list * @pos: the type * to cursor diff --git a/include/rule.h b/include/rule.h index 5b3e12b5..a1628d82 100644 --- a/include/rule.h +++ b/include/rule.h @@ -718,7 +718,6 @@ struct cmd { enum cmd_obj obj; struct handle handle; uint32_t seqnum; - struct list_head collapse_list; union { void *data; struct expr *expr; -- cgit v1.2.3