From 95781fcbddcd6524f67a3357c0cf91f13be24053 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Mon, 29 Nov 2021 15:36:45 +0100 Subject: cache: Filter rule list on kernel side Instead of fetching all existing rules in kernel's ruleset and filtering in user space, add payload to the dump request specifying the table and chain to filter for. Since list_rule_cb() no longer needs the filter, pass only netlink_ctx to the callback and drop struct rule_cache_dump_ctx. Signed-off-by: Phil Sutter --- src/cache.c | 23 +++-------------------- src/mnl.c | 21 +++++++++++++++++++-- 2 files changed, 22 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/src/cache.c b/src/cache.c index 66da2b34..484efdb9 100644 --- a/src/cache.c +++ b/src/cache.c @@ -441,16 +441,9 @@ struct chain *chain_cache_find(const struct table *table, const char *name) return NULL; } -struct rule_cache_dump_ctx { - struct netlink_ctx *nlctx; - const struct nft_cache_filter *filter; -}; - static int list_rule_cb(struct nftnl_rule *nlr, void *data) { - struct rule_cache_dump_ctx *rule_ctx = data; - const struct nft_cache_filter *filter = rule_ctx->filter; - struct netlink_ctx *ctx = rule_ctx->nlctx; + struct netlink_ctx *ctx = data; const struct handle *h = ctx->data; const char *table, *chain; struct rule *rule; @@ -465,12 +458,6 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data) (h->chain.name && strcmp(chain, h->chain.name) != 0)) return 0; - if (filter && filter->list.table && filter->list.chain && - (filter->list.family != family || - strcmp(filter->list.table, table) || - strcmp(filter->list.chain, chain))) - return 0; - netlink_dump_rule(nlr, ctx); rule = netlink_delinearize_rule(ctx, nlr); list_add_tail(&rule->list, &ctx->list); @@ -481,13 +468,9 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data) static int rule_cache_init(struct netlink_ctx *ctx, const struct handle *h, const struct nft_cache_filter *filter) { - struct rule_cache_dump_ctx rule_ctx = { - .nlctx = ctx, - .filter = filter, - }; struct nftnl_rule_list *rule_cache; - rule_cache = mnl_nft_rule_dump(ctx, h->family); + rule_cache = mnl_nft_rule_dump(ctx, h->family, filter); if (rule_cache == NULL) { if (errno == EINTR) return -1; @@ -496,7 +479,7 @@ static int rule_cache_init(struct netlink_ctx *ctx, const struct handle *h, } ctx->data = h; - nftnl_rule_list_foreach(rule_cache, list_rule_cb, &rule_ctx); + nftnl_rule_list_foreach(rule_cache, list_rule_cb, ctx); nftnl_rule_list_free(rule_cache); return 0; } diff --git a/src/mnl.c b/src/mnl.c index 21b98e34..26f643fb 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -653,20 +653,37 @@ err_free: return MNL_CB_OK; } -struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, - int family) +struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, int family, + const struct nft_cache_filter *filter) { char buf[MNL_SOCKET_BUFFER_SIZE]; struct nftnl_rule_list *nlr_list; + struct nftnl_rule *nlr = NULL; struct nlmsghdr *nlh; int ret; + if (filter && filter->list.table) { + nlr = nftnl_rule_alloc(); + if (!nlr) + memory_allocation_error(); + + nftnl_rule_set_str(nlr, NFTNL_RULE_TABLE, + filter->list.table); + if (filter->list.chain) + nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, + filter->list.chain); + } + nlr_list = nftnl_rule_list_alloc(); if (nlr_list == NULL) memory_allocation_error(); nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, NLM_F_DUMP, ctx->seqnum); + if (nlr) { + nftnl_rule_nlmsg_build_payload(nlh, nlr); + nftnl_rule_free(nlr); + } ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, rule_cb, nlr_list); if (ret < 0) -- cgit v1.2.3