From e2883c5531e6ee269845a8a11e09dd07efa2088f Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 25 Sep 2019 13:49:19 +0200 Subject: nft-cache: Support partial cache per table Accept a builtin_table pointer in __nft_build_cache() and pass it along when fetching chains and rules to operate on that table only (unless the pointer is NULL). Make use of it in nft_chain_list_get() since that accepts a table name and performs a builtin table lookup internally already. Signed-off-by: Phil Sutter Acked-by: Pablo Neira Ayuso --- iptables/nft-cache.c | 82 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 25 deletions(-) (limited to 'iptables/nft-cache.c') diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c index afb2126b..822d6f20 100644 --- a/iptables/nft-cache.c +++ b/iptables/nft-cache.c @@ -11,6 +11,7 @@ #include #include +#include #include #include @@ -105,13 +106,19 @@ static int fetch_table_cache(struct nft_handle *h) return 1; } +struct nftnl_chain_list_cb_data { + struct nft_handle *h; + const struct builtin_table *t; +}; + static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data) { - struct nft_handle *h = data; - const struct builtin_table *t; + struct nftnl_chain_list_cb_data *d = data; + const struct builtin_table *t = d->t; struct nftnl_chain_list *list; + struct nft_handle *h = d->h; + const char *tname, *cname; struct nftnl_chain *c; - const char *cname; c = nftnl_chain_alloc(); if (c == NULL) @@ -120,10 +127,15 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data) if (nftnl_chain_nlmsg_parse(nlh, c) < 0) goto out; - t = nft_table_builtin_find(h, - nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE)); - if (!t) + tname = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE); + + if (!t) { + t = nft_table_builtin_find(h, tname); + if (!t) + goto out; + } else if (strcmp(t->name, tname)) { goto out; + } list = h->cache->table[t->type].chains; cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); @@ -140,30 +152,41 @@ err: return MNL_CB_OK; } -static int fetch_chain_cache(struct nft_handle *h) +static int fetch_chain_cache(struct nft_handle *h, + const struct builtin_table *t) { + struct nftnl_chain_list_cb_data d = { + .h = h, + .t = t, + }; char buf[16536]; struct nlmsghdr *nlh; int i, ret; - for (i = 0; i < NFT_TABLE_MAX; i++) { - enum nft_table_type type = h->tables[i].type; + if (!t) { + for (i = 0; i < NFT_TABLE_MAX; i++) { + enum nft_table_type type = h->tables[i].type; - if (!h->tables[i].name) - continue; + if (!h->tables[i].name) + continue; - if (h->cache->table[type].chains) - continue; + if (h->cache->table[type].chains) + continue; - h->cache->table[type].chains = nftnl_chain_list_alloc(); - if (!h->cache->table[type].chains) + h->cache->table[type].chains = nftnl_chain_list_alloc(); + if (!h->cache->table[type].chains) + return -1; + } + } else if (!h->cache->table[t->type].chains) { + h->cache->table[t->type].chains = nftnl_chain_list_alloc(); + if (!h->cache->table[t->type].chains) return -1; } nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, h->family, NLM_F_DUMP, h->seq); - ret = mnl_talk(h, nlh, nftnl_chain_list_cb, h); + ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d); if (ret < 0 && errno == EINTR) assert(nft_restart(h) >= 0); @@ -224,10 +247,14 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data) return 0; } -static int fetch_rule_cache(struct nft_handle *h) +static int fetch_rule_cache(struct nft_handle *h, const struct builtin_table *t) { int i; + if (t) + return nftnl_chain_list_foreach(h->cache->table[t->type].chains, + nft_rule_list_update, h); + for (i = 0; i < NFT_TABLE_MAX; i++) { enum nft_table_type type = h->tables[i].type; @@ -241,7 +268,8 @@ static int fetch_rule_cache(struct nft_handle *h) return 0; } -static void __nft_build_cache(struct nft_handle *h, enum nft_cache_level level) +static void __nft_build_cache(struct nft_handle *h, enum nft_cache_level level, + const struct builtin_table *t) { uint32_t genid_start, genid_stop; @@ -260,12 +288,12 @@ retry: break; /* fall through */ case NFT_CL_TABLES: - fetch_chain_cache(h); + fetch_chain_cache(h, t); if (level == NFT_CL_CHAINS) break; /* fall through */ case NFT_CL_CHAINS: - fetch_rule_cache(h); + fetch_rule_cache(h, t); if (level == NFT_CL_RULES) break; /* fall through */ @@ -279,14 +307,18 @@ retry: goto retry; } - h->cache_level = level; + if (!t) + h->cache_level = level; + else if (h->cache_level < NFT_CL_TABLES) + h->cache_level = NFT_CL_TABLES; + h->nft_genid = genid_start; } void nft_build_cache(struct nft_handle *h) { if (h->cache_level < NFT_CL_RULES) - __nft_build_cache(h, NFT_CL_RULES); + __nft_build_cache(h, NFT_CL_RULES, NULL); } void nft_fake_cache(struct nft_handle *h) @@ -385,7 +417,7 @@ void nft_rebuild_cache(struct nft_handle *h) __nft_flush_cache(h); h->cache_level = NFT_CL_NONE; - __nft_build_cache(h, level); + __nft_build_cache(h, level, NULL); } void nft_release_cache(struct nft_handle *h) @@ -396,7 +428,7 @@ void nft_release_cache(struct nft_handle *h) struct nftnl_table_list *nftnl_table_list_get(struct nft_handle *h) { - __nft_build_cache(h, NFT_CL_TABLES); + __nft_build_cache(h, NFT_CL_TABLES, NULL); return h->cache->tables; } @@ -410,7 +442,7 @@ struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h, if (!t) return NULL; - __nft_build_cache(h, NFT_CL_CHAINS); + __nft_build_cache(h, NFT_CL_CHAINS, t); return h->cache->table[t->type].chains; } -- cgit v1.2.3