author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-08-29 12:42:14 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-08-30 12:34:10 +0200 |
commit | 4984da8cc427974ea63796fa60a791b714a71440 (patch) | |
tree | d9de077cfc25fbe7dec510a12e1f12c2bab708bf | |
parent | 53a503ad4a1abfa0374b3d12e884b69dc6df4b4f (diff) |
cache: relax requirement for replace rule command
No need for a full cache: this command addresses the rule by its handle,
which userspace does not validate (the kernel does). Cache requirements are
therefore similar to those of the add/create/delete rule commands.
This speeds up incremental updates with large rulesets.
Extend tests/coverage for rule replacement.
Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Tested-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/cache.c | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/rule_management/0004replace_0 | 8 | ||||
-rw-r--r-- | tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft | 49 | ||||
-rw-r--r-- | tests/shell/testcases/rule_management/dumps/0004replace_0.nft | 11 |
4 files changed, 66 insertions, 6 deletions
diff --git a/src/cache.c b/src/cache.c
index fce71eed..b738a633 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -494,8 +494,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 case CMD_CREATE:
 flags = evaluate_cache_add(cmd, flags);
 break;
- case CMD_REPLACE:
- flags = NFT_CACHE_FULL;
+ case CMD_REPLACE: /* only for rule */
+ flags = NFT_CACHE_TABLE | NFT_CACHE_SET;
 break;
 case CMD_DELETE:
 case CMD_DESTROY:
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0
index c3329af5..18dc4a9f 100755
--- a/tests/shell/testcases/rule_management/0004replace_0
+++ b/tests/shell/testcases/rule_management/0004replace_0
@@ -6,5 +6,9 @@ set -e
 $NFT add table t
 $NFT add chain t c
-$NFT add rule t c accept # should have handle 2
-$NFT replace rule t c handle 2 drop
+$NFT 'add set t s1 { type ipv4_addr; }'
+$NFT 'add set t s2 { type ipv4_addr; flags interval; }'
+$NFT add rule t c accept # should have handle 4
+$NFT replace rule t c handle 4 drop
+$NFT replace rule t c handle 4 ip saddr { 1.1.1.1, 2.2.2.2 }
+$NFT replace rule t c handle 4 ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 }
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
index 5d0b7d06..767e80f1 100644
--- a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
@@ -23,6 +23,27 @@
 }
 },
 {
+ "set": {
+ "family": "ip",
+ "name": "s1",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s2",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ]
+ }
+ },
+ {
 "rule": {
 "family": "ip",
 "table": "t",
@@ -30,7 +51,33 @@
 "handle": 0,
 "expr": [
 {
- "drop": null
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@s2"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "set": [
+ "3.3.3.3",
+ "4.4.4.4"
+ ]
+ }
+ }
 }
 ]
 }
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
index e20952ef..803c0deb 100644
--- a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
@@ -1,5 +1,14 @@
 table ip t {
+ set s1 {
+ type ipv4_addr
+ }
+
+ set s2 {
+ type ipv4_addr
+ flags interval
+ }
+
 chain c {
- drop
+ ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 }
 }
 }
|
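Review bot: The new `CMD_REPLACE` case hard-codes `NFT_CACHE_TABLE | NFT_CACHE_SET`, whereas the `CMD_ADD`/`CMD_CREATE` cases directly above derive their flags from `evaluate_cache_add(cmd, flags)`; if that helper asks for more in its rule case (a chain or object cache for rules that `jump` to a chain or reference a named counter/quota, say — its body is not visible from this hunk), a replacement rule is evaluated against a smaller cache than the equivalent add and the two paths can silently drift apart. Given the commit message states the requirements are the same as add/create/delete, the safer form is to reuse the helper: `case CMD_REPLACE: /* only for rule */` followed by `flags = evaluate_cache_add(cmd, flags);`. If the explicit flag set is intentional, a comment saying why the rule branch of evaluate_cache_add is not reused here would spare the next reader the same question. nft_cache_evaluate continues outside the hunk.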
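Review bot: The extended test only replaces with rules that reference anonymous sets and a named set, which is exactly the pair of caches the new code requests, so it cannot catch a replacement that needs something else; a rule referencing a second chain or a named map would be a more discriminating check of the relaxed cache requirement, e.g. `$NFT add chain t c2` and `$NFT replace rule t c handle 4 ip saddr @s2 jump c2` (the .nft and .json-nft dumps would need updating to match). The `# should have handle 4` comment encodes the creation order of table, chain and the two sets; if that is a deliberate assumption it is worth spelling out, e.g. `# table, chain, s1, s2 consume the earlier handles`.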