author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-22 20:41:03 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-23 20:28:22 +0200 |
commit | a72315d2bad47d99a18376290dd62336ca94ed95 (patch) | |
tree | f0c194f4ac38b1363b58fc33cd83c2b547b52bcb /src/rule.c | |
parent | e391b72b611403d184bbb26e3d076d543c7ea7c6 (diff) |
src: add rule batching support
This patch allows nft to put all rule update messages into one
single batch that is sent to the kernel if `-f' option is used.
In order to provide fine-grained error reporting, I decided to
correlate the netlink message sequence number with the
corresponding command sequence number, which is the same. Thus,
nft can identify what rules trigger problems inside a batch
and report them accordingly.
Moreover, to avoid playing buffer size games at batch building
stage, ie. guess what is the final size of the batch for this
ruleset update will be, this patch collects batch pages that
are converted to iovec to ensure linearization when the batch
is sent to the kernel. This reduces the amount of unnecessary
memory usage that is allocated for the batch.
This patch uses the libmnl nlmsg batching infrastructure and it
requires the kernel patch entitled (netfilter: nfnetlink: add batch
support and use it from nf_tables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 19 |
1 files changed, 8 insertions, 11 deletions
@@ -454,16 +454,11 @@ void cmd_free(struct cmd *cmd)
 static int do_add_chain(struct netlink_ctx *ctx, const struct handle *h,
			const struct location *loc, struct chain *chain)
 {
-	struct rule *rule;
-
 	if (netlink_add_chain(ctx, h, loc, chain) < 0)
 		return -1;
 	if (chain != NULL) {
-		list_for_each_entry(rule, &chain->rules, list) {
-			if (netlink_add_rule(ctx, &rule->handle, rule,
-					     NLM_F_APPEND) < 0)
-				return -1;
-		}
+		if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
+			return -1;
 	}
 	return 0;
 }
@@ -523,8 +518,8 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd)
 		return do_add_chain(ctx, &cmd->handle, &cmd->location,
				    cmd->chain);
 	case CMD_OBJ_RULE:
-		return netlink_add_rule(ctx, &cmd->handle, cmd->rule,
-					NLM_F_APPEND);
+		return netlink_add_rule_batch(ctx, &cmd->handle,
+					      cmd->rule, NLM_F_APPEND);
 	case CMD_OBJ_SET:
 		return do_add_set(ctx, &cmd->handle, cmd->set);
 	case CMD_OBJ_SETELEM:
@@ -539,7 +534,8 @@ static int do_command_insert(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	switch (cmd->obj) {
 	case CMD_OBJ_RULE:
-		return netlink_add_rule(ctx, &cmd->handle, cmd->rule, 0);
+		return netlink_add_rule_batch(ctx, &cmd->handle,
+					      cmd->rule, 0);
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
 	}
@@ -554,7 +550,8 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_CHAIN:
 		return netlink_delete_chain(ctx, &cmd->handle, &cmd->location);
 	case CMD_OBJ_RULE:
-		return netlink_delete_rule(ctx, &cmd->handle, &cmd->location);
+		return netlink_del_rule_batch(ctx, &cmd->handle,
+					      &cmd->location);
 	case CMD_OBJ_SET:
 		return netlink_delete_set(ctx, &cmd->handle, &cmd->location);
 	case CMD_OBJ_SETELEM:
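Review bot: In do_add_chain the new netlink_add_rule_list() call receives the chain handle `h`, whereas the removed loop passed each rule's own `&rule->handle`; unless the helper (defined outside this file) reads per-rule handle fields from the rule itself, any rule-specific handle data for rules listed inside a chain definition may no longer reach the kernel message. If that is the intended contract, a comment at the call site such as `/* rules in a chain body take the chain handle; netlink_add_rule_list() fills per-rule fields itself */` would make the change in semantics visible to the next reader. The hunk shows do_add_chain in full, but netlink_add_rule_list is not visible here, so this is inferred from the argument change alone.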
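Review bot: do_command_add now calls netlink_add_rule_batch() unconditionally, while the description says batching is used only when `-f` is given; unless the _batch helper itself falls back to an immediate send when no batch is open, the non-batched path would queue a rule that is never flushed. If that fallback lives inside the helper, a one-line comment at the call, `/* netlink_add_rule_batch() sends at once unless a batch is active */`, would save readers the lookup; the same question applies to do_command_insert and do_command_delete in the two following hunks. Each of these switch statements starts or continues outside its hunk.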