| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-06-16 22:47:57 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-06-23 18:55:22 +0200 |
| commit | 5001be3b324d982a57af3dc90f421db4bffacf71 (patch) | |
| tree | b8da598487bd7c89c2e80ba9c3ffcb3891ec9a16 /src | |
| parent | 640312b1529c548790117635c91886a6c83e83f2 (diff) | |
src: use constant range expression for interval+concatenation sets
Expand 347039f64509 ("src: add symbol range expression to further
compact intervals") to use constant range expression for elements with
concatenation of intervals.
Ruleset with 100k elements of this type:
table inet x {
set y {
typeof ip saddr . tcp dport
flags interval
elements = {
0.1.2.0-0.1.2.240 . 0-1,
...
}
}
}
Memory consumption for this set:
Before: 123.80 Mbytes
After: 80.19 Mbytes (-35.23%)
This patch keeps the workaround 2fbade3cd990 ("netlink: bogus
concatenated set ranges with netlink message overrun") in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/evaluate.c | 7 | ||||
| -rw-r--r-- | src/netlink.c | 11 |
2 files changed, 15 insertions, 3 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index cc35f884..b00344a0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1740,6 +1740,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 break;
 case EXPR_RANGE:
 case EXPR_PREFIX:
+ case EXPR_RANGE_VALUE:
 /* allowed on RHS (e.g. th dport . mark { 1-65535 . 42 }
 * ~~~~~~~~ allowed
 * but not on LHS (e.g 1-4 . mark { ...}
@@ -1763,7 +1764,6 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 case EXPR_SET_REF:
 case EXPR_MAPPING:
 case EXPR_SET_ELEM_CATCHALL:
- case EXPR_RANGE_VALUE:
 case EXPR_RANGE_SYMBOL:
 return expr_error(ctx->msgs, i,
 "cannot use %s in concatenation",
@@ -1939,6 +1939,7 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr)
 switch (elem->key->etype) {
 case EXPR_PREFIX:
 case EXPR_RANGE:
+ case EXPR_RANGE_VALUE:
 key = elem->key;
 goto err_missing_flag;
 case EXPR_CONCAT:
@@ -1946,6 +1947,7 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr)
 switch (key->etype) {
 case EXPR_PREFIX:
 case EXPR_RANGE:
+ case EXPR_RANGE_VALUE:
 goto err_missing_flag;
 default:
 break;
@@ -2426,9 +2428,8 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
 left = range->left;
 right = range->right;
- /* concatenation and maps need more work to use constant_range_expr. */
+ /* maps need more work to use constant_range_expr. */
 if (ctx->set && !set_is_map(ctx->set->flags) &&
- set_is_non_concat_range(ctx->set) &&
 left->etype == EXPR_VALUE &&
 right->etype == EXPR_VALUE) {
 constant_range = constant_range_expr_alloc(&expr->location,
diff --git a/src/netlink.c b/src/netlink.c
index b5c092b4..31fe8b72 100644
--- a/src/netlink.c
+++ b/src/netlink.c
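Review bot: The rewritten comment in the evaluate.c expr_evaluate_symbol_range hunk now says only that maps need more work, but the commit message states that the concatenation path keeps relying on the 2fbade3cd990 ("netlink: bogus concatenated set ranges with netlink message overrun") workaround, and nothing at this condition tells a reader that the dropped set_is_non_concat_range() guard was traded for that workaround. Suggest `/* maps need more work to use constant_range_expr; concatenated ranges still depend on the netlink message overrun workaround (2fbade3cd990). */` so a later cleanup of either side knows they are coupled. The enclosing function continues outside the hunk.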
@@ -286,6 +286,17 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
 i = expr;
 break;
+ case EXPR_RANGE_VALUE:
+ if (flags & EXPR_F_INTERVAL_END)
+ mpz_init_set(value, i->range.high);
+ else
+ mpz_init_set(value, i->range.low);
+
+ if (expr_basetype(i)->type == TYPE_INTEGER &&
+ i->byteorder == BYTEORDER_HOST_ENDIAN)
+ byteorder_switch_expr_value(value, i);
+
+ break;
 case EXPR_PREFIX:
 if (flags & EXPR_F_INTERVAL_END) {
 int count; |
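Review bot: The new EXPR_RANGE_VALUE arm in __netlink_gen_concat_key selects i->range.high or i->range.low on EXPR_F_INTERVAL_END without a word on why, and the TYPE_INTEGER/BYTEORDER_HOST_ENDIAN switch that follows reads as a copy of another arm's logic; a one-line comment above the `if (flags & EXPR_F_INTERVAL_END)` such as `/* constant range: the interval-end key carries the upper bound, the start key the lower bound */` would make the bound selection self-explanatory. If the EXPR_VALUE arm of this switch, which lies outside the hunk, applies the same byteorder switch, the two arms could share a small static helper so the host-endian rule has a single home. The switch begins before and continues after the hunk, so the cleanup of `value` by the caller cannot be checked from here.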
