path: root/src/optimize.c
Commit message | Author | Age | Files | Lines
* optimize: do not merge raw payload expressions | Pablo Neira Ayuso | 2022-01-26 | 1 file | -0/+3
  Merging raw expressions results in a valid concatenation which throws:

    Error: can not use variable sized data types (integer) in concat expressions

  Disable merging raw expressions until this is supported by skipping raw expressions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: check for payload base and offset when searching for mergers | Pablo Neira Ayuso | 2022-01-26 | 1 file | -0/+4
  Extend the existing checks to cover the payload base and offset.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merge verdict maps with same lookup key | Pablo Neira Ayuso | 2022-01-26 | 1 file | -12/+93
  Merge two consecutive verdict maps with the same lookup key. For instance, merge the following:

    table inet x {
      chain filter_in_tcp {
        tcp dport vmap {
          80 : accept,
          81 : accept,
          443 : accept,
          931 : accept,
          5001 : accept,
          5201 : accept,
        }
        tcp dport vmap {
          6800-6999 : accept,
          33434-33499 : accept,
        }
      }
    }

  into:

    table inet x {
      chain filter_in_tcp {
        tcp dport vmap {
          80 : accept,
          81 : accept,
          443 : accept,
          931 : accept,
          5001 : accept,
          5201 : accept,
          6800-6999 : accept,
          33434-33499 : accept,
        }
      }
    }

  This patch updates the statement comparison routine to inspect the verdict expression type to detect a possible merger.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: add __expr_cmp() | Pablo Neira Ayuso | 2022-01-26 | 1 file | -46/+52
  Add a helper function to compare expressions, to allow for reuse.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: silence compiler warnings | Florian Westphal | 2022-01-15 | 1 file | -1/+1
    cache.c:504:22: warning: 'chain' may be used uninitialized in this function [-Wmaybe-uninitialized]
    cache.c:504:22: warning: 'table' may be used uninitialized in this function [-Wmaybe-uninitialized]
    erec.c:128:16: warning: 'line' may be used uninitialized in this function [-Wmaybe-uninitialized]
    optimize.c:524:9: warning: 'line' may be used uninitialized in this function [-Wmaybe-uninitialized]

  Fixes: 8ad4056e9182 ("erec: expose print_location() and line_location()")
  Fixes: afbd102211dc ("src: do not use the nft_cache_filter object from mnl.c")
  Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure")
  Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: merge several selectors with different verdict into verdict map | Pablo Neira Ayuso | 2022-01-15 | 1 file | -1/+56
  Transform:

    ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
    ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

  into:

    ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merge same selector with different verdict into verdict map | Pablo Neira Ayuso | 2022-01-15 | 1 file | -15/+147
  Transform:

    ct state invalid drop
    ct state established,related accept

  into:

    ct state vmap { established : accept, related : accept, invalid : drop }

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merge rules with same selectors into a concatenation | Pablo Neira Ayuso | 2022-01-15 | 1 file | -1/+43
  This patch extends the ruleset optimization infrastructure to collapse several rules with the same selectors into a concatenation.

  Transform:

    meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
    meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.6 accept

  into:

    meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.6, eth1 . 1.1.1.2 . 2.2.2.5 , eth1 . 1.1.1.3 . 2.2.2.6 } accept

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ruleset optimization infrastructure | Pablo Neira Ayuso | 2022-01-15 | 1 file | -0/+478
  This patch adds a new -o/--optimize option to enable ruleset optimization. You can combine this option with the dry run mode (--check) to review the proposed ruleset updates without actually loading the ruleset, e.g.

    # nft -c -o -f ruleset.test
    Merging:
    ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
    ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
    ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
    into:
    ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  This infrastructure collects the common statements that are used in rules, then it builds a matrix of rules vs. statements. Then, it looks for common statements in consecutive rules, which allows rules to be merged.

  This ruleset optimization always performs an implicit dry run to validate that the original ruleset is correct. Then, on a second pass, it performs the ruleset optimization and adds the rules into the kernel (unless --check has been specified by the user).

  From the libnftables perspective, there is a new API to enable this feature:

    uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx);
    void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags);

  This patch adds support for the first optimization: collapse a linear list of rules matching on a single selector into a set, as exposed in the example above.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
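The merge rules described across the commit messages above (set for a single selector, concatenation set for several selectors with one verdict, verdict map when verdicts differ), modelled as an added example; this is not nft's own src/optimize.c, and the Rule structure, the `optimize()`/`render()` helpers and the sample rules are constructed here. It does not expand flag lists such as established,related, does not check payload base or offset, and prints `counter` without packet and byte counts.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Rule:
    selectors: List[Tuple[str, str]]  # ordered (selector, value) pairs
    stmts: List[str]                  # non-verdict statements, e.g. ["counter"]
    verdict: str                      # "accept", "drop", ...

def mergeable(a: Rule, b: Rule) -> bool:
    # Merge only rules with identical selector keys and non-verdict statements.
    return ([k for k, _ in a.selectors] == [k for k, _ in b.selectors]
            and a.stmts == b.stmts)

def render(group: List[Rule]) -> str:
    stmts = " ".join(group[0].stmts)
    if len(group) == 1:                         # nothing to merge
        r = group[0]
        lhs = " ".join(f"{k} {v}" for k, v in r.selectors)
        return " ".join(x for x in (lhs, stmts, r.verdict) if x)
    lhs = " . ".join(k for k, _ in group[0].selectors)
    keys = [" . ".join(v for _, v in r.selectors) for r in group]
    if len({r.verdict for r in group}) == 1:    # same verdict: (concat) set
        rhs = f"{lhs} {{ {', '.join(keys)} }}"
        return " ".join(x for x in (rhs, stmts, group[0].verdict) if x)
    elems = ", ".join(f"{k} : {r.verdict}" for k, r in zip(keys, group))
    return " ".join(x for x in (f"{lhs} vmap {{ {elems} }}", stmts) if x)

def optimize(rules: List[Rule]) -> List[str]:
    out, group = [], []
    for r in rules:                             # consecutive rules only
        if group and not mergeable(group[-1], r):
            out.append(render(group))
            group = []
        group.append(r)
    if group:
        out.append(render(group))
    return out

def demo() -> List[str]:
    # Constructed input modelled on the examples in the commit messages.
    rules = [
        Rule([("ip daddr", "192.168.0.1")], ["counter"], "accept"),
        Rule([("ip daddr", "192.168.0.2")], ["counter"], "accept"),
        Rule([("ip daddr", "192.168.0.3")], ["counter"], "accept"),
        Rule([("ip saddr", "1.1.1.1"), ("ip daddr", "2.2.2.2")], [], "accept"),
        Rule([("ip saddr", "2.2.2.2"), ("ip daddr", "3.3.3.3")], [], "drop"),
    ]
    return optimize(rules)
```

Because only consecutive rules are considered, reordering the input changes what gets merged, which is why the real optimizer reports each merge under `-c -o` for review.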