From 94a945ffa81b7f1db250e519f0b4b808428ab223 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 25 Oct 2017 13:40:29 +0200 Subject: libnftables: Get rid of explicit cache flushes In the past, CLI as a potentially long running process had to make sure it kept it's cache up to date with kernel's rule set. A simple test case is this: | shell a | shell b | | # nft -i | # nft add table ip t | | | nft> list ruleset | | table ip t { | | } | # nft flush ruleset | | | nft> list ruleset | | nft> In order to make sure interactive CLI wouldn't incorrectly list the table again in the second 'list' command, it immediately flushed it's cache after every command execution. This patch eliminates the need for that by making cache updates depend on kernel's generation ID: A cache update stores the current rule set's ID in struct nft_cache, consecutive calls to cache_update() compare that stored value to the current generation ID received from kernel - if the stored value is zero (i.e. no previous cache update did happen) or if it doesn't match the kernel's value (i.e. cache is outdated) the cache is flushed and fully initialized again. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 2 +- include/netlink.h | 2 +- include/nftables.h | 2 +- include/nftables/nftables.h | 2 -- 4 files changed, 3 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/mnl.h b/include/mnl.h index 3df71467..84c362a2 100644 --- a/include/mnl.h +++ b/include/mnl.h @@ -15,7 +15,7 @@ struct mnl_socket *netlink_open_sock(void); void netlink_close_sock(struct mnl_socket *nf_sock); uint32_t mnl_seqnum_alloc(uint32_t *seqnum); -void mnl_genid_get(struct mnl_socket *nf_sock, uint32_t seqnum); +uint16_t mnl_genid_get(struct mnl_socket *nf_sock, uint32_t seqnum); struct mnl_err { struct list_head head; diff --git a/include/netlink.h b/include/netlink.h index 2ca6f345..b30c05f8 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -191,7 +191,7 @@ extern void netlink_dump_obj(struct nftnl_obj *nlo, struct netlink_ctx *ctx); extern int netlink_batch_send(struct netlink_ctx *ctx, struct list_head *err_list); -extern void netlink_genid_get(struct mnl_socket *nf_sock, uint32_t seqnum); +extern uint16_t netlink_genid_get(struct mnl_socket *nf_sock, uint32_t seqnum); extern void netlink_restart(struct mnl_socket *nf_sock); #define netlink_abi_error() \ __netlink_abi_error(__FILE__, __LINE__, strerror(errno)); diff --git a/include/nftables.h b/include/nftables.h index 97a04366..d69079fe 100644 --- a/include/nftables.h +++ b/include/nftables.h @@ -16,7 +16,7 @@ struct output_ctx { }; struct nft_cache { - bool initialized; + uint16_t genid; struct list_head list; uint32_t seqnum; }; diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h index 449f9e4e..4211be76 100644 --- a/include/nftables/nftables.h +++ b/include/nftables/nftables.h @@ -70,8 +70,6 @@ FILE *nft_ctx_set_output(struct nft_ctx *ctx, FILE *fp); int nft_ctx_add_include_path(struct nft_ctx *ctx, const char *path); void nft_ctx_clear_include_paths(struct nft_ctx *ctx); -void nft_ctx_flush_cache(struct nft_ctx *ctx); - int nft_run_cmd_from_buffer(struct nft_ctx *nft, char *buf, size_t buflen); int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename); -- cgit v1.2.3