* [PATCH nft v3] src: restore interface to index cache
@ 2015-04-11 13:11 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-04-11 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber
From: Pablo Neira <pablo@netfilter.org>
nftables used to have a cache to speed up interface name <-> index lookup,
restore it using libmnl.
This reduces netlink traffic since if_nametoindex() and if_indextoname() open,
send a request, receive the list of interfaces and close a netlink socket for
each call. I think this is also good for consistency since nft -f will operate
with the same index number when reloading the ruleset.
For the interactive mode, we fall back on if_nametoindex() and if_indextoname()
to make sure that we always get fresh interface name to index mappings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v3: Fall back to if_nametoindex() and if_indextoname() in interactive mode.
include/Makefile.am | 1 +
include/iface.h | 16 ++++++
include/nftables.h | 1 +
src/Makefile.am | 1 +
src/iface.c | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/main.c | 7 ++-
src/meta.c | 5 +-
7 files changed, 168 insertions(+), 3 deletions(-)
create mode 100644 include/iface.h
create mode 100644 src/iface.c
diff --git a/include/Makefile.am b/include/Makefile.am
index f22561b..465d804 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -4,6 +4,7 @@ noinst_HEADERS = cli.h \
datatype.h \
expression.h \
gmputil.h \
+ iface.h \
mnl.h \
nftables.h \
payload.h \
diff --git a/include/iface.h b/include/iface.h
new file mode 100644
index 0000000..ecfcc09
--- /dev/null
+++ b/include/iface.h
@@ -0,0 +1,16 @@
+#ifndef _NFTABLES_IFACE_H_
+#define _NFTABLES_IFACE_H_
+
+struct iface {
+ struct list_head list;
+ char name[IFNAMSIZ];
+ uint32_t ifindex;
+};
+
+unsigned int nft_if_nametoindex(const char *name);
+char *nft_if_indextoname(unsigned int ifindex, char *name);
+
+void iface_cache_update(void);
+void iface_cache_release(void);
+
+#endif
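Review bot: The new header is not self-contained: `name[IFNAMSIZ]` needs `<net/if.h>`, `uint32_t` needs `<stdint.h>` and `struct list_head` needs `<list.h>`, and the patch only works around this by adding `#include <net/if.h>` to main.c ahead of `<iface.h>` (the iface.c hunk happens to include them in the right order). Adding `#include <stdint.h>`, `#include <net/if.h>` and `#include <list.h>` below the guard lets any future user include iface.h first without caring about order. While here, the two lookup prototypes deserve a contract comment: `nft_if_indextoname()` writes into a caller-supplied buffer that must be at least IFNAMSIZ bytes and returns NULL when the index is unknown, and `nft_if_nametoindex()` returns 0 when the name is unknown; both consult the cache only when `interactive` is false, so in non-interactive mode they reflect the snapshot taken by `iface_cache_update()`.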
diff --git a/include/nftables.h b/include/nftables.h
index cf19de8..aa8d219 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -29,6 +29,7 @@ extern unsigned int numeric_output;
extern unsigned int ip2name_output;
extern unsigned int handle_output;
extern unsigned int debug_level;
+extern bool interactive;
extern const char *include_paths[INCLUDE_PATHS_MAX];
enum nftables_exit_codes {
diff --git a/src/Makefile.am b/src/Makefile.am
index 2410fd3..fd63219 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,6 +44,7 @@ nft_SOURCES = main.c \
utils.c \
erec.c \
mnl.c \
+ iface.c \
scanner.l \
parser_bison.y
diff --git a/src/iface.c b/src/iface.c
new file mode 100644
index 0000000..e68fbf4
--- /dev/null
+++ b/src/iface.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <net/if.h>
+#include <time.h>
+#include <string.h>
+#include <errno.h>
+
+#include <libmnl/libmnl.h>
+#include <linux/rtnetlink.h>
+
+#include <nftables.h>
+#include <list.h>
+#include <netlink.h>
+#include <iface.h>
+
+static LIST_HEAD(iface_list);
+
+unsigned int nft_if_nametoindex(const char *name)
+{
+ struct iface *iface;
+
+ if (interactive)
+ return if_nametoindex(name);
+
+ list_for_each_entry(iface, &iface_list, list) {
+ if (strncmp(name, iface->name, IFNAMSIZ) == 0)
+ return iface->ifindex;
+ }
+ return 0;
+}
+
+char *nft_if_indextoname(unsigned int ifindex, char *name)
+{
+ struct iface *iface;
+
+ if (interactive)
+ return if_indextoname(ifindex, name);
+
+ list_for_each_entry(iface, &iface_list, list) {
+ if (iface->ifindex == ifindex) {
+ strncpy(name, iface->name, IFNAMSIZ);
+ return name;
+ }
+ }
+ return NULL;
+}
+
+static int data_attr_cb(const struct nlattr *attr, void *data)
+{
+ const struct nlattr **tb = data;
+ int type = mnl_attr_get_type(attr);
+
+ if (mnl_attr_type_valid(attr, IFLA_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch(type) {
+ case IFLA_IFNAME:
+ if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+ netlink_abi_error();
+ break;
+ default:
+ return MNL_CB_OK;
+ }
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static int data_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nlattr *tb[IFLA_MAX + 1] = {};
+ struct ifinfomsg *ifm = mnl_nlmsg_get_payload(nlh);
+ struct iface *iface;
+
+ iface = xmalloc(sizeof(struct iface));
+ iface->ifindex = ifm->ifi_index;
+ mnl_attr_parse(nlh, sizeof(*ifm), data_attr_cb, tb);
+ strncpy(iface->name, mnl_attr_get_str(tb[IFLA_IFNAME]), IFNAMSIZ);
+ list_add(&iface->list, &iface_list);
+
+ return MNL_CB_OK;
+}
+
+void iface_cache_update(void)
+{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct mnl_socket *nl;
+ struct nlmsghdr *nlh;
+ struct rtgenmsg *rt;
+ uint32_t seq, portid;
+ int ret;
+
+ nlh = mnl_nlmsg_put_header(buf);
+ nlh->nlmsg_type = RTM_GETLINK;
+ nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+ nlh->nlmsg_seq = seq = time(NULL);
+ rt = mnl_nlmsg_put_extra_header(nlh, sizeof(struct rtgenmsg));
+ rt->rtgen_family = AF_PACKET;
+
+ nl = mnl_socket_open(NETLINK_ROUTE);
+ if (nl == NULL)
+ netlink_init_error();
+
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0)
+ netlink_init_error();
+
+ portid = mnl_socket_get_portid(nl);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+ netlink_init_error();
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, data_cb, NULL);
+ if (ret <= MNL_CB_STOP)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1)
+ netlink_init_error();
+
+ mnl_socket_close(nl);
+}
+
+void iface_cache_release(void)
+{
+ struct iface *iface, *next;
+
+ list_for_each_entry_safe(iface, next, &iface_list, list) {
+ list_del(&iface->list);
+ free(iface);
+ }
+}
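Review bot: `data_cb()` passes `tb[IFLA_IFNAME]` straight to `mnl_attr_get_str()` without checking that the attribute was present, so an RTM_NEWLINK message without IFLA_IFNAME dereferences NULL (and the `iface` allocated just above it would leak). The copy also uses `strncpy(..., IFNAMSIZ)`, which leaves `iface->name` unterminated when the attribute string is IFNAMSIZ bytes or longer; `MNL_TYPE_STRING` validation only checks for a NUL somewhere in the payload, not its length, and `nft_if_indextoname()` then hands that unterminated buffer to the caller's `printf("%s", ...)`. Parsing before allocating, skipping messages without a name, and copying with `snprintf()` closes both holes without trusting the kernel's own IFNAMSIZ limit. Separately, `list_add()` never checks for an existing entry, so calling `iface_cache_update()` twice would duplicate every interface; worth a comment on the function if a single call per process is the intended contract.
```c
static int data_cb(const struct nlmsghdr *nlh, void *data)
{
	struct nlattr *tb[IFLA_MAX + 1] = {};
	struct ifinfomsg *ifm = mnl_nlmsg_get_payload(nlh);
	struct iface *iface;

	/* Parse first: a link message without IFLA_IFNAME is skipped,
	 * not dereferenced, and nothing is allocated for it. */
	mnl_attr_parse(nlh, sizeof(*ifm), data_attr_cb, tb);
	if (tb[IFLA_IFNAME] == NULL)
		return MNL_CB_OK;

	iface = xmalloc(sizeof(struct iface));
	iface->ifindex = ifm->ifi_index;
	/* snprintf always NUL-terminates; strncpy does not when the
	 * attribute string is IFNAMSIZ bytes or longer. */
	snprintf(iface->name, sizeof(iface->name), "%s",
		 mnl_attr_get_str(tb[IFLA_IFNAME]));
	list_add(&iface->list, &iface_list);

	return MNL_CB_OK;
}
```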
diff --git a/src/main.c b/src/main.c
index 4590c30..8f51b4a 100644
--- a/src/main.c
+++ b/src/main.c
@@ -17,6 +17,7 @@
#include <getopt.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <net/if.h>
#include <nftables.h>
#include <utils.h>
@@ -25,6 +26,7 @@
#include <netlink.h>
#include <erec.h>
#include <mnl.h>
+#include <iface.h>
#include <cli.h>
unsigned int max_errors = 10;
@@ -34,6 +36,7 @@ unsigned int handle_output;
#ifdef DEBUG
unsigned int debug_level;
#endif
+bool interactive;
const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
static unsigned int num_include_paths = 1;
@@ -253,7 +256,6 @@ int main(int argc, char * const *argv)
LIST_HEAD(msgs);
char *buf = NULL, *filename = NULL;
unsigned int len;
- bool interactive = false;
int i, val, rc = NFT_EXIT_SUCCESS;
while (1) {
@@ -357,8 +359,11 @@ int main(int argc, char * const *argv)
exit(NFT_EXIT_FAILURE);
}
+ iface_cache_update();
if (nft_run(scanner, &state, &msgs) != 0)
rc = NFT_EXIT_FAILURE;
+
+ iface_cache_release();
out:
scanner_destroy(scanner);
erec_print_list(stderr, &msgs);
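Review bot: `iface_cache_update()` is called unconditionally before `nft_run()`, but in interactive mode both lookups bypass the cache, so the RTM_GETLINK dump is pure overhead there and, since every failure inside it ends in `netlink_init_error()`, a failed dump aborts an interactive session that would never have consulted the result. Guarding the fill with `if (!interactive) iface_cache_update();` keeps the non-interactive consistency the description asks for while leaving the interactive path on plain if_nametoindex()/if_indextoname(). `iface_cache_release()` is harmless on an empty list, so it can stay unconditional; main() continues outside the hunk.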
diff --git a/src/meta.c b/src/meta.c
index ad57228..bfc1258 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -30,6 +30,7 @@
#include <gmputil.h>
#include <utils.h>
#include <erec.h>
+#include <iface.h>
static struct symbol_table *realm_tbl;
static void __init realm_table_init(void)
@@ -138,7 +139,7 @@ static void ifindex_type_print(const struct expr *expr)
int ifindex;
ifindex = mpz_get_uint32(expr->value);
- if (if_indextoname(ifindex, name))
+ if (nft_if_indextoname(ifindex, name))
printf("%s", name);
else
printf("%d", ifindex);
@@ -149,7 +150,7 @@ static struct error_record *ifindex_type_parse(const struct expr *sym,
{
int ifindex;
- ifindex = if_nametoindex(sym->identifier);
+ ifindex = nft_if_nametoindex(sym->identifier);
if (ifindex == 0)
return error(&sym->location, "Interface does not exist");
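Review bot: In non-interactive mode `nft_if_nametoindex()` answers from the snapshot taken by `iface_cache_update()` at startup, so an interface created after that point now yields "Interface does not exist" even though it does; the error text could say which case applies, e.g. `"Interface does not exist (or was created after the interface cache was filled)"`, or the cache could be re-queried on a miss. The result is also stored in `int ifindex` although the new helper returns `unsigned int`, which is carried over from the old if_nametoindex() call rather than introduced here. ifindex_type_parse() begins outside the hunk.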
--
1.7.10.4
* Re: [PATCH nft v3] src: restore interface to index cache
@ 2015-04-11 13:12 ` Patrick McHardy
From: Patrick McHardy @ 2015-04-11 13:12 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 11.04, Pablo Neira Ayuso wrote:
> From: Pablo Neira <pablo@netfilter.org>
>
> nftables used to have a cache to speed up interface name <-> index lookup,
> restore it using libmnl.
>
> This reduces netlink traffic since if_nametoindex() and if_indextoname() open,
> send a request, receive the list of interface and close a netlink socket for
> each call. I think this is also good for consistency since nft -f will operate
> with the same index number when reloading the ruleset.
>
> For the interactive mode, we fall back on if_nametoindex() and if_indextoname()
> to make sure that we always get fresh interface name to index mappings.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> v3: Fall back to if_nametoindex() and if_indextoname() in interactive mode.
That seems like a good way. One more suggestion - how about only doing
a cache fill on the first invocation? That way we can avoid it in many
cases, f.i. set listings, some times for rulesets as well, flushing, ...