[PATCH nft v2] src: evaluate: Show error for fanout without balance

[PATCH nft v2] src: evaluate: Show error for fanout without balance

[Shivani Bhardwaj]

The idea of fanout option is to improve the performance by indexing CPU
ID to map packets to the queues. This is used for load balancing.
Fanout option is not required when there is a single queue specified.

According to iptables, queue balance should be specified in order to use
fanout. Following that, throw an error in nftables if the range of
queues for load balancing is not specified with the fanout option.

After this patch,

$ sudo nft add rule ip filter forward counter queue num 0 fanout
<cmdline>:1:46-46: Error: fanout requires queue num range to be specified
add rule ip filter forward counter queue num 0 fanout
                                             ^

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
Changes in v2:
	Update the description with error that is going to show up

 src/evaluate.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 473f014..f3fe13d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2000,6 +2000,11 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
 		if (!expr_is_constant(stmt->queue.queue))
 			return expr_error(ctx->msgs, stmt->queue.queue,
 					  "queue number is not constant");
+		if (stmt->queue.queue->ops->type != EXPR_RANGE &&
+		    (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT))
+			return expr_error(ctx->msgs, stmt->queue.queue,
+					  "fanout requires queue num range"
+					  " to be specified");
 	}
 	return 0;
 }
-- 
1.9.1

Re: [PATCH nft v2] src: evaluate: Show error for fanout without balance

[Pablo Neira Ayuso]

On Thu, Apr 07, 2016 at 10:58:54PM +0530, Shivani Bhardwaj wrote:
> The idea of fanout option is to improve the performance by indexing CPU
> ID to map packets to the queues. This is used for load balancing.
> Fanout option is not required when there is a single queue specified.
> 
> According to iptables, queue balance should be specified in order to use
> fanout. Following that, throw an error in nftables if the range of
> queues for load balancing is not specified with the fanout option.
> 
> After this patch,
> 
> $ sudo nft add rule ip filter forward counter queue num 0 fanout
> <cmdline>:1:46-46: Error: fanout requires queue num range to be specified
> add rule ip filter forward counter queue num 0 fanout
>                                              ^

Thanks, I'm applying this with updates, basically adding this chunk to
your patch:

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4b7c1f5..444ed4c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1722,6 +1722,7 @@ queue_stmt_args           :       queue_stmt_arg
 queue_stmt_arg         :       QUEUENUM        stmt_expr
                        {
                                $<stmt>0->queue.queue = $2;
+                               $<stmt>0->queue.queue->location = @$;
                        }
                        |       queue_stmt_flags
                        {

I'm basically reseting the location here.

So the error printing look like:

    $ sudo nft add rule ip filter forward counter queue num 0 fanout
    <cmdline>:1:46-46: Error: fanout requires a range to be specified
    add rule ip filter forward counter queue num 0 fanout
                                             ^^^^^

which seems slightly better.

We can probably use expr_binary_error() instead expr_error() so we get
something like:

    $ sudo nft add rule ip filter forward counter queue num 0 fanout
    <cmdline>:1:46-46: Error: fanout requires a range to be specified
    add rule ip filter forward counter queue num 0 fanout
                                             ^^^^^ ~~~~~~

But this requires revisiting the parser to convert the flags to
expressions, let's have a look at this later.