From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH v2 09/18] nft: remove cache build calls
Date: Tue, 28 Apr 2020 14:10:04 +0200	[thread overview]
Message-ID: <20200428121013.24507-10-phil@nwl.cc> (raw)
In-Reply-To: <20200428121013.24507-1-phil@nwl.cc>

From: Pablo Neira Ayuso <pablo@netfilter.org>

The cache requirements are now calculated once from the parsing phase.
There is no need to call __nft_build_cache() from several spots in the
codepath anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Drop now unused nft_build_cache() function.
---
 iptables/nft-cache.c | 20 --------------------
 iptables/nft-cache.h |  1 -
 iptables/nft.c       | 21 ---------------------
 3 files changed, 42 deletions(-)

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 38e353bd7231f..6db261fbba4b3 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -460,20 +460,6 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level,
 		fetch_rule_cache(h, t, chain);
 }
 
-void nft_build_cache(struct nft_handle *h, struct nftnl_chain *c)
-{
-	const struct builtin_table *t;
-	const char *table, *chain;
-
-	if (!c)
-		return __nft_build_cache(h, NFT_CL_RULES, NULL, NULL, NULL);
-
-	table = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE);
-	chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
-	t = nft_table_builtin_find(h, table);
-	__nft_build_cache(h, NFT_CL_RULES, t, NULL, chain);
-}
-
 void nft_fake_cache(struct nft_handle *h)
 {
 	fetch_table_cache(h);
@@ -619,8 +605,6 @@ void nft_release_cache(struct nft_handle *h)
 
 struct nftnl_table_list *nftnl_table_list_get(struct nft_handle *h)
 {
-	__nft_build_cache(h, NFT_CL_TABLES, NULL, NULL, NULL);
-
 	return h->cache->tables;
 }
 
@@ -633,8 +617,6 @@ nft_set_list_get(struct nft_handle *h, const char *table, const char *set)
 	if (!t)
 		return NULL;
 
-	__nft_build_cache(h, NFT_CL_RULES, t, set, NULL);
-
 	return h->cache->table[t->type].sets;
 }
 
@@ -647,8 +629,6 @@ nft_chain_list_get(struct nft_handle *h, const char *table, const char *chain)
 	if (!t)
 		return NULL;
 
-	__nft_build_cache(h, NFT_CL_CHAINS, t, NULL, chain);
-
 	return h->cache->table[t->type].chains;
 }
 
diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
index cf28808e22c72..8c63d8d566c19 100644
--- a/iptables/nft-cache.h
+++ b/iptables/nft-cache.h
@@ -5,7 +5,6 @@ struct nft_handle;
 
 void nft_cache_level_set(struct nft_handle *h, int level);
 void nft_fake_cache(struct nft_handle *h);
-void nft_build_cache(struct nft_handle *h, struct nftnl_chain *c);
 void nft_rebuild_cache(struct nft_handle *h);
 void nft_release_cache(struct nft_handle *h);
 void flush_chain_cache(struct nft_handle *h, const char *tablename);
diff --git a/iptables/nft.c b/iptables/nft.c
index 9771bcc9add02..f9e53316ab7cf 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1367,14 +1367,6 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
 
 	nft_xt_builtin_init(h, table);
 
-	/* Since ebtables user-defined chain policies are implemented as last
-	 * rule in nftables, rule cache is required here to treat them right. */
-	if (h->family == NFPROTO_BRIDGE) {
-		c = nft_chain_find(h, table, chain);
-		if (c && !nft_chain_builtin(c))
-			nft_build_cache(h, c);
-	}
-
 	nft_fn = nft_rule_append;
 
 	if (ref) {
@@ -1599,7 +1591,6 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
 
 	c = nftnl_chain_list_iter_next(iter);
 	while (c) {
-		nft_build_cache(h, c);
 		ret = nft_chain_save_rules(h, c, format);
 		if (ret != 0)
 			break;
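Review bot: With the per-chain `nft_build_cache(h, c)` call gone from this loop, `nft_chain_save_rules()` works on whatever rule list is already attached to `c`, and nothing in the hunk states who populated it. The same implicit precondition now applies to `nft_rule_find()`, `__nft_chain_zero_counters()` and `nft_is_chain_compatible()` in the later hunks of this file. If a command path reaches any of them with a cache level below `NFT_CL_RULES`, the chain would presumably look empty rather than fail, which for a ruleset dump or a compatibility check means silently incomplete output. I would record the contract where the call used to be, e.g. `/* rule cache for c must already be populated by the cache evaluation phase */`. The loop and the rest of nft_rule_save() continue outside the hunk.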
@@ -1807,10 +1798,6 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
 		fprintf(stdout, "Deleting chain `%s'\n",
 			nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
-	/* This triggers required policy rule deletion. */
-	if (h->family == NFPROTO_BRIDGE)
-		nft_build_cache(h, c);
-
 	/* XXX This triggers a fast lookup from the kernel. */
 	nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 	ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
@@ -2093,8 +2080,6 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c,
 	struct nftnl_rule_iter *iter;
 	bool found = false;
 
-	nft_build_cache(h, c);
-
 	if (rulenum >= 0)
 		/* Delete by rule number case */
 		return nftnl_rule_lookup_byindex(c, rulenum);
@@ -2979,8 +2964,6 @@ int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
 	else
 		return 0;
 
-	nft_build_cache(h, c);
-
 	nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, pval);
 	return 1;
 }
@@ -3333,8 +3316,6 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)
 			return -1;
 	}
 
-	nft_build_cache(h, c);
-
 	iter = nftnl_rule_iter_create(c);
 	if (iter == NULL)
 		return -1;
@@ -3471,8 +3452,6 @@ static int nft_is_chain_compatible(struct nftnl_chain *c, void *data)
 	enum nf_inet_hooks hook;
 	int prio;
 
-	nft_build_cache(h, c);
-
 	if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL))
 		return -1;
 
-- 
2.25.1

