[PATCH nft,v2 1/2] cache: move list filter under struct

[PATCH nft,v2 1/2] cache: move list filter under struct

[Pablo Neira Ayuso]

Wrap the table and set fields for list filtering to prepare for the
introduction element filters.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: new in this series.

 include/cache.h |  6 ++++--
 src/cache.c     | 22 +++++++++++-----------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/include/cache.h b/include/cache.h
index 0523358889de..7d61701a02b5 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -39,8 +39,10 @@ enum cache_level_flags {
 };
 
 struct nft_cache_filter {
-	const char		*table;
-	const char		*set;
+	struct {
+		const char	*table;
+		const char	*set;
+	} list;
 };
 
 struct nft_cache;
diff --git a/src/cache.c b/src/cache.c
index 0cddd1e1cb48..58397551aafc 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -134,19 +134,19 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 	switch (cmd->obj) {
 	case CMD_OBJ_TABLE:
 		if (filter && cmd->handle.table.name)
-			filter->table = cmd->handle.table.name;
+			filter->list.table = cmd->handle.table.name;
 
 		flags |= NFT_CACHE_FULL;
 		break;
 	case CMD_OBJ_SET:
 	case CMD_OBJ_MAP:
 		if (filter && cmd->handle.table.name && cmd->handle.set.name) {
-			filter->table = cmd->handle.table.name;
-			filter->set = cmd->handle.set.name;
+			filter->list.table = cmd->handle.table.name;
+			filter->list.set = cmd->handle.set.name;
 		}
 		if (nft_output_terse(&nft->output))
 			flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
-		else if (filter->table && filter->set)
+		else if (filter->list.table && filter->list.set)
 			flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
 		else
 			flags |= NFT_CACHE_FULL;
@@ -183,8 +183,8 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 	struct cmd *cmd;
 
 	list_for_each_entry(cmd, cmds, list) {
-		if (filter->table && cmd->op != CMD_LIST)
-			memset(filter, 0, sizeof(*filter));
+		if (filter->list.table && cmd->op != CMD_LIST)
+			memset(&filter->list, 0, sizeof(filter->list));
 
 		switch (cmd->op) {
 		case CMD_ADD:
@@ -377,9 +377,9 @@ static int set_cache_cb(struct nftnl_set *nls, void *arg)
 	if (!set)
 		return -1;
 
-	if (ctx->filter && ctx->filter->set &&
-	    (strcmp(ctx->filter->table, set->handle.table.name) ||
-	     strcmp(ctx->filter->set, set->handle.set.name))) {
+	if (ctx->filter && ctx->filter->list.set &&
+	    (strcmp(ctx->filter->list.table, set->handle.table.name) ||
+	     strcmp(ctx->filter->list.set, set->handle.set.name))) {
 		set_free(set);
 		return 0;
 	}
@@ -637,8 +637,8 @@ static int cache_init_tables(struct netlink_ctx *ctx, struct handle *h,
 	list_for_each_entry_safe(table, next, &ctx->list, list) {
 		list_del(&table->list);
 
-		if (filter && filter->table &&
-		    (strcmp(filter->table, table->handle.table.name))) {
+		if (filter && filter->list.table &&
+		    (strcmp(filter->list.table, table->handle.table.name))) {
 			table_free(table);
 			continue;
 		}
-- 
2.30.2

[PATCH nft,v2 2/2] cache: do not populate cache if it is going to be flushed

[Pablo Neira Ayuso]

Skip set element netlink dump if set is flushed, this speeds up
set flush + add element operation in a batch file for an existing set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: use a hashtable.

 include/cache.h | 14 +++++++++++--
 src/cache.c     | 56 ++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 65 insertions(+), 5 deletions(-)

diff --git a/include/cache.h b/include/cache.h
index 7d61701a02b5..33c9ab66905b 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -38,11 +38,23 @@ enum cache_level_flags {
 	NFT_CACHE_FLUSHED	= (1 << 31),
 };
 
+struct nft_filter_obj {
+	struct list_head list;
+	const char	*table;
+	const char	*set;
+};
+
+#define NFT_CACHE_HSIZE	8192
+
 struct nft_cache_filter {
 	struct {
 		const char	*table;
 		const char	*set;
 	} list;
+
+	struct {
+		struct list_head head;
+	} obj[NFT_CACHE_HSIZE];
 };
 
 struct nft_cache;
@@ -66,8 +78,6 @@ static inline uint32_t djb_hash(const char *key)
 	return hash;
 }
 
-#define NFT_CACHE_HSIZE 8192
-
 struct table;
 struct chain;
 
diff --git a/src/cache.c b/src/cache.c
index 58397551aafc..e86a2d867f55 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -96,13 +96,46 @@ static unsigned int evaluate_cache_get(struct cmd *cmd, unsigned int flags)
 	return flags;
 }
 
-static unsigned int evaluate_cache_flush(struct cmd *cmd, unsigned int flags)
+static void cache_filter_add(struct nft_cache_filter *filter,
+			     const struct cmd *cmd)
+{
+	struct nft_filter_obj *obj;
+	uint32_t hash;
+
+	obj = xmalloc(sizeof(struct nft_filter_obj));
+	obj->table = cmd->handle.table.name;
+	obj->set = cmd->handle.set.name;
+
+	hash = djb_hash(cmd->handle.set.name) % NFT_CACHE_HSIZE;
+	list_add_tail(&obj->list, &filter->obj[hash].head);
+}
+
+static bool cache_filter_find(const struct nft_cache_filter *filter,
+			      const struct handle *handle)
+{
+	struct nft_filter_obj *obj;
+	uint32_t hash;
+
+	hash = djb_hash(handle->set.name) % NFT_CACHE_HSIZE;
+
+	list_for_each_entry(obj, &filter->obj[hash].head, list) {
+		if (!strcmp(obj->table, handle->table.name) &&
+		    !strcmp(obj->set, handle->set.name))
+			return true;
+	}
+
+	return false;
+}
+
+static unsigned int evaluate_cache_flush(struct cmd *cmd, unsigned int flags,
+					 struct nft_cache_filter *filter)
 {
 	switch (cmd->obj) {
 	case CMD_OBJ_SET:
 	case CMD_OBJ_MAP:
 	case CMD_OBJ_METER:
 		flags |= NFT_CACHE_SET;
+		cache_filter_add(filter, cmd);
 		break;
 	case CMD_OBJ_RULESET:
 		flags |= NFT_CACHE_FLUSHED;
@@ -181,6 +214,10 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 {
 	unsigned int flags = NFT_CACHE_EMPTY;
 	struct cmd *cmd;
+	int i;
+
+	for (i = 0; i < NFT_CACHE_HSIZE; i++)
+		init_list_head(&filter->obj[i].head);
 
 	list_for_each_entry(cmd, cmds, list) {
 		if (filter->list.table && cmd->op != CMD_LIST)
@@ -219,7 +256,7 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 			flags |= NFT_CACHE_FULL;
 			break;
 		case CMD_FLUSH:
-			flags = evaluate_cache_flush(cmd, flags);
+			flags = evaluate_cache_flush(cmd, flags, filter);
 			break;
 		case CMD_RENAME:
 			flags = evaluate_cache_rename(cmd, flags);
@@ -659,7 +696,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
 	struct table *table;
 	struct chain *chain;
 	struct set *set;
-	int ret = 0;
+	int ret = 0, i;
 
 	if (flags & NFT_CACHE_CHAIN_BIT) {
 		chain_list = chain_cache_dump(ctx, &ret);
@@ -685,6 +722,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
 		}
 		if (flags & NFT_CACHE_SETELEM_BIT) {
 			list_for_each_entry(set, &table->set_cache.list, cache.list) {
+				if (cache_filter_find(filter, &set->handle))
+					continue;
+
 				ret = netlink_list_setelems(ctx, &set->handle,
 							    set);
 				if (ret < 0) {
@@ -694,6 +734,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
 			}
 		} else if (flags & NFT_CACHE_SETELEM_MAYBE) {
 			list_for_each_entry(set, &table->set_cache.list, cache.list) {
+				if (cache_filter_find(filter, &set->handle))
+					continue;
+
 				if (!set_is_non_concat_range(set))
 					continue;
 
@@ -765,6 +808,13 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
 	}
 
 cache_fails:
+	for (i = 0; i < NFT_CACHE_HSIZE; i++) {
+		struct nft_filter_obj *obj, *next;
+
+		list_for_each_entry_safe(obj, next, &filter->obj[i].head, list)
+			xfree(obj);
+	}
+
 	if (flags & NFT_CACHE_CHAIN_BIT)
 		nftnl_chain_list_free(chain_list);
 
-- 
2.30.2