From patchwork Thu Aug 15 11:37:08 2024
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 1972736
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de, eric@garver.life, phil@nwl.cc, fw@strlen.de
Subject: [PATCH nft 1/5] cache: rule by index requires full cache
Date: Thu, 15 Aug 2024 13:37:08 +0200
Message-Id: <20240815113712.1266545-2-pablo@netfilter.org>
In-Reply-To: <20240815113712.1266545-1-pablo@netfilter.org>
References: <20240815113712.1266545-1-pablo@netfilter.org>

In preparation for on-demand cache population with errors, set on NFT_CACHE_FULL if rule index is used since this requires a full cache with rules.

This is not a fix, follow up patches relax cache requirements, add this patch in first place to make sure index does not break.

Signed-off-by: Pablo Neira Ayuso
---
src/cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cache.c b/src/cache.c index e88cbae2ad95..42e60dfa1286 100644
--- a/src/cache.c +++ b/src/cache.c 
@@ -68,7 +68,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) if (cmd->handle.index.id || cmd->handle.position.id) - flags |= NFT_CACHE_RULE | NFT_CACHE_UPDATE; + flags |= NFT_CACHE_FULL | NFT_CACHE_UPDATE; break; default: break;

From patchwork Thu Aug 15 11:37:09 2024
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 1972737
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de, eric@garver.life, phil@nwl.cc, fw@strlen.de
Subject: [PATCH nft 2/5] cache: populate chains on demand from error path
Date: Thu, 15 Aug 2024 13:37:09 +0200
Message-Id: <20240815113712.1266545-3-pablo@netfilter.org>
In-Reply-To: <20240815113712.1266545-1-pablo@netfilter.org>
References: <20240815113712.1266545-1-pablo@netfilter.org>

Updates on verdict maps that require many non-base chains are slowed down due to fetching existing non-base chains into the cache.

Chains are only required for error reporting hints if kernel reports ENOENT. Populate the cache from this error path only.

Similar approach already exists from rule ENOENT error path since:

deb7c5927fad ("cmd: add misspelling suggestions for rule commands")

however, NFT_CACHE_CHAIN was toggled unconditionally for rule commands, rendering this on-demand cache population useless.

before this patch, running Neels' nft_slew benchmark (peak values):

created idx 4992 in 52587950 ns (128 in 7122 ms)
...
deleted idx 128 in 43542500 ns (127 in 6187 ms)

after this patch:

created idx 4992 in 11361299 ns (128 in 1612 ms)
...
deleted idx 1664 in 5239633 ns (128 in 733 ms)

Signed-off-by: Pablo Neira Ayuso
---
v2: fetch cache for EOPNOTSUPP errors too. update nft_slew results.

include/cache.h | 1 -
src/cache.c | 4 ----
src/cmd.c | 11 +++++++++++
3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/include/cache.h b/include/cache.h index 8ca4a9a79c03..44e8430ce1fd 100644 --- a/include/cache.h +++ b/include/cache.h @@ -31,7 +31,6 @@ enum cache_level_flags { NFT_CACHE_SET_BIT | NFT_CACHE_SETELEM_BIT, NFT_CACHE_RULE = NFT_CACHE_TABLE_BIT | - NFT_CACHE_CHAIN_BIT | NFT_CACHE_RULE_BIT, NFT_CACHE_FULL = __NFT_CACHE_MAX_BIT - 1, NFT_CACHE_TERSE = (1 << 27),
diff --git a/src/cache.c b/src/cache.c index 42e60dfa1286..36c6f12d8720 100644 --- a/src/cache.c +++ b/src/cache.c @@ -30,7 +30,6 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) break; flags |= NFT_CACHE_TABLE | - NFT_CACHE_CHAIN | NFT_CACHE_SET | NFT_CACHE_OBJECT | NFT_CACHE_FLOWTABLE; @@ -54,14 +53,12 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) break; case CMD_OBJ_ELEMENTS: flags |= NFT_CACHE_TABLE | - NFT_CACHE_CHAIN | NFT_CACHE_SET | NFT_CACHE_OBJECT | NFT_CACHE_SETELEM_MAYBE; break; case CMD_OBJ_RULE: flags |= NFT_CACHE_TABLE | - NFT_CACHE_CHAIN | NFT_CACHE_SET | NFT_CACHE_OBJECT | NFT_CACHE_FLOWTABLE; @@ -435,7 +432,6 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, case CMD_DELETE: case CMD_DESTROY: flags |= NFT_CACHE_TABLE | - NFT_CACHE_CHAIN | NFT_CACHE_SET | NFT_CACHE_FLOWTABLE | NFT_CACHE_OBJECT; diff --git a/src/cmd.c b/src/cmd.c index 37d93abc2cd4..381f404266de 100644 --- a/src/cmd.c +++ b/src/cmd.c @@ -75,6 +75,10 @@ static int nft_cmd_enoent_chain(struct netlink_ctx *ctx, const struct cmd *cmd, if (!cmd->handle.chain.name) return 0; + if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | NFT_CACHE_CHAIN, + ctx->msgs, NULL) < 0) + return 0; + chain = chain_lookup_fuzzy(&cmd->handle, &ctx->nft->cache, &table); /* check table first. */ if (!table) 
@@ -271,6 +275,13 @@ static int nft_cmd_chain_error(struct netlink_ctx *ctx, struct cmd *cmd, return netlink_io_error(ctx, &chain->priority.loc, "Chains of type \"nat\" must have a priority value above -200"); + if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | NFT_CACHE_CHAIN, + ctx->msgs, NULL) < 0) { + return netlink_io_error(ctx, &chain->loc, + "Chain of type \"%s\" is not supported, perhaps kernel support is missing?", + chain->type.str); + } + table = table_cache_find(&ctx->nft->cache.table_cache, cmd->handle.table.name, cmd->handle.family); if (table) {

From patchwork Thu Aug 15 11:37:10 2024
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 1972734
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de, eric@garver.life, phil@nwl.cc, fw@strlen.de
Subject: [PATCH nft 3/5] cache: populate objecs on demand from error path
Date: Thu, 15 Aug 2024 13:37:10 +0200
Message-Id: <20240815113712.1266545-4-pablo@netfilter.org>
In-Reply-To: <20240815113712.1266545-1-pablo@netfilter.org>
References: <20240815113712.1266545-1-pablo@netfilter.org>

Objects are only required for error reporting hints if kernel reports ENOENT. Populate the cache from this error path only.

Signed-off-by: Pablo Neira Ayuso
---
src/cache.c | 6 +-----
src/cmd.c | 4 ++++
2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/cache.c b/src/cache.c index 36c6f12d8720..6ad8e2587806 100644 --- a/src/cache.c +++ b/src/cache.c @@ -31,7 +31,6 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | - NFT_CACHE_OBJECT | NFT_CACHE_FLOWTABLE; list_for_each_entry(set, &cmd->table->sets, list) { if (set->automerge) @@ -54,13 +53,11 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) case CMD_OBJ_ELEMENTS: flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | - NFT_CACHE_OBJECT | NFT_CACHE_SETELEM_MAYBE; break; case CMD_OBJ_RULE: flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | - NFT_CACHE_OBJECT | NFT_CACHE_FLOWTABLE; if (cmd->handle.index.id || @@ -433,8 +430,7 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, case CMD_DESTROY: flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | - NFT_CACHE_FLOWTABLE | - NFT_CACHE_OBJECT; + NFT_CACHE_FLOWTABLE; flags = evaluate_cache_del(cmd, flags); break; diff --git a/src/cmd.c b/src/cmd.c index 381f404266de..507796bdd6a8 100644 --- a/src/cmd.c +++ b/src/cmd.c
@@ -169,6 +169,10 @@ static int nft_cmd_enoent_obj(struct netlink_ctx *ctx, const struct cmd *cmd, if (!cmd->handle.obj.name) return 0; + if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | NFT_CACHE_OBJECT, + ctx->msgs, NULL) < 0) + return 0; + obj = obj_lookup_fuzzy(cmd->handle.obj.name, &ctx->nft->cache, &table); /* check table first. */ if (!table)

From patchwork Thu Aug 15 11:37:11 2024
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 1972735
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de, eric@garver.life, phil@nwl.cc, fw@strlen.de
Subject: [PATCH nft 4/5] cache: populate flowtable on demand from error path
Date: Thu, 15 Aug 2024 13:37:11 +0200
Message-Id: <20240815113712.1266545-5-pablo@netfilter.org>
In-Reply-To: <20240815113712.1266545-1-pablo@netfilter.org>
References: <20240815113712.1266545-1-pablo@netfilter.org>

Flowtables are only required for error reporting hints if kernel reports ENOENT. Populate the cache from this error path only.

Signed-off-by: Pablo Neira Ayuso
---
src/cache.c | 9 +++------
src/cmd.c | 4 ++++
2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/cache.c b/src/cache.c index 6ad8e2587806..1fc03f2bbe50 100644 --- a/src/cache.c +++ b/src/cache.c @@ -30,8 +30,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) break; flags |= NFT_CACHE_TABLE | - NFT_CACHE_SET | - NFT_CACHE_FLOWTABLE; + NFT_CACHE_SET; list_for_each_entry(set, &cmd->table->sets, list) { if (set->automerge) flags |= NFT_CACHE_SETELEM_MAYBE; @@ -57,8 +56,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) break; case CMD_OBJ_RULE: flags |= NFT_CACHE_TABLE | - NFT_CACHE_SET | - NFT_CACHE_FLOWTABLE; + NFT_CACHE_SET; if (cmd->handle.index.id || cmd->handle.position.id) @@ -429,8 +427,7 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, case CMD_DELETE: case CMD_DESTROY: flags |= NFT_CACHE_TABLE | - NFT_CACHE_SET | - NFT_CACHE_FLOWTABLE; + NFT_CACHE_SET; flags = evaluate_cache_del(cmd, flags); break; diff --git a/src/cmd.c b/src/cmd.c index 507796bdd6a8..e64171e7c4df 100644 --- a/src/cmd.c +++ b/src/cmd.c 
@@ -201,6 +201,10 @@ static int nft_cmd_enoent_flowtable(struct netlink_ctx *ctx, if (!cmd->handle.flowtable.name) return 0; + if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | NFT_CACHE_FLOWTABLE, + ctx->msgs, NULL) < 0) + return 0; + ft = flowtable_lookup_fuzzy(cmd->handle.flowtable.name, &ctx->nft->cache, &table); /* check table first. */

From patchwork Thu Aug 15 11:37:12 2024
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 1972738
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: nhofmeyr@sysmocom.de, eric@garver.life, phil@nwl.cc, fw@strlen.de
Subject: [PATCH nft 5/5] cache: do not fetch set inconditionally on delete
Date: Thu, 15 Aug 2024 13:37:12 +0200
Message-Id: <20240815113712.1266545-6-pablo@netfilter.org>
In-Reply-To: <20240815113712.1266545-1-pablo@netfilter.org>
References: <20240815113712.1266545-1-pablo@netfilter.org>

This is only required to remove elements, relax cache requirements for anything else.

Signed-off-by: Pablo Neira Ayuso
---
src/cache.c | 6 +++---
src/cmd.c | 4 ++++
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/cache.c b/src/cache.c index 1fc03f2bbe50..233147649263 100644 --- a/src/cache.c +++ b/src/cache.c @@ -73,7 +73,8 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags) { switch (cmd->obj) { case CMD_OBJ_ELEMENTS: - flags |= NFT_CACHE_SETELEM_MAYBE; + flags |= NFT_CACHE_SET | + NFT_CACHE_SETELEM_MAYBE; break; default: break; @@ -426,8 +427,7 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, break; case CMD_DELETE: case CMD_DESTROY: - flags |= NFT_CACHE_TABLE | - NFT_CACHE_SET; + flags |= NFT_CACHE_TABLE; flags = evaluate_cache_del(cmd, flags); break; diff --git a/src/cmd.c b/src/cmd.c index e64171e7c4df..9a572b5660c7 100644 --- a/src/cmd.c +++ b/src/cmd.c @@ -140,6 +140,10 @@ static int nft_cmd_enoent_set(struct netlink_ctx *ctx, const struct cmd *cmd, if (!cmd->handle.set.name) return 0; + if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | NFT_CACHE_SET, + ctx->msgs, NULL) < 0) + return 0; + set = set_lookup_fuzzy(cmd->handle.set.name, &ctx->nft->cache, &table); /* check table first. */ if (!table)
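
Review bot: in 1/5, the evaluate_cache_add hunk at -68,7 raises the requirement to NFT_CACHE_FULL for cmd->handle.position.id as well as cmd->handle.index.id, while the subject and message only speak of rule index. If position also needs the full cache, say so in the message or in a comment above the condition; if it does not, split the condition so that position keeps "NFT_CACHE_RULE | NFT_CACHE_UPDATE".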
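
Review bot: in 2/5, the include/cache.h hunk at -31,7 removes NFT_CACHE_CHAIN_BIT from the NFT_CACHE_RULE composite, which changes what that level means for every user of NFT_CACHE_RULE, not only the add and delete paths edited in src/cache.c. The message does not say which other users were checked. Please add a sentence on that, and a short comment on the enum entry stating that the rule level no longer implies chains.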
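
Review bot: in 2/5, the block added to nft_cmd_chain_error at -271,6 reports a failed nft_cache_update() as "Chain of type \"%s\" is not supported, perhaps kernel support is missing?", which describes a different condition from a cache fetch that failed and hides the real cause from the user. Suggest a message that says the cache could not be fetched, or skipping only the hint. The hunk also passes chain->type.str to "%s" with no visible check that it is set; please confirm it cannot be NULL on this path. Finally, the message body says chains are only needed when the kernel reports ENOENT, while the v2 note says EOPNOTSUPP is covered too; the body should mention both.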
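
Review bot: the src/cmd.c hunks in 2/5 (nft_cmd_enoent_chain), 3/5 (nft_cmd_enoent_obj), 4/5 (nft_cmd_enoent_flowtable) and 5/5 (nft_cmd_enoent_set) each add the same "if (nft_cache_update(ctx->nft, NFT_CACHE_TABLE | ..., ctx->msgs, NULL) < 0) return 0;" with only the second flag changing. A failed fetch returns 0, the same value as the missing-name early return directly above it, so the failure is silent and indistinguishable from "nothing to suggest". A small static helper taking the cache flag would keep the four sites consistent, and a one-line comment there should state that a fetch failure deliberately degrades to an error without a hint.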
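
Review bot: in 5/5, the commit message covers only the src/cache.c side (NFT_CACHE_SET moves from the CMD_DELETE/CMD_DESTROY case in nft_cache_evaluate into the CMD_OBJ_ELEMENTS case of evaluate_cache_del), but the diff also adds an on-demand set fetch to nft_cmd_enoent_set in src/cmd.c at -140,6. Please mention the error-path change in the message, as 2/5 to 4/5 do, so that the reason delete commands on other objects still get set name hints is recorded.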