From patchwork Thu Aug 29 11:31:49 2024
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: eric@garver.life
Subject: [PATCH nft 1/5] cache: assert filter when calling nft_cache_evaluate()
Date: Thu, 29 Aug 2024 13:31:49 +0200
Message-Id: <20240829113153.1553089-1-pablo@netfilter.org>

nft_cache_evaluate() always takes a non-null filter, remove superfluous checks when calculating cache requirements via flags.

Note that filter is still optional from netlink dump path, since this can be called from error path to provide hints.

Fixes: 08725a9dc14c ("cache: filter out rules by chain")
Fixes: b3ed8fd8c9f3 ("cache: missing family in cache filtering")
Fixes: 635ee1cad8aa ("cache: filter out sets and maps that are not requested")
Fixes: 3f1d3912c3a6 ("cache: filter out tables that are not requested")
Signed-off-by: Pablo Neira Ayuso Tested-by: Eric Garver --- src/cache.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/cache.c b/src/cache.c index 72f2972f0259..8cddabdb7b98 100644 --- a/src/cache.c +++ b/src/cache.c @@ -212,18 +212,17 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, { switch (cmd->obj) { case CMD_OBJ_TABLE: - if (filter) - filter->list.family = cmd->handle.family; + filter->list.family = cmd->handle.family; if (!cmd->handle.table.name) { flags |= NFT_CACHE_TABLE; break; - } else if (filter) { + } else { filter->list.table = cmd->handle.table.name; } flags |= NFT_CACHE_FULL; break; case CMD_OBJ_CHAIN: - if (filter && cmd->handle.chain.name) { + if (cmd->handle.chain.name) { filter->list.family = cmd->handle.family; filter->list.table = cmd->handle.table.name; filter->list.chain = cmd->handle.chain.name; @@ -236,7 +235,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, break; case CMD_OBJ_SET: case CMD_OBJ_MAP: - if (filter && cmd->handle.table.name && cmd->handle.set.name) { + if (cmd->handle.table.name && cmd->handle.set.name) { filter->list.family = cmd->handle.family; filter->list.table = cmd->handle.table.name; filter->list.set = cmd->handle.set.name; @@ -256,8 +255,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, flags |= NFT_CACHE_SETELEM; break; case CMD_OBJ_FLOWTABLE: - if (filter && - cmd->handle.table.name && + if (cmd->handle.table.name && cmd->handle.flowtable.name) { filter->list.family = cmd->handle.family; filter->list.table = cmd->handle.table.name; @@ -314,8 +312,6 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, static unsigned int evaluate_cache_reset(struct cmd *cmd, unsigned int flags, struct nft_cache_filter *filter) { - assert(filter); - switch (cmd->obj) { case CMD_OBJ_TABLE: case CMD_OBJ_CHAIN: 
@@ -482,6 +478,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, unsigned int flags, batch_flags = NFT_CACHE_EMPTY; struct cmd *cmd; + assert(filter); + list_for_each_entry(cmd, cmds, list) { if (nft_handle_validate(cmd, msgs) < 0) return -1;
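Review bot: in patch 1/5, the assert(filter) added at the top of nft_cache_evaluate() is now the only guard in front of the unconditional filter->list.family and filter->list.table writes in evaluate_cache_list() (CMD_OBJ_TABLE branch), and assert() compiles to nothing when NDEBUG is defined. If every caller is required to pass a filter, state that in a comment above nft_cache_evaluate() so the contract is documented where the check lives; the commit message says the netlink dump path still treats the filter as optional, which is easy to confuse with this path. Separately, the message describes the removed checks as superfluous yet carries four Fixes: tags; either say what misbehaviour is being fixed or drop the tags.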
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: eric@garver.life
Subject: [PATCH nft 2/5] cache: clean up evaluate_cache_del()
Date: Thu, 29 Aug 2024 13:31:50 +0200
Message-Id: <20240829113153.1553089-2-pablo@netfilter.org>
In-Reply-To: <20240829113153.1553089-1-pablo@netfilter.org>
References: <20240829113153.1553089-1-pablo@netfilter.org>

Move NFT_CACHE_TABLE flag to default case to disentangle this.

Signed-off-by: Pablo Neira Ayuso
--- src/cache.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/cache.c b/src/cache.c index 8cddabdb7b98..bed98bb71655 100644 --- a/src/cache.c +++ b/src/cache.c
@@ -77,6 +77,7 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags) NFT_CACHE_SETELEM_MAYBE; break; default: + flags = NFT_CACHE_TABLE; break; } 
@@ -500,8 +501,6 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, break; case CMD_DELETE: case CMD_DESTROY: - flags |= NFT_CACHE_TABLE; - flags = evaluate_cache_del(cmd, flags); break; case CMD_GET:
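Review bot: in patch 2/5, the new default case in evaluate_cache_del() assigns with "flags = NFT_CACHE_TABLE;" where the line removed from the CMD_DELETE/CMD_DESTROY branch of nft_cache_evaluate() used "flags |= NFT_CACHE_TABLE;", so any bits already present in the flags argument are discarded for objects that reach default. If that is intended, a short comment would help; otherwise use "flags |= NFT_CACHE_TABLE;". The removed line also applied NFT_CACHE_TABLE to every delete/destroy command, including the case that ends in NFT_CACHE_SETELEM_MAYBE; only the tail of that case is visible in the context, so please confirm it already includes NFT_CACHE_TABLE. The commit message calls this a clean-up, so it should state explicitly that the resulting flags are unchanged for all object types.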
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: eric@garver.life
Subject: [PATCH nft 3/5] cache: remove full cache requirement when echo flag is set on
Date: Thu, 29 Aug 2024 13:31:51 +0200
Message-Id: <20240829113153.1553089-3-pablo@netfilter.org>
In-Reply-To: <20240829113153.1553089-1-pablo@netfilter.org>
References: <20240829113153.1553089-1-pablo@netfilter.org>

The echo flag does not use the cache infrastructure yet, it relies on the monitor cache which follows the netlink_echo_callback() path.

Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Signed-off-by: Pablo Neira Ayuso
--- src/cache.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/cache.c b/src/cache.c index bed98bb71655..fce71eed3452 100644 --- a/src/cache.c +++ b/src/cache.c
@@ -493,8 +493,6 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, case CMD_INSERT: case CMD_CREATE: flags = evaluate_cache_add(cmd, flags); - if (nft_output_echo(&nft->output)) - flags |= NFT_CACHE_FULL; break; case CMD_REPLACE: flags = NFT_CACHE_FULL;
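Review bot: in patch 3/5, dropping the nft_output_echo() check from the CMD_INSERT/CMD_CREATE branch changes what is cached for every invocation with echo enabled, but the diffstat touches src/cache.c only and no test accompanies it. A shell test that runs add, insert and create with echo enabled against a ruleset containing named sets, and compares the echoed output with the expected text, would show that the monitor cache reached through netlink_echo_callback() really covers what NFT_CACHE_FULL used to provide. The commit message says echo does not use the cache infrastructure "yet"; a one-line comment at this spot would keep the requirement from being silently forgotten if that changes.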
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: eric@garver.life
Subject: [PATCH nft 4/5] cache: relax requirement for replace rule command
Date: Thu, 29 Aug 2024 13:31:52 +0200
Message-Id: <20240829113153.1553089-4-pablo@netfilter.org>
In-Reply-To: <20240829113153.1553089-1-pablo@netfilter.org>
References: <20240829113153.1553089-1-pablo@netfilter.org>

No need for full cache, this command relies on the rule handle which is not validated from userspace. Cache requirements are similar to those of add/create/delete rule commands. This speeds up incremental updates with large rulesets. Extend tests/coverage for rule replacement.

Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Signed-off-by: Pablo Neira Ayuso --- src/cache.c | 2 +- .../testcases/rule_management/0004replace_0 | 8 ++- .../dumps/0004replace_0.json-nft | 49 ++++++++++++++++++- .../rule_management/dumps/0004replace_0.nft | 11 ++++- 4 files changed, 65 insertions(+), 5 deletions(-) diff --git a/src/cache.c b/src/cache.c index fce71eed3452..db7dfd96081d 100644 --- a/src/cache.c +++ b/src/cache.c @@ -495,7 +495,7 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, flags = evaluate_cache_add(cmd, flags); break; case CMD_REPLACE: - flags = NFT_CACHE_FULL; + flags = NFT_CACHE_TABLE | NFT_CACHE_SET; break; case CMD_DELETE: case CMD_DESTROY: diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 index c3329af500d3..18dc4a9fe30b 100755 --- a/tests/shell/testcases/rule_management/0004replace_0 +++ b/tests/shell/testcases/rule_management/0004replace_0 @@ -6,5 +6,9 @@ set -e $NFT add table t $NFT add chain t c -$NFT add rule t c accept # should have handle 2 -$NFT replace rule t c handle 2 drop +$NFT 'add set t s1 { type ipv4_addr; }' +$NFT 'add set t s2 { type ipv4_addr; flags interval; }' +$NFT add rule t c accept # should have handle 4 +$NFT replace rule t c handle 4 drop +$NFT replace rule t c handle 4 ip saddr { 1.1.1.1, 2.2.2.2 } +$NFT replace rule t c handle 4 ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft index 5d0b7d066e83..767e80f14ff2 100644 --- a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft 
@@ -22,6 +22,27 @@ "handle": 0 } }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, { "rule": { "family": "ip", @@ -30,7 +51,33 @@ "handle": 0, "expr": [ { - "drop": null + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "3.3.3.3", + "4.4.4.4" + ] + } + } } ] } diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft index e20952ef573e..803c0debb737 100644 --- a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft 
@@ -1,5 +1,14 @@ table ip t { + set s1 { + type ipv4_addr + } + + set s2 { + type ipv4_addr + flags interval + } + chain c { - drop + ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } } }
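Review bot: in patch 4/5, the CMD_REPLACE branch hardcodes "flags = NFT_CACHE_TABLE | NFT_CACHE_SET;" although the commit message says the requirements are similar to those of add/create/delete rule commands; keeping the mask in one place (for example by routing replace through the same helper that the add path uses) would stop the two from drifting apart. In the extended 0004replace_0 test, set s1 is created and appears in both dumps but no replace command references it, only @s2 and anonymous sets are exercised; either add a replace that uses @s1 or drop the set. The comment "should have handle 4" now depends on the two preceding set additions consuming handles, so a short note saying so would make the test easier to maintain.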
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: eric@garver.life
Subject: [PATCH nft 5/5] cache: position does not require full cache
Date: Thu, 29 Aug 2024 13:31:53 +0200
Message-Id: <20240829113153.1553089-5-pablo@netfilter.org>
In-Reply-To: <20240829113153.1553089-1-pablo@netfilter.org>
References: <20240829113153.1553089-1-pablo@netfilter.org>

position refers to the rule handle, it has similar cache requirements as replace rule command, relax cache requirements.

Commit e5382c0d08e3 ("src: Support intra-transaction rule references") uses position.id for index support which requires a full cache, but only in such case.

Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Signed-off-by: Pablo Neira Ayuso
--- src/cache.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/cache.c b/src/cache.c index db7dfd96081d..3f1324a2f98b 100644 --- a/src/cache.c +++ b/src/cache.c @@ -58,8 +58,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) flags |= NFT_CACHE_TABLE | NFT_CACHE_SET; - if (cmd->handle.index.id || - cmd->handle.position.id) + if (cmd->handle.index.id) flags |= NFT_CACHE_FULL | NFT_CACHE_UPDATE; break; default:
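Review bot: in patch 5/5, the reduced check "if (cmd->handle.index.id)" in evaluate_cache_add() is correct only if index.id is still non-zero at cache-evaluation time for the intra-transaction case the commit message attributes to e5382c0d08e3, where position.id is used for index support and a full cache is required. Please confirm that ordering and put a comment above the check explaining why position.id alone no longer escalates to NFT_CACHE_FULL | NFT_CACHE_UPDATE. The diffstat is src/cache.c only; a test that adds and inserts rules by position and by index into a table with named sets would cover both sides of the condition.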