netfilter: nf_tables: use new transaction infrastructure to handle sets
This patch reworks the nf_tables API so set updates are included in the same batch that contains rule updates. This speeds up rule-set updates since we skip a dialog of four messages between kernel and user-space (two on each direction), from: 1) create the set and send netlink message to the kernel 2) process the response from the kernel that contains the allocated name. 3) add the set elements and send netlink message to the kernel. 4) process the response from the kernel (to check for errors). To: 1) add the set to the batch. 2) add the set elements to the batch. 3) add the rule that points to the set. 4) send batch to the kernel. This also introduces an internal set ID (NFTA_SET_ID) that is unique in the batch so set elements and rules can refer to new sets. Backward compatibility has been retained only in userspace; this means that new nft versions can talk to the kernel both in the new and the old fashion. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
b380e5c733
commit
958bee14d0
4 changed files with 133 additions and 18 deletions
@ -246,6 +246,7 @@ enum nft_set_desc_attributes {
* @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
* @NFTA_SET_POLICY: selection policy (NLA_U32)
* @NFTA_SET_DESC: set description (NLA_NESTED)
* @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
@ -258,6 +259,7 @@ enum nft_set_attributes {
NFTA_SET_DATA_LEN,
NFTA_SET_POLICY,
NFTA_SET_DESC,
NFTA_SET_ID,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
@ -293,12 +295,14 @@ enum nft_set_elem_attributes {
* @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
* @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
* @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
* @NFTA_SET_ELEM_LIST_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
*/
enum nft_set_elem_list_attributes {
NFTA_SET_ELEM_LIST_UNSPEC,
NFTA_SET_ELEM_LIST_TABLE,
NFTA_SET_ELEM_LIST_SET,
NFTA_SET_ELEM_LIST_ELEMENTS,
NFTA_SET_ELEM_LIST_SET_ID,
__NFTA_SET_ELEM_LIST_MAX
};
#define NFTA_SET_ELEM_LIST_MAX (__NFTA_SET_ELEM_LIST_MAX - 1)
@ -484,12 +488,14 @@ enum nft_cmp_attributes {
* @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
* @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
* @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
* @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
*/
enum nft_lookup_attributes {
NFTA_LOOKUP_UNSPEC,
NFTA_LOOKUP_SET,
NFTA_LOOKUP_SREG,
NFTA_LOOKUP_DREG,
NFTA_LOOKUP_SET_ID,
__NFTA_LOOKUP_MAX
};
#define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1)
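Review bot: The new NFTA_SET_ID, NFTA_SET_ELEM_LIST_SET_ID and NFTA_LOOKUP_SET_ID doc lines say the ID identifies a set in a transaction but not how it relates to the name attribute next to it (NFTA_SET_ELEM_LIST_SET, NFTA_LOOKUP_SET), so a userspace author cannot tell from this header whether the ID is an alternative to the name, a supplement, or which one wins when both are present. Since this is a uapi header the comment is the contract, so I would extend the lookup line to `* @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32); alternative to NFTA_LOOKUP_SET for sets created in the same batch` and phrase the set-elem-list line the same way against NFTA_SET_ELEM_LIST_SET. The matching nla_policy entries and the kernel-side rule that an ID may only resolve to a set pending in the same batch presumably live in the other files of this commit (nf_tables_api.c and nft_lookup.c), which are outside this section, so I cannot confirm them here. Placing each new value directly before its __NFTA_*_MAX keeps the existing attribute numbers stable, which is the right placement for a uapi enum.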