Re: [nft 3/3] src: add set optimization options

Patrick McHardy <kaber@xxxxxxxxx> · Fri, 19 Sep 2014 19:24:12 +0200

On 19. September 2014 09:04:17 MESZ, Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
>On 18 September 2014 20:39, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> On 18. September 2014 20:18:20 MESZ, Arturo Borrero Gonzalez
><arturo.borrero.glez@xxxxxxxxx> wrote:
>>>This patch adds options to choose set optimization mechanisms.
>>>
>>>Two new statements are added to the set syntax, and they can be
>mixed:
>>>
>>> nft add set filter set1 { type ipv4_addr ; size 1024 ; }
>>> nft add set filter set1 { type ipv4_addr ; policy memory ; }
>>> nft add set filter set1 { type ipv4_addr ; policy performance ; }
>>>nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024
>;
>>>}
>>>nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory
>;
>>>}
>>>nft add set filter set1 { type ipv4_addr ; policy performance ; size
>>>1024 ; }
>>>nft add set filter set1 { type ipv4_addr ; size 1024 ; policy
>>>performance ; }
>>>
>>>Also valid for maps:
>>>
>>>nft add map filter map1 { type ipv4_addr : verdict ; policy
>performace
>>>; }
>>> [...]
>>>
>>>
>>>This is the output format, which can be imported later with `nft -f':
>>>
>>>table filter {
>>>       set set1 {
>>>               type ipv4_addr
>>>               policy memory
>>>               size 1024
>>>       }
>>>}
>>
>> Conceptually this looks good, I'll have a look at the implementation
>after dinner.

Sorry, late nicht after dinner, but I'll get to it tommorrow :)

>> What my patch did was only handle the case where limits can be
>determined automatically, IOW literal sets. Both is needed.
>>
>
>Do you mean to give the size parameter a value when we know the set
>has a concrete number of elements?
>For example:
>add rule tcp dport {1 , 2 , 3} counter --> then add a set with fixed
>size 3.

Yes, this is what my patch is doing, and some further analysis of common prefixes etc for an unfinished feature.

>I realize now the patch includes some newlines included by mistake. So
>a v2 is likely to be needed.

Yeah. I've only read it on my mobile so far, but I also noticed some changes which aren't needed, so please hold off with a V2 until tommorrow.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html