On Thu, Sep 18, 2014 at 08:18:20PM +0200, Arturo Borrero Gonzalez wrote: > This patch adds options to choose set optimization mechanisms. > > Two new statements are added to the set syntax, and they can be mixed: > > nft add set filter set1 { type ipv4_addr ; size 1024 ; } > nft add set filter set1 { type ipv4_addr ; policy memory ; } > nft add set filter set1 { type ipv4_addr ; policy performance ; } > nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; } > nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; } > nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; } > nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; } > > Also valid for maps: > > nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; } > [...] I'd suggest to also add a global option which is the default unless overridden by a specific set instantiation. Doesn't have to be done in this patch however. > @@ -1103,6 +1114,14 @@ static int netlink_add_set_batch(struct netlink_ctx *ctx, > } > set->handle.set_id = ++set_id; > nft_set_attr_set_u32(nls, NFT_SET_ATTR_ID, set->handle.set_id); > + > + if (set->attr_flags & (1 << NFT_SET_ATTR_POLICY)) > + nft_set_attr_set_u32(nls, NFT_SET_ATTR_POLICY, set->policy); > + > + if (set->attr_flags & (1 << NFT_SET_ATTR_DESC_SIZE)) > + nft_set_attr_set_u32(nls, NFT_SET_ATTR_DESC_SIZE, > + set->desc.size); > + As in the kernel, the size definitely doesn't need an attribute, the policy can be argued about. > @@ -965,6 +975,7 @@ set_block : /* empty */ { $$ = $<set>-1; } > $1->init = $4; > $$ = $1; > } > + | set_block set_mechanism stmt_seperator > ; > > set_flag_list : set_flag_list COMMA set_flag 
> @@ -1018,6 +1029,26 @@ map_block : /* empty */ { $$ = $<set>-1; } > $1->init = $4; > $$ = $1; > } > + | map_block set_mechanism stmt_seperator > + ; > + > +set_mechanism : set_policy_spec > + { > + $<set>0->attr_flags |= (1 << NFT_SET_ATTR_POLICY); > + $<set>0->policy = $1; > + } > + | set_size_spec > + { > + $<set>0->attr_flags |= (1 << NFT_SET_ATTR_DESC_SIZE); > + $<set>0->desc.size = $1; > + } > + ; > + > +set_policy_spec : POLICY PERFORMANCE { $$ = NFT_SET_POL_PERFORMANCE; } > + | POLICY MEMORY { $$ = NFT_SET_POL_MEMORY; } > + ; > + > +set_size_spec : SIZE NUM { $$ = $2; } We usually have rules like this: set_policy: PERFORMANCE ... MEMORY and the keyword POLICY one level above.
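Review bot: In the netlink_add_set_batch() hunk, the tests `set->attr_flags & (1 << NFT_SET_ATTR_POLICY)` and `(1 << NFT_SET_ATTR_DESC_SIZE)` shift a signed int by a library attribute number, which is undefined once that number reaches 31 and ties the frontend's flag word to the library's enum ordering. Suggest `1U <<` at minimum, or dedicated "policy given" and "size given" markers in the set structure, since the visible hunks only ever set these two bits.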
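Review bot: In the set_block hunk (@@ -965,6 +975,7 @@), the new alternative `| set_block set_mechanism stmt_seperator` carries no action, while the alternative just above it ends with an explicit `$$ = $1;`. It works through the parser generator's default action, but an explicit `{ $$ = $1; }` would match the neighbouring rules and make it obvious that the set being built is passed through unchanged. The same applies to the matching map_block alternative.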
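Review bot: In the set_mechanism rule (@@ -1018,6 +1029,26 @@ hunk), nothing rejects a repeated statement: both actions do `attr_flags |= ...` and then assign, so a block such as `policy memory ; policy performance ;` is accepted and the last value silently wins. Suggest testing the flag before setting it and reporting an error on a duplicate. Separately, `set_size_spec : SIZE NUM { $$ = $2; }` passes the number through unchecked although the netlink hunk sends `set->desc.size` with nft_set_attr_set_u32(); a range check (and a decision on whether `size 0` is meaningful) belongs here or in evaluation.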