Re: RFC: Designing per chain rule cache support in libnftnl

On Fri, Nov 23, 2018 at 07:49:49AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > In order to improve performance in 'nft -f' as well as xtables-restore
> > with very large rulesets, we need to store rules by chain they belong
> > to. In order to avoid pointless code duplication, this should be
> > supported by libnftnl.
> 
> Unfortunately we still need to change lookup algorithm as well
> (hash, tree?), linear list scan is too expensive.
> 
> We might even need multiple internal ways to keep track of the chains,
> e.g. to accelerate insert/delete-by-index :-/

That's right. I would "hide" these details within struct nftnl_rule_list
though and provide appropriate lookup routines.

For now, I'm focussing on the API, if we get it right the data structure
behind it is replaceable/extensible at will.

> > Looking into the topic, it seems like extending struct nftnl_chain is
> > the most straightforward way to go. My idea is to embed an
> > nftnl_rule_list in there, though I'm unsure how to best do that in
> > practice:
> > 
> > We could either add a field of type struct nftnl_rule_list which would
> > have to be initialized/cleared in nftnl_chain_alloc() and
> > nftnl_chain_free(). This would be accompanied by a function to retrieve
> > the pointer to that field so the existing rule_list routines may be used
> > with it.
> > 
> > Another option would be to add a pointer to a struct nftnl_rule_list.
> > Having a function to retrieve a pointer to that pointer, the rule_list
> > could be initialized/cleared by users on demand.
> > 
> > What do you consider more practical? Is there a third option I didn't
> > think of yet?
> 
> I'd vote for the former (embed nftnl_rule_list).

OK, thanks.

> If user doesn't want it cleared at nftnl_chain_free() time they can
> always allocate a new nftnl_rule_list and splice to that list.

Good point. What do you think about the simple approach of introducing:

| struct nftnl_rule_list *nftnl_chain_get_rule_list(const struct nftnl_chain *);

This would allow reusing the nftnl_rule_list routines from libnftnl/rule.h.
One potential problem I see is that users may try to call
nftnl_rule_list_free(). Can we prevent that somehow?

A more fool-proof (but somewhat tedious) solution would be to duplicate
nftnl_rule_list API for use on an nftnl_chain. But I don't quite like
that.

Cheers, Phil
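The design sketched in this mail, modelled as an added example in C: a rule list embedded in the chain struct, a getter that returns a pointer to it, a splice routine for callers who want to keep the rules past chain free time (Florian's suggestion), and a list free routine that refuses to free an embedded list, which is one possible answer to the "can we prevent that somehow" question above. This is not libnftnl code; struct chain, struct rule_list, chain_get_rule_list(), rule_list_free(), rule_list_splice() and the 'embedded' flag are hypothetical stand-ins for the real API, the getter takes a non-const chain to avoid a cast, and the rules are constructed sample entries identified by a handle only.

```c
/* Added example, not libnftnl code. All names are hypothetical stand-ins
 * for the nftnl_chain / nftnl_rule_list API discussed in the thread. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct rule {
	struct rule *next;
	unsigned int handle;		/* constructed sample id, no real rule data */
};

struct rule_list {
	struct rule *head, *tail;
	size_t count;
	int embedded;			/* 1: lives inside a struct chain, owned by it */
};

struct chain {
	char name[32];
	struct rule_list rules;		/* embedded, init'd in chain_alloc(), cleared in chain_free() */
};

static void rule_list_init(struct rule_list *l, int embedded)
{
	memset(l, 0, sizeof(*l));
	l->embedded = embedded;
}

static void rule_list_clear(struct rule_list *l)
{
	struct rule *r = l->head, *n;

	while (r) {
		n = r->next;
		free(r);
		r = n;
	}
	l->head = l->tail = NULL;
	l->count = 0;
}

struct rule_list *rule_list_alloc(void)
{
	struct rule_list *l = malloc(sizeof(*l));

	if (l)
		rule_list_init(l, 0);
	return l;
}

/* Returns 0 on success, -1 if asked to free a list embedded in a chain:
 * the chain owns that storage, so only chain_free() may release it. */
int rule_list_free(struct rule_list *l)
{
	if (l->embedded)
		return -1;
	rule_list_clear(l);
	free(l);
	return 0;
}

/* Move every rule from src to the tail of dst; src stays valid but empty. */
void rule_list_splice(struct rule_list *dst, struct rule_list *src)
{
	if (!src->head)
		return;
	if (dst->tail)
		dst->tail->next = src->head;
	else
		dst->head = src->head;
	dst->tail = src->tail;
	dst->count += src->count;
	src->head = src->tail = NULL;
	src->count = 0;
}

/* Linear scan: the cost the thread says must eventually be replaced. */
struct rule *rule_list_lookup(struct rule_list *l, unsigned int handle)
{
	for (struct rule *r = l->head; r; r = r->next)
		if (r->handle == handle)
			return r;
	return NULL;
}

struct chain *chain_alloc(const char *name)
{
	struct chain *c = calloc(1, sizeof(*c));

	if (!c)
		return NULL;
	strncpy(c->name, name, sizeof(c->name) - 1);
	rule_list_init(&c->rules, 1);
	return c;
}

struct rule_list *chain_get_rule_list(struct chain *c)
{
	return &c->rules;
}

void chain_free(struct chain *c)
{
	rule_list_clear(&c->rules);
	free(c);
}

int chain_add_rule(struct chain *c, unsigned int handle)
{
	struct rule *r = malloc(sizeof(*r));
	struct rule_list *l = &c->rules;

	if (!r)
		return -1;
	r->handle = handle;
	r->next = NULL;
	if (l->tail)
		l->tail->next = r;
	else
		l->head = r;
	l->tail = r;
	l->count++;
	return 0;
}

/* Walks the whole scenario; returns 0 if every step behaves as intended. */
int demo(void)
{
	struct chain *c = chain_alloc("input");
	struct rule_list *own;

	if (!c)
		return 1;
	if (chain_add_rule(c, 10) || chain_add_rule(c, 20) || chain_add_rule(c, 30)) {
		chain_free(c);
		return 2;
	}
	if (chain_get_rule_list(c)->count != 3 ||
	    !rule_list_lookup(chain_get_rule_list(c), 20)) {
		chain_free(c);
		return 3;
	}
	/* the misuse worried about in the mail: must be refused, not crash later */
	if (rule_list_free(chain_get_rule_list(c)) != -1) {
		chain_free(c);
		return 4;
	}
	/* keep the rules beyond chain_free(): splice them into a standalone list */
	own = rule_list_alloc();
	if (!own) {
		chain_free(c);
		return 5;
	}
	rule_list_splice(own, chain_get_rule_list(c));
	if (own->count != 3 || chain_get_rule_list(c)->count != 0)
		return 6;
	chain_free(c);			/* embedded list is empty now, nothing lost */
	if (!rule_list_lookup(own, 30) || rule_list_free(own) != 0)
		return 7;
	return 0;
}

int main(void)
{
	return demo();
}
```

The 'embedded' flag is the cheapest guard: it costs one int per list and turns the double-free into a reported error instead of a heap corruption. It does not stop a caller from holding the pointer after chain_free(), so the getter's documentation still has to say the list lives exactly as long as the chain.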


