On Fri, Nov 23, 2018 at 07:49:49AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > In order to improve performance in 'nft -f' as well as xtables-restore
> > with very large rulesets, we need to store rules by chain they belong
> > to. In order to avoid pointless code duplication, this should be
> > supported by libnftnl.
>
> Unfortunately we still need to change lookup algorithm as well
> (hash, tree?), linear list scan is too expensive.
>
> We might even need multiple internal ways to keep track of the chains,
> e.g. to accelerate insert/delete-by-index :-/

That's right. I would "hide" these details within struct nftnl_rule_list
though and provide appropriate lookup routines. For now, I'm focussing on
the API, if we get it right the data structure behind it is
replaceable/extensible at will.

> > Looking into the topic, it seems like extending struct nftnl_chain is
> > the most straightforward way to go. My idea is to embed an
> > nftnl_rule_list in there, though I'm unsure how to best do that in
> > practice:
> >
> > We could either add a field of type struct nftnl_rule_list which would
> > have to be initialized/cleared in nftnl_chain_alloc() and
> > nftnl_chain_free(). This would be accompanied by a function to retrieve
> > the pointer to that field so the existing rule_list routines may be used
> > with it.
> >
> > Another option would be to add a pointer to a struct nftnl_rule_list.
> > Having a function to retrieve a pointer to that pointer, the rule_list
> > could be initialized/cleared by users on demand.
> >
> > What do you consider more practical? Is there a third option I didn't
> > think of yet?
>
> I'd vote for the former (embed nftnl_rule_list).

OK, thanks.

> If user doesn't want it cleared at nftnl_chain_free() time they can
> always allocate a new nftnl_rule_list and splice to that list.

Good point.

What do you think about the simple approach of introducing:

| struct nftnl_rule_list *nftnl_chain_get_rule_list(const struct nftnl_chain *);

This would allow to reuse nftnl_rule_list routines from libnftnl/rule.h.
One potential problem I see is that users may try to call
nftnl_rule_list_free(). Can we prevent that somehow?

A more fool-proof (but somewhat tedious) solution would be to duplicate
nftnl_rule_list API for use on an nftnl_chain. But I don't quite like
that.

Cheers, Phil
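
Added example, not part of the original message and not libnftnl code: a toy C model of the embedded-list option discussed above, with the accessor, the splice escape hatch, and one possible guard against freeing the embedded list. The `embedded` flag and all `toy_*` names are assumptions made for illustration; nothing in the thread proposes them.

```c
#include <stdlib.h>

/* Toy stand-ins only: none of these are libnftnl's real types or functions. */
struct toy_rule { struct toy_rule *next; int handle; };
struct toy_rule_list {
    struct toy_rule *head, **tail;
    int embedded;                 /* 1: header lives inside a toy_chain */
};
struct toy_chain { struct toy_rule_list rules; };   /* embedded, not a pointer */

static void list_init(struct toy_rule_list *l, int embedded) {
    l->head = NULL; l->tail = &l->head; l->embedded = embedded;
}
static int list_clear(struct toy_rule_list *l) {    /* frees rules, keeps header */
    int n = 0;
    for (struct toy_rule *r; (r = l->head) != NULL; n++) { l->head = r->next; free(r); }
    l->tail = &l->head;
    return n;
}
int toy_rule_list_add(struct toy_rule_list *l, int handle) {
    struct toy_rule *r = calloc(1, sizeof(*r));
    if (!r) return -1;
    r->handle = handle; *l->tail = r; l->tail = &r->next;
    return 0;
}
struct toy_rule_list *toy_rule_list_alloc(void) {
    struct toy_rule_list *l = malloc(sizeof(*l));
    if (l) list_init(l, 0);
    return l;
}
int toy_rule_list_free(struct toy_rule_list *l) {   /* rules freed, or -1 if refused */
    if (l->embedded) return -1;   /* free() of an interior pointer is undefined */
    int n = list_clear(l);
    free(l);
    return n;
}
void toy_rule_list_splice(struct toy_rule_list *dst, struct toy_rule_list *src) {
    if (!src->head) return;
    *dst->tail = src->head; dst->tail = src->tail;
    list_init(src, src->embedded);  /* src stays valid, now empty */
}
struct toy_chain *toy_chain_alloc(void) {
    struct toy_chain *c = malloc(sizeof(*c));
    if (c) list_init(&c->rules, 1);
    return c;
}
struct toy_rule_list *toy_chain_get_rule_list(struct toy_chain *c) { return &c->rules; }
int toy_chain_free(struct toy_chain *c) { int n = list_clear(&c->rules); free(c); return n; }
```

Without the flag check, `toy_rule_list_free()` on the accessor's return value would pass a pointer into the middle of the chain allocation to `free()`, and `toy_chain_free()` would later walk rules that were already released.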