Hi Pablo, As promised, here's a revised version of your cache rework series from January. It restores performance according to my tests (which are yet to be published somewhere) and passes the testsuites. Patches 1-3 are code simplifications which are not directly related to the actual caching changes. Patch 4 enhances set fetching by adding support for passing a table name to kernel but no set name. Not a big deal for iptables but it aligns the code with chain fetching. Patch 5 is a respin of a patch submitted a few weeks ago, namely adding implicit commits to arptables- and ebtables-restore tools which don't support explicit COMMIT lines in input. Big benefit here is that we won't see consecutive commands for different tables anymore, so selective cache fetching doesn't have to deal with too many odd cases. Patches 6-10 are yours, I rebased and revisited them. Any changes are recorded in per-patch changelogs. Patch 11 simplifies fetch_set_cache() and fetch_rule_cache() functions as they no longer have to be aware of previous invocations. Patch 12 improves NFT_CL_FAKE integration considerably, easily possible now that there is nft_cache_level_set() function. Patch 13 introduces an embedded struct into struct nft_handle which holds cache requirements collected from parsed commands. At first there is just the desired cache level, further patches extend it. Patches 14-16 re-establish per table/chain cache. Patch 17 reduces cache requirements for flush command by making nft_xt_builtin_init() cache-aware. Patch 18 fixes the segfault reported in nfbz#1407. Pablo Neira Ayuso (5): nft: split parsing from netlink commands nft: calculate cache requirements from list of commands nft: restore among support nft: remove cache build calls nft: missing nft_fini() call in bridge family Phil Sutter (13): ebtables-restore: Drop custom table flush routine nft: cache: Eliminate init_chain_cache() nft: cache: Init per table set list along with chain list nft: cache: Fetch sets per table ebtables-restore: Table line to trigger implicit commit nft: cache: Simplify rule and set fetchers nft: cache: Improve fake cache integration nft: cache: Introduce struct nft_cache_req nft-cache: Fetch cache per table nft-cache: Introduce __fetch_chain_cache() nft: cache: Fetch cache for specific chains nft: cache: Optimize caching for flush command nft: Fix for '-F' in iptables dumps iptables/Makefile.am | 2 +- iptables/nft-arp.c | 5 +- iptables/nft-bridge.c | 18 +- iptables/nft-cache.c | 318 +++++++------- iptables/nft-cache.h | 6 +- iptables/nft-cmd.c | 387 ++++++++++++++++++ iptables/nft-cmd.h | 79 ++++ iptables/nft-shared.c | 6 +- iptables/nft-shared.h | 4 +- iptables/nft.c | 369 ++++++++++++----- iptables/nft.h | 62 ++- .../testcases/ip6tables/0004-return-codes_0 | 1 + .../testcases/iptables/0004-return-codes_0 | 6 + .../testcases/nft-only/0006-policy-override_0 | 29 ++ iptables/xtables-arp.c | 26 +- iptables/xtables-eb-standalone.c | 2 + iptables/xtables-eb.c | 26 +- iptables/xtables-restore.c | 126 +----- iptables/xtables-save.c | 3 + iptables/xtables.c | 57 ++- 20 files changed, 1100 insertions(+), 432 deletions(-) create mode 100644 iptables/nft-cmd.c create mode 100644 iptables/nft-cmd.h create mode 100755 iptables/tests/shell/testcases/nft-only/0006-policy-override_0 -- 2.25.1
