Work in this series centered around Harald's complaint about seemingly
random custom chain ordering in iptables-nft-save output. In fact,
nftables returns chains in the order they were created which differs
from legacy iptables which sorts by name.
The intuitive approach of simply sorting chains in tables'
nftnl_chain_lists is problematic since base chains, which shall be
dumped first, are contained in there as well. Patch 15 solves this by
introducing a per-table array of nftnl_chain pointers to hold only base
chains (the hook values determine the array index). The old
nftnl_chain_list now contains merely non-base chains and is sorted upon
population by the new nftnl_chain_list_add_sorted() function.
Having dedicated slots for base chains allows for another neat trick,
namely to create only immediately required base chains. Apart from the
obvious case, where adding a rule to OUTPUT chain doesn't cause creation
of INPUT or FORWARD chains, this means ruleset modifications can be
avoided completely when listing, flushing or zeroing counters (unless
chains exist).
The first 14 patches are mostly just preliminary work and some
distinct optimizations found while working on the actual features.
Patch 15 introduces the mentioned base chain array and updates related
routines to be aware of the potential other location a given chain name
may be found in.
Patch 16 enables custom chain sorting at cache population time (or when
new chains are created by the user). It depends on my recent patch sent
for libnftnl.
Patch 17 drops the various workarounds from tests/shell dealing with
differing iptables-save output. This implicitly also enables testing of
the sorting feature.
Patch 18 Changes nft_xt_builtin_init() to accept a specific chain which
should be created, adds nft_xt_builtin_table_init() to create just the
table and no chains at all and nft_xt_fake_builtin_chains() to populate
empty base chain slots with fake entries for ruleset listing commands.
Phil Sutter (18):
nft: Make table creation purely implicit
nft: Be lazy when flushing
nft: cache: Drop duplicate chain check
nft: Drop pointless nft_xt_builtin_init() call
nft: Turn nft_chain_save() into a foreach-callback
nft: Use nft_chain_find() in two more places
nft: Reorder enum nft_table_type
nft: cache: Fetch only interesting tables from kernel
nft: Use nftnl_chain_list_foreach in nft_rule_list{,_save}
nft: Use nftnl_chain_list_foreach in nft_rule_flush
nft: Use nftnl_chain_foreach in nft_rule_save
nft: Fold nftnl_rule_list_chain_save() into caller
nft: Implement nft_chain_foreach()
nft: cache: Introduce nft_cache_add_chain()
nft: Introduce a dedicated base chain array
nft: cache: Sort custom chains by name
tests: shell: Drop any dump sorting in place
nft: Avoid pointless table/chain creation
iptables/nft-cache.c | 107 ++--
iptables/nft-cache.h | 3 +
iptables/nft-cmd.c | 5 -
iptables/nft.c | 466 +++++++++---------
iptables/nft.h | 15 +-
.../ebtables/0002-ebtables-save-restore_0 | 2 +-
.../firewalld-restore/0001-firewalld_0 | 17 +-
.../ipt-restore/0007-flush-noflush_0 | 4 +-
.../ipt-restore/0014-verbose-restore_0 | 2 +-
iptables/xtables-restore.c | 3 -
iptables/xtables-save.c | 8 +-
11 files changed, 335 insertions(+), 297 deletions(-)
--
2.27.0
