This adds a new option, -O/--optimize, to enable/disable ruleset
transformations.

First two supported optimizations are:

1. Allow removal of implicit dependencies on 'list ruleset'.
2. Allow automatic replacement of anonymous sets with only one element.

There is currently no exported libnftables function to provide access to
the internal settings. If there is a use case it can be added later on.

Florian Westphal (6):
  src: add proto ctx options
  src: allow to turn off dependency removal
  main: add -O help to dump list of supported optimization flags
  evaluate: optionally kill anon sets with one element
  tests: add test case for -O no-remove-dependencies
  tests: add test case for removal of anon sets with only a single element

 include/nftables.h                            |  12 +++
 include/proto.h                               |  10 +-
 include/rule.h                                |   6 ++
 src/evaluate.c                                |  25 ++++-
 src/libnftables.c                             |  10 ++
 src/main.c                                    | 100 ++++++++++++++++++
 src/netlink.c                                 |   2 +-
 src/netlink_delinearize.c                     |  16 ++-
 src/proto.c                                   |   4 +-
 .../optimizations/dumps/payload_meta_deps.nft |  10 ++
 .../dumps/payload_meta_deps.no-remove-deps    |  10 ++
 .../optimizations/dumps/single_anon_set.nft   |  12 +++
 .../single_anon_set.replace-single-anon-sets  |  12 +++
 .../testcases/optimizations/payload_meta_deps |  33 ++++++
 .../testcases/optimizations/single_anon_set   |  30 ++++++
 15 files changed, 282 insertions(+), 10 deletions(-)
 create mode 100644 tests/shell/testcases/optimizations/dumps/payload_meta_deps.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/payload_meta_deps.no-remove-deps
 create mode 100644 tests/shell/testcases/optimizations/dumps/single_anon_set.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/single_anon_set.replace-single-anon-sets
 create mode 100755 tests/shell/testcases/optimizations/payload_meta_deps
 create mode 100755 tests/shell/testcases/optimizations/single_anon_set

-- 
2.26.3