On Mon, Jun 20, 2022 at 11:03:46AM +0200, Pablo Neira Ayuso wrote:
> Robots might generate a long list of singleton element commands such as:
>
> add element t s { 1.0.1.0/24 }
> ...
> add element t s { 1.0.2.0/23 }
>
> collapse them into one single command before the evaluation step, i.e.
>
> add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 }
>
> this speeds up overlap detection and set element automerge operations in
> this worst case scenario.
>
> Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel
> elements"), the new interval tracking relies on mergesort. The pattern
> above triggers the set sorting for each element.
>
> This patch adds a list to cmd objects that store collapsed commands.
> Moreover, expressions also contain a reference to the original command,
> to uncollapse the commands after the evaluation step.
>
> These commands are uncollapsed after the evaluation step to ensure error
> reporting works as expected (command and netlink message are mapped
> 1:1).
>
> For the record:
>
> - nftables versions <= 1.0.2 did not perform any kind of overlap
> check for the described scenario above (because set cache only contained
> elements in the kernel in this case). This is a problem for kernels < 5.7
> which rely on userspace to detect overlaps.
>
> - the overlap detection could be skipped for kernels >= 5.7.
>
> - The extended netlink error reporting available for set elements
> since 5.19-rc might allow to remove the uncollapse step, in this case,
> error reporting does not rely on the netlink sequence to refer to the
> command triggering the problem.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Acked-by: Phil Sutter <phil@xxxxxx>
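The collapse/uncollapse scheme and the sort-based overlap check described in the quoted commit message, as an added Python sketch that is not nftables' own code: consecutive singleton `add element` commands on the same table/set are merged into one command, a single sort runs over the merged element list, and any overlap is mapped back to the line index of the originating command. The regex, the `Cmd` structure and the third, overlapping element in `SCRIPT` are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Singleton "add element <table> <set> { <cidr> }" line, the shape quoted in the commit message.
ELEM_RE = re.compile(r"^add element (\S+) (\S+) \{\s*([^,}\s]+)\s*\}$")


@dataclass
class Cmd:
    table: str
    setname: str
    elems: list = field(default_factory=list)   # element strings, in input order
    origin: list = field(default_factory=list)  # original line index of each element


def collapse(lines):
    """Merge runs of consecutive singleton commands on the same table/set into one Cmd."""
    out = []
    for idx, line in enumerate(lines):
        m = ELEM_RE.match(line.strip())
        if not m:
            continue  # simplification: any other command is skipped rather than kept in order
        table, setname, elem = m.groups()
        if out and (out[-1].table, out[-1].setname) == (table, setname):
            out[-1].elems.append(elem)
            out[-1].origin.append(idx)
        else:
            out.append(Cmd(table, setname, [elem], [idx]))
    return out


def render(cmd):
    return f"add element {cmd.table} {cmd.setname} {{ {', '.join(cmd.elems)} }}"


def find_overlaps(cmd):
    """One sort over the collapsed list; return overlapping pairs as original line indices."""
    nets = [(ipaddress.ip_network(e, strict=False), i) for e, i in zip(cmd.elems, cmd.origin)]
    ivals = sorted((int(n.network_address), int(n.broadcast_address), i) for n, i in nets)
    overlaps, max_end, max_idx = [], -1, None
    for start, end, idx in ivals:
        if start <= max_end:                 # starts inside an earlier interval
            overlaps.append((max_idx, idx))  # "uncollapse": report the originating commands
        if end > max_end:
            max_end, max_idx = end, idx
    return overlaps


# Constructed input in the shape of the quoted commit message; the third line overlaps the second.
SCRIPT = ["add element t s { 1.0.1.0/24 }", "add element t s { 1.0.2.0/23 }",
          "add element t s { 1.0.3.0/24 }", "add element t other { 10.0.0.0/8 }"]
```

Sorting once per collapsed command instead of once per element is what removes the quadratic behaviour for long robot-generated lists; the `origin` list is what keeps error reports pointing at the original command.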