[libnftnl PATCH v2] set: Export nftnl_set_list_lookup_byname()

2019-10-08 Thread Phil Sutter
Rename and optimize internal function nftnl_set_lookup() for external use. Just like with nftnl_chain_list, use a hash table for fast set name lookups. Signed-off-by: Phil Sutter --- Changes since v1: - Adjust LIBVERSION according to libtool documentation. --- Make_global.am | 2 +- inc

Re: [PATCH nft] tests: shell: fix failed tests due to missing quotes

2019-10-08 Thread Phil Sutter
On Tue, Oct 08, 2019 at 08:06:32PM +0200, Eric Jallot wrote: > Add double quotes to protect newlines when using <<< redirection. > > See also commit b878cb7d83855. > > Signed-off-by: Eric Jallot Applied, thanks!

[iptables PATCH v3 06/11] nft-cache: Cover for multiple fetcher invocation

2019-10-08 Thread Phil Sutter
Preparing for partial caches, it is necessary to make sure these functions don't cause harm if called repeatedly. * Use h->cache->tables pointer as indicator for existing table cache, return immediately from fetch_table_cache() if non-NULL. * Initialize table's chain list only if non-NULL. * S

[iptables PATCH v3 03/11] nft: Extract cache routines into nft-cache.c

2019-10-08 Thread Phil Sutter
The amount of code dealing with caching only is considerable and hence deserves its own source file. Signed-off-by: Phil Sutter --- iptables/Makefile.am | 2 +- iptables/nft-cache.c | 376 + iptables/nft-cache.h | 17 ++ iptables/nft.c

[iptables PATCH v3 01/11] nft: Pass nft_handle to flush_cache()

2019-10-08 Thread Phil Sutter
This allows calling nft_table_builtin_find() and hence removes the only real user of __nft_table_builtin_find(). Consequently remove the latter by integrating it into its sole caller. Signed-off-by: Phil Sutter --- iptables/nft.c | 28 +++- 1 file changed, 11 insertions(+

[iptables PATCH v3 11/11] nft: Optimize flushing all chains of a table

2019-10-08 Thread Phil Sutter
Leverage nftables' support for flushing all chains of a table by omitting the NFTNL_RULE_CHAIN attribute in the NFT_MSG_DELRULE payload. The only caveat is with verbose output, as that still requires having a list of (existing) chains to iterate over. Apart from that, implementing this shortcut is pretty

[iptables PATCH v3 00/11] Improve iptables-nft performance with large rulesets

2019-10-08 Thread Phil Sutter
Third approach at caching optimizations implementation. The goal of reducing scope of cached data remains the same: First, optimize cache depth (i.e., omit caching rules or chains if not needed). Second, optimize cache width (i.e., cache only required chains). Changes since v2: * Move all cache-

[iptables PATCH v3 07/11] nft-cache: Support partial cache per table

2019-10-08 Thread Phil Sutter
Accept a builtin_table pointer in __nft_build_cache() and pass it along when fetching chains and rules to operate on that table only (unless the pointer is NULL). Make use of it in nft_chain_list_get() since that accepts a table name and performs a builtin table lookup internally already. Signed-

[iptables PATCH v3 08/11] nft-cache: Support partial rule cache per chain

2019-10-08 Thread Phil Sutter
Accept an additional chain name pointer in __nft_build_cache() and pass it along to fetch only that specific chain and its rules. Enhance nft_build_cache() to take an optional nftnl_chain pointer to fetch rules for. Enhance nft_chain_list_get() to take an optional chain name. If cache level doesn

[iptables PATCH v3 10/11] nft: Support nft_is_table_compatible() per chain

2019-10-08 Thread Phil Sutter
When operating on a single chain only, compatibility checking causes unwanted overhead by checking all chains of the current table. Avoid this by accepting the current chain name as a parameter and passing it along to nft_chain_list_get(). While at it, introduce nft_assert_table_compatible() whic

[iptables PATCH v3 05/11] nft-cache: Fetch only chains in nft_chain_list_get()

2019-10-08 Thread Phil Sutter
The function is used to return the given table's chains, so fetching chain cache is enough. Add calls to nft_build_cache() in places where a rule cache is required. Signed-off-by: Phil Sutter --- iptables/nft-cache.c | 2 +- iptables/nft.c | 20 2 files changed, 21 i

[iptables PATCH v3 09/11] nft: Reduce cache overhead of nft_chain_builtin_init()

2019-10-08 Thread Phil Sutter
There is no need for a full chain cache, fetch only the few builtin chains that might need to be created. Signed-off-by: Phil Sutter --- iptables/nft.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 775582aab7955..7e019d54ee475

[iptables PATCH v3 04/11] nft-cache: Introduce cache levels

2019-10-08 Thread Phil Sutter
Replace the simple have_cache boolean by a cache level indicator defining how complete the cache is. Since have_cache indicated full cache (including rules), make code depending on it check for cache level NFT_CL_RULES. Core cache fetching routine __nft_build_cache() accepts a new level via parame

[iptables PATCH v3 02/11] nft: Avoid nested cache fetching

2019-10-08 Thread Phil Sutter
Don't call fetch_table_cache() from within fetch_chain_cache() but instead from __nft_build_cache(). Since that is the only caller of fetch_chain_cache(), this change should not have any effect in practice. Signed-off-by: Phil Sutter --- iptables/nft.c | 3 +-- 1 file changed, 1 insertion(+), 2

[PATCH] checksum: Fix TCP/UDP checksum computation on big endian arches

2019-10-08 Thread Alin Nastac
On big endian arches UDP/TCP checksum is incorrectly computed when payload length is odd. Signed-off-by: Alin Nastac --- src/extra/checksum.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/extra/checksum.c b/src/extra/checksum.c index 4d52a99..42389aa 100644 -

Re: [PATCH libnetfilter_queue 0/5] clang and documentation updates

2019-10-08 Thread Pablo Neira Ayuso
On Tue, Oct 08, 2019 at 11:49:43AM +1100, Duncan Roe wrote: > This series is a mixture of patches to enable clang build and correct / insert > doxygen comments. It ended up that way after git merges of local branches > where > they were originally developed. > > Hopefully they are all uncontrover