From: Pablo Neira Ayuso
Date: Tue, 22 Aug 2023 09:33:27 +0000 (+0200)
Subject: cache: chain listing implicitly sets on terse option
X-Git-Tag: v1.0.9~194
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70d99ce8bf8bd3dab84ea0a6249812b04ec95b8c;p=thirdparty%2Fnftables.git

cache: chain listing implicitly sets on terse option

If user specifies a chain to be listed (which is internally handled via
filtering options), then toggle NFT_CACHE_TERSE to skip fetching set
content from kernel for non-anonymous sets.

With a large IPv6 set with bogons, before this patch:

 # time nft list chain inet raw x
 table inet raw {
        chain x {
                ip6 saddr @bogons6
                ip6 saddr { aaaa::, bbbb:: }
        }
 }

 real    0m2,913s
 user    0m1,345s
 sys     0m1,568s

After this patch:

 # time nft list chain inet raw prerouting
 table inet raw {
        chain x {
                ip6 saddr @bogons6
                ip6 saddr { aaaa::, bbbb:: }
        }
 }

 real    0m0,056s
 user    0m0,018s
 sys     0m0,039s

This speeds up chain listing in the presence of a large set.

Signed-off-by: Pablo Neira Ayuso
---

diff --git a/src/cache.c b/src/cache.c index b6a7e194..db9a9a75 100644 --- a/src/cache.c +++ b/src/cache.c @@ -212,6 +212,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd, filter->list.family = cmd->handle.family; filter->list.table = cmd->handle.table.name; filter->list.chain = cmd->handle.chain.name; + /* implicit terse listing to fetch content of anonymous + * sets only when chain name is specified. + */ + flags |= NFT_CACHE_TERSE; } flags |= NFT_CACHE_FULL; break;
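
Review bot: The comment added above flags |= NFT_CACHE_TERSE is ambiguous, and the hunk does not show what condition guards the block it sits in. "to fetch content of anonymous sets only when chain name is specified" can be read as "fetch only anonymous sets" or as "only when a chain is named"; something like "chain listing: skip elements of named sets, anonymous set content is still fetched" would state the intent directly. The context lines assign filter->list.family, filter->list.table and filter->list.chain together, so if this branch can also be reached with cmd->handle.chain.name unset (a table-only listing), terse mode would apply to a case the commit message does not describe; an explicit check on cmd->handle.chain.name next to the new line would make the code match the comment. It is also worth confirming that the following flags |= NFT_CACHE_FULL does not re-enable element fetching for named sets. The diff touches only src/cache.c, so a listing test with one named set and one anonymous set in the same chain would help pin the behaviour.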