git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 21 Jan 2026 00:08:45 +0000 (01:08 +0100)
committer	Florian Westphal <fw@strlen.de>
	Thu, 22 Jan 2026 16:18:13 +0000 (17:18 +0100)
commit	7e43e0a1141deec651a60109dab3690854107298
tree	46e943032883960dfc6bc4288a8afded6ffde214	tree
parent	f175b46d9134f708358b5404730c6dfa200fbf3c	commit \| diff

netfilter: nft_set_rbtree: translate rbtree to array for binary search

The rbtree can temporarily store overlapping inactive elements during
the transaction processing, leading to false negative lookups.

To address this issue, this patch adds a .commit function that walks the
the rbtree to build a array of intervals of ordered elements. This
conversion compacts the two singleton elements that represent the start
and the end of the interval into a single interval object for space
efficient.

Binary search is O(log n), similar to rbtree lookup time, therefore,
performance number should be similar, and there is an implementation
available under lib/bsearch.c and include/linux/bsearch.h that is used
for this purpose.

This slightly increases memory consumption for this new array that
stores pointers to the start and the end of the interval.

With this patch:

# time nft -f 100k-intervals-set.nft

real    0m4.218s
user    0m3.544s
sys     0m0.400s

Without this patch:

# time nft -f 100k-intervals-set.nft

real    0m3.920s
user    0m3.547s
sys     0m0.276s

With this patch, with IPv4 intervals:

  baseline rbtree (match on first field only):   15254954pps

Without this patch:

  baseline rbtree (match on first field only):   10256119pps

This provides a ~50% improvement in matching intervals from packet path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>