Phil Sutter <p...@nwl.cc> wrote:
> In order to improve performance in 'nft -f' as well as xtables-restore
> with very large rulesets, we need to store rules by the chain they belong
> to. In order to avoid pointless code duplication, this should be
> supported by libnftnl.

Unfortunately we still need to change the lookup algorithm as well
(hash, tree?); a linear list scan is too expensive.

We might even need multiple internal ways to keep track of the chains,
e.g. to accelerate insert/delete-by-index :-/

> Looking into the topic, it seems like extending struct nftnl_chain is
> the most straightforward way to go. My idea is to embed an
> nftnl_rule_list in there, though I'm unsure how to best do that in
> practice:
> 
> We could either add a field of type struct nftnl_rule_list which would
> have to be initialized/cleared in nftnl_chain_alloc() and
> nftnl_chain_free(). This would be accompanied by a function to retrieve
> the pointer to that field so the existing rule_list routines may be used
> with it.
> 
> Another option would be to add a pointer to a struct nftnl_rule_list.
> Having a function to retrieve a pointer to that pointer, the rule_list
> could be initialized/cleared by users on demand.
> 
> What do you consider more practical? Is there a third option I didn't
> think of yet?

I'd vote for the former (embed nftnl_rule_list).

If the user doesn't want it cleared at nftnl_chain_free() time they can
always allocate a new nftnl_rule_list and splice to that list.
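
The ownership behaviour of the first option discussed above (a rule list embedded in the chain and cleared when the chain is freed, with splicing as the opt-out), shown as an added example that is not part of this thread and is not libnftnl code. All type and function names are hypothetical stand-ins, and the list is a minimal kernel-style list written for the example.

```c
#include <stdlib.h>
/* Minimal circular doubly linked list, in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
/* Move all nodes of 'from' to the tail of 'to'; 'from' is left empty. */
static void list_splice_tail_init(struct list_head *from, struct list_head *to) {
    if (list_empty(from)) return;
    from->next->prev = to->prev; to->prev->next = from->next;
    from->prev->next = to;       to->prev = from->prev;
    list_init(from);
}

/* Hypothetical types; 'node' is the first member so a node pointer is a rule pointer. */
struct rule { struct list_head node; int handle; };
struct rule_list { struct list_head head; };
struct chain { struct rule_list rules; };  /* embedded, not a pointer */
static int rules_freed;                    /* makes ownership observable */
static int rule_list_len(const struct rule_list *l) {
    int n = 0;
    for (const struct list_head *p = l->head.next; p != &l->head; p = p->next) n++;
    return n;
}
static void rule_list_clear(struct rule_list *l) {
    while (!list_empty(&l->head)) {
        struct list_head *n = l->head.next;
        n->prev->next = n->next; n->next->prev = n->prev;
        free(n); rules_freed++;
    }
}
static struct chain *chain_alloc(void) {
    struct chain *c = calloc(1, sizeof(*c));
    if (c) list_init(&c->rules.head);
    return c;
}
static struct rule_list *chain_rules(struct chain *c) { return &c->rules; }
/* Freeing the chain frees whatever rules are still on its embedded list. */
static void chain_free(struct chain *c) { rule_list_clear(&c->rules); free(c); }
static int chain_add_rule(struct chain *c, int handle) {
    struct rule *r = calloc(1, sizeof(*r));
    if (!r) return -1;
    r->handle = handle;
    list_add_tail(&r->node, &c->rules.head);
    return 0;
}
```

A caller that splices the chain's rules onto its own list before freeing the chain takes over ownership of them and must clear that list itself; rules left on the embedded list are released exactly once by the chain's free routine.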
