build: consume specific tables/chains via go-nft
This go-nft version allows its users to read only particular tables/chains when invoking `ReadConfig`, instead of the entire ruleset. This makes deleting rules from a large ruleset faster, thus speeding up CNI DELs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
30
vendor/github.com/networkplumbing/go-nft/nft/config.go
generated
vendored
@ -20,12 +20,19 @@
|
||||
package nft
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
nftconfig "github.com/networkplumbing/go-nft/nft/config"
|
||||
nftexec "github.com/networkplumbing/go-nft/nft/exec"
|
||||
)
|
||||
|
||||
type Config = nftconfig.Config
|
||||
|
||||
const (
|
||||
defaultTimeout = 30 * time.Second
|
||||
)
|
||||
|
||||
// NewConfig returns a new nftables config structure.
|
||||
func NewConfig() *nftconfig.Config {
|
||||
return nftconfig.New()
|
||||
@ -34,12 +41,29 @@ func NewConfig() *nftconfig.Config {
|
||||
// ReadConfig loads the nftables configuration from the system and
|
||||
// returns it as a nftables config structure.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ReadConfig() (*Config, error) {
|
||||
return nftexec.ReadConfig()
|
||||
func ReadConfig(filterCommands ...string) (*Config, error) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
|
||||
defer cancel()
|
||||
return ReadConfigContext(ctx, filterCommands...)
|
||||
}
|
||||
|
||||
// ReadConfigContext loads the nftables configuration from the system and
|
||||
// returns it as a nftables config structure.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ReadConfigContext(ctx context.Context, filterCommands ...string) (*Config, error) {
|
||||
return nftexec.ReadConfig(ctx, filterCommands...)
|
||||
}
|
||||
|
||||
// ApplyConfig applies the given nftables config on the system.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ApplyConfig(c *Config) error {
|
||||
return nftexec.ApplyConfig(c)
|
||||
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
|
||||
defer cancel()
|
||||
return ApplyConfigContext(ctx, c)
|
||||
}
|
||||
|
||||
// ApplyConfigContext applies the given nftables config on the system.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ApplyConfigContext(ctx context.Context, c *Config) error {
|
||||
return nftexec.ApplyConfig(ctx, c)
|
||||
}
|
||||
|
18
vendor/github.com/networkplumbing/go-nft/nft/exec/exec.go
generated
vendored
@ -21,6 +21,7 @@ package exec
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
@ -41,8 +42,13 @@ const (
|
||||
// ReadConfig loads the nftables configuration from the system and
|
||||
// returns it as a nftables config structure.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ReadConfig() (*nftconfig.Config, error) {
|
||||
stdout, err := execCommand(cmdJSON, cmdList, cmdRuleset)
|
||||
func ReadConfig(ctx context.Context, filterCommands ...string) (*nftconfig.Config, error) {
|
||||
|
||||
whatToList := cmdRuleset
|
||||
if len(filterCommands) > 0 {
|
||||
whatToList = strings.Join(filterCommands, " ")
|
||||
}
|
||||
stdout, err := execCommand(ctx, cmdJSON, cmdList, whatToList)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -57,7 +63,7 @@ func ReadConfig() (*nftconfig.Config, error) {
|
||||
|
||||
// ApplyConfig applies the given nftables config on the system.
|
||||
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
|
||||
func ApplyConfig(c *nftconfig.Config) error {
|
||||
func ApplyConfig(ctx context.Context, c *nftconfig.Config) error {
|
||||
data, err := c.ToJSON()
|
||||
if err != nil {
|
||||
return err
|
||||
@ -77,15 +83,15 @@ func ApplyConfig(c *nftconfig.Config) error {
|
||||
return fmt.Errorf("failed to close temporary file: %v", err)
|
||||
}
|
||||
|
||||
if _, err := execCommand(cmdJSON, cmdFile, tmpFile.Name()); err != nil {
|
||||
if _, err := execCommand(ctx, cmdJSON, cmdFile, tmpFile.Name()); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func execCommand(args ...string) (*bytes.Buffer, error) {
|
||||
cmd := exec.Command(cmdBin, args...)
|
||||
func execCommand(ctx context.Context, args ...string) (*bytes.Buffer, error) {
|
||||
cmd := exec.CommandContext(ctx, cmdBin, args...)
|
||||
|
||||
var stdout, stderr bytes.Buffer
|
||||
cmd.Stderr = &stderr
|
||||
|