build: consume specific tables/chains via go-nft

This go-nft version allows its users to read only particular
tables/chains when invoking `ReadConfig`, instead of the entire ruleset.

This will make deleting rules from a large ruleset faster, thus speeding
up CNI DELs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041

Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Miguel Duarte Barroso
2023-03-23 13:54:15 +01:00
parent 9f1f9a588b
commit 83fe87c5b0
5 changed files with 43 additions and 13 deletions


@ -20,12 +20,19 @@
package nft
import (
"context"
"time"
nftconfig "github.com/networkplumbing/go-nft/nft/config"
nftexec "github.com/networkplumbing/go-nft/nft/exec"
)
type Config = nftconfig.Config
const (
defaultTimeout = 30 * time.Second
)
// NewConfig returns a new nftables config structure.
func NewConfig() *nftconfig.Config {
return nftconfig.New()
@ -34,12 +41,29 @@ func NewConfig() *nftconfig.Config {
// ReadConfig loads the nftables configuration from the system and
// returns it as a nftables config structure.
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
func ReadConfig() (*Config, error) {
return nftexec.ReadConfig()
func ReadConfig(filterCommands ...string) (*Config, error) {
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
defer cancel()
return ReadConfigContext(ctx, filterCommands...)
}
// ReadConfigContext loads the nftables configuration from the system and
// returns it as a nftables config structure.
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
func ReadConfigContext(ctx context.Context, filterCommands ...string) (*Config, error) {
return nftexec.ReadConfig(ctx, filterCommands...)
}
// ApplyConfig applies the given nftables config on the system.
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
func ApplyConfig(c *Config) error {
return nftexec.ApplyConfig(c)
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
defer cancel()
return ApplyConfigContext(ctx, c)
}
// ApplyConfigContext applies the given nftables config on the system.
// The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
func ApplyConfigContext(ctx context.Context, c *Config) error {
return nftexec.ApplyConfig(ctx, c)
}
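Review bot: The doc comments on ReadConfig and ReadConfigContext were not updated for the new `filterCommands` parameter, and none of the context-free wrappers (ReadConfig, ApplyConfig) say that they now give up after `defaultTimeout`. I would extend the ReadConfig comment with `// filterCommands optionally restricts the read to particular tables or chains; the entries are forwarded as-is to nftexec.ReadConfig, so pass only trusted, well-formed nft selectors.` and `// ReadConfig gives up after defaultTimeout; use ReadConfigContext to control cancellation.`, with the matching timeout sentence on ApplyConfig. Whether these strings end up as arguments to the nft binary is not visible in this hunk, so the exact expected form of an entry should be confirmed against go-nft before documenting it. The `defaultTimeout` const in the first hunk would also benefit from a one-line comment such as `// defaultTimeout bounds the nft invocation made by the context-free ReadConfig and ApplyConfig wrappers.`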