Portal:DeveloperDocs/set internals: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(Added intro and (stub) algorithm sections.)
(→‎NFT_SET_FEATURES of available nft_set_types: Added nft_set_estimate .lookup and .space columns)
Line 1: Line 1:
The nftables generalized set infrastructure includes multiple set implementations. ''nft_select_set_ops()'' in [https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nf_tables_api.c nf_tables_api.c] chooses the implementation depending on required set features and operations, and on estimated lookup time and memory requirements in combination with user-specified set policy (''performance'' or ''memory'').   
The nftables generalized set infrastructure includes multiple set implementations. ''nft_select_set_ops()'' in [https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nf_tables_api.c nf_tables_api.c] chooses the implementation depending on required set features and operations, and on estimated lookup time and memory requirements in combination with user-specified set policy (''performance'' or ''memory'').   


== NFT_SET_FEATURES of available nft_set_types ==
== Available nft_set_types ==
{| class="wikitable sortable"
{| class="wikitable sortable"


|-
|-
! ''nft_set_type''
! rowspan="2" | ''nft_set_type''
! ''nft_set_types[]'' order
! rowspan="2" | ''nft_set_types[]'' order
! ''NFT_SET_INTERVAL''
! colspan="2" | ''nft_set_estimate NFT_SET_CLASS_[order]''
! ''NFT_SET_MAP''
! rowspan="2" | ''NFT_SET_INTERVAL''
! ''NFT_SET_TIMEOUT''
! rowspan="2" | ''NFT_SET_MAP''
! ''NFT_SET_OBJECT''
! rowspan="2" | ''NFT_SET_TIMEOUT''
! ''NFT_SET_EVAL''
! rowspan="2" | ''NFT_SET_OBJECT''
! Notes
! rowspan="2" | ''NFT_SET_EVAL''
! rowspan="2" | Notes
 
|-
! ''.lookup''
! ''.space''


|-
|-
! {{rh}} | ''nft_set_hash_fast_type''
! {{rh}} | ''nft_set_hash_fast_type''
| 0
| 0
| ''O_1''
| ''O_N''
| {{no}}
| {{no}}
| {{yes}}
| {{yes}}
Line 27: Line 34:
! {{rh}} | ''nft_set_hash_type''
! {{rh}} | ''nft_set_hash_type''
| 1
| 1
| ''O_1''
| ''O_N''
| {{no}}
| {{no}}
| {{yes}}
| {{yes}}
Line 37: Line 46:
! {{rh}} | ''nft_set_rhash_type''
! {{rh}} | ''nft_set_rhash_type''
| 2
| 2
| ''O_1''
| ''O_N''
| {{no}}
| {{no}}
| {{yes}}
| {{yes}}
Line 47: Line 58:
! {{rh}} | ''nft_set_bitmap_type''
! {{rh}} | ''nft_set_bitmap_type''
| 3
| 3
| ''O_1''
| ''O_1''
| {{no}}
| {{no}}
| {{no}}
| {{no}}
Line 57: Line 70:
! {{rh}} | ''nft_set_rbtree_type''
! {{rh}} | ''nft_set_rbtree_type''
| 4
| 4
| ''O_LOG_N''
| ''O_N''
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
Line 67: Line 82:
! {{rh}} | ''nft_set_pipapo_avx2_type''
! {{rh}} | ''nft_set_pipapo_avx2_type''
| 5
| 5
| ''O_LOG_N''
| ''O_N''
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
Line 77: Line 94:
! {{rh}} | ''nft_set_pipapo_type''
! {{rh}} | ''nft_set_pipapo_type''
| 6
| 6
| ''O_LOG_N''
| ''O_N''
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}

Revision as of 22:19, 4 March 2021

The nftables generalized set infrastructure includes multiple set implementations. nft_select_set_ops() in nf_tables_api.c chooses the implementation depending on required set features and operations, and on estimated lookup time and memory requirements in combination with user-specified set policy (performance or memory).

Available nft_set_types

nft_set_type nft_set_types[] order nft_set_estimate NFT_SET_CLASS_[order] NFT_SET_INTERVAL NFT_SET_MAP NFT_SET_TIMEOUT NFT_SET_OBJECT NFT_SET_EVAL Notes
.lookup .space
nft_set_hash_fast_type 0 O_1 O_N No Yes No Yes No
nft_set_hash_type 1 O_1 O_N No Yes No Yes No
nft_set_rhash_type 2 O_1 O_N No Yes Yes Yes Yes
nft_set_bitmap_type 3 O_1 O_1 No No No No No
nft_set_rbtree_type 4 O_LOG_N O_N Yes Yes Yes Yes No
nft_set_pipapo_avx2_type 5 O_LOG_N O_N Yes Yes Yes Yes No
nft_set_pipapo_type 6 O_LOG_N O_N Yes Yes Yes Yes No

If two nft_set_types have the same estimated lookup time and same estimated space requirement, nft_select_set_ops() chooses the type that appears first in nft_set_types[].

Hash implementations

nft_set_hash.c

Bitmap implementation

nft_set_bitmap.c - contains good documentation

Red-black tree implementation

nft_set_rbtree.c

PIPAPO implementations

PIPAPO is loosely inspired by the Grouper network packet classification algorithm.