diff options
author | oleg <oleg@FreeBSD.org> | 2009-04-27 17:37:36 +0000 |
---|---|---|
committer | oleg <oleg@FreeBSD.org> | 2009-04-27 17:37:36 +0000 |
commit | 60c7eaecd7696c335bea663d8928f295f0ab286a (patch) | |
tree | 452d57a7889bc86602035ed2b67a5372a0a7cd7b | |
parent | 02ba5a63875ab84f75dd14cf7d08da97abfc61ef (diff) | |
download | FreeBSD-src-60c7eaecd7696c335bea663d8928f295f0ab286a.zip FreeBSD-src-60c7eaecd7696c335bea663d8928f295f0ab286a.tar.gz |
Optimize packet flow: if net.inet.ip.fw.one_pass != 0 and packet was
processed by ipfw once - avoid second ipfw_chk() call.
This saves us from unnecessary IPFW_RLOCK(), m_tag_find() calls and
ip/tcp/udp header parsing.
MFC after: 2 month
-rw-r--r-- | sys/netinet/ip_fw2.c | 9 | ||||
-rw-r--r-- | sys/netinet/ip_fw_pfil.c | 18 |
2 files changed, 13 insertions, 14 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 7873468..ab65f35 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -2515,16 +2515,7 @@ do { \ /* * Packet has already been tagged. Look for the next rule * to restart processing. - * - * If fw_one_pass != 0 then just accept it. - * XXX should not happen here, but optimized out in - * the caller. */ - if (V_fw_one_pass) { - IPFW_RUNLOCK(chain); - return (IP_FW_PASS); - } - f = args->rule->next_rule; if (f == NULL) f = lookup_next_rule(args->rule, 0); diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c index 11560a7..c2f10b1 100644 --- a/sys/netinet/ip_fw_pfil.c +++ b/sys/netinet/ip_fw_pfil.c @@ -51,7 +51,6 @@ __FBSDID("$FreeBSD$"); #include <sys/ucred.h> #include <sys/vimage.h> -#define _NET_IF_VAR_H_ /* we don't want if_var.h, only if.h */ #include <net/if.h> #include <net/route.h> #include <net/pfil.h> @@ -63,6 +62,7 @@ __FBSDID("$FreeBSD$"); #include <netinet/ip_fw.h> #include <netinet/ip_divert.h> #include <netinet/ip_dummynet.h> +#include <netinet/vinet.h> #include <netgraph/ng_ipfw.h> @@ -131,10 +131,14 @@ again: args.m = *m0; args.inp = inp; - ipfw = ipfw_chk(&args); - *m0 = args.m; tee = 0; + if (V_fw_one_pass == 0 || args.rule == NULL) { + ipfw = ipfw_chk(&args); + *m0 = args.m; + } else + ipfw = IP_FW_PASS; + KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", __func__)); @@ -257,10 +261,14 @@ again: args.m = *m0; args.oif = ifp; args.inp = inp; - ipfw = ipfw_chk(&args); - *m0 = args.m; tee = 0; + if (V_fw_one_pass == 0 || args.rule == NULL) { + ipfw = ipfw_chk(&args); + *m0 = args.m; + } else + ipfw = IP_FW_PASS; + KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", __func__)); |