author | Daniel Borkmann <daniel@iogearbox.net> | 2015-04-02 14:28:30 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-04-08 16:47:49 +0200 |
commit | d64d80a2cde94f3e89caebd27240be419fec5b81 (patch) | |
tree | ad0b515bfbf7f37185776c384f952cc7ee7f64ae /net/bridge | |
parent | 0b67c43ce36a9964f1d5e3f973ee19eefd3f9f8f (diff) | |
download | op-kernel-dev-d64d80a2cde94f3e89caebd27240be419fec5b81.zip op-kernel-dev-d64d80a2cde94f3e89caebd27240be419fec5b81.tar.gz |
netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match
Currently in xt_socket, we take advantage of early demuxed sockets
since commit 00028aa37098 ("netfilter: xt_socket: use IP early demux")
in order to avoid a second socket lookup in the fast path, but we
only make partial use of this:
We still unnecessarily parse headers, extract proto, {s,d}addr and
{s,d}ports from the skb data, accessing possible conntrack information,
etc even though we were not even calling into the socket lookup via
xt_socket_get_sock_{v4,v6}() due to skb->sk hit, meaning those cycles
can be spared.
After this patch, we only proceed with the slower, manual lookup path
when we have a skb->sk miss, thus the time to a match verdict for early
demuxed sockets will improve further, which might be interesting e.g.
for use cases such as mentioned in 681f130f39e1 ("netfilter: xt_socket:
add XT_SOCKET_NOWILDCARD flag").
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
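The ordering change the commit message describes, as an added user-space model that is not the kernel's xt_socket code and is not part of this commit page: `skb->sk` is consulted first, and flow-key extraction plus the manual socket lookup run only on an early-demux miss. The `struct sk_buff`, `struct sock`, `sock_table`, `xt_socket_lookup_patched`/`xt_socket_lookup_unpatched` names, the work counters and the three packets are simplified stand-ins constructed for the example; the real kernel paths (`xt_socket_get_sock_{v4,v6}`, conntrack access) are not reproduced.

```c
/*
 * Added example (not the kernel's xt_socket code): a user-space model of the
 * fast-path ordering described in the commit message. Assumed/simplified
 * names: struct sk_buff, struct sock, sock_table, the *_patched/*_unpatched
 * lookup functions, the work counters and the constructed packets below.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct sock {
    uint8_t  proto;            /* 6 = TCP, 17 = UDP */
    uint32_t saddr, daddr;     /* host byte order; 0 = wildcard for listeners */
    uint16_t sport, dport;
};

struct sk_buff {
    const uint8_t *data;       /* start of the IPv4 header */
    size_t len;
    struct sock *sk;           /* set by early demux on a hit, NULL otherwise */
};

/* Work counters: the cycles the patch spares on an early-demux hit. */
static unsigned header_parses;
static unsigned table_lookups;

/* Extract proto, {s,d}addr and {s,d}ports from an IPv4 + TCP/UDP packet. */
static int extract_flow_keys(const struct sk_buff *skb, struct sock *key)
{
    const uint8_t *p = skb->data;
    size_t ihl;

    header_parses++;
    if (skb->len < 20 || (p[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || skb->len < ihl + 4)      /* need at least the two ports */
        return -1;
    key->proto = p[9];
    if (key->proto != 6 && key->proto != 17)
        return -1;
    key->saddr = (uint32_t)p[12] << 24 | (uint32_t)p[13] << 16 | (uint32_t)p[14] << 8 | p[15];
    key->daddr = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    key->sport = (uint16_t)(p[ihl] << 8 | p[ihl + 1]);
    key->dport = (uint16_t)(p[ihl + 2] << 8 | p[ihl + 3]);
    return 0;
}

/* Constructed socket table: one wildcard listener and one established flow. */
static struct sock sock_table[] = {
    { 6, 0,          0x0a000001, 0,     22  },  /* tcp *:* -> 10.0.0.1:22 */
    { 6, 0x0a000002, 0x0a000001, 40000, 443 },  /* tcp 10.0.0.2:40000 -> 10.0.0.1:443 */
};

/* The slow path: exact 4-tuple match preferred, wildcard listener as fallback. */
static struct sock *manual_lookup(const struct sock *key)
{
    struct sock *wild = NULL;
    size_t i;

    table_lookups++;
    for (i = 0; i < sizeof sock_table / sizeof sock_table[0]; i++) {
        struct sock *s = &sock_table[i];
        if (s->proto != key->proto || s->daddr != key->daddr || s->dport != key->dport)
            continue;
        if (s->saddr == key->saddr && s->sport == key->sport)
            return s;                          /* established socket */
        if (s->saddr == 0 && s->sport == 0)
            wild = s;                          /* listening socket */
    }
    return wild;
}

/* Before the patch: flow keys were extracted even when skb->sk was set. */
static struct sock *xt_socket_lookup_unpatched(struct sk_buff *skb)
{
    struct sock key;
    int bad = extract_flow_keys(skb, &key) < 0;
    if (skb->sk)
        return skb->sk;
    return bad ? NULL : manual_lookup(&key);
}

/* After the patch: an early-demux hit returns before any header parsing. */
static struct sock *xt_socket_lookup_patched(struct sk_buff *skb)
{
    struct sock key;
    if (skb->sk)
        return skb->sk;
    if (extract_flow_keys(skb, &key) < 0)
        return NULL;
    return manual_lookup(&key);
}

/* Constructed IPv4/TCP packets, 10.0.0.2:40000 -> 10.0.0.1:{22,23,443}. */
#define PKT_HEAD 0x45,0,0,0x28, 0,0,0x40,0, 0x40,6,0,0, 10,0,0,2, 10,0,0,1, 0x9c,0x40
static const uint8_t pkt_ssh[40]    = { PKT_HEAD, 0x00, 0x16 };
static const uint8_t pkt_telnet[40] = { PKT_HEAD, 0x00, 0x17 };
static const uint8_t pkt_https[40]  = { PKT_HEAD, 0x01, 0xbb };

struct run_result {
    struct sock *sk;
    unsigned parses, lookups;
};

/* Run one lookup; on a simulated early-demux hit, skb->sk points at the listener. */
static struct run_result run_lookup(int patched, int early_demux_hit,
                                    const uint8_t *pkt, size_t len)
{
    struct sk_buff skb = { pkt, len, early_demux_hit ? &sock_table[0] : NULL };
    struct run_result r;
    header_parses = table_lookups = 0;
    r.sk = patched ? xt_socket_lookup_patched(&skb) : xt_socket_lookup_unpatched(&skb);
    r.parses = header_parses;
    r.lookups = table_lookups;
    return r;
}

int main(void)
{
    struct run_result old = run_lookup(0, 1, pkt_ssh, sizeof pkt_ssh);
    struct run_result new = run_lookup(1, 1, pkt_ssh, sizeof pkt_ssh);
    printf("early-demux hit: unpatched parses=%u, patched parses=%u\n",
           old.parses, new.parses);
    return 0;
}
```

The counters are the whole point: on a `skb->sk` hit the unpatched ordering still pays for one header parse, the patched ordering pays for none, and both still reach the manual lookup on a miss.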
Diffstat (limited to 'net/bridge')
0 files changed, 0 insertions, 0 deletions