git.baikalelectronics.ru Git - kernel.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Thu, 2 Apr 2015 12:28:30 +0000 (14:28 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 8 Apr 2015 14:47:49 +0000 (16:47 +0200)
commit	0af2a326dc151d0627aecc967b2cd0c878c5d29e
tree	ad0b515bfbf7f37185776c384f952cc7ee7f64ae	tree \| snapshot
parent	c3a7d94472f1b3560fe6e8e227bf2752319ce60c	commit \| diff

netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match

Currently in xt_socket, we take advantage of early demuxed sockets
since commit ced68bb90f77 ("netfilter: xt_socket: use IP early demux")
in order to avoid a second socket lookup in the fast path, but we
only make partial use of this:

We still unnecessarily parse headers, extract proto, {s,d}addr and
{s,d}ports from the skb data, accessing possible conntrack information,
etc even though we were not even calling into the socket lookup via
xt_socket_get_sock_{v4,v6}() due to skb->sk hit, meaning those cycles
can be spared.

After this patch, we only proceed the slower, manual lookup path
when we have a skb->sk miss, thus time to match verdict for early
demuxed sockets will improve further, which might be i.e. interesting
for use cases such as mentioned in 3a77f786410b ("netfilter: xt_socket:
add XT_SOCKET_NOWILDCARD flag").

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>