Changeset 42045


Timestamp:
2014-08-07T20:59:18+02:00 (3 years ago)
Author:
nbd
Message:

kernel: improve ipv4 netfilter optimization patch

Signed-off-by: Felix Fietkau <nbd@…>

Location:
trunk/target/linux/generic
Files:
2 edited

  • trunk/target/linux/generic/patches-3.10/611-netfilter_match_bypass_default_table.patch

    r36663 r42045  
    3535 unsigned int 
    3636 ipt_do_table(struct sk_buff *skb, 
    37 @@ -334,6 +361,25 @@ ipt_do_table(struct sk_buff *skb, 
     37@@ -331,9 +358,27 @@ ipt_do_table(struct sk_buff *skb, 
     38        unsigned int addend; 
     39  
     40        /* Initialization */ 
     41+       IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 
     42+       local_bh_disable(); 
     43+       private = table->private; 
     44+       cpu        = smp_processor_id(); 
     45+       table_base = private->entries[cpu]; 
     46+       e = get_entry(table_base, private->hook_entry[hook]); 
     47+       if (ipt_handle_default_rule(e, &verdict)) { 
     48+               ADD_COUNTER(e->counters, skb->len, 1); 
     49+               local_bh_enable(); 
     50+               return verdict; 
     51+       } 
     52+ 
    3853        ip = ip_hdr(skb); 
    3954        indev = in ? in->name : nulldevname; 
    4055        outdev = out ? out->name : nulldevname; 
    4156+ 
    42 +       IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 
    43 +       local_bh_disable(); 
    4457+       addend = xt_write_recseq_begin(); 
    45 +       private = table->private; 
    46 +       cpu        = smp_processor_id(); 
    47 +       table_base = private->entries[cpu]; 
    4858+       jumpstack  = (struct ipt_entry **)private->jumpstack[cpu]; 
    4959+       stackptr   = per_cpu_ptr(private->stackptr, cpu); 
    5060+       origptr    = *stackptr; 
    5161+ 
    52 +       e = get_entry(table_base, private->hook_entry[hook]); 
    53 +       if (ipt_handle_default_rule(e, &verdict)) { 
    54 +               ADD_COUNTER(e->counters, skb->len, 1); 
    55 +               xt_write_recseq_end(addend); 
    56 +               local_bh_enable(); 
    57 +               return verdict; 
    58 +       } 
    59 + 
    6062        /* We handle fragments by dealing with the first fragment as 
    6163         * if it was a normal packet.  All other fragments are treated 
    6264         * normally, except that they will NEVER match rules that ask 
    63 @@ -348,18 +394,6 @@ ipt_do_table(struct sk_buff *skb, 
     65@@ -348,18 +393,6 @@ ipt_do_table(struct sk_buff *skb, 
    6466        acpar.family  = NFPROTO_IPV4; 
    6567        acpar.hooknum = hook; 
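Review bot: In the reworked 3.10 patch the default-rule fast path (new patch lines 41–51) reads `private->entries[cpu]` and runs `ADD_COUNTER(e->counters, skb->len, 1)` before `addend = xt_write_recseq_begin();` at new line 57, and the branch no longer calls `xt_write_recseq_end(addend)`; the 3.14 patch has the same ordering at its new lines 41–57 and 63. Counter readers use that per-CPU sequence counter to get a consistent byte/packet pair, and as far as I can tell table replacement in these kernels also waits on it before the old entries are released, so the fast path may now race with both; this should be confirmed against x_tables.c. If the ordering is intentional, the branch needs a comment saying why it is safe, e.g. `/* fast path: no recseq section; counter update may race with get_counters() */`. Otherwise keep `addend = xt_write_recseq_begin();` ahead of `private = table->private;` and restore `xt_write_recseq_end(addend);` before `local_bh_enable();` in the branch. ipt_do_table starts and ends outside the hunk, and `ipt_handle_default_rule` is not shown, so how it reads the entry cannot be checked from here.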
  • trunk/target/linux/generic/patches-3.14/611-netfilter_match_bypass_default_table.patch

    r39348 r42045  
    3535 unsigned int 
    3636 ipt_do_table(struct sk_buff *skb, 
    37 @@ -334,19 +361,6 @@ ipt_do_table(struct sk_buff *skb, 
    38         ip = ip_hdr(skb); 
    39         indev = in ? in->name : nulldevname; 
    40         outdev = out ? out->name : nulldevname; 
    41 -       /* We handle fragments by dealing with the first fragment as 
    42 -        * if it was a normal packet.  All other fragments are treated 
    43 -        * normally, except that they will NEVER match rules that ask 
    44 -        * things we don't know, ie. tcp syn flag or ports).  If the 
    45 -        * rule is also a fragment-specific rule, non-fragments won't 
    46 -        * match it. */ 
    47 -       acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; 
    48 -       acpar.thoff   = ip_hdrlen(skb); 
    49 -       acpar.hotdrop = false; 
    50 -       acpar.in      = in; 
    51 -       acpar.out     = out; 
    52 -       acpar.family  = NFPROTO_IPV4; 
    53 -       acpar.hooknum = hook; 
     37@@ -331,9 +358,33 @@ ipt_do_table(struct sk_buff *skb, 
     38        unsigned int addend; 
    5439  
    55         IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 
    56         local_bh_disable(); 
    57 @@ -364,6 +378,26 @@ ipt_do_table(struct sk_buff *skb, 
    58         origptr    = *stackptr; 
    59   
    60         e = get_entry(table_base, private->hook_entry[hook]); 
     40        /* Initialization */ 
     41+       IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 
     42+       local_bh_disable(); 
     43+       private = table->private; 
     44+       cpu        = smp_processor_id(); 
     45+       /* 
     46+        * Ensure we load private-> members after we've fetched the base 
     47+        * pointer. 
     48+        */ 
     49+       smp_read_barrier_depends(); 
     50+       table_base = private->entries[cpu]; 
     51+ 
     52+       e = get_entry(table_base, private->hook_entry[hook]); 
    6153+       if (ipt_handle_default_rule(e, &verdict)) { 
    6254+               ADD_COUNTER(e->counters, skb->len, 1); 
    63 +               xt_write_recseq_end(addend); 
    6455+               local_bh_enable(); 
    6556+               return verdict; 
    6657+       } 
    6758+ 
    68 +       /* We handle fragments by dealing with the first fragment as 
    69 +        * if it was a normal packet.  All other fragments are treated 
    70 +        * normally, except that they will NEVER match rules that ask 
    71 +        * things we don't know, ie. tcp syn flag or ports).  If the 
    72 +        * rule is also a fragment-specific rule, non-fragments won't 
    73 +        * match it. */ 
    74 +       acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; 
    75 +       acpar.thoff   = ip_hdrlen(skb); 
    76 +       acpar.hotdrop = false; 
    77 +       acpar.in      = in; 
    78 +       acpar.out     = out; 
    79 +       acpar.family  = NFPROTO_IPV4; 
    80 +       acpar.hooknum = hook; 
     59        ip = ip_hdr(skb); 
     60        indev = in ? in->name : nulldevname; 
     61        outdev = out ? out->name : nulldevname; 
     62+ 
     63+       addend = xt_write_recseq_begin(); 
     64+       jumpstack  = (struct ipt_entry **)private->jumpstack[cpu]; 
     65+       stackptr   = per_cpu_ptr(private->stackptr, cpu); 
     66+       origptr    = *stackptr; 
     67+ 
     68        /* We handle fragments by dealing with the first fragment as 
     69         * if it was a normal packet.  All other fragments are treated 
     70         * normally, except that they will NEVER match rules that ask 
     71@@ -348,23 +399,6 @@ ipt_do_table(struct sk_buff *skb, 
     72        acpar.family  = NFPROTO_IPV4; 
     73        acpar.hooknum = hook; 
    8174  
     75-       IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 
     76-       local_bh_disable(); 
     77-       addend = xt_write_recseq_begin(); 
     78-       private = table->private; 
     79-       cpu        = smp_processor_id(); 
     80-       /* 
     81-        * Ensure we load private-> members after we've fetched the base 
     82-        * pointer. 
     83-        */ 
     84-       smp_read_barrier_depends(); 
     85-       table_base = private->entries[cpu]; 
     86-       jumpstack  = (struct ipt_entry **)private->jumpstack[cpu]; 
     87-       stackptr   = per_cpu_ptr(private->stackptr, cpu); 
     88-       origptr    = *stackptr; 
     89- 
     90-       e = get_entry(table_base, private->hook_entry[hook]); 
     91- 
    8292        pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n", 
    8393                 table->name, hook, origptr, 
     94                 get_entry(table_base, private->underflow[hook])); 