* netfilter: NAT: do the optimization for getting curr_tuple in function nf_nat_setup_info
@ 2014-10-24 4:01 billbonaparte
From: billbonaparte @ 2014-10-24 4:01 UTC (permalink / raw)
To: 'Pablo Neira Ayuso', 'Patrick McHardy', kadlec,
davem
Cc: Netfilter Developer Mailing List, coreteam, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]
Hi all:
In function nf_nat_setup_info, we need to get the current tuple,
which is supposed to be sent to the destination.
If we haven't done any NAT (SNAT or DNAT) for the tuple, then the
current tuple is equal to the original tuple;
otherwise, we should get the current tuple by invoking
nf_ct_invert_tuplepr(curr_tuple, &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
like the existing comment says:
/* What we've got will look like inverse of reply. Normally
* this is what is in the conntrack, except for prior
* manipulations (future optimization: if num_manips == 0,
* orig_tp = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
*/
nf_ct_invert_tuplepr(&curr_tuple,
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
So, since that is the case, why don't we do the optimization for getting
the current tuple?
As mentioned above, if we have not done DNAT for the tuple, then the
current tuple is equal to the original tuple.
So I add the optimization as follows:
+	if (!(ct->status & IPS_DST_NAT)) /* we do the optimization, as mentioned above */
+		curr_tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+	else
+		nf_ct_invert_tuplepr(curr_tuple,
+				     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
The attachment is the detailed diff.
[-- Attachment #2: do the optimization for getting curr_tuple in function nf_nat_setup_info.diff --]
[-- Type: application/octet-stream, Size: 1648 bytes --]
Index: nf_nat_core.c
===================================================================
--- nf_nat_core.c (mainline version)
+++ nf_nat_core.c (working copy)
@@ -358,7 +358,8 @@
enum nf_nat_manip_type maniptype)
{
struct net *net = nf_ct_net(ct);
- struct nf_conntrack_tuple curr_tuple, new_tuple;
+ struct nf_conntrack_tuple orig_tuple, new_tuple;
+ struct nf_conntrack_tuple *curr_tuple = &orig_tuple;
struct nf_conn_nat *nat;
/* nat helper or nfctnetlink also setup binding */
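Review bot: the new name `orig_tuple` for the on-stack scratch buffer invites confusion with `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple`, which is what the existing comment calls orig_tp and which the next hunk actually points `curr_tuple` at when the shortcut is taken; a name that says what the buffer holds, such as `inverted_tuple`, would read better, and `curr_tuple` should then be initialised where it is assigned rather than at declaration. Separately, the submission carries no Signed-off-by line, and the header `--- nf_nat_core.c (mainline version)` lacks the `net/netfilter/` path prefix, so the patch cannot be applied with `git am` or `-p1` against the tree as posted.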
@@ -378,14 +379,18 @@
/* What we've got will look like inverse of reply. Normally
this is what is in the conntrack, except for prior
manipulations (future optimization: if num_manips == 0,
- orig_tp =
- conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple) */
- nf_ct_invert_tuplepr(&curr_tuple,
+ curr_tp = orig_tp =
+ conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
+ */
+ if (!(ct->status & IPS_DST_NAT)) /* we do the optimization, as mentioned above */
+ curr_tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ else
+ nf_ct_invert_tuplepr(curr_tuple,
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
- get_unique_tuple(&new_tuple, &curr_tuple, ranges, ct, maniptype);
+ get_unique_tuple(&new_tuple, curr_tuple, ranges, ct, maniptype);
- if (!nf_ct_tuple_equal(&new_tuple, &curr_tuple)) {
+ if (!nf_ct_tuple_equal(&new_tuple, curr_tuple)) {
struct nf_conntrack_tuple reply;
/* Alter conntrack table so will recognize replies. */
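Review bot: the check at `if (!(ct->status & IPS_DST_NAT))` gates the shortcut on a prior destination manipulation only, while the comment it implements says `if num_manips == 0` and the cover letter says "any NAT (SNAT or DNAT)". The block guarded by `if (!nf_ct_tuple_equal(&new_tuple, curr_tuple))` alters the conntrack's reply tuple for either `maniptype`, so once a source manipulation has been recorded (IPS_SRC_NAT set, IPS_DST_NAT clear) the ORIGINAL tuple no longer equals the inverse of the reply and the shortcut would hand get_unique_tuple() a stale tuple; either test `IPS_NAT_MASK` (both bits) or state in the comment why a prior SNAT cannot have happened at this point. The rewritten comment also still calls this a "future optimization" now that it is implemented; drop that parenthetical and describe the condition actually tested. Finally, the `if` line with its trailing comment runs past 80 columns; put the comment on its own line above the test.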
@@ -405,19 +410,20 @@
srchash = nat_hash_by_src(net, 0,
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
spin_lock_bh(&nf_nat_lock);
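As an added example (not code from the patch, the kernel or the author), the following userspace C model reproduces the two ways of obtaining the current tuple, the unconditional inversion of the reply tuple and the patch's shortcut, and checks the cases in which they agree. The struct layouts, the conn_init()/apply_manip()/shortcut_agrees() helpers and the sample addresses are assumptions made for the illustration; only the status-bit names and their values follow the kernel's nf_conntrack_common.h. The `gate` parameter goes beyond the patch: it lets the shortcut be gated by IPS_NAT_MASK as well as by IPS_DST_NAT, so the effect of a prior source manipulation can be compared directly.

```c
/* Added example: userspace model of how nf_nat_setup_info() derives the
 * "current" tuple.  NOT kernel code; structs and helpers are simplified
 * stand-ins (assumptions) keeping only what the patch touches: the two
 * conntrack tuples, the status bits, and the rule that a manipulation
 * rewrites the REPLY tuple. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status bits; values as in include/uapi/linux/netfilter/nf_conntrack_common.h. */
#define IPS_SRC_NAT  (1u << 4)
#define IPS_DST_NAT  (1u << 5)
#define IPS_NAT_MASK (IPS_SRC_NAT | IPS_DST_NAT)

enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };
enum nf_nat_manip_type { NF_NAT_MANIP_SRC, NF_NAT_MANIP_DST };
enum prior_manip { PRIOR_NONE, PRIOR_SNAT, PRIOR_DNAT };

/* Simplified tuple: IPv4 endpoints and L4 ports only (assumption). */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
/* Simplified conntrack: the two tuples and the status word (assumption). */
struct conn { struct tuple tuplehash[2]; unsigned int status; };

/* What nf_ct_invert_tuplepr() amounts to for TCP/UDP: swap the endpoints. */
static struct tuple invert(const struct tuple *t)
{
	struct tuple r = { t->daddr, t->saddr, t->dport, t->sport };
	return r;
}

static bool tuple_equal(const struct tuple *a, const struct tuple *b)
{
	return a->saddr == b->saddr && a->daddr == b->daddr &&
	       a->sport == b->sport && a->dport == b->dport;
}

static void conn_init(struct conn *ct, uint32_t saddr, uint16_t sport,
		      uint32_t daddr, uint16_t dport)
{
	struct tuple orig = { saddr, daddr, sport, dport };
	ct->tuplehash[IP_CT_DIR_ORIGINAL] = orig;
	ct->tuplehash[IP_CT_DIR_REPLY] = invert(&orig);
	ct->status = 0;
}

/* One manipulation: build the new tuple from the inverse of the reply and,
 * if it changed, rewrite the REPLY tuple so replies are recognised and
 * record the manipulation in ct->status (the real function does the same). */
static void apply_manip(struct conn *ct, enum nf_nat_manip_type maniptype,
			uint32_t addr, uint16_t port)
{
	struct tuple curr = invert(&ct->tuplehash[IP_CT_DIR_REPLY]);
	struct tuple new_tuple = curr;

	if (maniptype == NF_NAT_MANIP_SRC) {
		new_tuple.saddr = addr;
		new_tuple.sport = port;
	} else {
		new_tuple.daddr = addr;
		new_tuple.dport = port;
	}
	if (!tuple_equal(&new_tuple, &curr)) {
		ct->tuplehash[IP_CT_DIR_REPLY] = invert(&new_tuple);
		ct->status |= (maniptype == NF_NAT_MANIP_SRC) ? IPS_SRC_NAT : IPS_DST_NAT;
	}
}

/* Mainline way: always invert the reply tuple. */
static struct tuple curr_tuple_by_invert(const struct conn *ct)
{
	return invert(&ct->tuplehash[IP_CT_DIR_REPLY]);
}

/* The patch's shortcut, with the gating status bits as a parameter so that
 * IPS_DST_NAT (what the patch tests) and IPS_NAT_MASK can be compared. */
static struct tuple curr_tuple_shortcut(const struct conn *ct, unsigned int gate)
{
	if (!(ct->status & gate))
		return ct->tuplehash[IP_CT_DIR_ORIGINAL];
	return invert(&ct->tuplehash[IP_CT_DIR_REPLY]);
}

/* Run one scenario and report whether the gated shortcut agrees with the
 * unconditional inversion.  Addresses are a constructed sample flow. */
static bool shortcut_agrees(enum prior_manip prior, unsigned int gate)
{
	struct conn ct;
	struct tuple a, b;

	conn_init(&ct, 0x0A000002, 40000, 0xC0000205, 80); /* 10.0.0.2:40000 -> 192.0.2.5:80 */
	if (prior == PRIOR_SNAT)
		apply_manip(&ct, NF_NAT_MANIP_SRC, 0xCB007101, 40000); /* src -> 203.0.113.1 */
	else if (prior == PRIOR_DNAT)
		apply_manip(&ct, NF_NAT_MANIP_DST, 0x0A000A0A, 8080);  /* dst -> 10.0.10.10:8080 */
	a = curr_tuple_by_invert(&ct);
	b = curr_tuple_shortcut(&ct, gate);
	return tuple_equal(&a, &b);
}

int main(void)
{
	printf("fresh,      gate DST_NAT : %s\n", shortcut_agrees(PRIOR_NONE, IPS_DST_NAT) ? "agrees" : "DIFFERS");
	printf("DNAT first, gate DST_NAT : %s\n", shortcut_agrees(PRIOR_DNAT, IPS_DST_NAT) ? "agrees" : "DIFFERS");
	printf("SNAT first, gate DST_NAT : %s\n", shortcut_agrees(PRIOR_SNAT, IPS_DST_NAT) ? "agrees" : "DIFFERS");
	printf("SNAT first, gate NAT_MASK: %s\n", shortcut_agrees(PRIOR_SNAT, IPS_NAT_MASK) ? "agrees" : "DIFFERS");
	return 0;
}
```

Build with `cc -Wall -o curr_tuple curr_tuple.c && ./curr_tuple`. The first two lines agree, as the patch expects; the third shows the case the IPS_DST_NAT test does not cover, a connection whose reply tuple was already rewritten by a source manipulation, and the fourth shows that gating on IPS_NAT_MASK restores agreement with the inversion.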