From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, kaber@trash.net, netdev@vger.kernel.org
Subject: [PATCH 07/17] netfilter: nft_payload: add optimized payload implementation for small loads
Date: Mon, 14 Oct 2013 18:38:48 +0200 [thread overview]
Message-ID: <1381768738-17739-8-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1381768738-17739-1-git-send-email-pablo@netfilter.org>
From: Patrick McHardy <kaber@trash.net>
Add an optimized payload expression implementation for small (up to 4 bytes)
aligned data loads from the linear packet area.
This patch also includes Patrick McHardy's original patch entitled (nf_tables:
inline nft_payload_fast_eval() into main evaluation loop).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables_core.h | 9 +++++
net/netfilter/nf_tables_core.c | 31 +++++++++++++-
net/netfilter/nft_payload.c | 69 +++++++++++++++++++-------------
3 files changed, 81 insertions(+), 28 deletions(-)
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index 3df6a9b..fe7b162 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -27,6 +27,15 @@ extern void nft_bitwise_module_exit(void);
extern int nft_byteorder_module_init(void);
extern void nft_byteorder_module_exit(void);
+struct nft_payload {
+ enum nft_payload_bases base:8;
+ u8 offset;
+ u8 len;
+ enum nft_registers dreg:8;
+};
+
+extern const struct nft_expr_ops nft_payload_fast_ops;
+
extern int nft_payload_module_init(void);
extern void nft_payload_module_exit(void);
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 2400018..9aede59 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -32,6 +32,34 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr,
data[NFT_REG_VERDICT].verdict = NFT_BREAK;
}
+static bool nft_payload_fast_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt)
+{
+ const struct nft_payload *priv = nft_expr_priv(expr);
+ const struct sk_buff *skb = pkt->skb;
+ struct nft_data *dest = &data[priv->dreg];
+ unsigned char *ptr;
+
+ if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)
+ ptr = skb_network_header(skb);
+ else
+ ptr = skb_transport_header(skb);
+
+ ptr += priv->offset;
+
+ if (unlikely(ptr + priv->len >= skb_tail_pointer(skb)))
+ return false;
+
+ if (priv->len == 2)
+ *(u16 *)dest->data = *(u16 *)ptr;
+ else if (priv->len == 4)
+ *(u32 *)dest->data = *(u32 *)ptr;
+ else
+ *(u8 *)dest->data = *(u8 *)ptr;
+ return true;
+}
+
unsigned int nft_do_chain(const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct net_device *in,
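Review bot: The bounds test `ptr + priv->len >= skb_tail_pointer(skb)` in nft_payload_fast_eval() also rejects a load whose last byte is the final byte of the linear area, because `ptr + priv->len` equal to the tail pointer is still in bounds; `if (unlikely(ptr + priv->len > skb_tail_pointer(skb)))` would keep those loads on the fast path. The result stays safe, since a false return falls back to the regular eval, so this is a missed optimisation rather than an out-of-bounds read. Separately, the `*(u16 *)ptr` and `*(u32 *)ptr` loads assume the header base itself is suitably aligned, which the offset check done at rule load time cannot guarantee. On strict-alignment architectures that looks worth either a comment stating the assumption or an unaligned-safe accessor such as `get_unaligned()`.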
@@ -62,7 +90,8 @@ next_rule:
nft_rule_for_each_expr(expr, last, rule) {
if (expr->ops == &nft_cmp_fast_ops)
nft_cmp_fast_eval(expr, data);
- else
+ else if (expr->ops != &nft_payload_fast_ops ||
+ !nft_payload_fast_eval(expr, data, &pkt))
expr->ops->eval(expr, data, &pkt);
if (data[NFT_REG_VERDICT].verdict != NFT_CONTINUE)
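Review bot: The new `else if` in the expression loop packs the fast-path call and its fallback into one condition, and the fallback only works because `nft_payload_fast_ops.eval` points at the generic nft_payload_eval(), which is not visible from here. A short comment above the branch would make that dependency explicit, for example `/* payload fast path failed its bounds check or does not apply: use ops->eval */`. The enclosing nft_do_chain() body starts and ends outside the hunk.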
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index d99db6e..7cf13f7 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -17,13 +17,6 @@
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
-struct nft_payload {
- enum nft_payload_bases base:8;
- u8 offset;
- u8 len;
- enum nft_registers dreg:8;
-};
-
static void nft_payload_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt)
@@ -71,27 +64,9 @@ static int nft_payload_init(const struct nft_ctx *ctx,
struct nft_payload *priv = nft_expr_priv(expr);
int err;
- if (tb[NFTA_PAYLOAD_DREG] == NULL ||
- tb[NFTA_PAYLOAD_BASE] == NULL ||
- tb[NFTA_PAYLOAD_OFFSET] == NULL ||
- tb[NFTA_PAYLOAD_LEN] == NULL)
- return -EINVAL;
-
- priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
- switch (priv->base) {
- case NFT_PAYLOAD_LL_HEADER:
- case NFT_PAYLOAD_NETWORK_HEADER:
- case NFT_PAYLOAD_TRANSPORT_HEADER:
- break;
- default:
- return -EOPNOTSUPP;
- }
-
+ priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
- if (priv->len == 0 ||
- priv->len > FIELD_SIZEOF(struct nft_data, data))
- return -EINVAL;
priv->dreg = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_DREG]));
err = nft_validate_output_register(priv->dreg);
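Review bot: nft_payload_init() now reads `tb[NFTA_PAYLOAD_BASE]`, `tb[NFTA_PAYLOAD_OFFSET]`, `tb[NFTA_PAYLOAD_LEN]` and `tb[NFTA_PAYLOAD_DREG]` with no NULL or range check of its own, so its safety rests entirely on nft_payload_select_ops() having validated the same attribute table first. That ordering is not stated anywhere in the hunk; a comment above the assignments, e.g. `/* attributes were validated in nft_payload_select_ops() */`, would keep a later caller from reaching init with unchecked netlink input. The 32-bit offset is also stored into the `u8 offset` field without a range check, so values above 255 appear to be truncated silently; this predates the patch, but the new select_ops is the natural place to reject them. The function body starts and ends outside the hunk.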
@@ -124,9 +99,49 @@ static const struct nft_expr_ops nft_payload_ops = {
.dump = nft_payload_dump,
};
+const struct nft_expr_ops nft_payload_fast_ops = {
+ .type = &nft_payload_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
+ .eval = nft_payload_eval,
+ .init = nft_payload_init,
+ .dump = nft_payload_dump,
+};
+
+static const struct nft_expr_ops *nft_payload_select_ops(const struct nlattr * const tb[])
+{
+ enum nft_payload_bases base;
+ unsigned int offset, len;
+
+ if (tb[NFTA_PAYLOAD_DREG] == NULL ||
+ tb[NFTA_PAYLOAD_BASE] == NULL ||
+ tb[NFTA_PAYLOAD_OFFSET] == NULL ||
+ tb[NFTA_PAYLOAD_LEN] == NULL)
+ return ERR_PTR(-EINVAL);
+
+ base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
+ switch (base) {
+ case NFT_PAYLOAD_LL_HEADER:
+ case NFT_PAYLOAD_NETWORK_HEADER:
+ case NFT_PAYLOAD_TRANSPORT_HEADER:
+ break;
+ default:
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
+ offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
+ len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
+ if (len == 0 || len > FIELD_SIZEOF(struct nft_data, data))
+ return ERR_PTR(-EINVAL);
+
+ if (len <= 4 && IS_ALIGNED(offset, len) && base != NFT_PAYLOAD_LL_HEADER)
+ return &nft_payload_fast_ops;
+ else
+ return &nft_payload_ops;
+}
+
static struct nft_expr_type nft_payload_type __read_mostly = {
.name = "payload",
- .ops = &nft_payload_ops,
+ .select_ops = nft_payload_select_ops,
.policy = nft_payload_policy,
.maxattr = NFTA_PAYLOAD_MAX,
.owner = THIS_MODULE,
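Review bot: The fast-path selection `len <= 4 && IS_ALIGNED(offset, len)` in nft_payload_select_ops() also accepts `len == 3`, but nft_payload_fast_eval() handles only 2 and 4 explicitly and treats every other length as a one-byte load. A 3-byte payload expression at a matching offset would therefore copy a single byte and leave the rest of the destination register stale, so a following comparison could match or miss on leftover data. IS_ALIGNED() is also only meaningful for power-of-two sizes. Restricting the fast path to those sizes addresses both: `if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) && base != NFT_PAYLOAD_LL_HEADER)`.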
--
1.7.10.4