From patchwork Wed May 22 21:01:06 2013
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 245713
Message-ID: <1369256466.3301.364.camel@edumazet-glaptop>
Subject: [PATCH net-next] netfilter: xt_socket: use IP early demux
From: Eric Dumazet
To: Pablo Neira Ayuso
Cc: netdev , netfilter-devel@vger.kernel.org, Patrick McHardy
Date: Wed, 22 May 2013 14:01:06 -0700
X-Mailer: Evolution 3.2.3-0ubuntu6
Mime-Version: 1.0
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Eric Dumazet

With IP early demux added in linux-3.6, we perform TCP lookup in IP layer before iptables hooks. We can avoid doing a second lookup in xt_socket.

Signed-off-by: Eric Dumazet
Acked-by: David S. Miller
---
 net/netfilter/xt_socket.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index 63b2bdb..0270424 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c @@ -107,7 +107,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par, { const struct iphdr *iph = ip_hdr(skb); struct udphdr _hdr, *hp = NULL; - struct sock *sk; + struct sock *sk = skb->sk; __be32 uninitialized_var(daddr), uninitialized_var(saddr); __be16 uninitialized_var(dport), uninitialized_var(sport); u8 uninitialized_var(protocol); @@ -155,9 +155,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par, } #endif - sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol, - saddr, daddr, sport, dport, par->in, NFT_LOOKUP_ANY); - if (sk != NULL) { + if (!sk) + sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol, - saddr, daddr, sport, dport, + par->in, NFT_LOOKUP_ANY); + if (sk) { bool wildcard; bool transparent = true; 
@@ -173,7 +175,8 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par, (sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent)); - xt_socket_put_sk(sk); + if (sk != skb->sk) + xt_socket_put_sk(sk); if (wildcard || !transparent) sk = NULL; @@ -260,7 +263,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) { struct ipv6hdr *iph = ipv6_hdr(skb); struct udphdr _hdr, *hp = NULL; - struct sock *sk; + struct sock *sk = skb->sk; struct in6_addr *daddr = NULL, *saddr = NULL; __be16 uninitialized_var(dport), uninitialized_var(sport); int thoff = 0, uninitialized_var(tproto); @@ -291,9 +294,11 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) return false; } - sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto, - saddr, daddr, sport, dport, par->in, NFT_LOOKUP_ANY); - if (sk != NULL) { + if (!sk) + sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto, + saddr, daddr, sport, dport, + par->in, NFT_LOOKUP_ANY); + if (sk) { bool wildcard; bool transparent = true; @@ -309,7 +314,8 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) (sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent)); - xt_socket_put_sk(sk); + if (sk != skb->sk) + xt_socket_put_sk(sk); if (wildcard || !transparent) sk = NULL;
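Review bot: the new initializer `struct sock *sk = skb->sk;` in the @@ -107,7 +107,7 @@ socket_match hunk needs a comment saying where that pointer comes from (the IP-layer early demux named in the commit message) and that it is a reference owned by the skb, not one this function took, because the later `if (sk != skb->sk) xt_socket_put_sk(sk);` is only correct under that ownership rule and nothing in the diff states it. Something like `struct sock *sk = skb->sk; /* from early demux; not ours to put */` would do.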
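Review bot: in the @@ -155,9 +155,11 @@ socket_match hunk the `saddr`, `daddr`, `sport`, `dport` and `protocol` values declared in the first hunk are still computed in full before the new `if (!sk)`, even though their only consumer, the nf_tproxy_get_sock_v4() call, is now skipped whenever skb->sk is already set. That is harmless, but if the goal is to avoid redundant work the early-demux check could be hoisted above the transport-header walk; if the parse is kept deliberately (so that malformed packets still return false on both paths), a one-line comment saying so would stop the next reader from "optimising" it away.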
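Review bot: in the @@ -173,7 +175,8 @@ socket_match hunk the `if (sk != skb->sk) xt_socket_put_sk(sk);` comparison is order-sensitive: two lines later the context shows `if (wildcard || !transparent) sk = NULL;`, so the ownership test must stay above that assignment or a socket obtained from nf_tproxy_get_sock_v4() would leak a reference. A short comment at the put site would make that constraint explicit, and since the identical two lines are repeated in socket_mt6_v1, a small helper (a hypothetical `xt_socket_put_sk_unless_skb(sk, skb)`, name is only a suggestion) would keep the two copies from drifting apart.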
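Review bot: the @@ -291,9 +294,11 @@ socket_mt6_v1 hunk applies the same `if (!sk)` guard to the IPv6 path, but the commit message only says that the TCP lookup is now done in the IP layer; it should state that the IPv6 receive path sets skb->sk before the hooks as well, otherwise a reader of this hunk has to take on trust that skipping nf_tproxy_get_sock_v6() here never skips a lookup that still has to happen.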
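Review bot: in the @@ -309,7 +314,8 @@ socket_mt6_v1 hunk the surrounding context (`sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent`) shows that `sk`, and therefore skb->sk, can be a TIME_WAIT socket here, so skipping xt_socket_put_sk() relies on whoever owns skb->sk releasing both full and timewait sockets correctly. That assumption is what makes the conditional put safe and deserves a sentence in the commit message rather than being left implicit.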