On Saturday, 24 July 2010 at 10:55 +0200, Jan Engelhardt wrote:
> Introduce xt_length match revision 1. It adds support for layer-4,
> layer-5 and layer-7 length matching. It is much easier than writing up
> the according xt_u32 magic.
>
> This can be used for packet scheduling; specific examples are online
> games where all data is transferred over the same port, but the regular
> gameplay has a characteristically lower packet size than bulk downloads
> of game maps. (Tested with Unreal Tournament 99.)
>
> Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
> ---
> +static bool
> +length2_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> + const struct xt_length_mtinfo2 *info = par->matchinfo;
> + const struct iphdr *iph = ip_hdr(skb);
> + unsigned int len = 0;
> + bool hit = true;
> +
> + if (info->flags & XT_LENGTH_LAYER3)
> + len = ntohs(iph->tot_len);
> + else if (info->flags & XT_LENGTH_LAYER4)
> + len = ntohs(iph->tot_len) - par->thoff;
> + else if (info->flags & XT_LENGTH_LAYER5)
> + hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
> + else if (info->flags & XT_LENGTH_LAYER7)
> + hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
> + if (!hit)
> + return false;
> +
> + return (len >= info->min && len <= info->max) ^
> + !!(info->flags & XT_LENGTH_INVERT);
> +}

This series of tests is expensive and useless. A switch() would be faster, if you don't use a bit mask, but continuous values to get the layer. (Use 3 bits to encode the layer, one bit for the invert)

Also, using a u16 is more expensive than a u32. On x86, the compiler is forced to use prefixes or conversion instructions (movzwl), this makes code bigger. And much slower on some arches.

Trying to make xt_length rules shorter is not a win, considering the minimum size of an iptable rule (112 bytes) and 8 bytes alignment, and bigger code size.

When v0 of xt_length was designed, the u16 choice for min/max was already a bad choice, since a v1 is now needed.

BTW, you mention "revision 2" in your patch title, while it is revision 1.
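
Review bot: in length2_mt(), when none of the XT_LENGTH_LAYER3/4/5/7 bits is set in info->flags, the if/else chain falls through with len = 0 and hit = true, so the rule silently compares 0 against min/max; when several layer bits are set, the first branch wins without notice. Either reject such flag combinations before the rule is accepted (no such check is visible in this hunk) or return false here. In the XT_LENGTH_LAYER4 branch, `ntohs(iph->tot_len) - par->thoff` is an unsigned subtraction with no visible guard that tot_len is at least thoff; an explicit check, or a comment stating where that is guaranteed, would rule out a wrap to a very large len that then passes or fails the range test for the wrong reason.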
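
The encoding suggested in the reply above (a consecutive layer value in three bits, one invert bit, u32 bounds, dispatched with a switch), as a userspace C model. This is an added example, not code from the patch or from either participant; every `ex_`/`EX_` name, the packet struct and the meaning given to layer 5 are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical flag layout (names are assumptions, not from the patch):
 * bits 0-2 carry the layer as a consecutive value, bit 3 is the invert bit. */
#define EX_LAYER_MASK 0x7u
#define EX_INVERT     0x8u
enum { EX_LAYER3, EX_LAYER4, EX_LAYER5 };

struct ex_length_info {
	uint32_t min, max;	/* u32 instead of u16 */
	uint32_t flags;
};

/* Constructed stand-in for the packet; all lengths in host byte order. */
struct ex_pkt {
	uint32_t tot_len;	/* IP total length */
	uint32_t thoff;		/* offset of the transport header */
	uint32_t l4_hdrlen;	/* transport header length */
};

/* Returns true when the packet matches the rule. */
bool ex_length_mt(const struct ex_pkt *p, const struct ex_length_info *info)
{
	uint32_t len, hdr;

	switch (info->flags & EX_LAYER_MASK) {
	case EX_LAYER3:
		len = p->tot_len;
		break;
	case EX_LAYER4:
		if (p->tot_len < p->thoff)
			return false;	/* would wrap in unsigned arithmetic */
		len = p->tot_len - p->thoff;
		break;
	case EX_LAYER5:		/* assumed here: bytes after the L4 header */
		hdr = p->thoff + p->l4_hdrlen;
		if (p->tot_len < hdr)
			return false;
		len = p->tot_len - hdr;
		break;
	default:		/* unknown layer value: never match */
		return false;
	}
	return (len >= info->min && len <= info->max) ^
	       !!(info->flags & EX_INVERT);
}
```

Unlike the if/else chain on single bits, an unset or unknown layer value has exactly one outcome here, and the invert bit cannot turn it into a match.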