On Thu, Mar 26, 2015 at 08:14:47PM +0100, Daniel Borkmann wrote:
> The socket lookup helpers are also needed for fixing xt_cgroups,
> therefore refactor them into shareable helper functions.
>
> This simplifies and optimizes the xt_socket code itself a bit
> as well, i.e. time to verdict for early demux sockets should be
> much faster than previously:
>
> We've unnecessarily extracted proto, {s,d}addr and {s,d}ports
> from the skb data, accessing possible conntrack information,
> etc even though we were not even calling into the socket lookup
> via xt_socket_get_sock_v4() due to skb->sk hit.
>
> After this patch, we only proceed the slow-path when we have an
> actual skb->sk miss.
>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Cc: Daniel Mack <daniel@xxxxxxxxxx>
> Cc: Florian Westphal <fw@xxxxxxxxx>
> ---
> net/netfilter/xt_sk_helper.h | 282 +++++++++++++++++++++++++++++++++++++++++
> net/netfilter/xt_socket.c | 293 +++---------------------------------------
> 2 files changed, 300 insertions(+), 275 deletions(-)
> create mode 100644 net/netfilter/xt_sk_helper.h
>
> diff --git a/net/netfilter/xt_sk_helper.h b/net/netfilter/xt_sk_helper.h
> new file mode 100644
> index 0000000..604b7ac
> --- /dev/null
> +++ b/net/netfilter/xt_sk_helper.h

Please, no code in a header file.

Instead split the content of this file in two:

* net/ipv4/netfilter/nf_sock_ipv4.c
* net/ipv6/netfilter/nf_sock_ipv6.c

You will have the corresponding Kconfig and Makefile trickery too.

Also rename all those functions to the prefix nf_sock_*

The Kconfig for xt_socket should contain:

        select NF_SOCK_IPV4
        select NF_SOCK_IPV6 if IP6_NF_IPTABLES

This is how we're doing with other extensions to share code between xt
and nft, you will help us if you do it like that.

Thanks.
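
Review bot: the diffstat puts all 282 added lines into net/netfilter/xt_sk_helper.h while xt_socket.c loses 275, so the lookup helpers now live as function bodies in a header and would be compiled separately into every user that includes it instead of being built once. Separately, the commit message's "should be much faster than previously" for the skb->sk hit path comes with no measurement; add numbers for the early demux case or word it as an expectation.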