Re: [PATCH nf-next] netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match

On Thu, Apr 02, 2015 at 02:28:30PM +0200, Daniel Borkmann wrote:
> Currently in xt_socket, we take advantage of early demuxed sockets
> since commit 00028aa37098 ("netfilter: xt_socket: use IP early demux")
> in order to avoid a second socket lookup in the fast path, but we
> only make partial use of this:
> 
> We still unnecessarily parse headers, extract proto, {s,d}addr and
> {s,d}ports from the skb data, accessing possible conntrack information,
> etc even though we were not even calling into the socket lookup via
> xt_socket_get_sock_{v4,v6}() due to skb->sk hit, meaning those cycles
> can be spared.
> 
> After this patch, we only proceed with the slower, manual lookup path
> when we have a skb->sk miss, thus time to match verdict for early
> demuxed sockets will improve further, which might be e.g. interesting
> for use cases such as mentioned in 681f130f39e1 ("netfilter: xt_socket:
> add XT_SOCKET_NOWILDCARD flag").

Applied, thanks.