git: 9c6558383546 - main - siftr: apply filter early on
Date: Fri, 07 Oct 2022 14:56:23 UTC
The branch main has been updated by rscheff:
URL: https://cgit.FreeBSD.org/src/commit/?id=9c6558383546fd3eb0fb934625c4c5ade901a6cd
commit 9c6558383546fd3eb0fb934625c4c5ade901a6cd
Author: Richard Scheffenegger <rscheff@FreeBSD.org>
AuthorDate: 2022-10-06 23:31:48 +0000
Commit: Richard Scheffenegger <rscheff@FreeBSD.org>
CommitDate: 2022-10-06 23:39:41 +0000
siftr: apply filter early on
Quickly check the TCP port filter before investing in
expensive operations.
No functional change.
Obtained from: guest-ccui
Reviewed By: #transport, tuexen, guest-ccui
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D36842
---
sys/netinet/siftr.c | 70 ++++++++++++++++++++++++++---------------------------
1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
index c025c06d7f32..e21d15212979 100644
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -853,6 +853,24 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
if (ip->ip_p != IPPROTO_TCP)
goto ret;
+ /*
+ * Create a tcphdr struct starting at the correct offset
+ * in the IP packet. ip->ip_hl gives the ip header length
+ * in 4-byte words, so multiply it to get the size in bytes.
+ */
+ ip_hl = (ip->ip_hl << 2);
+ th = (struct tcphdr *)((caddr_t)ip + ip_hl);
+
+ /*
+ * Only pkts selected by the tcp port filter
+ * can be inserted into the pkt_queue
+ */
+ if ((siftr_port_filter != 0) &&
+ (siftr_port_filter != ntohs(th->th_sport)) &&
+ (siftr_port_filter != ntohs(th->th_dport))) {
+ goto ret;
+ }
+
/*
* If a kernel subsystem reinjects packets into the stack, our pfil
* hook will be called multiple times for the same packet.
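Review bot: The new early filter reads `th->th_sport` and `th->th_dport` with no visible check that the first mbuf holds `ip_hl + sizeof(struct tcphdr)` contiguous bytes, and `ip_hl` is taken directly from the packet's own header. If the pfil caller does not already guarantee this (nothing in the hunk shows it), a truncated packet or one whose TCP header sits in a later mbuf turns this into an out-of-bounds read on network-supplied data. A guard before the cast would close it, e.g. `if (ip_hl < sizeof(struct ip) || (*m)->m_len < ip_hl + sizeof(struct tcphdr)) goto ret;`. The `siftr_chkpkt6` hunk has the same pattern with `sizeof(struct ip6_hdr)`. The body of `siftr_chkpkt` starts and ends outside this hunk.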
@@ -866,14 +884,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
else
ss->n_out++;
- /*
- * Create a tcphdr struct starting at the correct offset
- * in the IP packet. ip->ip_hl gives the ip header length
- * in 4-byte words, so multiply it to get the size in bytes.
- */
- ip_hl = (ip->ip_hl << 2);
- th = (struct tcphdr *)((caddr_t)ip + ip_hl);
-
/*
* If the pfil hooks don't provide a pointer to the
* inpcb, we need to find it ourselves and lock it.
@@ -907,15 +917,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
goto inp_unlock;
}
- /*
- * Only pkts selected by the tcp port filter
- * can be inserted into the pkt_queue
- */
- if ((siftr_port_filter != 0) &&
- (siftr_port_filter != ntohs(inp->inp_lport)) &&
- (siftr_port_filter != ntohs(inp->inp_fport))) {
- goto inp_unlock;
- }
pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);
@@ -1038,6 +1039,23 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
if (ip6->ip6_nxt != IPPROTO_TCP)
goto ret6;
+ /*
+ * Create a tcphdr struct starting at the correct offset
+ * in the ipv6 packet.
+ */
+ ip6_hl = sizeof(struct ip6_hdr);
+ th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
+
+ /*
+ * Only pkts selected by the tcp port filter
+ * can be inserted into the pkt_queue
+ */
+ if ((siftr_port_filter != 0) &&
+ (siftr_port_filter != ntohs(th->th_sport)) &&
+ (siftr_port_filter != ntohs(th->th_dport))) {
+ goto ret6;
+ }
+
/*
* If a kernel subsystem reinjects packets into the stack, our pfil
* hook will be called multiple times for the same packet.
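Review bot: Moving the port check ahead of the reinject test changes what gets counted, which does not match the "No functional change" line in the commit message. With `siftr_port_filter` set, non-matching packets now leave via `goto ret6` before the `ss->n_in`/`ss->n_out` increments shown in the following hunk, whereas the old check sat after the inpcb lookup and exited via `inp_unlock6`. The match is also made on the header ports now rather than on `inp->inp_lport`/`inp->inp_fport`. The IPv4 hunk in `siftr_chkpkt` has the same effect. I would extend the comment with a line such as `Filtered packets are not counted in n_in/n_out.` so that readers of the statistics are not misled; the function body continues outside this hunk.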
@@ -1051,15 +1069,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
else
ss->n_out++;
- ip6_hl = sizeof(struct ip6_hdr);
-
- /*
- * Create a tcphdr struct starting at the correct offset
- * in the ipv6 packet. ip->ip_hl gives the ip header length
- * in 4-byte words, so multiply it to get the size in bytes.
- */
- th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
-
/*
* For inbound packets, the pfil hooks don't provide a pointer to the
* inpcb, so we need to find it ourselves and lock it.
@@ -1091,15 +1100,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
goto inp_unlock6;
}
- /*
- * Only pkts selected by the tcp port filter
- * can be inserted into the pkt_queue
- */
- if ((siftr_port_filter != 0) &&
- (siftr_port_filter != ntohs(inp->inp_lport)) &&
- (siftr_port_filter != ntohs(inp->inp_fport))) {
- goto inp_unlock6;
- }
pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);