1. 08 Apr, 2015 4 commits
    •
      netfilter: physdev: use helpers · a99074ae
      Florian Westphal authored
      Avoid skb->nf_bridge accesses where possible.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: bridge: add helpers for fetching physin/outdev · c737b7c4
      Florian Westphal authored
      Right now we store this in the nf_bridge_info struct, accessible
      via skb->nf_bridge.  This patch prepares removal of this pointer from skb:
      
      Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
      device (or ifindexes).
      
      Followup patches to netfilter will then allow nf_bridge_info to be
      obtained by a call into the br_netfilter core, rather than keeping a
      pointer to it in sk_buff.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: bridge: don't use nf_bridge_info data to store mac header · e70deecb
      Florian Westphal authored
      br_netfilter maintains an extra state, nf_bridge_info, which is attached
      to skb via skb->nf_bridge pointer.
      
      Amongst other things we use skb->nf_bridge->data to store the original
      mac header for every processed skb.
      
      This is required for ip refragmentation when using conntrack
      on top of bridge, because ip_fragment doesn't copy it from original skb.
      
      However there is no need anymore to do this unconditionally.
      
      Move this to the one place where it's needed -- when br_netfilter calls
      ip_fragment().
      
      Also switch to percpu storage for this so we can handle fragmenting
      without accessing nf_bridge meta data.
      
      Only user left is neigh resolution when DNAT is detected, to hold
      the original source mac address (neigh resolution builds new mac header
      using bridge mac), so rename ->data and reduce its size to what's needed.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match · d64d80a2
      Daniel Borkmann authored
      Currently in xt_socket, we take advantage of early demuxed sockets
      since commit 00028aa3 ("netfilter: xt_socket: use IP early demux")
      in order to avoid a second socket lookup in the fast path, but we
      only make partial use of this:
      
      We still unnecessarily parse headers, extract proto, {s,d}addr and
      {s,d}ports from the skb data, accessing possible conntrack information,
      etc even though we were not even calling into the socket lookup via
      xt_socket_get_sock_{v4,v6}() due to skb->sk hit, meaning those cycles
      can be spared.
      
      After this patch, we only proceed the slower, manual lookup path
      when we have a skb->sk miss, thus time to match verdict for early
      demuxed sockets will improve further, which might be i.e. interesting
      for use cases such as mentioned in 681f130f ("netfilter: xt_socket:
      add XT_SOCKET_NOWILDCARD flag").
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>