Commit c29b72e0 authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso

netfilter: nft_payload: add optimized payload implementation for small loads

Add an optimized payload expression implementation for small (up to 4 bytes)
aligned data loads from the linear packet area.

This patch also includes original Patrick McHardy's entitled (nf_tables:
inline nft_payload_fast_eval() into main evaluation loop).
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent cb7dbfd0
...@@ -27,6 +27,15 @@ extern void nft_bitwise_module_exit(void); ...@@ -27,6 +27,15 @@ extern void nft_bitwise_module_exit(void);
extern int nft_byteorder_module_init(void); extern int nft_byteorder_module_init(void);
extern void nft_byteorder_module_exit(void); extern void nft_byteorder_module_exit(void);
struct nft_payload {
enum nft_payload_bases base:8;
u8 offset;
u8 len;
enum nft_registers dreg:8;
};
extern const struct nft_expr_ops nft_payload_fast_ops;
extern int nft_payload_module_init(void); extern int nft_payload_module_init(void);
extern void nft_payload_module_exit(void); extern void nft_payload_module_exit(void);
......
...@@ -32,6 +32,34 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr, ...@@ -32,6 +32,34 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr,
data[NFT_REG_VERDICT].verdict = NFT_BREAK; data[NFT_REG_VERDICT].verdict = NFT_BREAK;
} }
static bool nft_payload_fast_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt)
{
const struct nft_payload *priv = nft_expr_priv(expr);
const struct sk_buff *skb = pkt->skb;
struct nft_data *dest = &data[priv->dreg];
unsigned char *ptr;
if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)
ptr = skb_network_header(skb);
else
ptr = skb_transport_header(skb);
ptr += priv->offset;
if (unlikely(ptr + priv->len >= skb_tail_pointer(skb)))
return false;
if (priv->len == 2)
*(u16 *)dest->data = *(u16 *)ptr;
else if (priv->len == 4)
*(u32 *)dest->data = *(u32 *)ptr;
else
*(u8 *)dest->data = *(u8 *)ptr;
return true;
}
unsigned int nft_do_chain(const struct nf_hook_ops *ops, unsigned int nft_do_chain(const struct nf_hook_ops *ops,
struct sk_buff *skb, struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
...@@ -62,7 +90,8 @@ unsigned int nft_do_chain(const struct nf_hook_ops *ops, ...@@ -62,7 +90,8 @@ unsigned int nft_do_chain(const struct nf_hook_ops *ops,
nft_rule_for_each_expr(expr, last, rule) { nft_rule_for_each_expr(expr, last, rule) {
if (expr->ops == &nft_cmp_fast_ops) if (expr->ops == &nft_cmp_fast_ops)
nft_cmp_fast_eval(expr, data); nft_cmp_fast_eval(expr, data);
else else if (expr->ops != &nft_payload_fast_ops ||
!nft_payload_fast_eval(expr, data, &pkt))
expr->ops->eval(expr, data, &pkt); expr->ops->eval(expr, data, &pkt);
if (data[NFT_REG_VERDICT].verdict != NFT_CONTINUE) if (data[NFT_REG_VERDICT].verdict != NFT_CONTINUE)
......
...@@ -17,13 +17,6 @@ ...@@ -17,13 +17,6 @@
#include <net/netfilter/nf_tables_core.h> #include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
struct nft_payload {
enum nft_payload_bases base:8;
u8 offset;
u8 len;
enum nft_registers dreg:8;
};
static void nft_payload_eval(const struct nft_expr *expr, static void nft_payload_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1], struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
...@@ -71,27 +64,9 @@ static int nft_payload_init(const struct nft_ctx *ctx, ...@@ -71,27 +64,9 @@ static int nft_payload_init(const struct nft_ctx *ctx,
struct nft_payload *priv = nft_expr_priv(expr); struct nft_payload *priv = nft_expr_priv(expr);
int err; int err;
if (tb[NFTA_PAYLOAD_DREG] == NULL || priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
tb[NFTA_PAYLOAD_BASE] == NULL ||
tb[NFTA_PAYLOAD_OFFSET] == NULL ||
tb[NFTA_PAYLOAD_LEN] == NULL)
return -EINVAL;
priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
switch (priv->base) {
case NFT_PAYLOAD_LL_HEADER:
case NFT_PAYLOAD_NETWORK_HEADER:
case NFT_PAYLOAD_TRANSPORT_HEADER:
break;
default:
return -EOPNOTSUPP;
}
priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
if (priv->len == 0 ||
priv->len > FIELD_SIZEOF(struct nft_data, data))
return -EINVAL;
priv->dreg = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_DREG])); priv->dreg = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_DREG]));
err = nft_validate_output_register(priv->dreg); err = nft_validate_output_register(priv->dreg);
...@@ -124,9 +99,49 @@ static const struct nft_expr_ops nft_payload_ops = { ...@@ -124,9 +99,49 @@ static const struct nft_expr_ops nft_payload_ops = {
.dump = nft_payload_dump, .dump = nft_payload_dump,
}; };
const struct nft_expr_ops nft_payload_fast_ops = {
.type = &nft_payload_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
.eval = nft_payload_eval,
.init = nft_payload_init,
.dump = nft_payload_dump,
};
static const struct nft_expr_ops *nft_payload_select_ops(const struct nlattr * const tb[])
{
enum nft_payload_bases base;
unsigned int offset, len;
if (tb[NFTA_PAYLOAD_DREG] == NULL ||
tb[NFTA_PAYLOAD_BASE] == NULL ||
tb[NFTA_PAYLOAD_OFFSET] == NULL ||
tb[NFTA_PAYLOAD_LEN] == NULL)
return ERR_PTR(-EINVAL);
base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
switch (base) {
case NFT_PAYLOAD_LL_HEADER:
case NFT_PAYLOAD_NETWORK_HEADER:
case NFT_PAYLOAD_TRANSPORT_HEADER:
break;
default:
return ERR_PTR(-EOPNOTSUPP);
}
offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
if (len == 0 || len > FIELD_SIZEOF(struct nft_data, data))
return ERR_PTR(-EINVAL);
if (len <= 4 && IS_ALIGNED(offset, len) && base != NFT_PAYLOAD_LL_HEADER)
return &nft_payload_fast_ops;
else
return &nft_payload_ops;
}
static struct nft_expr_type nft_payload_type __read_mostly = { static struct nft_expr_type nft_payload_type __read_mostly = {
.name = "payload", .name = "payload",
.ops = &nft_payload_ops, .select_ops = nft_payload_select_ops,
.policy = nft_payload_policy, .policy = nft_payload_policy,
.maxattr = NFTA_PAYLOAD_MAX, .maxattr = NFTA_PAYLOAD_MAX,
.owner = THIS_MODULE, .owner = THIS_MODULE,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment