The branch main has been updated by rscheff:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9c6558383546fd3eb0fb934625c4c5ade901a6cd

commit 9c6558383546fd3eb0fb934625c4c5ade901a6cd
Author:     Richard Scheffenegger <[email protected]>
AuthorDate: 2022-10-06 23:31:48 +0000
Commit:     Richard Scheffenegger <[email protected]>
CommitDate: 2022-10-06 23:39:41 +0000

    siftr: apply filter early on
    
    Quickly check the TCP port filter before investing in
    expensive operations.
    
    No functional change.
    
    Obtained from:          guest-ccui
    Reviewed By:            #transport, tuexen, guest-ccui
    Sponsored by:           NetApp, Inc.
    Differential Revision:  https://reviews.freebsd.org/D36842
---
 sys/netinet/siftr.c | 70 ++++++++++++++++++++++++++---------------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
index c025c06d7f32..e21d15212979 100644
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -853,6 +853,24 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
        if (ip->ip_p != IPPROTO_TCP)
                goto ret;
 
+       /*
+        * Create a tcphdr struct starting at the correct offset
+        * in the IP packet. ip->ip_hl gives the ip header length
+        * in 4-byte words, so multiply it to get the size in bytes.
+        */
+       ip_hl = (ip->ip_hl << 2);
+       th = (struct tcphdr *)((caddr_t)ip + ip_hl);
+
+       /*
+        * Only pkts selected by the tcp port filter
+        * can be inserted into the pkt_queue
+        */
+       if ((siftr_port_filter != 0) &&
+           (siftr_port_filter != ntohs(th->th_sport)) &&
+           (siftr_port_filter != ntohs(th->th_dport))) {
+               goto ret;
+       }
+
        /*
         * If a kernel subsystem reinjects packets into the stack, our pfil
         * hook will be called multiple times for the same packet.
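Review bot: `th->th_sport` and `th->th_dport` are now read immediately after the `ip->ip_p` test, and nothing visible in this hunk checks that `ip->ip_hl` is at least 5 or that the first mbuf holds `ip_hl + sizeof(struct tcphdr)` contiguous bytes. The start of siftr_chkpkt is outside the hunk, so an earlier check may exist; if it does not, a truncated or split packet would make the filter compare bytes beyond the valid data. A guard before the port comparison, for example `if ((*m)->m_len < (int)(ip_hl + sizeof(struct tcphdr))) goto ret;`, would cover it. The same applies to the siftr_chkpkt6 hunk, where `th` is derived from `ip6_hl`.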
@@ -866,14 +884,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
        else
                ss->n_out++;
 
-       /*
-        * Create a tcphdr struct starting at the correct offset
-        * in the IP packet. ip->ip_hl gives the ip header length
-        * in 4-byte words, so multiply it to get the size in bytes.
-        */
-       ip_hl = (ip->ip_hl << 2);
-       th = (struct tcphdr *)((caddr_t)ip + ip_hl);
-
        /*
         * If the pfil hooks don't provide a pointer to the
         * inpcb, we need to find it ourselves and lock it.
@@ -907,15 +917,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
                goto inp_unlock;
        }
 
-       /*
-        * Only pkts selected by the tcp port filter
-        * can be inserted into the pkt_queue
-        */
-       if ((siftr_port_filter != 0) &&
-           (siftr_port_filter != ntohs(inp->inp_lport)) &&
-           (siftr_port_filter != ntohs(inp->inp_fport))) {
-               goto inp_unlock;
-       }
 
        pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);
 
@@ -1038,6 +1039,23 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int 
flags,
        if (ip6->ip6_nxt != IPPROTO_TCP)
                goto ret6;
 
+       /*
+        * Create a tcphdr struct starting at the correct offset
+        * in the ipv6 packet.
+        */
+       ip6_hl = sizeof(struct ip6_hdr);
+       th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
+
+       /*
+        * Only pkts selected by the tcp port filter
+        * can be inserted into the pkt_queue
+        */
+       if ((siftr_port_filter != 0) &&
+           (siftr_port_filter != ntohs(th->th_sport)) &&
+           (siftr_port_filter != ntohs(th->th_dport))) {
+               goto ret6;
+       }
+
        /*
         * If a kernel subsystem reinjects packets into the stack, our pfil
         * hook will be called multiple times for the same packet.
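Review bot: The port filter now runs before the `ss->n_out++` counter update that the following hunk shows further down in siftr_chkpkt6, so packets rejected by `siftr_port_filter` are presumably no longer counted, which does not match "No functional change" in the commit message. The test also compares the ports in the TCP header rather than `inp->inp_lport`/`inp->inp_fport`, so a segment with no matching inpcb leaves at `ret6` instead of reaching the lookup. A comment above the test such as `/* Filtered packets are skipped before any stats are updated. */` would record this. The same holds for the siftr_chkpkt hunk, and the function body continues outside this hunk.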
@@ -1051,15 +1069,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int 
flags,
        else
                ss->n_out++;
 
-       ip6_hl = sizeof(struct ip6_hdr);
-
-       /*
-        * Create a tcphdr struct starting at the correct offset
-        * in the ipv6 packet. ip->ip_hl gives the ip header length
-        * in 4-byte words, so multiply it to get the size in bytes.
-        */
-       th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
-
        /*
         * For inbound packets, the pfil hooks don't provide a pointer to the
         * inpcb, so we need to find it ourselves and lock it.
@@ -1091,15 +1100,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int 
flags,
                goto inp_unlock6;
        }
 
-       /*
-        * Only pkts selected by the tcp port filter
-        * can be inserted into the pkt_queue
-        */
-       if ((siftr_port_filter != 0) &&
-           (siftr_port_filter != ntohs(inp->inp_lport)) &&
-           (siftr_port_filter != ntohs(inp->inp_fport))) {
-               goto inp_unlock6;
-       }
 
        pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);
 
