From aafcea0542d73fdaf32cbfa3eb3908aebf524717 Mon Sep 17 00:00:00 2001 From: nbd Date: Sat, 30 Jul 2011 15:39:52 +0000 Subject: kernel: add a new version of my netfilter speedup patches for linux 2.6.39 and 3.0 git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27840 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../611-netfilter_match_bypass_default_table.patch | 78 ++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch (limited to 'target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch') diff --git a/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch b/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch new file mode 100644 index 000000000..f2004a6b1 --- /dev/null +++ b/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch @@ -0,0 +1,78 @@ +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -316,6 +316,33 @@ struct ipt_entry *ipt_next_entry(const s + return (void *)entry + entry->next_offset; + } + ++static bool ++ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict) ++{ ++ struct xt_entry_target *t; ++ struct xt_standard_target *st; ++ ++ if (e->target_offset != sizeof(struct ipt_entry)) ++ return false; ++ ++ if (!(e->ip.flags & IPT_F_NO_DEF_MATCH)) ++ return false; ++ ++ t = ipt_get_target(e); ++ if (t->u.kernel.target->target) ++ return false; ++ ++ st = (struct xt_standard_target *) t; ++ if (st->verdict == XT_RETURN) ++ return false; ++ ++ if (st->verdict >= 0) ++ return false; ++ ++ *verdict = (unsigned)(-st->verdict) - 1; ++ return true; ++} ++ + /* Returns one of the generic firewall policies, like NF_ACCEPT. */ + unsigned int + ipt_do_table(struct sk_buff *skb, +@@ -339,6 +366,23 @@ ipt_do_table(struct sk_buff *skb, + ip = ip_hdr(skb); + indev = in ? in->name : nulldevname; + outdev = out ? out->name : nulldevname; ++ ++ IP_NF_ASSERT(table->valid_hooks & (1 << hook)); ++ xt_info_rdlock_bh(); ++ private = table->private; ++ cpu = smp_processor_id(); ++ table_base = private->entries[cpu]; ++ jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; ++ stackptr = per_cpu_ptr(private->stackptr, cpu); ++ origptr = *stackptr; ++ ++ e = get_entry(table_base, private->hook_entry[hook]); ++ if (ipt_handle_default_rule(e, &verdict)) { ++ ADD_COUNTER(e->counters, skb->len, 1); ++ xt_info_rdunlock_bh(); ++ return verdict; ++ } ++ + /* We handle fragments by dealing with the first fragment as + * if it was a normal packet. All other fragments are treated + * normally, except that they will NEVER match rules that ask +@@ -353,17 +397,6 @@ ipt_do_table(struct sk_buff *skb, + acpar.family = NFPROTO_IPV4; + acpar.hooknum = hook; + +- IP_NF_ASSERT(table->valid_hooks & (1 << hook)); +- xt_info_rdlock_bh(); +- private = table->private; +- cpu = smp_processor_id(); +- table_base = private->entries[cpu]; +- jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; +- stackptr = per_cpu_ptr(private->stackptr, cpu); +- origptr = *stackptr; +- +- e = get_entry(table_base, private->hook_entry[hook]); +- + pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n", + table->name, hook, origptr, + get_entry(table_base, private->underflow[hook])); -- cgit v1.2.3