diff options
| author | David S. Miller <davem@davemloft.net> | 2012-06-29 04:32:45 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-06-29 04:36:36 -0400 |
| commit | 7a9bc9b81a5bc6e44ebc80ef781332e4385083f2 (patch) | |
| tree | 1342c672823d47bfb112fee63951af9f6a3eb590 /net/ipv4/fib_frontend.c | |
| parent | b8c8430726e5bd552e01dacc5a44f3f83f7446ca (diff) | |
ipv4: Elide fib_validate_source() completely when possible.
If rpfilter is off (or the SKB has an IPSEC path) and there are not
tclassid users, we don't have to do anything at all when
fib_validate_source() is invoked besides setting the itag to zero.
We monitor tclassid uses with a counter (modified only under RTNL and
marked __read_mostly) and we protect the fib_validate_source() real
work with a test against this counter and whether rpfilter is to be
done.
Having a way to know whether we need no tclassid processing or not
also opens the door for future optimized rpfilter algorithms that do
not perform full FIB lookups.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/fib_frontend.c')
| -rw-r--r-- | net/ipv4/fib_frontend.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index c84cff52021e..ae528d1b293a 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c | |||
| @@ -31,6 +31,7 @@ | |||
| 31 | #include <linux/if_addr.h> | 31 | #include <linux/if_addr.h> |
| 32 | #include <linux/if_arp.h> | 32 | #include <linux/if_arp.h> |
| 33 | #include <linux/skbuff.h> | 33 | #include <linux/skbuff.h> |
| 34 | #include <linux/cache.h> | ||
| 34 | #include <linux/init.h> | 35 | #include <linux/init.h> |
| 35 | #include <linux/list.h> | 36 | #include <linux/list.h> |
| 36 | #include <linux/slab.h> | 37 | #include <linux/slab.h> |
| @@ -217,6 +218,10 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb) | |||
| 217 | return inet_select_addr(dev, ip_hdr(skb)->saddr, scope); | 218 | return inet_select_addr(dev, ip_hdr(skb)->saddr, scope); |
| 218 | } | 219 | } |
| 219 | 220 | ||
| 221 | #ifdef CONFIG_IP_ROUTE_CLASSID | ||
| 222 | int fib_num_tclassid_users __read_mostly; | ||
| 223 | #endif | ||
| 224 | |||
| 220 | /* Given (packet source, input interface) and optional (dst, oif, tos): | 225 | /* Given (packet source, input interface) and optional (dst, oif, tos): |
| 221 | * - (main) check, that source is valid i.e. not broadcast or our local | 226 | * - (main) check, that source is valid i.e. not broadcast or our local |
| 222 | * address. | 227 | * address. |
| @@ -225,11 +230,11 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb) | |||
| 225 | * - check, that packet arrived from expected physical interface. | 230 | * - check, that packet arrived from expected physical interface. |
| 226 | * called with rcu_read_lock() | 231 | * called with rcu_read_lock() |
| 227 | */ | 232 | */ |
| 228 | int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, | 233 | static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, |
| 229 | int oif, struct net_device *dev, struct in_device *idev, | 234 | u8 tos, int oif, struct net_device *dev, |
| 230 | u32 *itag) | 235 | int rpf, struct in_device *idev, u32 *itag) |
| 231 | { | 236 | { |
| 232 | int ret, no_addr, rpf, accept_local; | 237 | int ret, no_addr, accept_local; |
| 233 | struct fib_result res; | 238 | struct fib_result res; |
| 234 | struct flowi4 fl4; | 239 | struct flowi4 fl4; |
| 235 | struct net *net; | 240 | struct net *net; |
| @@ -242,12 +247,9 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, | |||
| 242 | fl4.flowi4_tos = tos; | 247 | fl4.flowi4_tos = tos; |
| 243 | fl4.flowi4_scope = RT_SCOPE_UNIVERSE; | 248 | fl4.flowi4_scope = RT_SCOPE_UNIVERSE; |
| 244 | 249 | ||
| 245 | no_addr = rpf = accept_local = 0; | 250 | no_addr = accept_local = 0; |
| 246 | no_addr = idev->ifa_list == NULL; | 251 | no_addr = idev->ifa_list == NULL; |
| 247 | 252 | ||
| 248 | /* Ignore rp_filter for packets protected by IPsec. */ | ||
| 249 | rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); | ||
| 250 | |||
| 251 | accept_local = IN_DEV_ACCEPT_LOCAL(idev); | 253 | accept_local = IN_DEV_ACCEPT_LOCAL(idev); |
| 252 | fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0; | 254 | fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0; |
| 253 | 255 | ||
| @@ -303,6 +305,20 @@ e_rpf: | |||
| 303 | return -EXDEV; | 305 | return -EXDEV; |
| 304 | } | 306 | } |
| 305 | 307 | ||
| 308 | /* Ignore rp_filter for packets protected by IPsec. */ | ||
| 309 | int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, | ||
| 310 | u8 tos, int oif, struct net_device *dev, | ||
| 311 | struct in_device *idev, u32 *itag) | ||
| 312 | { | ||
| 313 | int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); | ||
| 314 | |||
| 315 | if (!r && !fib_num_tclassid_users) { | ||
| 316 | *itag = 0; | ||
| 317 | return 0; | ||
| 318 | } | ||
| 319 | return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev, itag); | ||
| 320 | } | ||
| 321 | |||
| 306 | static inline __be32 sk_extract_addr(struct sockaddr *addr) | 322 | static inline __be32 sk_extract_addr(struct sockaddr *addr) |
| 307 | { | 323 | { |
| 308 | return ((struct sockaddr_in *) addr)->sin_addr.s_addr; | 324 | return ((struct sockaddr_in *) addr)->sin_addr.s_addr; |