[NETFILTER]: FTP helper: search optimization

Instead of skipping search entries for the wrong direction simply index them by direction. Based on patch by Pablo Neira <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-05-29 21:25:38 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:29:07 -0400
commit: 7d8c50181778b6ba10c2bba9a2f22db9493bb245 (patch)
tree: b0a87854e0c377eccca3849351951d5456687729 /net/ipv4
parent: 695ecea3299dba2239d1cb4fd4d4e4c95a5b9ce7 (diff)
1 files changed, 43 insertions, 34 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_ftp.c b/net/ipv4/netfilter/ip_conntrack_ftp.c
index 3e542bf28a9d..4dcf526c3944 100644
--- a/net/ipv4/netfilter/ip_conntrack_ftp.c
+++ b/net/ipv4/netfilter/ip_conntrack_ftp.c
@@ -56,37 +56,48 @@ static int try_eprt(const char *, size_t, u_int32_t [], char);
 static int try_epsv_response(const char *, size_t, u_int32_t [], char);
 static const struct ftp_search {
-        enum ip_conntrack_dir dir;
        const char *pattern;
        size_t plen;
        char skip;
        char term;
        enum ip_ct_ftp_type ftptype;
        int (*getnum)(const char *, size_t, u_int32_t[], char);
-} search[] = {
+} search[IP_CT_DIR_MAX][2] = {
-        {
+        [IP_CT_DIR_ORIGINAL] = {
-                IP_CT_DIR_ORIGINAL,
+                {
-                "PORT", sizeof("PORT") - 1, ' ', '\r',
+                        .pattern        =  "PORT",
-                IP_CT_FTP_PORT,
+                        .plen           = sizeof("PORT") - 1,
-                try_rfc959,
+                        .skip           = ' ',
+                        .term           = '\r',
+                        .ftptype        = IP_CT_FTP_PORT,
+                        .getnum         = try_rfc959,
+                },
+                {
+                        .pattern        = "EPRT",
+                        .plen           = sizeof("EPRT") - 1,
+                        .skip           = ' ',
+                        .term           = '\r',
+                        .ftptype        = IP_CT_FTP_EPRT,
+                        .getnum         = try_eprt,
+                },
        },
-        {
+        [IP_CT_DIR_REPLY] = {
-                IP_CT_DIR_REPLY,
+                {
-                "227 ", sizeof("227 ") - 1, '(', ')',
+                        .pattern        = "227 ",
-                IP_CT_FTP_PASV,
+                        .plen           = sizeof("227 ") - 1,
-                try_rfc959,
+                        .skip           = '(',
-        },
+                        .term           = ')',
-        {
+                        .ftptype        = IP_CT_FTP_PASV,
-                IP_CT_DIR_ORIGINAL,
+                        .getnum         = try_rfc959,
-                "EPRT", sizeof("EPRT") - 1, ' ', '\r',
+                },
-                IP_CT_FTP_EPRT,
+                {
-                try_eprt,
+                        .pattern        = "229 ",
-        },
+                        .plen           = sizeof("229 ") - 1,
-        {
+                        .skip           = '(',
-                IP_CT_DIR_REPLY,
+                        .term           = ')',
-                "229 ", sizeof("229 ") - 1, '(', ')',
+                        .ftptype        = IP_CT_FTP_EPSV,
-                IP_CT_FTP_EPSV,
+                        .getnum         = try_epsv_response,
-                try_epsv_response,
+                },
        },
 };
@@ -346,17 +357,15 @@ static int help(struct sk_buff **pskb,
        array[2] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 8) & 0xFF;
        array[3] = ntohl(ct->tuplehash[dir].tuple.src.ip) & 0xFF;
-        for (i = 0; i < ARRAY_SIZE(search); i++) {
+        for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
-                if (search[i].dir != dir) continue;
                found = find_pattern(fb_ptr, (*pskb)->len - dataoff,
-                                     search[i].pattern,
+                                     search[dir][i].pattern,
-                                     search[i].plen,
+                                     search[dir][i].plen,
-                                     search[i].skip,
+                                     search[dir][i].skip,
-                                     search[i].term,
+                                     search[dir][i].term,
                                     &matchoff, &matchlen,
                                     array,
-                                     search[i].getnum);
+                                     search[dir][i].getnum);
                if (found) break;
        }
        if (found == -1) {
@@ -366,7 +375,7 @@ static int help(struct sk_buff **pskb,
                   this case. */
                if (net_ratelimit())
                        printk("conntrack_ftp: partial %s %u+%u\n",
-                               search[i].pattern,
+                               search[dir][i].pattern,
                               ntohl(th->seq), datalen);
                ret = NF_DROP;
                goto out;
@@ -426,7 +435,7 @@ static int help(struct sk_buff **pskb,
        /* Now, NAT might want to mangle the packet, and register the
         * (possibly changed) expectation itself. */
        if (ip_nat_ftp_hook)
-                ret = ip_nat_ftp_hook(pskb, ctinfo, search[i].ftptype,
+                ret = ip_nat_ftp_hook(pskb, ctinfo, search[dir][i].ftptype,
                                      matchoff, matchlen, exp, &seq);
        else {
                /* Can't expect this?  Best to drop packet now. */
author	Patrick McHardy <kaber@trash.net>	2006-05-29 21:25:38 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:29:07 -0400
commit	7d8c50181778b6ba10c2bba9a2f22db9493bb245 (patch)
tree	b0a87854e0c377eccca3849351951d5456687729 /net/ipv4
parent	695ecea3299dba2239d1cb4fd4d4e4c95a5b9ce7 (diff)

diff --git a/net/ipv4/netfilter/ip_conntrack_ftp.c b/net/ipv4/netfilter/ip_conntrack_ftp.c index 3e542bf28a9d..4dcf526c3944 100644 --- a/net/ipv4/netfilter/ip_conntrack_ftp.c +++ b/net/ipv4/netfilter/ip_conntrack_ftp.c
@@ -56,37 +56,48 @@ static int try_eprt(const char *, size_t, u_int32_t [], char);
56	static int try_epsv_response(const char *, size_t, u_int32_t [], char);	56	static int try_epsv_response(const char *, size_t, u_int32_t [], char);
57		57
58	static const struct ftp_search {	58	static const struct ftp_search {
59	enum ip_conntrack_dir dir;
60	const char *pattern;	59	const char *pattern;
61	size_t plen;	60	size_t plen;
62	char skip;	61	char skip;
63	char term;	62	char term;
64	enum ip_ct_ftp_type ftptype;	63	enum ip_ct_ftp_type ftptype;
65	int (getnum)(const char , size_t, u_int32_t[], char);	64	int (getnum)(const char , size_t, u_int32_t[], char);
66	} search[] = {	65	} search[IP_CT_DIR_MAX][2] = {
67	{	66	[IP_CT_DIR_ORIGINAL] = {
68	IP_CT_DIR_ORIGINAL,	67	{
69	"PORT", sizeof("PORT") - 1, ' ', '\r',	68	.pattern = "PORT",
70	IP_CT_FTP_PORT,	69	.plen = sizeof("PORT") - 1,
71	try_rfc959,	70	.skip = ' ',
		71	.term = '\r',
		72	.ftptype = IP_CT_FTP_PORT,
		73	.getnum = try_rfc959,
		74	},
		75	{
		76	.pattern = "EPRT",
		77	.plen = sizeof("EPRT") - 1,
		78	.skip = ' ',
		79	.term = '\r',
		80	.ftptype = IP_CT_FTP_EPRT,
		81	.getnum = try_eprt,
		82	},
72	},	83	},
73	{	84	[IP_CT_DIR_REPLY] = {
74	IP_CT_DIR_REPLY,	85	{
75	"227 ", sizeof("227 ") - 1, '(', ')',	86	.pattern = "227 ",
76	IP_CT_FTP_PASV,	87	.plen = sizeof("227 ") - 1,
77	try_rfc959,	88	.skip = '(',
78	},	89	.term = ')',
79	{	90	.ftptype = IP_CT_FTP_PASV,
80	IP_CT_DIR_ORIGINAL,	91	.getnum = try_rfc959,
81	"EPRT", sizeof("EPRT") - 1, ' ', '\r',	92	},
82	IP_CT_FTP_EPRT,	93	{
83	try_eprt,	94	.pattern = "229 ",
84	},	95	.plen = sizeof("229 ") - 1,
85	{	96	.skip = '(',
86	IP_CT_DIR_REPLY,	97	.term = ')',
87	"229 ", sizeof("229 ") - 1, '(', ')',	98	.ftptype = IP_CT_FTP_EPSV,
88	IP_CT_FTP_EPSV,	99	.getnum = try_epsv_response,
89	try_epsv_response,	100	},
90	},	101	},
91	};	102	};
92		103
@@ -346,17 +357,15 @@ static int help(struct sk_buff **pskb,
346	array[2] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 8) & 0xFF;	357	array[2] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 8) & 0xFF;
347	array[3] = ntohl(ct->tuplehash[dir].tuple.src.ip) & 0xFF;	358	array[3] = ntohl(ct->tuplehash[dir].tuple.src.ip) & 0xFF;
348		359
349	for (i = 0; i < ARRAY_SIZE(search); i++) {	360	for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
350	if (search[i].dir != dir) continue;
351
352	found = find_pattern(fb_ptr, (*pskb)->len - dataoff,	361	found = find_pattern(fb_ptr, (*pskb)->len - dataoff,
353	search[i].pattern,	362	search[dir][i].pattern,
354	search[i].plen,	363	search[dir][i].plen,
355	search[i].skip,	364	search[dir][i].skip,
356	search[i].term,	365	search[dir][i].term,
357	&matchoff, &matchlen,	366	&matchoff, &matchlen,
358	array,	367	array,
359	search[i].getnum);	368	search[dir][i].getnum);
360	if (found) break;	369	if (found) break;
361	}	370	}
362	if (found == -1) {	371	if (found == -1) {
@@ -366,7 +375,7 @@ static int help(struct sk_buff **pskb,
366	this case. */	375	this case. */
367	if (net_ratelimit())	376	if (net_ratelimit())
368	printk("conntrack_ftp: partial %s %u+%u\n",	377	printk("conntrack_ftp: partial %s %u+%u\n",
369	search[i].pattern,	378	search[dir][i].pattern,
370	ntohl(th->seq), datalen);	379	ntohl(th->seq), datalen);
371	ret = NF_DROP;	380	ret = NF_DROP;
372	goto out;	381	goto out;
@@ -426,7 +435,7 @@ static int help(struct sk_buff **pskb,
426	/* Now, NAT might want to mangle the packet, and register the	435	/* Now, NAT might want to mangle the packet, and register the
427	* (possibly changed) expectation itself. */	436	* (possibly changed) expectation itself. */
428	if (ip_nat_ftp_hook)	437	if (ip_nat_ftp_hook)
429	ret = ip_nat_ftp_hook(pskb, ctinfo, search[i].ftptype,	438	ret = ip_nat_ftp_hook(pskb, ctinfo, search[dir][i].ftptype,
430	matchoff, matchlen, exp, &seq);	439	matchoff, matchlen, exp, &seq);
431	else {	440	else {
432	/* Can't expect this? Best to drop packet now. */	441	/* Can't expect this? Best to drop packet now. */