[conntrack-tools] filter: do not filter in user-space if kernel supports BSF
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Tue Oct 21 19:14:36 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=50162d3c19e38a491d95ec26767438ec25bab0dc
commit 50162d3c19e38a491d95ec26767438ec25bab0dc
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Oct 21 19:11:42 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Oct 21 19:11:42 2008 +0200
filter: do not filter in user-space if kernel supports BSF
This patch avoids a double filtering in user-space and kernel-space if
the kernel supports BSF. Since we do not use BSF for dumps and resyncs,
we add a new parameter to ignore_conntrack to indicate if we have to
perform the filtering in user-space or not.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 6d6ebd1247076c88ceeb8d9528d62cd38a5e909a
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Oct 21 19:05:02 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Oct 21 19:05:02 2008 +0200
cache: use jhash2 instead of double jhash+jhash_2words
Currently, oprofile reports ~17% of samples in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via 50162d3c19e38a491d95ec26767438ec25bab0dc (commit)
via 6d6ebd1247076c88ceeb8d9528d62cd38a5e909a (commit)
from 705435f574e45348f5613672588b453d6285ef20 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 50162d3c19e38a491d95ec26767438ec25bab0dc
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue Oct 21 19:11:42 2008 +0200
filter: do not filter in user-space if kernel supports BSF
This patch avoids a double filtering in user-space and kernel-space if
the kernel supports BSF. Since we do not use BSF for dumps and resyncs,
we add a new parameter to ignore_conntrack to indicate if we have to
perform the filtering in user-space or not.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 6d6ebd1247076c88ceeb8d9528d62cd38a5e909a
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue Oct 21 19:05:02 2008 +0200
cache: use jhash2 instead of double jhash+jhash_2words
Currently, oprofile reports ~17% of samples in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
include/netlink.h | 2 +-
src/cache.c | 36 +++++++++++++++++-------------------
src/netlink.c | 11 ++++++-----
src/stats-mode.c | 2 +-
src/sync-mode.c | 2 +-
5 files changed, 26 insertions(+), 27 deletions(-)
Currently, oprofile reports ~17% of sample in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/src/cache.c b/src/cache.c
index 63a8cff..1d39fd5 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -30,15 +30,14 @@
static uint32_t __hash4(const struct nf_conntrack *ct, struct hashtable *table)
{
- unsigned int a, b;
-
- a = jhash(nfct_get_attr(ct, ATTR_ORIG_IPV4_SRC), sizeof(uint32_t),
- ((nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO) << 16) |
- (nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO))));
-
- b = jhash(nfct_get_attr(ct, ATTR_ORIG_IPV4_DST), sizeof(uint32_t),
- ((nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC) << 16) |
- (nfct_get_attr_u16(ct, ATTR_ORIG_PORT_DST))));
+ uint32_t a[4] = {
+ [0] = nfct_get_attr_u32(ct, ATTR_IPV4_SRC),
+ [1] = nfct_get_attr_u32(ct, ATTR_IPV4_DST),
+ [2] = nfct_get_attr_u8(ct, ATTR_L3PROTO) << 16 |
+ nfct_get_attr_u8(ct, ATTR_L4PROTO),
+ [3] = nfct_get_attr_u16(ct, ATTR_PORT_SRC) << 16 |
+ nfct_get_attr_u16(ct, ATTR_PORT_DST),
+ };
/*
* Instead of returning hash % table->hashsize (implying a divide)
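Review bot: The key built in `a[4]` uses the unprefixed names (`ATTR_IPV4_SRC`, `ATTR_L3PROTO`, `ATTR_PORT_SRC`) where the removed lines used `ATTR_ORIG_*`, while `__hash6` in the next hunk still spells the protocol and port fields `ATTR_ORIG_L3PROTO` and `ATTR_ORIG_PORT_SRC`. As far as I know libnetfilter_conntrack defines the short names as aliases of the ORIG ones, so the hash is presumably unchanged, but the mixed spelling makes it hard to confirm at a glance that both functions key on the original-direction tuple. I would keep one spelling in both functions and add a comment above the initializer such as `/* key: orig-direction src, dst, l3proto<<16|l4proto, sport<<16|dport */`. The body of `__hash4` continues into the next hunk.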
@@ -47,22 +46,21 @@ static uint32_t __hash4(const struct nf_conntrack *ct, struct hashtable *table)
* but using a multiply, less expensive than a divide. See:
* http://www.mail-archive.com/netdev@vger.kernel.org/msg56623.html
*/
- return ((uint64_t)jhash_2words(a, b, 0) * table->hashsize) >> 32;
+ return ((uint64_t)jhash2(a, 4, 0) * table->hashsize) >> 32;
}
static uint32_t __hash6(const struct nf_conntrack *ct, struct hashtable *table)
{
- unsigned int a, b;
-
- a = jhash(nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC), sizeof(uint32_t)*4,
- ((nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO) << 16) |
- (nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO))));
+ uint32_t a[10];
- b = jhash(nfct_get_attr(ct, ATTR_ORIG_IPV6_DST), sizeof(uint32_t)*4,
- ((nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC) << 16) |
- (nfct_get_attr_u16(ct, ATTR_ORIG_PORT_DST))));
+ memcpy(&a[0], nfct_get_attr(ct, ATTR_IPV6_SRC), sizeof(uint32_t)*4);
+ memcpy(&a[4], nfct_get_attr(ct, ATTR_IPV6_SRC), sizeof(uint32_t)*4);
+ a[8] = nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO) << 16 |
+ nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO);
+ a[9] = nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC) << 16 |
+ nfct_get_attr_u16(ct, ATTR_ORIG_PORT_DST);
- return ((uint64_t)jhash_2words(a, b, 0) * table->hashsize) >> 32;
+ return ((uint64_t)jhash2(a, 10, 0) * table->hashsize) >> 32;
}
static uint32_t hash(const void *data, struct hashtable *table)
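Review bot: In `__hash6` both `memcpy` calls read `ATTR_IPV6_SRC`, so the destination address never enters the key and `a[4..7]` just repeats the source; the second call should be `memcpy(&a[4], nfct_get_attr(ct, ATTR_IPV6_DST), sizeof(uint32_t)*4);`. With the destination missing, IPv6 flows that differ only in destination address land in the same bucket, which lengthens chains in a table whose keys come from network traffic. The result of `nfct_get_attr()` is also passed straight to `memcpy` with no NULL check; if it can return NULL when the attribute is unset (not visible here), that needs a guard. Separately, `jhash2(a, 4, 0)` and `jhash2(a, 10, 0)` keep the constant initval 0 the old code had, so bucket placement is predictable from the tuple; a per-table random initval would be the usual hardening, though it needs a field in `struct hashtable`, which is outside this hunk.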