diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-06-08 16:09:52 +0200 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2010-06-08 16:09:52 +0200 |
commit | 5bfddbd46a95c978f4d3c992339cbdf4f4b790a3 (patch) | |
tree | 9291ba4e1e3c7bf7ae8b5dfa8271e7127a6a6958 /net/netfilter/xt_state.c | |
parent | netfilter: xt_rateest: Better struct xt_rateest layout (diff) | |
download | linux-dev-5bfddbd46a95c978f4d3c992339cbdf4f4b790a3.tar.xz linux-dev-5bfddbd46a95c978f4d3c992339cbdf4f4b790a3.zip |
netfilter: nf_conntrack: IPS_UNTRACKED bit
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet. This is bad for performance.
__read_mostly annotation is also a bad choice.
This patch introduces IPS_UNTRACKED bit so that we can use later a
per_cpu untrack structure more easily.
A new helper, nf_ct_untracked_get() returns a pointer to
nf_conntrack_untracked.
Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
IPS_NAT_DONE_MASK bits to untracked status.
nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter/xt_state.c')
-rw-r--r-- | net/netfilter/xt_state.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c index e12e053d3782..a507922d80cd 100644 --- a/net/netfilter/xt_state.c +++ b/net/netfilter/xt_state.c @@ -26,14 +26,16 @@ state_mt(const struct sk_buff *skb, struct xt_action_param *par) const struct xt_state_info *sinfo = par->matchinfo; enum ip_conntrack_info ctinfo; unsigned int statebit; + struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - if (nf_ct_is_untracked(skb)) - statebit = XT_STATE_UNTRACKED; - else if (!nf_ct_get(skb, &ctinfo)) + if (!ct) statebit = XT_STATE_INVALID; - else - statebit = XT_STATE_BIT(ctinfo); - + else { + if (nf_ct_is_untracked(ct)) + statebit = XT_STATE_UNTRACKED; + else + statebit = XT_STATE_BIT(ctinfo); + } return (sinfo->statemask & statebit); } |