the decision on wether a packet is to be delivered locally or forwarded

is pretty expensive, the more the more addresses are configured locally,
since we walk a list. when pf is on and we have a state key pointer,
and that state key is linked to another state key, we know for sure this
is not local. when it has a link to a pcb, it certainly goes to the local
codepath.
on a box with 1000 adresses forwarding 3 times as fast as before. theo ok

1 files changed, 17 insertions, 7 deletions

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 918b7516b4c..1413f0244cc 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_input.c,v 1.162 2009/05/18 20:37:13 bluhm Exp $	*/
+/*	$OpenBSD: ip_input.c,v 1.163 2009/06/04 05:02:25 henning Exp $	*/
 /*	$NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $	*/
 
 /*
@@ -386,16 +386,25 @@ ipv4_input(m)
 	        return;
 	}
 
-	/*
-	 * Check our list of addresses, to see if the packet is for us.
-	 */
-	if ((ia = in_iawithaddr(ip->ip_dst, m)) != NULL &&
-	    (ia->ia_ifp->if_flags & IFF_UP))
+	if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED)
 		goto ours;
 
-	if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED)
+#if NPF > 0
+	if (m->m_pkthdr.pf.statekey &&
+	    ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp)
 		goto ours;
 
+	/*
+	 * Check our list of addresses, to see if the packet is for us.
+	 * if we have linked state keys it is certainly to be forwarded.
+	 */
+	if (!m->m_pkthdr.pf.statekey ||
+	    !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse)
+#endif
+		if ((ia = in_iawithaddr(ip->ip_dst, m)) != NULL &&
+		    (ia->ia_ifp->if_flags & IFF_UP))
+			goto ours;
+
 	if (IN_MULTICAST(ip->ip_dst.s_addr)) {
 		struct in_multi *inm;
 #ifdef MROUTING
@@ -451,6 +460,7 @@ ipv4_input(m)
 		}
 		goto ours;
 	}
+
 	if (ip->ip_dst.s_addr == INADDR_BROADCAST ||
 	    ip->ip_dst.s_addr == INADDR_ANY)
 		goto ours;