siftr: apply filter early on

Quickly check TCP port filter, before investing into expensive operations. No functional change. Obtained from: guest-ccui Reviewed By: #transport, tuexen, guest-ccui Sponsored by: NetApp, Inc. Differential Revision: https://reviews.freebsd.org/D36842
2022-10-07 01:31:48 +02:00 · 2022-10-07 01:31:48 +02:00 · 9c65583835
commit 9c65583835
parent de1ea2d517
1 changed files with 35 additions and 35 deletions
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@ -853,6 +853,24 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
 	if (ip->ip_p != IPPROTO_TCP)
 		goto ret;

+	/*
+	 * Create a tcphdr struct starting at the correct offset
+	 * in the IP packet. ip->ip_hl gives the ip header length
+	 * in 4-byte words, so multiply it to get the size in bytes.
+	 */
+	ip_hl = (ip->ip_hl << 2);
+	th = (struct tcphdr *)((caddr_t)ip + ip_hl);
+
+	/*
+	 * Only pkts selected by the tcp port filter
+	 * can be inserted into the pkt_queue
+	 */
+	if ((siftr_port_filter != 0) &&
+	    (siftr_port_filter != ntohs(th->th_sport)) &&
+	    (siftr_port_filter != ntohs(th->th_dport))) {
+		goto ret;
+	}
+
 	/*
 	 * If a kernel subsystem reinjects packets into the stack, our pfil
 	 * hook will be called multiple times for the same packet.
@ -866,14 +884,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
 	else
 		ss->n_out++;

-	/*
-	 * Create a tcphdr struct starting at the correct offset
-	 * in the IP packet. ip->ip_hl gives the ip header length
-	 * in 4-byte words, so multiply it to get the size in bytes.
-	 */
-	ip_hl = (ip->ip_hl << 2);
-	th = (struct tcphdr *)((caddr_t)ip + ip_hl);
-
 	/*
 	 * If the pfil hooks don't provide a pointer to the
 	 * inpcb, we need to find it ourselves and lock it.
@ -907,15 +917,6 @@ siftr_chkpkt(struct mbuf **m, struct ifnet *ifp, int flags,
 		goto inp_unlock;
 	}

-	/*
-	 * Only pkts selected by the tcp port filter
-	 * can be inserted into the pkt_queue
-	 */
-	if ((siftr_port_filter != 0) &&
-	    (siftr_port_filter != ntohs(inp->inp_lport)) &&
-	    (siftr_port_filter != ntohs(inp->inp_fport))) {
-		goto inp_unlock;
-	}

 	pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);

@ -1038,6 +1039,23 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
 	if (ip6->ip6_nxt != IPPROTO_TCP)
 		goto ret6;

+	/*
+	 * Create a tcphdr struct starting at the correct offset
+	 * in the ipv6 packet.
+	 */
+	ip6_hl = sizeof(struct ip6_hdr);
+	th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
+
+	/*
+	 * Only pkts selected by the tcp port filter
+	 * can be inserted into the pkt_queue
+	 */
+	if ((siftr_port_filter != 0) &&
+	    (siftr_port_filter != ntohs(th->th_sport)) &&
+	    (siftr_port_filter != ntohs(th->th_dport))) {
+		goto ret6;
+	}
+
 	/*
 	 * If a kernel subsystem reinjects packets into the stack, our pfil
 	 * hook will be called multiple times for the same packet.
@ -1051,15 +1069,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
 	else
 		ss->n_out++;

-	ip6_hl = sizeof(struct ip6_hdr);
-
-	/*
-	 * Create a tcphdr struct starting at the correct offset
-	 * in the ipv6 packet. ip->ip_hl gives the ip header length
-	 * in 4-byte words, so multiply it to get the size in bytes.
-	 */
-	th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
-
 	/*
 	 * For inbound packets, the pfil hooks don't provide a pointer to the
 	 * inpcb, so we need to find it ourselves and lock it.
@ -1091,15 +1100,6 @@ siftr_chkpkt6(struct mbuf **m, struct ifnet *ifp, int flags,
 		goto inp_unlock6;
 	}

-	/*
-	 * Only pkts selected by the tcp port filter
-	 * can be inserted into the pkt_queue
-	 */
-	if ((siftr_port_filter != 0) &&
-	    (siftr_port_filter != ntohs(inp->inp_lport)) &&
-	    (siftr_port_filter != ntohs(inp->inp_fport))) {
-		goto inp_unlock6;
-	}

 	pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);