Date: Mon, 19 Jun 2023 10:04:52 GMT
Message-Id: <202306191004.35JA4qie038411@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: ba94bf2880b8 - main - pf: extend use of skip steps for Ethernet rules
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ba94bf2880b8f33593323db50ced99c8daf8bd05

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ba94bf2880b8f33593323db50ced99c8daf8bd05

commit ba94bf2880b8f33593323db50ced99c8daf8bd05
Author:     Kristof Provost
AuthorDate: 2023-06-15 15:12:11 +0000
Commit:     Kristof Provost
CommitDate: 2023-06-19 08:18:30 +0000

    pf: extend use of skip steps for Ethernet rules

    Use the already populated PFE_SKIP_DST_ADDR and extend the skip
    infrastructure to also skip on IP source/destination addresses.
    This should make evaluating the rules slightly faster.

    Reported by: R. Christian McDonald
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D40567
---
 sys/net/pfvar.h           |  6 +++++-
 sys/netpfil/pf/pf.c       | 10 ++++------
 sys/netpfil/pf/pf_ioctl.c |  6 ++++++
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index a658573cf6f1..4176dbd3e37d 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -697,7 +697,9 @@ struct pf_keth_rule { #define PFE_SKIP_PROTO 2 #define PFE_SKIP_SRC_ADDR 3 #define PFE_SKIP_DST_ADDR 4 -#define PFE_SKIP_COUNT 5 +#define PFE_SKIP_SRC_IP_ADDR 5 +#define PFE_SKIP_DST_IP_ADDR 6 +#define PFE_SKIP_COUNT 7 union pf_keth_rule_ptr skip[PFE_SKIP_COUNT]; TAILQ_ENTRY(pf_keth_rule) entries; 
@@ -2215,6 +2217,8 @@ extern void pf_unlink_src_node(struct pf_ksrc_node *); extern u_int pf_free_src_nodes(struct pf_ksrc_node_list *); extern void pf_print_state(struct pf_kstate *); extern void pf_print_flags(u_int8_t); +extern int pf_addr_wrap_neq(struct pf_addr_wrap *, + struct pf_addr_wrap *); extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, u_int8_t); extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t, diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ebc201e4f5b4..7b52f6f0d2aa 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -321,8 +321,6 @@ static int pf_check_proto_cksum(struct mbuf *, int, int, u_int8_t, sa_family_t); static void pf_print_state_parts(struct pf_kstate *, struct pf_state_key *, struct pf_state_key *); -static int pf_addr_wrap_neq(struct pf_addr_wrap *, - struct pf_addr_wrap *); static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, u_int8_t, bool, u_int8_t); static struct pf_kstate *pf_find_state(struct pfi_kkif *, @@ -2429,7 +2427,7 @@ pf_calc_skip_steps(struct pf_krulequeue *rules) PF_SET_SKIP_STEPS(i); } -static int +int pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) { if (aw1->type != aw2->type) 
@@ -4014,19 +4012,19 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0) else if (! pf_match_eth_addr(e->ether_dhost, &r->dst)) { SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r, "dst"); - r = TAILQ_NEXT(r, entries); + r = r->skip[PFE_SKIP_DST_ADDR].ptr; } else if (src != NULL && PF_MISMATCHAW(&r->ipsrc.addr, src, af, r->ipsrc.neg, kif, M_GETFIB(m))) { SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r, "ip_src"); - r = TAILQ_NEXT(r, entries); + r = r->skip[PFE_SKIP_SRC_IP_ADDR].ptr; } else if (dst != NULL && PF_MISMATCHAW(&r->ipdst.addr, dst, af, r->ipdst.neg, kif, M_GETFIB(m))) { SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r, "ip_dst"); - r = TAILQ_NEXT(r, entries); + r = r->skip[PFE_SKIP_DST_IP_ADDR].ptr; } else if (r->match_tag && !pf_match_eth_tag(m, r, &tag, mtag ? mtag->tag : 0)) { diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index cb6d22885ef4..e76a92fb7e7f 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -843,6 +843,12 @@ pf_eth_calc_skip_steps(struct pf_keth_ruleq *rules) PF_SET_SKIP_STEPS(PFE_SKIP_SRC_ADDR); if (memcmp(&cur->dst, &prev->dst, sizeof(cur->dst)) != 0) PF_SET_SKIP_STEPS(PFE_SKIP_DST_ADDR); + if (cur->ipsrc.neg != prev->ipsrc.neg || + pf_addr_wrap_neq(&cur->ipsrc.addr, &prev->ipsrc.addr)) + PF_SET_SKIP_STEPS(PFE_SKIP_SRC_IP_ADDR); + if (cur->ipdst.neg != prev->ipdst.neg || + pf_addr_wrap_neq(&cur->ipdst.addr, &prev->ipdst.addr)) + PF_SET_SKIP_STEPS(PFE_SKIP_DST_IP_ADDR); prev = cur; cur = TAILQ_NEXT(cur, entries);
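
Review bot: In the sys/net/pfvar.h hunk at @@ -697, the existing PFE_SKIP_SRC_ADDR / PFE_SKIP_DST_ADDR and the new PFE_SKIP_SRC_IP_ADDR / PFE_SKIP_DST_IP_ADDR differ only by the IP_ infix, and nothing next to the defines says the first pair is keyed on the Ethernet address (the other hunks pair PFE_SKIP_DST_ADDR with r->dst and ether_dhost). A one-line comment per group would prevent someone indexing skip[] with the wrong constant. Since skip[PFE_SKIP_COUNT] grows from 5 to 7 entries, please also confirm that every loop that initialises or walks the skip array is bounded by PFE_SKIP_COUNT and not by a literal.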
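
Review bot: In the pf_test_eth_rule hunk (sys/netpfil/pf/pf.c, @@ -4014), the three SDT_PROBE3 mismatch probes ("dst", "ip_src", "ip_dst") now sit in front of a skip jump instead of TAILQ_NEXT, so they fire once per run of rules that share the field rather than once per rule. Anyone counting pf:eth:test_rule:mismatch events per packet will see different numbers after this change; that deserves a sentence in the commit message. It would also help to state in a comment that the ip_src and ip_dst jumps are only taken when src != NULL or dst != NULL, so a frame without those addresses still walks the rules one by one through the later branches.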
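
Review bot: The two comparisons added to pf_eth_calc_skip_steps (sys/netpfil/pf/pf_ioctl.c, @@ -843) now decide which Ethernet rules pf_test_eth_rule never evaluates, yet the diffstat lists only pfvar.h, pf.c and pf_ioctl.c, with no test change. A regression test with several consecutive Ethernet rules that share the same IP source or destination, followed by one that differs (including a pair that differs only in negation, which the ipsrc.neg / ipdst.neg checks cover), would confirm that the matching rule is the same as with the old TAILQ_NEXT walk. For a filter, a skip step that jumps one rule too far silently changes the verdict, so this is worth pinning down.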