www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 20 Feb 2025 13:07:01 +0000 (14:07 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 21 Mar 2025 09:12:15 +0000 (10:12 +0100)
commit	eaaff9b6702e99be5d79135f2afa9fc48a0d59e0
tree	cbf16d4ba80ab797815fcf072673b749c346562c	tree
parent	8b6861390ffee6b8ed78b9395e3776c16fec6579	commit \| diff

netfilter: fib: avoid lookup if socket is available

In case the fib match is used from the input hook we can avoid the fib
lookup if early demux assigned a socket for us: check that the input
interface matches sk-cached one.

Rework the existing 'lo bypass' logic to first check sk, then
for loopback interface type to elide the fib lookup.

This speeds up fib matching a little, before:
93.08 GBit/s (no rules at all)
75.1 GBit/s ("fib saddr . iif oif missing drop" in prerouting)
75.62 GBit/s ("fib saddr . iif oif missing drop" in input)

After:
92.48 GBit/s (no rules at all)
75.62 GBit/s (fib rule in prerouting)
90.37 GBit/s (fib rule in input).

Numbers for the 'no rules' and 'prerouting' are expected to
closely match in-between runs, the 3rd/input test case exercises the
the 'avoid lookup if cached ifindex in sk matches' case.

Test used iperf3 via veth interface, lo can't be used due to existing
loopback test.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nft_fib.h		diff \| blob \| history
net/ipv4/netfilter/nft_fib_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nft_fib_ipv6.c		diff \| blob \| history