author | Phil Sutter <phil@nwl.cc> | 2020-10-02 09:44:38 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-11-04 15:39:23 +0100 |
commit | 323259001d617ae359430a03ee3d3e7f107684e0 (patch) | |
tree | bb45b44cc1208b2e5607bdcd11d447db8e119cad /iptables/nft-shared.c | |
parent | 06a2eb727b0f350fcfea95839fc8c4674763a35d (diff) |
nft: Optimize class-based IP prefix matches
Payload expression works on byte-boundaries, leverage this with suitable
prefix lengths.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-shared.c')
-rw-r--r-- | iptables/nft-shared.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 7741d23b..545e9c60 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,16 +166,22 @@ void add_addr(struct nftnl_rule *r, int offset,
 void *data, void *mask, size_t len, uint32_t op)
 {
 const unsigned char *m = mask;
+ bool bitwise = false;
 int i;
 
- add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER);
-
 for (i = 0; i < len; i++) {
- if (m[i] != 0xff)
+ if (m[i] != 0xff) {
+ bitwise = m[i] != 0;
 break;
+ }
 }
 
- if (i != len)
+ if (!bitwise)
+ len = i;
+
+ add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER);
+
+ if (bitwise)
 add_bitwise(r, mask, len);
 
 add_cmp_ptr(r, op, data, len); |
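Review bot: In the loop, the first byte that is not 0xff ends the scan, and when that byte is zero the code assumes every later mask byte is zero too, so a non-contiguous mask such as 255.0.255.0 ends up with `len = 1` and its trailing bits are dropped; the generated rule then matches more addresses than the one the user wrote. Scan the remainder before `if (!bitwise)` and keep the bitwise path when any later byte is set: declare `int i, j;` and add `for (j = i + 1; !bitwise && j < len; j++) bitwise = m[j] != 0;`. An all-zero mask would still leave `len` at 0 for add_payload() and add_cmp_ptr(); whether callers can pass one is not visible in this hunk. add_addr() starts on the line above the hunk and its closing brace lies after it.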