diff options
author | Florian Westphal <fw@strlen.de> | 2019-01-09 00:15:09 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2019-01-11 15:06:00 +0100 |
commit | ce2651222911f09ca838fbdd29b5b2e0ff5f262f (patch) | |
tree | 6298b45b289b47edf36a1b71addcedaea7dce7c9 /tests/shell/testcases | |
parent | b338244abc7f018d79a95657fff88eadee7e9f6b (diff) |
payload: refine payload expr merging
nf_tables can handle payload exprs for sizes <= sizeof(u32) via a direct
operation from the eval loop, rather than a a call to the payload
expression. Two loads for four byte quantities are thus faster than a
single load for an 8 byte load.
ip saddr 1.2.3.4 ip daddr 2.3.4.5
is faster with this applied, even though it involves two payload and two
two compare expressions, just because all can be handled from the main
loop without any calls to expression ops.
Keep merging for linklayer and when at least one of the expressions
already exceeded the 4 byte "limit" anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
-rw-r--r-- | tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft index c67d25b6..7abced86 100644 --- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft @@ -4,7 +4,7 @@ table inet t { iifname { "whatever" } iif { "lo" } meta mark 0x0000007b ct state established,related,new ct state != established | related | new - ip saddr 10.0.0.0 ip saddr 10.0.0.0 ip daddr 10.0.0.2 + ip saddr 10.0.0.0 ip daddr 10.0.0.2 ip saddr 10.0.0.0 ip6 daddr fe0::1 ip6 saddr fe0::2 ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept } ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept } |