netfilter: nf_tables: avoid retpoline overhead for some ct expression calls

nft_ct expression cannot be made builtin to nf_tables without also forcing the conntrack itself to be builtin. However, this can be avoided by splitting retrieval of a few selector keys that only need to access the nf_conn structure, i.e. no function calls to nf_conntrack code. Many rulesets start with something like "ct status established,related accept" With this change, this no longer requires an indirect call, which gives about 1.8% more throughput with a simple conntrack-enabled forwarding test (retpoline thunk used). Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2023-01-03 13:47:17 +0100
committer: Florian Westphal <fw@strlen.de> 2023-01-18 13:05:25 +0100
commit: d9e7891476057b24a1acbf10a491e5b9a1c4ae77 (patch)
tree: e423897435657e7f0b9a485043b5cedb922fd776 /net/netfilter/nf_tables_core.c
parent: 2032e907d8d498fcabfe24b43550c50947817c6d (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index d9992906199f..6ecd0ba2e546 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -228,6 +228,9 @@ static void expr_call_ops_eval(const struct nft_expr *expr,
 	X(e, nft_counter_eval);
 	X(e, nft_meta_get_eval);
 	X(e, nft_lookup_eval);
+#if IS_ENABLED(CONFIG_NFT_CT)
+	X(e, nft_ct_get_fast_eval);
+#endif
 	X(e, nft_range_eval);
 	X(e, nft_immediate_eval);
 	X(e, nft_byteorder_eval);
author	Florian Westphal <fw@strlen.de>	2023-01-03 13:47:17 +0100
committer	Florian Westphal <fw@strlen.de>	2023-01-18 13:05:25 +0100
commit	d9e7891476057b24a1acbf10a491e5b9a1c4ae77 (patch)
tree	e423897435657e7f0b9a485043b5cedb922fd776 /net/netfilter/nf_tables_core.c
parent	2032e907d8d498fcabfe24b43550c50947817c6d (diff)