From dec43a22802ec013c504ff22aa17627e0b57cea7 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 10 Mar 2026 11:05:17 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20Bolt:=20Extract=20dominant=20data-p?=
 =?UTF-8?q?lane=20case=20to=20explicit=20if=20branch?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: igorls <4753812+igorls@users.noreply.github.com>
---
 .jules/bolt.md | 4 ++
 src/main.zig | 102 +++++++++++++++++++++------------------
 src/wireguard/device.zig | 8 ++-
 3 files changed, 64 insertions(+), 50 deletions(-)
 create mode 100644 .jules/bolt.md
diff --git a/.jules/bolt.md b/.jules/bolt.md
new file mode 100644
index 0000000..c927fa6
--- /dev/null
+++ b/.jules/bolt.md
@@ -0,0 +1,4 @@
+
+## 2024-05-19 - Optimization: Dominant packet path extraction
+**Learning:** Zig switch statements over integer values compile down to jump tables or sequential branches depending on the optimizer. In hot loops like `PacketType.classify(pkt)` checking, an enum `switch` can cause a pipeline stall on jump evaluation.
+**Action:** Extracting the dominant data-plane case (e.g. `if (pkt_type == .wg_transport)`) explicitly before the `switch` statement forces the compiler to emit a direct branch instruction, which the CPU branch predictor handles much more efficiently, avoiding jump table overhead on the hot path. Remember to include the unreachable case within the switch so the code compiles.
diff --git a/src/main.zig b/src/main.zig
index 6f93b6b..2909c64 100644
--- a/src/main.zig
+++ b/src/main.zig
@@ -2533,7 +2533,25 @@ fn processIncomingPacket( ) void { const Device = lib.wireguard.Device; - switch (Device.PacketType.classify(pkt)) { + const pkt_type = Device.PacketType.classify(pkt); + // Optimization: Extract dominant data-plane case to explicit if branch + if (pkt_type == .wg_transport) { + if (n_decrypted.* < 64) { + if (wg_dev.decryptTransport(pkt, &decrypt_storage[n_decrypted.*])) |result| { + // Check service filter before buffering + const PolicyMod = lib.services.Policy; + if (PolicyMod.parseTransportHeader(decrypt_storage[n_decrypted.*][0..result.len])) |ti| { + if (wg_dev.peers[result.slot]) |peer| { + const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null; + if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) return; + } + } + decrypt_lens[n_decrypted.*] = result.len; + decrypt_slots[n_decrypted.*] = result.slot; + n_decrypted.* += 1; + } else |_| {} + } + } else switch (pkt_type) { .wg_handshake_init => { if (pkt.len >= @sizeOf(lib.wireguard.Noise.HandshakeInitiation)) { const msg: *const lib.wireguard.Noise.HandshakeInitiation = @ptrCast(@alignCast(pkt.ptr)); 
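Review bot: The service filter in the new `if (pkt_type == .wg_transport)` branch fails open: when `parseTransportHeader` yields null or `wg_dev.peers[result.slot]` is empty, `service_filter.check` is never called and the plaintext is still recorded in `decrypt_lens`/`decrypt_slots`. If an unparsed header is meant to pass (for example traffic that carries no ports), a comment should say so; a decrypted packet whose peer slot is empty looks like it should be dropped instead, e.g. `const peer = wg_dev.peers[result.slot] orelse return;` ahead of the header parse. The same shape is repeated in the `windowsEventLoop` and `macosEventLoop` hunks, where the unfiltered plaintext goes to `tun_dev.write`. The function body starts and ends outside this hunk.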
@@ -2556,23 +2574,7 @@ fn processIncomingPacket(
 } else |_| {}
 }
 },
- .wg_transport => {
- if (n_decrypted.* < 64) {
- if (wg_dev.decryptTransport(pkt, &decrypt_storage[n_decrypted.*])) |result| {
- // Check service filter before buffering
- const PolicyMod = lib.services.Policy;
- if (PolicyMod.parseTransportHeader(decrypt_storage[n_decrypted.*][0..result.len])) |ti| {
- if (wg_dev.peers[result.slot]) |peer| {
- const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null;
- if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) return;
- }
- }
- decrypt_lens[n_decrypted.*] = result.len;
- decrypt_slots[n_decrypted.*] = result.slot;
- n_decrypted.* += 1;
- } else |_| {}
- }
- },
+ .wg_transport => unreachable,
 .wg_cookie => {},
 .stun => swim.feedPacket(pkt, sender_addr, sender_port),
 .swim => swim.feedPacket(pkt, sender_addr, sender_port),
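Review bot: `.wg_transport => unreachable` is only sound while the `if (pkt_type == .wg_transport)` test added in the previous hunk stays exactly as written, and nothing at this arm says so. `pkt_type` is derived from bytes received off the network, and in a build without safety checks reaching `unreachable` is undefined behaviour rather than a panic, so a later edit that narrows the `if` condition (say, folding the `n_decrypted.* < 64` test into it) would make this arm reachable from remote input. I would add `// handled by the if above; must stay in sync, reaching this arm is UB in ReleaseFast` on the arm. The same applies to the identical arms in `windowsEventLoop` and `macosEventLoop` and to `4 => unreachable` in `PacketType.classify`. The switch starts and ends outside this hunk.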
@@ -2615,7 +2617,22 @@ fn windowsEventLoop( const recv = (udp_sock.recvFrom(&udp_recv_buf) catch break) orelse break; const pkt = recv.data; - switch (Device.PacketType.classify(pkt)) { + const pkt_type = Device.PacketType.classify(pkt); + // Optimization: Extract dominant data-plane case to explicit if branch + if (pkt_type == .wg_transport) { + // Decrypt WG transport → write plaintext to Wintun + if (wg_dev.decryptTransport(pkt, &decrypt_buf)) |result| { + // Apply service filter before writing to TUN + const PolicyMod = lib.services.Policy; + if (PolicyMod.parseTransportHeader(decrypt_buf[0..result.len])) |ti| { + if (wg_dev.peers[result.slot]) |peer| { + const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null; + if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) continue; + } + } + tun_dev.write(decrypt_buf[0..result.len]) catch {}; + } else |_| {} + } else switch (pkt_type) { .wg_handshake_init => { if (pkt.len >= @sizeOf(Noise.HandshakeInitiation)) { const msg: *const Noise.HandshakeInitiation = @ptrCast(@alignCast(pkt.ptr)); @@ -2638,20 +2655,7 @@ fn windowsEventLoop( } else |_| {} } }, - .wg_transport => { - // Decrypt WG transport → write plaintext to Wintun - if (wg_dev.decryptTransport(pkt, &decrypt_buf)) |result| { - // Apply service filter before writing to TUN - const PolicyMod = lib.services.Policy; - if (PolicyMod.parseTransportHeader(decrypt_buf[0..result.len])) |ti| { - if (wg_dev.peers[result.slot]) |peer| { - const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null; - if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) continue; - } - } - tun_dev.write(decrypt_buf[0..result.len]) catch {}; - } else |_| {} - }, + .wg_transport => unreachable, .wg_cookie => {}, // SWIM and STUN packets: feed to SWIM via feedPacket (non-blocking) .stun => swim.feedPacket(pkt, recv.sender_addr, recv.sender_port), 
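Review bot: Both failure paths in the new transport branch of `windowsEventLoop` are discarded without a trace: `} else |_| {}` drops every `decryptTransport` error and `tun_dev.write(...) catch {}` drops every write failure. On the data plane a decrypt failure is presumably an authentication or replay rejection, so a stream of forged transport packets leaves nothing for an operator to see. A cheap counter keeps the hot path fast and makes that visible, e.g. `} else |_| { decrypt_failures +%= 1; }` (the counter name is a placeholder; no such field is visible on this page). The `macosEventLoop` hunk and the `processIncomingPacket` hunk have the same empty handlers. The loop body continues outside this hunk.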
@@ -2750,7 +2754,22 @@ fn macosEventLoop( const recv = (udp_sock.recvFrom(&udp_recv_buf) catch break) orelse break; const pkt = recv.data; - switch (Device.PacketType.classify(pkt)) { + const pkt_type = Device.PacketType.classify(pkt); + // Optimization: Extract dominant data-plane case to explicit if branch + if (pkt_type == .wg_transport) { + // Decrypt WG transport → write plaintext to utun + if (wg_dev.decryptTransport(pkt, &decrypt_buf)) |result| { + // Apply service filter before writing to TUN + const PolicyMod = lib.services.Policy; + if (PolicyMod.parseTransportHeader(decrypt_buf[0..result.len])) |ti| { + if (wg_dev.peers[result.slot]) |peer| { + const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null; + if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) continue; + } + } + tun_dev.write(decrypt_buf[0..result.len]) catch {}; + } else |_| {} + } else switch (pkt_type) { .wg_handshake_init => { if (pkt.len >= @sizeOf(Noise.HandshakeInitiation)) { const msg: *const Noise.HandshakeInitiation = @ptrCast(@alignCast(pkt.ptr)); @@ -2773,20 +2792,7 @@ fn macosEventLoop( } else |_| {} } }, - .wg_transport => { - // Decrypt WG transport → write plaintext to utun - if (wg_dev.decryptTransport(pkt, &decrypt_buf)) |result| { - // Apply service filter before writing to TUN - const PolicyMod = lib.services.Policy; - if (PolicyMod.parseTransportHeader(decrypt_buf[0..result.len])) |ti| { - if (wg_dev.peers[result.slot]) |peer| { - const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null; - if (!service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port)) continue; - } - } - tun_dev.write(decrypt_buf[0..result.len]) catch {}; - } else |_| {} - }, + .wg_transport => unreachable, .wg_cookie => {}, .stun => swim.feedPacket(pkt, recv.sender_addr, recv.sender_port), .swim => swim.feedPacket(pkt, recv.sender_addr, recv.sender_port), 
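Review bot: The transport branch added to `macosEventLoop` is the same decrypt-then-filter sequence as the one in `windowsEventLoop`, differing only in a comment, and `processIncomingPacket` carries a third copy of the filter test. Policy enforcement copied three times invites a fix that lands on one platform and is missed on the others; since this commit already moves all three copies, the allow/deny decision could go into one helper that each site calls. The sketch below keeps today's behaviour, including passing packets whose header does not parse; the parameter types are not visible in the hunk, so they are left as `anytype`, and the helper name is only a suggestion. The loop body continues outside this hunk.

```zig
/// Returns true when a decrypted packet from peer slot `slot` may be forwarded.
/// Parameter types are those of the enclosing event loops (not visible in this hunk).
fn transportAllowed(wg_dev: anytype, swim: anytype, service_filter: anytype, plaintext: []const u8, slot: anytype) bool {
    // Same defaults as today: no parsed header or no peer in the slot means "allow".
    const ti = lib.services.Policy.parseTransportHeader(plaintext) orelse return true;
    const peer = wg_dev.peers[slot] orelse return true;
    const org_pk = if (swim.membership.peers.getPtr(peer.identity_key)) |mp| mp.org_pubkey else null;
    return service_filter.check(peer.identity_key, org_pk, ti.proto, ti.dst_port);
}

// … unchanged: classify, the if on pkt_type, decryptTransport call …
if (!transportAllowed(wg_dev, swim, service_filter, decrypt_buf[0..result.len], result.slot)) continue;
tun_dev.write(decrypt_buf[0..result.len]) catch {};
```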
diff --git a/src/wireguard/device.zig b/src/wireguard/device.zig index bfbf740..6cac88f 100644 --- a/src/wireguard/device.zig +++ b/src/wireguard/device.zig @@ -24,16 +24,20 @@ pub const PacketType = enum { stun, // STUN binding response unknown, - pub fn classify(data: []const u8) PacketType { + pub inline fn classify(data: []const u8) PacketType { if (data.len < 4) return .unknown; // WireGuard messages: first byte is type, next 3 are zeros const msg_type = std.mem.readInt(u32, data[0..4], .little); + + // Optimization: Extract dominant data-plane case to explicit if branch to avoid jump table + if (msg_type == 4) return .wg_transport; + return switch (msg_type) { 1 => .wg_handshake_init, 2 => .wg_handshake_resp, 3 => .wg_cookie, - 4 => .wg_transport, + 4 => unreachable, else => blk: { // STUN: check for magic cookie at bytes 4-7 if (data.len >= 8) {
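Review bot: `classify` reports `.wg_transport` as soon as the first four bytes read as 4, whatever the packet length, and the new early return makes that the first decision it takes; unlike the handshake arms in `main.zig`, which test `pkt.len >= @sizeOf(...)` before casting, the transport callers hand `pkt` straight to `decryptTransport`. That function is not shown here, so it is worth confirming that it rejects packets too short to hold a transport header and tag, and recording the contract on `classify`, e.g. `/// Classifies by the leading type word only; callers must validate the length before parsing.` Separately, `pub inline fn` forces inlining at every call site in Zig rather than hinting at it, and the commit shows no measurement that justifies it; I would keep a plain `pub fn` unless a benchmark says otherwise. The enum and the `else` arm continue outside this hunk.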