summaryrefslogtreecommitdiffstats
path: root/include/linux
Commit message (Collapse)AuthorAgeFilesLines
* extension: add xt_cpu matchEric Dumazet2010-07-231-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Kernel 2.6.36 supports xt_cpu match In some situations a CPU match permits a better spreading of connections, or select targets only for a given cpu. With Remote Packet Steering or multiqueue NIC and appropriate IRQ affinities, we can distribute trafic on available cpus, per session. (all RX packets for a given flow are handled by a given cpu) Some legacy applications being not SMP friendly, one way to scale a server is to run multiple copies of them. Instead of randomly choosing an instance, we can use the cpu number as a key so that softirq handler for a whole instance is running on a single cpu, maximizing cache effects in TCP/UDP stacks. Using NAT for example, a four ways machine might run four copies of server application, using a separate listening port for each instance, but still presenting an unique external port : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \ -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \ -j REDIRECT --to-port 8081 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \ -j REDIRECT --to-port 8082 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \ -j REDIRECT --to-port 8083 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_ipvs: user-space lib for netfilter matcher xt_ipvsHannes Eder2010-07-231-0/+27
| | | | | | | | | The user-space library for the netfilter matcher xt_ipvs. [ trivial up-port by Simon Horman <horms@verge.net.au> ] Signed-off-by: Hannes Eder <heder@google.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' into iptables-nextPatrick McHardy2010-07-1512-554/+221
|\
| * Merge branch 'master' of vishnu.netfilter.org:/data/git/iptablesPatrick McHardy2010-06-253-519/+110
| |\
| | * libxt_set: new revision addedJozsef Kadlecsik2010-06-163-519/+110
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | libipt_set renamed to libxt_set and the support for the forthcoming ipset release added. I have tested backward (IPv4) and forward compatibility (IPv4/IPv6): ipset -N test iphash ipset -A test test-address iptables -N test-set iptables -A test-set -j LOG --log-prefix "match " iptables -A test-set -j DROP iptables -A OUTPUT -m set --match-set test dst -j test-set ping test-address
| * | includes: sync header files from Linux 2.6.35-rc1Jan Engelhardt2010-06-079-35/+111
| |/ | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: fix compilation of the new CHECKSUM targetPatrick McHardy2010-07-151-0/+18
| | | | | | | | | | | | Add missing header file. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: libipt_LOG/libip6t_LOG: support macdecode optionPatrick McHardy2010-06-282-2/+4
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: add idletimer xt target extensionLuciano Coelho2010-06-151-0/+45
|/ | | | | | | Add the extension plugin for the IDLETIMER x_tables target. Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Revert "Revert "Merge branch 'iptables-next'""Patrick McHardy2010-05-211-0/+9
| | | | | | This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099. Revert the revert to restore the TEE target.
* Revert "Merge branch 'iptables-next'"Patrick McHardy2010-05-211-9/+0
| | | | | | | This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e. Forgot to commit the version increase.
* extensions: add support for xt_TEEJan Engelhardt2010-04-191-0/+9
| | | | | | xt_TEE is firstly included in Linux 2.6.35. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add CT extensionPatrick McHardy2010-03-082-0/+38
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* includes: header updatesJan Engelhardt2010-02-0161-652/+296
| | | | | | | | | | | | Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's ipt_ECN.h for example references ipt_DSCP.h, which no longer exists. Since a number of old code pieces have been removed in the kernel in that fashion, the structs for older versions are moved into the .c file, to keep header updating simple. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add osf extensionPatrick McHardy2009-11-121-0/+135
| | | | | | From Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_NFQUEUE: add new v1 version with queue-balance optionFlorian Westphal2009-08-201-0/+5
| | | | | | | | | | | | | | | | New version that adds support for specifying a queue range instead of a single queue id. The kernel will distribute flows across the given queue range. This is useful for multicore systems, simply start multiple instances of the userspace program on queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets belonging to the same connection are put into the same queue. With fixes from Jan Engelhardt. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* xt_conntrack: revision 2 for enlarged state_mask memberJan Engelhardt2009-06-251-0/+13
| | | | | | This complements the xt_conntrack revision 2 code added to the kenrel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add `cluster' match supportPablo Neira Ayuso2009-05-061-0/+17
| | | | | | This patch adds support for the cluster match to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resynchronize headers with 2.6.29-rc5Jan Engelhardt2009-02-2114-191/+26
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xt_NFLOG: Set default NFLOG qthreshold to 0Eric Leblond2009-02-091-1/+1
| | | | | | | By setting default NFLOG qthreshold to 0, userspace does not overwrite the per-instance value. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove unused include filesJan Engelhardt2008-12-076-141/+0
| | | | | | | | No .c files include any of these - in fact they seem to be remnants missed during commit b1f568309a09e61f892dee3c23279cecff0b0ff4 - so remove them. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use NFPROTO_ constantsJan Engelhardt2008-11-181-0/+10
| | | | | | | | Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Move libipt_recent to libxt_recentJan Engelhardt2008-10-222-27/+26
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add iptables support for the TPROXY targetKOVACS Krisztian2008-10-151-0/+14
| | | | | Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
* xt_string: string extension case insensitive matchingJoonwoo Park2008-07-071-1/+14
| | | | | | | | | The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag. Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* addrtype match: added revision 1Laszlo Attila Toth2008-06-061-0/+14
| | | | | | | | | In revision 1 address type checking can be limited to either the incoming or outgoing interface depending on the current chain. In the FORWARD chain only one of them is allowed at the same time. Signed-off-by: Laszlo Attila Toth <panther@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Resync header files with kernelPatrick McHardy2008-06-0521-129/+473
| | | | | Resync headers and add types.h file for endian annotated types, which are not available with old headers.
* manpages: consistent syntaxPatrick McHardy2008-06-021-2/+2
| | | | | | | | | | In the manpages, bold is used to denote characters the user has to enter verbatim, italic denotes placeholders and non-highlighted pieces are used as a structure: "[]" specifying an optional part, "{}" a mandatory part, with "|" used for alternations. The "!" for negation is better supported before the option than after it, too. The patch makes a few files consistent with this style already used in manpages.
* Remove support for compilation of conditional extensionsJan Engelhardt2008-04-152-0/+519
|
* Add all necessary header files - compilation fix for various casesJan Engelhardt2008-04-1413-96/+230
| | | | | | Allow iptables to compile without a kernel source tree. This implies fixing build for older kernels, such as 2.6.17 which lack xt_SECMARK.h.
* Add support for xt_hashlimit match revision 1Jan Engelhardt2008-04-131-6/+32
|
* Fix -Wshadow warnings and clean up xt_sctp.hJan Engelhardt2008-04-061-50/+37
| | | | | Note: xt_sctp.h is still not merged upstream in the kernel as of this commit. But a refactoring was really needed.
* Remove compiler.h inclusions.Patrick McHardy2008-02-223-4/+0
|
* Add netfilter.hPatrick McHardy2008-01-291-0/+48
|
* [IPTABLES]: libxt_owner: UID/GID range supportJan Engelhardt2008-01-291-2/+2
| | | | | | UID/GID range support for libxt_owner Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_CONNMARK revision 1Jan Engelhardt2008-01-291-0/+5
| | | | | | Add support for xt_CONNMARK target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_TCPOPTSTRIPSven Schnelle2008-01-201-0/+13
| | | | | | | Import libxt_TCPOPTSTRIP into iptables. Signed-off-by: Sven Schnelle <svens@bitebene.org> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_iprange r0Jan Engelhardt2008-01-202-5/+20
| | | | | | Move libipt_iprange to libxt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_mark r1Jan Engelhardt2008-01-201-1/+6
| | | | | | Introduce libxt_mark match revision 1 support. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_conntrack r0Jan Engelhardt2008-01-202-77/+83
| | | | | | Move libipt_conntrack to libxt_conntrack. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_connmark r1Jan Engelhardt2008-01-201-0/+5
| | | | | | Add support for xt_connmark match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_MARK r2Jan Engelhardt2008-01-201-0/+4
| | | | | | | Add support for xt_MARK target revision 2. Also consolidate libip6t_MARK.man and libipt_MARK.man. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_TOSJan Engelhardt2008-01-201-0/+5
| | | | | | | Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support for xt_TOS target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_tosJan Engelhardt2008-01-201-0/+6
| | | | | | | Move libipt_tos revision 0 to libxt_tos revision 0 and add support for xt_tos match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_ownerJan Engelhardt2008-01-201-0/+16
| | | | | | | libxt_owner merges libipt_owner and libip6t_owner, and adds support for the xt_owner match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Add rateest match extensionPatrick McHardy2008-01-151-0/+33
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add RATEEST target extensionPatrick McHardy2008-01-151-0/+11
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix make/compile error for iptables-1.4.0rc1Jesper Brouer2007-11-253-2/+616
| | | | | | | | | | | | | | | | | | | Fixing a make/compile issue with iptables, release candidate 1.4.0rc1, which has existed since SVN changeset 6920. This patch adds ip_tables.h and ip6_tables.h, and updates x_tables.h, taken from Linus'es git tree. Changeset 6920 added the include file x_tables.h from kernel source, but didn't add ip_tables.h and ip6_tables.h. At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these kernel headers where changed, which actually removes certain depencencies from ip_tables.h and ip6_tables.h to x_tables.h. If compiling will fail, with old kernel headers (ip_tables.h and ip6_tables.h) available in systems include path, because they depend on certaine defines in x_tables.h with is missing in the version in SVN. Jesper Brouer <jdb@comx.dk>
* Add the libxt_time iptables matchJan Engelhardt2007-09-231-0/+25
| | | | | | | | | | | This is libipt_time from POM-ng enhanced by the following: * day-of-month support (for example "match on the 15th of each month") * inversion support for --weekdays and --monthdays * match against UTC or local timezone * a manpage Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Adds u32 to iptables.Jan Engelhardt2007-09-101-0/+40
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>