summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorholger@eitzenberger.org <holger@eitzenberger.org>2013-04-02 00:35:39 +0000
committerPablo Neira Ayuso <pablo@soleta.eu>2013-05-29 19:26:03 +0200
commitce7d0619ce49587ca78456caf467cf25f7cbbc4e (patch)
tree1a3a4669324fc3048c119354c75dd1faf26a6145
parentaef9c366d1761fd2d2013250df699f3dd5a4b708 (diff)
extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--extensions/libxt_NFQUEUE.c63
-rw-r--r--extensions/libxt_NFQUEUE.man7
-rw-r--r--include/linux/netfilter/xt_NFQUEUE.h9
3 files changed, 76 insertions, 3 deletions
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 8c2f6999..0c869187 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -13,8 +13,10 @@ enum {
O_QUEUE_NUM = 0,
O_QUEUE_BALANCE,
O_QUEUE_BYPASS,
+ O_QUEUE_CPU_FANOUT,
F_QUEUE_NUM = 1 << O_QUEUE_NUM,
F_QUEUE_BALANCE = 1 << O_QUEUE_BALANCE,
+ F_QUEUE_CPU_FANOUT = 1 << O_QUEUE_CPU_FANOUT,
};
static void NFQUEUE_help(void)
@@ -37,7 +39,15 @@ static void NFQUEUE_help_v2(void)
{
NFQUEUE_help_v1();
printf(
-" --queue-bypass Bypass Queueing if no queue instance exists.\n");
+" --queue-bypass Bypass Queueing if no queue instance exists.\n"
+" --queue-cpu-fanout Use current CPU (no hashing)\n");
+}
+
+static void NFQUEUE_help_v3(void)
+{
+ NFQUEUE_help_v2();
+ printf(
+" --queue-cpu-fanout Use current CPU (no hashing)\n");
}
#define s struct xt_NFQ_info
@@ -48,6 +58,8 @@ static const struct xt_option_entry NFQUEUE_opts[] = {
{.name = "queue-balance", .id = O_QUEUE_BALANCE,
.type = XTTYPE_UINT16RC, .excl = F_QUEUE_NUM},
{.name = "queue-bypass", .id = O_QUEUE_BYPASS, .type = XTTYPE_NONE},
+ {.name = "queue-cpu-fanout", .id = O_QUEUE_CPU_FANOUT,
+ .type = XTTYPE_NONE, .also = F_QUEUE_BALANCE},
XTOPT_TABLEEND,
};
#undef s
@@ -92,6 +104,18 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
}
}
+static void NFQUEUE_parse_v3(struct xt_option_call *cb)
+{
+ struct xt_NFQ_info_v3 *info = cb->data;
+
+ NFQUEUE_parse_v2(cb);
+ switch (cb->entry->id) {
+ case O_QUEUE_CPU_FANOUT:
+ info->flags |= NFQ_FLAG_CPU_FANOUT;
+ break;
+ }
+}
+
static void NFQUEUE_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
@@ -120,10 +144,20 @@ static void NFQUEUE_print_v2(const void *ip,
const struct xt_NFQ_info_v2 *info = (void *) target->data;
NFQUEUE_print_v1(ip, target, numeric);
- if (info->bypass)
+ if (info->bypass & NFQ_FLAG_BYPASS)
printf(" bypass");
}
+static void NFQUEUE_print_v3(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+ NFQUEUE_print_v2(ip, target, numeric);
+ if (info->flags & NFQ_FLAG_CPU_FANOUT)
+ printf(" cpu-fanout");
+}
+
static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_NFQ_info *tinfo =
@@ -151,10 +185,20 @@ static void NFQUEUE_save_v2(const void *ip, const struct xt_entry_target *target
NFQUEUE_save_v1(ip, target);
- if (info->bypass)
+ if (info->bypass & NFQ_FLAG_BYPASS)
printf(" --queue-bypass");
}
+static void NFQUEUE_save_v3(const void *ip,
+ const struct xt_entry_target *target)
+{
+ const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+ NFQUEUE_save_v2(ip, target);
+ if (info->flags & NFQ_FLAG_CPU_FANOUT)
+ printf(" --queue-cpu-fanout");
+}
+
static void NFQUEUE_init_v1(struct xt_entry_target *t)
{
struct xt_NFQ_info_v1 *tinfo = (void *)t->data;
@@ -199,6 +243,19 @@ static struct xtables_target nfqueue_targets[] = {
.save = NFQUEUE_save_v2,
.x6_parse = NFQUEUE_parse_v2,
.x6_options = NFQUEUE_opts,
+},{
+ .family = NFPROTO_UNSPEC,
+ .revision = 3,
+ .name = "NFQUEUE",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+ .help = NFQUEUE_help_v3,
+ .init = NFQUEUE_init_v1,
+ .print = NFQUEUE_print_v3,
+ .save = NFQUEUE_save_v3,
+ .x6_parse = NFQUEUE_parse_v3,
+ .x6_options = NFQUEUE_opts,
}
};
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index f11e0c89..7a991291 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -23,3 +23,10 @@ Packets belonging to the same connection are put into the same nfqueue.
By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
will move on to the next table.
+.PP
+.TP
+\fB\-\-queue\-cpu-fanout\fP
+Available starting Linux kernel 3.10. When used together with
+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
+the queues. The idea is that you can improve performance if there's a queue
+per CPU. This requires \fB--queue-balance\fP to be specified.
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h
index 9eafdbbb..8bb5fe65 100644
--- a/include/linux/netfilter/xt_NFQUEUE.h
+++ b/include/linux/netfilter/xt_NFQUEUE.h
@@ -26,4 +26,13 @@ struct xt_NFQ_info_v2 {
__u16 bypass;
};
+struct xt_NFQ_info_v3 {
+ __u16 queuenum;
+ __u16 queues_total;
+ __u16 flags;
+#define NFQ_FLAG_BYPASS 0x01 /* for compatibility with v2 */
+#define NFQ_FLAG_CPU_FANOUT 0x02 /* use current CPU (no hashing) */
+#define NFQ_FLAG_MASK 0x03
+};
+
#endif /* _XT_NFQ_TARGET_H */