path: root/include/linux/netfilter
Commit message | Author | Date | Files | Lines
...
* libxt_hashlimit: add support for byte-based operation | Florian Westphal | 2012-07-14 | 1 | -1/+5

    allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
    to make hashlimit match when X bytes/second are exceeded;
    optionally, Y bytes will not be matched (i.e. bursted).

    [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

    libxt_hashlimit.c: In function ‘parse_bytes’:
    libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add HMARK target | Hans Schillstrom | 2012-07-14 | 1 | -0/+50

    The target allows you to mark packets based on Jenkins' hash calculation:

        h(t, rnd) = x
        mark = (x % mod) + offset

    where:

    * t is a tuple that is used for the hashing:

        t = [ src, dst, proto, sport, dport ]

      Note that you can customize the tuple, thus removing some component
      that you don't want to use for the calculation. You can also use spi
      instead of sport and dport, btw.

    * rnd is the random seed that is explicitly passed via --hmark-rnd
    * mod is the modulus, to determine the range of possible marks
    * offset determines where the mark starts from

    This target only works for the "raw" and "mangle" tables.

    This can be used to distribute flows between a cluster of systems and
    uplinks.

    Initially based on work from Hans Schillstrom. Pablo took it over and
    introduced several improvements.

    Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add --timeout option | Pablo Neira Ayuso | 2012-04-02 | 1 | -0/+12

    This patch adds the --timeout option to allow attaching timeout policy
    objects to flows, e.g.

    iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
        -j CT --timeout custom-tcp-policy

    You need the nfct(8) tool, which is available at:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

    to define the cttimeout policies. Example of usage:

    nfct timeout add custom-tcp-policy inet tcp established 1000

    The new nfct tool also requires libnetfilter_cttimeout:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add nfacct match | Pablo Neira Ayuso | 2012-03-27 | 1 | -0/+17

    This patch provides the user-space iptables support for the nfacct
    match. This can be used as follows:

    nfacct add http-traffic
    iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
    nfacct get http-traffic

    See also man nfacct(8) for more information.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add IPv6 capable ECN match extension | Patrick McHardy | 2012-02-23 | 1 | -0/+33

    Patrick submitted this patch on 9th Jun 2011; I'm recovering and
    applying it to iptables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add rpfilter module | Florian Westphal | 2012-02-23 | 1 | -0/+17

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh include files from kernel 3.1-rc3 | Jan Engelhardt | 2011-08-31 | 18 | -91/+279

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_addrtype: add support for revision 1 | Jan Engelhardt | 2011-08-28 | 1 | -0/+44

    Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
    there was no corresponding iptables patch so far.

    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* SET target revision 2 added | Jozsef Kadlecsik | 2011-04-17 | 1 | -3/+17

    The new revision of the SET target supports the following new operations:

    - specifying the timeout value of the entry to be added
    - flag to instruct the kernel that if the entry already exists then
      reset the timeout value to the specified one (or to the default from
      the set definition)
* extensions: add extension for devgroup match | Patrick McHardy | 2011-02-03 | 1 | -0/+21

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_connlimit: remove duplicate member that caused size change | Jan Engelhardt | 2011-01-20 | 1 | -1/+1

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: libxt_conntrack: add support for specifying port ranges | Patrick McHardy | 2011-01-20 | 1 | -0/+15

    Add support for revision 3 of the conntrack match, which allows
    specifying port ranges for origsrc/origdst/replsrc/repldst.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option | Florian Westphal | 2011-01-20 | 1 | -0/+6

    --queue-bypass: if no userspace program is listening on the queue,
    then allow packets to continue through the ruleset instead of dropping
    them.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_AUDIT: add AUDIT target | Thomas Graf | 2011-01-20 | 1 | -0/+30

    libxt module for the AUDIT target.

    -j AUDIT --type (accept|reject|drop)

    Signed-off-by: Thomas Graf <tgraf@redhat.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_connlimit: support for dstaddr-supporting revision 1 | Jan Engelhardt | 2011-01-19 | 1 | -2/+12

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xt_comment: remove redundant cast | Jan Engelhardt | 2011-01-07 | 1 | -1/+1
* include: update files with headers from Linux 2.6.37-rc1 | Jan Engelhardt | 2010-12-03 | 16 | -48/+81

    Also includes the type change to __u{8,16,32} kernel types already.
* libxt_quota: don't ignore the quota value on deletion | Changli Gao | 2010-08-02 | 1 | -1/+1

    Don't ignore the quota value on deletion, then we can remove a special
    rule every time.

    Signed-off-by: Changli Gao <xiaosuo@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* extension: add xt_cpu match | Eric Dumazet | 2010-07-23 | 1 | -0/+11

    Kernel 2.6.36 supports xt_cpu match

    In some situations a CPU match permits a better spreading of
    connections, or select targets only for a given cpu.

    With Remote Packet Steering or multiqueue NIC and appropriate IRQ
    affinities, we can distribute traffic on available cpus, per session.
    (all RX packets for a given flow are handled by a given cpu)

    Since some legacy applications are not SMP friendly, one way to scale
    a server is to run multiple copies of them.

    Instead of randomly choosing an instance, we can use the cpu number as
    a key so that the softirq handler for a whole instance is running on a
    single cpu, maximizing cache effects in TCP/UDP stacks.

    Using NAT for example, a four-way machine might run four copies of
    server application, using a separate listening port for each instance,
    but still presenting a unique external port:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
        -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
        -j REDIRECT --to-port 8081
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
        -j REDIRECT --to-port 8082
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
        -j REDIRECT --to-port 8083

    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
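The following is an added example, not part of the commit above and not code from the iptables project: a POSIX shell function that generalizes the four hand-written rules in that commit to any CPU count and base port. It prints the rules instead of applying them, so the generated ruleset can be reviewed before being loaded with root privileges. It assumes that `nproc` (GNU coreutils) is available for CPU detection, falling back to 1 if it is not, and that the kernel on the target host has the xt_cpu match and the REDIRECT target; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the iptables commit above).
# Emit one xt_cpu REDIRECT rule per CPU so that NCPUS copies of a server,
# each listening on BASEPORT+i, sit behind the single external port EXTPORT.
#
# Usage: cpu_redirect_rules NCPUS EXTPORT BASEPORT
#   cpu_redirect_rules 4 80 8080   prints the four rules from the commit message.

cpu_redirect_rules() {
    ncpus=$1
    extport=$2
    baseport=$3

    # Reject anything that is not a positive CPU count; a malformed value
    # would otherwise make the arithmetic below fail or loop forever.
    case "$ncpus" in
        ''|*[!0-9]*|0)
            echo "cpu_redirect_rules: NCPUS must be a positive integer" >&2
            return 1
            ;;
    esac

    cpu=0
    while [ "$cpu" -lt "$ncpus" ]; do
        # -m cpu --cpu N matches packets processed on CPU N; with RPS or
        # multiqueue IRQ affinity all packets of a flow arrive on the same
        # CPU, so a connection is steered to the instance bound to
        # BASEPORT+N.  The rules are printed, not executed.
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -m cpu --cpu %s -j REDIRECT --to-port %s\n' \
            "$extport" "$cpu" "$((baseport + cpu))"
        cpu=$((cpu + 1))
    done
}

# Number of online CPUs via nproc(1); assume a single CPU when it is absent.
detect_ncpus() {
    nproc 2>/dev/null || echo 1
}

# Stand-alone run: generate rules for this host's CPU count.
# cpu_redirect_rules "$(detect_ncpus)" 80 8080
```

With four CPUs the output is exactly the four rules in the commit message. One property of the nat table is worth keeping in mind when deploying this: nat rules are evaluated only for the first packet of a connection, and conntrack reuses that mapping for the rest of the flow, so the CPU match decides which instance a new connection is sent to, while later packets of an established flow keep reaching the instance chosen initially even if they are processed on a different CPU.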
* libxt_ipvs: user-space lib for netfilter matcher xt_ipvs | Hannes Eder | 2010-07-23 | 1 | -0/+27

    The user-space library for the netfilter matcher xt_ipvs.

    [ trivial up-port by Simon Horman <horms@verge.net.au> ]

    Signed-off-by: Hannes Eder <heder@google.com>
    Acked-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' into iptables-next | Patrick McHardy | 2010-07-15 | 8 | -35/+158

  * Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables | Patrick McHardy | 2010-06-25 | 1 | -0/+110

    * libxt_set: new revision added | Jozsef Kadlecsik | 2010-06-16 | 1 | -0/+110

        libipt_set renamed to libxt_set and the support for the forthcoming
        ipset release added.

        I have tested backward (IPv4) and forward compatibility (IPv4/IPv6):

        ipset -N test iphash
        ipset -A test test-address
        iptables -N test-set
        iptables -A test-set -j LOG --log-prefix "match "
        iptables -A test-set -j DROP
        iptables -A OUTPUT -m set --match-set test dst -j test-set
        ping test-address

  * includes: sync header files from Linux 2.6.35-rc1 | Jan Engelhardt | 2010-06-07 | 7 | -35/+48

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: fix compilation of the new CHECKSUM target | Patrick McHardy | 2010-07-15 | 1 | -0/+18

    Add missing header file.

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* extensions: add idletimer xt target extension | Luciano Coelho | 2010-06-15 | 1 | -0/+45

    Add the extension plugin for the IDLETIMER x_tables target.

    Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Revert "Revert "Merge branch 'iptables-next'"" | Patrick McHardy | 2010-05-21 | 1 | -0/+9

    This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.

    Revert the revert to restore the TEE target.
* Revert "Merge branch 'iptables-next'" | Patrick McHardy | 2010-05-21 | 1 | -9/+0

    This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
    changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.

    Forgot to commit the version increase.
* extensions: add support for xt_TEE | Jan Engelhardt | 2010-04-19 | 1 | -0/+9

    xt_TEE is first included in Linux 2.6.35.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add CT extension | Patrick McHardy | 2010-03-08 | 2 | -0/+38

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* includes: header updates | Jan Engelhardt | 2010-02-01 | 38 | -341/+264

    Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's
    ipt_ECN.h for example references ipt_DSCP.h, which no longer exists.
    Since a number of old code pieces have been removed in the kernel in
    that fashion, the structs for older versions are moved into the .c
    file, to keep header updating simple.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add osf extension | Patrick McHardy | 2009-11-12 | 1 | -0/+135

    From Evgeniy Polyakov <zbr@ioremap.net>

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_NFQUEUE: add new v1 version with queue-balance option | Florian Westphal | 2009-08-20 | 1 | -0/+5

    New version that adds support for specifying a queue range instead of
    a single queue id. The kernel will distribute flows across the given
    queue range.

    This is useful for multicore systems, simply start multiple instances
    of the userspace program on queues x, x+1, .. x+n and use
    "--queue-balance x:x+n". Packets belonging to the same connection are
    put into the same queue.

    With fixes from Jan Engelhardt.

    Signed-off-by: Florian Westphal <fwestphal@astaro.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* xt_conntrack: revision 2 for enlarged state_mask member | Jan Engelhardt | 2009-06-25 | 1 | -0/+13

    This complements the xt_conntrack revision 2 code added to the kernel.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add `cluster' match support | Pablo Neira Ayuso | 2009-05-06 | 1 | -0/+17

    This patch adds support for the cluster match to iptables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resynchronize headers with 2.6.29-rc5 | Jan Engelhardt | 2009-02-21 | 9 | -163/+17

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xt_NFLOG: Set default NFLOG qthreshold to 0 | Eric Leblond | 2009-02-09 | 1 | -1/+1

    By setting default NFLOG qthreshold to 0, userspace does not overwrite
    the per-instance value.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Move libipt_recent to libxt_recent | Jan Engelhardt | 2008-10-22 | 1 | -0/+26

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add iptables support for the TPROXY target | KOVACS Krisztian | 2008-10-15 | 1 | -0/+14

    Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* xt_string: string extension case insensitive matching | Joonwoo Park | 2008-07-07 | 1 | -1/+14

    The string extension can search patterns case insensitively with the
    --icase option. A new revision 1 was added; in the meantime, invert of
    xt_string_info was moved into flags as a flag.

    Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Resync header files with kernel | Patrick McHardy | 2008-06-05 | 10 | -16/+105

    Resync headers and add types.h file for endian annotated types, which
    are not available with old headers.
* Add all necessary header files - compilation fix for various cases | Jan Engelhardt | 2008-04-14 | 2 | -0/+69

    Allow iptables to compile without a kernel source tree. This implies
    fixing build for older kernels, such as 2.6.17 which lack xt_SECMARK.h.
* Add support for xt_hashlimit match revision 1 | Jan Engelhardt | 2008-04-13 | 1 | -6/+32
* Fix -Wshadow warnings and clean up xt_sctp.h | Jan Engelhardt | 2008-04-06 | 1 | -50/+37

    Note: xt_sctp.h is still not merged upstream in the kernel as of this
    commit. But a refactoring was really needed.
* [IPTABLES]: libxt_owner: UID/GID range support | Jan Engelhardt | 2008-01-29 | 1 | -2/+2

    UID/GID range support for libxt_owner

    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_CONNMARK revision 1 | Jan Engelhardt | 2008-01-29 | 1 | -0/+5

    Add support for xt_CONNMARK target revision 1.

    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_TCPOPTSTRIP | Sven Schnelle | 2008-01-20 | 1 | -0/+13

    Import libxt_TCPOPTSTRIP into iptables.

    Signed-off-by: Sven Schnelle <svens@bitebene.org>
    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_iprange r0 | Jan Engelhardt | 2008-01-20 | 1 | -0/+17

    Move libipt_iprange to libxt_iprange.

    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_mark r1 | Jan Engelhardt | 2008-01-20 | 1 | -1/+6

    Introduce libxt_mark match revision 1 support.

    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_conntrack r0 | Jan Engelhardt | 2008-01-20 | 1 | -0/+83

    Move libipt_conntrack to libxt_conntrack.

    Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>