path: root/include
Commit log for include/ (each entry: commit message, author, age, files changed, lines -removed/+added)
...
* extension: add xt_cpu match
  Author: Eric Dumazet   Age: 2010-07-23   Files: 1   Lines: -0/+11

    Kernel 2.6.36 supports xt_cpu match

    In some situations a CPU match permits a better spreading of
    connections, or select targets only for a given cpu.

    With Remote Packet Steering or multiqueue NIC and appropriate IRQ
    affinities, we can distribute traffic on available cpus, per session.
    (all RX packets for a given flow are handled by a given cpu)

    Some legacy applications not being SMP friendly, one way to scale a
    server is to run multiple copies of them.

    Instead of randomly choosing an instance, we can use the cpu number as
    a key so that the softirq handler for a whole instance is running on a
    single cpu, maximizing cache effects in TCP/UDP stacks.

    Using NAT for example, a four-way machine might run four copies of a
    server application, using a separate listening port for each instance,
    but still presenting a unique external port:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
            -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
            -j REDIRECT --to-port 8081
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
            -j REDIRECT --to-port 8082
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
            -j REDIRECT --to-port 8083

    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
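Added example, not part of the commit above or of the iptables project: a POSIX shell function that generates the per-CPU REDIRECT rule set the commit message describes for any CPU count, and appends a catch-all REDIRECT so a packet handled on a CPU with no matching rule (a CPU brought online after the rules were loaded, or a rule set built for fewer CPUs than are present) still lands on an instance instead of falling through to the unredirected port. Because REDIRECT is a terminating target in the nat table, the catch-all only sees packets the per-CPU rules did not take. The cpu match itself requires the xt_cpu kernel module (Linux 2.6.36 or later), and the scheme only delivers what the message promises when RPS or IRQ affinity keeps every packet of a flow on one CPU. The port layout (instance N listens on BASE_PORT+N) and the function names are this example's own assumptions. The function prints rules rather than executing them, so the output can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example; not code from the iptables project or the commit author.
# Assumption: instance N listens on BASE_PORT+N, and a cpu match (xt_cpu,
# Linux >= 2.6.36) is loadable on the target host.

# cpu_redirect_rules NCPUS DPORT BASE_PORT
# Print one nat PREROUTING REDIRECT rule per CPU index 0..NCPUS-1, then a
# catch-all without "-m cpu" for any CPU index the per-CPU rules miss.
cpu_redirect_rules() {
    ncpus=$1; dport=$2; base=$3
    [ "$ncpus" -ge 1 ] 2>/dev/null || return 1
    i=0
    while [ "$i" -lt "$ncpus" ]; do
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -m cpu --cpu %s -j REDIRECT --to-port %s\n' \
            "$dport" "$i" "$((base + i))"
        i=$((i + 1))
    done
    # Catch-all: packets processed on a CPU >= NCPUS (hotplug, wrong count)
    # would otherwise reach DPORT unredirected. REDIRECT terminates nat
    # traversal, so this never overrides a per-CPU rule that matched above.
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$dport" "$base"
}

# cpu_redirect_rule_count NCPUS DPORT BASE_PORT -> number of rules emitted
cpu_redirect_rule_count() {
    cpu_redirect_rules "$@" | wc -l | tr -d ' '
}

# online_cpu_count -> CPUs currently online (glibc and macOS getconf).
online_cpu_count() {
    getconf _NPROCESSORS_ONLN
}

# Usage on the four-way machine from the commit message; review, then
# pipe to sh:
#   cpu_redirect_rules 4 80 8080
#   cpu_redirect_rules "$(online_cpu_count)" 80 8080 | sh
```

Run the generator with the CPU count the rules are meant for and compare it against online_cpu_count before loading; a mismatch is exactly the case the trailing catch-all exists for, but the instances on the extra CPUs then share instance 0 and lose the per-CPU cache locality the commit is after.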
* libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
  Author: Hannes Eder   Age: 2010-07-23   Files: 1   Lines: -0/+27

    The user-space library for the netfilter matcher xt_ipvs.

    [ trivial up-port by Simon Horman <horms@verge.net.au> ]

    Signed-off-by: Hannes Eder <heder@google.com>
    Acked-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

* Merge branch 'master' into iptables-next
  Author: Patrick McHardy   Age: 2010-07-15   Files: 13   Lines: -555/+221

* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
  Author: Patrick McHardy   Age: 2010-06-25   Files: 3   Lines: -519/+110

* libxt_set: new revision added
  Author: Jozsef Kadlecsik   Age: 2010-06-16   Files: 3   Lines: -519/+110

    libipt_set renamed to libxt_set and the support for the forthcoming
    ipset release added. I have tested backward (IPv4) and forward
    compatibility (IPv4/IPv6):

    ipset -N test iphash
    ipset -A test test-address
    iptables -N test-set
    iptables -A test-set -j LOG --log-prefix "match "
    iptables -A test-set -j DROP
    iptables -A OUTPUT -m set --match-set test dst -j test-set
    ping test-address

* xtables: remove xtables_set_revision function
  Author: Jan Engelhardt   Age: 2010-06-07   Files: 1   Lines: -1/+0

    Since iptables uses its own copies of the header files anyway where
    the revision field is exposed, there is no reach to access name[]
    beyond its size.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* includes: sync header files from Linux 2.6.35-rc1
  Author: Jan Engelhardt   Age: 2010-06-07   Files: 9   Lines: -35/+111

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: fix compilation of the new CHECKSUM target
  Author: Patrick McHardy   Age: 2010-07-15   Files: 1   Lines: -0/+18

    Add missing header file.

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* extensions: libipt_LOG/libip6t_LOG: support macdecode option
  Author: Patrick McHardy   Age: 2010-06-28   Files: 2   Lines: -2/+4

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* extensions: add idletimer xt target extension
  Author: Luciano Coelho   Age: 2010-06-15   Files: 1   Lines: -0/+45

    Add the extension plugin for the IDLETIMER x_tables target.

    Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Revert "Revert "Merge branch 'iptables-next'""
  Author: Patrick McHardy   Age: 2010-05-21   Files: 1   Lines: -0/+9

    This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.

    Revert the revert to restore the TEE target.

* Revert "Merge branch 'iptables-next'"
  Author: Patrick McHardy   Age: 2010-05-21   Files: 1   Lines: -9/+0

    This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
    changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.

    Forgot to commit the version increase.

* extensions: add support for xt_TEE
  Author: Jan Engelhardt   Age: 2010-04-19   Files: 1   Lines: -0/+9

    xt_TEE is first included in Linux 2.6.35.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: add CT extension
  Author: Patrick McHardy   Age: 2010-03-08   Files: 2   Lines: -0/+38

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* includes: header updates
  Author: Jan Engelhardt   Age: 2010-02-01   Files: 61   Lines: -652/+296

    Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's
    ipt_ECN.h for example references ipt_DSCP.h, which no longer exists.
    Since a number of old code pieces have been removed in the kernel in
    that fashion, the structs for older versions are moved into the .c
    file, to keep header updating simple.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: add osf extension
  Author: Patrick McHardy   Age: 2009-11-12   Files: 1   Lines: -0/+135

    From Evgeniy Polyakov <zbr@ioremap.net>

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* libxtables: hand argv to xtables_check_inverse
  Author: Jan Engelhardt   Age: 2009-11-03   Files: 1   Lines: -1/+1

    In going to fix NF bug #611, "argv" is needed in xtables_check_inverse
    to set "optarg" to the right spot in case of an intrapositional
    negation.

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxt_NFQUEUE: add new v1 version with queue-balance option
  Author: Florian Westphal   Age: 2009-08-20   Files: 1   Lines: -0/+5

    New version that adds support for specifying a queue range instead of
    a single queue id. The kernel will distribute flows across the given
    queue range.

    This is useful for multicore systems, simply start multiple instances
    of the userspace program on queues x, x+1, .. x+n and use
    "--queue-balance x:x+n". Packets belonging to the same connection are
    put into the same queue.

    With fixes from Jan Engelhardt.

    Signed-off-by: Florian Westphal <fwestphal@astaro.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

* Merge branch 'stable'
  Author: Jan Engelhardt   Age: 2009-08-05   Files: 1   Lines: -0/+13

    Conflicts:
            extensions/libxt_conntrack.c

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* xt_conntrack: revision 2 for enlarged state_mask member
  Author: Jan Engelhardt   Age: 2009-06-25   Files: 1   Lines: -0/+13

    This complements the xt_conntrack revision 2 code added to the kernel.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: combine iptables-multi and iptables-static
  Author: Jan Engelhardt   Age: 2009-07-25   Files: 1   Lines: -1/+1

    Changed the Makefile so that:

    1. --enable-shared / --disable-shared control the linkage against
       libdl (and thus the potential to use 3rd party extensions)

    2. --enable-static / --disable-static controls whether shipped
       extensions are built-in or provided as modules

    iptables-static becomes redundant by this action; iptables-multi now
    has the feature.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: fix struct size mismatch
  Author: Jan Engelhardt   Age: 2009-07-25   Files: 1   Lines: -4/+0

    Mixing code compiled with and without -DNO_SHARED_LIBS is fine as long
    as the structs have the same layout. This patch prevents a potential
    (currently non-triggerable) "ip6tables: target (null)<123> is missing
    a version" error.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* xtables: add multi-registration functions
  Author: Jan Engelhardt   Age: 2009-06-26   Files: 1   Lines: -0/+2

    Similar to the ones that are present in the kernel.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: accept multiple IP address specifications for -s, -d
  Author: Michael Granzow   Age: 2009-06-26   Files: 1   Lines: -0/+5

    libiptc already supports adding and deleting multiple rules with
    different addresses, so it only needs to be wired up to the options.

    # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP

    References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

    Adjustments made: syntax, removal of unneeded variables, manpage
    adjustment, soversion bump.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* xtables: use extern "C"
  Author: Jan Engelhardt   Age: 2009-05-26   Files: 1   Lines: -0/+8

    This fixes linking errors for 3rd-party C++ code.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: add `cluster' match support
  Author: Pablo Neira Ayuso   Age: 2009-05-06   Files: 1   Lines: -0/+17

    This patch adds support for the cluster match to iptables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* SNAT/DNAT: add support for persistent multi-range NAT mappings
  Author: Patrick McHardy   Age: 2009-04-17   Files: 1   Lines: -0/+1

    Add support for persistent mappings (2.6.29-rc2+) as replacement for
    the removed SAME target.

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* libxtables: reorder .version member
  Author: Jan Engelhardt   Age: 2009-04-03   Files: 1   Lines: -3/+13

    When the structure's layout changes, as it did between v1.4.1 and
    v1.4.2, trying to compare the version string makes iptables segfault
    while it tries to determine whether the module is compatible in the
    first place. By moving the member to a known offset in the struct and
    keeping it there, objects (both iptables and 3rd party) compiled from
    this commit onwards will avoid the segfault.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* Merge commit 'nf/master'
  Author: Jan Engelhardt   Age: 2009-03-15   Files: 1   Lines: -0/+1

* iptables: Add limits.h to get INT_MIN, INT_MAX, ...
  Author: Stephen Hemminger   Age: 2009-02-25   Files: 1   Lines: -0/+1

    Fix build failure of iptables utilities on debian/ubuntu, maybe other
    distros. The values INT_MIN and INT_MAX are used by many filters and
    these are defined in limits.h

    --- patch against current iptables.git

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* extensions: add missing limits.h include
  Author: Jan Engelhardt   Age: 2009-02-21   Files: 2   Lines: -0/+10

    Thanks to Stephen Hemminger for noticing.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* include: resynchronize headers with 2.6.29-rc5
  Author: Jan Engelhardt   Age: 2009-02-21   Files: 14   Lines: -60/+63

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_error
  Author: Jan Engelhardt   Age: 2009-02-21   Files: 1   Lines: -1/+1

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: inline and remove unused OPTION_OFFSET macro
  Author: Jan Engelhardt   Age: 2009-02-21   Files: 1   Lines: -1/+0

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libiptc: make library available as a shared library
  Author: Jan Engelhardt   Age: 2009-02-16   Files: 1   Lines: -0/+4

    Tested-by: Jesper Dangaard Brouer <hawk@comx.dk>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: general follow-up cleanup
  Author: Jamal Hadi Salim   Age: 2009-02-13   Files: 1   Lines: -1/+0

    Kill program_name, program_version and xtables_program_name.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* libxtables: consolidate init calls into one function
  Author: Jamal Hadi Salim   Age: 2009-02-13   Files: 1   Lines: -0/+1

    Introduce xtables_init_all() which hides three calls xtables_init(),
    xtables_set_nfproto(), and xtables_set_params().
    Make ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone
    use it.

    I moved xtables_set_params around for readability reasons.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* libxtables: consolidate merge_options into xtables_merge_options
  Author: Jamal Hadi Salim   Age: 2009-02-13   Files: 1   Lines: -0/+4

    Introduce xtables_merge_options() for re-use reasons. Apps can use it
    instead of each defining their own merge_options(). Made iptables and
    ip6tables use the new shared interface.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* libxtables: make iptables and ip6tables use xtables_free_opts
  Author: Jamal Hadi Salim   Age: 2009-02-12   Files: 1   Lines: -1/+2

    The patch modifies xtables_globals to introduce orig_opts and
    xtables_free_opts() to emulate what free_opts used to do. We also get
    rid of the copies of free_opts() that iptables and ip6tables keep.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* libxtables: add xtables_set_revision
  Author: Jamal Hadi Salim   Age: 2009-02-12   Files: 1   Lines: -0/+1

    Introduce xtables_set_revision() and make iptables and ip6tables use it.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* libxtables: set names of programs
  Author: Jamal Hadi Salim   Age: 2009-02-12   Files: 2   Lines: -0/+4

    Set proper name of application.

    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

* build: restructure Makefile for include/ directory
  Author: Jan Engelhardt   Age: 2009-02-12   Files: 1   Lines: -0/+8

    This patch will support adding libiptc to the headers list in future.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: use const for vars holding literals
  Author: Jan Engelhardt   Age: 2009-02-12   Files: 1   Lines: -2/+1

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptables
  Author: Patrick McHardy   Age: 2009-02-12   Files: 5   Lines: -38/+21

* src: consolidate duplicate code in iptables/internal.h
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 3   Lines: -4/+2

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: move compat defines to xtables.c
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 2   Lines: -10/+0

    Addendum to commit v1.4.3-rc1-41-g77f48c2 where the macro users got
    moved.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* src: remove unused ipt_tryload macro
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 2   Lines: -4/+0

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* src: remove iptables_rule_match indirection macro
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 2   Lines: -2/+0

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: decouple non-xtables parts from header
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 4   Lines: -6/+11

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: remove unused XT_LIB_DIR macro
  Author: Jan Engelhardt   Age: 2009-02-10   Files: 1   Lines: -4/+0

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>