path: root/iptables/iptables.8.in
* xtables: Add an interval option for xtables lock wait (Subash Abhinov Kasiviswanathan, 2016-07-03, 1 file, -0/+7)

  ip[6]tables currently waits for 1 second for the xtables lock to be freed if the -w option is used. We have seen that the lock is held for much less than that, resulting in unnecessary delay when trying to acquire the lock. This problem is even more severe in the case of latency-sensitive applications.

  Introduce a new option 'W' to specify the wait interval in microseconds. If this option is not specified, the command sleeps for 1 second by default.

  v1->v2: Change behavior to take millisecond sleep as an argument to -w as suggested by Pablo. Also maintain current behavior for -w to sleep for 1 second as mentioned by Liping.
  v2->v3: Move the millisecond behavior to a new option as suggested by Pablo.
  v3->v4: Use select instead of usleep. Sleep every iteration for the time specified in the "-W" argument. Update man page.
  v4->v5: Fix compilation error when enabling nftables.
  v5->v6: Simplify -W so it only takes the interval wait in microseconds. Bail out if -W is specified but -w is not.

  Joint work with Pablo Neira.

  Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables.8: nat table has four builtin chains (Florian Westphal, 2016-04-26, 1 file, -2/+3)

  The SNAT section in iptables-extensions(8) already mentions this, but the main section did not.

  Reported-by: Lion Yang <lion@aosc.io>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables.8: mention iptables-save in -L documentation (Florian Westphal, 2016-01-05, 1 file, -0/+2)

  -L omits some details (e.g. interfaces). We already mentioned '-L -v', but for convenience also mention ipt-save, since that lists it as-is too.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: add optional [seconds] argument to -w (Jiri Popelka, 2014-07-25, 1 file, -2/+3)

  This patch adds an optional numeric argument to the -w option (added with 93587a0) so one can specify how long to wait for an exclusive lock. If the value isn't specified, it works as before, i.e. the program waits indefinitely. If the user specifies it, the program exits after the given time interval passes.

  This patch also adds -w/--wait to the nftables compat code, so the parser doesn't complain.

  [ In the original patch, iptables-compat -w X was not working, I have fixed by adding the dummy code not to break scripts using the new optional argument --pablo ]

  Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables.8: --policy is either ACCEPT or DROP (Florian Westphal, 2014-04-17, 1 file, -4/+2)

  It's enforced both by libiptc and the kernel.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables.8: update coreteam members from manpage (Pablo Neira Ayuso, 2014-03-07, 1 file, -3/+4)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: fix version in iptables(8) (Jiri Popelka, 2014-03-07, 1 file, -1/+1)

  Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: merge ip6table man pages into ipv4 ones (Florian Westphal, 2013-08-07, 1 file, -13/+27)

  A couple of improvements to the iptables man page never made it into the ip6tables version. The number of differences between these two files is so small that it seems preferable to alias the ipv6 man pages to their ipv4 counterpart and change the iptables man page to specifically document differences (e.g. lack of ip6tables -f, etc).

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man (Florian Westphal, 2013-08-06, 1 file, -13/+5)

  ... and remove the QUEUE snippets from the ip(6)tables man page; the queue target was replaced by nfqueue years ago.

  Fix up a couple of needless differences in ip(6)tables.8, too.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* ip[6]tables: Add locking to prevent concurrent instances (Phil Oester, 2013-06-11, 1 file, -0/+7)

  There have been numerous complaints and bug reports over the years when admins attempt to run more than one instance of iptables simultaneously. Currently open bug reports which are related:

    325: Parallel execution of the iptables is impossible
    758: Retry iptables command on transient failure
    764: Doing -Z twice in parallel breaks counters
    822: iptables shows negative or other bad packet/byte counts

  As Patrick notes in 325: "Since this has been a problem people keep running into, I'd suggest to simply add some locking to iptables to catch the most common case."

  I started looking into alternatives to add locking, and of course the most common/obvious solution is to use a pidfile. But this has various downsides, such as if the application is terminated abnormally and the pidfile isn't cleaned up. And this also requires a writable filesystem. Using a UNIX domain socket file (e.g. in /var/run) has similar issues.

  Starting in 2.2, Linux added support for abstract sockets. These sockets require no filesystem, and automatically disappear once the application terminates. This is the locking solution I chose to implement in ip[6]tables.

  As an added bonus, since each network namespace has its own socket pool, an ip[6]tables instance running in one namespace will not lock out an ip[6]tables instance running in another namespace. A filesystem approach would have to recognize and handle multiple network namespaces.

  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: use autoconf to process .in man pages (Andy Spencer, 2013-05-29, 1 file, -1/+1)

  This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@ was not processed in the VERSION section. It also simplifies the Makefile by avoiding some sed commands.

  [ Mangled this patch to rename iptables-extensions.8.in to iptables-extensions.8.tmpl.in to avoid having a file whose name is terminated by .in.in --pablo ]

  Signed-off-by: Andy Spencer <andy753421@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: iptables provides up to 5 independent tables (Pablo Neira Ayuso, 2013-02-17, 1 file, -1/+1)

  This closes bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=807

  Reported-by: Quentin Armitage <quentin@armitage.org.uk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document the -4 and -6 options (Jan Engelhardt, 2013-01-07, 1 file, -0/+9)

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention -m in the manpage (Jan Engelhardt, 2013-01-07, 1 file, -0/+7)

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention iptables-apply in the SEE ALSO sections (Jan Engelhardt, 2012-09-30, 1 file, -0/+1)

  References: http://bugs.debian.org/660748

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* doc: deduplicate extension descriptions into a new manpage (Jan Engelhardt, 2012-09-30, 1 file, -18/+4)

  iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences. Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT).

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* doc: clarification on the meaning of -p 0 (Jan Engelhardt, 2011-12-18, 1 file, -3/+7)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: the -m option cannot be inverted (Jan Engelhardt, 2011-07-04, 1 file, -3/+0)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: mention multiple verbosity flags (Jan Engelhardt, 2011-06-30, 1 file, -1/+2)

  "-vv" can be used to further increase the verbosity level. Document this.

  References: http://bugs.debian.org/616037

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all iptables pieces into a separate directory (Jan Engelhardt, 2011-06-07, 1 file, -0/+449)

  (Unclutter top-level dir)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>