From cca5cf91c789f3301cc2541a79c323c53be5a8e1 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 15 Jul 2010 11:27:41 +0200
Subject: nfnetlink_log: do not expose NFULNL_COPY_DISABLED to user-space
This patch moves NFULNL_COPY_PACKET definition from linux/netfilter/nfnetlink_log.h to net/netfilter/nfnetlink_log.h since this copy mode is only for internal use. I have also changed the value from 0x03 to 0xff. Thus, we avoid a gap from user-space that may confuse users if we add new copy modes in the future. This change was introduced in: http://www.spinics.net/lists/netfilter-devel/msg13535.html Since this change is not included in any stable Linux kernel, I think it's safe to make this change now. Anyway, this copy mode does not make any sense from user-space, so this patch should not break any existing setup.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/nfnetlink_log.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/linux')
diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/linux/netfilter/nfnetlink_log.h
index 1d0b84aa1d42..ea9b8d380527 100644
--- a/include/linux/netfilter/nfnetlink_log.h
+++ b/include/linux/netfilter/nfnetlink_log.h
@@ -89,7 +89,7 @@ enum nfulnl_attr_config {
 #define NFULNL_COPY_NONE 0x00
 #define NFULNL_COPY_META 0x01
 #define NFULNL_COPY_PACKET 0x02
-#define NFULNL_COPY_DISABLED 0x03
+/* 0xff is reserved, don't use it for new copy modes. */
 #define NFULNL_CFG_F_SEQ 0x0001
 #define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
-- cgit v1.2.3
From edf0e1fb0d0910880881523cfaaabcec06a2c0d5 Mon Sep 17 00:00:00 2001
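Review bot: The replacement comment says 0xff is reserved but not by what, so a reader of this exported header cannot connect the gap to the kernel-internal NFULNL_COPY_DISABLED that the description moves to net/netfilter/nfnetlink_log.h. Suggest `/* 0xff is reserved for the kernel-internal NFULNL_COPY_DISABLED copy mode; don't use it for new copy modes. */`. Since user-space can still send that value in a mode-configuration message, the kernel-side mode switch presumably has to reject it explicitly rather than rely on its absence from this header; that code is not in this hunk and is worth confirming. The description says NFULNL_COPY_PACKET is being moved, while the hunk removes NFULNL_COPY_DISABLED.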
From: "Michael S. Tsirkin"
Date: Thu, 15 Jul 2010 17:20:46 +0200
Subject: netfilter: add CHECKSUM target
This adds a `CHECKSUM' target, which can be used in the iptables mangle table. You can use this target to compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful, if you need to work around old applications such as dhcp clients, that do not work well with checksum offloads, but don't want to disable checksum offload in your device. The problem happens in the field with virtualized applications. For reference, see Red Hat bz 605555, as well as http://www.spinics.net/lists/kvm/msg37660.html Typical expected use (helps old dhclient binary running in a VM): iptables -A POSTROUTING -t mangle -p udp --dport bootpc \ -j CHECKSUM --checksum-fill Includes fixes by Jan Engelhardt
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/xt_CHECKSUM.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 include/linux/netfilter/xt_CHECKSUM.h
(limited to 'include/linux')
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 000000000000..3b4fb77acef6
--- /dev/null
+++ b/include/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+ __u8 operation; /* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */
-- cgit v1.2.3
From 22cb516696304a9b85892b18c483a27d97cfa51b Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin"
Date: Fri, 16 Jul 2010 14:08:20 +0200
Subject: netfilter: correct CHECKSUM header and export it
Signed-off-by: Michael S. Tsirkin
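Review bot: The comment on `XT_CHECKSUM_OP_FILL` says the checksum is filled "in IP header", but the use case in the description (UDP bootpc packets that lack a checksum because of offload) concerns the transport-layer checksum, and the IPv4 header checksum is normally computed by the stack itself, so the comment is likely to mislead readers of this user-space header. Suggest `#define XT_CHECKSUM_OP_FILL 0x01 /* fill in the transport (L4) checksum left empty by checksum offload */`, after confirming against the target module, which is not on this page. `operation` is called a bitset with only one bit defined; document the contract for the other bits, e.g. `__u8 operation; /* bitset of XT_CHECKSUM_OP_*; unknown bits are rejected at rule insertion */`, and make sure the target's checkentry actually enforces it so the field can be extended later. The guard name and the missing types include are fixed by the following commit on this page.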
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/Kbuild | 1 +
 include/linux/netfilter/xt_CHECKSUM.h | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
(limited to 'include/linux')
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index bb103f43afa0..b93b64dc9fae 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -3,6 +3,7 @@ header-y += nf_conntrack_tuple_common.h
 header-y += nfnetlink_conntrack.h
 header-y += nfnetlink_log.h
 header-y += nfnetlink_queue.h
+header-y += xt_CHECKSUM.h
 header-y += xt_CLASSIFY.h
 header-y += xt_CONNMARK.h
 header-y += xt_CONNSECMARK.h
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
index 3b4fb77acef6..9a2e4661654e 100644
--- a/include/linux/netfilter/xt_CHECKSUM.h
+++ b/include/linux/netfilter/xt_CHECKSUM.h
@@ -6,8 +6,10 @@
  *
  * This software is distributed under GNU GPL v2, 1991
 */
-#ifndef _IPT_CHECKSUM_TARGET_H
-#define _IPT_CHECKSUM_TARGET_H
+#ifndef _XT_CHECKSUM_TARGET_H
+#define _XT_CHECKSUM_TARGET_H
+
+#include
 #define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
@@ -15,4 +17,4 @@ struct xt_CHECKSUM_info {
  __u8 operation; /* bitset of operations */
 };
-#endif /* _IPT_CHECKSUM_TARGET_H */
+#endif /* _XT_CHECKSUM_TARGET_H */
-- cgit v1.2.3
From 9c3e1c39679144c250dda95098333ecb5f1f407a Mon Sep 17 00:00:00 2001
From: Hannes Eder
Date: Fri, 23 Jul 2010 12:42:58 +0200
Subject: netfilter: xt_ipvs (netfilter matcher for IPVS)
This implements the kernel-space side of the netfilter matcher xt_ipvs. [ minor fixes by Simon Horman ]
Signed-off-by: Hannes Eder
Signed-off-by: Simon Horman
[ Patrick: added xt_ipvs.h to Kbuild ]
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/Kbuild | 1 +
 include/linux/netfilter/xt_ipvs.h | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 include/linux/netfilter/xt_ipvs.h
(limited to 'include/linux')
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index b93b64dc9fae..0cb62c857187 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -31,6 +31,7 @@ header-y += xt_dscp.h
 header-y += xt_esp.h
 header-y += xt_hashlimit.h
 header-y += xt_iprange.h
+header-y += xt_ipvs.h
 header-y += xt_helper.h
 header-y += xt_length.h
 header-y += xt_limit.h
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h
new file mode 100644
index 000000000000..1167aeb7a347
--- /dev/null
+++ b/include/linux/netfilter/xt_ipvs.h
@@ -0,0 +1,27 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+enum {
+ XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+ XT_IPVS_PROTO = 1 << 1,
+ XT_IPVS_VADDR = 1 << 2,
+ XT_IPVS_VPORT = 1 << 3,
+ XT_IPVS_DIR = 1 << 4,
+ XT_IPVS_METHOD = 1 << 5,
+ XT_IPVS_VPORTCTL = 1 << 6,
+ XT_IPVS_MASK = (1 << 7) - 1,
+ XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+ union nf_inet_addr vaddr, vmask;
+ __be16 vport;
+ __u8 l4proto;
+ __u8 fwd_method;
+ __be16 vportctl;
+
+ __u8 invert;
+ __u8 bitmask;
+};
+
+#endif /* _XT_IPVS_H */
-- cgit v1.2.3
From e8648a1fdb54da1f683784b36a17aa65ea56e931 Mon Sep 17 00:00:00 2001
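Review bot: The new header is not self-contained: `struct xt_ipvs_mtinfo` uses `union nf_inet_addr`, `__be16` and `__u8`, yet the file has no `#include` at all, and the Kbuild hunk in the same commit exports it to user-space where nothing guarantees those types are already declared. Add `#include <linux/types.h>` and `#include <linux/netfilter.h>` above the enum (the xt_cpu.h added later on this page does include its types header). The Kbuild hunk also inserts `xt_ipvs.h` before `xt_helper.h`, breaking the list's alphabetical order. `invert` and `bitmask` are full bytes that admit bits outside `XT_IPVS_MASK`; the match's checkentry is presumably where such values are rejected, which cannot be confirmed from this header, so a short comment on each field stating the accepted range would help user-space authors.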
From: Eric Dumazet
Date: Fri, 23 Jul 2010 12:59:36 +0200
Subject: netfilter: add xt_cpu match
In some situations a CPU match permits a better spreading of connections, or select targets only for a given cpu. With Remote Packet Steering or multiqueue NIC and appropriate IRQ affinities, we can distribute trafic on available cpus, per session. (all RX packets for a given flow is handled by a given cpu) Some legacy applications being not SMP friendly, one way to scale a server is to run multiple copies of them. Instead of randomly choosing an instance, we can use the cpu number as a key so that softirq handler for a whole instance is running on a single cpu, maximizing cache effects in TCP/UDP stacks. Using NAT for example, a four ways machine might run four copies of server application, using a separate listening port for each instance, but still presenting an unique external port : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \ -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \ -j REDIRECT --to-port 8081 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \ -j REDIRECT --to-port 8082 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \ -j REDIRECT --to-port 8083
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/Kbuild | 3 ++-
 include/linux/netfilter/xt_cpu.h | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 include/linux/netfilter/xt_cpu.h
(limited to 'include/linux')
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 0cb62c857187..edeeabdc1500 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -20,12 +20,13 @@ header-y += xt_TCPMSS.h
 header-y += xt_TCPOPTSTRIP.h
 header-y += xt_TEE.h
 header-y += xt_TPROXY.h
+header-y += xt_cluster.h
 header-y += xt_comment.h
 header-y += xt_connbytes.h
 header-y += xt_connlimit.h
 header-y += xt_connmark.h
 header-y += xt_conntrack.h
-header-y += xt_cluster.h
+header-y += xt_cpu.h
 header-y += xt_dccp.h
 header-y += xt_dscp.h
 header-y += xt_esp.h
diff --git a/include/linux/netfilter/xt_cpu.h b/include/linux/netfilter/xt_cpu.h
new file mode 100644
index 000000000000..93c7f11d8f42
--- /dev/null
+++ b/include/linux/netfilter/xt_cpu.h
@@ -0,0 +1,11 @@
+#ifndef _XT_CPU_H
+#define _XT_CPU_H
+
+#include
+
+struct xt_cpu_info {
+ __u32 cpu;
+ __u32 invert;
+};
+
+#endif /*_XT_CPU_H*/
-- cgit v1.2.3
From 49daf6a22622d4e1619aeaad5f9f0472bf89daff Mon Sep 17 00:00:00 2001
From: Changli Gao
Date: Fri, 23 Jul 2010 14:07:47 +0200
Subject: xt_quota: report initial quota value instead of current value to userspace
We should copy the initial value to userspace for iptables-save and to allow removal of specific quota rules.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
---
 include/linux/netfilter/xt_quota.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/linux')
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index 8dc89dfc1361..b0d28c659ab7 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -11,9 +11,9 @@ struct xt_quota_priv;
 struct xt_quota_info {
 u_int32_t flags;
 u_int32_t pad;
+ aligned_u64 quota;
 /* Used internally by the kernel */
- aligned_u64 quota;
 struct xt_quota_priv *master;
 };
-- cgit v1.2.3
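Review bot: `struct xt_cpu_info` in the new xt_cpu.h is a user-space ABI with no documentation of its two fields, so a reader cannot tell what `cpu` is compared against or which values `invert` accepts. Suggest `__u32 cpu; /* CPU number to match (-m cpu --cpu N) */` and `__u32 invert; /* 0 or 1; 1 negates the match */`, wording the `invert` range to match whatever the match's checkentry actually enforces, which is not visible on this page. The closing guard comment `/*_XT_CPU_H*/` also lacks the spacing used by the sibling headers (`/* _XT_IPVS_H */`).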
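Review bot: After the move in the xt_quota.h hunk, nothing in the header states the new contract for `quota` that the description relies on: it holds the initial quota, the kernel never modifies it, and it is what user-space gets back on iptables-save and on rule removal. Suggest `aligned_u64 quota; /* initial quota from user-space; never changed by the kernel, so it is reported back unchanged */`; the running counter then has to live in `struct xt_quota_priv`, which this header change alone cannot guarantee. Note that the field order (flags, pad, quota, master) is the same before and after, so the structure layout stays ABI-compatible and only the comment's placement changes. `master` remains a kernel pointer inside a structure that is copied back to user-space when rules are listed, which is a pre-existing kernel-address exposure independent of this commit but worth tracking.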