- 28 12月, 2011 1 次提交
-
-
由 Jan Engelhardt 提交于
Prepare the ECN match for augmentation by an IPv6 counterpart. Since no symbol dependencies to ipv6.ko are added, having a single ecn match module is the more so welcome. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 25 12月, 2011 2 次提交
-
-
由 Pablo Neira Ayuso 提交于
This patch adds the match that allows to perform extended accounting. It requires the new nfnetlink_acct infrastructure. # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Pablo Neira Ayuso 提交于
We currently have two ways to account traffic in netfilter: - iptables chain and rule counters: # iptables -L -n -v Chain INPUT (policy DROP 3 packets, 867 bytes) pkts bytes target prot opt in out source destination 8 1104 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 - use flow-based accounting provided by ctnetlink: # conntrack -L tcp 6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58152 dport=80 packets=47 bytes=7654 src=212.106.219.168 dst=192.168.1.130 sport=80 dport=58152 packets=49 bytes=66340 [ASSURED] mark=0 use=1 While trying to display real-time accounting statistics, we require to pool the kernel periodically to obtain this information. This is OK if the number of flows is relatively low. However, in case that the number of flows is huge, we can spend a considerable amount of cycles to iterate over the list of flows that have been obtained. Moreover, if we want to obtain the sum of the flow accounting results that match some criteria, we have to iterate over the whole list of existing flows, look for matchings and update the counters. This patch adds the extended accounting infrastructure for nfnetlink which aims to allow displaying real-time traffic accounting without the need of complicated and resource-consuming implementation in user-space. Basically, this new infrastructure allows you to create accounting objects. One accounting object is composed of packet and byte counters. In order to manipulate create accounting objects, you require the new libnetfilter_acct library. It contains several examples of use: libnetfilter_acct/examples# ./nfacct-add http-traffic libnetfilter_acct/examples# ./nfacct-get http-traffic = { pkts = 000000000000, bytes = 000000000000 }; Then, you can use one of this accounting objects in several iptables rules using the new nfacct match (which comes in a follow-up patch): # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic The idea is simple: if one packet matches the rule, the nfacct match updates the counters. Thanks to Patrick McHardy, Eric Dumazet, Changli Gao for reviewing and providing feedback for this contribution. Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 02 12月, 2011 1 次提交
-
-
由 David S. Miller 提交于
firewalld in Fedora 16 needs this. Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 24 11月, 2011 1 次提交
-
-
由 David S. Miller 提交于
Distributions are using this in their default scripts, so don't hide them behind the advanced setting. Reported-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 28 9月, 2011 1 次提交
-
-
由 Paul Bolle 提交于
There are numerous broken references to Documentation files (in other Documentation files, in comments, etc.). These broken references are caused by typo's in the references, and by renames or removals of the Documentation files. Some broken references are simply odd. Fix these broken references, sometimes by dropping the irrelevant text they were part of. Signed-off-by: NPaul Bolle <pebolle@tiscali.nl> Signed-off-by: NJiri Kosina <jkosina@suse.cz>
-
- 04 4月, 2011 1 次提交
-
-
由 Florian Westphal 提交于
This avoids pulling in the ipv6 module when using (ipv4-only) iptables -m addrtype. Signed-off-by: NFlorian Westphal <fw@strlen.de> Acked-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 16 3月, 2011 2 次提交
-
-
由 Florian Westphal 提交于
The kernel will refuse certain types that do not work in ipv6 mode. We can then add these features incrementally without risk of userspace breakage. Signed-off-by: NFlorian Westphal <fwestphal@astaro.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Florian Westphal 提交于
Followup patch will add ipv6 support. ipt_addrtype.h is retained for compatibility reasons, but no longer used by the kernel. Signed-off-by: NFlorian Westphal <fwestphal@astaro.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 03 2月, 2011 1 次提交
-
-
由 Patrick McHardy 提交于
Add a new 'devgroup' match to match on the device group of the incoming and outgoing network device of a packet. Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 01 2月, 2011 2 次提交
-
-
由 Jozsef Kadlecsik 提交于
The patch adds the combined module of the "SET" target and "set" match to netfilter. Both the previous and the current revisions are supported. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
The patch adds the IP set core support to the kernel. The IP set core implements a netlink (nfnetlink) based protocol by which one can create, destroy, flush, rename, swap, list, save, restore sets, and add, delete, test elements from userspace. For simplicity (and backward compatibilty and for not to force ip(6)tables to be linked with a netlink library) reasons a small getsockopt-based protocol is also kept in order to communicate with the ip(6)tables match and target. The netlink protocol passes all u16, etc values in network order with NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the NLA_F_NESTED and NLA_F_NET_BYTEORDER flags. For other kernel subsystems (netfilter match and target) the API contains the functions to add, delete and test elements in sets and the required calls to get/put refereces to the sets before those operations can be performed. The set types (which are implemented in independent modules) are stored in a simple RCU protected list. A set type may have variants: for example without timeout or with timeout support, for IPv4 or for IPv6. The sets (i.e. the pointers to the sets) are stored in an array. The sets are identified by their index in the array, which makes possible easy and fast swapping of sets. The array is protected indirectly by the nfnl mutex from nfnetlink. The content of the sets are protected by the rwlock of the set. There are functional differences between the add/del/test functions for the kernel and userspace: - kernel add/del/test: works on the current packet (i.e. one element) - kernel test: may trigger an "add" operation in order to fill out unspecified parts of the element from the packet (like MAC address) - userspace add/del: works on the netlink message and thus possibly on multiple elements from the IPSET_ATTR_ADT container attribute. - userspace add: may trigger resizing of a set Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 19 1月, 2011 2 次提交
-
-
由 Pablo Neira Ayuso 提交于
This patch adds flow-based timestamping for conntracks. This conntrack extension is disabled by default. Basically, we use two 64-bits variables to store the creation timestamp once the conntrack has been confirmed and the other to store the deletion time. This extension is disabled by default, to enable it, you have to: echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp This patch allows to save memory for user-space flow-based loogers such as ulogd2. In short, ulogd2 does not need to keep a hashtable with the conntrack in user-space to know when they were created and destroyed, instead we use the kernel timestamp. If we want to have a sane IPFIX implementation in user-space, this nanosecs resolution timestamps are also useful. Other custom user-space applications can benefit from this via libnetfilter_conntrack. This patch modifies the /proc output to display the delta time in seconds since the flow start. You can also obtain the flow-start date by means of the conntrack-tools. Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jiri Olsa 提交于
Adding support for SNMP broadcast connection tracking. The SNMP broadcast requests are now paired with the SNMP responses. Thus allowing using SNMP broadcasts with firewall enabled. Please refer to the following conversation: http://marc.info/?l=netfilter-devel&m=125992205006600&w=2 Patrick McHardy wrote: > > The best solution would be to add generic broadcast tracking, the > > use of expectations for this is a bit of abuse. > > The second best choice I guess would be to move the help() function > > to a shared module and generalize it so it can be used for both. This patch implements the "second best choice". Since the netbios-ns conntrack module uses the same helper functionality as the snmp, only one helper function is added for both snmp and netbios-ns modules into the new object - nf_conntrack_broadcast. Signed-off-by: NJiri Olsa <jolsa@redhat.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 18 1月, 2011 1 次提交
-
-
由 Florian Westphal 提交于
NFLOG already does the same thing for NETFILTER_NETLINK_LOG. Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 17 1月, 2011 1 次提交
-
-
由 Thomas Graf 提交于
This patch adds a new netfilter target which creates audit records for packets traversing a certain chain. It can be used to record packets which are rejected administraively as follows: -N AUDIT_DROP -A AUDIT_DROP -j AUDIT --type DROP -A AUDIT_DROP -j DROP a rule which would typically drop or reject a packet would then invoke the new chain to record packets before dropping them. -j AUDIT_DROP The module is protocol independant and works for iptables, ip6tables and ebtables. The following information is logged: - netfilter hook - packet length - incomming/outgoing interface - MAC src/dst/proto for ethernet packets - src/dst/protocol address for IPv4/IPv6 - src/dst port for TCP/UDP/UDPLITE - icmp type/code Cc: Patrick McHardy <kaber@trash.net> Cc: Eric Paris <eparis@parisplace.org> Cc: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: NThomas Graf <tgraf@redhat.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 14 1月, 2011 1 次提交
-
-
由 Patrick McHardy 提交于
Fix dependencies of netfilter realm match: it depends on NET_CLS_ROUTE, which itself depends on NET_SCHED; this dependency is missing from netfilter. Since matching on realms is also useful without having NET_SCHED enabled and the option really only controls whether the tclassid member is included in route and dst entries, rename the config option to IP_ROUTE_CLASSID and move it outside of traffic scheduling context to get rid of the NET_SCHED dependeny. Reported-by: NVladis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 26 10月, 2010 1 次提交
-
-
由 KOVACS Krisztian 提交于
One of the previous tproxy related patches split IPv6 defragmentation and connection tracking, but did not correctly add Kconfig stanzas to handle the new dependencies correctly. This patch fixes that by making the config options mirror the setup we have for IPv4: a distinct config option for defragmentation that is automatically selected by both connection tracking and xt_TPROXY/xt_socket. The patch also changes the #ifdefs enclosing IPv6 specific code in xt_socket and xt_TPROXY: we only compile these in case we have ip6tables support enabled. Signed-off-by: NKOVACS Krisztian <hidden@balabit.hu> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 23 7月, 2010 2 次提交
-
-
由 Eric Dumazet 提交于
In some situations a CPU match permits a better spreading of connections, or select targets only for a given cpu. With Remote Packet Steering or multiqueue NIC and appropriate IRQ affinities, we can distribute trafic on available cpus, per session. (all RX packets for a given flow is handled by a given cpu) Some legacy applications being not SMP friendly, one way to scale a server is to run multiple copies of them. Instead of randomly choosing an instance, we can use the cpu number as a key so that softirq handler for a whole instance is running on a single cpu, maximizing cache effects in TCP/UDP stacks. Using NAT for example, a four ways machine might run four copies of server application, using a separate listening port for each instance, but still presenting an unique external port : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \ -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \ -j REDIRECT --to-port 8081 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \ -j REDIRECT --to-port 8082 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \ -j REDIRECT --to-port 8083 Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Hannes Eder 提交于
This implements the kernel-space side of the netfilter matcher xt_ipvs. [ minor fixes by Simon Horman <horms@verge.net.au> ] Signed-off-by: NHannes Eder <heder@google.com> Signed-off-by: NSimon Horman <horms@verge.net.au> [ Patrick: added xt_ipvs.h to Kbuild ] Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 15 7月, 2010 1 次提交
-
-
由 Michael S. Tsirkin 提交于
This adds a `CHECKSUM' target, which can be used in the iptables mangle table. You can use this target to compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful, if you need to work around old applications such as dhcp clients, that do not work well with checksum offloads, but don't want to disable checksum offload in your device. The problem happens in the field with virtualized applications. For reference, see Red Hat bz 605555, as well as http://www.spinics.net/lists/kvm/msg37660.html Typical expected use (helps old dhclient binary running in a VM): iptables -A POSTROUTING -t mangle -p udp --dport bootpc \ -j CHECKSUM --checksum-fill Includes fixes by Jan Engelhardt <jengelh@medozas.de> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 25 6月, 2010 1 次提交
-
-
由 Tim Gardner 提交于
CONFIG_NF_CT_ACCT has been deprecated for awhile and was originally scheduled for removal by 2.6.29. Removing support for this config option also stops this deprecation warning message in the kernel log. [ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max) [ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use [ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or [ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it. Signed-off-by: NTim Gardner <tim.gardner@canonical.com> [Patrick: changed default value to 0] Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 22 6月, 2010 1 次提交
-
-
由 Arnd Hannemann 提交于
Destination was spelled wrong in KConfig. Signed-off-by: NArnd Hannemann <hannemann@nets.rwth-aachen.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 15 6月, 2010 1 次提交
-
-
由 Luciano Coelho 提交于
This patch implements an idletimer Xtables target that can be used to identify when interfaces have been idle for a certain period of time. Timers are identified by labels and are created when a rule is set with a new label. The rules also take a timeout value (in seconds) as an option. If more than one rule uses the same timer label, the timer will be restarted whenever any of the rules get a hit. One entry for each timer is created in sysfs. This attribute contains the timer remaining for the timer to expire. The attributes are located under the xt_idletimer class: /sys/class/xt_idletimer/timers/<label> When the timer expires, the target module sends a sysfs notification to the userspace, which can then decide what to do (eg. disconnect to save power). Cc: Timo Teras <timo.teras@iki.fi> Signed-off-by: NLuciano Coelho <luciano.coelho@nokia.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 15 5月, 2010 1 次提交
-
-
由 Randy Dunlap 提交于
Fix xt_TEE build for the case of NF_CONNTRACK=m and NETFILTER_XT_TARGET_TEE=y: xt_TEE.c:(.text+0x6df5c): undefined reference to `nf_conntrack_untracked' 4x Built with all 4 m/y combinations. Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Acked-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 13 5月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
Aviod these link-time errors when IPV6=m, XT_TEE=y: net/built-in.o: In function `tee_tg_route6': xt_TEE.c:(.text+0x45ca5): undefined reference to `ip6_route_output' net/built-in.o: In function `tee_tg6': xt_TEE.c:(.text+0x45d79): undefined reference to `ip6_local_out' Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Acked-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 4月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
xt_TEE can be used to clone and reroute a packet. This can for example be used to copy traffic at a router for logging purposes to another dedicated machine. References: http://www.gossamer-threads.com/lists/iptables/devel/68781Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 18 3月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
Restore alphabetical ordering of the list and put the xt_osf option into its 'right' place again. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 17 3月, 2010 4 次提交
-
-
由 Jan Engelhardt 提交于
The compat option was introduced in October 2008. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Two arguments for combining the two: - xt_mark is pretty useless without xt_MARK - the actual code is so small anyway that the kmod metadata and the module in its loaded state totally outweighs the combined actual code size. i586-before: -rw-r--r-- 1 jengelh users 3821 Feb 10 01:01 xt_MARK.ko -rw-r--r-- 1 jengelh users 2592 Feb 10 00:04 xt_MARK.o -rw-r--r-- 1 jengelh users 3274 Feb 10 01:01 xt_mark.ko -rw-r--r-- 1 jengelh users 2108 Feb 10 00:05 xt_mark.o text data bss dec hex filename 354 264 0 618 26a xt_MARK.o 223 176 0 399 18f xt_mark.o And the runtime size is like 14 KB. i586-after: -rw-r--r-- 1 jengelh users 3264 Feb 18 17:28 xt_mark.o Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 16 2月, 2010 1 次提交
-
-
由 Patrick McHardy 提交于
Normally, each connection needs a unique identity. Conntrack zones allow to specify a numerical zone using the CT target, connections in different zones can use the same identity. Example: iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1 iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1 Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 04 2月, 2010 1 次提交
-
-
由 Patrick McHardy 提交于
Add a new target for the raw table, which can be used to specify conntrack parameters for specific connections, f.i. the conntrack helper. The target attaches a "template" connection tracking entry to the skb, which is used by the conntrack core when initializing a new conntrack. Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 13 6月, 2009 1 次提交
-
-
由 Pavel Machek 提交于
.ko is normally not included in Kconfig help, make it consistent. Signed-off-by: NPavel Machek <pavel@ucw.cz> Signed-off-by: NJiri Kosina <jkosina@suse.cz>
-
- 08 6月, 2009 1 次提交
-
-
由 Evgeniy Polyakov 提交于
Passive OS fingerprinting netfilter module allows to passively detect remote OS and perform various netfilter actions based on that knowledge. This module compares some data (WS, MSS, options and it's order, ttl, df and others) from packets with SYN bit set with dynamically loaded OS fingerprints. Fingerprint matching rules can be downloaded from OpenBSD source tree or found in archive and loaded via netfilter netlink subsystem into the kernel via special util found in archive. Archive contains library file (also attached), which was shipped with iptables extensions some time ago (at least when ipt_osf existed in patch-o-matic). Following changes were made in this release: * added NLM_F_CREATE/NLM_F_EXCL checks * dropped _rcu list traversing helpers in the protected add/remove calls * dropped unneded structures, debug prints, obscure comment and check Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os or can be found in archive Example usage: -d switch removes fingerprints Please consider for inclusion. Thank you. Passive OS fingerprint homepage (archives, examples): http://www.ioremap.net/projects/osfSigned-off-by: NEvgeniy Polyakov <zbr@ioremap.net> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 02 5月, 2009 1 次提交
-
-
由 Laszlo Attila Toth 提交于
xt_socket can use connection tracking, and checks whether it is a module. Signed-off-by: NLaszlo Attila Toth <panther@balabit.hu> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 24 4月, 2009 1 次提交
-
-
由 Laszlo Attila Toth 提交于
Signed-off-by: NLaszlo Attila Toth <panther@balabit.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 06 4月, 2009 1 次提交
-
-
由 Alex Riesen 提交于
It's plural, not LED_TRIGGERS. Signed-off-by: NAlex Riesen <fork0@users.sourceforge.net> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 30 3月, 2009 1 次提交
-
-
由 Matt LaPlante 提交于
Signed-off-by: NMatt LaPlante <kernel1@cyberdogtech.com> Acked-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NJiri Kosina <jkosina@suse.cz>
-