1. 28 Dec 2011, 1 commit
  2. 25 Dec 2011, 2 commits
    • netfilter: xtables: add nfacct match to support extended accounting · ceb98d03
      Pablo Neira Ayuso authored
      This patch adds the match that allows performing extended
      accounting. It requires the new nfnetlink_acct infrastructure.
      
       # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
       # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: add extended accounting infrastructure over nfnetlink · 94139027
      Pablo Neira Ayuso authored
      We currently have two ways to account traffic in netfilter:
      
      - iptables chain and rule counters:
      
       # iptables -L -n -v
      Chain INPUT (policy DROP 3 packets, 867 bytes)
       pkts bytes target     prot opt in     out     source               destination
          8  1104 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      
      - use flow-based accounting provided by ctnetlink:
      
       # conntrack -L
      tcp      6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58152 dport=80 packets=47 bytes=7654 src=212.106.219.168 dst=192.168.1.130 sport=80 dport=58152 packets=49 bytes=66340 [ASSURED] mark=0 use=1
      
      While trying to display real-time accounting statistics, we need
      to poll the kernel periodically to obtain this information. This is
      OK if the number of flows is relatively low. However, if the number
      of flows is huge, we can spend a considerable amount of cycles
      iterating over the list of flows that have been obtained.
      
      Moreover, if we want to obtain the sum of the flow accounting results
      that match some criteria, we have to iterate over the whole list of
      existing flows, look for matches and update the counters.
      
      This patch adds the extended accounting infrastructure for
      nfnetlink, which aims to allow displaying real-time traffic accounting
      without the need for a complicated and resource-consuming implementation
      in user space. Basically, this new infrastructure allows you to create
      accounting objects. One accounting object is composed of packet and
      byte counters.
      
      In order to create and manipulate accounting objects, you need the
      new libnetfilter_acct library. It contains several examples of use:
      
      libnetfilter_acct/examples# ./nfacct-add http-traffic
      libnetfilter_acct/examples# ./nfacct-get
      http-traffic = { pkts = 000000000000,   bytes = 000000000000 };
      
      Then, you can use one of these accounting objects in several iptables
      rules using the new nfacct match (which comes in a follow-up patch):
      
       # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
       # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
      
      The idea is simple: if one packet matches the rule, the nfacct match
      updates the counters.
      
      Thanks to Patrick McHardy, Eric Dumazet, Changli Gao for reviewing and
      providing feedback for this contribution.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
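Added example (not code from the netfilter project or from this commit): the message above shows the listing format the libnetfilter_acct example tool prints, `name = { pkts = N,   bytes = N };`, and the point of the infrastructure is that userspace only has to read those totals instead of walking flows. The Python below parses two such listings taken some seconds apart and turns them into per-object rates, treating a counter that went backwards (object deleted and re-created, or reset) as an error value rather than a negative rate. The listing lines are constructed for the example and the function names are this example's own.

```python
import re

# Matches one line of the listing format quoted in the commit message:
#   http-traffic = { pkts = 000000000000,   bytes = 000000000000 };
# The zero-padded width is not assumed; any run of digits is accepted.
_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s*=\s*\{\s*pkts\s*=\s*(?P<pkts>\d+)\s*,"
    r"\s*bytes\s*=\s*(?P<bytes>\d+)\s*\}\s*;\s*$"
)


def parse_listing(text):
    """Return {object name: (pkts, bytes)} for a listing; raise on a malformed line."""
    objects = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("line %d is not an accounting object: %r" % (lineno, line))
        objects[m.group("name")] = (int(m.group("pkts")), int(m.group("bytes")))
    return objects


def rates(before, after, seconds):
    """Per-object (pkt/s, byte/s) between two snapshots taken `seconds` apart.

    Objects missing from the earlier snapshot are skipped. A counter that
    went backwards is reported as None instead of a negative rate so that
    a caller does not silently graph garbage after an object was re-created.
    """
    if seconds <= 0:
        raise ValueError("interval must be positive")
    out = {}
    for name, (p1, b1) in after.items():
        if name not in before:
            continue
        p0, b0 = before[name]
        if p1 < p0 or b1 < b0:
            out[name] = None
        else:
            out[name] = ((p1 - p0) / seconds, (b1 - b0) / seconds)
    return out


# Constructed listings, 10 seconds apart (not real nfacct output).
SNAPSHOT_T0 = """\
http-traffic = { pkts = 000000001200,   bytes = 000001536000 };
dns-traffic  = { pkts = 000000000300,   bytes = 000000024000 };
ssh-traffic  = { pkts = 000000000050,   bytes = 000000004000 };
"""
SNAPSHOT_T1 = """\
http-traffic = { pkts = 000000001700,   bytes = 000002176000 };
dns-traffic  = { pkts = 000000000400,   bytes = 000000032000 };
ssh-traffic  = { pkts = 000000000010,   bytes = 000000000800 };
"""


def demo():
    """Rates between the two constructed snapshots."""
    return rates(parse_listing(SNAPSHOT_T0), parse_listing(SNAPSHOT_T1), 10)


if __name__ == "__main__":
    for name, r in sorted(demo().items()):
        print(name, "counter went backwards" if r is None else "%.1f pkt/s, %.1f B/s" % r)
```

In practice `SNAPSHOT_T0`/`SNAPSHOT_T1` would be the output of the listing tool captured at two points in time; the monotonic check is what protects a dashboard from an object that was deleted and re-added between polls.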
  3. 02 Dec 2011, 1 commit
  4. 24 Nov 2011, 1 commit
  5. 28 Sep 2011, 1 commit
    • doc: fix broken references · 395cf969
      Paul Bolle authored
      There are numerous broken references to Documentation files (in other
      Documentation files, in comments, etc.). These broken references are
      caused by typos in the references, and by renames or removals of the
      Documentation files. Some broken references are simply odd.
      
      Fix these broken references, sometimes by dropping the irrelevant text
      they were part of.
      Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
  6. 04 Apr 2011, 1 commit
  7. 16 Mar 2011, 2 commits
  8. 03 Feb 2011, 1 commit
  9. 01 Feb 2011, 2 commits
    • netfilter: xtables: "set" match and "SET" target support · d956798d
      Jozsef Kadlecsik authored
      The patch adds the combined module of the "SET" target and "set" match
      to netfilter. Both the previous and the current revisions are supported.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: ipset: IP set core support · a7b4f989
      Jozsef Kadlecsik authored
      The patch adds the IP set core support to the kernel.
      
      The IP set core implements a netlink (nfnetlink) based protocol by which
      one can create, destroy, flush, rename, swap, list, save, restore sets,
      and add, delete, test elements from userspace. For simplicity (and backward
      compatibility, and so as not to force ip(6)tables to be linked with a netlink
      library) a small getsockopt-based protocol is also kept in order
      to communicate with the ip(6)tables match and target.
      
      The netlink protocol passes all u16, etc values in network order with
      NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
      NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.
      
      For other kernel subsystems (netfilter match and target) the API contains
      the functions to add, delete and test elements in sets and the required calls
      to get/put references to the sets before those operations can be performed.
      
      The set types (which are implemented in independent modules) are stored
      in a simple RCU protected list. A set type may have variants: for example
      without timeout or with timeout support, for IPv4 or for IPv6. The sets
      (i.e. the pointers to the sets) are stored in an array. The sets are
      identified by their index in the array, which makes easy and fast
      swapping of sets possible. The array is protected indirectly by the nfnl
      mutex from nfnetlink. The contents of the sets are protected by the rwlock
      of the set.
      
      There are functional differences between the add/del/test functions
      for the kernel and userspace:
      
      - kernel add/del/test: works on the current packet (i.e. one element)
      - kernel test: may trigger an "add" operation in order to fill
        out unspecified parts of the element from the packet (like MAC address)
      - userspace add/del: works on the netlink message and thus possibly
        on multiple elements from the IPSET_ATTR_ADT container attribute.
      - userspace add: may trigger resizing of a set
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  10. 19 Jan 2011, 2 commits
    • netfilter: nf_conntrack_tstamp: add flow-based timestamp extension · a992ca2a
      Pablo Neira Ayuso authored
      This patch adds flow-based timestamping for conntracks. This
      conntrack extension is disabled by default. Basically, we use
      two 64-bit variables: one stores the creation timestamp once the
      conntrack has been confirmed and the other stores the deletion
      time. This extension is disabled by default; to enable it, you
      have to:
      
      echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
      
      This patch allows saving memory for user-space flow-based
      loggers such as ulogd2. In short, ulogd2 does not need to
      keep a hashtable with the conntracks in user space to know
      when they were created and destroyed; instead we use the
      kernel timestamp. If we want to have a sane IPFIX implementation
      in user space, these nanosecond-resolution timestamps are also
      useful. Other custom user-space applications can benefit from
      this via libnetfilter_conntrack.
      
      This patch modifies the /proc output to display the delta time
      in seconds since the flow start. You can also obtain the
      flow-start date by means of the conntrack-tools.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack: nf_conntrack snmp helper · 93557f53
      Jiri Olsa authored
      Adding support for SNMP broadcast connection tracking. The SNMP
      broadcast requests are now paired with the SNMP responses,
      thus allowing the use of SNMP broadcasts with the firewall enabled.
      
      Please refer to the following conversation:
      http://marc.info/?l=netfilter-devel&m=125992205006600&w=2
      
      Patrick McHardy wrote:
      > > The best solution would be to add generic broadcast tracking, the
      > > use of expectations for this is a bit of abuse.
      > > The second best choice I guess would be to move the help() function
      > > to a shared module and generalize it so it can be used for both.
      This patch implements the "second best choice".
      
      Since the netbios-ns conntrack module uses the same helper
      functionality as the snmp, only one helper function is added
      for both snmp and netbios-ns modules into the new object -
      nf_conntrack_broadcast.
      Signed-off-by: Jiri Olsa <jolsa@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  11. 18 Jan 2011, 1 commit
  12. 17 Jan 2011, 1 commit
    • netfilter: audit target to record accepted/dropped packets · 43f393ca
      Thomas Graf authored
      This patch adds a new netfilter target which creates audit records
      for packets traversing a certain chain.
      
      It can be used to record packets which are rejected administratively
      as follows:
      
        -N AUDIT_DROP
        -A AUDIT_DROP -j AUDIT --type DROP
        -A AUDIT_DROP -j DROP
      
      a rule which would typically drop or reject a packet would then
      invoke the new chain to record packets before dropping them.
      
        -j AUDIT_DROP
      
      The module is protocol independent and works for iptables, ip6tables
      and ebtables.
      
      The following information is logged:
       - netfilter hook
       - packet length
       - incoming/outgoing interface
       - MAC src/dst/proto for ethernet packets
       - src/dst/protocol address for IPv4/IPv6
       - src/dst port for TCP/UDP/UDPLITE
       - icmp type/code
      
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: Thomas Graf <tgraf@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
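Added example, not part of the patch or of the audit subsystem: the AUDIT_DROP chain pattern above produces one audit record per dropped packet, and the value of that is only realised when something consumes the records. The Python below parses NETFILTER_PKT records and flags sources whose dropped TCP/UDP packets touched several distinct destination ports, a crude sweep detector. The key names (action=, hook=, len=, inif=, outif=, saddr=, daddr=, proto=, sport=, dport=, icmptype=, icmpcode=) and the action numbering (0 accept, 1 drop, 2 reject) are assumed from my recollection of the target's source, not stated on this page; the sample records are constructed, not captured.

```python
import re
from collections import defaultdict

# Field names and action numbering are assumed from the xt_AUDIT source as I
# remember it; verify them against records from your own kernel before use.
ACTION_NAMES = {0: "ACCEPT", 1: "DROP", 2: "REJECT"}

_HDR = re.compile(r"^type=NETFILTER_PKT msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one NETFILTER_PKT audit record into a dict; None for anything else."""
    m = _HDR.match(line.strip())
    if m is None:
        return None
    rec = {"time": float(m.group(1) + "." + m.group(2)), "serial": int(m.group(3))}
    rec.update(_KV.findall(m.group(4)))
    try:
        rec["action"] = ACTION_NAMES.get(int(rec["action"]), rec["action"])
    except (KeyError, ValueError):
        return None  # the target always writes action=; anything else is not ours
    # proto= is only present for IP packets (bridge frames may carry none)
    rec["proto"] = int(rec["proto"]) if "proto" in rec else None
    return rec


def dropped_port_sweeps(lines, min_ports=3):
    """Sources whose DROP/REJECT TCP or UDP packets hit >= min_ports distinct ports.

    ACCEPT records and records without ports (ICMP, other protocols) are
    ignored. Returns {saddr: sorted list of destination ports}.
    """
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] not in ("DROP", "REJECT"):
            continue
        if rec["proto"] not in (6, 17) or "dport" not in rec or "saddr" not in rec:
            continue
        ports[rec["saddr"]].add(int(rec["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed records in the assumed layout (not captured from a real system).
SAMPLE_AUDIT = """\
type=NETFILTER_PKT msg=audit(1295000001.100:101): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.7 daddr=192.0.2.10 ipid=1 proto=6 sport=40001 dport=22
type=NETFILTER_PKT msg=audit(1295000001.150:102): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.7 daddr=192.0.2.10 ipid=2 proto=6 sport=40002 dport=23
type=NETFILTER_PKT msg=audit(1295000001.200:103): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.7 daddr=192.0.2.10 ipid=3 proto=6 sport=40003 dport=25
type=NETFILTER_PKT msg=audit(1295000001.250:104): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.7 daddr=192.0.2.10 ipid=4 proto=6 sport=40004 dport=80
type=NETFILTER_PKT msg=audit(1295000002.100:105): action=1 hook=1 len=60 inif=eth0 outif=? saddr=198.51.100.5 daddr=192.0.2.10 ipid=9 proto=6 sport=51000 dport=443
type=NETFILTER_PKT msg=audit(1295000003.100:106): action=0 hook=1 len=60 inif=eth0 outif=? saddr=198.51.100.5 daddr=192.0.2.10 ipid=10 proto=6 sport=51001 dport=80
type=NETFILTER_PKT msg=audit(1295000004.100:107): action=1 hook=1 len=84 inif=eth0 outif=? saddr=203.0.113.7 daddr=192.0.2.10 ipid=5 proto=1 icmptype=8 icmpcode=0
type=SYSCALL msg=audit(1295000005.000:108): arch=c000003e syscall=59 success=yes
"""

if __name__ == "__main__":
    for src, dports in dropped_port_sweeps(SAMPLE_AUDIT.splitlines()).items():
        print("%s probed %d blocked ports: %s" % (src, len(dports), dports))
```

On a real host the lines would come from ausearch or the audit log file; the parser keeps unknown keys verbatim so a kernel that logs extra fields (mark=, secmark=) still parses.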
  13. 14 Jan 2011, 1 commit
    • netfilter: fix Kconfig dependencies · c7066f70
      Patrick McHardy authored
      Fix dependencies of netfilter realm match: it depends on NET_CLS_ROUTE,
      which itself depends on NET_SCHED; this dependency is missing from netfilter.
      
      Since matching on realms is also useful without having NET_SCHED enabled and
      the option really only controls whether the tclassid member is included in
      route and dst entries, rename the config option to IP_ROUTE_CLASSID and move
      it outside of traffic scheduling context to get rid of the NET_SCHED dependency.
      Reported-by: Vladis Kletnieks <Valdis.Kletnieks@vt.edu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  14. 26 Oct 2010, 1 commit
  15. 23 Jul 2010, 2 commits
    • netfilter: add xt_cpu match · e8648a1f
      Eric Dumazet authored
      In some situations a CPU match permits a better spreading of
      connections, or selecting targets only for a given cpu.
      
      With Remote Packet Steering or multiqueue NIC and appropriate IRQ
      affinities, we can distribute traffic on available cpus, per session
      (all RX packets for a given flow are handled by a given cpu).
      
      As some legacy applications are not SMP friendly, one way to scale a
      server is to run multiple copies of them.
      
      Instead of randomly choosing an instance, we can use the cpu number as a
      key so that the softirq handler for a whole instance is running on a single
      cpu, maximizing cache effects in TCP/UDP stacks.
      
      Using NAT for example, a four-way machine might run four copies of the
      server application, using a separate listening port for each instance,
      but still presenting a unique external port:
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
              -j REDIRECT --to-port 8080
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
              -j REDIRECT --to-port 8081
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
              -j REDIRECT --to-port 8082
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
              -j REDIRECT --to-port 8083
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: xt_ipvs (netfilter matcher for IPVS) · 9c3e1c39
      Hannes Eder authored
      This implements the kernel-space side of the netfilter matcher xt_ipvs.
      
      [ minor fixes by Simon Horman <horms@verge.net.au> ]
      Signed-off-by: Hannes Eder <heder@google.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      [ Patrick: added xt_ipvs.h to Kbuild ]
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  16. 15 Jul 2010, 1 commit
    • netfilter: add CHECKSUM target · edf0e1fb
      Michael S. Tsirkin authored
      This adds a `CHECKSUM' target, which can be used in the iptables mangle
      table.
      
      You can use this target to compute and fill in the checksum in
      a packet that lacks a checksum.  This is particularly useful
      if you need to work around old applications such as dhcp clients
      that do not work well with checksum offloads, but don't want to
      disable checksum offload in your device.
      
      The problem happens in the field with virtualized applications.
      For reference, see Red Hat bz 605555, as well as
      http://www.spinics.net/lists/kvm/msg37660.html
      
      Typical expected use (helps old dhclient binary running in a VM):
      iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
      	-j CHECKSUM --checksum-fill
      
      Includes fixes by Jan Engelhardt <jengelh@medozas.de>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  17. 25 Jun 2010, 1 commit
    • netfilter: complete the deprecation of CONFIG_NF_CT_ACCT · d70a011d
      Tim Gardner authored
      CONFIG_NF_CT_ACCT has been deprecated for a while and
      was originally scheduled for removal by 2.6.29.
      
      Removing support for this config option also stops
      this deprecation warning message in the kernel log.
      
      [   61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
      [   61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
      [   61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
      [   61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
      Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
      [Patrick: changed default value to 0]
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  18. 22 Jun 2010, 1 commit
  19. 15 Jun 2010, 1 commit
    • netfilter: xtables: idletimer target implementation · 0902b469
      Luciano Coelho authored
      This patch implements an idletimer Xtables target that can be used to
      identify when interfaces have been idle for a certain period of time.
      
      Timers are identified by labels and are created when a rule is set with a new
      label.  The rules also take a timeout value (in seconds) as an option.  If
      more than one rule uses the same timer label, the timer will be restarted
      whenever any of the rules get a hit.
      
      One entry for each timer is created in sysfs.  This attribute contains the
      timer remaining for the timer to expire.  The attributes are located under
      the xt_idletimer class:
      
      /sys/class/xt_idletimer/timers/<label>
      
      When the timer expires, the target module sends a sysfs notification to
      userspace, which can then decide what to do (e.g. disconnect to save power).
      
      Cc: Timo Teras <timo.teras@iki.fi>
      Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  20. 15 May 2010, 1 commit
  21. 13 May 2010, 1 commit
  22. 19 Apr 2010, 1 commit
  23. 18 Mar 2010, 1 commit
  24. 17 Mar 2010, 4 commits
  25. 16 Feb 2010, 1 commit
  26. 04 Feb 2010, 1 commit
    • netfilter: xtables: add CT target · 84f3bb9a
      Patrick McHardy authored
      Add a new target for the raw table, which can be used to specify conntrack
      parameters for specific connections, f.i. the conntrack helper.
      
      The target attaches a "template" connection tracking entry to the skb, which
      is used by the conntrack core when initializing a new conntrack.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  27. 13 Jun 2009, 1 commit
  28. 08 Jun 2009, 1 commit
    • netfilter: passive OS fingerprint xtables match · 11eeef41
      Evgeniy Polyakov authored
      The passive OS fingerprinting netfilter module allows passively detecting
      the remote OS and performing various netfilter actions based on that knowledge.
      This module compares some data (WS, MSS, options and their order, ttl, df
      and others) from packets with the SYN bit set with dynamically loaded OS
      fingerprints.
      
      Fingerprint matching rules can be downloaded from the OpenBSD source tree
      or found in the archive and loaded via the netfilter netlink subsystem into
      the kernel via a special util found in the archive.
      
      Archive contains library file (also attached), which was shipped
      with iptables extensions some time ago (at least when ipt_osf existed
      in patch-o-matic).
      
      Following changes were made in this release:
       * added NLM_F_CREATE/NLM_F_EXCL checks
       * dropped _rcu list traversing helpers in the protected add/remove calls
       * dropped unneeded structures, debug prints, obscure comment and check
      
      Fingerprints can be downloaded from
      http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
      or can be found in archive
      
      Example usage:
      -d switch removes fingerprints
      
      Please consider for inclusion.
      Thank you.
      
      Passive OS fingerprint homepage (archives, examples):
      http://www.ioremap.net/projects/osf
      Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
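Added example, not the xt_osf module, its userspace util, or p0f: a simplified version of the comparison the message describes, in Python, so the matching logic can be read in one place. It takes signatures in the pf.os line layout as I understand it (wsize:ttl:df:size:options:genre:version:subtype:details, with N/M/W/S/T/E option letters in wire order and '*', '%N' and 'SN' window specs), which is an assumption about that file's format rather than something this page states. The signatures below are constructed for the example, not copied from OpenBSD's pf.os, and the SYN summaries are constructed too. TTL handling assumes the observed TTL is at most the signature's initial TTL and at most 32 hops below it; the kernel module's exact TTL policy is not reproduced here.

```python
# Signature line layout, as I understand pf.os (assumption, not from the page):
#   wsize:ttl:df:size:options:genre:version:subtype:details
# wsize   '*' any; a number (exact); '%N' window is a multiple of N; 'SN' window == N * MSS
# ttl     initial TTL the OS uses; the observed TTL is lower by the hop count
# df      don't-fragment bit (0/1); size: total SYN packet size in bytes
# options in wire order: N=NOP, Mnnn/M*=MSS, Wnnn/W*=window scale,
#         S=SACK permitted, T=timestamp (T0: timestamp value zero), E=EOL
MAX_HOPS = 32   # assumed: a SYN whose TTL dropped by more than this is not matched


def parse_signature(line):
    fields = line.split(":", 8)
    if len(fields) != 9:
        raise ValueError("bad signature: %r" % line)
    wsize, ttl, df, size, opts, genre, version, subtype, details = fields
    return {"wsize": wsize, "ttl": int(ttl), "df": int(df), "size": int(size),
            "opts": opts.split(",") if opts else [],
            "genre": genre, "version": version, "subtype": subtype, "details": details}


def load_signatures(text):
    """Parse a pf.os-style file, skipping comments and blank lines."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            sigs.append(parse_signature(line))
    return sigs


def _window_matches(spec, window, mss):
    if spec == "*":
        return True
    if spec.startswith("%"):
        n = int(spec[1:])
        return n > 0 and window % n == 0
    if spec.startswith("S"):
        return mss > 0 and window == int(spec[1:]) * mss
    return window == int(spec)


def _options_match(spec_opts, pkt_opts):
    """pkt_opts: [(kind, value)] in wire order, e.g. ('M', 1460), ('N', None), ('W', 7).
    For 'T' the value is 1 if the timestamp was non-zero, else 0."""
    if len(spec_opts) != len(pkt_opts):
        return False
    for spec, (kind, value) in zip(spec_opts, pkt_opts):
        if spec[0] != kind:
            return False
        arg = spec[1:]
        if arg not in ("", "*") and int(arg) != value:
            return False
    return True


def match_syn(syn, sigs):
    """Return the signatures a SYN summary matches; [] means unknown OS."""
    mss = next((v for k, v in syn["opts"] if k == "M"), 0)
    hits = []
    for s in sigs:
        if s["df"] != syn["df"] or s["size"] != syn["size"]:
            continue
        if not (s["ttl"] - MAX_HOPS < syn["ttl"] <= s["ttl"]):
            continue
        if not _window_matches(s["wsize"], syn["window"], mss):
            continue
        if _options_match(s["opts"], syn["opts"]):
            hits.append(s)
    return hits


def genres(syn, sigs):
    return [s["genre"] for s in match_syn(syn, sigs)]


# Constructed signatures in the layout above; not copied from OpenBSD's pf.os.
SIGNATURES = """\
# wsize:ttl:df:size:options:genre:version:subtype:details
S4:64:1:60:M*,S,T,N,W7:ExampleOS:5.x::ExampleOS 5.x (constructed)
65535:128:1:48:M*,N,N,S:OtherOS:A::OtherOS A (constructed)
%8192:64:0:44:M*:Embedded:1::Embedded 1 (constructed)
"""

# Constructed SYN summaries (the fields a sniffer would pull from the IP/TCP headers).
SYN_A = {"window": 5840, "ttl": 52, "df": 1, "size": 60,
         "opts": [("M", 1460), ("S", None), ("T", 1), ("N", None), ("W", 7)]}
SYN_B = {"window": 65535, "ttl": 120, "df": 1, "size": 48,
         "opts": [("M", 1380), ("N", None), ("N", None), ("S", None)]}

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES)
    for name, syn in (("A", SYN_A), ("B", SYN_B)):
        print(name, genres(syn, sigs) or ["unknown"])
```

The option-order check is deliberately strict (same kinds, same sequence, same count), since ordering is one of the properties the message lists as distinguishing; loosening it is the first thing to revisit if a signature set produces too many misses.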
  29. 02 May 2009, 1 commit
  30. 24 Apr 2009, 1 commit
  31. 06 Apr 2009, 1 commit
  32. 30 Mar 2009, 1 commit