linux.git/include/linux/netfilter/Kbuild, branch v2.6.27 Linux kernel source tree [NETFILTER]: Make sure xt_policy.h is unifdef'ed. 2008-02-20T01:19:14+00:00 Robert P. J. Day rpjday@crashcourse.ca 2008-02-20T01:19:14+00:00 651acc9893f2cd036e9485ce782d0c4cffbc27f5 Since the header file xt_policy.h tests __KERNEL__, it should be unifdef'ed before exporting to userspace. Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Since the header file xt_policy.h tests __KERNEL__, it should be
unifdef'ed before exporting to userspace.

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Rename ipt_iprange to xt_iprange 2008-01-28T23:02:27+00:00 Jan Engelhardt jengelh@computergmbh.de 2008-01-15T07:42:47+00:00 f72e25a897c7edda03a0e1f767925d98772684da This patch moves ipt_iprange to xt_iprange, in preparation for adding IPv6 support to xt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: x_tables: add rateest match 2008-01-28T22:56:03+00:00 Patrick McHardy kaber@trash.net 2007-12-04T12:02:19+00:00 50c164a81f1c0dfad056f99e5685537fdd0f07dd Add rate estimator match. The rate estimator match can match on estimated rates by the RATEEST target. It supports matching on absolute bps/pps values, comparing two rate estimators and matching on the difference between two rate estimators. This is what I use to route outgoing data connections from a FTP server over two lines based on the available bandwidth: # estimate outgoing rates iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 \ --rateest-interval 250ms \ --rateest-ewma 0.5s iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 \ --rateest-interval 250ms \ --rateest-ewma 0.5s # mark based on available bandwidth iptables -t mangle -A BALANCE -m state --state NEW \ -m helper --helper ftp \ -m rateest --rateest-delta \ --rateest1 eth0 \ --rateest-bps1 2.5mbit \ --rateest-gt \ --rateest2 ppp0 \ --rateest-bps2 2mbit \ -j CONNMARK --set-mark 0x1 iptables -t mangle -A BALANCE -m state --state NEW \ -m helper --helper ftp \ -m rateest --rateest-delta \ --rateest1 ppp0 \ --rateest-bps1 2mbit \ --rateest-gt \ --rateest2 eth0 \ --rateest-bps2 2.5mbit \ -j CONNMARK --set-mark 0x2 iptables -t mangle -A BALANCE -j CONNMARK --restore-mark Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add rate estimator match. The rate estimator match can match on
estimated rates by the RATEEST target. It supports matching on
absolute bps/pps values, comparing two rate estimators and matching
on the difference between two rate estimators.

This is what I use to route outgoing data connections from a FTP
server over two lines based on the  available bandwidth:

# estimate outgoing rates
iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 \
                                                     --rateest-interval 250ms \
                                                     --rateest-ewma 0.5s
iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 \
                                                     --rateest-interval 250ms \
                                                     --rateest-ewma 0.5s

# mark based on available bandwidth
iptables -t mangle -A BALANCE -m state --state NEW \
                              -m helper --helper ftp \
                              -m rateest --rateest-delta \
                                         --rateest1 eth0 \
                                         --rateest-bps1 2.5mbit \
                                         --rateest-gt \
                                         --rateest2 ppp0 \
                                         --rateest-bps2 2mbit \
                              -j CONNMARK --set-mark 0x1

iptables -t mangle -A BALANCE -m state --state NEW \
                              -m helper --helper ftp \
                              -m rateest --rateest-delta \
                                         --rateest1 ppp0 \
                                         --rateest-bps1 2mbit \
                                         --rateest-gt \
                                         --rateest2 eth0 \
                                         --rateest-bps2 2.5mbit \
                              -j CONNMARK --set-mark 0x2

iptables -t mangle -A BALANCE -j CONNMARK --restore-mark

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: x_tables: add RATEEST target 2008-01-28T22:56:02+00:00 Patrick McHardy kaber@trash.net 2007-12-05T07:40:05+00:00 5859034d7eb8793d3d78d3af515c4175e7b9d03a Add new rate estimator target (using gen_estimator). In combination with the rateest match (next patch) this can be used for load-based multipath routing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add new rate estimator target (using gen_estimator). In combination with
the rateest match (next patch) this can be used for load-based multipath
routing.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner 2008-01-28T22:55:55+00:00 Jan Engelhardt jengelh@computergmbh.de 2007-12-05T07:27:38+00:00 0265ab44bacc1a1e0e3f5873d8ca2d5a29e33db2 xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match on socket (non-)existence. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match
on socket (non-)existence.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Sort matches/targets in Kbuild file 2007-11-07T12:08:21+00:00 Jan Engelhardt jengelh@computergmbh.de 2007-11-06T04:42:16+00:00 b98e1747eecc19b872572c5fffedc1868531dac6 Sort matches and targets in the Kbuild file. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Sort matches and targets in the Kbuild file.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nfnetlink: convert to generic netlink attribute functions 2007-10-10T23:53:31+00:00 Patrick McHardy kaber@trash.net 2007-09-28T21:37:03+00:00 df6fb868d6118686805c2fa566e213a8f31c8e4f Get rid of the duplicated rtnetlink macros and use the generic netlink attribute functions. The old duplicated stuff is moved to a new header file that exists just for userspace. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Get rid of the duplicated rtnetlink macros and use the generic netlink
attribute functions. The old duplicated stuff is moved to a new header
file that exists just for userspace.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add xt_statistic.h to the header list for usermode programs 2007-08-05T04:18:16+00:00 Chuck Ebbert cebbert@redhat.com 2007-08-05T04:18:16+00:00 be1b685fe6c9928848b26b568eaa86ba8ce0046c Add xt_statistic.h to the list of headers to install. Apparently needed to build newer versions of iptables. Signed-off-by: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add xt_statistic.h to the list of headers to install.

Apparently needed to build newer versions of iptables.

Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: add IPv6-capable TCPMSS target 2007-02-08T20:39:16+00:00 Patrick McHardy kaber@trash.net 2007-02-07T23:09:46+00:00 cdd289a2f833b93e65b9a09a02c37f47a58140a8 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: x_tables: add NFLOG target 2006-12-03T05:31:31+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:38+00:00 baf7b1e11282127e068d149825cccec002091d61 Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.

Signed-off-by: Patrick McHardy <kaber@trash.net>