1. 23 Jul, 2010 6 commits
      netfilter: arptables: use arp_hdr_len() · f667009e
      Changli Gao authored
      Use arp_hdr_len().
      Signed-off-by: Changli Gao <xiaosuo@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      netfilter: nf_nat_core: merge the same lines · c36952e5
      Changli Gao authored
      proto->unique_tuple() will be called finally if the previous calls fail. This
      patch checks the false condition of (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
      instead, to avoid a duplicate line of code: proto->unique_tuple().
      Signed-off-by: Changli Gao <xiaosuo@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      netfilter: add xt_cpu match · e8648a1f
      Eric Dumazet authored
      In some situations a CPU match permits a better spreading of
      connections, or selects targets only for a given cpu.
      
      With Remote Packet Steering or a multiqueue NIC and appropriate IRQ
      affinities, we can distribute traffic on available cpus, per session.
      (All RX packets for a given flow are handled by a given cpu.)
      
      Some legacy applications not being SMP friendly, one way to scale a
      server is to run multiple copies of them.
      
      Instead of randomly choosing an instance, we can use the cpu number as a
      key so that the softirq handler for a whole instance is running on a single
      cpu, maximizing cache effects in the TCP/UDP stacks.
      
      Using NAT for example, a four-way machine might run four copies of a
      server application, using a separate listening port for each instance,
      but still presenting a unique external port:
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
              -j REDIRECT --to-port 8080
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
              -j REDIRECT --to-port 8081
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
              -j REDIRECT --to-port 8082
      
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
              -j REDIRECT --to-port 8083
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      IPVS: make FTP work with full NAT support · 7f1c4075
      Hannes Eder authored
      Use nf_conntrack/nf_nat code to do the packet mangling and the TCP
      sequence adjusting.  The function 'ip_vs_skb_replace' is now dead
      code, so it is removed.
      
      To SNAT FTP, use something like:
      
      % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
          --vport 21 -j SNAT --to-source 192.168.10.10
      and for the data connections in passive mode:
      
      % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
          --vportctl 21 -j SNAT --to-source 192.168.10.10
      Using '-m state --state RELATED' would also work.
      
      Make sure the kernel modules ip_vs_ftp, nf_conntrack_ftp, and
      nf_nat_ftp are loaded.
      
      [ up-port and minor fixes by Simon Horman <horms@verge.net.au> ]
      Signed-off-by: Hannes Eder <heder@google.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      IPVS: make friends with nf_conntrack · 7b215ffc
      Hannes Eder authored
      Update the nf_conntrack tuple in reply direction, as we will see
      traffic from the real server (RIP) to the client (CIP).  Once this is
      done we can use netfilter's SNAT in POSTROUTING, especially with
      xt_ipvs, to do source NAT, e.g.:
      
      % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 --vport 80 \
          -j SNAT --to-source 192.168.10.10
      
      [ minor fixes by Simon Horman <horms@verge.net.au> ]
      Signed-off-by: Hannes Eder <heder@google.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      netfilter: xt_ipvs (netfilter matcher for IPVS) · 9c3e1c39
      Hannes Eder authored
      This implements the kernel-space side of the netfilter matcher xt_ipvs.
      
      [ minor fixes by Simon Horman <horms@verge.net.au> ]
      Signed-off-by: Hannes Eder <heder@google.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      [ Patrick: added xt_ipvs.h to Kbuild ]
      Signed-off-by: Patrick McHardy <kaber@trash.net>