mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 09:03:30 +01:00
Implement CPU Fanout for NFQUEUE.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cc937ffaba
commit
eea9882953
@ -25,7 +25,7 @@
|
|||||||
# loaded after this one and replaces some of the functions declared here.
|
# loaded after this one and replaces some of the functions declared here.
|
||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_CAPVERSION=50004
|
SHOREWALL_CAPVERSION=50100
|
||||||
|
|
||||||
if [ -z "$g_basedir" ]; then
|
if [ -z "$g_basedir" ]; then
|
||||||
#
|
#
|
||||||
@ -2799,6 +2799,7 @@ determine_capabilities() {
|
|||||||
IFACE_MATCH=
|
IFACE_MATCH=
|
||||||
TCPMSS_TARGET=
|
TCPMSS_TARGET=
|
||||||
WAIT_OPTION=
|
WAIT_OPTION=
|
||||||
|
CPU_FANOUT=
|
||||||
|
|
||||||
AMANDA_HELPER=
|
AMANDA_HELPER=
|
||||||
FTP_HELPER=
|
FTP_HELPER=
|
||||||
@ -3096,7 +3097,12 @@ determine_capabilities() {
|
|||||||
qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
|
qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
|
||||||
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
||||||
fi
|
fi
|
||||||
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
|
||||||
|
if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
|
||||||
|
NFQUEUE_TARGET=Yes
|
||||||
|
qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -3294,6 +3300,7 @@ report_capabilities_unsorted() {
|
|||||||
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
|
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
|
||||||
report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
|
report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
|
||||||
report_capability "CT Target (CT_TARGET)" $CT_TARGET
|
report_capability "CT Target (CT_TARGET)" $CT_TARGET
|
||||||
|
report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
|
||||||
|
|
||||||
echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
|
echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
|
||||||
echo " Capabilities Version (CAPVERSION): $CAPVERSION"
|
echo " Capabilities Version (CAPVERSION): $CAPVERSION"
|
||||||
@ -3399,6 +3406,7 @@ report_capabilities_unsorted1() {
|
|||||||
report_capability1 IFACE_MATCH
|
report_capability1 IFACE_MATCH
|
||||||
report_capability1 TCPMSS_TARGET
|
report_capability1 TCPMSS_TARGET
|
||||||
report_capability1 WAIT_OPTION
|
report_capability1 WAIT_OPTION
|
||||||
|
report_capability1 CPU_FANOUT
|
||||||
|
|
||||||
report_capability1 AMANDA_HELPER
|
report_capability1 AMANDA_HELPER
|
||||||
report_capability1 FTP_HELPER
|
report_capability1 FTP_HELPER
|
||||||
|
@ -412,6 +412,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
IFACE_MATCH => 'Iface Match',
|
IFACE_MATCH => 'Iface Match',
|
||||||
TCPMSS_TARGET => 'TCPMSS Target',
|
TCPMSS_TARGET => 'TCPMSS Target',
|
||||||
WAIT_OPTION => 'iptables --wait option',
|
WAIT_OPTION => 'iptables --wait option',
|
||||||
|
CPU_FANOUT => 'NFQUEUE CPU Fanout',
|
||||||
|
|
||||||
AMANDA_HELPER => 'Amanda Helper',
|
AMANDA_HELPER => 'Amanda Helper',
|
||||||
FTP_HELPER => 'FTP Helper',
|
FTP_HELPER => 'FTP Helper',
|
||||||
@ -748,7 +749,7 @@ sub initialize( $;$$) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
VERSION => "5.0.9-Beta2",
|
VERSION => "5.0.9-Beta2",
|
||||||
CAPVERSION => 50004 ,
|
CAPVERSION => 50100 ,
|
||||||
BLACKLIST_LOG_TAG => '',
|
BLACKLIST_LOG_TAG => '',
|
||||||
RELATED_LOG_TAG => '',
|
RELATED_LOG_TAG => '',
|
||||||
MACLIST_LOG_TAG => '',
|
MACLIST_LOG_TAG => '',
|
||||||
@ -1035,6 +1036,7 @@ sub initialize( $;$$) {
|
|||||||
IFACE_MATCH => undef,
|
IFACE_MATCH => undef,
|
||||||
TCPMSS_TARGET => undef,
|
TCPMSS_TARGET => undef,
|
||||||
WAIT_OPTION => undef,
|
WAIT_OPTION => undef,
|
||||||
|
CPU_FANOUT => undef,
|
||||||
|
|
||||||
AMANDA_HELPER => undef,
|
AMANDA_HELPER => undef,
|
||||||
FTP_HELPER => undef,
|
FTP_HELPER => undef,
|
||||||
@ -4845,6 +4847,10 @@ sub Tcpmss_Target() {
|
|||||||
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
|
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Cpu_Fanout() {
|
||||||
|
have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
|
||||||
|
}
|
||||||
|
|
||||||
our %detect_capability =
|
our %detect_capability =
|
||||||
( ACCOUNT_TARGET =>\&Account_Target,
|
( ACCOUNT_TARGET =>\&Account_Target,
|
||||||
AMANDA_HELPER => \&Amanda_Helper,
|
AMANDA_HELPER => \&Amanda_Helper,
|
||||||
@ -4861,6 +4867,7 @@ our %detect_capability =
|
|||||||
CONNMARK => \&Connmark,
|
CONNMARK => \&Connmark,
|
||||||
CONNMARK_MATCH => \&Connmark_Match,
|
CONNMARK_MATCH => \&Connmark_Match,
|
||||||
CONNTRACK_MATCH => \&Conntrack_Match,
|
CONNTRACK_MATCH => \&Conntrack_Match,
|
||||||
|
CPU_FANOUT => \&Cpu_Fanout,
|
||||||
CT_TARGET => \&Ct_Target,
|
CT_TARGET => \&Ct_Target,
|
||||||
DSCP_MATCH => \&Dscp_Match,
|
DSCP_MATCH => \&Dscp_Match,
|
||||||
DSCP_TARGET => \&Dscp_Target,
|
DSCP_TARGET => \&Dscp_Target,
|
||||||
@ -5088,6 +5095,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
|
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
|
||||||
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
|
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
|
||||||
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
|
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
|
||||||
|
$capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' );
|
||||||
|
|
||||||
unless ( have_capability 'CT_TARGET' ) {
|
unless ( have_capability 'CT_TARGET' ) {
|
||||||
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
||||||
|
@ -574,7 +574,7 @@ sub process_default_action( $$$$ ) {
|
|||||||
#
|
#
|
||||||
sub handle_nfqueue( $$ ) {
|
sub handle_nfqueue( $$ ) {
|
||||||
my ($params, $allow_bypass ) = @_;
|
my ($params, $allow_bypass ) = @_;
|
||||||
my ( $action, $bypass );
|
my ( $action, $bypass, $fanout );
|
||||||
my ( $queue1, $queue2, $queuenum1, $queuenum2 );
|
my ( $queue1, $queue2, $queuenum1, $queuenum2 );
|
||||||
|
|
||||||
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
|
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
|
||||||
@ -600,6 +600,7 @@ sub handle_nfqueue( $$ ) {
|
|||||||
fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
|
fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
|
||||||
|
|
||||||
if ( supplied $queue2 ) {
|
if ( supplied $queue2 ) {
|
||||||
|
$fanout = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
|
||||||
$queuenum2 = numeric_value( $queue2 );
|
$queuenum2 = numeric_value( $queue2 );
|
||||||
|
|
||||||
fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
|
fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
|
||||||
@ -621,7 +622,8 @@ sub handle_nfqueue( $$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( supplied $queue2 ) {
|
if ( supplied $queue2 ) {
|
||||||
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
|
require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
|
||||||
|
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
|
||||||
} else {
|
} else {
|
||||||
return "NFQUEUE --queue-num ${queuenum1}${bypass}";
|
return "NFQUEUE --queue-num ${queuenum1}${bypass}";
|
||||||
}
|
}
|
||||||
|
@ -629,7 +629,7 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Queues the packet to a user-space application using the
|
<para>Queues the packet to a user-space application using the
|
||||||
@ -648,12 +648,19 @@
|
|||||||
systems: start multiple instances of the userspace program on
|
systems: start multiple instances of the userspace program on
|
||||||
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
||||||
the same connection are put into the same nfqueue.</para>
|
the same connection are put into the same nfqueue.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
|
||||||
|
followed by the letter 'c' to indicate that the CPU ID will be
|
||||||
|
used as an index to map packets to the queues. The idea is
|
||||||
|
that you can improve performance if there's a queue per CPU.
|
||||||
|
Requires the NFQUEUE CPU Fanout capability in your kernel and
|
||||||
|
iptables.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold"><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
|
@ -606,7 +606,7 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Queues the packet to a user-space application using the
|
<para>Queues the packet to a user-space application using the
|
||||||
@ -625,17 +625,24 @@
|
|||||||
systems: start multiple instances of the userspace program on
|
systems: start multiple instances of the userspace program on
|
||||||
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
||||||
the same connection are put into the same nfqueue.</para>
|
the same connection are put into the same nfqueue.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
|
||||||
|
followed by the letter 'c' to indicate that the CPU ID will be
|
||||||
|
used as an index to map packets to the queues. The idea is
|
||||||
|
that you can improve performance if there's a queue per CPU.
|
||||||
|
Requires the NFQUEUE CPU Fanout capability in your kernel and
|
||||||
|
iptables.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold"><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user