holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement CPU Fanout for NFQUEUE.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-12-09 10:46:39 -08:00
parent cc937ffaba
commit eea9882953
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
5 changed files with 42 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Shorewall-core/lib.cli
View File

@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=50004 SHOREWALL_CAPVERSION=50100
if [ -z "$g_basedir" ]; then if [ -z "$g_basedir" ]; then
# #
@ -2799,6 +2799,7 @@ determine_capabilities() {
IFACE_MATCH= IFACE_MATCH=
TCPMSS_TARGET= TCPMSS_TARGET=
WAIT_OPTION= WAIT_OPTION=
CPU_FANOUT=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
@ -3096,7 +3097,12 @@ determine_capabilities() {
qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH HASHLIMIT_MATCH=$OLD_HL_MATCH
fi fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
fi
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
# #
@ -3294,6 +3300,7 @@ report_capabilities_unsorted() {
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
report_capability "CT Target (CT_TARGET)" $CT_TARGET report_capability "CT Target (CT_TARGET)" $CT_TARGET
report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
echo " Kernel Version (KERNELVERSION): $KERNELVERSION" echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
echo " Capabilities Version (CAPVERSION): $CAPVERSION" echo " Capabilities Version (CAPVERSION): $CAPVERSION"
@ -3399,6 +3406,7 @@ report_capabilities_unsorted1() {
report_capability1 IFACE_MATCH report_capability1 IFACE_MATCH
report_capability1 TCPMSS_TARGET report_capability1 TCPMSS_TARGET
report_capability1 WAIT_OPTION report_capability1 WAIT_OPTION
report_capability1 CPU_FANOUT
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER

10
Shorewall/Perl/Shorewall/Config.pm
View File

@ -412,6 +412,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
IFACE_MATCH => 'Iface Match', IFACE_MATCH => 'Iface Match',
TCPMSS_TARGET => 'TCPMSS Target', TCPMSS_TARGET => 'TCPMSS Target',
WAIT_OPTION => 'iptables --wait option', WAIT_OPTION => 'iptables --wait option',
CPU_FANOUT => 'NFQUEUE CPU Fanout',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
@ -748,7 +749,7 @@ sub initialize( $;$$) {
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => "5.0.9-Beta2", VERSION => "5.0.9-Beta2",
CAPVERSION => 50004 , CAPVERSION => 50100 ,
BLACKLIST_LOG_TAG => '', BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '', RELATED_LOG_TAG => '',
MACLIST_LOG_TAG => '', MACLIST_LOG_TAG => '',
@ -1035,6 +1036,7 @@ sub initialize( $;$$) {
IFACE_MATCH => undef, IFACE_MATCH => undef,
TCPMSS_TARGET => undef, TCPMSS_TARGET => undef,
WAIT_OPTION => undef, WAIT_OPTION => undef,
CPU_FANOUT => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
@ -4845,6 +4847,10 @@ sub Tcpmss_Target() {
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" ); qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
} }
sub Cpu_Fanout() {
have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AMANDA_HELPER => \&Amanda_Helper, AMANDA_HELPER => \&Amanda_Helper,
@ -4861,6 +4867,7 @@ our %detect_capability =
CONNMARK => \&Connmark, CONNMARK => \&Connmark,
CONNMARK_MATCH => \&Connmark_Match, CONNMARK_MATCH => \&Connmark_Match,
CONNTRACK_MATCH => \&Conntrack_Match, CONNTRACK_MATCH => \&Conntrack_Match,
CPU_FANOUT => \&Cpu_Fanout,
CT_TARGET => \&Ct_Target, CT_TARGET => \&Ct_Target,
DSCP_MATCH => \&Dscp_Match, DSCP_MATCH => \&Dscp_Match,
DSCP_TARGET => \&Dscp_Target, DSCP_TARGET => \&Dscp_Target,
@ -5088,6 +5095,7 @@ sub determine_capabilities() {
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' ); $capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' ); $capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' ); $capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
$capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' );
unless ( have_capability 'CT_TARGET' ) { unless ( have_capability 'CT_TARGET' ) {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH'; $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';

6
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -574,7 +574,7 @@ sub process_default_action( $$$$ ) {
# #
sub handle_nfqueue( $$ ) { sub handle_nfqueue( $$ ) {
my ($params, $allow_bypass ) = @_; my ($params, $allow_bypass ) = @_;
my ( $action, $bypass ); my ( $action, $bypass, $fanout );
my ( $queue1, $queue2, $queuenum1, $queuenum2 ); my ( $queue1, $queue2, $queuenum1, $queuenum2 );
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' ); require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@ -600,6 +600,7 @@ sub handle_nfqueue( $$ ) {
fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535; fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
if ( supplied $queue2 ) { if ( supplied $queue2 ) {
$fanout = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
$queuenum2 = numeric_value( $queue2 ); $queuenum2 = numeric_value( $queue2 );
fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2; fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@ -621,7 +622,8 @@ sub handle_nfqueue( $$ ) {
} }
if ( supplied $queue2 ) { if ( supplied $queue2 ) {
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}"; require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
} else { } else {
return "NFQUEUE --queue-num ${queuenum1}${bypass}"; return "NFQUEUE --queue-num ${queuenum1}${bypass}";
} }

11
Shorewall/manpages/shorewall-rules.xml
View File

@ -629,7 +629,7 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term> role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
<listitem> <listitem>
<para>Queues the packet to a user-space application using the <para>Queues the packet to a user-space application using the
@ -648,12 +648,19 @@
systems: start multiple instances of the userspace program on systems: start multiple instances of the userspace program on
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
the same connection are put into the same nfqueue.</para> the same connection are put into the same nfqueue.</para>
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be
used as an index to map packets to the queues. The idea is
that you can improve performance if there's a queue per CPU.
Requires the NFQUEUE CPU Fanout capability in your kernel and
iptables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold"><emphasis <term><emphasis role="bold"><emphasis
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term> role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
<listitem> <listitem>
<para>like NFQUEUE but exempts the rule from being suppressed <para>like NFQUEUE but exempts the rule from being suppressed

13
Shorewall6/manpages/shorewall6-rules.xml
View File

@ -606,7 +606,7 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term> role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
<listitem> <listitem>
<para>Queues the packet to a user-space application using the <para>Queues the packet to a user-space application using the
@ -625,17 +625,24 @@
systems: start multiple instances of the userspace program on systems: start multiple instances of the userspace program on
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
the same connection are put into the same nfqueue.</para> the same connection are put into the same nfqueue.</para>
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be
used as an index to map packets to the queues. The idea is
that you can improve performance if there's a queue per CPU.
Requires the NFQUEUE CPU Fanout capability in your kernel and
iptables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold"><emphasis <term><emphasis role="bold"><emphasis
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term> role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
<listitem> <listitem>
<para>like NFQUEUE but exempts the rule from being suppressed <para>like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>