extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
authorholger@eitzenberger.org <holger@eitzenberger.org>
Tue, 2 Apr 2013 00:35:39 +0000 (00:35 +0000)
committerPablo Neira Ayuso <pablo@soleta.eu>
Wed, 29 May 2013 17:26:03 +0000 (19:26 +0200)
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libxt_NFQUEUE.c
extensions/libxt_NFQUEUE.man
include/linux/netfilter/xt_NFQUEUE.h

index 8c2f69998005c76ec58980bdd81d8bc52cb48879..0c869187abf38a02235f0f310fbacb071e48c8e0 100644 (file)
@@ -13,8 +13,10 @@ enum {
        O_QUEUE_NUM = 0,
        O_QUEUE_BALANCE,
        O_QUEUE_BYPASS,
+       O_QUEUE_CPU_FANOUT,
        F_QUEUE_NUM     = 1 << O_QUEUE_NUM,
        F_QUEUE_BALANCE = 1 << O_QUEUE_BALANCE,
+       F_QUEUE_CPU_FANOUT = 1 << O_QUEUE_CPU_FANOUT,
 };
 
 static void NFQUEUE_help(void)
@@ -37,7 +39,15 @@ static void NFQUEUE_help_v2(void)
 {
        NFQUEUE_help_v1();
        printf(
-"  --queue-bypass              Bypass Queueing if no queue instance exists.\n");
+"  --queue-bypass              Bypass Queueing if no queue instance exists.\n"
+"  --queue-cpu-fanout  Use current CPU (no hashing)\n");
+}
+
+static void NFQUEUE_help_v3(void)
+{
+       NFQUEUE_help_v2();
+       printf(
+"  --queue-cpu-fanout  Use current CPU (no hashing)\n");
 }
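Review bot: The `--queue-cpu-fanout` help line is printed twice for revision 3: NFQUEUE_help_v2 now emits it on the added line, and NFQUEUE_help_v3 calls NFQUEUE_help_v2 and then prints the same line again. It also does not belong in the v2 help at all, since struct xt_NFQ_info_v2 carries no flags field that could honour the option; keep NFQUEUE_help_v2 ending with `"  --queue-bypass              Bypass Queueing if no queue instance exists.\n");` and leave the new line to NFQUEUE_help_v3 only. While there, pad the option name to the same column as the other lines, `"  --queue-cpu-fanout          Use current CPU (no hashing)\n");`, so the help output stays aligned.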
 
 #define s struct xt_NFQ_info
@@ -48,6 +58,8 @@ static const struct xt_option_entry NFQUEUE_opts[] = {
        {.name = "queue-balance", .id = O_QUEUE_BALANCE,
         .type = XTTYPE_UINT16RC, .excl = F_QUEUE_NUM},
        {.name = "queue-bypass", .id = O_QUEUE_BYPASS, .type = XTTYPE_NONE},
+       {.name = "queue-cpu-fanout", .id = O_QUEUE_CPU_FANOUT,
+        .type = XTTYPE_NONE, .also = F_QUEUE_BALANCE},
        XTOPT_TABLEEND,
 };
 #undef s
@@ -92,6 +104,18 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
        }
 }
 
+static void NFQUEUE_parse_v3(struct xt_option_call *cb)
+{
+       struct xt_NFQ_info_v3 *info = cb->data;
+
+       NFQUEUE_parse_v2(cb);
+       switch (cb->entry->id) {
+       case O_QUEUE_CPU_FANOUT:
+               info->flags |= NFQ_FLAG_CPU_FANOUT;
+               break;
+       }
+}
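Review bot: NFQUEUE_parse_v3 reads `cb->data` as struct xt_NFQ_info_v3 but first hands the same buffer to NFQUEUE_parse_v2, which (by its name and the v2 code this hunk does not show) treats it as struct xt_NFQ_info_v2; this is only correct because the header hunk lays out v3 as v2 with `bypass` renamed to `flags`, and nothing in the code records that dependency. A one-line comment above the `NFQUEUE_parse_v2(cb);` call, such as `/* v3 is v2 with "bypass" renamed to "flags"; let parse_v2 fill the common fields */`, would protect the next person who changes either struct. The same reliance on layout compatibility appears in NFQUEUE_print_v3 and NFQUEUE_save_v3 below, where `info->flags & NFQ_FLAG_CPU_FANOUT` is read after the v2 routine has interpreted the same bytes as `bypass`.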
+
 static void NFQUEUE_print(const void *ip,
                           const struct xt_entry_target *target, int numeric)
 {
@@ -120,10 +144,20 @@ static void NFQUEUE_print_v2(const void *ip,
        const struct xt_NFQ_info_v2 *info = (void *) target->data;
 
        NFQUEUE_print_v1(ip, target, numeric);
-       if (info->bypass)
+       if (info->bypass & NFQ_FLAG_BYPASS)
                printf(" bypass");
 }
 
+static void NFQUEUE_print_v3(const void *ip,
+                             const struct xt_entry_target *target, int numeric)
+{
+       const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+       NFQUEUE_print_v2(ip, target, numeric);
+       if (info->flags & NFQ_FLAG_CPU_FANOUT)
+               printf(" cpu-fanout");
+}
+
 static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
 {
        const struct xt_NFQ_info *tinfo =
@@ -151,10 +185,20 @@ static void NFQUEUE_save_v2(const void *ip, const struct xt_entry_target *target
 
        NFQUEUE_save_v1(ip, target);
 
-       if (info->bypass)
+       if (info->bypass & NFQ_FLAG_BYPASS)
                printf(" --queue-bypass");
 }
 
+static void NFQUEUE_save_v3(const void *ip,
+                           const struct xt_entry_target *target)
+{
+       const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+       NFQUEUE_save_v2(ip, target);
+       if (info->flags & NFQ_FLAG_CPU_FANOUT)
+               printf(" --queue-cpu-fanout");
+}
+
 static void NFQUEUE_init_v1(struct xt_entry_target *t)
 {
        struct xt_NFQ_info_v1 *tinfo = (void *)t->data;
@@ -199,6 +243,19 @@ static struct xtables_target nfqueue_targets[] = {
        .save           = NFQUEUE_save_v2,
        .x6_parse       = NFQUEUE_parse_v2,
        .x6_options     = NFQUEUE_opts,
+},{
+       .family         = NFPROTO_UNSPEC,
+       .revision       = 3,
+       .name           = "NFQUEUE",
+       .version        = XTABLES_VERSION,
+       .size           = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+       .userspacesize  = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+       .help           = NFQUEUE_help_v3,
+       .init           = NFQUEUE_init_v1,
+       .print          = NFQUEUE_print_v3,
+       .save           = NFQUEUE_save_v3,
+       .x6_parse       = NFQUEUE_parse_v3,
+       .x6_options     = NFQUEUE_opts,
 }
 };
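Review bot: The new revision 3 target sets `.x6_options = NFQUEUE_opts`, the same table the revision 2 target above uses, and that shared table now contains the `queue-cpu-fanout` entry added in the options hunk. On a kernel that only offers revision 2, `--queue-cpu-fanout` is therefore accepted by the option parser, yet struct xt_NFQ_info_v2 has no flags field and, as far as the visible hunks show, NFQUEUE_parse_v2 has no case for O_QUEUE_CPU_FANOUT, so the rule is installed without fan-out and without any error to the user. Declaring a second table (say `NFQUEUE_opts_v3`) that carries the `queue-cpu-fanout` entry, dropping that entry from `NFQUEUE_opts`, and pointing only the revision 3 target at it with `.x6_options = NFQUEUE_opts_v3,` would make the option fail loudly where it cannot take effect.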
 
index f11e0c89cc9f32217abbed3948879e91911b3f67..7a9912919c312c8b6c60f905bcdfa4f88c0f54b0 100644 (file)
@@ -23,3 +23,10 @@ Packets belonging to the same connection are put into the same nfqueue.
 By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
 are dropped.  When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
 will move on to the next table.
+.PP
+.TP
+\fB\-\-queue\-cpu-fanout\fP
+Available starting Linux kernel 3.10. When used together with
+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
+the queues. The idea is that you can improve performance if there's a queue
+per CPU. This requires \fB--queue-balance\fP to be specified.
index 9eafdbbb401cd3609095c2395e541d5ddef0b869..8bb5fe657d34bbeba55f1026cbc667745c52fd42 100644 (file)
@@ -26,4 +26,13 @@ struct xt_NFQ_info_v2 {
        __u16 bypass;
 };
 
+struct xt_NFQ_info_v3 {
+       __u16 queuenum;
+       __u16 queues_total;
+       __u16 flags;
+#define NFQ_FLAG_BYPASS                0x01 /* for compatibility with v2 */
+#define NFQ_FLAG_CPU_FANOUT    0x02 /* use current CPU (no hashing) */
+#define NFQ_FLAG_MASK          0x03
+};
+
 #endif /* _XT_NFQ_TARGET_H */