A 64-bit kernel will interpret the pointer with 64 bits width, while
a 32-bit userspace filled in only 32 of it, leaving the other 32
undefined. This must be avoided.

The subnet list may become really large (United States: ~15000
entries), which means a use of roughly 120 KB, and kmalloc may fail
to find a contiguous block in physical memory. Virtual contiguity is
enough, so use vmalloc/vfree.
vfree may not be called within a spin_lock_bh area, so release the
lock first; it is safe to do so.

Certain countries have lots (around 10000) of IP address ranges
(US, GB, DE, ...). The current linear search is really bad:

No firewall:
3000 packets transmitted, 3000 received, 0% packet loss, time 1992ms

Testing against the countries with top 50 IP ranges:
3000 packets transmitted, 3000 received, 0% packet loss, time 8998ms

With binary search:
3000 packets transmitted, 3000 received, 0% packet loss, time 2358ms

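The commit above replaces a linear scan of the per-country subnet table with a binary search. The following is an added illustration of that idea in userspace C, not the xtables-addons module code: both lookups run over a small constructed table of inclusive [start, end] ranges in host byte order, and each reports how many table entries it had to examine. The binary search relies on the same precondition the module relies on, namely that the table is sorted by range start and the ranges do not overlap; `validate_sorted` checks that, and the helper names (`ip4`, `match_linear`, `match_binary`) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One subnet range, host byte order, both ends inclusive. */
struct ip_range {
    uint32_t start;
    uint32_t end;
};

/* Pack a dotted quad into a host-order 32-bit integer (example helper). */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed sample table: sorted by start, non-overlapping.
 * A real country table has thousands of such entries. */
static const struct ip_range sample_ranges[] = {
    { 0x0A000000u, 0x0A0000FFu }, /* 10.0.0.0    - 10.0.0.255     */
    { 0x0A000200u, 0x0A0002FFu }, /* 10.0.2.0    - 10.0.2.255     */
    { 0xC0A80000u, 0xC0A8FFFFu }, /* 192.168.0.0 - 192.168.255.255 */
    { 0xCB007100u, 0xCB0071FFu }, /* 203.0.113.0 - 203.0.113.255  */
};
static const size_t sample_count =
    sizeof(sample_ranges) / sizeof(sample_ranges[0]);

/* Precondition for binary search: every range well-formed, table sorted
 * by start, no overlap between neighbours. */
static bool validate_sorted(const struct ip_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].start > r[i].end)
            return false;
        if (i > 0 && r[i - 1].end >= r[i].start)
            return false;
    }
    return true;
}

/* Linear scan, O(n): examines entries until a hit or the end of the table.
 * If steps is non-NULL it receives the number of entries examined. */
static bool match_linear(const struct ip_range *r, size_t n, uint32_t addr,
                         size_t *steps)
{
    size_t examined = 0;
    bool hit = false;
    for (size_t i = 0; i < n; i++) {
        examined++;
        if (addr >= r[i].start && addr <= r[i].end) {
            hit = true;
            break;
        }
    }
    if (steps)
        *steps = examined;
    return hit;
}

/* Binary search, O(log n): locate the last range whose start <= addr,
 * then a single end comparison decides. Requires validate_sorted(). */
static bool match_binary(const struct ip_range *r, size_t n, uint32_t addr,
                         size_t *steps)
{
    size_t lo = 0, hi = n, examined = 0;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        examined++;
        if (r[mid].start <= addr)
            lo = mid + 1;
        else
            hi = mid;
    }
    if (steps)
        *steps = examined;
    if (lo == 0)               /* addr precedes every range */
        return false;
    return addr <= r[lo - 1].end;
}

int main(void)
{
    uint32_t probes[] = { ip4(10, 0, 0, 5), ip4(10, 0, 1, 0),
                          ip4(192, 168, 3, 4), ip4(203, 0, 113, 7),
                          ip4(203, 0, 114, 1) };
    if (!validate_sorted(sample_ranges, sample_count)) {
        fprintf(stderr, "table is not sorted/non-overlapping\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        size_t ls, bs;
        bool l = match_linear(sample_ranges, sample_count, probes[i], &ls);
        bool b = match_binary(sample_ranges, sample_count, probes[i], &bs);
        printf("%08x linear=%d(%zu steps) binary=%d(%zu steps)\n",
               probes[i], l, ls, b, bs);
    }
    return 0;
}
```

With four entries the two searches look similar; with the ~10000 entries the commit mentions the linear scan examines up to 10000 entries per packet while the binary search stays around 14, which is the difference the ping timings above reflect.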
find_node: The reference count needs to be increased while the lock
is held. Otherwise, the node may disappear right after the lock was
released and increase was attempted, leading to an oops.
remove_node: The reference count needs to be checked while the lock
is held. Otherwise, the node may be used in the match function or
returned from find_node while it has a zero refcount.

If xtables.h is to be found in a directory other than included in the
default preprocessor search path, compilation failed because the path
specified with --with-xtables= was not passed to gcc.

Some code already uses ip_hdr() functions which did not exist in
2.6.21 and I do not feel like adding more compat code.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

The extension modules use the API of a fairly recent kernel, if not
even the networking git tree. To make it work with older Linux
kernels, an API wrapper is added. Should compile against
running-kernels Linux 2.6.19..current (tested: 2.6.22..current).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

Populate the iptables-addons repository with two modules, xt_TARPIT
and xt_TEE, as a starting point.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>