For the header file, we need __u32 and so on because they are exported
to userspace and rather constitute a kernel header.
Use normal types instead of uintXX_t in the main code.
spin_lock_bh does not look safe (only disables preempt on current
CPU?). Change to spin_lock, that also avoids the management overhead
of spin_lock_bh. to spin_lock to avoid management overhead.
Use rcu in match and destroy function.
A 64-bit kernel will interpret the pointer with 64 bits width, while
a 32-bit userspace filled in only 32 of it, leaving the other 32
undefined. This must be avoided.
The subnet list may become really large (United States: ~15000
entries), which means a use of roughly 120 KB, and kmalloc may fail
to find a contiguous block in physical memory. Virtual contiguity is
enough, so use vmalloc/vfree.
vfree may not be called within a spin_lock_bh area, so release the
lock first, it is safe to do so.
Certain countries have lots (around 10000) of IP address ranges
(US,GB,DE,...). The current linear search is really bad:
No firewall:
3000 packets transmitted, 3000 received, 0% packet loss, time 1992ms
Testing against the countries with top 50 IP ranges:
3000 packets transmitted, 3000 received, 0% packet loss, time 8998ms
With binary search:
3000 packets transmitted, 3000 received, 0% packet loss, time 2358ms
find_node: The reference count needs to be increased while the lock
is held. Otherwise, the node may disappear right after the lock was
released and increase was attempted, leading to an oops.
remove_node: The reference count needs to be checked while the lock
is held. Otherwise, the node may be used in the match function or
returned from find_node while it has a zero refcount.
If xtables.h is to be found in a directory other than included in the
default preprocessor search path, compilation failed because the path
specified with --with-xtables= was not passed to gcc.
Some code already uses ip_hdr() functions which did not exist in
2.6.21 and I do not feel like adding more compat code.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
The extension modules use the API of a fairly recent kernel, if not
even the networking git tree. To make it work with older Linux
kernels, an API wrapper is added. Should compile against
running-kernels Linux 2.6.19..current (tested: 2.6.22..current).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Populate the iptables-addons repository with two modules, xt_TARPIT
and xt_TEE, as a starting point.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
