Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree. A couple of new features for nf_tables, and unsorted cleanups and
incremental updates for the Netfilter tree. More specifically, they are:

1) Allow to check for TCP option presence via nft_exthdr, patch from
   Phil Sutter.

2) Add symmetric hash support to nft_hash, from Laura Garcia Liebana.

3) Use pr_cont() in ebt_log, from Joe Perches.

4) Remove some dead code in arp_tables reported via static analysis
   tool, from Colin Ian King.

5) Consolidate nf_tables expression validation, from Liping Zhang.

6) Consolidate set lookup via nft_set_lookup().

7) Remove unnecessary rcu read lock side in bridge netfilter, from
   Florian Westphal.

8) Remove unused variable in nf_reject_ipv4, from Tahee Yoo.

9) Pass nft_ctx struct to object initialization indirections, from
   Florian Westphal.

10) Add code to integrate conntrack helper into nf_tables, also from
    Florian.

11) Allow to check if interface index or name exists via
    NFTA_FIB_F_PRESENT, from Phil Sutter.

12) Simplify resolve_normal_ct(), from Florian.

13) Use per-limit spinlock in nft_limit and xt_limit, from Liping Zhang.

14) Use rwlock in nft_set_rbtree set, also from Liping Zhang.

15) One patch to remove a useless printk at netns init path in ipvs,
    and several patches to document IPVS knobs.

16) Use refcount_t for reference counter in the Netfilter/IPVS code,
    from Elena Reshetova.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
@@ -175,6 +175,14 @@ nat_icmp_send - BOOLEAN
for VS/NAT when the load balancer receives packets from real
servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
0 - disabled
not 0 - enabled (default)

By default, reject with FRAG_NEEDED all DF packets that exceed
the PMTU, irrespective of the forwarding method. For TUN method
the flag can be disabled to fragment such packets.

secure_tcp - INTEGER
0 - disabled (default)

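Review bot: the pmtu_disc entry documents the enabled behaviour but not the disabled one for non-TUN methods; "For TUN method the flag can be disabled to fragment such packets" reads as if setting the knob to 0 only matters for TUN, so state explicitly what happens to DF packets larger than the PMTU under NAT and DR when pmtu_disc is 0 (still rejected with FRAG_NEEDED, or forwarded as-is). Minor wording point: "By default, reject with FRAG_NEEDED all DF packets ..." would be clearer as "When enabled, reject with FRAG_NEEDED all DF packets ...", since the default is already stated on the "not 0 - enabled (default)" line.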
@@ -185,15 +193,59 @@ secure_tcp - INTEGER
The value definition is the same as that of drop_entry and
drop_packet.

sync_threshold - INTEGER
default 3
sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
default 3 50

It sets synchronization threshold, which is the minimum number
of incoming packets that a connection needs to receive before
the connection will be synchronized. A connection will be
synchronized, every time the number of its incoming packets
modulus 50 equals the threshold. The range of the threshold is
from 0 to 49.
It sets synchronization threshold, which is the minimum number
of incoming packets that a connection needs to receive before
the connection will be synchronized. A connection will be
synchronized, every time the number of its incoming packets
modulus sync_period equals the threshold. The range of the
threshold is from 0 to sync_period.

When sync_period and sync_refresh_period are 0, send sync only
for state changes or only once when pkts matches sync_threshold

sync_refresh_period - UNSIGNED INTEGER
default 0

In seconds, difference in reported connection timer that triggers
new sync message. It can be used to avoid sync messages for the
specified period (or half of the connection timeout if it is lower)
if connection state is not changed since last sync.

This is useful for normal connections with high traffic to reduce
sync rate. Additionally, retry sync_retries times with period of
sync_refresh_period/8.

sync_retries - INTEGER
default 0

Defines sync retries with period of sync_refresh_period/8. Useful
to protect against loss of sync messages. The range of the
sync_retries is from 0 to 3.

sync_qlen_max - UNSIGNED LONG

Hard limit for queued sync messages that are not sent yet. It
defaults to 1/32 of the memory pages but actually represents
number of messages. It will protect us from allocating large
parts of memory when the sending rate is lower than the queuing
rate.

sync_sock_size - INTEGER
default 0

Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
Default value is 0 (preserve system defaults).

sync_ports - INTEGER
default 1

The number of threads that master and backup servers can use for
sync traffic. Every thread will use single UDP port, thread 0 will
use the default port 8848 while last thread will use port
8848+sync_ports-1.

snat_reroute - BOOLEAN
0 - disabled
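Review bot: the new range statement "The range of the threshold is from 0 to sync_period" contradicts the rule two lines above it ("the number of its incoming packets modulus sync_period equals the threshold"): a remainder modulo sync_period is at most sync_period-1, so a threshold equal to sync_period can never match and a sync would never be sent. The old text had this right for the fixed period ("from 0 to 49" for modulus 50); make the new text "from 0 to sync_period-1" to keep the same property. Two smaller documentation points in the same hunk: the sentence "When sync_period and sync_refresh_period are 0, send sync only for state changes or only once when pkts matches sync_threshold" lacks its closing full stop, and sync_qlen_max is the only new entry without a "default" line under its header (the 1/32-of-memory-pages default is described only in the prose), which breaks the layout the neighbouring entries use.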