author | Patrick McHardy <kaber@trash.net> | 2007-12-04 07:02:19 -0500 |
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:56:03 -0500 |
commit | 50c164a81f1c0dfad056f99e5685537fdd0f07dd (patch) | |
tree | 8f1383e3bdff0de1969dc280faf11b3e4bf01ef8 /include/linux | |
parent | 5859034d7eb8793d3d78d3af515c4175e7b9d03a (diff) |
[NETFILTER]: x_tables: add rateest match
Add rate estimator match. The rate estimator match can match on
rates estimated by the RATEEST target. It supports matching on
absolute bps/pps values, comparing two rate estimators and matching
on the difference between two rate estimators.
This is what I use to route outgoing data connections from a FTP
server over two lines based on the available bandwidth:
# estimate outgoing rates
iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 \
--rateest-interval 250ms \
--rateest-ewma 0.5s
iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 \
--rateest-interval 250ms \
--rateest-ewma 0.5s
# mark based on available bandwidth
iptables -t mangle -A BALANCE -m state --state NEW \
-m helper --helper ftp \
-m rateest --rateest-delta \
--rateest1 eth0 \
--rateest-bps1 2.5mbit \
--rateest-gt \
--rateest2 ppp0 \
--rateest-bps2 2mbit \
-j CONNMARK --set-mark 0x1
iptables -t mangle -A BALANCE -m state --state NEW \
-m helper --helper ftp \
-m rateest --rateest-delta \
--rateest1 ppp0 \
--rateest-bps1 2mbit \
--rateest-gt \
--rateest2 eth0 \
--rateest-bps2 2.5mbit \
-j CONNMARK --set-mark 0x2
iptables -t mangle -A BALANCE -j CONNMARK --restore-mark
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/netfilter/Kbuild | 1 | ||||
-rw-r--r-- | include/linux/netfilter/xt_rateest.h | 33 |
2 files changed, 34 insertions, 0 deletions
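--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -30,6 +30,7 @@ header-y += xt_multiport.h
 header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_policy.h
+header-y += xt_rateest.h
 header-y += xt_realm.h
 header-y += xt_sctp.h
 header-y += xt_state.h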
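--- /dev/null
+++ b/include/linux/netfilter/xt_rateest.h
@@ -0,0 +1,33 @@
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H
+
+enum xt_rateest_match_flags {
+XT_RATEEST_MATCH_INVERT = 1<<0,
+XT_RATEEST_MATCH_ABS = 1<<1,
+XT_RATEEST_MATCH_REL = 1<<2,
+XT_RATEEST_MATCH_DELTA = 1<<3,
+XT_RATEEST_MATCH_BPS = 1<<4,
+XT_RATEEST_MATCH_PPS = 1<<5,
+};
+
+enum xt_rateest_match_mode {
+XT_RATEEST_MATCH_NONE,
+XT_RATEEST_MATCH_EQ,
+XT_RATEEST_MATCH_LT,
+XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+char name1[IFNAMSIZ];
+char name2[IFNAMSIZ];
+u_int16_t flags;
+u_int16_t mode;
+u_int32_t bps1;
+u_int32_t pps1;
+u_int32_t bps2;
+u_int32_t pps2;
+struct xt_rateest *est1 __attribute__((aligned(8)));
+struct xt_rateest *est2 __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_MATCH_H */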
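Review bot: `est1` and `est2` are raw kernel pointers embedded in a struct that this commit exports to userspace via header-y, so the match info that userspace hands the kernel carries attacker-chosen values in those slots and, on the way back out (rule listing), those slots would carry real kernel addresses unless the match code explicitly clears them; the kernel side is not in this hunk, so I can only ask that it be confirmed to overwrite both at checkentry and never trust or echo the userspace values. The header should say so, e.g. above `est1`: `/* kernel-private: set at checkentry, ignored on input and not exposed to userspace */`. The same applies to `name1`/`name2`: they are IFNAMSIZ arrays copied from userspace with no guaranteed NUL terminator, so the lookup code must bound the length (e.g. `strnlen(info->name1, IFNAMSIZ) < IFNAMSIZ`) before using them as strings, and `flags`/`mode` need a range check against the enums since only a subset of bit combinations is meaningful. On style, the header uses `IFNAMSIZ` without including `<linux/if.h>` and uses `u_int16_t`/`u_int32_t` rather than the `__u16`/`__u32` types the other exported netfilter headers rely on, so it is not self-contained for userspace consumers.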