From 9a2cf10c33e30b89083ac48e2777cc06f899aee7 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 3 Nov 2014 22:01:45 +0000 Subject: [PATCH] netfilter: Enable compiling iptables match cluster This patch adds the userspace and kernelspace for - match NETFILTER_XT_MATCH_CLUSTER This match can be used to deploy gateway and back-end load-sharing clusters. - target IP_NF_TARGET_CLUSTERIP This module allows you to configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster. This is used i.e. by strongswan-ha. Signed-off-by: Christian Scheele SVN-Revision: 43174 --- include/netfilter.mk | 7 ++++ package/kernel/linux/modules/netfilter.mk | 48 +++++++++++++++++++++++ package/network/utils/iptables/Makefile | 42 ++++++++++++++++++++ 3 files changed, 97 insertions(+) diff --git a/include/netfilter.mk b/include/netfilter.mk index fd119c5f85..72c66d955e 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -46,6 +46,9 @@ $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MULTIPORT, $(P_XT)xt_mul $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_COMMENT, $(P_XT)xt_comment)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_ID, $(P_XT)xt_id)) +#cluster +$(eval $(call nf_add,IPT_CLUSTER,CONFIG_NETFILTER_XT_MATCH_CLUSTER, $(P_XT)xt_cluster)) + $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG, ge 3.4.0)) $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG, lt 3.4.0)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS)) @@ -126,6 +129,8 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_HL, $(P_XT)xt_HL)) # iprange $(eval $(call nf_add,IPT_IPRANGE,CONFIG_NETFILTER_XT_MATCH_IPRANGE, $(P_XT)xt_iprange)) +#clusterip +$(eval $(call nf_add,IPT_CLUSTERIP,CONFIG_IP_NF_TARGET_CLUSTERIP, $(P_V4)ipt_CLUSTERIP)) # ipsec $(eval $(call nf_add,IPT_IPSEC,CONFIG_IP_NF_MATCH_AH, $(P_V4)ipt_ah)) @@ -346,6 +351,8 @@ IPT_BUILTIN += $(IPT_EXTRA-y) IPT_BUILTIN += $(IPT_FILTER-y) IPT_BUILTIN += $(IPT_IPOPT-y) IPT_BUILTIN += $(IPT_IPRANGE-y) +IPT_BUILTIN += $(IPT_CLUSTER-y) +IPT_BUILTIN += $(IPT_CLUSTERIP-y) IPT_BUILTIN += $(IPT_IPSEC-y) IPT_BUILTIN += $(IPT_IPV6-y) $(IPT_IPV6-m) IPT_BUILTIN += $(NF_NAT-y) diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 7621c7f945..2cb769dead 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -496,6 +496,54 @@ endef $(eval $(call KernelPackage,ipt-iprange)) +define KernelPackage/ipt-cluster + TITLE:=Module for matching cluster + KCONFIG:=$(KCONFIG_IPT_CLUSTER) + FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m))) + $(call AddDepends/ipt) +endef + +define KernelPackage/ipt-cluster/description + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + To use it also enable iptables-mod-cluster + + see `iptables -m cluster --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-cluster)) + +define KernelPackage/ipt-clusterip + TITLE:=Module for CLUSTERIP + KCONFIG:=$(KCONFIG_IPT_CLUSTERIP) + FILES:=$(foreach mod,$(IPT_CLUSTERIP-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTERIP-m))) + $(call AddDepends/ipt,+kmod-nf-conntrack) +endef + +define KernelPackage/ipt-clusterip/description + Netfilter (IPv4-only) module for CLUSTERIP + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + To use it also enable iptables-mod-clusterip + + see `iptables -j CLUSTERIP --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-clusterip)) + define KernelPackage/ipt-extra TITLE:=Extra modules diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index f8ce00c4ec..c749a33ac9 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -247,6 +247,46 @@ iptables extensions for matching ip ranges. endef +define Package/iptables-mod-cluster +$(call Package/iptables/Module, +kmod-ipt-cluster) + TITLE:=Match cluster extension +endef + +define Package/iptables-mod-cluster/description +iptables extensions for matching cluster. + + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + If you select it, it enables kmod-ipt-cluster. + + see `iptables -m cluster --help` for more information. +endef + +define Package/iptables-mod-clusterip +$(call Package/iptables/Module, +kmod-ipt-clusterip) + TITLE:=Clusterip extension +endef + +define Package/iptables-mod-clusterip/description +iptables extensions for CLUSTERIP. + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + If you select it, it enables kmod-ipt-clusterip. + + see `iptables -j CLUSTERIP --help` for more information. +endef + define Package/iptables-mod-extra $(call Package/iptables/Module, +kmod-ipt-extra) TITLE:=Other extra iptables extensions @@ -490,6 +530,8 @@ $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) +$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m))) +$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m))) $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))