netfilter 03/41: x_tables: change elements in x_tables

Previous thread: netfilter 13/41: ip6_tables: unfold two loops in ip6_packet_match() by Patrick McHardy on Tuesday, March 24, 2009 - 7:03 am. (1 message)

Next thread: Re: network traffic stop with 2.6.29 after ftp put by Marco Berizzi on Tuesday, March 24, 2009 - 8:41 am. (1 message)
From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

Hi Dave,

the following patches contain (the major part of) my netfilter updates for 2.6.30.
Besides the usual small fixes and cleanups, there is:

- a new LED trigger target by Adam Nielsen

- device name match optimizations for *tables from Eric Dumazet

- Conversion of *tables to use RCU for rulesets and counters from Stephen
  and Eric

- unification of the TTL/HL targets and ttl/hl matches from Jan Engelhardt

- a new "cluster" match from Pablo to transparently distribute traffic over
  a cluster of machines without a load-balancer

- a set of patches to make netfilter logging backends selectable per address
  family from Eric Leblond

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git

Thanks!


 drivers/leds/Kconfig                           |    3 +
 include/linux/netfilter/Kbuild                 |    8 +
 include/linux/netfilter/nfnetlink.h            |    1 +
 include/linux/netfilter/x_tables.h             |   15 +-
 include/linux/netfilter/xt_LED.h               |   13 ++
 include/linux/netfilter/xt_cluster.h           |   15 ++
 include/linux/netfilter/xt_limit.h             |    9 +-
 include/linux/netfilter/xt_quota.h             |    4 +-
 include/linux/netfilter/xt_statistic.h         |    7 +-
 include/linux/netfilter_ipv6/Kbuild            |    1 +
 include/net/netfilter/nf_conntrack.h           |    2 +-
 include/net/netfilter/nf_conntrack_l4proto.h   |   10 +-
 include/net/netfilter/nf_log.h                 |   11 +-
 net/bridge/netfilter/ebtable_broute.c          |    1 -
 net/bridge/netfilter/ebtable_filter.c          |    1 -
 net/bridge/netfilter/ebtable_nat.c             |    1 -
 net/ipv4/netfilter/Kconfig                     |   30 ++--
 net/ipv4/netfilter/Makefile                    |    2 -
 net/ipv4/netfilter/arp_tables.c                |  159 ++++++++++++++-----
 net/ipv4/netfilter/arptable_filter.c           |    2 -
 net/ipv4/netfilter/ip_queue.c                  |    2 +
 ...
From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit 9c8222b9e71b690c8388bb0ebe5c3e5a1469e884
Author: Stephen Hemminger <shemminger@vyatta.com>
Date:   Wed Feb 18 16:30:20 2009 +0100

    netfilter: x_tables: remove unneeded initializations
    
    Later patches change the locking on xt_table and the initialization of
    the lock element is not needed since the lock is always initialized in
    xt_table_register anyway.
    
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index e091187..6ecfdae 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -48,8 +48,6 @@ static struct
 static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
-	.lock		= __RW_LOCK_UNLOCKED(packet_filter.lock),
-	.private	= NULL,
 	.me		= THIS_MODULE,
 	.af		= NFPROTO_ARP,
 };
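Review bot: dropping `.lock = __RW_LOCK_UNLOCKED(packet_filter.lock)` from a static table is only safe if xt_register_table() initializes the lock before the table becomes reachable by any other caller, as the commit message asserts; that registration path is not part of this excerpt, so the ordering there is what needs confirming. The `.private = NULL` line was redundant regardless, since static storage is zero-initialized, so removing it changes nothing.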
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 52cb693..c30a969 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -56,7 +56,6 @@ static struct
 static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
-	.lock		= __RW_LOCK_UNLOCKED(packet_filter.lock),
 	.me		= THIS_MODULE,
 	.af		= AF_INET,
 };
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 3929d20..4087614 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -67,7 +67,6 @@ static struct
 static struct xt_table packet_mangler = {
 	.name		= "mangle",
 	.valid_hooks	= MANGLE_VALID_HOOKS,
-	.lock		= __RW_LOCK_UNLOCKED(packet_mangler.lock),
 	.me		= THIS_MODULE,
 	.af		= AF_INET,
 };
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 7f65d18..e5356da 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ ...
From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit 4a2f965ca5a4e2593744bf75425d85e0e8ff814a
Author: Stephen Hemminger <shemminger@vyatta.com>
Date:   Wed Feb 18 16:29:44 2009 +0100

    netfilter: x_tables: change elements in x_tables
    
    Change to proper type on private pointer rather than anonymous void.
    Keep active elements on same cache line.
    
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index c7ee874..9fac88f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -349,9 +349,6 @@ struct xt_table
 {
 	struct list_head list;
 
-	/* A unique name... */
-	const char name[XT_TABLE_MAXNAMELEN];
-
 	/* What hooks you will enter on */
 	unsigned int valid_hooks;
 
@@ -359,13 +356,15 @@ struct xt_table
 	rwlock_t lock;
 
 	/* Man behind the curtain... */
-	//struct ip6t_table_info *private;
-	void *private;
+	struct xt_table_info *private;
 
 	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
 	struct module *me;
 
 	u_int8_t af;		/* address/protocol family */
+
+	/* A unique name... */
+	const char name[XT_TABLE_MAXNAMELEN];
 };
 
 #include <linux/netfilter_ipv4.h>
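Review bot: the new `struct xt_table_info *private` member points at a struct this header only defines later (the later patch in this series shows it near line 385), which is legal for a pointer to an incomplete type, but a forward declaration `struct xt_table_info;` above `struct xt_table` would make that dependency explicit and keep the header self-documenting. Moving `name` behind `af` changes the layout, so it relies on every table using designated initializers; all the tables visible in this series do, but the commit message should say which fields are meant to share a cache line, since "keep active elements on same cache line" does not name them.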
--

From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit fecea3a389c89de9afae2eda74fad894d5677229
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Wed Feb 18 16:29:08 2009 +0100

    netfilter: remove unneeded goto
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index a90ac83..5bb3473 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -174,7 +174,6 @@ next_hook:
 			     outdev, &elem, okfn, hook_thresh);
 	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 		ret = 1;
-		goto unlock;
 	} else if (verdict == NF_DROP) {
 		kfree_skb(skb);
 		ret = -EPERM;
@@ -183,7 +182,6 @@ next_hook:
 			      verdict >> NF_VERDICT_BITS))
 			goto next_hook;
 	}
-unlock:
 	rcu_read_unlock();
 	return ret;
 }
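Review bot: the removal is behaviour-preserving because the NF_ACCEPT/NF_STOP branch heads an if/else-if chain and, without the goto, falls through to the same `rcu_read_unlock()` the other branches reach. With the goto gone the branch body is the single statement `ret = 1;`, so the braces could be dropped, although keeping them matches the multi-statement sibling branches and kernel style accepts either.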
--

From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit 268cb38e1802db560c73167e643f14a3dcb4b07c
Author: Adam Nielsen <a.nielsen@shikadi.net>
Date:   Fri Feb 20 10:55:14 2009 +0100

    netfilter: x_tables: add LED trigger target
    
    Kernel module providing implementation of LED netfilter target.  Each
    instance of the target appears as a led-trigger device, which can be
    associated with one or more LEDs in /sys/class/leds/
    
    Signed-off-by: Adam Nielsen <a.nielsen@shikadi.net>
    Acked-by: Richard Purdie <rpurdie@linux.intel.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/drivers/leds/Kconfig b/drivers/leds/Kconfig
index 7427136..556aeca 100644
--- a/drivers/leds/Kconfig
+++ b/drivers/leds/Kconfig
@@ -223,4 +223,7 @@ config LEDS_TRIGGER_DEFAULT_ON
 	  This allows LEDs to be initialised in the ON state.
 	  If unsure, say Y.
 
+comment "iptables trigger is under Netfilter config (LED target)"
+	depends on LEDS_TRIGGERS
+
 endif # NEW_LEDS
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 5a8af87..deeaee5 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -7,6 +7,7 @@ header-y += xt_CLASSIFY.h
 header-y += xt_CONNMARK.h
 header-y += xt_CONNSECMARK.h
 header-y += xt_DSCP.h
+header-y += xt_LED.h
 header-y += xt_MARK.h
 header-y += xt_NFLOG.h
 header-y += xt_NFQUEUE.h
diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h
new file mode 100644
index 0000000..4c91a0d
--- /dev/null
+++ b/include/linux/netfilter/xt_LED.h
@@ -0,0 +1,13 @@
+#ifndef _XT_LED_H
+#define _XT_LED_H
+
+struct xt_led_info {
+	char id[27];        /* Unique ID for this trigger in the LED class */
+	__u8 always_blink;  /* Blink even if the LED is already on */
+	__u32 delay;        /* Delay until LED is switched off after trigger */
+
+	/* Kernel data used in the module */
+	void *internal_data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_LED_H */
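Review bot: this header is exported to userspace by the Kbuild hunk above, yet it uses `__u8` and `__u32` without including `<linux/types.h>`, so a userspace program that includes only xt_LED.h will not compile; add the include. The `void *internal_data __attribute__((aligned(8)))` member keeps the struct size identical for 32-bit and 64-bit builds, but kernel-private pointer storage in a user-visible struct is fragile and deserves a comment that userspace must leave it zeroed; `char id[27]` also deserves a comment, since 27 bytes plus `always_blink` packs to exactly 28 so that `delay` lands on a 4-byte boundary, and that reasoning is not obvious from the declaration.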
diff --git a/net/netfilter/Kconfig ...
From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit 563d36eb3fb22dd04da9aa6f12e1b9ba0ac115f3
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Wed Feb 18 18:38:40 2009 +0100

    netfilter: Combine ipt_TTL and ip6t_HL source
    
    Suggested by: James King <t.james.king@gmail.com>
    
    Similarly to commit c9fd49680954714473d6cbd2546d6ff120f96840, merge
    TTL and HL. Since HL does not depend on any IPv6-specific function,
    no new module dependencies would arise.
    
    With slight adjustments to the Kconfig help text.
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 3816e1d..3ad9f43 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -322,21 +322,6 @@ config IP_NF_TARGET_ECN
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_TARGET_TTL
-	tristate  'TTL target support'
-	depends on IP_NF_MANGLE
-	depends on NETFILTER_ADVANCED
-	help
-	  This option adds a `TTL' target, which enables the user to modify
-	  the TTL value of the IP header.
-
-	  While it is safe to decrement/lower the TTL, this target also enables
-	  functionality to increment and set the TTL value of the IP header to
-	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
-	  create immortal packets that loop forever on the network.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 # raw + specific targets
 config IP_NF_RAW
 	tristate  'raw table support (required for NOTRACK/TRACE)'
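Review bot: this hunk deletes the `IP_NF_TARGET_TTL` symbol outright, so an existing .config with `CONFIG_IP_NF_TARGET_TTL=m` will silently lose the target on the next oldconfig unless the merged option (not visible in this excerpt) keeps the old symbol as a compatibility alias; either the new option's help text or this commit message should tell users which symbol replaces it.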
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 5f9b650..20b0c37 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -61,7 +61,6 @@ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ...
From: Patrick McHardy
Date: Tuesday, March 24, 2009 - 7:03 am

commit 784544739a25c30637397ace5489eeb6e15d7d49
Author: Stephen Hemminger <shemminger@vyatta.com>
Date:   Fri Feb 20 10:35:32 2009 +0100

    netfilter: iptables: lock free counters
    
    The reader/writer lock in ip_tables is acquired in the critical path of
    processing packets and is one of the reasons just loading iptables can cause
    a 20% performance loss. The rwlock serves two functions:
    
    1) it prevents changes to table state (xt_replace) while table is in use.
       This is now handled by doing rcu on the xt_table. When table is
       replaced, the new table(s) are put in and the old one table(s) are freed
       after RCU period.
    
    2) it provides synchronization when accessing the counter values.
       This is now handled by swapping in new table_info entries for each cpu
       then summing the old values, and putting the result back onto one
       cpu.  On a busy system it may cause sampling to occur at different
       times on each cpu, but no packet/byte counts are lost in the process.
    
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    
    Successfully tested on my dual quad core machine too, but iptables only (no ipv6 here)
    BTW, my new "tbench 8" result is 2450 MB/s, (it was 2150 MB/s not so long ago)
    
    Acked-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 9fac88f..e8e08d0 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -353,7 +353,7 @@ struct xt_table
 	unsigned int valid_hooks;
 
 	/* Lock for the curtain */
-	rwlock_t lock;
+	struct mutex lock;
 
 	/* Man behind the curtain... */
 	struct xt_table_info *private;
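Review bot: turning `lock` into a `struct mutex` means any remaining site that takes it from softirq context or under rcu_read_lock() would now sleep in atomic context, so every former read_lock/write_lock user should be confirmed converted to mutex_lock or to RCU in the rest of this patch. The comment `/* Lock for the curtain */` is also stale after this change: the lock now serializes table replacement and counter collection only, not the packet path, and the comment should say so.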
@@ -385,7 +385,7 @@ struct xt_table_info
 
 	/* ipt_entry tables: one per CPU */
 	/* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
-	char *entries[1];
+	void *entries[1];
 };
 
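Review bot: with the element type changed to `void *`, the comment `/* ipt_entry tables: one per CPU */` is misleading, since the same array backs arpt_entry and ip6t_entry tables as well and the generic type is the point of the change; reword it to "entry tables". Note too that `char *` permitted byte-offset arithmetic in standard C whereas `void *` arithmetic relies on the GCC extension the kernel uses, so callers doing `entries[cpu] + offset` should be checked to still build without warnings.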
 ...
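As an added illustration of the counter scheme this commit message describes (a toy model written for this page, not the kernel's code): each cpu counts into its own array, and a read swaps in fresh zeroed arrays, sums the retired ones, and stores the totals back onto one cpu. The names `table_info`, `count_hit` and `collect_counters` are invented for the example, and the RCU grace period is represented by a comment rather than real synchronization.

```c
#include <stdint.h>
#include <stdlib.h>
#define NCPU   4
#define NRULES 3

struct xt_counters { uint64_t pcnt, bcnt; };
/* One counter array per cpu, modelled on xt_table_info->entries[] (a toy
 * struct for this example, not the kernel's). `live` plays table->private. */
struct table_info { struct xt_counters *entries[NCPU]; };

static struct table_info *alloc_table_info(void)
{
	struct table_info *t = calloc(1, sizeof(*t));
	for (int cpu = 0; cpu < NCPU; cpu++)
		t->entries[cpu] = calloc(NRULES, sizeof(struct xt_counters));
	return t;
}

static void free_table_info(struct table_info *t)
{
	for (int cpu = 0; cpu < NCPU; cpu++)
		free(t->entries[cpu]);
	free(t);
}

/* Packet path: a cpu updates only its own array, so no shared lock. */
static void count_hit(struct table_info *t, int cpu, int rule, uint64_t bytes)
{
	t->entries[cpu][rule].pcnt++;
	t->entries[cpu][rule].bcnt += bytes;
}

/* Counter read: publish fresh zeroed arrays, wait out the grace period, sum
 * the retired per-cpu values into `out`, then park the totals on cpu 0. */
static void collect_counters(struct table_info **live, struct xt_counters out[NRULES])
{
	struct table_info *old = *live, *fresh = alloc_table_info();
	*live = fresh;  /* rcu_assign_pointer() in the kernel */
	/* synchronize_net(): after it no cpu still counts into `old` */
	for (int rule = 0; rule < NRULES; rule++) {
		out[rule].pcnt = out[rule].bcnt = 0;
		for (int cpu = 0; cpu < NCPU; cpu++) {
			out[rule].pcnt += old->entries[cpu][rule].pcnt;
			out[rule].bcnt += old->entries[cpu][rule].bcnt;
		}
		fresh->entries[0][rule] = out[rule];  /* keeps later reads cumulative */
	}
	free_table_info(old);
}
```

Because the totals are written back onto one cpu of the new set, a second collection after more hits reports cumulative values, and hits that land on a cpu between the swap and the sum are never lost.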
From: David Miller
Date: Tuesday, March 24, 2009 - 1:26 pm

From: Patrick McHardy <kaber@trash.net>

I'm going to pull this all in, thanks Patrick.

I'll reply to a few patches for which I'd like to see some
followup discussion and change.

Thanks.
--

From: Patrick McHardy
Date: Wednesday, March 25, 2009 - 9:29 am

Thanks. The discussion seems to be over already, so I'll just collect
the resulting patches :)
--
