netfilter: Add fail-open support

Implement a new "fail-open" mode where packets are not dropped upon queue-full condition. This mode can be enabled/disabled per queue using netlink NFQA_CFG_FLAGS & NFQA_CFG_MASK attributes. Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> Signed-off-by: Vivek Kashyap <vivk@us.ibm.com> Signed-off-by: Sridhar Samudrala <samudrala@us.ibm.com>
author: Krishna Kumar <krkumar2@in.ibm.com> 2012-05-24 03:56:44 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-06-07 14:58:39 +0200
commit: fdb694a01f1fcd30fd16d8aa290c34699fe98a17 (patch)
tree: 4da135c27f582e3a3f6891a4bc4bf4abb6a57829 /include/linux/netfilter
parent: 68c07cb6d8aa05daf38ab47d5bb674d81a2066fb (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 24b32e6c009..a6c1ddac05c 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -84,8 +84,13 @@ enum nfqnl_attr_config {
 	NFQA_CFG_CMD,			/* nfqnl_msg_config_cmd */
 	NFQA_CFG_PARAMS,		/* nfqnl_msg_config_params */
 	NFQA_CFG_QUEUE_MAXLEN,		/* __u32 */
+	NFQA_CFG_MASK,			/* identify which flags to change */
+	NFQA_CFG_FLAGS,			/* value of these flags (__u32) */
 	__NFQA_CFG_MAX
 };
 #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
 
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN			(1 << 0)
+
 #endif /* _NFNETLINK_QUEUE_H */
author	Krishna Kumar <krkumar2@in.ibm.com>	2012-05-24 03:56:44 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-06-07 14:58:39 +0200
commit	fdb694a01f1fcd30fd16d8aa290c34699fe98a17 (patch)
tree	4da135c27f582e3a3f6891a4bc4bf4abb6a57829 /include/linux/netfilter
parent	68c07cb6d8aa05daf38ab47d5bb674d81a2066fb (diff)