if (prtb[IFLA_BRPORT_MCAST_FLOOD])
print_onoff(fp, "mcast_flood",
rta_getattr_u8(prtb[IFLA_BRPORT_MCAST_FLOOD]));
+ if (prtb[IFLA_BRPORT_MCAST_TO_UCAST])
+ print_onoff(fp, "mcast_to_unicast",
+ rta_getattr_u8(prtb[IFLA_BRPORT_MCAST_TO_UCAST]));
if (prtb[IFLA_BRPORT_NEIGH_SUPPRESS])
print_onoff(fp, "neigh_suppress",
rta_getattr_u8(prtb[IFLA_BRPORT_NEIGH_SUPPRESS]));
fprintf(stderr, " [ learning_sync {on | off} ]\n");
fprintf(stderr, " [ flood {on | off} ]\n");
fprintf(stderr, " [ mcast_flood {on | off} ]\n");
+ fprintf(stderr, " [ mcast_to_unicast {on | off} ]\n");
fprintf(stderr, " [ neigh_suppress {on | off} ]\n");
fprintf(stderr, " [ vlan_tunnel {on | off} ]\n");
fprintf(stderr, " [ isolated {on | off} ]\n");
__s8 flood = -1;
__s8 vlan_tunnel = -1;
__s8 mcast_flood = -1;
+ __s8 mcast_to_unicast = -1;
__s8 isolated = -1;
__s8 hairpin = -1;
__s8 bpdu_guard = -1;
NEXT_ARG();
if (!on_off("mcast_flood", &mcast_flood, *argv))
return -1;
+ } else if (strcmp(*argv, "mcast_to_unicast") == 0) {
+ NEXT_ARG();
+ if (!on_off("mcast_to_unicast", &mcast_to_unicast, *argv))
+ return -1;
} else if (strcmp(*argv, "cost") == 0) {
NEXT_ARG();
cost = atoi(*argv);
if (mcast_flood >= 0)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_MCAST_FLOOD,
mcast_flood);
+ if (mcast_to_unicast >= 0)
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_MCAST_TO_UCAST,
+ mcast_to_unicast);
if (learning >= 0)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_LEARNING, learning);
if (learning_sync >= 0)
ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o iplink_dummy.o \
iplink_ifb.o iplink_nlmon.o iplink_team.o iplink_vcan.o iplink_vxcan.o \
iplink_vlan.o link_veth.o link_gre.o iplink_can.o iplink_xdp.o \
- iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o \
+ iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o link_xfrm.o \
iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
" bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |\n"
" gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |\n"
" vti | nlmon | team_slave | bond_slave | bridge_slave |\n"
- " ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet }\n");
+ " ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet |\n"
+ " xfrm }\n");
}
exit(-1);
}
" [ mcast_router MULTICAST_ROUTER ]\n"
" [ mcast_fast_leave {on | off} ]\n"
" [ mcast_flood {on | off} ]\n"
+ " [ mcast_to_unicast {on | off} ]\n"
" [ group_fwd_mask MASK ]\n"
" [ neigh_suppress {on | off} ]\n"
" [ vlan_tunnel {on | off} ]\n"
_print_onoff(f, "mcast_flood", "mcast_flood",
rta_getattr_u8(tb[IFLA_BRPORT_MCAST_FLOOD]));
+ if (tb[IFLA_BRPORT_MCAST_TO_UCAST])
+ _print_onoff(f, "mcast_to_unicast", "mcast_to_unicast",
+ rta_getattr_u8(tb[IFLA_BRPORT_MCAST_TO_UCAST]));
+
if (tb[IFLA_BRPORT_NEIGH_SUPPRESS])
_print_onoff(f, "neigh_suppress", "neigh_suppress",
rta_getattr_u8(tb[IFLA_BRPORT_NEIGH_SUPPRESS]));
NEXT_ARG();
bridge_slave_parse_on_off("mcast_flood", *argv, n,
IFLA_BRPORT_MCAST_FLOOD);
+ } else if (matches(*argv, "mcast_to_unicast") == 0) {
+ NEXT_ARG();
+ bridge_slave_parse_on_off("mcast_to_unicast", *argv, n,
+ IFLA_BRPORT_MCAST_TO_UCAST);
} else if (matches(*argv, "proxy_arp") == 0) {
NEXT_ARG();
bridge_slave_parse_on_off("proxy_arp", *argv, n,
" [ egress-qos-map QOS-MAP ]\n"
"\n"
"VLANID := 0-4095\n"
- "VLANPROTO: [ 802.1Q / 802.1ad ]\n"
+ "VLANPROTO: [ 802.1Q | 802.1ad ]\n"
"QOS-MAP := [ QOS-MAP ] QOS-MAPPING\n"
"QOS-MAPPING := FROM:TO\n"
);
(xuo->flags & XFRM_OFFLOAD_INBOUND) ? "in" : "out");
fprintf(fp, "%s", _SL_);
}
+ if (tb[XFRMA_IF_ID]) {
+ __u32 if_id = rta_getattr_u32(tb[XFRMA_IF_ID]);
+
+ if (prefix)
+ fputs(prefix, fp);
+ fprintf(fp, "if_id %#x", if_id);
+ fprintf(fp, "%s", _SL_);
+ }
}
static int xfrm_selector_iszero(struct xfrm_selector *s)
--- /dev/null
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * link_xfrm.c Virtual XFRM Interface driver module
+ *
+ * Authors: Matt Ellison <matt@arroyo.io>
+ */
+
+#include <string.h>
+#include <linux/if_link.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+#include "tunnel.h"
+
+static void xfrm_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ fprintf(f, "Usage: ... %-4s dev PHYS_DEV [ if_id IF-ID ]\n", lu->id);
+ fprintf(f, "\nWhere: IF-ID := { 0x0..0xffffffff }\n");
+}
+
+static int xfrm_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+{
+ unsigned int link = 0;
+ __u32 if_id = 0;
+
+ while (argc > 0) {
+ if (!matches(*argv, "dev")) {
+ NEXT_ARG();
+ link = ll_name_to_index(*argv);
+ if (!link)
+ exit(nodev(*argv));
+ } else if (!matches(*argv, "if_id")) {
+ NEXT_ARG();
+ if (!get_u32(&if_id, *argv, 0))
+ addattr32(n, 1024, IFLA_XFRM_IF_ID, if_id);
+ } else {
+ xfrm_print_help(lu, argc, argv, stderr);
+ return -1;
+ }
+ argc--; argv++;
+ }
+
+ if (link) {
+ addattr32(n, 1024, IFLA_XFRM_LINK, link);
+ } else {
+ fprintf(stderr, "must specify physical device\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+static void xfrm_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+
+ if (!tb)
+ return;
+
+ if (tb[IFLA_XFRM_IF_ID]) {
+ __u32 id = rta_getattr_u32(tb[IFLA_XFRM_IF_ID]);
+
+ print_0xhex(PRINT_ANY, "if_id", "if_id %#llx ", id);
+
+ }
+
+}
+
+struct link_util xfrm_link_util = {
+ .id = "xfrm",
+ .maxattr = IFLA_XFRM_MAX,
+ .parse_opt = xfrm_parse_opt,
+ .print_opt = xfrm_print_opt,
+ .print_help = xfrm_print_help,
+};
fprintf(stderr, "Usage: ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]\n");
fprintf(stderr, " [ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ]\n");
fprintf(stderr, " [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]\n");
- fprintf(stderr, " [ LIMIT-LIST ] [ TMPL-LIST ]\n");
+ fprintf(stderr, " [ if_id IF_ID ] [ LIMIT-LIST ] [ TMPL-LIST ]\n");
fprintf(stderr, "Usage: ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR\n");
fprintf(stderr, " [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]\n");
fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ]\n");
struct xfrm_user_sec_ctx sctx;
char str[CTX_BUF_SIZE];
} ctx = {};
+ bool is_if_id_set = false;
+ __u32 if_id = 0;
while (argc > 0) {
if (strcmp(*argv, "dir") == 0) {
xfrm_tmpl_parse(tmpl, &argc, &argv);
tmpls_len += sizeof(*tmpl);
+ } else if (strcmp(*argv, "if_id") == 0) {
+ NEXT_ARG();
+ if (get_u32(&if_id, *argv, 0))
+ invarg("IF_ID value is invalid", *argv);
+ is_if_id_set = true;
} else {
if (selp)
duparg("unknown", *argv);
(void *)&ctx, ctx.sctx.len);
}
+ if (is_if_id_set)
+ addattr32(&req.n, sizeof(req.buf), XFRMA_IF_ID, if_id);
+
if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
exit(1);
fprintf(stderr, " [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n");
fprintf(stderr, " [ offload [dev DEV] dir DIR ]\n");
fprintf(stderr, " [ output-mark OUTPUT-MARK ]\n");
++ fprintf(stderr, " [ if_id IF_ID ]\n");
fprintf(stderr, "Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n");
fprintf(stderr, " [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]\n");
fprintf(stderr, "Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n");
char str[CTX_BUF_SIZE];
} ctx = {};
__u32 output_mark = 0;
+ bool is_if_id_set = false;
+ __u32 if_id = 0;
while (argc > 0) {
if (strcmp(*argv, "mode") == 0) {
NEXT_ARG();
if (get_u32(&output_mark, *argv, 0))
invarg("value after \"output-mark\" is invalid", *argv);
+ } else if (strcmp(*argv, "if_id") == 0) {
+ NEXT_ARG();
+ if (get_u32(&if_id, *argv, 0))
+ invarg("value after \"if_id\" is invalid", *argv);
+ is_if_id_set = true;
} else {
/* try to assume ALGO */
int type = xfrm_algotype_getbyname(*argv);
}
}
+ if (is_if_id_set)
+ addattr32(&req.n, sizeof(req.buf), XFRMA_IF_ID, if_id);
+
if (xfrm_xfrmproto_is_ipsec(req.xsinfo.id.proto)) {
switch (req.xsinfo.mode) {
case XFRM_MODE_TRANSPORT:
int type;
const char *name;
} arphrd_names[] = {
-{ 0, "generic" },
+__PF(NETROM,netrom)
__PF(ETHER,ether)
__PF(EETHER,eether)
__PF(AX25,ax25)
.BR flood " { " on " | " off " } ] [ "
.BR hwmode " { " vepa " | " veb " } ] [ "
.BR mcast_flood " { " on " | " off " } ] [ "
+.BR mcast_to_unicast " { " on " | " off " } ] [ "
.BR neigh_suppress " { " on " | " off " } ] [ "
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
.TP
.BR "mcast_flood on " or " mcast_flood off "
-Controls whether a given port will flood multicast traffic for which there is no MDB entry. By default this flag is on.
+Controls whether a given port will flood multicast traffic for which
+there is no MDB entry. By default this flag is on.
+
+.TP
+.BR "mcast_to_unicast on " or " mcast_to_unicast off "
+Controls whether a given port will replicate packets using unicast
+instead of multicast. By default this flag is off.
.TP
.BR "neigh_suppress on " or " neigh_suppress off "
-Controls whether neigh discovery (arp and nd) proxy and suppression is enabled on the port. By default this flag is off.
+Controls whether neigh discovery (arp and nd) proxy and suppression is
+enabled on the port. By default this flag is off.
.TP
.BR "vlan_tunnel on " or " vlan_tunnel off "
-Controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off.
+Controls whether vlan to tunnel mapping is enabled on the port. By
+default this flag is off.
.TP
.BR "isolated on " or " isolated off "
-Controls whether a given port will be isolated, which means it will be able to communicate with non-isolated ports only.
-By default this flag is off.
+Controls whether a given port will be isolated, which means it will be
+able to communicate with non-isolated ports only. By default this
+flag is off.
.TP
.BI backup_port " DEVICE"
-If the port loses carrier all traffic will be redirected to the configured backup port
+If the port loses carrier all traffic will be redirected to the
+configured backup port
.TP
.BR nobackup_port
.TP
.BI tunnel_info " TUNNEL_ID"
-the TUNNEL ID that maps to this vlan. The tunnel id is set in dst_metadata for
-every packet that belongs to this vlan (applicable to bridge ports with vlan_tunnel
-flag set).
+the TUNNEL ID that maps to this vlan. The tunnel id is set in
+dst_metadata for every packet that belongs to this vlan (applicable to
+bridge ports with vlan_tunnel flag set).
.TP
.BI pvid
.BR vrf " |"
.BR macsec " |"
.BR netdevsim " |"
-.BR rmnet " ]"
+.BR rmnet " |"
+.BR xfrm " ]"
.ti -8
.IR ETYPE " := [ " TYPE " |"
.sp
.BR rmnet
- Qualcomm rmnet device
+.sp
+.BR xfrm
+- Virtual xfrm interface
.in -8
.TP
.TP
.BI gso_max_size " BYTES "
-specifies the recommended maximum size of a Generic Segment Offload packet the new device should accept.
+specifies the recommended maximum size of a Generic Segment Offload
+packet the new device should accept.
.TP
.BI gso_max_segs " SEGMENTS "
-specifies the recommended maximum number of a Generic Segment Offload segments the new device should accept.
+specifies the recommended maximum number of a Generic Segment Offload
+segments the new device should accept.
.TP
.BI index " IDX "
-specifies the desired index of the new virtual device. The link creation fails, if the index is busy.
+specifies the desired index of the new virtual device. The link
+creation fails, if the index is busy.
.TP
VLAN Type Support
.in +4
If
.BR reorder_hdr " is " on
-then VLAN header will be not inserted immediately but only before passing to the
-physical device (if this device does not support VLAN offloading), the similar
-on the RX direction - by default the packet will be untagged before being
-received by VLAN device. Reordering allows to accelerate tagging on egress and
-to hide VLAN header on ingress so the packet looks like regular Ethernet packet,
-at the same time it might be confusing for packet capture as the VLAN header
-does not exist within the packet.
+then VLAN header will be not inserted immediately but only before
+passing to the physical device (if this device does not support VLAN
+offloading), the similar on the RX direction - by default the packet
+will be untagged before being received by VLAN device. Reordering
+allows to accelerate tagging on egress and to hide VLAN header on
+ingress so the packet looks like regular Ethernet packet, at the same
+time it might be confusing for packet capture as the VLAN header does
+not exist within the packet.
VLAN offloading can be checked by
.BR ethtool "(8):"
.in -4
.BR gvrp " { " on " | " off " } "
-- specifies whether this VLAN should be registered using GARP VLAN Registration Protocol.
+- specifies whether this VLAN should be registered using GARP VLAN
+ Registration Protocol.
.BR mvrp " { " on " | " off " } "
-- specifies whether this VLAN should be registered using Multiple VLAN Registration Protocol.
+- specifies whether this VLAN should be registered using Multiple VLAN
+ Registration Protocol.
.BR loose_binding " { " on " | " off " } "
- specifies whether the VLAN device state is bound to the physical device state.
-t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
.sp
.in -4
-and this "4" priority can be used in the egress qos mapping to set VLAN prio "5":
+and this "4" priority can be used in the egress qos mapping to set
+VLAN prio "5":
.sp
.in +4
.B ip
.sp
.BI dstport " PORT"
-- specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.
+- specifies the UDP destination port to communicate to the remote
+ VXLAN tunnel endpoint.
.sp
.BI srcport " MIN MAX"
.in +8
.sp
.BI ageing_time " AGEING_TIME "
-- configure the bridge's FDB entries ageing time, ie the number of seconds a MAC address will be kept in the FDB after a packet has been received from that address. after this time has passed, entries are cleaned up.
+- configure the bridge's FDB entries ageing time, ie the number of
+seconds a MAC address will be kept in the FDB after a packet has been
+received from that address. after this time has passed, entries are
+cleaned up.
.BI group_fwd_mask " MASK "
-- set the group forward mask. This is the bitmask that is applied to decide whether to forward incoming frames destined to link-local addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0, ie the bridge does not forward any link-local frames).
+- set the group forward mask. This is the bitmask that is applied to
+decide whether to forward incoming frames destined to link-local
+addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0,
+ie the bridge does not forward any link-local frames).
.BI group_address " ADDRESS "
-- set the MAC address of the multicast group this bridge uses for STP. The address must be a link-local address in standard Ethernet MAC address format, ie an address of the form 01:80:C2:00:00:0X, with X in [0, 4..f].
+- set the MAC address of the multicast group this bridge uses for STP.
+The address must be a link-local address in standard Ethernet MAC
+address format, ie an address of the form 01:80:C2:00:00:0X, with X
+ in [0, 4..f].
.BI forward_delay " FORWARD_DELAY "
-- set the forwarding delay in seconds, ie the time spent in LISTENING state (before moving to LEARNING) and in LEARNING state (before moving to FORWARDING). Only relevant if STP is enabled. Valid values are between 2 and 30.
+- set the forwarding delay in seconds, ie the time spent in LISTENING
+state (before moving to LEARNING) and in LEARNING state (before
+moving to FORWARDING). Only relevant if STP is enabled. Valid values
+are between 2 and 30.
.BI hello_time " HELLO_TIME "
-- set the time in seconds between hello packets sent by the bridge, when it is a root bridge or a designated bridges. Only relevant if STP is enabled. Valid values are between 1 and 10.
+- set the time in seconds between hello packets sent by the bridge,
+when it is a root bridge or a designated bridges.
+Only relevant if STP is enabled. Valid values are between 1 and 10.
.BI max_age " MAX_AGE "
-- set the hello packet timeout, ie the time in seconds until another bridge in the spanning tree is assumed to be dead, after reception of its last hello message. Only relevant if STP is enabled. Valid values are between 6 and 40.
+- set the hello packet timeout, ie the time in seconds until another
+bridge in the spanning tree is assumed to be dead, after reception of
+its last hello message. Only relevant if STP is enabled. Valid values
+are between 6 and 40.
.BI stp_state " STP_STATE "
- turn spanning tree protocol on
for this bridge.
.BI priority " PRIORITY "
-- set this bridge's spanning tree priority, used during STP root bridge election.
+- set this bridge's spanning tree priority, used during STP root
+bridge election.
.I PRIORITY
is a 16bit unsigned integer.
IGMP querier, ie sending of multicast queries by the bridge (default: disabled).
.BI mcast_querier_interval " QUERIER_INTERVAL "
-- interval between queries sent by other routers. if no queries are seen after this delay has passed, the bridge will start to send its own queries (as if
+- interval between queries sent by other routers. if no queries are seen
+after this delay has passed, the bridge will start to send its own queries
+(as if
.BI mcast_querier
was enabled).
.BI mcast_hash_elasticity " HASH_ELASTICITY "
-- set multicast database hash elasticity, ie the maximum chain length in the multicast hash table (defaults to 4).
+- set multicast database hash elasticity, ie the maximum chain length
+in the multicast hash table (defaults to 4).
.BI mcast_hash_max " HASH_MAX "
-- set maximum size of multicast hash table (defaults to 512, value must be a power of 2).
+- set maximum size of multicast hash table (defaults to 512,
+value must be a power of 2).
.BI mcast_last_member_count " LAST_MEMBER_COUNT "
-- set multicast last member count, ie the number of queries the bridge will send before stopping forwarding a multicast group after a "leave" message has been received (defaults to 2).
+- set multicast last member count, ie the number of queries the bridge
+will send before stopping forwarding a multicast group after a "leave"
+message has been received (defaults to 2).
.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL "
-- interval between queries to find remaining members of a group, after a "leave" message is received.
+- interval between queries to find remaining members of a group,
+after a "leave" message is received.
.BI mcast_startup_query_count " STARTUP_QUERY_COUNT "
- set the number of IGMP queries to send during startup phase (defaults to 2).
- interval between queries in the startup phase.
.BI mcast_query_interval " QUERY_INTERVAL "
-- interval between queries sent by the bridge after the end of the startup phase.
+- interval between queries sent by the bridge after the end of the
+startup phase.
.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL "
-- set the Max Response Time/Maximum Response Delay for IGMP/MLD queries sent by the bridge.
+- set the Max Response Time/Maximum Response Delay for IGMP/MLD
+queries sent by the bridge.
.BI mcast_membership_interval " MEMBERSHIP_INTERVAL "
-- delay after which the bridge will leave a group, if no membership reports for this group are received.
+- delay after which the bridge will leave a group,
+if no membership reports for this group are received.
.BI mcast_stats_enabled " MCAST_STATS_ENABLED "
- enable
.sp
.BI port " PORT "
-- sets the port number component of secure channel for this MACsec device, in a
-range from 1 to 65535 inclusive. Numbers with a leading " 0 " or " 0x " are
-interpreted as octal and hexadecimal, respectively.
+- sets the port number component of secure channel for this MACsec
+device, in a range from 1 to 65535 inclusive. Numbers with a leading "
+0 " or " 0x " are interpreted as octal and hexadecimal, respectively.
.sp
.BI sci " SCI "
.sp
.BR "send_sci on " or " send_sci off"
-- specifies whether the SCI is included in every packet, or only when it is necessary.
+- specifies whether the SCI is included in every packet,
+or only when it is necessary.
.sp
.BR "end_station on " or " end_station off"
.in -8
+.TP
+XFRM Type Support
+For a link of type
+.I XFRM
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type xfrm dev " PHYS_DEV " [ if_id " IF_ID " ]"
+
+.in +8
+.sp
+.BI dev " PHYS_DEV "
+- specifies the underlying physical interface from which transform traffic is sent and received.
+
+.sp
+.BI if_id " IF-ID "
+- specifies the hexadecimal lookup key used to send traffic to and from specific xfrm
+policies. Policies must be configured with the same key. If not set, the key defaults to
+0 and will match any policies which similarly do not have a lookup key configuration.
+
+.in -8
+
.SS ip link delete - delete virtual link
.TP
.TP
.BI dev " DEVICE "
.I DEVICE
-specifies network device to operate on. When configuring SR-IOV Virtual Function
-(VF) devices, this keyword should specify the associated Physical Function (PF)
-device.
+specifies network device to operate on. When configuring SR-IOV
+Virtual Function (VF) devices, this keyword should specify the
+associated Physical Function (PF) device.
.TP
.BI group " GROUP "
.BR "protodown on " or " protodown off"
change the
.B PROTODOWN
-state on the device. Indicates that a protocol error has been detected on the port. Switch drivers can react to this error by doing a phys down on the switch port.
+state on the device. Indicates that a protocol error has been detected
+on the port. Switch drivers can react to this error by doing a phys
+down on the switch port.
.TP
.BR "dynamic on " or " dynamic off"
change the
.B DYNAMIC
-flag on the device. Indicates that address can change when interface goes down (currently
+flag on the device. Indicates that address can change when interface
+goes down (currently
.B NOT
used by the Linux).
Some devices are not allowed to change network namespace: loopback, bridge,
ppp, wireless. These are network namespace local devices. In such case
.B ip
-tool will return "Invalid argument" error. It is possible to find out if device is local
-to a single network namespace by checking
+tool will return "Invalid argument" error. It is possible to find out
+if device is local to a single network namespace by checking
.B netns-local
flag in the output of the
.BR ethtool ":"
To change network namespace for wireless devices the
.B iw
-tool can be used. But it allows to change network namespace only for physical devices and by process
+tool can be used. But it allows to change network namespace only for
+physical devices and by process
.IR PID .
.TP
.sp
.BI proto " VLAN-PROTO"
- assign VLAN PROTOCOL for the VLAN tag, either 802.1Q or 802.1ad.
-Setting to 802.1ad, all traffic sent from the VF will be tagged with VLAN S-Tag.
-Incoming traffic will have VLAN S-Tags stripped before being passed to the VF.
-Setting to 802.1ad also enables an option to concatenate another VLAN tag, so both
-S-TAG and C-TAG will be inserted/stripped for outgoing/incoming traffic, respectively.
-If not specified, the value is assumed to be 802.1Q. Both the
+Setting to 802.1ad, all traffic sent from the VF will be tagged with
+VLAN S-Tag. Incoming traffic will have VLAN S-Tags stripped before
+being passed to the VF. Setting to 802.1ad also enables an option to
+concatenate another VLAN tag, so both S-TAG and C-TAG will be
+inserted/stripped for outgoing/incoming traffic, respectively. If not
+specified, the value is assumed to be 802.1Q. Both the
.B vf
and
.B vlan
.sp
.BI max_tx_rate " TXRATE"
-- change the allowed maximum transmit bandwidth, in Mbps, for the specified VF.
-Setting this parameter to 0 disables rate limiting.
+- change the allowed maximum transmit bandwidth, in Mbps, for the
+specified VF. Setting this parameter to 0 disables rate limiting.
.B vf
parameter must be specified.
- turn packet spoof checking on or off for the specified VF.
.sp
.BI query_rss " on|off"
-- toggle the ability of querying the RSS configuration of a specific VF. VF RSS information like RSS hash key may be considered sensitive on some devices where this information is shared between VF and PF and thus its querying may be prohibited by default.
+- toggle the ability of querying the RSS configuration of a specific
+ VF. VF RSS information like RSS hash key may be considered sensitive
+ on some devices where this information is shared between VF and PF
+ and thus its querying may be prohibited by default.
.sp
.BI state " auto|enable|disable"
-- set the virtual link state as seen by the specified VF. Setting to auto means a
-reflection of the PF link state, enable lets the VF to communicate with other VFs on
-this host even if the PF link state is down, disable causes the HW to drop any packets
-sent by the VF.
+- set the virtual link state as seen by the specified VF. Setting to
+auto means a reflection of the PF link state, enable lets the VF to
+communicate with other VFs on this host even if the PF link state is
+down, disable causes the HW to drop any packets sent by the VF.
.sp
.BI trust " on|off"
-- trust the specified VF user. This enables that VF user can set a specific feature
-which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
+- trust the specified VF user. This enables that VF user can set a
+specific feature which may impact security and/or
+performance. (e.g. VF multicast promiscuous mode)
.sp
.BI node_guid " eui64"
- configure node GUID for Infiniband VFs.
- disable automatic address generation
.I stable_secret
-- generate the interface identifier based on a preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
+- generate the interface identifier based on a preset
+ /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
.I random
- like stable_secret, but auto-generate a new random secret if none is set
] [
.BR mcast_flood " { " on " | " off " }"
] [
+.BR mcast_to_unicast " { " on " | " off " }"
+] [
.BR group_fwd_mask " MASK"
] [
.BR neigh_suppress " { " on " | " off " }"
option above.
.BR mcast_flood " { " on " | " off " }"
-- controls whether a given port will flood multicast traffic for which there is no MDB entry.
+- controls whether a given port will flood multicast traffic for which
+ there is no MDB entry.
+
+.BR mcast_to_unicast " { " on " | " off " }"
+- controls whether a given port will replicate packets using unicast
+ instead of multicast. By default this flag is off.
.BI group_fwd_mask " MASK "
-- set the group forward mask. This is the bitmask that is applied to decide whether to forward incoming frames destined to link-local addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0, ie the bridge does not forward any link-local frames coming on this port).
+- set the group forward mask. This is the bitmask that is applied to
+decide whether to forward incoming frames destined to link-local
+addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to
+0, ie the bridge does not forward any link-local frames coming on
+this port).
.BR neigh_suppress " { " on " | " off " }"
-- controls whether neigh discovery (arp and nd) proxy and suppression is enabled on the port. By default this flag is off.
+- controls whether neigh discovery (arp and nd) proxy and suppression
+is enabled on the port. By default this flag is off.
.BR vlan_tunnel " { " on " | " off " }"
-- controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off.
+- controls whether vlan to tunnel mapping is enabled on the port. By
+default this flag is off.
.BI backup_port " DEVICE"
-- if the port loses carrier all traffic will be redirected to the configured backup port
+- if the port loses carrier all traffic will be redirected to the
+configured backup port
.BR nobackup_port
- removes the currently configured backup port
.TP
.BR "\-force"
-Don't terminate ip on errors in batch mode.
-If there were any errors during execution of the commands, the application return code will be non zero.
+Don't terminate ip on errors in batch mode. If there were any errors
+during execution of the commands, the application return code will be
+non zero.
.TP
.BR "\-s" , " \-stats" , " \-statistics"
.TP
.BR "\-f" , " \-family " <FAMILY>
-Specifies the protocol family to use. The protocol family identifier can be one of
+Specifies the protocol family to use. The protocol family identifier
+can be one of
.BR "inet" , " inet6" , " bridge" , " mpls"
or
.BR link .
.TP
.BR "\-a" , " \-all"
-executes specified command over all objects, it depends if command supports this option.
+executes specified command over all objects, it depends if command
+supports this option.
.TP
.BR \-c [ color ][ = { always | auto | never }
.BR always ,
color output is enabled regardless of stdout state. If parameter is
.BR auto ,
-stdout is checked to be a terminal before enabling color output. If parameter is
+stdout is checked to be a terminal before enabling color output. If
+parameter is
.BR never ,
color output is disabled. If specified multiple times, the last one takes
precedence. This flag is ignored if
.TP
.BR "\-br" , " \-brief"
-Print only basic information in a tabular format for better readability. This option is currently only supported by
+Print only basic information in a tabular format for better
+readability. This option is currently only supported by
.BR "ip addr show " and " ip link show " commands.
.TP
.TP
.BR "\-p", " \-pretty"
-The default JSON format is compact and more efficient to parse but hard for most users to read.
-This flag adds indentation for readability.
+The default JSON format is compact and more efficient to parse but
+hard for most users to read. This flag adds indentation for
+readability.
.SH IP - COMMAND SYNTAX
.SH ENVIRONMENT
.TP
.B COLORFGBG
-If set, it's value is used for detection whether background is dark or light and use contrast colors for it.
+If set, it's value is used for detection whether background is dark or
+light and use contrast colors for it.
COLORFGBG environment variable usually contains either two or three
values separated by semicolons; we want the last value in either case.
is used to dump socket statistics. It allows showing information similar
to
.IR netstat .
-It can display more TCP and state informations than other tools.
+It can display more TCP and state information than other tools.
.SH OPTIONS
-When no option is used ss displays a list of
-open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
+When no option is used ss displays a list of open non-listening
+sockets (e.g. TCP/UNIX/UDP) that have established connection.
.TP
.B \-h, \-\-help
Show summary of options.
Try to resolve numeric address/ports.
.TP
.B \-a, \-\-all
-Display both listening and non-listening (for TCP this means established connections) sockets.
+Display both listening and non-listening (for TCP this means
+established connections) sockets.
.TP
.B \-l, \-\-listening
Display only listening sockets (these are omitted by default).
.TP
.B \-o, \-\-options
-Show timer information. For tcp protocol, the output format is:
+Show timer information. For TCP protocol, the output format is:
.RS
.P
timer:(<timer_name>,<expire_time>,<retrans>)
the name of the timer, there are five kind of timer names:
.RS
.P
-.BR on ": means one of these timers: tcp retrans timer, tcp early retrans timer and tail loss probe timer"
+.B on
+: means one of these timers: TCP retrans timer, TCP early retrans
+timer and tail loss probe timer
.P
.BR keepalive ": tcp keep alive timer"
.P
.P
.TP
.B <retrans>
-how many times the retran occurs
+how many times the retransmission occured
.RE
.TP
.B \-e, \-\-extended
.P
.TP
.B <fwd_alloc>
-the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will be used before allocate additional memory.
+the memory allocated by the socket as cache, but not used for
+receiving/sending packet yet. If need memory to send/receive packet,
+the memory in this cache will be used before allocate additional
+memory.
.P
.TP
.B <wmem_queued>
The memory allocated for sending packet (which has not been sent to layer 3)
.P
.TP
-.B <opt_mem>
+.B <ropt_mem>
The memory used for storing socket option, e.g., the key for TCP MD5 signature
.P
.TP
.B <back_log>
-The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk backlog queue, so it can be received by the process immediately
+The memory used for the sk backlog queue. On a process context, if the
+process is receiving packet, and a new packet is received, it will be
+put into the sk backlog queue, so it can be received by the process
+immediately
.RE
.TP
.B \-p, \-\-processes
.P
.TP
.B wscale:<snd_wscale>:<rcv_wscale>
-if window scale option is used, this field shows the send scale factor and receive scale factor
+if window scale option is used, this field shows the send scale factor
+and receive scale factor
.P
.TP
.B rto:<icsk_rto>
.P
.TP
.B backoff:<icsk_backoff>
-used for exponential backoff re-transmission, the actual re-transmission timeout value is icsk_rto << icsk_backoff
+used for exponential backoff re-transmission, the actual
+re-transmission timeout value is icsk_rto << icsk_backoff
.P
.TP
.B rtt:<rtt>/<rttvar>
-rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond
+rtt is the average round trip time, rttvar is the mean deviation of
+rtt, their units are millisecond
.P
.TP
.B ato:<ato>
.P
.TP
.B class_id
-Class id set by net_cls cgroup. If class is zero this shows priority set by SO_PRIORITY.
+Class id set by net_cls cgroup. If class is zero this shows priority
+set by SO_PRIORITY.
.RE
.TP
.B \-K, \-\-kill
Switch to the specified network namespace name.
.TP
.B \-b, \-\-bpf
-Show socket BPF filters (only administrators are allowed to get these information).
+Show socket BPF filters (only administrators are allowed to get these
+information).
.TP
.B \-4, \-\-ipv4
Display only IP version 4 sockets (alias for -f inet).
Display XDP sockets (alias for -f xdp).
.TP
.B \-f FAMILY, \-\-family=FAMILY
-Display sockets of type FAMILY.
-Currently the following families are supported: unix, inet, inet6, link, netlink, vsock, xdp.
+Display sockets of type FAMILY. Currently the following families are
+supported: unix, inet, inet6, link, netlink, vsock, xdp.
.TP
.B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers
to exclude that socket table from being dumped.
.TP
.B \-D FILE, \-\-diag=FILE
-Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
+Do not display anything, just dump raw information about TCP sockets
+to FILE after applying filters. If FILE is - stdout is used.
.TP
.B \-F FILE, \-\-filter=FILE
-Read filter information from FILE.
-Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
+Read filter information from FILE. Each line of FILE is interpreted
+like single command line option. If FILE is - stdin is used.
.TP
.B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.
.SH STATE-FILTER
.B STATE-FILTER
-allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state.
+allows to construct arbitrary set of states to match. Its syntax is
+sequence of keywords state and exclude followed by identifier of
+state.
.TP
Available identifiers are:
Find all local processes connected to X server.
.TP
.B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
-List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.
+List all the tcp sockets in state FIN-WAIT-1 for our apache to network
+193.233.7/24 and look at their timers.
.TP
.B ss -a -A 'all,!tcp'
List sockets in all states from all socket tables but TCP.
LIMIT ]
.br
[
+.BR fwmark
+MASK ]
+.br
+[
.BR ptm
|
.BR atm
.br
Voice (CS7, CS6, EF, VA, TOS4), 25% threshold, reduced Codel interval.
+.PP
+.B fwmark
+MASK
+.br
+ This options turns on fwmark-based overriding of CAKE's tin selection.
+If set, the option specifies a bitmask that will be applied to the fwmark
+associated with each packet. If the result of this masking is non-zero, the
+result will be right-shifted by the number of least-significant unset bits in
+the mask value, and the result will be used as a the tin number for that packet.
+This can be used to set policies in a firewall script that will override CAKE's
+built-in tin selection.
+
.SH OTHER PARAMETERS
.B memlimit
LIMIT
is reached. Default is 1000 packets.
.SS target
-is the expected queue delay. The default target delay is 20ms.
+is the expected queue delay. The default target delay is 15ms.
.SS tupdate
-is the frequency at which the system drop probability is calculated. The default is 30ms.
+is the frequency at which the system drop probability is calculated. The default is 15ms.
.SS alpha
.SS beta
.SH EXAMPLES
# tc qdisc add dev eth0 root pie
# tc -s qdisc show
- qdisc pie 8034: dev eth0 root refcnt 2 limit 200p target 19000us tupdate 29000us alpha 2 beta 20
- Sent 7443524 bytes 7204 pkt (dropped 900, overlimits 0 requeues 0)
- backlog 38998b 37p requeues 0
- prob 0.123384 delay 25000us avg_dq_rate 1464840
- pkts_in 7241 overlimit 900 dropped 0 maxq 186 ecn_mark 0
+ qdisc pie 8036: dev eth0 root refcnt 2 limit 1000p target 15.0ms tupdate 16.0ms alpha 2 beta 20
+ Sent 31216108 bytes 20800 pkt (dropped 80, overlimits 0 requeues 0)
+ backlog 16654b 11p requeues 0
+ prob 0.006161 delay 15666us avg_dq_rate 1159667
+ pkts_in 20811 overlimit 0 dropped 80 maxq 50 ecn_mark 0
# tc qdisc add dev eth0 root pie limit 100 target 20ms tupdate 30ms ecn
# tc -s qdisc show
- qdisc pie 8036: dev eth0 root refcnt 2 limit 200p target 19000 tupdate 29000 alpha 2 beta 20 ecn
- Sent 2491922 bytes 2507 pkt (dropped 214, overlimits 0 requeues 0)
- backlog 33728b 32p requeues 0
- prob 0.102262 delay 24000us avg_dq_rate 1464840
- pkts_in 2468 overlimit 214 dropped 0 maxq 192 ecn_mark 71
-
+ qdisc pie 8036: dev eth0 root refcnt 2 limit 100p target 20.0ms tupdate 32.0ms alpha 2 beta 20 ecn
+ Sent 6591724 bytes 4442 pkt (dropped 27, overlimits 0 requeues 0)
+ backlog 18168b 12p requeues 0
+ prob 0.008845 delay 11348us avg_dq_rate 1342773
+ pkts_in 4454 overlimit 0 dropped 27 maxq 65 ecn_mark 0
# tc qdisc add dev eth0 root pie limit 100 target 50ms tupdate 30ms bytemode
# tc -s qdisc show
- qdisc pie 8036: dev eth0 root refcnt 2 limit 200p target 19000 tupdate 29000 alpha 2 beta 20 ecn
- Sent 2491922 bytes 2507 pkt (dropped 214, overlimits 0 requeues 0)
- backlog 33728b 32p requeues 0
- prob 0.102262 delay 24000us avg_dq_rate 1464840
- pkts_in 2468 overlimit 214 dropped 0 maxq 192 ecn_mark 71
-
+ qdisc pie 8036: dev eth0 root refcnt 2 limit 100p target 50.0ms tupdate 32.0ms alpha 2 beta 20 bytemode
+ Sent 1616274 bytes 1137 pkt (dropped 0, overlimits 0 requeues 0)
+ backlog 13626b 9p requeues 0
+ prob 0.000000 delay 0us avg_dq_rate 0
+ pkts_in 1146 overlimit 0 dropped 0 maxq 23 ecn_mark 0
.SH SEE ALSO
.BR tc (8),
.BR tc-red (8)
.SH SOURCES
- o IETF draft submission is at http://tools.ietf.org/html/draft-pan-tsvwg-pie-00
- o IEEE Conference on High Performance Switching and Routing 2013 : "PIE: A
-Lightweight Control Scheme to Address the Bufferbloat Problem"
+ o RFC 8033: https://tools.ietf.org/html/rfc8033
.SH AUTHORS
PIE was implemented by Vijay Subramanian and Mythili Prabhu, also the authors of
.BR tc-mqprio (8),
.BR tc-pfifo (8),
.BR tc-pfifo_fast (8),
+.BR tc-pie (8),
.BR tc-red (8),
.BR tc-route (8),
.BR tc-sfb (8),
" [ split-gso* | no-split-gso ]\n"
" [ ack-filter | ack-filter-aggressive | no-ack-filter* ]\n"
" [ memlimit LIMIT ]\n"
+" [ fwmark MASK ]\n"
" [ ptm | atm | noatm* ] [ overhead N | conservative | raw* ]\n"
" [ mpu N ] [ ingress | egress* ]\n"
" (* marks defaults)\n");
int autorate = -1;
int ingress = -1;
int overhead = 0;
+ int fwmark = -1;
int wash = -1;
int nat = -1;
int atm = -1;
"Illegal value for \"memlimit\": \"%s\"\n", *argv);
return -1;
}
+ } else if (strcmp(*argv, "fwmark") == 0) {
+ unsigned int fwm;
+
+ NEXT_ARG();
+ if (get_u32(&fwm, *argv, 0)) {
+ fprintf(stderr,
+ "Illegal value for \"fwmark\": \"%s\"\n", *argv);
+ return -1;
+ }
+ fwmark = fwm;
} else if (strcmp(*argv, "help") == 0) {
explain();
return -1;
if (memlimit)
addattr_l(n, 1024, TCA_CAKE_MEMORY, &memlimit,
sizeof(memlimit));
+ if (fwmark != -1)
+ addattr_l(n, 1024, TCA_CAKE_FWMARK, &fwmark,
+ sizeof(fwmark));
if (nat != -1)
addattr_l(n, 1024, TCA_CAKE_NAT, &nat, sizeof(nat));
if (wash != -1)
struct rtattr *tb[TCA_CAKE_MAX + 1];
unsigned int interval = 0;
unsigned int memlimit = 0;
+ unsigned int fwmark = 0;
__u64 bandwidth = 0;
int ack_filter = 0;
int split_gso = 0;
RTA_PAYLOAD(tb[TCA_CAKE_RTT]) >= sizeof(__u32)) {
interval = rta_getattr_u32(tb[TCA_CAKE_RTT]);
}
+ if (tb[TCA_CAKE_FWMARK] &&
+ RTA_PAYLOAD(tb[TCA_CAKE_FWMARK]) >= sizeof(__u32)) {
+ fwmark = rta_getattr_u32(tb[TCA_CAKE_FWMARK]);
+ }
if (wash)
print_string(PRINT_FP, NULL, "wash ", NULL);
sprint_size(memlimit, b1));
}
+ if (fwmark)
+ print_uint(PRINT_FP, NULL, "fwmark 0x%x ", fwmark);
+ print_0xhex(PRINT_JSON, "fwmark", NULL, fwmark);
+
return 0;
}
st = RTA_DATA(xstats);
/*prob is returned as a fracion of maximum integer value */
fprintf(f, "prob %f delay %uus avg_dq_rate %u\n",
- (double)st->prob / (double)0xffffffff, st->delay,
+ (double)st->prob / UINT64_MAX, st->delay,
st->avg_dq_rate);
fprintf(f, "pkts_in %u overlimit %u dropped %u maxq %u ecn_mark %u\n",
st->packets_in, st->overlimit, st->dropped, st->maxq,
--- /dev/null
+#!/bin/sh
+
+. lib/generic.sh
+
+ts_log "[Testing Add XFRM Interface, With IF-ID]"
+
+PHYS_DEV="lo"
+NEW_DEV="$(rand_dev)"
+IF_ID="0xf"
+
+ts_ip "$0" "Add $NEW_DEV xfrm interface" link add dev $NEW_DEV type xfrm dev $PHYS_DEV if_id $IF_ID
+
+ts_ip "$0" "Show $NEW_DEV xfrm interface" -d link show dev $NEW_DEV
+test_on "$NEW_DEV"
+test_on "if_id $IF_ID"
+
+ts_ip "$0" "Del $NEW_DEV xfrm interface" link del dev $NEW_DEV
+
+
+ts_log "[Testing Add XFRM Interface, No IF-ID]"
+
+PHYS_DEV="lo"
+NEW_DEV="$(rand_dev)"
+IF_ID="0xf"
+
+ts_ip "$0" "Add $NEW_DEV xfrm interface" link add dev $NEW_DEV type xfrm dev $PHYS_DEV
+
+ts_ip "$0" "Show $NEW_DEV xfrm interface" -d link show dev $NEW_DEV
+test_on "$NEW_DEV"
+test_on_not "if_id $IF_ID"
+
+ts_ip "$0" "Del $NEW_DEV xfrm interface" link del dev $NEW_DEV
projects / mirror_iproute2.git / commitdiff