Phil Sutter [Thu, 16 Jun 2016 14:19:40 +0000 (16:19 +0200)]
iplink: Check address length via netlink
This is a feature which was lost during the conversion to netlink
interface: If the device exists and a user tries to change the link
layer address, query the kernel for the old address first and reject the
new one if sizes differ.
This patch adds the same check when setting VF address by assuming same
length as PF device.
Note that at least for VFs the check can't be done in kernel space since
struct ifla_vf_mac lacks a length field and due to netlink padding the
exact size can't be communicated to the kernel.
Martin KaFai Lau [Sat, 18 Jun 2016 00:38:53 +0000 (17:38 -0700)]
ss: Add tcp_info fields data_segs_in/out
tcp_info fields, data_segs_in and data_segs_out, have been added to the
kernel in commit a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
since kernel 4.6.
This patch renames "iptables_target" to "xtables_target" and some other
things which gets renamed and I noticed while reading iptables git log.
Functions which are not used in m_ipt.c and not exported by the header
are removed, if they still used in m_ipt.c I added a static to the function.
Reported-by: Clemens Gruber <clemens.gruber@pqgruber.com> Signed-off-by: Alexander Aring <aar@pengutronix.de>
Phil Sutter [Fri, 10 Jun 2016 11:42:02 +0000 (13:42 +0200)]
tc: m_xt: Fix indenting
By exiting early if xtables_find_target() fails, one indenting level can
be dropped. Some of the wrongly indented code then happens to sit at the
right spot by accident which is why this patch is smaller than expected.
Phil Sutter [Fri, 10 Jun 2016 11:42:01 +0000 (13:42 +0200)]
tc: m_xt: Fix segfault when adding multiple actions at once
Without this, the following call to tc would segfault:
| tc filter add dev d0 parent ffff: u32 match u32 0 0 \
| action xt -j MARK --set-mark 0x1 \
| action xt -j MARK --set-mark 0x1
The reason is basically the same as for 6e2e5ec28bad4 ("fix print_ipt:
segfault if more then one filter with action -j MARK.") but in
parse_ipt() instead of print_ipt().
strtoul() only modifies errno on overflow, so if errno is not zero
before calling the function its value is preserved and makes the
function fail for valid inputs; initialize it.
tc: f_u32: Add support for skip_hw and skip_sw flags
On devices that support TC U32 offloads, these flags enable a filter to be
added only to HW or only to SW. skip_sw and skip_hw are mutually exclusive
flags. By default without any flags, the filter is added to both HW and SW,
but no error checks are done in case of failure to add to HW.
With skip-sw, failure to add to HW is treated as an error.
Here is a sample script that adds 2 filters, one with skip_sw and the other
with skip_hw flag.
# add ingress qdisc
tc qdisc add dev p4p1 ingress
# enable hw tc offload.
ethtool -K p4p1 hw-tc-offload on
# add u32 filter with skip-sw flag.
tc filter add dev p4p1 parent ffff: protocol ip prio 99 \
handle 800:0:1 u32 ht 800: flowid 800:1 \
skip-sw \
match ip src 192.168.1.0/24 \
action drop
# add u32 filter with skip-hw flag.
tc filter add dev p4p1 parent ffff: protocol ip prio 99 \
handle 800:0:2 u32 ht 800: flowid 800:2 \
skip-hw \
match ip src 192.168.2.0/24 \
action drop
Phil Sutter [Mon, 30 May 2016 18:46:27 +0000 (20:46 +0200)]
man: ip, ip-link: Fix ip option location
This patch drops the redundant description of some of ip's options in
ip-link.8's description of the 'show' subcommand, preserving the
description of -iec (but appending it to the list in ip.8 with minor
fixes).
David Ahern [Tue, 24 May 2016 22:04:49 +0000 (15:04 -0700)]
Make builds default to quiet mode
Similar to the Linux kernel and perf add infrastructure to reduce the
amount of output tossed to a user during a build. Full build output
can be obtained with 'make V=1'
Jamal Hadi Salim [Tue, 24 May 2016 11:52:48 +0000 (07:52 -0400)]
tc simple action: bug fix
Failed compile
m_simple.c: In function ‘parse_simple’:
m_simple.c:154:6: warning: too many arguments for format [-Wformat-extra-args]
*argv);
^
m_simple.c:103:14: warning: unused variable ‘maybe_bind’ [-Wunused-variable]
Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Peter Heise [Mon, 30 May 2016 13:32:07 +0000 (15:32 +0200)]
Added support for selection of new HSR version
A new HSR version was added in 4.7 that can be enabled
via iproute2. Per default the old version is selected,
however, with "ip link add [..] type hsr [..] version 1"
the newer version can be enabled.
Signed-off-by: Peter Heise <peter.heise@airbus.com>
Daniel Borkmann [Wed, 18 May 2016 09:58:41 +0000 (11:58 +0200)]
f_bpf: fix filling of handle when no further arg is provided
We need to fill handle when provided by the user, even if no further
argument is provided. Thus, move the test for arg to the correct location,
so that it works correctly:
# tc filter show dev foo egress
filter protocol all pref 1 bpf
filter protocol all pref 1 bpf handle 0x1 bpf.o:[classifier] direct-action
filter protocol all pref 1 bpf handle 0x2 bpf.o:[classifier] direct-action
# tc filter del dev foo egress prio 1 handle 2 bpf
# tc filter show dev foo egress
filter protocol all pref 1 bpf
filter protocol all pref 1 bpf handle 0x1 bpf.o:[classifier] direct-action
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
David Ahern [Wed, 11 May 2016 13:51:58 +0000 (06:51 -0700)]
ip link: Add support for kernel side filtering
Kernel gained support for filtering link dumps with commit dc599f76c22b
("net: Add support for filtering link dump by master device and kind").
Add support to ip link command. If a user passes master device or
kind to ip link command they are added to the link dump request message.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Jiri Pirko [Sat, 14 May 2016 13:21:02 +0000 (15:21 +0200)]
devlink: implement shared buffer occupancy control
Use kernel shared buffer occupancy control commands to make snapshot and
clear occupancy watermarks. Also, allow to show occupancy values in a
nice way.
Jiri Pirko [Sat, 14 May 2016 13:21:01 +0000 (15:21 +0200)]
devlink: implement shared buffer support
Implement kernel devlink shared buffer interface. Introduce new object
"sb" and allow to browse the shared buffer parameters and also change
configuration.
Daniel Borkmann [Sun, 15 May 2016 16:36:03 +0000 (18:36 +0200)]
ingress, clsact: don't add TCA_OPTIONS to nl msg
In ingress and clsact qdisc TCA_OPTIONS are ignored, since it's
parameterless. In tc, we add an empty addattr_l(... TCA_OPTIONS,
NULL, 0) to the netlink message nevertheless. This has the
side effect that when someone tries a 'tc qdisc replace' and
already an existing such qdisc is present, tc fails with
EINVAL here.
Reason is that in the kernel, this invokes qdisc_change() when
such requested qdisc is already present. When TCA_OPTIONS are
passed to modify parameters, it looks whether qdisc implements
.change() callback, and if not present (like in both cases here)
it returns with error. Rather than adding an empty stub to the
kernel that ignores TCA_OPTIONS again, just don't add TCA_OPTIONS
to the netlink message in the first place.
Before:
# tc qdisc replace dev foo clsact # first try
# tc qdisc replace dev foo clsact # second one
RTNETLINK answers: Invalid argument
After:
# tc qdisc replace dev foo clsact
# tc qdisc replace dev foo clsact
# tc qdisc replace dev foo clsact
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Brings it closer to more serious actions (adding branching
and allowing for late binding)
Unfortunately this breaks old syntax of the simple action.
But because simple is a pedagogical example unlikely to be used
in production environments (i.e its role is to serve as an example
on how to write actions), then this is ok.
New syntax for simple has new keyword "sdata". Example usage is:
sudo tc actions add action simple sdata "foobar" index 1
or
tc filter add dev $DEV parent ffff: protocol ip prio 1 u32\
match ip dst 17.0.0.1/32 flowid 1:10 action simple sdata "foobar"
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
This action allows for a sending side to encapsulate arbitrary metadata
which is decapsulated by the receiving end.
The sender runs in encoding mode and the receiver in decode mode.
Both sender and receiver must specify the same ethertype.
At some point we hope to have a registered ethertype and we'll
then provide a default so the user doesnt have to specify it.
For now we enforce the user specify it.
Described in netdev01 paper:
"Distributing Linux Traffic Control Classifier-Action Subsystem"
Authors: Jamal Hadi Salim and Damascene M. Joachimpillai
Also refer to IETF draft-ietf-forces-interfelfb-04.txt
Lets show example usage where we encode icmp from a sender towards
a receiver with an skbmark of 17; both sender and receiver use
ethertype of 0xdead to interop.
YYYY: Lets start with Receiver-side policy config:
xxx: add an ingress qdisc
sudo tc qdisc add dev $ETH ingress
xxx: any packets with ethertype 0xdead will be subjected to ife decoding
xxx: we then restart the classification so we can match on icmp at prio 3
sudo $TC filter add dev $ETH parent ffff: prio 2 protocol 0xdead \
u32 match u32 0 0 flowid 1:1 \
action ife decode reclassify
xxx: on restarting the classification from above if it was an icmp
xxx: packet, then match it here and continue to the next rule at prio 4
xxx: which will match based on skb mark of 17
sudo tc filter add dev $ETH parent ffff: prio 3 protocol ip \
u32 match ip protocol 1 0xff flowid 1:1 \
action continue
xxx: match on skbmark of 0x11 (decimal 17) and accept
sudo tc filter add dev $ETH parent ffff: prio 4 protocol ip \
handle 0x11 fw flowid 1:1 \
action ok
xxx: Lets show the decoding policy
sudo tc -s filter ls dev $ETH parent ffff: protocol 0xdead
xxx:
filter pref 2 u32
filter pref 2 u32 fh 800: ht divisor 1
filter pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 0 success 0)
match 00000000/00000000 at 0 (success 0 )
action order 1: ife decode action reclassify type 0x0
allow mark allow prio
index 11 ref 1 bind 1 installed 45 sec used 45 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
xxx:
Observe that above lists all metadatum it can decode. Typically these
submodules will already be compiled into a monolithic kernel or
loaded as modules
YYYY: Lets show the sender side now ..
xxx: Add an egress qdisc on the sender netdev
sudo tc qdisc add dev $ETH root handle 1: prio
xxx:
xxx: Match all icmp packets to 192.168.122.237/24, then
xxx: tag the packet with skb mark of decimal 17, then
xxx: Encode it with:
xxx: ethertype 0xdead
xxx: add skb->mark to whitelist of metadatum to send
xxx: rewrite target dst MAC address to 02:15:15:15:15:15
xxx:
sudo $TC filter add dev $ETH parent 1: protocol ip prio 10 u32 \
match ip dst 192.168.122.237/24 \
match ip protocol 1 0xff \
flowid 1:2 \
action skbedit mark 17 \
action ife encode \
type 0xDEAD \
allow mark \
dst 02:15:15:15:15:15
xxx: Lets show the encoding policy
filter pref 10 u32
filter pref 10 u32 fh 800: ht divisor 1
filter pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 118 success 0)
match c0a87a00/ffffff00 at 16 (success 0 )
match 00010000/00ff0000 at 8 (success 0 )
action order 1: skbedit mark 17
index 11 ref 1 bind 1 installed 3 sec used 3 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
action order 2: ife encode action pipe type 0xDEAD
allow mark dst 02:15:15:15:15:15
index 12 ref 1 bind 1 installed 3 sec used 3 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
xxx:
Now test by sending ping from sender to destination
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
ip link gre: print only relevant info in external mode
Display only attributes that are relevant when a GRE interface is in
'external' mode instead of the default values (which are ignored by the
kernel even if passed back).
Fixes: 926b39e1feffd ("gre: add support for collect metadata flag") Signed-off-by: Jiri Benc <jbenc@redhat.com>
ip link gre: create interfaces in external mode correctly
For GRE interfaces in 'external' mode, the kernel ignores all manual
settings like remote IP address or TTL. However, for some of those
attributes, kernel checks their value and does not allow them to be zero
(even though they're ignored later).
Currently, 'ip link' always includes all attributes in the netlink message.
This leads to problem with creating interfaces in 'external' mode. For
example, this command does not work:
ip link add gre1 type gretap external
and needs a bogus remote IP address to be specified, as the kernel enforces
remote IP address to be either not present, or not null.
Ignore the parameters that do not make sense in 'external' mode.
Unfortunately, we cannot error out, as there may be existing deployments
that workarounded the bug by specifying bogus values.
Fixes: 926b39e1feffd ("gre: add support for collect metadata flag") Signed-off-by: Jiri Benc <jbenc@redhat.com>
Quentin Monnet [Tue, 3 May 2016 07:39:08 +0000 (09:39 +0200)]
tc: add bash-completion function
Add function for command completion for tc in bash, and update Makefile
to install it under /usr/share/bash-completion/completions/.
Inside iproute2 repository, the completion code is in a new
`bash-completion` toplevel directory.
v2: Remove `if` statement in Makefile: do not try to install in
/etc/bash_completion.d/ if /usr/share/bash-completion/completions/
is not found; instead, the user can override the installation path
with the specific environment variable.
Eric Dumazet [Thu, 21 Apr 2016 12:19:04 +0000 (05:19 -0700)]
ss: add SK_MEMINFO_DROPS display
SK_MEMINFO_DROPS is added in linux-4.7 for TCP, UDP and SCTP
skmem will display the socket drop count using d prefix as in :
$ ss -tm src :22 | more
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.246.7.151:ssh 172.20.10.101:50759
skmem:(r0,rb8388608,t0,tb8388608,f1792,w2304,o0,bl0,d0)
devlink: implement shared buffer occupancy control
Use kernel shared buffer occupancy control commands to make snapshot and
clear occupancy watermarks. Also, allow to show occupancy values in a
nice way.
Implement kernel devlink shared buffer interface. Introduce new object
"sb" and allow to browse the shared buffer parameters and also change
configuration.
This function is to be used from dump callbacks to decide if the output
currect output should be filtered off or not. Filtering is based on
previously parsed and stored command line options.
Phil Sutter [Wed, 13 Apr 2016 20:07:05 +0000 (22:07 +0200)]
ss: Fix accidental state filter override
Passing a filter expression and selecting an address family using the
'-f' flag would overwrite the state filter by accident. Therefore
calling e.g. 'ss -nl -f inet '(sport = :22)' would not only print
listening sockets (as requested by '-l' flag) but connected ones, as
well.
Fix this by reusing the formerly ineffective call to filter_states_set()
to restore the state filter as it was before the call to
filter_af_set().
Jeff Harris [Thu, 14 Apr 2016 18:15:03 +0000 (14:15 -0400)]
ip: neigh: Fix leftover attributes message during flush
Use the same rtnl_dump_request_n call as the show. The rtnl_wilddump_request
assumes the type uses an ifinfomsg which is not the case for the neighbor
table.
Signed-off-by: Jeff Harris <jefftharris@gmail.com> Acked-by: David Ahern <dsa@cumulusnetworks.com>
projects / mirror_iproute2.git / log