Amir Vadai [Sun, 23 Apr 2017 12:53:54 +0000 (15:53 +0300)]
tc/pedit: p_eth: ETH header editor
For example, forward tcp traffic to veth0 and set
destination mac address to 11:22:33:44:55:66 :
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto tcp \
action pedit ex munge \
eth dst set 11:22:33:44:55:66 \
action mirred egress \
redirect dev veth0
Amir Vadai [Sun, 23 Apr 2017 12:53:52 +0000 (15:53 +0300)]
tc/pedit: p_ip: introduce editing ttl header
Enable user to edit IP header ttl field.
For example, to forward any TCP packet and decrease its TTL by one:
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto tcp \
action pedit ex munge \
ip ttl add 0xff pipe \
action mirred egress \
redirect dev veth0
Amir Vadai [Sun, 23 Apr 2017 12:53:50 +0000 (15:53 +0300)]
tc/pedit: Extend pedit to specify offset relative to mac/transport headers
Utilize the extended pedit netlink to set an offset relative to a
specific header type. Old netlink only enabled the user to set
approximated offset relative to the IPv4 header.
To use this extended functionality need to use the 'ex' keyword after
'pedit' and before any 'munge'.
e.g:
$ tc filter add dev ens9 protocol ip parent ffff: \
flower \
ip_proto udp \
dst_port 80 \
action pedit ex munge \
ip dst set 1.1.1.1 \
pipe \
action mirred egress redirect dev veth0
Michal Kubeček [Thu, 27 Apr 2017 09:43:47 +0000 (11:43 +0200)]
routel: fix infinite loop in line parser
As noticed by one of the few users of routel script, it ends up in an
infinite loop when they pull out the cable from the NIC used for some
route. This is caused by its parser expecting the line of "ip route show"
output consists of "key value" pairs (except for the initial target range),
together with an old trap of Bourne style shells that "shift 2" does
nothing if there is only one argument left. Some keywords, e.g. "linkdown",
are not followed by a value.
Improve the parser to
(1) only set variables for keywords we care about
(2) recognize (currently) known keywords without value
This is still far from perfect (and certainly not future proof) but to
fully fix the script, one would probably have to rewrite the logic
completely (and I'm not sure it's worth the effort).
Introduce optional 128-bit action cookie.
Like all other cookie schemes in the networking world (eg in protocols
like http or existing kernel fib protocol field, etc) the idea is to
save user state that when retrieved serves as a correlator. The kernel
_should not_ intepret it. The user can store whatever they wish in the
128 bits.
Sample exercise(showing variable length use of cookie)
.. create an accept action with cookie a1b2c3d4
sudo $TC actions add action ok index 1 cookie a1b2c3d4
.. dump all gact actions..
sudo $TC -s actions ls action gact
action order 0: gact action pass
random type none pass val 0
index 1 ref 1 bind 0 installed 5 sec used 5 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
cookie a1b2c3d4
.. bind the accept action to a filter..
sudo $TC filter add dev lo parent ffff: protocol ip prio 1 \
u32 match ip dst 127.0.0.1/32 flowid 1:1 action gact index 1
... send some traffic..
$ ping 127.0.0.1 -c 3
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
David Ahern [Fri, 14 Apr 2017 23:09:56 +0000 (16:09 -0700)]
ip vrf: Add command name next to pid
'ip vrf pids' is used to list processes bound to a vrf, but it only
shows the pid leaving a lot of work for the user. Add the command
name to the output. With this patch you get the more user friendly:
The maketable program used to generate one of the configuration
files at build time for netem would access past the end of the array
for one input value. This is a bug inherited from original NISTnet.
Just fold the value, like other code there.
This is not a runtime error security problem.
It only impacts the build process if the build machine
had extra hardening enabled.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Phil Sutter [Tue, 28 Mar 2017 21:19:39 +0000 (23:19 +0200)]
ip: link: Add missing link type help texts
These are basically stubs: The types which lacked their own help text
simply don't accept any options (yet). Still it might be a bit confusing
to users if they are presented with the generic 'ip link' help text
instead of something saying there are no type specific options.
Phil Sutter [Tue, 28 Mar 2017 21:19:38 +0000 (23:19 +0200)]
ip: link: Unify link type help functions a bit
Take help function in iplink_bridge.c as an example and make other link
types' help functions similar:
* Use a single fprintf() call (if possible).
* Don't state a full command line, just "... type OPTIONS".
* Put every option in it's own line, align options by column.
* List mandatory options first.
link_veth.c is intentionally left untouched because it's 'peer' option
eats all kinds of generic link options and the help text points this out
without duplicating all the options there again.
While generating PDFs from the man pages, I saw the warning below from
several files. Compared the tc-matchall.8 with bridge.8 and used .RI
instead of .R. It should have no effect on the man page rendering.
`R' is a string (producing the registered sign), not a macro.
Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
Vincent Bernat [Thu, 9 Mar 2017 20:05:42 +0000 (21:05 +0100)]
vxlan: use preferred address family when neither group or remote is specified
When neither group or remote is specified (or if they are specified with
the any address), nothing is sent to the kernel. In this case, the
kernel defaults to IPv4. This makes impossible to use IPv6 with
unspecified unicast remote ("bridge fdb add" will return
EAFNOTSUPPORT).
If the user specifies a preferred address family (eg, "ip -6 link add"),
then send either IFLA_VXLAN_GROUP or IFLA_VXLAN_GROUP6 to enforce the
use of the appropriate family.
Having some examples in the top level man page might make it a little bit easier
for new users to get started. Reused some words / sentences from the existing
man pages.
Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org> Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
Robert Shearman [Thu, 9 Mar 2017 12:43:36 +0000 (12:43 +0000)]
iplink: add support for afstats subcommand
Add support for new afstats subcommand. This uses the new
IFLA_STATS_AF_SPEC attribute of RTM_GETSTATS messages to show
per-device, AF-specific stats. At the moment the kernel only supports
MPLS AF stats, so that is all that's implemented here.
The print_num function is exposed from ipaddress.c to be used for
printing the new stats so that the human-readable option, if set, can
be respected.
Daniel Borkmann [Mon, 6 Mar 2017 12:06:00 +0000 (13:06 +0100)]
bpf: test for valid type in bpf_get_work_dir
Jan-Erik reported an assertion in bpf_prog_to_subdir() failed where
type was BPF_PROG_TYPE_UNSPEC, which is only used in bpf_init_env()
to auto-mount and cache the bpf fs mount point.
Therefore, make sure when bpf_init_env() is called multiple times
(f.e. eBPF classifier with eBPF action attached) and bpf_mnt_cached
is set already that the type is also valid. In bpf_init_env(), we're
only interested in the mount point and not a type-specific subdir.
Fixes: e42256699cac ("bpf: make tc's bpf loader generic and move into lib") Reported-by: Jan-Erik Rediger <janerik@rediger.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Jiri Kosina [Fri, 24 Feb 2017 17:28:54 +0000 (18:28 +0100)]
iproute2: tc: introduce build dependency on libnetlink
Rebuilding libnetlink doesn't trigger rebuild of tc, which is wrong
(especially so for builds where libnetlink.a gets statically linked into
tc). Fix that by introducing an explicit dependency.
Use the new helper functions rta_getattr_u* instead of direct
cast of RTA_DATA(). Where RTA_DATA() is a structure, then remove
the unnecessary cast since RTA_DATA() is void *
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Daniel Borkmann [Thu, 23 Feb 2017 12:07:14 +0000 (13:07 +0100)]
{f,m}_bpf: dump tag over insns
We already export TCA_BPF_TAG resp. TCA_ACT_BPF_TAG from kernel commit f1f7714ea51c ("bpf: rework prog_digest into prog_tag"), thus also dump
it when filter/actions are shown.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Roi Dayan [Wed, 22 Feb 2017 14:05:01 +0000 (16:05 +0200)]
tc: flower: Fix parsing ip address
Fix order of arguments when passed to __flower_parse_ip_addr.
Fixes: ("f888f4e20534 tc: flower: Support matching ARP") Signed-off-by: Roi Dayan <roid@mellanox.com> Reviewed-by: Paul Blakey <paulb@mellanox.com> Reviewed-by: Simon Horman <simon.horman@netronome.com>
David Ahern [Tue, 21 Feb 2017 17:23:31 +0000 (09:23 -0800)]
ip: Add support for MPLS netconf
Add support for MPLS netconf to ip monitor and ip netconf commands.
Changes to header files not included as those are typically pulled
in my a header sync with the kernel.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
This patch adds support for a new xstats link subcommand which uses the
specified link type's new parse/print_ifla_xstats callbacks to display
extended statistics.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Leon Romanovsky [Tue, 14 Feb 2017 05:29:38 +0000 (07:29 +0200)]
devlink: Call dl_free in early exit case
Prior to parsing command options, the devlink tool allocates memory
to store results. In case of early exit (wrong parameters or version
check), this memory wasn't freed.
Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Acked-by: Jiri Pirko <jiri@mellanox.com>
Lucas Bates [Fri, 10 Feb 2017 23:28:54 +0000 (18:28 -0500)]
man page: add page for skbmod action
Signed-off-by: Lucas Bates <lucasb@mojatatu.com> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Roman Mashak <mrv@mojatatu.com> Reviewed-by: Simon Horman <simon.horman@netronome.com>
David Ahern [Thu, 16 Feb 2017 16:58:57 +0000 (08:58 -0800)]
ip vrf: Handle VRF nesting in namespace
Since cgroups are not namespace aware, the directory heirarchy used by
ip vrf should account for network namespaces. In this case, change the
path from CGRP/BASE/vrf/NAME to CGRP/BASE/NETNS/vrf/NAME where CGRP is
the cgroup2 mount path, BASE in any base heirarchy inherited before VRF
is applied and NAME is the VRF name.
The intent is as follows: a user logs into the box into some namespace
with a name known to iproute2. Some other policy may have put the
process into a BASE heirarchy. From there the user executes a task in
a VRF and in doing so the task heirarchy becomes CGRP/BASE/NETNS/vrf/NAME.
The namespace level is omitted for the default namespace.
Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
David Ahern [Thu, 16 Feb 2017 16:58:55 +0000 (08:58 -0800)]
ip vrf: Handle vrf in a cgroup hierarchy
Add support for VRF in a pre-existing hierarchy. For example, if the
current process is running in CGRP/foo/bar, the 'ip vrf exec NAME CMD'
should run CMD in the cgroup CGRP/foo/bar/vrf/NAME.
When listing process ids in a VRF, search for the directory vrf/NAME
regardless of base path (foo/bar/vrf/NAME and vrf/NAME) are still
running against the same vrf NAME.
Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Simon Horman [Thu, 9 Feb 2017 13:49:00 +0000 (14:49 +0100)]
tc: flower: provide generic masked u8 print helper
Provide generic masked u8 print helper and use it to print arp operations.
Also:
* Make name parameter of arp op print helper const.
* Consistently use __u8 rather than uint8_t, in keeping with the
pervasive style in the file.
Signed-off-by: Simon Horman <simon.horman@netronome.com>
David Ahern [Mon, 13 Feb 2017 20:21:53 +0000 (12:21 -0800)]
ip route: Make name of protocol 0 consistent
iproute2 can inconsistently show the name of protocol 0 if a route with
a custom protocol is added. For example:
dsa@cartman:~$ ip -6 ro ls table all | egrep 'proto none|proto unspec'
local ::1 dev lo table local proto none metric 0 pref medium
local fe80::225:90ff:fecb:1c18 dev lo table local proto none metric 0 pref medium
local fe80::92e2:baff:fe5c:da5d dev lo table local proto none metric 0 pref medium
protocol 0 is pretty printed as "none". Add a route with a custom protocol:
dsa@cartman:~$ sudo ip -6 ro add 2001:db8:200::1/128 dev eth0 proto 123
And now display has switched from "none" to "unspec":
dsa@cartman:~$ ip -6 ro ls table all | egrep 'proto none|proto unspec'
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::225:90ff:fecb:1c18 dev lo table local proto unspec metric 0 pref medium
local fe80::92e2:baff:fe5c:da5d dev lo table local proto unspec metric 0 pref medium
The rt_protos file has the id to name mapping as "unspec" while
rtnl_rtprot_tab[0] has "none". The presence of a custom protocol id
triggers reading the rt_protos file and overwriting the string in
rtnl_rtprot_tab. All of this is logic from 2004 and earlier.
Update rtnl_rtprot_tab to "unspec" to match the enum value.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Phil Sutter [Thu, 9 Feb 2017 10:50:54 +0000 (11:50 +0100)]
testsuite: Generate nlmsg blob at runtime
Since netlink messages are in host byte order, shipping a pre-generated
nlmsg blob won't suffice on systems with different endianness. Therefore
generate the blob at runtime, so it's content fits the hosts endianness.
Note that the generated message will contain only a single interface
featuring two VFs instead of the full list before. Yet this is
sufficient, as it triggers the crash with iproute versions prior to
commit 8c29ae7cc2494 ("ip link: Fix crash on older kernels when show VF
dev").
did not suggest the specific mirred parameters. Add the support for this
kind of completion by adding the _tc_filter_action_options routine and
invoking it from inside _tc_filter_options.
Yotam Gigi [Tue, 7 Feb 2017 13:50:49 +0000 (15:50 +0200)]
tc: bash-completion: Prepare action autocomplete to support several actions
The action autocomplete routine (_tc_action_options) currently does not
support several actions statements in one tc command line as it uses the
_tc_once_attr and _tc_one_from_list.
the _tc_once_attr function, when invoked with "group rate" will not
suggest those as they already exist on the command line.
Fix the function to use the _from variant, thus allowing each action
autocomplete start from the action keyword, and not from the beginning of
the command line.
Yotam Gigi [Tue, 7 Feb 2017 13:50:48 +0000 (15:50 +0200)]
tc: bash-completion: Add the _from variant to _tc_one* funcs
The _tc_one_of_list and _tc_once_attr functions simplfy the bash
completion task by validating each attr exist only once on the command
line.
For example, for the command line:
$ a b c d e
and the call to _tc_once_attr with "a f g", the function will suggest
"f g" as "a" existed in the command line in args 0.
Add the _from variant to those functions, which allows having the command
line option once from a specified index. In the previous example, calling
_tc_once_attr with 4 and "a f g" will suggest "a f g".
Yotam Gigi [Sun, 5 Feb 2017 07:58:54 +0000 (09:58 +0200)]
tc: man: matchall: Update examples to include sample
Add an example of packet sampling to the tc-matchall man page examples
section. The example uses the matchall classifier and the sample action to
create packet sampling on a port.
Yotam Gigi [Mon, 6 Feb 2017 22:23:21 +0000 (14:23 -0800)]
tc: man: Add man entry for the tc-sample action
In addition to general information about the tc action, the man entry
contains common usage examples and information about the tlv fields packed
within each sampled packet.
Yotam Gigi [Sun, 5 Feb 2017 07:58:52 +0000 (09:58 +0200)]
tc: Add support for the sample tc action
The sample tc action allows sampling packets matching a classifier. It
peeks randomly packets, and samples them using the psample netlink
channel. The user can specify the psample group, which the packet will be
sampled to, the sampling rate and the packet truncation (to save
kernel-user traffic).
The sampled packets contain informative metadata, for example, the input
interface and the original packet length.
The action syntax:
tc filter add [...] \
action sample rate <RATE> group <GROUP> [trunc <SIZE>]
[...]
Where:
RATE := The sampling rate which is the ratio of packets observed at the
data source to the samples generated
GROUP := the psample module sampling group
SIZE := optional truncation size
An example for a common usecase of the sample tc action: to sample ingress
traffic from interface eth1, one may use the commands:
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: \
matchall action sample rate 12 group 4
Where the first command adds an ingress qdisc and the second starts
sampling randomly with an average of one sampled packet per 12 packets
on dev eth1 to psample group 4.
Phil Sutter [Thu, 2 Feb 2017 15:22:56 +0000 (16:22 +0100)]
man: ip-route.8: Fix 'expires' indenting
Descriptions of each route sub-command's arguments are enclosed in
.RS/.RE pairs. For 'replace' sub-command, '.RE' was incorrectly put
before the last argument ('expires').
Fixes: 3fbe7ca847367 ("iproute2: ip-route.8.in: Add expires option for ip route") Signed-off-by: Phil Sutter <phil@nwl.cc>
Nogah Frankel [Thu, 26 Jan 2017 12:44:40 +0000 (14:44 +0200)]
ifstat: Add "sw only" extended statistics to ifstat
Add support for extended statistics of SW only type, for counting only the
packets that went via the cpu. (useful for systems with forward
offloading). It reads it from filter type IFLA_STATS_LINK_OFFLOAD_XSTATS
and sub type IFLA_OFFLOAD_XSTATS_CPU_HIT.
It is under the name 'cpu_hits'
(or any shorten of it as 'cpu' or simply 'c')
Nogah Frankel [Thu, 26 Jan 2017 12:44:39 +0000 (14:44 +0200)]
ifstat: Add extended statistics to ifstat
Extended stats are part of the RTM_GETSTATS method. This patch adds them
to ifstat.
While extended stats can come in many forms, we support only the
rtnl_link_stats64 struct for them (which is the 64 bits version of struct
rtnl_link_stats).
We support stats in the main nesting level, or one lower.
The extension can be called by its name or any shorten of it. If there is
more than one matched, the first one will be picked.
To get the extended stats the flag -x <stats type> is used.