Paolo Abeni [Fri, 18 Dec 2015 09:50:38 +0000 (10:50 +0100)]
lwtunnel: implement support for ip6 encap
Currently ip6 encap support for lwtunnel is missing.
This patch implement it, mostly duplicating the ipv4 parts.
Also be sure to insert a space after the encap type, when
showing lwtunnel, to avoid the tunnel type and the following
argument being merged into a single word.
Paolo Abeni [Tue, 15 Dec 2015 11:18:04 +0000 (12:18 +0100)]
lwtunnel: fix argument parsing
Currently parse_encap_ip() does not update correctly argv/argc;
if multiple lwtunnel arguments are provided, the parsing fails after
the first one, i.e.
ip route add 172.16.101.0/24 dev vxlan1 encap ip id 42 dst 192.168.255.1
fails with:
Error: either "to" is duplicate, or "dst" is a garbage.
This commit addresses the issue, stepping to next argument at each iteration
of the parsing loop.
Fixes: 1e5293056a02 ("lwtunnel: Add encapsulation support to ip route") Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Tom Herbert [Mon, 30 Nov 2015 22:57:28 +0000 (14:57 -0800)]
ila: Add support for ILA lwtunnels
This patch:
- Adds a utility function for parsing a 64 bit address
- Adds a utility function for converting a 64 bit address to ASCII
- Adds and ILA encap type in lwt tunnels
Nicolas Dichtel [Thu, 3 Dec 2015 16:13:48 +0000 (17:13 +0100)]
libnetlink: don't confuse variables in rtnl_talk()
There is two variables named 'len' in rtnl_talk. In fact, commit c079e121a73a didn't work. For example, it was possible to trigger
a seg fault with this command:
$ ip link set gre2 type ip6gre hoplimit 32
Let's rename the argument len to maxlen.
Fixes: c079e121a73a ("libnetlink: add size argument to rtnl_talk") Reported-by: Thomas Faivre <thomas.faivre@6wind.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Phil Sutter [Wed, 2 Dec 2015 12:50:22 +0000 (13:50 +0100)]
route: ignore RTAX_HOPLIMIT of value -1
Older kernels use -1 internally as indicator to use the sysctl default,
but they still export the setting. Newer kernels use 0 to indicate that
(which is why the conversion from -1 to 0 was done here), but they also
stopped exporting the value. Since the meaning of -1 is clear, treat it
equally like default on newer kernels (which is to not print anything).
ip_tunnel: determine tunnel address family from the tunnel type
On 24.11.2015 02:26, Stephen Hemminger wrote:
> On Thu, 12 Nov 2015 21:10:08 +0000
> Konstantin Shemyak <konstantin@shemyak.com> wrote:
>
>> When creating an IP tunnel over IPv6, the address family must be passed in
>> the option, e.g.
>>
>> ip -6 tunnel add mode ip6gre local 1::1 remote 2::2
>>
>> This makes it impossible to create both IPv4 and IPv6 tunnels in one batch.
>>
>> In fact the address family option is redundant here, as each tunnel mode is
>> relevant for only one address family.
>> The patch determines whether the applicable address family is AF_INET6
>> instead of the default AF_INET and makes the "-6" option unnecessary for
>> "ip tunnel add".
>>
>> Signed-off-by: Konstantin Shemyak <konstantin@shemyak.com>
>> ---
>> ip/iptunnel.c | 26 ++++++++++++++++++++++++++
>> testsuite/tests/ip/tunnel/add_tunnel.t | 14 ++++++++++++++
>> 2 files changed, 40 insertions(+)
>> create mode 100755 testsuite/tests/ip/tunnel/add_tunnel.t
>>
>> diff --git a/ip/iptunnel.c b/ip/iptunnel.c
>> index 78fa988..7826a37 100644
>> --- a/ip/iptunnel.c
>> +++ b/ip/iptunnel.c
>> @@ -629,8 +629,34 @@ static int do_6rd(int argc, char **argv)
>> return tnl_6rd_ioctl(cmd, medium, &ip6rd);
>> }
>>
>> +static int tunnel_mode_is_ipv6(char *tunnel_mode) {
>> + char *ipv6_modes[] = {
>> + "ipv6/ipv6", "ip6ip6",
>> + "vti6",
>> + "ip/ipv6", "ipv4/ipv6", "ipip6", "ip4ip6",
>> + "ip6gre", "gre/ipv6",
>> + "any/ipv6", "any"
>> + };
>> + int i;
>> +
>> + for (i = 0; i < sizeof(ipv6_modes) / sizeof(char *); i++) {
>> + if (strcmp(ipv6_modes[i], tunnel_mode) == 0)
>> + return 1;
>> + }
>> + return 0;
>> +}
>> +
>
> The ipv6_modes table should be static const.
Thank you for the note! attached the corrected patch.
> Also is it possible to use strstr for ipv6 and ip6 or even strchr(tunnel_mode, '6')
> to simplify this?
There is IPv6 tunnel mode 'any', and IPv4 tunnel mode 'ipv6/ip' (aka
'sit'). It looks to me that attempts to find some substring match
would not make the code much shorter, but definitely less readable.
Konstantin Shemyak.
>From 42d27db0055c3a114fe6eb86d680bef9ec098ad4 Mon Sep 17 00:00:00 2001
From: Konstantin Shemyak <konstantin@shemyak.com>
Date: Thu, 12 Nov 2015 20:52:02 +0200
Subject: [PATCH] Tunnel address family is determined from the tunnel mode
When the tunnel mode already tells the IP address family, "ip tunnel"
command determines it and does not require option "-4"/"-6" to be passed.
This makes possible creating both IPv4 and IPv6 tunnels in one batch.
Signed-off-by: Konstantin Shemyak <konstantin@shemyak.com>
Daniel Borkmann [Thu, 26 Nov 2015 14:38:46 +0000 (15:38 +0100)]
{f,m}_bpf: add more example code
I've added three examples to examples/bpf/ that demonstrate how one can
implement eBPF tail calls in tc with f.e. multiple levels of nesting.
That should act as a good starting point, but also as test cases for the
ELF loader and kernel. A real test suite for {f,m,e}_bpf is still to be
developed in future work.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org>
Daniel Borkmann [Thu, 26 Nov 2015 14:38:45 +0000 (15:38 +0100)]
{f,m}_bpf: allow updates on program arrays
Since we have all infrastructure in place now, allow atomic live updates
on program arrays. This can be very useful e.g. in case programs that are
being tail-called need to be replaced, f.e. when classifier functionality
needs to be changed, new protocols added/removed during runtime, etc.
Thus, provide a way for in-place code updates, minimal example: Given is
an object file cls.o that contains the entry point in section 'classifier',
has a globally pinned program array 'jmp' with 2 slots and id of 0, and
two tail called programs under section '0/0' (prog array key 0) and '0/1'
(prog array key 1), the section encoding for the loader is <id/key>.
Adding the filter loads everything into cls_bpf:
tc filter add dev foo parent ffff: bpf da obj cls.o
Now, the program under section '0/1' needs to be replaced with an updated
version that resides in the same section (also full path to tc's subfolder
of the mount point can be passed, e.g. /sys/fs/bpf/tc/globals/jmp):
tc exec bpf graft m:globals/jmp obj cls.o sec 0/1
In case the program resides under a different section 'foo', it can also
be injected into the program array like:
If the new tail called classifier program is already available as a pinned
object somewhere (here: /sys/fs/bpf/tc/progs/parser), it can be injected
into the prog array like:
Daniel Borkmann [Thu, 26 Nov 2015 14:38:44 +0000 (15:38 +0100)]
{f, m}_bpf: allow for user-defined object pinnings
The recently introduced object pinning can be further extended in order
to allow sharing maps beyond tc namespace. F.e. maps that are being pinned
from tracing side, can be accessed through this facility as well.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org>
Daniel Borkmann [Thu, 26 Nov 2015 14:38:43 +0000 (15:38 +0100)]
{f, m}_bpf: check map attributes when fetching as pinned
Make use of the new show_fdinfo() facility and verify that when a
pinned map is being fetched that its basic attributes are the same
as the map we declared from the ELF file. I.e. when placed into the
globalns, collisions could occur. In such a case warn the user and
bail out.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org>
Daniel Borkmann [Thu, 26 Nov 2015 14:38:42 +0000 (15:38 +0100)]
{f,m}_bpf: make tail calls working
Now that we have the possibility of sharing maps, it's time we get the
ELF loader fully working with regards to tail calls. Since program array
maps are pinned, we can keep them finally alive. I've noticed two bugs
that are being fixed in bpf_fill_prog_arrays() with this patch. Example
code comes as follow-up.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org>
Tom Herbert [Fri, 27 Nov 2015 18:23:43 +0000 (10:23 -0800)]
vxlan: Add support for remote checksum offload
This patch adds support to remote checksum checksum offload
to VXLAN. This patch adds remcsumtx and remcsumrx to ip vxlan
configuration to enable remote checksum offload for transmit
and receive on the VXLAN tunnel.
Phil Sutter [Sat, 28 Nov 2015 00:00:05 +0000 (01:00 +0100)]
get rid of unnecessary fgets() buffer size limitation
fgets() will read at most size-1 bytes into the buffer and add a
terminating null-char at the end. Therefore it is not necessary to pass
a reduced buffer size when calling it.
This change was generated using the following semantic patch:
Phil Sutter [Sat, 28 Nov 2015 00:00:03 +0000 (01:00 +0100)]
ss: review is_ephemeral()
No need to keep static port boundaries global, they are not used
directly. Keeping them local also allows to safely reduce their names to
the minimum. Assign hardcoded fallback values also if fscanf() fails.
Get rid of unnecessary braces around return parameter.
Instead of more or less duplicating is_ephemeral() in run_ssfilter(),
simply call the function instead.
Phil Sutter [Tue, 24 Nov 2015 14:45:31 +0000 (15:45 +0100)]
iproute: restrict hoplimit values to be in range [0; 255]
Technically, the range of possible hoplimit values are defined by IPv4
and IPv6 header formats. Both define the field to be eight bits in size,
which leads to a value range of [0;255]. Setting a packet's hoplimit
field to 0 though makes not much sense, as the next hop would
immediately drop the packet. Therefore Linux uses 0 as a special value
indicating to use the system's default hoplimit (configurable via
sysctl). In iproute, setting the hoplimit of a route to 0 is equivalent
to omitting the hoplimit parameter alltogether, so it is actually not
necessary to allow that value to be specified, but keep it anyway for
backwards compatibility.
Phil Sutter [Tue, 24 Nov 2015 14:31:02 +0000 (15:31 +0100)]
ipaddress: fix ipaddr_flush for Linux >= 3.1
Linux version 3.1 introduced a consistency check for netlink dumps in
commit 670dc28 ("netlink: advertise incomplete dumps"). This bites
iproute2 when flushing more addresses than can fit into a single
RTM_GETADDR response. To silence the spurious error message "Dump was
interrupted and may be inconsistent.", advise rtnl_dump_filter_l() to
not care about NLM_F_DUMP_INTR.
Daniel Borkmann [Thu, 12 Nov 2015 23:39:29 +0000 (00:39 +0100)]
{f,m}_bpf: allow for sharing maps
This larger work addresses one of the bigger remaining issues on
tc's eBPF frontend, that is, to allow for persistent file descriptors.
Whenever tc parses the ELF object, extracts and loads maps into the
kernel, these file descriptors will be out of reach after the tc
instance exits.
Meaning, for simple (unnested) programs which contain one or
multiple maps, the kernel holds a reference, and they will live
on inside the kernel until the program holding them is unloaded,
but they will be out of reach for user space, even worse with
(also multiple nested) tail calls.
For this issue, we introduced the concept of an agent that can
receive the set of file descriptors from the tc instance creating
them, in order to be able to further inspect/update map data for
a specific use case. However, while that is more tied towards
specific applications, it still doesn't easily allow for sharing
maps accross multiple tc instances and would require a daemon to
be running in the background. F.e. when a map should be shared by
two eBPF programs, one attached to ingress, one to egress, this
currently doesn't work with the tc frontend.
This work solves exactly that, i.e. if requested, maps can now be
_arbitrarily_ shared between object files (PIN_GLOBAL_NS) or within
a single object (but various program sections, PIN_OBJECT_NS) without
"loosing" the file descriptor set. To make that happen, we use eBPF
object pinning introduced in kernel commit b2197755b263 ("bpf: add
support for persistent maps/progs") for exactly this purpose.
The shipped examples/bpf/bpf_shared.c code from this patch can be
easily applied, for instance, as:
The toy example increments a shared counter on egress and dumps its
value on ingress (if no sharing (PIN_NONE) would have been chosen,
map value is 0, of course, due to the two map instances being created):
Neil Horman [Thu, 5 Nov 2015 19:54:17 +0000 (14:54 -0500)]
iproute2: Ignore EADDRNOTAVAIL errors during address flush operation
I found recently that, if I disabled address promotion in the kernel, that
ip addr flush dev <dev>
would fail with an EADDRNOTAVAIL errno (though the flush operation would in fact
flush all addresses from an interface properly)
Whats happening is that, if I add a primary and multiple secondary addresses to
an interface, the flush operation first ennumerates them all with a GETADDR |
DUMP operation, then sends a delete request for each address. But the kernel,
having promotion disabled, deletes all secondary addresses when the primary is
removed. That means, that several delete requests may still be pending in the
netlink request for addresses that have been removed on our behalf, resulting in
EADDRNOTAVAIL return codes.
It seems the simplest thing to do is to understand that EADDRUNAVAIL isn't a
fatal outcome on a flush operation, as it just indicates that an address which
you want to remove is already removed, so it can safely be ignored.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com> CC: Stephen Hemminger <stephen@networkplumber.org> CC: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Phil Sutter [Wed, 18 Nov 2015 15:57:47 +0000 (16:57 +0100)]
lnstat: fix header displaying mechanism
The algorithm depends on the loop counter ('i') to increment by one in
each iteration. Though if running endlessly (count==0), the counter was
not incremented at all.
Also change formatting of the header printing conditional a bit so it's
hopefully easier to read.
Fixes: e7e2913 ("lnstat: run indefinitely by default") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 6 Nov 2015 17:54:08 +0000 (18:54 +0100)]
ip_common.h header cleanup
- Drop 'extern' keyword from all function prototypes.
- Make line breaking of print_* functions consistent.
- Make print_ntable() and ipntable_reset_filter() static and remove
their declaration.
- Drop declaration of non-existent ipaddr_list() and iproute_monitor().
Phil Sutter [Fri, 13 Nov 2015 17:09:02 +0000 (18:09 +0100)]
iptunnel: simplify parsing TTL, allow 'hlim' as identifier
Instead of parsing an unsigned integer and checking boundaries, simply
parse u8. This and the added ttl alias 'hlim' provide consistency with
ip6tunnel.
Phil Sutter [Fri, 13 Nov 2015 17:08:58 +0000 (18:08 +0100)]
ip{,6}tunnel: align do_tunnels_list() a bit
In iptunnel, declare loop variables inside the loop as done in
ip6tunnel.
Fix and simplify goto logic in ip6tunnel:
- Failure to read over header lines would have left fp opened.
- By returning directly upon fopen() failure, fp can be closed
unconditionally in the end.
Phil Sutter [Fri, 13 Nov 2015 17:08:55 +0000 (18:08 +0100)]
ip/tunnel: introduce tnl_parse_key()
Instead of duplicating the same code six times (key, ikey and okey in
iptunnel and ip6tunnel), have a common parsing routine. This has the
added benefit of having the same verbose error message in ip6tunnel as
well as iptunnel.
I'm not sure if parsing an IPv4 address as key makes sense for
ip6tunnel, but the code was there before so this patch at least doesn't
make it worse.
Phil Sutter [Fri, 23 Oct 2015 17:21:23 +0000 (19:21 +0200)]
tc: u32 filter coding style cleanup
Add missing spaces around operators to increase readability. Aside from
that, make "preference" match a real synonym for "tos" and "dsfield" as
it's effect was identical to them.
Daniel Borkmann [Thu, 8 Oct 2015 10:22:39 +0000 (12:22 +0200)]
ip, realms: also allow to pass in raw realms value
If get_rt_realms() fails, try to get a possible raw u32 realms
value for the u32 RTA_FLOW/FRA_FLOW attribute, as it might be
useful to directly configure the hex value itself. And only if
that fails, then bail out.
The source realm is provided in the upper u16 (mask: 0xffff0000)
and the destination realm through the lower u16 part (mask:
0x0000ffff). This can be useful for tc's bpf realm matcher, but
also a full hex/mask param can be provided already for matching
through iptables' --realm cmdline option, for example.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
projects / mirror_iproute2.git / log