WANG Cong [Mon, 8 Aug 2016 23:24:45 +0000 (16:24 -0700)]
tc: fix a misleading failure
Before this patch:
# ./tc/tc actions add action drop index 11
RTNETLINK answers: File exists
We have an error talking to the kernel
Command "(null)" is unknown, try "tc actions help".
After this patch:
# ./tc/tc actions add action drop index 11
RTNETLINK answers: File exists
We have an error talking to the kernel
Cc: Stephen Hemminger <shemming@brocade.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Phil Sutter [Wed, 3 Aug 2016 09:43:45 +0000 (11:43 +0200)]
tc: Fix for missing estimator initialization
When switching to C99 initializers, I forgot to add this one. This means
that when trying to set an estimator value, tc would complain about
spurious duplicate estimator parameter. But much worse, the random
variable content is sent to the kernel regardless of whether an
estimator was given or not.
since kernel driver has valid default values for 'cipher' and 'icvlen',
there is no need for requiring users to specify both of them when a new
link is added. Also, prompt an error message and exit with appropriate
exit status in case of unsupported cipher suite.
- ip-macsec.8: fix wrong 'device' keyword in 'ip link add device eth0';
add missing description of 'validate' keyword; remove spurious bracket
near 'encrypt' keyword; add missing reference to configuration of 'port'
and 'sci'
- ip-link.8 fix wrong 'es' and 'encoding' keywords in MACsec section
Phil Sutter [Sat, 23 Jul 2016 11:28:08 +0000 (13:28 +0200)]
tc: util: bore up action_a2n()
It's a pity this function is used nowhere, so let's polish it for use:
* Loop over branch names, makes it clear that every former conditional
was exactly identical.
* Support 'pipe' branch name, too.
* Make number parsing optional.
Phil Sutter [Sat, 23 Jul 2016 11:28:07 +0000 (13:28 +0200)]
tc: Reformat tc_util.h
* Drop 'extern' keyword before function declarations.
* Add parameter names where they were missing for matters of
consistency.
* Drop fancy indenting (e.g. tab between type and name).
* Break long lines to not exceed 80 columns.
Phil Sutter [Mon, 18 Jul 2016 14:48:43 +0000 (16:48 +0200)]
Replace malloc && memset by calloc
This only replaces occurrences where the newly allocated memory is
cleared completely afterwards, as in other cases it is a theoretical
performance hit although code would be cleaner this way.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Phil Sutter [Mon, 18 Jul 2016 14:48:42 +0000 (16:48 +0200)]
Use C99 style initializers everywhere
This big patch was compiled by vimgrepping for memset calls and changing
to C99 initializer if applicable. One notable exception is the
initialization of union bpf_attr in tc/tc_bpf.c: changing it would break
for older gcc versions (at least <=3.4.6).
Calls to memset for struct rtattr pointer fields for parse_rtattr*()
were just dropped since they are not needed.
The changes here allowed the compiler to discover some unused variables,
so get rid of them, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Phil Sutter [Mon, 18 Jul 2016 14:48:41 +0000 (16:48 +0200)]
tc: m_action: Improve conversion to C99 style initializers
This improves my initial change in the following points:
- Flatten embedded struct's initializers.
- No need to initialize variables to zero as the key feature of C99
initializers is to do this implicitly.
- By relocating the declaration of struct rtattr *tail, it can be
initialized at the same time.
Fixes: a0a73b298a579 ("tc: m_action: Use C99 style initializers for struct req")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Storing the schema file for the json format will be useful for doc
purposes as optional parameters are typically suppressed in the json
sample outputs.
David Ahern [Fri, 15 Jul 2016 22:41:35 +0000 (15:41 -0700)]
ss: Fix support for device filter by index
Support was recently added for device filters. The intent was to allow
the device to be specified by name or index, and using the if%u format
(dev == if5) or the simpler and more intuitive index alone (dev == 5).
The latter case is broken since the index is not saved to the filter
after the strtoul conversion. Further, the tmp variable used for the
conversion shadows another variable used in the function. Fix both.
With this change all 3 variants work as expected:
$ ss -t 'dev == 62'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 224 10.0.1.3%mgmt:ssh 192.168.0.50:58442
$ ss -t 'dev == mgmt'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 224 10.0.1.3%mgmt:ssh 192.168.0.50:58442
$ ss -t 'dev == if62'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 36 10.0.1.3%mgmt:ssh 192.168.0.50:58442
Fixes: 2d2932125616 ("ss: Add support to filter on device")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Daniel Borkmann [Mon, 18 Jul 2016 23:09:52 +0000 (01:09 +0200)]
bpf: also check elf for official e_machine value
Use the official BPF ELF e_machine value that was assigned recently [1]
and will be propagated to glibc, libelf et al. LLVM will switch to it
in 3.9 release, therefore we need to prepare tc to check for EM_ELF as
well, older versions still have the EM_NONE.
Xin Long [Tue, 12 Jul 2016 13:37:58 +0000 (21:37 +0800)]
ip route: restore route entries in correct order
Sometimes we cannot restore route entries, because in kernel
[1] fib_check_nh()
[2] fib_valid_prefsrc()
cause some routes to depend on existence of others while adding.
For example, we saved all the routes, and flushed all tables
[a] default via 192.168.122.1 dev eth0
[b] 192.168.122.0/24 dev eth0 src 192.168.122.21
[c] broadcast 127.0.0.0 dev lo table local src 127.0.0.1
[d] local 127.0.0.0/8 dev lo table local src 127.0.0.1
[e] local 127.0.0.1 dev lo table local src 127.0.0.1
[f] broadcast 127.255.255.255 dev lo table local src 127.0.0.1
[g] broadcast 192.168.122.0 dev eth0 table local src 192.168.122.21
[h] local 192.168.122.21 dev eth0 table local src 192.168.122.21
[i] broadcast 192.168.122.255 dev eth0 table local src 192.168.122.21
Now start to restore them:
If we want to add [a], we have to add [b] first, as [1] and
'via 192.168.122.1' in [a].
If we want to add [b], we have to add [h] first, as [2] and
'src 192.168.122.21' in [b].
So the correct order to restore should be like:
[e][h] -> [b][c][d][f][g][i] -> [a]
This patch fixes it by traversing the file 3 times, it only restores
part of them in each run according to the following conditions, to
make sure every entry can be restored successfully.
1. !gw && (!fib_prefsrc || fib_prefsrc == cfg->fc_dst)
2. !gw && (fib_prefsrc != cfg->fc_dst)
3. gw
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Phil Sutter <phil@nwl.cc>
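The three-pass selection described in the commit message above, as an added example that is not the iproute2 patch itself: a small C model that sorts the saved routes [a]..[i] into the pass in which each can be restored. The names saved_route, restore_pass() and restore_order() are hypothetical, addresses are compared as plain strings, and the default route's destination is written as 0.0.0.0; all of these are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a saved route: only the fields the three
 * conditions inspect (hypothetical struct, not an iproute2 type). */
struct saved_route {
    char tag;                        /* label from the commit message */
    const char *dst, *gw, *prefsrc;  /* gw/prefsrc are NULL when absent */
};

/* Sample data: routes [a]..[i] from the commit message, in saved order. */
static const struct saved_route routes[] = {
    {'a', "0.0.0.0",         "192.168.122.1", NULL},
    {'b', "192.168.122.0",   NULL, "192.168.122.21"},
    {'c', "127.0.0.0",       NULL, "127.0.0.1"},
    {'d', "127.0.0.0",       NULL, "127.0.0.1"},
    {'e', "127.0.0.1",       NULL, "127.0.0.1"},
    {'f', "127.255.255.255", NULL, "127.0.0.1"},
    {'g', "192.168.122.0",   NULL, "192.168.122.21"},
    {'h', "192.168.122.21",  NULL, "192.168.122.21"},
    {'i', "192.168.122.255", NULL, "192.168.122.21"},
};
#define NROUTES (sizeof(routes) / sizeof(routes[0]))

/* Pass (1..3) in which a route is restored, per the three conditions. */
int restore_pass(const struct saved_route *r)
{
    if (r->gw)
        return 3;   /* nexthop must be reachable: fib_check_nh() */
    if (!r->prefsrc || strcmp(r->prefsrc, r->dst) == 0)
        return 1;   /* no src, or src is the route's own address */
    return 2;       /* src must already be local: fib_valid_prefsrc() */
}

/* Walk the saved list three times; '|' separates the passes. */
const char *restore_order(void)
{
    static char out[NROUTES + 3];
    size_t k = 0;
    for (int pass = 1; pass <= 3; pass++) {
        for (size_t i = 0; i < NROUTES; i++)
            if (restore_pass(&routes[i]) == pass)
                out[k++] = routes[i].tag;
        if (pass < 3)
            out[k++] = '|';
    }
    out[k] = '\0';
    return out;
}

int main(void) { puts(restore_order()); return 0; }
```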
Eli Cohen [Thu, 7 Jul 2016 21:09:03 +0000 (16:09 -0500)]
Add support for configuring Infiniband GUIDs
Add two NLA's that allow configuration of Infiniband node or port GUIDs
by referencing the IPoIB net device set over the physical function. The
format to be used is as follows:
ip link set dev ib0 vf 0 node_guid 00:02:c9:03:00:21:6e:70
ip link set dev ib0 vf 0 port_guid 00:02:c9:03:00:21:6e:78
David Ahern [Wed, 29 Jun 2016 18:27:02 +0000 (11:27 -0700)]
ip route: Add support for vrf keyword
Add vrf keyword to 'ip route' commands. Allows:
1. Users can list routes by VRF name:
$ ip route show vrf NAME
VRF tables have all routes including local and broadcast routes.
The VRF keyword filters LOCAL and BROADCAST routes; to see all
routes the table option can be used. Or to see local routes only
for a VRF:
$ ip route show vrf NAME type local
2. Add or delete a route for a VRF:
$ ip route {add|delete} vrf NAME <route spec>
3. Do a route lookup for a VRF:
$ ip route get vrf NAME ADDRESS
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Amir Vadai [Mon, 4 Jul 2016 07:34:11 +0000 (10:34 +0300)]
tc: flower: Add skip_{hw|sw} support
On devices that support TC flower offloads, these flags enable a filter to be
added only to HW or only to SW. skip_sw and skip_hw are mutually exclusive
flags. By default without any flags, the filter is added to both HW and SW,
but no error checks are done in case of failure to add to HW.
With skip-sw, failure to add to HW is treated as an error.
Here is a sample script that adds 2 filters, one with skip_sw and the other
with skip_hw flag.
# add ingress qdisc
tc qdisc add dev enp0s9 ingress
# enable hw tc offload.
ethtool -K enp0s9 hw-tc-offload on
# add a flower filter with skip-sw flag.
tc filter add dev enp0s9 protocol ip parent ffff: flower \
ip_proto 1 indev enp0s9 skip_sw \
action drop
# add a flower filter with skip-hw flag.
tc filter add dev enp0s9 protocol ip parent ffff: flower \
ip_proto 3 indev enp0s9 skip_hw \
action drop
Signed-off-by: Amir Vadai <amirva@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
actions: skbedit add support for mod-ing skb pkt_type
I'll make a formal submission sans the header when the kernel patches
make it in. This version is for someone who wants to play around with
the net-next kernel patches I sent
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Phil Sutter [Thu, 30 Jun 2016 14:47:02 +0000 (16:47 +0200)]
ip-address: constify match_link_kind arg
Since the function won't ever change the data 'kind' is pointing at, it
can sanely be made const.
Fixes: e0513807f6dbb ("ip-address: Support filtering by slave type, too")
Suggested-by: Stephen Hemminger <shemming@brocade.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Andrew Vagin [Tue, 28 Jun 2016 23:27:14 +0000 (02:27 +0300)]
ip route: timeout for routes has to be set in seconds
Currently a timeout is multiplied by HZ in user-space and
then it is multiplied by HZ in kernel-space.
$ ./ip/ip r add 2002::0/64 dev veth1 expires 10
$ ./ip/ip -6 r
2002::/64 dev veth1 metric 1024 linkdown expires 996sec pref medium
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Hangbin Liu <liuhangbin@gmail.com>
Cc: Stephen Hemminger <shemming@brocade.com>
Fixes: 68eede250500 ("route: allow routes to be configured with expire values")
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Phil Sutter [Tue, 28 Jun 2016 13:07:16 +0000 (15:07 +0200)]
ip-address: Support filtering by slave type, too
This patch allows to query all interfaces enslaved to a bridge or bond
using the following syntax:
| ip addr show type bridge_slave
Filtering has to be done in userspace since the kernel does not support
filtering on IFLA_INFO_SLAVE_KIND.
Functionality introduced in this patch is not fully complete since it
does not allow to match on type and slave type at the same time, but it
doesn't prevent implementing a dedicated slave_type match, either.
David Ahern [Mon, 27 Jun 2016 18:34:24 +0000 (11:34 -0700)]
ss: Allow ssfilter_bytecompile to return 0
Allow ssfilter_bytecompile to return 0 for filter ops the kernel
does not support. If such an op is in the filter string then all
filtering is done in userspace.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
David Ahern [Mon, 27 Jun 2016 18:34:23 +0000 (11:34 -0700)]
ss: Refactor inet_show_sock
Extract parsing of sockstat and filter from inet_show_sock.
While moving run_ssfilter into callers of inet_show_sock enable
userspace filtering before the kill.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Jakub Sitnicki [Wed, 22 Jun 2016 11:34:13 +0000 (13:34 +0200)]
ip/tcp_metrics: Simplify process_msg a bit
On Tue, Jun 21, 2016 at 06:18 PM CEST, Phil Sutter <phil@nwl.cc> wrote:
> By combining the attribute extraction and check for existence, the
> additional indentation level in the 'else' clause can be avoided.
>
> In addition to that, common actions for 'daddr' are combined since the
> function returns if neither of the branches are taken.
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
> ip/tcp_metrics.c | 45 ++++++++++++++++++---------------------------
> 1 file changed, 18 insertions(+), 27 deletions(-)
>
> diff --git a/ip/tcp_metrics.c b/ip/tcp_metrics.c
> index f82604f458ada..899830c127bcb 100644
> --- a/ip/tcp_metrics.c
> +++ b/ip/tcp_metrics.c
> @@ -112,47 +112,38 @@ static int process_msg(const struct sockaddr_nl *who, struct nlmsghdr *n,
> parse_rtattr(attrs, TCP_METRICS_ATTR_MAX, (void *) ghdr + GENL_HDRLEN,
> len);
>
> - a = attrs[TCP_METRICS_ATTR_ADDR_IPV4];
> - if (a) {
> + if ((a = attrs[TCP_METRICS_ATTR_ADDR_IPV4])) {
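Review bot: the assignment inside the condition on the added line `if ((a = attrs[TCP_METRICS_ATTR_ADDR_IPV4])) {` folds a side effect into the test, a form checkpatch reports as an error. Test `attrs[TCP_METRICS_ATTR_ADDR_IPV4]` directly in the `if` and assign `a` as the first statement of the branch; that keeps the reduced indentation the commit message is after.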
Copy the pointer inside the branch?
Same gain on indentation while keeping checkpatch happy.
Phil Sutter [Thu, 16 Jun 2016 14:19:40 +0000 (16:19 +0200)]
iplink: Check address length via netlink
This is a feature which was lost during the conversion to netlink
interface: If the device exists and a user tries to change the link
layer address, query the kernel for the old address first and reject the
new one if sizes differ.
This patch adds the same check when setting VF address by assuming same
length as PF device.
Note that at least for VFs the check can't be done in kernel space since
struct ifla_vf_mac lacks a length field and due to netlink padding the
exact size can't be communicated to the kernel.
Martin KaFai Lau [Sat, 18 Jun 2016 00:38:53 +0000 (17:38 -0700)]
ss: Add tcp_info fields data_segs_in/out
tcp_info fields, data_segs_in and data_segs_out, have been added to the
kernel in commit a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
since kernel 4.6.
This patch renames "iptables_target" to "xtables_target" and some other
things which get renamed and I noticed while reading iptables git log.
Functions which are not used in m_ipt.c and not exported by the header
are removed, if they are still used in m_ipt.c I added a static to the function.
Reported-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Alexander Aring <aar@pengutronix.de>