There have been several instances where response from kernel
has overrun the stack buffer from the caller. Avoid future problems
by passing a size argument.
Also drop the unused peer and group arguments to rtnl_talk.
Richard Alpe [Thu, 7 May 2015 13:07:36 +0000 (15:07 +0200)]
tipc: add new TIPC configuration tool
tipc is a user-space configuration tool for TIPC (Transparent
Inter-process Communication). It utilizes the TIPC netlink API in the
kernel to fetch data or perform actions.
The tipc tool has somewhat similar syntax to the ip tool meaning that
users of the ip tool should not feel that unfamiliar with this tool.
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com> Reviewed-by: Erik Hugne <erik.hugne@ericsson.com> Reviewed-by: Ying Xue <ying.xue@windriver.com> Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
David Ward [Mon, 18 May 2015 15:35:13 +0000 (11:35 -0400)]
tc: gred: Adopt the term VQ in the command syntax and output
In the GRED kernel source code, both of the terms "drop parameters"
(DP) and "virtual queue" (VQ) are used to refer to the same thing.
Each "DP" is better understood as a "set of drop parameters", since
it has values for limit, min, max, avpkt, etc. This terminology can
result in confusion when creating a GRED qdisc having multiple DPs.
Netlink attributes and struct members with the DP name seem to have
been left intact for compatibility, while the term VQ was otherwise
adopted in the code, which is more intuitive.
Use the VQ term in the tc command syntax and output (but maintain
compatibility with the old syntax).
Rewrite the usage text to be concise and similar to other qdiscs.
David Ward [Mon, 18 May 2015 15:35:12 +0000 (11:35 -0400)]
tc: gred: Handle unsigned values properly in option parsing/printing
DPs, def_DP, and DP are unsigned values that are sent and received
in TCA_GRED_* netlink attributes; handle them properly when they
are parsed or printed. Use MAX_DPs as the initial value for def_DP
and DP, and fix the operator used for bounds checking them.
David Ward [Mon, 18 May 2015 15:35:10 +0000 (11:35 -0400)]
tc: gred: Print usage text if no arguments appear after "gred"
This is more helpful to the user, since the command takes two forms,
and the message that would otherwise appear about missing parameters
assumes one of those forms.
WANG Cong [Tue, 5 May 2015 22:30:20 +0000 (15:30 -0700)]
tc: fill in handle before checking argc
When deleting a specific basic filter with handle,
tc command always ignores the 'handle' option, so
tcm_handle is always 0 and kernel deletes all filters
in the selected group. This is wrong, we should respect
'handle' in cmdline.
Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
If ip rule command fails talking to kernel, exit code should be 2.
The sub-command is called by cmd loop and the exit code is negative
of return value from the command callback.
Add a new option to toggle the ability of querying the RSS configuration of a specific VF.
VF RSS information like RSS hash key may be considered sensitive on some devices where
this information is shared between VF and PF and thus its querying may be prohibited by default.
This new option allows a system administrator with privileges to modify a PF state
to control if the above VF querying is allowed or not.
For example:
To enable RSS querying of VF[0] of ethX:
>> ip link set dev ethX vf 0 query_rss on
Daniel Borkmann [Tue, 28 Apr 2015 11:37:42 +0000 (13:37 +0200)]
tc: {m, f}_ebpf: add option for dumping verifier log
Currently, only on error we get a log dump, but I found it useful when
working with eBPF to have an option to also dump the log on success.
Also spotted a typo in a header comment, which is fixed here as well.
Daniel Borkmann [Mon, 20 Apr 2015 11:48:54 +0000 (13:48 +0200)]
examples: bpf: fix ld offs to have same prog loaded on ingress/egress
Fix up the eBPF example program to match our kernel fix in a166151cbe33 ("bpf:
fix bpf helpers to use skb->mac_header relative offsets"). Tested on ingress
and egress paths.
Daniel Borkmann [Thu, 16 Apr 2015 19:20:06 +0000 (21:20 +0200)]
tc: built-in eBPF exec proxy
This work follows upon commit 6256f8c9e45f ("tc, bpf: finalize eBPF
support for cls and act front-end") and takes up the idea proposed by
Hannes Frederic Sowa to spawn a shell (or any other command) that holds
generated eBPF map file descriptors.
File descriptors, based on their id, are being fetched from the same
unix domain socket as demonstrated in the bpf_agent, the shell spawned
via execvpe(2) and the map fds passed over the environment, and thus
are made available to applications in the fashion of std{in,out,err}
for read/write access, for example in case of iproute2's examples/bpf/:
# env | grep BPF
BPF_NUM_MAPS=3
BPF_MAP1=6 <- BPF_MAP_ID_QUEUE (id 1)
BPF_MAP0=5 <- BPF_MAP_ID_PROTO (id 0)
BPF_MAP2=7 <- BPF_MAP_ID_DROPS (id 2)
The advantage (as opposed to the direct/native usage) is that now the
shell is map fd owner and applications can terminate and easily reattach
to descriptors w/o any kernel changes. Moreover, multiple applications
can easily read/write eBPF maps simultaneously.
To further allow users for experimenting with that, next step is to add
a small helper that can get along with simple data types, so that also
shell scripts can make use of bpf syscall, f.e to read/write into maps.
Generally, this allows for prepopulating maps, or any runtime altering
which could influence eBPF program behaviour (f.e. different run-time
classifications, skb modifications, ...), dumping of statistics, etc.
Reference: http://thread.gmane.org/gmane.linux.network/357471/focus=357860 Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Nicolas Dichtel [Wed, 22 Apr 2015 08:27:07 +0000 (10:27 +0200)]
mroute: remove invalid check against NLM_F_MULTI
This flag is only for the netlink protocol (multi-part messages), no reason
to reject messages without it.
Note that this flag was removed by the following kernel patches (v3.14) 65886f439ab0 ipmr: fix mfc notification flags f518338b1603 ip6mr: fix mfc notification flags
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Nicolas Dichtel [Wed, 22 Apr 2015 08:27:06 +0000 (10:27 +0200)]
libnamespaces: fix warning about syscall()
The warning was:
In file included from namespace.c:14:0:
../include/namespace.h: In function ‘setns’:
../include/namespace.h:37:2: warning: implicit declaration of function ‘syscall’ [-Wimplicit-function-declaration]
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Nicolas Dichtel [Wed, 22 Apr 2015 08:27:05 +0000 (10:27 +0200)]
tc: fix compilation warning on 32bits arch
The warning was:
m_simple.c: In function ‘parse_simple’:
m_simple.c:142:4: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 3 has type ‘size_t’ [-Wformat]
Useful to be able to compile with -Werror.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Nicolas Dichtel [Wed, 15 Apr 2015 12:00:53 +0000 (14:00 +0200)]
ipxfrm: wrong nl msg sent on deleteall cmd
XFRM netlink family is independent from the route netlink family. It's wrong
to call rtnl_wilddump_request(), because it will add a 'struct ifinfomsg' into
the header and the kernel will complain (at least for xfrm state):
netlink: 24 bytes leftover after parsing attributes in process `ip'.
Reported-by: Gregory Hoggarth <Gregory.Hoggarth@alliedtelesis.co.nz> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Nicolas Dichtel [Wed, 15 Apr 2015 12:23:22 +0000 (14:23 +0200)]
netns: allow to dump and monitor nsid
Two commands are added:
- ip netns list-id
- ip monitor nsid
A cache is also added to remember the association between the iproute2 netns
name (from /var/run/netns/) and the nsid.
To avoid interfering with the rth socket, a new rtnl socket (rtnsh) is used to
get nsid (we may send rtnl request during listing on rth).
Pavel Šimerda [Mon, 13 Apr 2015 14:00:58 +0000 (16:00 +0200)]
cbq: fix find syntax in example
Without modification, using the example resulted in the following error:
[root@localhost sbin]# cbq restart
find: warning: you have specified the -maxdepth option after a
non-option argument (, but options are not positional (-maxdepth affects
tests specified before it as well as those specified after it). Please
specify options before other arguments.
find: warning: you have specified the -maxdepth option after a
non-option argument (, but options are not positional (-maxdepth affects
tests specified before it as well as those specified after it). Please
specify options before other arguments.
Pavel Šimerda [Mon, 13 Apr 2015 14:00:57 +0000 (16:00 +0200)]
ip-xfrm: support 'proto any' with 'sport' and 'dport'
When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and
specifies 'sport' and 'dport' at the same time in selector, the
following error is issued:
"sport" and "dport" are invalid with proto=ip
However using IPPROTO_IP with ports is completely legal and necessary
when one wants to share the SA on both TCP and UDP. One of the
applications requiring sharing SAs is 3GPP IMS AKA authentication.
Pavel Šimerda [Mon, 13 Apr 2015 14:00:56 +0000 (16:00 +0200)]
turn Makefile more distribution friendly
Changes:
* Accept directory settings from environment.
* Remove redundant ROOTDIR variable.
* Set KERNEL_INCLUDE default to '/usr/include'.
* Use CFLAGS from environemnt.
Note: In the long term it might be better to improve the configure
script to generate those parts of the Makefile in a manner similar
to autoconf. It might be even practical to autotoolize the package.
Signed-off-by: Pavel Šimerda <psimerda@redhat.com>
Felix Fietkau [Sun, 15 Feb 2015 16:57:19 +0000 (11:57 -0500)]
tc: add support for connmark action
Add ability to add the netfilter connmark support.
Typical usage:
...lets tag outgoing icmp with mark 0x10..
iptables -tmangle -A PREROUTING -p icmp -j CONNMARK --set-mark 0x10
..add on ingress of $ETH an extractor for connmark...
tc filter add dev $ETH parent ffff: prio 4 protocol ip \
u32 match ip protocol 1 0xff \
flowid 1:1 \
action connmark continue
...if the connmark was 0x11, we police to a ridic rate of 10Kbps
tc filter add dev $ETH parent ffff: prio 5 protocol ip \
handle 0x11 fw flowid 1:1 \
action police rate 10kbit burst 10k
Other ways to use the connmark is to supply the zone, index and
branching choice. Refer to help.
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Andy Gospodarek [Fri, 10 Apr 2015 20:50:40 +0000 (16:50 -0400)]
iproute2: unify naming for entries offloaded to hardware
The kernel now has the capability to offload FDB and FIB entries to hardware.
It is important to let users know if table entries are also offloaded to
hardware. Currently offloaded FDB entries are indicated by the existence of
the flag 'external' on the entry as of the following commit:
bridge/fdb: add flag/indication for FDB entry synced from offload device
When the patch to add support for indicating that FIB entries were also
offloaded as posted to netdev by Scott Feldman it became clear that 'external'
would not be an ideal name for routes. There could definitely be confusion
about what this might mean since many routes are to external networks -- a
collision/confusion that did not happen with FDB.
Scott Feldman asked me to check with others and build concensus around a name.
After speaking with several people about this I am proposing we refer to both
FDB and FIB entries that are currently backed by hardware (based on the work
done in rocker) with the flag 'offload' appended to the end ofthe entry.
Some people liked the string 'external,' others liked 'hardware,' but the point
is to communicate that these routes are available to something that will will
offload the forwarding normally done by the kernel. Since the term 'offload'
is used so frequently it seems appropriate to use the same language in
ip/bridge output.
The term 'offload' also seems to resonate with many of the people who have
responded on Scott's original thread or to those who I reached out to directly
and did respond to my query, so it seems we have reached consensus that it
should be the term used going forward.
v2: rebased against net-next branch
Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com> CC: Jamal Hadi Salim <jhs@mojatatu.com> CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com> CC: Jiri Pirko <jiri@resnulli.us> CC: John W. Linville <linville@tuxdriver.com> CC: Roopa Prabhu <roopa@cumulusnetworks.com> CC: Scott Feldman <sfeldma@gmail.com> CC: Stephen Hemminger <stephen@networkplumber.org>
Daniel Borkmann [Wed, 1 Apr 2015 15:57:44 +0000 (17:57 +0200)]
tc, bpf: finalize eBPF support for cls and act front-end
This work finalizes both eBPF front-ends for the classifier and action
part in tc, it allows for custom ELF section selection, a simplified tc
command frontend (while keeping compat), reusing of common maps between
classifier and actions residing in the same object file, and exporting
of all map fds to an eBPF agent for handing off further control in user
space.
It also adds an extensive example of how eBPF can be used, and a minimal
self-contained example agent that dumps map data. The example is well
documented and hopefully provides a good starting point into programming
cls_bpf and act_bpf.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Alexei Starovoitov <ast@plumgrid.com> Cc: Jiri Pirko <jiri@resnulli.us> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Thomas Graf <tgraf@suug.ch> Acked-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
add a new command to configure the SPD hash table:
ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
and code to display the SPD hash configuration:
ip -s -s xfrm policy count
hthresh4: defines minimum local and remote IPv4 prefix lengths of
selectors to hash a policy. If prefix lengths are greater or equal
to the thresholds, then the policy is hashed, otherwise it falls back
in the policy_inexact chained list.
hthresh6: defines minimum local and remote IPv6 prefix lengths of
selectors to hash a policy, otherwise it falls back
in the policy_inexact chained list.
Example:
% ip -s -s xfrm policy count
SPD IN 0 OUT 0 FWD 0 (Sock: IN 0 OUT 0 FWD 0)
SPD buckets: count 7 Max 1048576
SPD IPv4 thresholds: local 32 remote 32
SPD IPv6 thresholds: local 128 remote 128
% ip xfrm pol set hthresh4 24 16 hthresh6 64 56
% ip -s -s xfrm policy count
SPD IN 0 OUT 0 FWD 0 (Sock: IN 0 OUT 0 FWD 0)
SPD buckets: count 7 Max 1048576
SPD IPv4 thresholds: local 24 remote 16
SPD IPv6 thresholds: local 64 remote 56
- Pull in the uapi mpls.h
- Update rtnetlink.h to include the mpls rtnetlink notification multicast group.
- Define AF_MPLS in utils.h if it is not defined from elsewhere
as is done with AF_DECnet
The address syntax for multiple mpls labels is a complete invention.
When I looked there seemed to be no wide spread convention for talking
about an mpls label stack in text for. Sometimes people did:
"{ Label1, Label2, Label3 }", sometimes people would do:
"[ label3, label2, label1 ]", and most of the time label
stacks were not explicitly shown at all.
The syntax I wound up using, so it would not have spaces and so it
would visually distinct from other kinds of addresses is.
label1/label2/label3 Where label1 is the label at the top of the label
stack and label3 is the label at the bottom on the label stack.
When there is a single label this matches what seems to be convention
with other tools. Just print out the numeric value of the mpls label.
The netlink protocol for labels uses the on the wire format for a
label stack. The ttl and traffic class are expected to be 0. Using
the on the wire format is common and what happens with other address
types. BGP when passing label stacks also uses this technique with the
exception that the ttl byte is not included making each label in a BGP
label stack 3 bytes instead of 4.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This attribute is like RTA_DST except it specifies the destination
address to place on a packet when it leaves the host. For ip based
protocols this is destination NAT and not a common part of forwarding.
For protocols like MPLS label swapping is something that typically
happens on every hop.
There is likely to be a RTA_NEWSRC at some point so RTA_NEWDST
is printed as "as to" and can be specified either as "as to"
or just "as"
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Daniel Borkmann [Mon, 16 Mar 2015 18:37:41 +0000 (19:37 +0100)]
tc: add eBPF support to f_bpf
This work adds the tc frontend for kernel commit e2e9b6541dd4 ("cls_bpf:
add initial eBPF support for programmable classifiers").
A C-like classifier program (f.e. see e2e9b6541dd4) is being compiled via
LLVM's eBPF backend into an ELF file, that is then being passed to tc. tc
then loads, if any, eBPF maps and eBPF opcodes (with fixed-up eBPF map file
descriptors) out of its dedicated sections, and via bpf(2) into the kernel
and then the resulting fd via netlink down to cls_bpf. cls_bpf allows for
annotations, currently, I've used the file name for that, so that the user
can easily identify his filter when dumping configurations back.
tc filter show dev em1 [...]
filter parent 1: protocol all pref 49152 bpf handle 0x1 flowid x:y cls.o
I placed the parser bits derived from Alexei's kernel sample, into tc_bpf.c
as my next step is to also add the same support for BPF action, so we can
have a fully fledged eBPF classifier and action in tc.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Madhu Challa [Wed, 4 Mar 2015 18:30:10 +0000 (10:30 -0800)]
ip: enable configuring multicast group autojoin
Joining multicast group on ethernet level via "ip maddr" command would
not work if we have an Ethernet switch that does igmp snooping since
the switch would not replicate multicast packets on ports that did not
have IGMP reports for the multicast addresses.
Linux vxlan interfaces created via "ip link add vxlan" have the group option
that enables then to do the required join.
By extending ip address command with option "autojoin" we can get similar
functionality for openvswitch vxlan interfaces as well as other tunneling
mechanisms that need to receive multicast traffic.
example:
ip address add 224.1.1.10/24 dev eth5 autojoin
ip address del 224.1.1.10/24 dev eth5
Scott Feldman [Sun, 8 Mar 2015 06:15:35 +0000 (22:15 -0800)]
route: label externally offloaded routes
On ip route print dump, label externally offloaded routes with "external".
Offloaded routes are flagged with RTNH_F_EXTERNAL, a recent additon to
net-next. For example:
$ ip route
default via 192.168.0.2 dev eth0
11.0.0.0/30 dev swp1 proto kernel scope link src 11.0.0.2 external
11.0.0.4/30 via 11.0.0.1 dev swp1 proto zebra metric 20 external
11.0.0.8/30 dev swp2 proto kernel scope link src 11.0.0.10 external
11.0.0.12/30 via 11.0.0.9 dev swp2 proto zebra metric 20 external
12.0.0.2 proto zebra metric 30 external
nexthop via 11.0.0.1 dev swp1 weight 1
nexthop via 11.0.0.9 dev swp2 weight 1
12.0.0.3 via 11.0.0.1 dev swp1 proto zebra metric 20 external
12.0.0.4 via 11.0.0.9 dev swp2 proto zebra metric 20 external
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.15
Signed-off-by: Scott Feldman <sfeldma@gmail.com> Reviewed-by: Jiri Pirko <jiri@resnulli.us>
Daniel Borkmann [Wed, 18 Mar 2015 09:13:34 +0000 (10:13 +0100)]
tc: m_bpf: fix next arg selection after tc opcode
Next argument after the tc opcode/verdict is optional, using NEXT_ARG()
requires to have another argument after that one otherwise tc will bail
out. Therefore, we need to advance to the next argument manually as done
elsewhere.
Fixes: 86ab59a6660f ("tc: add support for BPF based actions") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Jiri Pirko <jiri@resnulli.us>
Roopa Prabhu [Wed, 18 Mar 2015 02:18:28 +0000 (19:18 -0700)]
lib utils: fix family during af_bit_len calculation
commit f3a2ddc124e0 ("lib utils: Use helpers to get AF bit/byte len")
used a wrong family or family of zero in the default case
during af_bit_len calculation causing ip route commands to
fail with below error
Error: an inet prefix is expected rather than "10.0.2.14/24".
Mark Einon [Mon, 16 Mar 2015 09:59:09 +0000 (09:59 +0000)]
ip: Make uniform the use of synonyms list, show and lst
Where used in the ip tool, the 'show' option always has the synonyms
'list' and 'lst', except for ip-token and ip-addrlabel, which are missing
'lst'. Add this as a synonym for these commands.
Vadim Kochan [Sat, 7 Mar 2015 06:30:58 +0000 (08:30 +0200)]
ip netns: Fix rtnl error while print netns list
Observed on the Linux 3.18:
# ip netns
RTNETLINK answers: Operation not supported
net0
CC: Nicolas Dichtel <nicolas.dichtel@6wind.com> Fixes: d182ee1307c7 ("ipnetns: allow to get and set netns ids") Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
projects / mirror_iproute2.git / log