bridge: fdb show: fix fdb entry state output for json context
bridge json fdb show is printing an incorrect / non-machine readable
value, when using -j (json output) we are expecting machine readable
data that shouldn't require special handling/parsing.
Anton Danilov [Mon, 27 Jul 2020 13:26:07 +0000 (16:26 +0300)]
bridge: fdb: the 'dynamic' option in the show/get commands
In most of cases a user wants to see only the dynamic mac addresses
in the fdb output. But currently the 'fdb show' displays tons of
various self entries, those only waste the output without any useful
goal.
New option 'dynamic' for 'show' and 'get' commands forces display
only relevant records.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
ip xfrm: update man page on setting/printing XFRMA_IF_ID in states/policies
In commit aed63ae1acb9 ("ip xfrm: support setting/printing XFRMA_IF_ID attribute in states/policies")
I added the ability to set/print the xfrm interface ID without updating
the man page.
Fixes: aed63ae1acb9 ("ip xfrm: support setting/printing XFRMA_IF_ID attribute in states/policies") Signed-off-by: Eyal Birger <eyal.birger@gmail.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Hoang Huu Le [Thu, 9 Jul 2020 04:25:55 +0000 (11:25 +0700)]
tipc: fixed a compile warning in tipc/link.c
Fixes: 5027f233e35b ("tipc: add link broadcast get") Signed-off-by: Hoang Huu Le <hoang.h.le@dektech.com.au> Acked-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Tony Ambardar [Tue, 7 Jul 2020 07:58:33 +0000 (00:58 -0700)]
configure: support ipset version 7 with kernel version 5
The configure script checks for ipset v6 availability but doesn't test
for v7, which is backward compatible and used on kernel v5.x systems.
Update the script to test for both ipset versions. Without this change,
the tc ematch function em_ipset will be disabled.
Signed-off-by: Tony Ambardar <Tony.Ambardar@gmail.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Louis Peens [Fri, 19 Jun 2020 11:50:07 +0000 (13:50 +0200)]
devlink: add 'disk' to 'fw_load_policy' string validation
The 'fw_load_policy' devlink parameter supports the 'disk' value
since kernel v5.4, seems like there was some oversight in adding
this to iproute, fixed by this patch.
Signed-off-by: Louis Peens <louis.peens@netronome.com> Reviewed-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Add the new "mpls" keyword that can be used to match MPLS fields in
arbitrary Label Stack Entries.
LSEs are introduced by the "lse" keyword and followed by LSE options:
"depth", "label", "tc", "bos" and "ttl". The depth is manadtory, the
other options are optionals.
For example, the following filter drops MPLS packets having two labels,
where the first label is 21 and has TTL 64 and the second label is 22:
$ tc filter add dev ethX ingress proto mpls_uc flower mpls \
lse depth 1 label 21 ttl 64 \
lse depth 2 label 22 bos 1 \
action drop
Signed-off-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Bareudp devices provide a generic L3 encapsulation for tunnelling
different protocols like MPLS, IP, NSH, etc. inside a UDP tunnel.
This patch is based on original work from Martin Varghese:
https://lore.kernel.org/netdev/1570532361-15163-1-git-send-email-martinvarghesenokia@gmail.com/
Examples:
- ip link add dev bareudp0 type bareudp dstport 6635 ethertype mpls_uc
This creates a bareudp tunnel device which tunnels L3 traffic with
ethertype 0x8847 (unicast MPLS traffic). The destination port of the
UDP header will be set to 6635. The device will listen on UDP port 6635
to receive traffic.
- ip link add dev bareudp0 type bareudp dstport 6635 ethertype ipv4 multiproto
Same as the MPLS example, but for IPv4. The "multiproto" keyword allows
the device to also tunnel IPv6 traffic.
Signed-off-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Anton Danilov [Fri, 3 Jul 2020 15:39:22 +0000 (18:39 +0300)]
tc: improve the qdisc show command
Before can be possible show only all qeueue disciplines on an interface.
There wasn't a way to get the qdisc info by handle or parent, only full
dump of the disciplines with a following grep/sed usage.
Now new and old options work as expected to filter a qdisc by handle or
parent.
Full syntax of the qdisc show command:
tc qdisc { show | list } [ dev STRING ] [ QDISC_ID ] [ invisible ]
QDISC_ID := { root | ingress | handle QHANDLE | parent CLASSID }
This change doesn't require any changes in the kernel.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
libnetlink.3: display section numbers in roman font, not boldface
Typeset section numbers in roman font, see man-pages(7).
###
Details:
Output is from: test-groff -b -mandoc -T utf8 -rF0 -t -w w -z
[ "test-groff" is a developmental version of "groff" ]
<./man/man3/libnetlink.3>:53 (macro BR): only 1 argument, but more are expected
<./man/man3/libnetlink.3>:132 (macro BR): only 1 argument, but more are expected
<./man/man3/libnetlink.3>:134 (macro BR): only 1 argument, but more are expected
<./man/man3/libnetlink.3>:197 (macro BR): only 1 argument, but more are expected
<./man/man3/libnetlink.3>:198 (macro BR): only 1 argument, but more are expected
Roi Dayan [Thu, 11 Jun 2020 17:35:43 +0000 (20:35 +0300)]
ip address: Fix loop initial declarations are only allowed in C99
On some distros, i.e. rhel 7.6, compilation fails with the following:
ipaddress.c: In function ‘lookup_flag_data_by_name’:
ipaddress.c:1260:2: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int i = 0; i < ARRAY_SIZE(ifa_flag_data); ++i) {
^
ipaddress.c:1260:2: note: use option -std=c99 or -std=gnu99 to compile your code
This commit fixes the single place needed for compilation to pass.
Fixes: 9d59c86e575b ("iproute2: ip addr: Organize flag properties structurally") Signed-off-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Ian K. Coolidge [Wed, 27 May 2020 18:03:45 +0000 (11:03 -0700)]
iproute2: ip addr: Organize flag properties structurally
This creates a nice systematic way to check that the various flags are
mutable from userspace and that the address family is valid.
Mutability properties are preserved to avoid introducing any behavioral
change in this CL. However, previously, immutable flags were ignored and
fell through to this confusing error:
Error: either "local" is duplicate, or "dadfailed" is a garbage.
But now, they just warn more explicitly:
Warning: dadfailed option is not mutable from userspace Signed-off-by: David Ahern <dsahern@gmail.com>
Andrea Claudi [Tue, 26 May 2020 16:04:11 +0000 (18:04 +0200)]
bpf: Fixes a snprintf truncation warning
gcc v9.3.1 reports:
bpf.c: In function ‘bpf_get_work_dir’:
bpf.c:784:49: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
784 | snprintf(bpf_wrk_dir, sizeof(bpf_wrk_dir), "%s/", mnt);
| ^
bpf.c:784:2: note: ‘snprintf’ output between 2 and 4097 bytes into a destination of size 4096
784 | snprintf(bpf_wrk_dir, sizeof(bpf_wrk_dir), "%s/", mnt);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix this simply checking snprintf return code and properly handling the error.
Fixes: e42256699cac ("bpf: make tc's bpf loader generic and move into lib") Signed-off-by: Andrea Claudi <aclaudi@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
This happens because asprintf allocates exactly the space needed to hold a
string in the buffer passed as its first argument, but if this buffer is later
used in strcat() or similar we have a buffer overrun.
As the aim of commit c0325b06382c is simply to fix a compiler warning, it
seems safe and reasonable to revert it.
Fixes: c0325b06382c ("bpf: replace snprintf with asprintf when dealing with long buffers") Reported-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Andrea Claudi <aclaudi@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Tuong Lien [Tue, 26 May 2020 09:40:55 +0000 (16:40 +0700)]
tipc: enable printing of broadcast rcv link stats
This commit allows printing the statistics of a broadcast-receiver link
using the same tipc command, but with additional 'link' options:
$ tipc link stat show --help
Usage: tipc link stat show [ link { LINK | SUBSTRING | all } ]
With:
+ 'LINK' : print the stats of the specific link 'LINK';
+ 'SUBSTRING' : print the stats of all the links having the 'SUBSTRING'
in name;
+ 'all' : print all the links' stats incl. the broadcast-receiver
ones;
Also, a link stats can be reset in the usual way by specifying the link
name in command.
For example:
$ tipc l st sh l br
Link <broadcast-link>
Window:50 packets
RX packets:0 fragments:0/0 bundles:0/0
TX packets:5011125 fragments:4968774/149643 bundles:38402/307061
RX naks:781484 defs:0 dups:0
TX naks:0 acks:0 retrans:330259
Congestion link:50657 Send queue max:0 avg:0
Store the parsed count/offset pair count onto a dedicated variable that
will be compared against opt.num_tc after all of the command line
arguments were parsed. Bail out if this count is higher than opt.num_tc
and let user know about it.
Drivers were swallowing such commands as they were iterating over
count/offset pairs where num_tc was used as a delimiter, so this is not
a big deal, but better catch such misconfiguration at the command line
argument parsing level.
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Dmitry Yakunin [Sat, 9 May 2020 16:52:02 +0000 (19:52 +0300)]
ss: add checks for bc filter support
As noted by David Ahern, now if some bytecode filter is not supported
by running kernel printed error message is not clear. This patch is attempt to
detect such case and print correct message. This is done by providing checking
function for new filter types. As example check function for cgroup filter
is implemented. It sends correct lightweight request (idiag_states = 0)
with zero cgroup condition to the kernel and checks returned errno. If filter
is not supported EINVAL is returned. Result of checking is cached to
avoid extra checks if several same filters are specified.
Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru> Signed-off-by: David Ahern <dsahern@gmail.com>
Dmitry Yakunin [Sat, 9 May 2020 16:52:01 +0000 (19:52 +0300)]
ss: add support for cgroup v2 information and filtering
This patch introduces two new features: obtaining cgroup information and
filtering sockets by cgroups. These features work based on cgroup v2 ID
field in the socket (kernel should be compiled with CONFIG_SOCK_CGROUP_DATA).
Cgroup information can be obtained by specifying --cgroup flag and now contains
only pathname. For faster pathname lookups cgroup cache is implemented. This
cache is filled on ss startup and missed entries are resolved and saved
on the fly.
Cgroup filter extends EXPRESSION and allows to specify cgroup pathname
(relative or absolute) to obtain sockets attached only to this cgroup.
Filter syntax: ss [ cgroup PATHNAME ]
Examples:
ss -a cgroup /sys/fs/cgroup/unified (or ss -a cgroup .)
ss -a cgroup /sys/fs/cgroup/unified/cgroup1 (or ss -a cgroup cgroup1)
v2:
- style fixes (David Ahern)
Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru> Signed-off-by: David Ahern <dsahern@gmail.com>
Dmitry Yakunin [Sat, 9 May 2020 16:52:00 +0000 (19:52 +0300)]
ss: introduce cgroup2 cache and helper functions
This patch prepares infrastructure for matching sockets by cgroups.
Two helper functions are added for transformation between cgroup v2 ID
and pathname. Cgroup v2 cache is implemented as hash table indexed by ID.
This cache is needed for faster lookups of socket cgroup.
v2:
- style fixes (David Ahern)
Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru> Signed-off-by: David Ahern <dsahern@gmail.com>
Po Liu [Fri, 8 May 2020 07:02:46 +0000 (15:02 +0800)]
iproute2-next:tc:action: add a gate control action
Introduce a ingress frame gate control flow action.
Tc gate action does the work like this:
Assume there is a gate allow specified ingress frames can pass at
specific time slot, and also drop at specific time slot. Tc filter
chooses the ingress frames, and tc gate action would specify what slot
does these frames can be passed to device and what time slot would be
dropped.
Tc gate action would provide an entry list to tell how much time gate
keep open and how much time gate keep state close. Gate action also
assign a start time to tell when the entry list start. Then driver would
repeat the gate entry list cyclically.
For the software simulation, gate action require the user assign a time
clock type.
Below is the setting example in user space. Tc filter a stream source ip
address is 192.168.0.20 and gate action own two time slots. One is last
200ms gate open let frame pass another is last 100ms gate close let
frames dropped.
# tc qdisc add dev eth0 ingress
# tc filter add dev eth0 parent ffff: protocol ip \
flower src_ip 192.168.0.20 \
action gate index 2 clockid CLOCK_TAI \
sched-entry open 200000000ns -1 8000000b \
sched-entry close 100000000ns
# tc chain del dev eth0 ingress chain 0
"sched-entry" follow the name taprio style. Gate state is
"open"/"close". Follow the period nanosecond. Then next -1 is internal
priority value means which ingress queue should put to. "-1" means
wildcard. The last value optional specifies the maximum number of
MSDU octets that are permitted to pass the gate during the specified
time interval, the overlimit frames would be dropped.
Below example shows filtering a stream with destination mac address is
10:00:80:00:00:00 and ip type is ICMP, follow the action gate. The gate
action would run with one close time slot which means always keep close.
The time cycle is total 200000000ns. The base-time would calculate by:
ip link add br0 type bridge
ip link add vx0 type vxlan dstport 4789 external
ip link set dev vx0 master br0
bridge vlan del vid 1 dev vx0
ip link add vx1 type vxlan dstport 4790 external
ip link set dev vx1 master br0
root@vsid:/src/iproute2# ./bridge/bridge vlan
port vlan-id
br0 1 PVID Egress Untagged
Why does vx0 appear in normal output and not json output?
Why output an empty list for br0 and vx1?
Fix these inconsistencies and avoid outputting entries with no values. This
makes the behavior consistent with other iproute2 commands, for example
`ip -6 addr`: if an interface doesn't have any ipv6 addresses, it is not
part of the listing.
Fixes: 8652eeb3ab12 ("bridge: vlan: support for per vlan tunnel info") Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Fixes: 7abf5de677e3 ("bridge: vlan: add support to display per-vlan statistics") Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Xin Long [Mon, 27 Apr 2020 10:27:51 +0000 (18:27 +0800)]
tc: f_flower: add options support for erspan
This patch is to add TCA_FLOWER_KEY_ENC_OPTS_ERSPAN's parse and
print to implement erspan options support in m_tunnel_key, like
Commit 56155d4df86d ("tc: f_flower: add geneve option match
support to flower") for geneve options support.
Option is expressed as version:index:dir:hwid, dir and hwid will
be parsed when version is 2, while index will be parsed when
version is 1. erspan doesn't support multiple options.
With this patch, users can add and dump erspan options like:
# ip link add name erspan1 type erspan external
# tc qdisc add dev erspan1 ingress
# tc filter add dev erspan1 protocol ip parent ffff: \
flower \
enc_src_ip 10.0.99.192 \
enc_dst_ip 10.0.99.193 \
enc_key_id 11 \
erspan_opts 1:2:0:0/1:255:0:0 \
ip_proto udp \
action mirred egress redirect dev eth1
# tc -s filter show dev erspan1 parent ffff:
v1->v2:
- no change.
v2->v3:
- no change.
v3->v4:
- keep the same format between input and output, json and non json.
- print version, index, dir and hwid as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:50 +0000 (18:27 +0800)]
tc: f_flower: add options support for vxlan
This patch is to add TCA_FLOWER_KEY_ENC_OPTS_VXLAN's parse and
print to implement vxlan options support in m_tunnel_key, like
Commit 56155d4df86d ("tc: f_flower: add geneve option match
support to flower") for geneve options support.
Option is expressed a 32bit number for gbp only, and vxlan
doesn't support multiple options.
With this patch, users can add and dump vxlan options like:
# ip link add name vxlan1 type vxlan dstport 0 external
# tc qdisc add dev vxlan1 ingress
# tc filter add dev vxlan1 protocol ip parent ffff: \
flower \
enc_src_ip 10.0.99.192 \
enc_dst_ip 10.0.99.193 \
enc_key_id 11 \
vxlan_opts 65793/4008635966 \
ip_proto udp \
action mirred egress redirect dev eth1
# tc -s filter show dev vxlan1 parent ffff:
v1->v2:
- get_u32 with base = 0 for gbp.
v2->v3:
- implement proper JSON array for opts.
v3->v4:
- keep the same format between input and output, json and non json.
- print gbp as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:49 +0000 (18:27 +0800)]
tc: m_tunnel_key: add options support for erpsan
This patch is to add TCA_TUNNEL_KEY_ENC_OPTS_ERSPAN's parse and
print to implement erspan options support in m_tunnel_key, like
Commit 6217917a3826 ("tc: m_tunnel_key: Add tunnel option support
to act_tunnel_key") for geneve options support.
Option is expressed as version:index:dir:hwid, dir and hwid will
be parsed when version is 2, while index will be parsed when
version is 1. erspan doesn't support multiple options.
With this patch, users can add and dump erspan options like:
# ip link add name erspan1 type erspan external
# tc qdisc add dev eth0 ingress
# tc filter add dev eth0 protocol ip parent ffff: \
flower indev eth0 \
ip_proto udp \
action tunnel_key \
set src_ip 10.0.99.192 \
dst_ip 10.0.99.193 \
dst_port 6081 \
id 11 \
erspan_opts 1:2:0:0 \
action mirred egress redirect dev erspan1
# tc -s filter show dev eth0 parent ffff:
filter protocol ip pref 49151 flower chain 0 handle 0x1
indev eth0
eth_type ipv4
ip_proto udp
not_in_hw
action order 1: tunnel_key set
src_ip 10.0.99.192
dst_ip 10.0.99.193
key_id 11
dst_port 6081
erspan_opts 1:2:0:0
csum pipe
index 2 ref 1 bind 1
...
v1->v2:
- no change.
v2->v3:
- no change.
v3->v4:
- keep the same format between input and output, json and non json.
- print version, index, dir and hwid as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:48 +0000 (18:27 +0800)]
tc: m_tunnel_key: add options support for vxlan
This patch is to add TCA_TUNNEL_KEY_ENC_OPTS_VXLAN's parse and
print to implement vxlan options support in m_tunnel_key, like
Commit 6217917a3826 ("tc: m_tunnel_key: Add tunnel option support
to act_tunnel_key") for geneve options support.
Option is expressed a 32bit number for gbp only, and vxlan
doesn't support multiple options.
With this patch, users can add and dump vxlan options like:
# ip link add name vxlan1 type vxlan dstport 0 external
# tc qdisc add dev eth0 ingress
# tc filter add dev eth0 protocol ip parent ffff: \
flower indev eth0 \
ip_proto udp \
action tunnel_key \
set src_ip 10.0.99.192 \
dst_ip 10.0.99.193 \
dst_port 6081 \
id 11 \
vxlan_opts 65793 \
action mirred egress redirect dev vxlan1
# tc -s filter show dev eth0 parent ffff:
v1->v2:
- get_u32 with base = 0 for gbp.
- use to print_unint("0x%x") to print gbp.
v2->v3:
- implement proper JSON array for opts.
v3->v4:
- keep the same format between input and output, json and non json.
- print gbp as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:47 +0000 (18:27 +0800)]
iproute_lwtunnel: add options support for erspan metadata
This patch is to add LWTUNNEL_IP_OPTS_ERSPAN's parse and print to implement
erspan options support in iproute_lwtunnel.
Option is expressed as version:index:dir:hwid, dir and hwid will be parsed
when version is 2, while index will be parsed when version is 1. All of
these are numbers. erspan doesn't support multiple options.
With this patch, users can add and dump erspan options like:
# ip netns add a
# ip netns add b
# ip -n a link add eth0 type veth peer name eth0 netns b
# ip -n a link set eth0 up
# ip -n b link set eth0 up
# ip -n a addr add 10.1.0.1/24 dev eth0
# ip -n b addr add 10.1.0.2/24 dev eth0
# ip -n b link add erspan1 type erspan key 1 seq erspan 123 \
local 10.1.0.2 remote 10.1.0.1
# ip -n b addr add 1.1.1.1/24 dev erspan1
# ip -n b link set erspan1 up
# ip -n b route add 2.1.1.0/24 dev erspan1
# ip -n a link add erspan1 type erspan key 1 seq local 10.1.0.1 external
# ip -n a addr add 2.1.1.1/24 dev erspan1
# ip -n a link set erspan1 up
# ip -n a route add 1.1.1.0/24 encap ip id 1 \
erspan_opts 2:123:1:2 dst 10.1.0.2 dev erspan1
# ip -n a route show
# ip netns exec a ping 1.1.1.1 -c 1
1.1.1.0/24 encap ip id 1 src 0.0.0.0 dst 10.1.0.2 ttl 0 tos 0
erspan_opts 2:0:1:2 dev erspan1 scope link
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.124 ms
v1->v2:
- improve the changelog.
- use PRINT_ANY to support dumping with json format.
v2->v3:
- implement proper JSON object for opts instead of just bunch of strings.
v3->v4:
- keep the same format between input and output, json and non json.
- print version, index, dir and hwid as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:46 +0000 (18:27 +0800)]
iproute_lwtunnel: add options support for vxlan metadata
This patch is to add LWTUNNEL_IP_OPTS_VXLAN's parse and print to implement
vxlan options support in iproute_lwtunnel.
Option is expressed a number for gbp only, and vxlan doesn't support
multiple options.
With this patch, users can add and dump vxlan options like:
# ip netns add a
# ip netns add b
# ip -n a link add eth0 type veth peer name eth0 netns b
# ip -n a link set eth0 up
# ip -n b link set eth0 up
# ip -n a addr add 10.1.0.1/24 dev eth0
# ip -n b addr add 10.1.0.2/24 dev eth0
# ip -n b link add vxlan1 type vxlan id 1 local 10.1.0.2 \
remote 10.1.0.1 dev eth0 ttl 64 gbp
# ip -n b addr add 1.1.1.1/24 dev vxlan1
# ip -n b link set vxlan1 up
# ip -n b route add 2.1.1.0/24 dev vxlan1
# ip -n a link add vxlan1 type vxlan local 10.1.0.1 dev eth0 ttl 64 \
gbp external
# ip -n a addr add 2.1.1.1/24 dev vxlan1
# ip -n a link set vxlan1 up
# ip -n a route add 1.1.1.0/24 encap ip id 1 \
vxlan_opts 1110 dst 10.1.0.2 dev vxlan1
# ip -n a route show
# ip netns exec a ping 1.1.1.1 -c 1
1.1.1.0/24 encap ip id 1 src 0.0.0.0 dst 10.1.0.2 ttl 0 tos 0
vxlan_opts 1110 dev vxlan1 scope link
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.111 ms
v1->v2:
- improve the changelog.
- get_u32 with base = 0 for gbp.
- use PRINT_ANY to support dumping with json format.
v2->v3:
- implement proper JSON array for opts.
v3->v4:
- keep the same format between input and output, json and non json.
- print gbp as uint.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Xin Long [Mon, 27 Apr 2020 10:27:45 +0000 (18:27 +0800)]
iproute_lwtunnel: add options support for geneve metadata
This patch is to add LWTUNNEL_IP(6)_OPTS and LWTUNNEL_IP_OPTS_GENEVE's
parse and print to implement geneve options support in iproute_lwtunnel.
Options are expressed as class:type:data and multiple options may be
listed using a comma delimiter, class and type are numbers and data
is a hex string.
With this patch, users can add and dump geneve options like:
# ip netns add a
# ip netns add b
# ip -n a link add eth0 type veth peer name eth0 netns b
# ip -n a link set eth0 up; ip -n b link set eth0 up
# ip -n a addr add 10.1.0.1/24 dev eth0
# ip -n b addr add 10.1.0.2/24 dev eth0
# ip -n b link add geneve1 type geneve id 1 remote 10.1.0.1 ttl 64
# ip -n b addr add 1.1.1.1/24 dev geneve1
# ip -n b link set geneve1 up
# ip -n b route add 2.1.1.0/24 dev geneve1
# ip -n a link add geneve1 type geneve external
# ip -n a addr add 2.1.1.1/24 dev geneve1
# ip -n a link set geneve1 up
# ip -n a route add 1.1.1.0/24 encap ip id 1 geneve_opts \
1:1:1212121234567890,1:1:1212121234567890,1:1:1212121234567890 \
dst 10.1.0.2 dev geneve1
# ip -n a route show
# ip netns exec a ping 1.1.1.1 -c 1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.079 ms
v1->v2:
- improve the changelog.
- use PRINT_ANY to support dumping with json format.
v2->v3:
- implement proper JSON array for opts instead of just bunch of strings.
v3->v4:
- keep the same format between input and output, json and non json.
- print class and type as uint and print data as hex string.
Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Petr Machata [Tue, 28 Apr 2020 11:44:33 +0000 (14:44 +0300)]
tc: pedit: Support JSON dumping
The action pedit does not currently support dumping to JSON. Convert
print_pedit() to the print_* family of functions so that dumping is correct
both in plain and JSON mode. In plain mode, the output is character for
character the same as it was before. In JSON mode, this is an example dump:
William Tu [Sun, 26 Apr 2020 15:04:15 +0000 (08:04 -0700)]
erspan: Add type I version 0 support.
The Type I ERSPAN frame format is based on the barebones
IP + GRE(4-byte) encapsulation on top of the raw mirrored frame.
Both type I and II use 0x88BE as protocol type. Unlike type II
and III, no sequence number or key is required.
To creat a type I erspan tunnel device:
$ ip link add dev erspan11 type erspan \
local 172.16.1.100 remote 172.16.1.200 \
erspan_ver 0
CC: Dmitriy Andreyevskiy <dandreye@cisco.com> Signed-off-by: William Tu <u9012063@gmail.com> Signed-off-by: David Ahern <dsahern@gmail.com>
David Ahern [Wed, 29 Apr 2020 16:50:25 +0000 (16:50 +0000)]
Merge branch 'mptcp' into next
Paolo Abeni says:
====================
This introduces support for the MPTCP PM netlink interface, allowing admins
to configure several aspects of the MPTCP path manager. The subcommand is
documented with a newly added man-page.
This series also includes support for MPTCP subflow diag.
Xin Long [Mon, 27 Apr 2020 07:14:24 +0000 (15:14 +0800)]
xfrm: also check for ipv6 state in xfrm_state_keep
As commit f9d696cf414c ("xfrm: not try to delete ipcomp states when using
deleteall") does, this patch is to fix the same issue for ip6 state where
xsinfo->id.proto == IPPROTO_IPV6.
# ip xfrm state add src 2000::1 dst 2000::2 spi 0x1000 \
proto comp comp deflate mode tunnel sel src 2000::1 dst \
2000::2 proto gre
# ip xfrm sta deleteall
Failed to send delete-all request
: Operation not permitted
Note that the xsinfo->proto in common states can never be IPPROTO_IPV6.
Fixes: f9d696cf414c ("xfrm: not try to delete ipcomp states when using deleteall") Reported-by: Xiumei Mu <xmu@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Andrea Claudi <aclaudi@redhat.com> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
David Ahern [Sun, 26 Apr 2020 18:32:20 +0000 (18:32 +0000)]
Merge branch 'macsec-offload' into next
Igor Russkikh says:
====================
From: Mark Starovoytov <mstarovoitov@marvell.com>
This series adds support for selecting the offloading mode of a MACsec
interface at link creation time.
Available modes are for now 'off', 'phy' and 'mac', 'off' being the default
when an interface is created.
First patch adds support for MAC offloading.
Last patch allows a user to change the offloading mode at runtime
through a new attribute, `ip link add link ... offload`:
# ip link add link enp1s0 type macsec encrypt on offload off
# ip link add link enp1s0 type macsec encrypt on offload phy
# ip link add link enp1s0 type macsec encrypt on offload mac
Mark Starovoytov [Fri, 24 Apr 2020 08:38:57 +0000 (11:38 +0300)]
macsec: add support for specifying offload at link add time
This patch adds support for configuring offload mode upon MACsec
device creation.
If offload mode is not specified, then netlink attribute is not
added. Default behavior on the kernel side in this case is
backward-compatible (offloading is disabled by default).
Example:
$ ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com> Signed-off-by: Igor Russkikh <irusskikh@marvell.com> Signed-off-by: David Ahern <dsahern@gmail.com>
Mark Starovoytov [Fri, 24 Apr 2020 08:38:56 +0000 (11:38 +0300)]
macsec: add support for MAC offload
This patch enables MAC HW offload usage in iproute, since MACSec
implementation supports it now.
Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com> Signed-off-by: Igor Russkikh <irusskikh@marvell.com> Signed-off-by: David Ahern <dsahern@gmail.com>
projects / mirror_iproute2.git / log