From 14fd32d3c6ab9dcaa9cde6b831a13bf1dd16696e Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 22 Oct 2019 09:53:26 -0700
Subject: [PATCH 01/11] examples: remove out of date cbq stuff

The examples around cbq are out of date and never updated. There are better ways to achieve same kind of thing with more modern qdisc.

Signed-off-by: Stephen Hemminger
---
examples/README.cbq | 122 ------------------------------------
examples/SYN-DoS.rate.limit | 49 ---------------
examples/cbqinit.eth1 | 76 ----------------------
3 files changed, 247 deletions(-)
delete mode 100644 examples/README.cbq
delete mode 100644 examples/SYN-DoS.rate.limit
delete mode 100644 examples/cbqinit.eth1

diff --git a/examples/README.cbq b/examples/README.cbq
deleted file mode 100644
index 38c1089d..00000000
--- a/examples/README.cbq
+++ /dev/null
@@ -1,122 +0,0 @@
-# CHANGES
-# -------
-# v0.3a2- fixed bug in "if" operator. Thanks kad@dgtu.donetsk.ua.
-# v0.3a- added TIME parameter. Example:
-# TIME=00:00-19:00;64Kbit/6Kbit
-# So, between 00:00 and 19:00 RATE will be 64Kbit.
-# Just start "cbq.init timecheck" periodically from cron (every 10
-# minutes for example).
-# !!! Anyway you MUST start "cbq.init start" for CBQ initialize.
-# v0.2 - Some cosmetique changes. Now it more compatible with
-# old bash version. Thanks to Stanislav V. Voronyi
-# .
-# v0.1 - First public release
-#
-# README
-# ------
-#
-# First of all - this is just a SIMPLE EXAMPLE of CBQ power.
-# Don't ask me "why" and "how" :)
-#
-# This is an example of using CBQ (Class Based Queueing) and policy-based
-# filter for building smart ethernet shapers. All CBQ parameters are
-# correct only for ETHERNET (eth0,1,2..) linux interfaces. It works for
-# ARCNET too (just set bandwidth parameter to 2Mbit). It was tested
-# on 2.1.125-2.1.129 linux kernels (KSI linux, Nostromo version) and
-# ip-route utility by A.Kuznetsov (iproute2-ss981101 version).
-# You can download ip-route from ftp://ftp.inr.ac.ru/ip-routing or
-# get iproute2*.rpm (compiled with glibc) from ftp.ksi-linux.com.
-#
-#
-# HOW IT WORKS
-#
-# Each shaper must be described by config file in $CBQ_PATH
-# (/etc/sysconfig/cbq/) directory - one config file for each CBQ shaper.
-#
-# Some words about config file name:
-# Each shaper has its personal ID - two byte HEX number. Really ID is
-# CBQ class.
-# So, filename looks like:
-#
-# cbq-1280.My_first_shaper
-# ^^^ ^^^ ^^^^^^^^^^^^^
-# | | |______ Shaper name - any word
-# | |___________________ ID (0000-FFFF), let ID looks like shaper's rate
-# |______________________ Filename must begin from "cbq-"
-#
-#
-# Config file describes shaper parameters and source[destination]
-# address[port].
-# For example let's prepare /etc/sysconfig/cbq/cbq-1280.My_first_shaper:
-#
-# ----------8<---------------------
-# DEVICE=eth0,10Mbit,1Mbit
-# RATE=128Kbit
-# WEIGHT=10Kbit
-# PRIO=5
-# RULE=192.168.1.0/24
-# ----------8<---------------------
-#
-# This is minimal configuration, where:
-# DEVICE: eth0 - device where we do control our traffic
-# 10Mbit - REAL ethernet card bandwidth
-# 1Mbit - "weight" of :1 class (parent for all shapers for eth0),
-# as a rule of thumb weight=batdwidth/10.
-# 100Mbit adapter's example: DEVICE=eth0,100Mbit,10Mbit
-# *** If you want to build more than one shaper per device it's
-# enough to describe bandwidth and weight once - cbq.init
-# is smart :) You can put only 'DEVICE=eth0' into cbq-*
-# config file for eth0.
-#
-# RATE: Shaper's speed - Kbit,Mbit or bps (bytes per second)
-#
-# WEIGHT: "weight" of shaper (CBQ class). Like for DEVICE - approx. RATE/10
-#
-# PRIO: shaper's priority from 1 to 8 where 1 is the highest one.
-# I do always use "5" for all my shapers.
-#
-# RULE: [source addr][:source port],[dest addr][:dest port]
-# Some examples:
-# RULE=10.1.1.0/24:80 - all traffic for network 10.1.1.0 to port 80
-# will be shaped.
-# RULE=10.2.2.5 - shaper works only for IP address 10.2.2.5
-# RULE=:25,10.2.2.128/25:5000 - all traffic from any address and port 25 to
-# address 10.2.2.128 - 10.2.2.255 and port 5000
-# will be shaped.
-# RULE=10.5.5.5:80, - shaper active only for traffic from port 80 of
-# address 10.5.5.5
-# Multiple RULE fields per one config file are allowed. For example:
-# RULE=10.1.1.2:80
-# RULE=10.1.1.2:25
-# RULE=10.1.1.2:110
-#
-# *** ATTENTION!!!
-# All shapers do work only for outgoing traffic!
-# So, if you want to build bidirectional shaper you must set it up for
-# both ethernet card. For example let's build shaper for our linux box like:
-#
-# --------- 192.168.1.1
-# BACKBONE -----eth0-| linux |-eth1------*[our client]
-# ---------
-#
-# Let all traffic from backbone to client will be shaped at 28Kbit and
-# traffic from client to backbone - at 128Kbit. We need two config files:
-#
-# ---8<-----/etc/sysconfig/cbq/cbq-28.client-out----
-# DEVICE=eth1,10Mbit,1Mbit
-# RATE=28Kbit
-# WEIGHT=2Kbit
-# PRIO=5
-# RULE=192.168.1.1
-# ---8<---------------------------------------------
-#
-# ---8<-----/etc/sysconfig/cbq/cbq-128.client-in----
-# DEVICE=eth0,10Mbit,1Mbit
-# RATE=128Kbit
-# WEIGHT=10Kbit
-# PRIO=5
-# RULE=192.168.1.1,
-# ---8<---------------------------------------------
-# ^pay attention to "," - this is source address!
-#
-# Enjoy.
diff --git a/examples/SYN-DoS.rate.limit b/examples/SYN-DoS.rate.limit
deleted file mode 100644
index 8766b679..00000000
--- a/examples/SYN-DoS.rate.limit
+++ /dev/null
@@ -1,49 +0,0 @@
-#! /bin/sh -x
-#
-# sample script on using the ingress capabilities
-# this script shows how one can rate limit incoming SYNs
-# Useful for TCP-SYN attack protection. You can use
-# IPchains to have more powerful additions to the SYN (eg
-# in addition the subnet)
-#
-#path to various utilities;
-#change to reflect yours.
-#
-IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
-TC=$IPROUTE/tc/tc
-IP=$IPROUTE/ip/ip
-IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
-INDEV=eth2
-#
-# tag all incoming SYN packets through $INDEV as mark value 1
-############################################################
-$IPCHAINS -A input -i $INDEV -y -m 1
-############################################################
-#
-# install the ingress qdisc on the ingress interface
-############################################################
-$TC qdisc add dev $INDEV handle ffff: ingress
-############################################################
-
-#
-#
-# SYN packets are 40 bytes (320 bits) so three SYNs equals
-# 960 bits (approximately 1kbit); so we rate limit below
-# the incoming SYNs to 3/sec (not very sueful really; but
-#serves to show the point - JHS
-############################################################
-$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
-police rate 1kbit burst 40 mtu 9k drop flowid :1
-############################################################
-
-
-#
-echo "---- qdisc parameters Ingress ----------"
-$TC qdisc ls dev $INDEV
-echo "---- Class parameters Ingress ----------"
-$TC class ls dev $INDEV
-echo "---- filter parameters Ingress ----------"
-$TC filter ls dev $INDEV parent ffff:
-
-#deleting the ingress qdisc
-#$TC qdisc del $INDEV ingress
diff --git a/examples/cbqinit.eth1 b/examples/cbqinit.eth1
deleted file mode 100644
index 226ec1c5..00000000
--- a/examples/cbqinit.eth1
+++ /dev/null
@@ -1,76 +0,0 @@
-#! /bin/sh
-
-TC=/home/root/tc
-IP=/home/root/ip
-DEVICE=eth1
-BANDWIDTH="bandwidth 10Mbit"
-
-# Attach CBQ on $DEVICE. It will have handle 1:.
-# $BANDWIDTH is real $DEVICE bandwidth (10Mbit).
-# avpkt is average packet size.
-# mpu is minimal packet size.
-
-$TC qdisc add dev $DEVICE root handle 1: cbq \
-$BANDWIDTH avpkt 1000 mpu 64
-
-# Create root class with classid 1:1. This step is not necessary.
-# bandwidth is the same as on CBQ itself.
-# rate == all the bandwidth
-# allot is MTU + MAC header
-# maxburst measure allowed class burstiness (please,read S.Floyd and VJ papers)
-# est 1sec 8sec means, that kernel will evaluate average rate
-# on this class with period 1sec and time constant 8sec.
-# This rate is viewed with "tc -s class ls dev $DEVICE"
-
-$TC class add dev $DEVICE parent 1:0 classid :1 est 1sec 8sec cbq \
-$BANDWIDTH rate 10Mbit allot 1514 maxburst 50 avpkt 1000
-
-# Bulk.
-# New parameters are:
-# weight, which is set to be proportional to
-# "rate". It is not necessary, weight=1 will work as well.
-# defmap and split say that best effort ttraffic, not classfied
-# by another means will fall to this class.
-
-$TC class add dev $DEVICE parent 1:1 classid :2 est 1sec 8sec cbq \
-$BANDWIDTH rate 4Mbit allot 1514 weight 500Kbit \
-prio 6 maxburst 50 avpkt 1000 split 1:0 defmap ff3d
-
-# OPTIONAL.
-# Attach "sfq" qdisc to this class, quantum is MTU, perturb
-# gives period of hash function perturbation in seconds.
-#
-$TC qdisc add dev $DEVICE parent 1:2 sfq quantum 1514b perturb 15
-
-# Interactive-burst class
-
-$TC class add dev $DEVICE parent 1:1 classid :3 est 2sec 16sec cbq \
-$BANDWIDTH rate 1Mbit allot 1514 weight 100Kbit \
-prio 2 maxburst 100 avpkt 1000 split 1:0 defmap c0
-
-$TC qdisc add dev $DEVICE parent 1:3 sfq quantum 1514b perturb 15
-
-# Background.
-
-$TC class add dev $DEVICE parent 1:1 classid :4 est 1sec 8sec cbq \
- $BANDWIDTH rate 100Kbit allot 1514 weight 10Mbit \
- prio 7 maxburst 10 avpkt 1000 split 1:0 defmap 2
-
-$TC qdisc add dev $DEVICE parent 1:4 sfq quantum 1514b perturb 15
-
-# Realtime class for RSVP
-
-$TC class add dev $DEVICE parent 1:1 classid 1:7FFE cbq \
-rate 5Mbit $BANDWIDTH allot 1514b avpkt 1000 \
-maxburst 20
-
-# Reclassified realtime traffic
-#
-# New element: split is not 1:0, but 1:7FFE. It means,
-# that only real-time packets, which violated policing filters
-# or exceeded reshaping buffers will fall to it.
-
-$TC class add dev $DEVICE parent 1:7FFE classid 1:7FFF est 4sec 32sec cbq \
-rate 1Mbit $BANDWIDTH allot 1514b avpkt 1000 weight 10Kbit \
-prio 6 maxburst 10 split 1:7FFE defmap ffff
-
From 86c0bf598294607d2232a837cacf17f0b54db619 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Wed, 23 Oct 2019 09:12:19 -0700
Subject: [PATCH 02/11] examples: remove gaiconf

The gaiconf script is a workaround for something now handled in distros as part of libc.

Signed-off-by: Stephen Hemminger
---
examples/gaiconf | 134 -----------------------------------------------
1 file changed, 134 deletions(-)
delete mode 100644 examples/gaiconf

diff --git a/examples/gaiconf b/examples/gaiconf
deleted file mode 100644
index d75292b9..00000000
--- a/examples/gaiconf
+++ /dev/null
@@ -1,134 +0,0 @@
-#!/bin/sh
-
-#
-# Setup address label from /etc/gai.conf
-#
-# Written by YOSHIFUJI Hideaki , 2010.
-#
-
-IP=ip
-DEFAULT_GAICONF=/etc/gai.conf
-verbose=
-debug=
-
-function run ()
-{
- if [ x"$verbose" != x"" ]; then
- echo "$@"
- fi
- if [ x"$debug" = x"" ]; then
- "$@"
- fi
-}
-
-function do_load_config ()
-{
- file=$1; shift
- flush=1
- cat $file | while read command prefix label; do
- if [ x"$command" = x"#label" ]; then
- if [ ${flush} = 1 ]; then
- run ${IP} -6 addrlabel flush
- flush=0
- fi
- run ${IP} -6 addrlabel add prefix $prefix label $label
- fi
- done
-}
-
-function do_list_config ()
-{
- ${IP} -6 addrlabel list | while read p pfx l lbl; do
- echo label ${pfx} ${lbl}
- done
-}
-
-function help ()
-{
- echo "Usage: $0 [-v] {--list | --config [ ${DEFAULT_GAICONF} ] | --default}"
- exit 1
-}
-
-TEMP=`getopt -o c::dlv -l config::,default,list,verbose -n gaiconf -- "$@"`
-
-if [ $? != 0 ]; then
- echo "Terminating..." >&2
- exit 1
-fi
-
-TEMPFILE=`mktemp`
-
-eval set -- "$TEMP"
-
-while true ; do
- case "$1" in
- -c|--config)
- if [ x"$cmd" != x"" ]; then
- help
- fi
- case "$2" in
- "") gai_conf="${DEFAULT_GAICONF}"
- shift 2
- ;;
- *) gai_conf="$2"
- shift 2
- esac
- cmd=config
- ;;
- -d|--default)
- if [ x"$cmd" != x"" ]; then
- help
- fi
- gai_conf=${TEMPFILE}
- cmd=config
- ;;
- -l|--list)
- if [ x"$cmd" != x"" ]; then
- help
- fi
- cmd=list
- shift
- ;;
- -v)
- verbose=1
- shift
- ;;
- --)
- shift;
- break
- ;;
- *)
- echo "Internal error!" >&2
- exit 1
- ;;
- esac
-done
-
-case "$cmd" in
- config)
- if [ x"$gai_conf" = x"${TEMPFILE}" ]; then
- sed -e 's/^[[:space:]]*//' <${TEMPFILE}
- label ::1/128 0
- label ::/0 1
- label 2002::/16 2
- label ::/96 3
- label ::ffff:0:0/96 4
- label fec0::/10 5
- label fc00::/7 6
- label 2001:0::/32 7
-END_OF_DEFAULT
- fi
- do_load_config "$gai_conf"
- ;;
- list)
- do_list_config
- ;;
- *)
- help
- ;;
-esac
-
-rm -f "${TEMPFILE}"
-
-exit 0
-
From d49e5c2437a4421d379744b1e3d2aa4599422f16 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Wed, 23 Oct 2019 09:13:55 -0700
Subject: [PATCH 03/11] examples: remove diffserv

The diffserv examples here are out of date and incomplete. Remove them rather than try and fix them.

Signed-off-by: Stephen Hemminger
---
examples/diffserv/Edge1 | 68 ---------
examples/diffserv/Edge2 | 87 ------------
examples/diffserv/Edge31-ca-u32 | 170 -----------------------
examples/diffserv/Edge31-cb-chains | 132 ------------------
examples/diffserv/Edge32-ca-u32 | 198 ---------------------------
examples/diffserv/Edge32-cb-chains | 144 -------------------
examples/diffserv/Edge32-cb-u32 | 145 --------------------
examples/diffserv/README | 98 -------------
examples/diffserv/afcbq | 105 --------------
examples/diffserv/ef-prio | 25 ----
examples/diffserv/efcbq | 31 -----
examples/diffserv/regression-testing | 125 -----------------
12 files changed, 1328 deletions(-)
delete mode 100644 examples/diffserv/Edge1
delete mode 100644 examples/diffserv/Edge2
delete mode 100644 examples/diffserv/Edge31-ca-u32
delete mode 100644 examples/diffserv/Edge31-cb-chains
delete mode 100644 examples/diffserv/Edge32-ca-u32
delete mode 100644 examples/diffserv/Edge32-cb-chains
delete mode 100644 examples/diffserv/Edge32-cb-u32
delete mode 100644 examples/diffserv/README
delete mode 100644 examples/diffserv/afcbq
delete mode 100644 examples/diffserv/ef-prio
delete mode 100644 examples/diffserv/efcbq
delete mode 100644 examples/diffserv/regression-testing

diff --git a/examples/diffserv/Edge1 b/examples/diffserv/Edge1
deleted file mode 100644
index 4ddffdd1..00000000
--- a/examples/diffserv/Edge1
+++ /dev/null
@@ -1,68 +0,0 @@
-#! /bin/sh -x
-#
-# sample script on using the ingress capabilities
-# This script just tags on the ingress interfac using Ipchains
-# the result is used for fast classification and re-marking
-# on the egress interface
-#
-#path to various utilities;
-#change to reflect yours.
-#
-IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
-TC=$IPROUTE/tc/tc
-IP=$IPROUTE/ip/ip
-IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
-INDEV=eth2
-EGDEV="dev eth1"
-#
-# tag all incoming packets from host 10.2.0.24 to value 1
-# tag all incoming packets from host 10.2.0.3 to value 2
-# tag the rest of incoming packets from subnet 10.2.0.0/24 to value 3
-#These values are used in the egress
-#
-############################################################
-$IPCHAINS -A input -s 10.2.0.4/24 -m 3
-$IPCHAINS -A input -i $INDEV -s 10.2.0.24 -m 1
-$IPCHAINS -A input -i $INDEV -s 10.2.0.3 -m 2
-
-######################## Egress side ########################
-
-
-# attach a dsmarker
-#
-$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64 set_tc_index
-#
-# values of the DSCP to change depending on the class
-#
-#becomes EF
-$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
- value 0xb8
-#becomes AF11
-$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
- value 0x28
-#becomes AF21
-$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
- value 0x48
-#
-#
-# The class mapping
-#
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 1 fw classid 1:1
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 2 fw classid 1:2
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 3 fw classid 1:3
-#
-
-#
-echo "---- qdisc parameters Ingress ----------"
-$TC qdisc ls dev $INDEV
-echo "---- Class parameters Ingress ----------"
-$TC class ls dev $INDEV
-echo "---- filter parameters Ingress ----------"
-$TC filter ls dev $INDEV parent 1:0
-
-echo "---- qdisc parameters Egress ----------"
-$TC qdisc ls $EGDEV
-echo "---- Class parameters Egress ----------"
-$TC class ls $EGDEV
-echo "---- filter parameters Egress ----------"
-$TC filter ls $EGDEV parent 1:0
diff --git a/examples/diffserv/Edge2 b/examples/diffserv/Edge2
deleted file mode 100644
index f81f510f..00000000
--- a/examples/diffserv/Edge2
+++ /dev/null
@@ -1,87 +0,0 @@
-#! /bin/sh -x
-#
-# sample script on using the ingress capabilities
-# This script tags the fwmark on the ingress interface using IPchains
-# the result is used first for policing on the Ingress interface then
-# for fast classification and re-marking
-# on the egress interface
-#
-#path to various utilities;
-#change to reflect yours.
-#
-IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
-TC=$IPROUTE/tc/tc
-IP=$IPROUTE/ip/ip
-IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
-INDEV=eth2
-EGDEV="dev eth1"
-#
-# tag all incoming packets from host 10.2.0.24 to value 1
-# tag all incoming packets from host 10.2.0.3 to value 2
-# tag the rest of incoming packets from subnet 10.2.0.0/24 to value 3
-#These values are used in the egress
-############################################################
-$IPCHAINS -A input -s 10.2.0.0/24 -m 3
-$IPCHAINS -A input -i $INDEV -s 10.2.0.24 -m 1
-$IPCHAINS -A input -i $INDEV -s 10.2.0.3 -m 2
-############################################################
-#
-# install the ingress qdisc on the ingress interface
-############################################################
-$TC qdisc add dev $INDEV handle ffff: ingress
-############################################################
-
-#
-# attach a fw classifier to the ingress which polices anything marked
-# by ipchains to tag value 3 (The rest of the subnet packets -- not
-# tag 1 or 2) to not go beyond 1.5Mbps
-# Allow up to at least 60 packets to burst (assuming maximum packet
-# size of # 1.5 KB) in the long run and up to about 6 packets in the
-# shot run
-
-############################################################
-$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 3 fw \
-police rate 1500kbit burst 90k mtu 9k drop flowid :1
-############################################################
-
-######################## Egress side ########################
-
-
-# attach a dsmarker
-#
-$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64
-#
-# values of the DSCP to change depending on the class
-#
-$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
- value 0xb8
-$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
- value 0x28
-$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
- value 0x48
-#
-#
-# The class mapping
-#
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 1 fw classid 1:1
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 2 fw classid 1:2
-$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 3 fw classid 1:3
-#
-
-#
-echo "---- qdisc parameters Ingress ----------"
-$TC qdisc ls dev $INDEV
-echo "---- Class parameters Ingress ----------"
-$TC class ls dev $INDEV
-echo "---- filter parameters Ingress ----------"
-$TC filter ls dev $INDEV parent ffff:
-
-echo "---- qdisc parameters Egress ----------"
-$TC qdisc ls $EGDEV
-echo "---- Class parameters Egress ----------"
-$TC class ls $EGDEV
-echo "---- filter parameters Egress ----------"
-$TC filter ls $EGDEV parent 1:0
-#
-#deleting the ingress qdisc
-#$TC qdisc del $DEV ingress
diff --git a/examples/diffserv/Edge31-ca-u32 b/examples/diffserv/Edge31-ca-u32
deleted file mode 100644
index 7344851a..00000000
--- a/examples/diffserv/Edge31-ca-u32
+++ /dev/null
@@ -1,170 +0,0 @@
-#! /bin/sh -x
-#
-# sample script on using the ingress capabilities using u32 classifier
-# This script tags tcindex based on metering on the ingress
-# interface the result is used for fast classification and re-marking
-# on the egress interface
-# This is an example of a color aware mode marker with PIR configured
-# based on draft-wahjak-mcm-00.txt (section 3.1)
-#
-# The colors are defined using the Diffserv Fields
-#path to various utilities;
-#change to reflect yours.
-#
-IPROUTE=/usr/src/iproute2-current
-TC=$IPROUTE/tc/tc
-IP=$IPROUTE/ip/ip
-INDEV=eth0
-EGDEV="dev eth1"
-CIR1=1500kbit
-CIR2=1000kbit
-
-#The CBS is about 60 MTU sized packets
-CBS1=90k
-CBS2=90k
-
-############################################################
-#
-# install the ingress qdisc on the ingress interface
-$TC qdisc add dev $INDEV handle ffff: ingress
-############################################################
-#
-# Create u32 filters
-$TC filter add dev $INDEV parent ffff: protocol ip prio 4 handle 1: u32 \
-divisor 1
-############################################################
-
-# The meters: Note that we have shared meters in this case as identified
-# by the index parameter
-meter1=" police index 1 rate $CIR1 burst $CBS1 "
-meter2=" police index 2 rate $CIR2 burst $CBS1 "
-meter3=" police index 3 rate $CIR2 burst $CBS2 "
-meter4=" police index 4 rate $CIR1 burst $CBS2 "
-meter5=" police index 5 rate $CIR1 burst $CBS2 "
-
-# All packets are marked with a tcindex value which is used on the egress
-# tcindex 1 maps to AF41, 2->AF42, 3->AF43, 4->BE
-
-# *********************** AF41 ***************************
-#AF41 (DSCP 0x22) is passed on with a tcindex value 1
-#if it doesn't exceed its CIR/CBS
-#policer 1 is used.
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 4 u32 \
-match ip tos 0x88 0xfc \
-$meter1 \
-continue flowid :1
-#
-# if it exceeds the above but not the extra rate/burst below, it gets a
-# tcindex value of 2
-# policer 2 is used
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 5 u32 \
-match ip tos 0x88 0xfc \
-$meter2 \
-continue flowid :2
-#
-# if it exceeds the above but not the rule below, it gets a tcindex value
-# of 3 (policer 3)
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 6 u32 \
-match ip tos 0x88 0xfc \
-$meter3 \
-drop flowid :3
-#
-
-# *********************** AF42 ***************************
-#AF42 (DSCP 0x24) from is passed on with a tcindex value 2
-#if it doesn't exceed its CIR/CBS
-#policer 2 is used. Note that this is shared with the AF41
-#
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 5 u32 \
-match ip tos 0x90 0xfc \
-$meter2 \
-continue flowid :2
-#
-# if it exceeds the above but not the rule below, it gets a tcindex value
-# of 3 (policer 3)
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 6 u32 \
-match ip tos 0x90 0xfc \
-$meter3 \
-drop flowid :3
-#
-# *********************** AF43 ***************************
-#
-#AF43 (DSCP 0x26) from is passed on with a tcindex value 3
-#if it doesn't exceed its CIR/CBS
-#policer 3 is used. Note that this is shared with the AF41 and AF42
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 6 u32 \
-match ip tos 0x98 0xfc \
-$meter3 \
-drop flowid :3
-#
-# *********************** BE ***************************
-#
-# Anything else (not from the AF4*) gets discarded if it
-# exceeds 1Mbps and by default goes to BE if it doesn't
-# Note that the BE class is also used by the AF4* in the worst
-# case
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 7 u32 \
-match ip src 0/0\
-$meter4 \
-drop flowid :4
-
-######################## Egress side ########################
-
-# attach a dsmarker
-#
-$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64
-#
-# values of the DSCP to change depending on the class
-#note that the ECN bits are masked out
-#
-#AF41 (0x88 is 0x22 shifted to the right by two bits)
-#
-$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
- value 0x88
-#AF42
-$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
- value 0x90
-#AF43
-$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
- value 0x98
-#BE
-$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
- value 0x0
-#
-#
-# The class mapping
-#
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 1 tcindex classid 1:1
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 2 tcindex classid 1:2
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 3 tcindex classid 1:3
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 4 tcindex classid 1:4
-#
-
-#
-echo "---- qdisc parameters Ingress ----------"
-$TC qdisc ls dev $INDEV
-echo "---- Class parameters Ingress ----------"
-$TC class ls dev $INDEV
-echo "---- filter parameters Ingress ----------"
-$TC filter ls dev $INDEV parent ffff:
-
-echo "---- qdisc parameters Egress ----------"
-$TC qdisc ls $EGDEV
-echo "---- Class parameters Egress ----------"
-$TC class ls $EGDEV
-echo "---- filter parameters Egress ----------"
-$TC filter ls $EGDEV parent 1:0
-#
-#deleting the ingress qdisc
-#$TC qdisc del $INDEV ingress
diff --git a/examples/diffserv/Edge31-cb-chains b/examples/diffserv/Edge31-cb-chains
deleted file mode 100644
index 49c396bc..00000000
--- a/examples/diffserv/Edge31-cb-chains
+++ /dev/null
@@ -1,132 +0,0 @@
-#! /bin/sh -x
-#
-# sample script on using the ingress capabilities
-# This script fwmark tags(IPchains) based on metering on the ingress
-# interface the result is used for fast classification and re-marking
-# on the egress interface
-# This is an example of a color blind mode marker with no PIR configured
-# based on draft-wahjak-mcm-00.txt (section 3.1)
-#
-#path to various utilities;
-#change to reflect yours.
-#
-IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
-TC=$IPROUTE/tc/tc
-IP=$IPROUTE/ip/ip
-IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
-INDEV=eth2
-EGDEV="dev eth1"
-CIR1=1500kbit
-CIR2=1000kbit
-
-#The CBS is about 60 MTU sized packets
-CBS1=90k
-CBS2=90k
-
-meter1="police rate $CIR1 burst $CBS1 "
-meter2="police rate $CIR1 burst $CBS2 "
-meter3="police rate $CIR2 burst $CBS1 "
-meter4="police rate $CIR2 burst $CBS2 "
-meter5="police rate $CIR2 burst $CBS2 "
-#
-# tag the rest of incoming packets from subnet 10.2.0.0/24 to fw value 1
-# tag all incoming packets from any other subnet to fw tag 2
-############################################################
-$IPCHAINS -A input -i $INDEV -s 0/0 -m 2
-$IPCHAINS -A input -i $INDEV -s 10.2.0.0/24 -m 1
-#
-############################################################
-# install the ingress qdisc on the ingress interface
-$TC qdisc add dev $INDEV handle ffff: ingress
-#
-############################################################
-
-# All packets are marked with a tcindex value which is used on the egress
-# tcindex 1 maps to AF41, 2->AF42, 3->AF43, 4->BE
-#
-############################################################
-#
-# anything with fw tag of 1 is passed on with a tcindex value 1
-#if it doesn't exceed its allocated rate (CIR/CBS)
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 4 handle 1 fw \
-$meter1 \
-continue flowid 4:1
-#
-# if it exceeds the above but not the extra rate/burst below, it gets a
-#tcindex value of 2
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 5 handle 1 fw \
-$meter2 \
-continue flowid 4:2
-#
-# if it exceeds the above but not the rule below, it gets a tcindex value
-# of 3
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 6 handle 1 fw \
-$meter3 \
-drop flowid 4:3
-#
-# Anything else (not from the subnet 10.2.0.24/24) gets discarded if it
-# exceeds 1Mbps and by default goes to BE if it doesn't
-#
-$TC filter add dev $INDEV parent ffff: protocol ip prio 6 handle 2 fw \
-$meter5 \
-drop flowid 4:4
-
-
-######################## Egress side ########################
-
-
-# attach a dsmarker
-#
-$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64
-#
-# values of the DSCP to change depending on the class
-#note that the ECN bits are masked out
-#
-#AF41 (0x88 is 0x22 shifted to the right by two bits)
-#
-$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
- value 0x88
-#AF42
-$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
- value 0x90
-#AF43
-$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
- value 0x98
-#BE
-$TC class change $EGDEV classid 1:4 dsmark mask 0x3 \
- value 0x0
-#
-#
-# The class mapping (using tcindex; could easily have
-# replaced it with the fw classifier instead)
-#
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 1 tcindex classid 1:1
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 2 tcindex classid 1:2
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 3 tcindex classid 1:3
-$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \
- handle 4 tcindex classid 1:4
-#
-
-#
-echo "---- qdisc parameters Ingress ----------"
-$TC qdisc ls dev $INDEV
-echo "---- Class parameters Ingress ----------"
-$TC class ls dev $INDEV
-echo "---- filter parameters Ingress ----------"
-$TC filter ls dev $INDEV parent ffff:
-
-echo "---- qdisc parameters Egress ----------"
-$TC qdisc ls $EGDEV
-echo "---- Class parameters Egress ----------"
-$TC class ls $EGDEV
-echo "---- filter parameters Egress ----------"
-$TC filter ls $EGDEV parent 1:0
-#
-#deleting the ingress qdisc
-#$TC qdisc del $INDEV ingress
diff --git a/examples/diffserv/Edge32-ca-u32 b/examples/diffserv/Edge32-ca-u32
deleted file mode 100644
index 9d3ccd07..00000000
--- a/examples/diffserv/Edge32-ca-u32
+++ /dev/null
@@ -1,198 +0,0 @@ -#! /bin/sh -x -# -# sample script on using the ingress capabilities using u32 classifier -# This script tags tcindex based on metering on the ingress -# interface the result is used for fast classification and re-marking -# on the egress interface -# This is an example of a color aware mode marker with PIR configured -# based on draft-wahjak-mcm-00.txt (section 3.2) -# -# The colors are defined using the Diffserv Fields -#path to various utilities; -#change to reflect yours. -# -IPROUTE=/root/DS-6-beta/iproute2-990530-dsing -TC=$IPROUTE/tc/tc -IP=$IPROUTE/ip/ip -IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains -INDEV=eth2 -EGDEV="dev eth1" -CIR1=1000kbit -CIR2=500kbit -# the PIR is what is in excess of the CIR -PIR1=1000kbit -PIR2=500kbit - -#The CBS is about 60 MTU sized packets -CBS1=90k -CBS2=90k -#the EBS is about 20 max sized packets -EBS1=30k -EBS2=30k - -# The meters: Note that we have shared meters in this case as identified -# by the index parameter -meter1=" police index 1 rate $CIR1 burst $CBS1 " -meter1a=" police index 2 rate $PIR1 burst $EBS1 " -meter2=" police index 3 rate $CIR2 burst $CBS1 " -meter2a=" police index 4 rate $PIR2 burst $EBS1 " -meter3=" police index 5 rate $CIR2 burst $CBS2 " -meter3a=" police index 6 rate $PIR2 burst $EBS2 " -meter4=" police index 7 rate $CIR1 burst $CBS2 " - -############################################################ -# -# install the ingress qdisc on the ingress interface -$TC qdisc add dev $INDEV handle ffff: ingress -############################################################ -# -# All packets are marked with a tcindex value which is used on the egress -# tcindex 1 maps to AF41, 2->AF42, 3->AF43, 4->BE -# -# *********************** AF41 *************************** -#AF41 (DSCP 0x22) from is passed on with a tcindex value 1 -#if it doesn't exceed its CIR/CBS + PIR/EBS -#policer 1 is used. 
-# -$TC filter add dev $INDEV parent ffff: protocol ip prio 1 u32 \ -match ip tos 0x88 0xfc \ -$meter1 \ -continue flowid :1 -$TC filter add dev $INDEV parent ffff: protocol ip prio 2 u32 \ -match ip tos 0x88 0xfc \ -$meter1a \ -continue flowid :1 -# -# if it exceeds the above but not the extra rate/burst below, it gets a -# tcindex value of 2 -# policer 2 is used -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 3 u32 \ -match ip tos 0x88 0xfc \ -$meter2 \ -continue flowid :2 -$TC filter add dev $INDEV parent ffff: protocol ip prio 4 u32 \ -match ip tos 0x88 0xfc \ -$meter2a \ -continue flowid :2 -# -# if it exceeds the above but not the rule below, it gets a tcindex value -# of 3 (policer 3) -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 5 u32 \ -match ip tos 0x88 0xfc \ -$meter3 \ -continue flowid :3 -$TC filter add dev $INDEV parent ffff: protocol ip prio 6 u32 \ -match ip tos 0x88 0xfc \ -$meter3a \ -drop flowid :3 -# -# *********************** AF42 *************************** -#AF42 (DSCP 0x24) from is passed on with a tcindex value 2 -#if it doesn't exceed its CIR/CBS + PIR/EBS -#policer 2 is used. Note that this is shared with the AF41 -# -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 8 u32 \ -match ip tos 0x90 0xfc \ -$meter2 \ -continue flowid :2 -$TC filter add dev $INDEV parent ffff: protocol ip prio 9 u32 \ -match ip tos 0x90 0xfc \ -$meter2a \ -continue flowid :2 -# -# if it exceeds the above but not the rule below, it gets a tcindex value -# of 3 (policer 3) -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 10 u32 \ -match ip tos 0x90 0xfc \ -$meter3 \ -continue flowid :3 -$TC filter add dev $INDEV parent ffff: protocol ip prio 11 u32 \ -match ip tos 0x90 0xfc \ -$meter3a \ -drop flowid :3 - -# -# *********************** AF43 *************************** -# -#AF43 (DSCP 0x26) from is passed on with a tcindex value 3 -#if it doesn't exceed its CIR/CBS + PIR/EBS -#policer 3 is used. 
Note that this is shared with the AF41 and AF42 -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 13 u32 \ -match ip tos 0x98 0xfc \ -$meter3 \ -continue flowid :3 -$TC filter add dev $INDEV parent ffff: protocol ip prio 14 u32 \ -match ip tos 0x98 0xfc \ -$meter3a \ -drop flowid :3 -# -## *********************** BE *************************** -## -## Anything else (not from the AF4*) gets discarded if it -## exceeds 1Mbps and by default goes to BE if it doesn't -## Note that the BE class is also used by the AF4* in the worst -## case -## -$TC filter add dev $INDEV parent ffff: protocol ip prio 16 u32 \ -match ip src 0/0\ -$meter4 \ -drop flowid :4 - -######################## Egress side ######################## - -# attach a dsmarker -# -$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64 -# -# values of the DSCP to change depending on the class -#note that the ECN bits are masked out -# -#AF41 (0x88 is 0x22 shifted to the right by two bits) -# -$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \ - value 0x88 -#AF42 -$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \ - value 0x90 -#AF43 -$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \ - value 0x98 -#BE -$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \ - value 0x0 -# -# -# The class mapping -# -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 1 tcindex classid 1:1 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 2 tcindex classid 1:2 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 3 tcindex classid 1:3 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 4 tcindex classid 1:4 -# - -# -echo "---- qdisc parameters Ingress ----------" -$TC qdisc ls dev $INDEV -echo "---- Class parameters Ingress ----------" -$TC class ls dev $INDEV -echo "---- filter parameters Ingress ----------" -$TC filter ls dev $INDEV parent ffff: - -echo "---- qdisc parameters Egress ----------" -$TC qdisc ls $EGDEV -echo "---- Class parameters Egress 
----------" -$TC class ls $EGDEV -echo "---- filter parameters Egress ----------" -$TC filter ls $EGDEV parent 1:0 -# -#deleting the ingress qdisc -#$TC qdisc del $INDEV ingress diff --git a/examples/diffserv/Edge32-cb-chains b/examples/diffserv/Edge32-cb-chains deleted file mode 100644 index 88ee2cea..00000000 --- a/examples/diffserv/Edge32-cb-chains +++ /dev/null 
@@ -1,144 +0,0 @@ -#! /bin/sh -x -# -# sample script on using the ingress capabilities -# This script fwmark tags(IPchains) based on metering on the ingress -# interface the result is used for fast classification and re-marking -# on the egress interface -# This is an example of a color blind mode marker with no PIR configured -# based on draft-wahjak-mcm-00.txt (section 3.1) -# -#path to various utilities; -#change to reflect yours. -# -IPROUTE=/root/DS-6-beta/iproute2-990530-dsing -TC=$IPROUTE/tc/tc -IP=$IPROUTE/ip/ip -IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains -INDEV=eth2 -EGDEV="dev eth1" -CIR1=1500kbit -CIR2=500kbit - -#The CBS is about 60 MTU sized packets -CBS1=90k -CBS2=90k - -meter1="police rate $CIR1 burst $CBS1 " -meter1a="police rate $CIR2 burst $CBS1 " -meter2="police rate $CIR1 burst $CBS2 " -meter2a="police rate $CIR2 burst $CBS2 " -meter3="police rate $CIR2 burst $CBS1 " -meter3a="police rate $CIR2 burst $CBS1 " -meter4="police rate $CIR2 burst $CBS2 " -meter5="police rate $CIR1 burst $CBS2 " -# -# tag the rest of incoming packets from subnet 10.2.0.0/24 to fw value 1 -# tag all incoming packets from any other subnet to fw tag 2 -############################################################ -$IPCHAINS -A input -i $INDEV -s 0/0 -m 2 -$IPCHAINS -A input -i $INDEV -s 10.2.0.0/24 -m 1 -# -############################################################ -# install the ingress qdisc on the ingress interface -$TC qdisc add dev $INDEV handle ffff: ingress -# -############################################################ - -# All packets are marked with a tcindex value which is used on the egress -# tcindex 1 maps to AF41, 2->AF42, 3->AF43, 4->BE -# -############################################################ -# -# anything with fw tag of 1 is passed on with a tcindex value 1 -#if it doesn't exceed its allocated rate (CIR/CBS) -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 1 handle 1 fw \ -$meter1 \ -continue flowid 4:1 -$TC filter add dev 
$INDEV parent ffff: protocol ip prio 2 handle 1 fw \ -$meter1a \ -continue flowid 4:1 -# -# if it exceeds the above but not the extra rate/burst below, it gets a -#tcindex value of 2 -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 3 handle 1 fw \ -$meter2 \ -continue flowid 4:2 -$TC filter add dev $INDEV parent ffff: protocol ip prio 4 handle 1 fw \ -$meter2a \ -continue flowid 4:2 -# -# if it exceeds the above but not the rule below, it gets a tcindex value -# of 3 -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 5 handle 1 fw \ -$meter3 \ -continue flowid 4:3 -$TC filter add dev $INDEV parent ffff: protocol ip prio 6 handle 1 fw \ -$meter3a \ -drop flowid 4:3 -# -# Anything else (not from the subnet 10.2.0.24/24) gets discarded if it -# exceeds 1Mbps and by default goes to BE if it doesn't -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 7 handle 2 fw \ -$meter5 \ -drop flowid 4:4 - - -######################## Egress side ######################## - - -# attach a dsmarker -# -$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64 -# -# values of the DSCP to change depending on the class -#note that the ECN bits are masked out -# -#AF41 (0x88 is 0x22 shifted to the right by two bits) -# -$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \ - value 0x88 -#AF42 -$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \ - value 0x90 -#AF43 -$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \ - value 0x98 -#BE -$TC class change $EGDEV classid 1:4 dsmark mask 0x3 \ - value 0x0 -# -# -# The class mapping (using tcindex; could easily have -# replaced it with the fw classifier instead) -# -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 1 tcindex classid 1:1 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 2 tcindex classid 1:2 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 3 tcindex classid 1:3 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 4 tcindex classid 1:4 -# - -# -echo 
"---- qdisc parameters Ingress ----------" -$TC qdisc ls dev $INDEV -echo "---- Class parameters Ingress ----------" -$TC class ls dev $INDEV -echo "---- filter parameters Ingress ----------" -$TC filter ls dev $INDEV parent ffff: - -echo "---- qdisc parameters Egress ----------" -$TC qdisc ls $EGDEV -echo "---- Class parameters Egress ----------" -$TC class ls $EGDEV -echo "---- filter parameters Egress ----------" -$TC filter ls $EGDEV parent 1:0 -# -#deleting the ingress qdisc -#$TC qdisc del $INDEV ingress diff --git a/examples/diffserv/Edge32-cb-u32 b/examples/diffserv/Edge32-cb-u32 deleted file mode 100644 index 54494137..00000000 --- a/examples/diffserv/Edge32-cb-u32 +++ /dev/null 
@@ -1,145 +0,0 @@ -#! /bin/sh -# -# sample script on using the ingress capabilities using u32 classifier -# This script tags tcindex based on metering on the ingress -# interface the result is used for fast classification and re-marking -# on the egress interface -# This is an example of a color blind mode marker with PIR configured -# based on draft-wahjak-mcm-00.txt (section 3.2) -# -#path to various utilities; -#change to reflect yours. -# -IPROUTE=/root/DS-6-beta/iproute2-990530-dsing -TC=$IPROUTE/tc/tc -IP=$IPROUTE/ip/ip -INDEV=eth2 -EGDEV="dev eth1" -CIR1=1000kbit -CIR2=1000kbit -# The PIR is the excess (in addition to the CIR i.e if always -# going to the PIR --> average rate is CIR+PIR) -PIR1=1000kbit -PIR2=500kbit - -#The CBS is about 60 MTU sized packets -CBS1=90k -CBS2=90k -#the EBS is about 10 max sized packets -EBS1=15k -EBS2=15k -# The meters -meter1=" police rate $CIR1 burst $CBS1 " -meter1a=" police rate $PIR1 burst $EBS1 " -meter2=" police rate $CIR2 burst $CBS1 " -meter2a="police rate $PIR2 burst $CBS1 " -meter3=" police rate $CIR2 burst $CBS2 " -meter3a=" police rate $PIR2 burst $EBS2 " -meter4=" police rate $CIR1 burst $CBS2 " -meter5=" police rate $CIR1 burst $CBS2 " - - -# install the ingress qdisc on the ingress interface -############################################################ -$TC qdisc add dev $INDEV handle ffff: ingress -############################################################ -# -############################################################ - -# All packets are marked with a tcindex value which is used on the egress -# NOTE: tcindex 1 maps to AF41, 2->AF42, 3->AF43, 4->BE -# -#anything from subnet 10.2.0.2/24 is passed on with a tcindex value 1 -#if it doesn't exceed its CIR/CBS + PIR/EBS -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 1 u32 \ -match ip src 10.2.0.0/24 $meter1 \ -continue flowid :1 -$TC filter add dev $INDEV parent ffff: protocol ip prio 2 u32 \ -match ip src 10.2.0.0/24 $meter1a \ -continue flowid :1 
- -# -# if it exceeds the above but not the extra rate/burst below, it gets a -#tcindex value of 2 -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 3 u32 \ -match ip src 10.2.0.0/24 $meter2 \ -continue flowid :2 -$TC filter add dev $INDEV parent ffff: protocol ip prio 4 u32 \ -match ip src 10.2.0.0/24 $meter2a \ -continue flowid :2 -# -# if it exceeds the above but not the rule below, it gets a tcindex value -# of 3 -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 5 u32 \ -match ip src 10.2.0.0/24 $meter3 \ -continue flowid :3 -$TC filter add dev $INDEV parent ffff: protocol ip prio 6 u32 \ -match ip src 10.2.0.0/24 $meter3a \ -drop flowid :3 -# -# -# Anything else (not from the subnet 10.2.0.24/24) gets discarded if it -# exceeds 1Mbps and by default goes to BE if it doesn't -# -$TC filter add dev $INDEV parent ffff: protocol ip prio 7 u32 \ -match ip src 0/0 $meter5 \ -drop flowid :4 - - -######################## Egress side ######################## - - -# attach a dsmarker -# -$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64 -# -# values of the DSCP to change depending on the class -#note that the ECN bits are masked out -# -#AF41 (0x88 is 0x22 shifted to the right by two bits) -# -$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \ - value 0x88 -#AF42 -$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \ - value 0x90 -#AF43 -$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \ - value 0x98 -#BE -$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \ - value 0x0 -# -# -# The class mapping -# -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 1 tcindex classid 1:1 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 2 tcindex classid 1:2 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 3 tcindex classid 1:3 -$TC filter add $EGDEV parent 1:0 protocol ip prio 1 \ - handle 4 tcindex classid 1:4 -# - -# -echo "---- qdisc parameters Ingress ----------" -$TC qdisc ls dev $INDEV -echo "---- Class 
parameters Ingress ----------" -$TC class ls dev $INDEV -echo "---- filter parameters Ingress ----------" -$TC filter ls dev $INDEV parent ffff: - -echo "---- qdisc parameters Egress ----------" -$TC qdisc ls $EGDEV -echo "---- Class parameters Egress ----------" -$TC class ls $EGDEV -echo "---- filter parameters Egress ----------" -$TC filter ls $EGDEV parent 1:0 -# -#deleting the ingress qdisc -#$TC qdisc del $INDEV ingress diff --git a/examples/diffserv/README b/examples/diffserv/README deleted file mode 100644 index ec91d632..00000000 --- a/examples/diffserv/README +++ /dev/null 
@@ -1,98 +0,0 @@ - -Note all these are mere examples which can be customized to your needs - -AFCBQ ------ -AF PHB built using CBQ, DSMARK,GRED (default in GRIO mode) ,RED for BE -and the tcindex classifier with some algorithmic mapping - -EFCBQ ------ -EF PHB built using CBQ (for rate control and prioritization), -DSMARK( to remark DSCPs), tcindex classifier and RED for the BE -traffic. - -EFPRIO ------- -EF PHB using the PRIO scheduler, Token Bucket to rate control EF, -tcindex classifier, DSMARK to remark, and RED for the BE traffic - -EDGE scripts -============== - -CB-3(1|2)-(u32/chains) -====================== - - -The major differences are that the classifier is u32 on -u32 extension -and IPchains on the chains extension. CB stands for color Blind -and 31 is for the mode where only a CIR and CBS are defined whereas -32 stands for a mode where a CIR/CBS + PIR/EBS are defined. - -Color Blind (CB) -==========-----= -We look at one special subnet that we are interested in for simplicty -reasons to demonstrate the capability. We send the packets from that -subnet to AF4*, BE or end up dropping depending on the metering results. - - -The algorithm overview is as follows: - -*classify: - -**case: subnet X ----------------- - if !exceed meter1 tag as AF41 - else - if !exceed meter2 tag as AF42 - else - if !exceed meter 3 tag as AF43 - else - drop - -default case: Any other subnet -------------------------------- - if !exceed meter 5 tag as AF43 - else - drop - - -One Egress side change the DSCPs of the packets to reflect AF4* and BE -based on the tags from the ingress. 
- -------------------------------------------------------------- - -Color Aware -=========== - -Define some meters with + policing and give them IDs eg - -meter1=police index 1 rate $CIR1 burst $CBS1 -meter2=police index 2 rate $CIR2 burst $CBS2 etc - -General overview: -classify based on the DSCPs and use the policer ids to decide tagging - - -*classify on ingress: - -switch (dscp) { - case AF41: /* tos&0xfc == 0x88 */ - if (!exceed meter1) break; - case AF42: /* tos&0xfc == 0x90 */ - if (!exceed meter2) { - tag as AF42; - break; - } - case AF43: /* tos&0xfc == 0x98 */ - if (!exceed meter3) { - tag as AF43; - break; - } else - drop; - default: - if (!exceed meter4) tag as BE; - else drop; -} - -On the Egress side mark the proper AF tags diff --git a/examples/diffserv/afcbq b/examples/diffserv/afcbq deleted file mode 100644 index 10d6d934..00000000 --- a/examples/diffserv/afcbq +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/usr/bin/perl -# -# -# AF using CBQ for a single interface eth0 -# 4 AF classes using GRED and one BE using RED -# Things you might want to change: -# - the device bandwidth (set at 10Mbits) -# - the bandwidth allocated for each AF class and the BE class -# - the drop probability associated with each AF virtual queue -# -# AF DSCP values used (based on AF draft 04) -# ----------------------------------------- -# AF DSCP values -# AF1 1. 0x0a 2. 0x0c 3. 0x0e -# AF2 1. 0x12 2. 0x14 3. 0x16 -# AF3 1. 0x1a 2. 0x1c 3. 0x1e -# AF4 1. 0x22 2. 0x24 3. 0x26 - -# -# -# A simple DSCP-class relationship formula used to generate -# values in the for loop of this script; $drop stands for the -# DP -# $dscp = ($class*8+$drop*2) -# -# if you use GRIO buffer sharing, then GRED priority is set as follows: -# $gprio=$drop+1; -# - -$TC = "/usr/src/iproute2-current/tc/tc"; -$DEV = "dev lo"; -$DEV = "dev eth1"; -$DEV = "dev eth0"; -# the BE-class number -$beclass = "5"; - -#GRIO buffer sharing on or off? -$GRIO = ""; -$GRIO = "grio"; -# The bandwidth of your device -$linerate="10Mbit"; -# The BE and AF rates -%rate_table=(); -$berate="1500Kbit"; -$rate_table{"AF1rate"}="1500Kbit"; -$rate_table{"AF2rate"}="1500Kbit"; -$rate_table{"AF3rate"}="1500Kbit"; -$rate_table{"AF4rate"}="1500Kbit"; -# -# -# -print "\n# --- General setup ---\n"; -print "$TC qdisc add $DEV handle 1:0 root dsmark indices 64 set_tc_index\n"; -print "$TC filter add $DEV parent 1:0 protocol ip prio 1 tcindex mask 0xfc " . - "shift 2 pass_on\n"; - #"shift 2\n"; -print "$TC qdisc add $DEV parent 1:0 handle 2:0 cbq bandwidth $linerate ". - "cell 8 avpkt 1000 mpu 64\n"; -print "$TC filter add $DEV parent 2:0 protocol ip prio 1 tcindex ". - "mask 0xf0 shift 4 pass_on\n"; -for $class (1..4) { - print "\n# --- AF Class $class specific setup---\n"; - $AFrate=sprintf("AF%drate",$class); - print "$TC class add $DEV parent 2:0 classid 2:$class cbq ". 
- "bandwidth $linerate rate $rate_table{$AFrate} avpkt 1000 prio ". - (6-$class)." bounded allot 1514 weight 1 maxburst 21\n"; - print "$TC filter add $DEV parent 2:0 protocol ip prio 1 handle $class ". - "tcindex classid 2:$class\n"; - print "$TC qdisc add $DEV parent 2:$class gred setup DPs 3 default 2 ". - "$GRIO\n"; -# -# per DP setup -# - for $drop (1..3) { - print "\n# --- AF Class $class DP $drop---\n"; - $dscp = $class*8+$drop*2; - $tcindex = sprintf("1%x%x",$class,$drop); - print "$TC filter add $DEV parent 1:0 protocol ip prio 1 ". - "handle $dscp tcindex classid 1:$tcindex\n"; - $prob = $drop*0.02; - if ($GRIO) { - $gprio = $drop+1; - print "$TC qdisc change $DEV parent 2:$class gred limit 60KB min 15KB ". - "max 45KB burst 20 avpkt 1000 bandwidth $linerate DP $drop ". - "probability $prob ". - "prio $gprio\n"; - } else { - print "$TC qdisc change $DEV parent 2:$class gred limit 60KB min 15KB ". - "max 45KB burst 20 avpkt 1000 bandwidth $linerate DP $drop ". - "probability $prob \n"; - } - } -} -# -# -print "\n#------BE Queue setup------\n"; -print "$TC filter add $DEV parent 1:0 protocol ip prio 2 ". - "handle 0 tcindex mask 0 classid 1:1\n"; -print "$TC class add $DEV parent 2:0 classid 2:$beclass cbq ". - "bandwidth $linerate rate $berate avpkt 1000 prio 6 " . - "bounded allot 1514 weight 1 maxburst 21 \n"; -print "$TC filter add $DEV parent 2:0 protocol ip prio 1 handle 0 tcindex ". - "classid 2:5\n"; -print "$TC qdisc add $DEV parent 2:5 red limit 60KB min 15KB max 45KB ". - "burst 20 avpkt 1000 bandwidth $linerate probability 0.4\n"; diff --git a/examples/diffserv/ef-prio b/examples/diffserv/ef-prio deleted file mode 100644 index 48611bdd..00000000 --- a/examples/diffserv/ef-prio +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/usr/bin/perl -$TC = "/root/DS-6-beta/iproute2-990530-dsing/tc/tc"; -$DEV = "dev eth1"; -$efrate="1.5Mbit"; -$MTU="1.5kB"; -print "$TC qdisc add $DEV handle 1:0 root dsmark indices 64 set_tc_index\n"; -print "$TC filter add $DEV parent 1:0 protocol ip prio 1 tcindex ". - "mask 0xfc shift 2\n"; -print "$TC qdisc add $DEV parent 1:0 handle 2:0 prio\n"; -# -# EF class: Maximum about one MTU sized packet allowed on the queue -# -print "$TC qdisc add $DEV parent 2:1 tbf rate $efrate burst $MTU limit 1.6kB\n"; -print "$TC filter add $DEV parent 2:0 protocol ip prio 1 ". - "handle 0x2e tcindex classid 2:1 pass_on\n"; -# -# BE class -# -print "#BE class(2:2) \n"; -print "$TC qdisc add $DEV parent 2:2 red limit 60KB ". - "min 15KB max 45KB burst 20 avpkt 1000 bandwidth 10Mbit ". - "probability 0.4\n"; -# -print "$TC filter add $DEV parent 2:0 protocol ip prio 2 ". - "handle 0 tcindex mask 0 classid 2:2 pass_on\n"; diff --git a/examples/diffserv/efcbq b/examples/diffserv/efcbq deleted file mode 100644 index bcc437b3..00000000 --- a/examples/diffserv/efcbq +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/usr/bin/perl -# -$TC = "/root/DS-6-beta/iproute2-990530-dsing/tc/tc"; -$DEV = "dev eth1"; -print "$TC qdisc add $DEV handle 1:0 root dsmark indices 64 set_tc_index\n"; -print "$TC filter add $DEV parent 1:0 protocol ip prio 1 tcindex ". - "mask 0xfc shift 2\n"; -print "$TC qdisc add $DEV parent 1:0 handle 2:0 cbq bandwidth ". - "10Mbit cell 8 avpkt 1000 mpu 64\n"; -# -# EF class -# -print "$TC class add $DEV parent 2:0 classid 2:1 cbq bandwidth ". - "10Mbit rate 1500Kbit avpkt 1000 prio 1 bounded isolated ". - "allot 1514 weight 1 maxburst 10 \n"; -# packet fifo for EF? -print "$TC qdisc add $DEV parent 2:1 pfifo limit 5\n"; -print "$TC filter add $DEV parent 2:0 protocol ip prio 1 ". - "handle 0x2e tcindex classid 2:1 pass_on\n"; -# -# BE class -# -print "#BE class(2:2) \n"; -print "$TC class add $DEV parent 2:0 classid 2:2 cbq bandwidth ". - "10Mbit rate 5Mbit avpkt 1000 prio 7 allot 1514 weight 1 ". - "maxburst 21 borrow split 2:0 defmap 0xffff \n"; -print "$TC qdisc add $DEV parent 2:2 red limit 60KB ". - "min 15KB max 45KB burst 20 avpkt 1000 bandwidth 10Mbit ". - "probability 0.4\n"; -print "$TC filter add $DEV parent 2:0 protocol ip prio 2 ". - "handle 0 tcindex mask 0 classid 2:2 pass_on\n"; diff --git a/examples/diffserv/regression-testing b/examples/diffserv/regression-testing deleted file mode 100644 index d50f4c8a..00000000 --- a/examples/diffserv/regression-testing +++ /dev/null 
@@ -1,125 +0,0 @@ - -These were the tests done to validate the Diffserv scripts. -This document will be updated continuously. If you do more -thorough validation testing please post the details to the -diffserv mailing list. -Nevertheless, these tests should serve for basic validation. - -AFCBQ, EFCBQ, EFPRIO ----------------------- - -generate all possible DSCPs and observe that they -get sent to the proper classes. In the case of AF also -to the correct Virtual Queues. - -Edge1 ------ -generate TOS values 0x0,0x10,0xbb each with IP addresses -10.2.0.24 (mark 1), 10.2.0.3 (mark2) and 10.2.0.30 (mark 3) -and observe that they get marked as expected. - -Edge2 ------ - --Repeat the tests in Edge1 --ftp with data direction from 10.2.0.2 - *observe that the metering/policing works correctly (and the marking - as well). In this case the mark used will be 3 - -Edge31-cb-chains ----------------- - --ftp with data direction from 10.2.0.2 - - *observe that the metering/policing works correctly (and the marking - as well). In this case the mark used will be 1. - - Metering: The data throughput should not exceed 2*CIR1 + 2*CIR2 - which is roughly: 5mbps - - Marking: the should be a variation of marked packets: - AF41(TOS=0x88) AF42(0x90) AF43(0x98) and BE (0x0) - -More tests required to see the interaction of several sources (other -than subnet 10.2.0.0/24). 
- -Edge31-ca-u32 --------------- - -Generate data using modified tcpblast from 10.2.0.2 (behind eth2) to the -discard port of 10.1.0.2 (behind eth1) - -1) generate with src tos = 0x88 - Metering: Allocated throughput should not exceed 2*CIR1 + 2*CIR2 - approximately 5mbps - Marking: Should vary between 0x88,0x90,0x98 and 0x0 - -2) generate with src tos = 0x90 - Metering: Allocated throughput should not exceed CIR1 + 2*CIR2 - approximately 3.5mbps - Marking: Should vary between 0x90,0x98 and 0x0 - -3) generate with src tos = 0x98 - Metering: Allocated throughput should not exceed CIR1 + CIR2 - approximately 2.5mbps - Marking: Should vary between 0x98 and 0x0 - -4) generate with src tos any other than the above - Metering: Allocated throughput should not exceed CIR1 - approximately 1.5mbps - Marking: Should be consistent at 0x0 - -TODO: Testing on how each color shares when all 4 types of packets -are going through the edge device - -Edge32-cb-u32, Edge32-cb-chains -------------------------------- - --ftp with data direction from 10.2.0.2 - - *observe that the metering/policing works correctly (and the marking - as well). - - Metering: - The data throughput should not exceed 2*CIR1 + 2*CIR2 - + 2*PIR2 + PIR1 for u32 which is roughly: 6mbps - The data throughput should not exceed 2*CIR1 + 5*CIR2 - for chains which is roughly: 6mbps - - Marking: the should be a variation of marked packets: - AF41(TOS=0x88) AF42(0x90) AF43(0x98) and BE (0x0) - -TODO: --More tests required to see the interaction of several sources (other -than subnet 10.2.0.0/24). --More tests needed to capture stats on how many times the CIR was exceeded -but the data was not remarked etc. 
- -Edge32-ca-u32 --------------- - -Generate data using modified tcpblast from 10.2.0.2 (behind eth2) to the -discard port of 10.1.0.2 (behind eth1) - -1) generate with src tos = 0x88 - Metering: Allocated throughput should not exceed 2*CIR1 + 2*CIR2 - +PIR1 -- approximately 4mbps - Marking: Should vary between 0x88,0x90,0x98 and 0x0 - -2) generate with src tos = 0x90 - Metering: Allocated throughput should not exceed CIR1 + 2*CIR2 - + 2* PIR2 approximately 3mbps - Marking: Should vary between 0x90,0x98 and 0x0 - -3) generate with src tos = 0x98 - Metering: Allocated throughput should not exceed PIR1+ CIR1 + CIR2 - approximately 2.5mbps - Marking: Should vary between 0x98 and 0x0 - -4) generate with src tos any other than the above - Metering: Allocated throughput should not exceed CIR1 - approximately 1mbps - Marking: Should be consistent at 0x0 - -TODO: Testing on how each color shares when all 4 types of packets -are going through the edge device From b7f28e0bd92eae7f03afc7f13ac19b5e64902ef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=81yszczek?= Date: Tue, 22 Oct 2019 22:09:23 +0200 Subject: [PATCH 04/11] ipnetns: do not check netns NAME when -all is specified MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When `-all' argument is specified netns runs cmd on all namespaces and NAME is not used, but netns nevertheless checks if argv[1] is a valid namespace name ignoring the fact that argv[1] contains cmd and not NAME. This results in bug where user cannot specify absolute path to command. # ip -all netns exec /usr/bin/whoami Invalid netns name "/usr/bin/whoami" This forces user to have his command in PATH. Solution is simply to not validate argv[1] when `-all' argument is specified. Signed-off-by: Michał Łyszczek Signed-off-by: Stephen Hemminger --- ip/ipnetns.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ip/ipnetns.c b/ip/ipnetns.c index 20110ef0..fc58a04b 100644 --- a/ip/ipnetns.c 
+++ b/ip/ipnetns.c @@ -994,7 +994,7 @@ int do_netns(int argc, char **argv) return netns_list(0, NULL); } - if (argc > 1 && invalid_name(argv[1])) { + if (!do_all && argc > 1 && invalid_name(argv[1])) { fprintf(stderr, "Invalid netns name \"%s\"\n", argv[1]); exit(-1); } From e15011b5e5c06d52a89aa8624b352c0666db31b6 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 23 Oct 2019 10:19:45 -0700 Subject: [PATCH 05/11] remove out of date README The original old README refers to stuff from the pre 2.6 era including cbz. Just kill it. Signed-off-by: Stephen Hemminger --- README.iproute2+tc | 123 --------------------------------------------- 1 file changed, 123 deletions(-) delete mode 100644 README.iproute2+tc diff --git a/README.iproute2+tc b/README.iproute2+tc deleted file mode 100644 index e7bb48ce..00000000 --- a/README.iproute2+tc +++ /dev/null 
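Review bot: The added `!do_all &&` in do_netns switches off name validation for every `ip netns` subcommand, not only for `exec`, where argv[1] is the command rather than a NAME. If a subcommand that takes a NAME (add, set, attach and similar) can be reached with `-all` set, its argv[1] would now skip `invalid_name()`, and that name is presumably later joined into a path under the netns run directory; the dispatch is outside this hunk, so this needs confirming. I would limit the bypass to the subcommand that actually receives a command, e.g. `if (argc > 1 && !(do_all && strcmp(argv[0], "exec") == 0) && invalid_name(argv[1])) {`, using the same subcommand match as the dispatcher below so abbreviations behave the same. Alternatively, move the check into each NAME-consuming handler. do_netns's body starts and ends outside the hunk.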
@@ -1,123 +0,0 @@ -iproute2+tc* - -It's the first release of Linux traffic control engine. - - -NOTES. -* csz scheduler is inoperational at the moment, and probably - never will be repaired but replaced with h-pfq scheduler. -* To use "fw" classifier you will need ipfwchains patch. -* No manual available. Ask me, if you have problems (only try to guess - answer yourself at first 8)). - - -Micro-manual how to start it the first time -------------------------------------------- - -A. Attach CBQ to eth1: - -tc qdisc add dev eth1 root handle 1: cbq bandwidth 10Mbit allot 1514 cell 8 \ -avpkt 1000 mpu 64 - -B. Add root class: - -tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate 10Mbit \ -allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20 avpkt 1000 - -C. Add default interactive class: - -tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate 1Mbit \ -allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20 avpkt 1000 split 1:0 \ -defmap c0 - -D. Add default class: - -tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 10Mbit rate 8Mbit \ -allot 1514 cell 8 weight 800Kbit prio 7 maxburst 20 avpkt 1000 split 1:0 \ -defmap 3f - -etc. etc. etc. Well, it is enough to start 8) The rest can be guessed 8) -Look also at more elaborated example, ready to start rsvpd, -in rsvp/cbqinit.eth1. - - -Terminology and advices about setting CBQ parameters may be found in Sally Floyd -papers. - - -Pairs X:Y are class handles, X:0 are qdisc handles. -weight should be proportional to rate for leaf classes -(I repeated it ten times less, but it is not necessary) - -defmap is bitmap of logical priorities served by this class. - -E. Another qdiscs are simpler. F.e. let's join TBF on class 1:2 - -tc qdisc add dev eth1 parent 1:2 tbf rate 64Kbit buffer 5Kb/8 limit 10Kb - -F. Look at all that we created: - -tc qdisc ls dev eth1 -tc class ls dev eth1 - -G. 
Install "route" classifier on root of cbq and map destination from realm -1 to class 1:2 - -tc filter add dev eth1 parent 1:0 protocol ip prio 100 route to 1 classid 1:2 - -H. Assign routes to 10.11.12.0/24 to realm 1 - -ip route add 10.11.12.0/24 dev eth1 via whatever realm 1 - -etc. The same thing can be made with rules. -I still did not test ipchains, but they should work too. - - -Setup and code example of BPF classifier and action can be found under -examples/bpf/, which should explain everything for getting started. - - -Setup of rsvp and u32 classifiers is more hairy. -If you read RSVP specs, you will understand how rsvp classifier -works easily. What's about u32... That's example: - - -#! /bin/sh - -TC=/home/root/tc - -# Setup classifier root on eth1 root (it is cbq) -$TC filter add dev eth1 parent 1:0 prio 5 protocol ip u32 - -# Create hash table of 256 slots with ID 1: -$TC filter add dev eth1 parent 1:0 prio 5 handle 1: u32 divisor 256 - -# Add to 6th slot of hash table rule to select tcp/telnet to 193.233.7.75 -# direct it to class 1:4 and prescribe to fall to best effort, -# if traffic violate TBF (32kbit,5K) -$TC filter add dev eth1 parent 1:0 prio 5 u32 ht 1:6: \ - match ip dst 193.233.7.75 \ - match tcp dst 0x17 0xffff \ - flowid 1:4 \ - police rate 32kbit buffer 5kb/8 mpu 64 mtu 1514 index 1 - -# Add to 1th slot of hash table rule to select icmp to 193.233.7.75 -# direct it to class 1:4 and prescribe to fall to best effort, -# if traffic violate TBF (10kbit,5K) -$TC filter add dev eth1 parent 1:0 prio 5 u32 ht 1:: \ - sample ip protocol 1 0xff \ - match ip dst 193.233.7.75 \ - flowid 1:4 \ - police rate 10kbit buffer 5kb/8 mpu 64 mtu 1514 index 2 - -# Lookup hash table, if it is not fragmented frame -# Use protocol as hash key -$TC filter add dev eth1 parent 1:0 prio 5 handle ::1 u32 ht 800:: \ - match ip nofrag \ - offset mask 0x0F00 shift 6 \ - hashkey mask 0x00ff0000 at 8 \ - link 1: - - -Alexey Kuznetsov -kuznet@ms2.inr.ac.ru 
From 085ab19bc38e7112f6d5e03c59ba49894bac28f0 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 23 Oct 2019 10:21:06 -0700 Subject: [PATCH 06/11] don't install examples No longer relevant --- Makefile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Makefile b/Makefile index a3cc88f1..0b79b1f1 100644 --- a/Makefile +++ b/Makefile @@ -86,12 +86,6 @@ install: all install -m 0755 -d $(DESTDIR)$(CONFDIR) install -m 0755 -d $(DESTDIR)$(ARPDDIR) install -m 0755 -d $(DESTDIR)$(HDRDIR) - install -m 0755 -d $(DESTDIR)$(DOCDIR)/examples - install -m 0755 -d $(DESTDIR)$(DOCDIR)/examples/diffserv - install -m 0644 README.iproute2+tc $(shell find examples -maxdepth 1 -type f) \ - $(DESTDIR)$(DOCDIR)/examples - install -m 0644 $(shell find examples/diffserv -maxdepth 1 -type f) \ - $(DESTDIR)$(DOCDIR)/examples/diffserv @for i in $(SUBDIRS); do $(MAKE) -C $$i install; done install -m 0644 $(shell find etc/iproute2 -maxdepth 1 -type f) $(DESTDIR)$(CONFDIR) install -m 0755 -d $(DESTDIR)$(BASH_COMPDIR) From 6749801b062c7f97fcf2ccebd592579b2a07efc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=81yszczek?= Date: Thu, 24 Oct 2019 23:20:43 +0200 Subject: [PATCH 07/11] rdma/sys.c: fix possible out-of-bound array access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit netns_modes_str[] array has 2 elements, when netns_mode is 2, condition (2 <= 2) will be true and `mode_str = netns_modes_str[2]' will be executed, which will result in out-of-bound read. Signed-off-by: Michał Łyszczek Signed-off-by: Stephen Hemminger --- rdma/sys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rdma/sys.c b/rdma/sys.c index cef39081..1a434a25 100644 --- a/rdma/sys.c +++ b/rdma/sys.c 
@@ -31,7 +31,7 @@ static int sys_show_parse_cb(const struct nlmsghdr *nlh, void *data) netns_mode = mnl_attr_get_u8(tb[RDMA_NLDEV_SYS_ATTR_NETNS_MODE]); - if (netns_mode <= ARRAY_SIZE(netns_modes_str)) + if (netns_mode < ARRAY_SIZE(netns_modes_str)) mode_str = netns_modes_str[netns_mode]; else mode_str = "unknown"; From 4f73cd7f0d5d460af8cd39551350bae3bb244310 Mon Sep 17 00:00:00 2001 From: Julien Fortin Date: Thu, 26 Sep 2019 17:29:34 +0200 Subject: [PATCH 08/11] ip: fix ip route show json output for multipath nexthops print_rta_multipath doesn't support JSON output: { "dst":"27.0.0.13", "protocol":"bgp", "metric":20, "flags":[], "gateway":"169.254.0.1"dev uplink-1 weight 1 , "flags":["onlink"], "gateway":"169.254.0.1"dev uplink-2 weight 1 , "flags":["onlink"] }, since RTA_MULTIPATH has nested objects we should print them in a json array. With the path we have the following output: { "flags": [], "dst": "36.0.0.13", "protocol": "bgp", "metric": 20, "nexthops": [ { "weight": 1, "flags": [ "onlink" ], "gateway": "169.254.0.1", "dev": "uplink-1" }, { "weight": 1, "flags": [ "onlink" ], "gateway": "169.254.0.1", "dev": "uplink-2" } ] } Fixes: 663c3cb23103f4 ("iproute: implement JSON and color output") Signed-off-by: Julien Fortin Signed-off-by: David Ahern --- ip/iproute.c | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/ip/iproute.c b/ip/iproute.c index a4533851..32bb52df 100644 --- a/ip/iproute.c +++ b/ip/iproute.c 
@@ -649,24 +649,26 @@ static void print_rta_multipath(FILE *fp, const struct rtmsg *r, int len = RTA_PAYLOAD(rta); int first = 1; + open_json_array(PRINT_JSON, "nexthops"); + while (len >= sizeof(*nh)) { struct rtattr *tb[RTA_MAX + 1]; if (nh->rtnh_len > len) break; - if (!is_json_context()) { - if ((r->rtm_flags & RTM_F_CLONED) && - r->rtm_type == RTN_MULTICAST) { - if (first) { - fprintf(fp, "Oifs: "); - first = 0; - } else { - fprintf(fp, " "); - } - } else - fprintf(fp, "%s\tnexthop ", _SL_); - } + open_json_object(NULL); + + if ((r->rtm_flags & RTM_F_CLONED) && + r->rtm_type == RTN_MULTICAST) { + if (first) { + print_string(PRINT_FP, NULL, "Oifs: ", NULL); + first = 0; + } else { + print_string(PRINT_FP, NULL, " ", NULL); + } + } else + print_string(PRINT_FP, NULL, "%s\tnexthop ", _SL_); if (nh->rtnh_len > sizeof(*nh)) { parse_rtattr(tb, RTA_MAX, RTNH_DATA(nh), @@ -689,22 +691,30 @@ static void print_rta_multipath(FILE *fp, const struct rtmsg *r, if ((r->rtm_flags & RTM_F_CLONED) && r->rtm_type == RTN_MULTICAST) { - fprintf(fp, "%s", ll_index_to_name(nh->rtnh_ifindex)); + print_string(PRINT_ANY, "dev", + "%s", ll_index_to_name(nh->rtnh_ifindex)); + if (nh->rtnh_hops != 1) - fprintf(fp, "(ttl>%d)", nh->rtnh_hops); - fprintf(fp, " "); + print_int(PRINT_ANY, "ttl", "(ttl>%d)", nh->rtnh_hops); + + print_string(PRINT_FP, NULL, " ", NULL); } else { - fprintf(fp, "dev %s ", ll_index_to_name(nh->rtnh_ifindex)); + print_string(PRINT_ANY, "dev", + "dev %s ", ll_index_to_name(nh->rtnh_ifindex)); + if (r->rtm_family != AF_MPLS) - fprintf(fp, "weight %d ", - nh->rtnh_hops+1); + print_int(PRINT_ANY, "weight", + "weight %d ", nh->rtnh_hops + 1); } print_rt_flags(fp, nh->rtnh_flags); len -= NLMSG_ALIGN(nh->rtnh_len); nh = RTNH_NEXT(nh); + + close_json_object(); } + close_json_array(PRINT_JSON, NULL); } int print_route(struct nlmsghdr *n, void *arg) From cb83101626316aed1cb68931ffc4d27e1b56c503 Mon Sep 17 00:00:00 2001 
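Review bot: The loop guard kept in the first hunk rejects only `nh->rtnh_len > len`, so a nexthop whose `rtnh_len` is below `sizeof(*nh)` is still processed. With a zero length, `len -= NLMSG_ALIGN(nh->rtnh_len)` and `RTNH_NEXT(nh)` at the end of the loop (second hunk) make no progress. After this change each such iteration also opens a JSON object, so a malformed attribute would never terminate the array. Suggest `if (nh->rtnh_len < sizeof(*nh) || nh->rtnh_len > len) break;`. print_rta_multipath starts before the hunk.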
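Review bot: The converted calls in both hunks of print_rta_multipath go through `print_string()`/`print_int()`, while the function still takes `FILE *fp` and hands it to `print_rt_flags(fp, nh->rtnh_flags)`. As far as I know the print_* helpers write to stdout rather than to a caller-supplied stream, so the output is coherent only when fp is stdout. A comment at the top of the function, for example `/* print_*() helpers write to stdout; fp is expected to be stdout */`, would make that assumption explicit for the next caller.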
From: Vlad Buslov Date: Tue, 29 Oct 2019 19:53:46 +0200 Subject: [PATCH 09/11] tc: remove duplicated NEXT_ARG_FWD() in parse_ct() Function parse_ct() manually calls NEXT_ARG_FWD() after parse_action_control_dflt(). This is redundant because parse_action_control_dflt() modifies argc and argv itself. Moreover, such implementation parses out any following actions option. For example, adding action ct with cookie errors: $ sudo tc actions add action ct cookie 111111111111 Bad action type 111111111111 Usage: ... gact [RAND] [INDEX] Where: ACTION := reclassify | drop | continue | pass | pipe | goto chain | jump RAND := random RANDTYPE := netrand | determ VAL : = value not exceeding 10000 JUMP_COUNT := Absolute jump from start of action list INDEX := index value used With fix: $ sudo tc actions add action ct cookie 111111111111 $ sudo tc actions list action ct total acts 1 action order 0: ct zone 0 pipe index 1 ref 1 bind 0 cookie 111111111111 Fixes: c8a494314c40 ("tc: Introduce tc ct action") Signed-off-by: Vlad Buslov Acked-by: Marcelo Ricardo Leitner Signed-off-by: Stephen Hemminger --- tc/m_ct.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tc/m_ct.c b/tc/m_ct.c index 8589cb9a..d79eb5e3 100644 --- a/tc/m_ct.c +++ b/tc/m_ct.c @@ -316,7 +316,6 @@ parse_ct(struct action_util *a, int *argc_p, char ***argv_p, int tca_id, parse_action_control_dflt(&argc, &argv, &sel.action, false, TC_ACT_PIPE); - NEXT_ARG_FWD(); addattr16(n, MAX_MSG, TCA_CT_ACTION, ct_action); addattr_l(n, MAX_MSG, TCA_CT_PARMS, &sel, sizeof(sel)); From eca51239480dfc154a07c496774bf7e7f4fb3d30 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20=C5=81yszczek?= Date: Tue, 29 Oct 2019 12:13:11 +0100 Subject: [PATCH 10/11] libnetlink.c, ss.c: properly handle fread() errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fread(3) returns size_t data type which is unsigned, thus check `if (fread(...) < 0)' is always false. To check if fread(3) has failed, user should check error indicator with ferror(3). This commit also changes read logic a little bit by being less forgiving for errors. Previous logic was checking if fread(3) read *at least* required ammount of data, now code checks if fread(3) read *exactly* expected ammount of data. This makes sense because code parses very specific binary file, and reading even 1 less/more byte than expected, will later corrupt data anyway. Signed-off-by: Michał Łyszczek Signed-off-by: Stephen Hemminger --- lib/libnetlink.c | 26 +++++++++++++------------- misc/ss.c | 26 +++++++++++++------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 6ce8b199..e02d6294 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -1174,7 +1174,7 @@ int rtnl_listen(struct rtnl_handle *rtnl, int rtnl_from_file(FILE *rtnl, rtnl_listen_filter_t handler, void *jarg) { - int status; + size_t status; char buf[16384]; struct nlmsghdr *h = (struct nlmsghdr *)buf; @@ -1184,14 +1184,15 @@ int rtnl_from_file(FILE *rtnl, rtnl_listen_filter_t handler, status = fread(&buf, 1, sizeof(*h), rtnl); - if (status < 0) { - if (errno == EINTR) - continue; - perror("rtnl_from_file: fread"); + if (status == 0 && feof(rtnl)) + return 0; + if (status != sizeof(*h)) { + if (ferror(rtnl)) + perror("rtnl_from_file: fread"); + if (feof(rtnl)) + fprintf(stderr, "rtnl-from_file: truncated message\n"); return -1; } - if (status == 0) - return 0; len = h->nlmsg_len; l = len - sizeof(*h); 
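Review bot: The truncated-message diagnostic added in the header-read branch is prefixed `rtnl-from_file:` while the perror() two lines above it uses `rtnl_from_file:`; the same pair appears again in the next hunk of this file. Using one spelling, `fprintf(stderr, "rtnl_from_file: truncated message\n");`, keeps both errors searchable under the function name. The read loop of rtnl_from_file begins and ends outside the hunk.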
@@ -1204,12 +1205,11 @@ int rtnl_from_file(FILE *rtnl, rtnl_listen_filter_t handler, status = fread(NLMSG_DATA(h), 1, NLMSG_ALIGN(l), rtnl); - if (status < 0) { - perror("rtnl_from_file: fread"); - return -1; - } - if (status < l) { - fprintf(stderr, "rtnl-from_file: truncated message\n"); + if (status != NLMSG_ALIGN(l)) { + if (ferror(rtnl)) + perror("rtnl_from_file: fread"); + if (feof(rtnl)) + fprintf(stderr, "rtnl-from_file: truncated message\n"); return -1; } diff --git a/misc/ss.c b/misc/ss.c index 363b4c8d..efa87781 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -3329,28 +3329,28 @@ static int tcp_show_netlink_file(struct filter *f) } while (1) { - int status, err2; + int err2; + size_t status, nitems; struct nlmsghdr *h = (struct nlmsghdr *)buf; struct sockstat s = {}; status = fread(buf, 1, sizeof(*h), fp); - if (status < 0) { - perror("Reading header from $TCPDIAG_FILE"); - break; - } if (status != sizeof(*h)) { - perror("Unexpected EOF reading $TCPDIAG_FILE"); + if (ferror(fp)) + perror("Reading header from $TCPDIAG_FILE"); + if (feof(fp)) + fprintf(stderr, "Unexpected EOF reading $TCPDIAG_FILE"); break; } - status = fread(h+1, 1, NLMSG_ALIGN(h->nlmsg_len-sizeof(*h)), fp); + nitems = NLMSG_ALIGN(h->nlmsg_len - sizeof(*h)); + status = fread(h+1, 1, nitems, fp); - if (status < 0) { - perror("Reading $TCPDIAG_FILE"); - break; - } - if (status + sizeof(*h) < h->nlmsg_len) { - perror("Unexpected EOF reading $TCPDIAG_FILE"); + if (status != nitems) { + if (ferror(fp)) + perror("Reading $TCPDIAG_FILE"); + if (feof(fp)) + fprintf(stderr, "Unexpected EOF reading $TCPDIAG_FILE"); break; } From 0932814458eb386644c1248e5aabf8303c38d7bb Mon Sep 17 00:00:00 2001 
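Review bot: In the misc/ss.c hunk, `nitems` is computed from `h->nlmsg_len` directly after the header read, with no range check between the two fread() calls. A header length below `sizeof(*h)` wraps the subtraction, and one above the size of `buf` lets the second fread() write past the buffer. A guard before the computation closes this, e.g. `if (h->nlmsg_len < sizeof(*h) || NLMSG_ALIGN(h->nlmsg_len) > sizeof(buf)) break;`, assuming `buf` (declared outside the hunk) is a fixed-size array; it should print its own message to stderr. The two new `fprintf(stderr, "Unexpected EOF reading $TCPDIAG_FILE")` calls also lack the trailing `\n` that perror() used to supply.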
From: Jakub Kicinski Date: Tue, 5 Nov 2019 13:13:36 -0800 Subject: [PATCH 11/11] devlink: require resource parameters If devlink resource set parameters are not provided it crashes: $ devlink resource set netdevsim/netdevsim0 Segmentation fault (core dumped) This is because even though DL_OPT_RESOURCE_PATH and DL_OPT_RESOURCE_SIZE are passed as o_required, the validation table doesn't contain a relevant string. Fixes: 8cd644095842 ("devlink: Add support for devlink resource abstraction") Signed-off-by: Jakub Kicinski Acked-by: Jiri Pirko Signed-off-by: Stephen Hemminger --- devlink/devlink.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/devlink/devlink.c b/devlink/devlink.c
index 5bbe0bdd..056ac95e 100644
--- a/devlink/devlink.c
+++ b/devlink/devlink.c
@@ -1121,6 +1121,8 @@ static const struct dl_args_metadata dl_args_required[] = {
 {DL_OPT_DPIPE_TABLE_NAME, "Dpipe table name expected."},
 {DL_OPT_DPIPE_TABLE_COUNTERS, "Dpipe table counter state expected."},
 {DL_OPT_ESWITCH_ENCAP_MODE, "E-Switch encapsulation option expected."},
+ {DL_OPT_RESOURCE_PATH, "Resource path expected."},
+ {DL_OPT_RESOURCE_SIZE, "Resource size expected."},
 {DL_OPT_PARAM_NAME, "Parameter name expected."},
 {DL_OPT_PARAM_VALUE, "Value to set expected."},
 {DL_OPT_PARAM_CMODE, "Configuration mode expected."},
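Review bot: The two new rows fix these options, but the underlying hazard stays: per the description, an option passed as o_required that has no row in `dl_args_required` is not reported as missing and the command crashes later. The code that consumes this table is outside the hunk; if it simply skips flags it has no row for, it should instead fail with a generic "required option missing" error, so the next option added without an entry fails cleanly. A comment above the table, `/* every DL_OPT_* that can be passed as o_required needs an entry here */`, would document the coupling. The table begins before and continues after the hunk.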