From 003f0fde6959b0f759fd1cc27201eb367753443e Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 8 Sep 2016 12:33:03 +0200 Subject: [PATCH 1/4] iproute: fix documentation for ip rule scan order Looks like the real issue is missing definition of priority. --- man/man8/ip-rule.8 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8 index 3508d809..13fe9f7f 100644 --- a/man/man8/ip-rule.8 +++ b/man/man8/ip-rule.8 @@ -93,7 +93,7 @@ Each policy routing rule consists of a .B selector and an .B action predicate. -The RPDB is scanned in order of increasing priority. The selector +The RPDB is scanned in order of decreasing priority. The selector of each rule is applied to {source address, destination address, incoming interface, tos, fwmark} and, if the selector matches the packet, the action is performed. The action predicate may return with success. @@ -221,8 +221,10 @@ value to match. .TP .BI priority " PREFERENCE" -the priority of this rule. Each rule should have an explicitly -set +the priority of this rule. +.I PREFERENCE +is an unsigned integer value, higher number means lower priority. Each rule +should have an explicitly set .I unique priority value. The options preference and order are synonyms with priority. From 087dec7fcfb18fc4e8a0ec68c9c0a84cb9f03e69 Mon Sep 17 00:00:00 2001 From: Davide Caratti Date: Fri, 16 Sep 2016 10:30:00 +0200 Subject: [PATCH 2/4] tc: don't accept qdisc 'handle' greater than ffff since get_qdisc_handle() truncates the input value to 16 bit, return an error and prompt "invalid qdisc ID" in case input 'handle' parameter needs more than 16 bit to be stored. Signed-off-by: Davide Caratti Acked-by: Phil Sutter --- tc/tc_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tc/tc_util.c b/tc/tc_util.c index 15e49b7b..24ca1f1c 100644 --- a/tc/tc_util.c +++ b/tc/tc_util.c 
@@ -82,7 +82,7 @@ int get_qdisc_handle(__u32 *h, const char *str)
 if (strcmp(str, "none") == 0)
 goto ok;
 maj = strtoul(str, &p, 16);
- if (p == str)
+ if (p == str || maj >= (1 << 16))
 return -1;
 maj <<= 16;
 if (*p != ':' && *p != 0)
From e2cfe5501f99ed17e883a02c6fe81b7f9ab6f2d7 Mon Sep 17 00:00:00 2001
From: Jiri Benc
Date: Mon, 5 Sep 2016 11:35:28 +0200
Subject: [PATCH 3/4] vxlan: group address requires net device

This is now enforced in the kernel, check also in iproute to get a better error message.

Signed-off-by: Jiri Benc
---
 ip/iplink_vxlan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ip/iplink_vxlan.c b/ip/iplink_vxlan.c
index 7ba68bc1..bff583a7 100644
--- a/ip/iplink_vxlan.c
+++ b/ip/iplink_vxlan.c
@@ -266,6 +266,11 @@ static int vxlan_parse_opt(struct link_util *lu, int argc, char **argv,
 return -1;
 }
+ if ((gaddr || !IN6_IS_ADDR_UNSPECIFIED(&gaddr6)) && !link) {
+ fprintf(stderr, "vxlan: 'group' requires 'dev' to be specified\n");
+ return -1;
+ }
+
 if (!dst_port_set && gpe) {
 dstport = 4790;
 } else if (!dst_port_set) {
From f20f5f79909fdc6327fcd015a3850645a236729d Mon Sep 17 00:00:00 2001
From: Davide Caratti
Date: Fri, 9 Sep 2016 16:02:22 +0200
Subject: [PATCH 4/4] macsec: fix input range of 'icvlen' parameter

the maximum possible ICV length in a MACsec frame is 16 octects, not 32: fix get_icvlen() accordingly, so that a proper error message is displayed in case input 'icvlen' is greater than 16.

Signed-off-by: Davide Caratti
Acked-by: Phil Sutter
Acked-by: Sabrina Dubroca
---
 ip/ipmacsec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 2e670e9e..127fa1e3 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
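Review bot: In get_qdisc_handle() the new bound `maj >= (1 << 16)` is evaluated only after the strtoul() result has been stored in `maj`, so any narrowing in that assignment happens before the range test. The declaration of `maj` is outside the hunk; if it is a 32-bit `__u32`, then on a platform with 64-bit `unsigned long` an input wider than 32 bits loses its upper bits first and the remainder can still pass the check. Testing the full-width value closes that gap: keep the result in a local `unsigned long v = strtoul(str, &p, 16);`, reject with `if (p == str || v > 0xffff)`, and only then assign `maj = v;`. The function begins and ends outside the hunk, so the handling of the minor part after `:` is not reviewed here.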
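Review bot: The added `group`/`dev` check in vxlan_parse_opt() carries no comment explaining why user space repeats a rule that the commit message says the kernel already enforces, so a later reader cannot tell that the kernel remains the enforcement point and this test exists only for the error text. I would put above the `if`: `/* The kernel rejects a group address without a lower device; checked here only to give a clearer message. */`. The condition reads `gaddr`, `gaddr6` and `link`, all assigned outside the hunk, so it should be confirmed there that `link == 0` always means no `dev` was given. vxlan_parse_opt() starts and ends outside the hunk.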
@@ -152,9 +152,9 @@ static void get_icvlen(__u8 *icvlen, char *arg)
 if (ret)
 invarg("expected ICV length", arg);
- if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_MAX_ICV_LEN)
+ if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_STD_ICV_LEN)
 invarg("ICV length must be in the range {"
 - STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_MAX_ICV_LEN)
+ STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_STD_ICV_LEN)
 "}", arg);
 }
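Review bot: In get_icvlen() the upper bound is now `MACSEC_STD_ICV_LEN`, yet nothing at the range test says why the constant named `MACSEC_MAX_ICV_LEN` is not the maximum, which invites a later change back to the looser bound on the integrity-tag length. A comment above the `if` would record the reason given in the commit message, for example `/* a MACsec frame carries at most MACSEC_STD_ICV_LEN octets of ICV; MACSEC_MAX_ICV_LEN is larger than that */`. The bound appears twice, in the comparison and in the `STR()` of the error text, and the two must stay in step; naming it once in a local macro used by both would keep them aligned. The opening lines of the function are outside the hunk.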