From 6050055387000daf401f3a9c1f1d282b60190bed Mon Sep 17 00:00:00 2001 From: Sabrina Dubroca Date: Tue, 9 Mar 2021 16:44:33 +0100 Subject: [PATCH 1/4] ip: xfrm: limit the length of the security context name when printing Security context names are not guaranteed to be NUL-terminated by the kernel, so we can't just print them using %s directly. The length of the string is determined by sctx->ctx_len, so we can use that to limit what fprintf outputs. While at it, factor that out to a separate function, since the exact same code is used to print the security context for both policies and states. Fixes: b2bb289a57fe ("xfrm security context support") Reported-by: Paul Wouters Signed-off-by: Sabrina Dubroca Signed-off-by: Stephen Hemminger --- ip/ipxfrm.c | 43 +++++++++++++++++-------------------------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index e4a72bd0..8a794032 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -916,6 +916,19 @@ static int xfrm_selector_iszero(struct xfrm_selector *s) return (memcmp(&s0, s, sizeof(s0)) == 0); } +static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr) +{ + struct xfrm_user_sec_ctx *sctx; + + fprintf(fp, "\tsecurity context "); + + if (RTA_PAYLOAD(attr) < sizeof(*sctx)) + fprintf(fp, "(ERROR truncated)"); + + sctx = RTA_DATA(attr); + fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1), _SL_); +} + void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo, struct rtattr *tb[], FILE *fp, const char *prefix, const char *title, bool nokeys) 
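Review bot: In xfrm_sec_ctx_print the `(ERROR truncated)` branch does not return, so the function goes on to dereference sctx and hand sctx->ctx_len to `%.*s` from an attribute it has just found to be shorter than the header; both removed call sites had the same fall-through, and folding them into one helper is the place to close it. ctx_len is itself taken from the netlink message, so the print width should also be clamped to what is actually present after the header, `RTA_PAYLOAD(attr) - sizeof(*sctx)`, rather than trusting ctx_len on its own. A short header comment stating that the name is bounded by ctx_len and not by a NUL terminator would record why `%.*s` is used here; the two callers in the later hunks need no change.
```c
static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
{
	struct xfrm_user_sec_ctx *sctx;
	size_t len;

	/* … unchanged: "\tsecurity context " prefix … */

	if (RTA_PAYLOAD(attr) < sizeof(*sctx)) {
		fprintf(fp, "(ERROR truncated)%s", _SL_);
		return;
	}

	sctx = RTA_DATA(attr);
	/* ctx_len is message-supplied too: never print past the payload */
	len = RTA_PAYLOAD(attr) - sizeof(*sctx);
	if (sctx->ctx_len < len)
		len = sctx->ctx_len;
	fprintf(fp, "%.*s %s", (int)len, (char *)(sctx + 1), _SL_);
}
```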
@@ -983,19 +996,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo, xfrm_stats_print(&xsinfo->stats, fp, buf); } - if (tb[XFRMA_SEC_CTX]) { - struct xfrm_user_sec_ctx *sctx; - - fprintf(fp, "\tsecurity context "); - - if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx)) - fprintf(fp, "(ERROR truncated)"); - - sctx = RTA_DATA(tb[XFRMA_SEC_CTX]); - - fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_); - } - + if (tb[XFRMA_SEC_CTX]) + xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]); } void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, @@ -1006,19 +1008,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title); - if (tb[XFRMA_SEC_CTX]) { - struct xfrm_user_sec_ctx *sctx; - - fprintf(fp, "\tsecurity context "); - - if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx)) - fprintf(fp, "(ERROR truncated)"); - - sctx = RTA_DATA(tb[XFRMA_SEC_CTX]); - - fprintf(fp, "%s ", (char *)(sctx + 1)); - fprintf(fp, "%s", _SL_); - } + if (tb[XFRMA_SEC_CTX]) + xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]); if (prefix) strlcat(buf, prefix, sizeof(buf)); From 06bee37c1c86d94e1728e75339be15ada08f58d2 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Thu, 11 Mar 2021 13:47:54 -0800 Subject: [PATCH 2/4] lib/bpf: add missing limits.h includes Several functions in bpf_glue.c and bpf_libbpf.c rely on PATH_MAX, which is normally included from in other iproute2 source files. It fixes errors seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24: bpf_glue.c: In function 'get_libbpf_version': bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? 46 | char buf[PATH_MAX], *s; | ^~~~~~~~ | AF_MAX Reported-by: Rui Salvaterra Signed-off-by: Tony Ambardar Signed-off-by: Stephen Hemminger --- lib/bpf_glue.c | 2 ++ lib/bpf_libbpf.c | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/bpf_glue.c b/lib/bpf_glue.c index d00a0dc1..eaa9504f 100644 --- a/lib/bpf_glue.c 
+++ b/lib/bpf_glue.c @@ -4,6 +4,8 @@ * Authors: Hangbin Liu * */ +#include + #include "bpf_util.h" #ifdef HAVE_LIBBPF #include diff --git a/lib/bpf_libbpf.c b/lib/bpf_libbpf.c index d05737a4..864f8c35 100644 --- a/lib/bpf_libbpf.c +++ b/lib/bpf_libbpf.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include From 6639fce4308980b7b64eb9cfab0e2748bce1b908 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 17 Mar 2021 17:14:13 -0700 Subject: [PATCH 3/4] ip: cleanup help message text Wrap help message text at 80 characters, and put list of things in alpha order. Signed-off-by: Stephen Hemminger --- ip/ip.c | 9 +++++---- ip/ip_common.h | 1 + ip/ipaddress.c | 8 ++------ ip/ipila.c | 3 ++- ip/iplink.c | 22 +++++++++++++++------- ip/ipmonitor.c | 7 ++++--- ip/ipneigh.c | 8 ++++---- ip/iprule.c | 3 ++- ip/iptunnel.c | 3 ++- 9 files changed, 37 insertions(+), 27 deletions(-) diff --git a/ip/ip.c b/ip/ip.c index 40d2998a..c561c01f 100644 --- a/ip/ip.c +++ b/ip/ip.c @@ -64,10 +64,11 @@ static void usage(void) fprintf(stderr, "Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }\n" " ip [ -force ] -batch filename\n" - "where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n" - " tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n" - " netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n" - " vrf | sr | nexthop | mptcp }\n" + "where OBJECT := { address | addrlabel | fou | help | ila | l2tp | link |\n" + " macsec | maddress | monitor | mptcp | mroute | mrule |\n" + " neighbor | neighbour | netconf | netns | nexthop | ntable |\n" + " ntbl | route | rule | sr | tap | tcpmetrics |\n" + " token | tunnel | tuntap | vrf | xfrm }\n" " OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n" " -h[uman-readable] | -iec | -j[son] | -p[retty] |\n" " -f[amily] { inet | inet6 | mpls | bridge | link } |\n" diff --git a/ip/ip_common.h b/ip/ip_common.h index 9a31e837..1fd2ed3a 100644 --- a/ip/ip_common.h 
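Review bot: The re-sorted OBJECT list in ip/ip.c drops `neigh`, the spelling that the ipneigh.c usage in this same series prints (`Usage: ip neigh ...`), while keeping `neighbor | neighbour`, and it adds `help` as an OBJECT although the first usage line already offers `help` as the alternative to COMMAND. If the intent is to list every accepted spelling, `neigh` should stay beside its aliases; if the intent is one canonical name per object, the aliases (`ntbl`, `tap`, `tcpmetrics`, `neighbour`) do not belong here — the command table is not visible in this hunk, so I cannot tell which was meant. A one-line comment above the fprintf noting that this list must track the object table would keep the two from drifting apart again.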
+++ b/ip/ip_common.h @@ -39,6 +39,7 @@ int print_neigh(struct nlmsghdr *n, void *arg); int ipaddr_list_link(int argc, char **argv); void ipaddr_get_vf_rate(int, int *, int *, const char *); void iplink_usage(void) __attribute__((noreturn)); +void iplink_types_usage(void); void iproute_reset_filter(int ifindex); void ipmroute_reset_filter(int ifindex); diff --git a/ip/ipaddress.c b/ip/ipaddress.c index 0bbcee2b..cfb24f5c 100644 --- a/ip/ipaddress.c +++ b/ip/ipaddress.c @@ -73,12 +73,8 @@ static void usage(void) "CONFFLAG-LIST := [ CONFFLAG-LIST ] CONFFLAG\n" "CONFFLAG := [ home | nodad | mngtmpaddr | noprefixroute | autojoin ]\n" "LIFETIME := [ valid_lft LFT ] [ preferred_lft LFT ]\n" - "LFT := forever | SECONDS\n" - "TYPE := { vlan | veth | vcan | vxcan | dummy | ifb | macvlan | macvtap |\n" - " bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan | lowpan |\n" - " gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan | vti |\n" - " nlmon | can | bond_slave | ipvlan | geneve | bridge_slave |\n" - " hsr | macsec | netdevsim }\n"); + "LFT := forever | SECONDS\n"); + iplink_types_usage(); exit(-1); } diff --git a/ip/ipila.c b/ip/ipila.c index 739ee4e1..475c35b5 100644 --- a/ip/ipila.c +++ b/ip/ipila.c @@ -31,7 +31,8 @@ static void usage(void) "Usage: ip ila add loc_match LOCATOR_MATCH loc LOCATOR [ dev DEV ] OPTIONS\n" " ip ila del loc_match LOCATOR_MATCH [ loc LOCATOR ] [ dev DEV ]\n" " ip ila list\n" - "OPTIONS := [ csum-mode { adj-transport | neutral-map | neutral-map-auto | no-action } ]\n" + "OPTIONS := [ csum-mode { adj-transport | neutral-map |\n" + " neutral-map-auto | no-action } ]\n" " [ ident-type { luid | use-format } ]\n"); exit(-1); diff --git a/ip/iplink.c b/ip/iplink.c index 27c9be44..faafd7e8 100644 --- a/ip/iplink.c +++ b/ip/iplink.c 
@@ -46,6 +46,19 @@ static void usage(void) __attribute__((noreturn)); static int iplink_have_newlink(void); +void iplink_types_usage(void) +{ + /* Remember to add new entry here if new type is added. */ + fprintf(stderr, + "TYPE := { bareudp | bond | bond_slave | bridge | bridge_slave |\n" + " dummy | erspan | geneve | gre | gretap | ifb |\n" + " ip6erspan | ip6gre | ip6gretap | ip6tnl |\n" + " ipip | ipoib | ipvlan | ipvtap |\n" + " macsec | macvlan | macvtap |\n" + " netdevsim | nlmon | rmnet | sit | team | team_slave |\n" + " vcan | veth | vlan | vrf | vti | vxcan | vxlan | xfrm }\n"); +} + void iplink_usage(void) { if (iplink_have_newlink()) { @@ -117,13 +130,8 @@ void iplink_usage(void) fprintf(stderr, "\n" " ip link help [ TYPE ]\n" - "\n" - "TYPE := { vlan | veth | vcan | vxcan | dummy | ifb | macvlan | macvtap |\n" - " bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |\n" - " gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |\n" - " vti | nlmon | team_slave | bond_slave | bridge_slave |\n" - " ipvlan | ipvtap | geneve | bareudp | vrf | macsec | netdevsim | rmnet |\n" - " xfrm }\n"); + "\n"); + iplink_types_usage(); } exit(-1); } diff --git a/ip/ipmonitor.c b/ip/ipmonitor.c index 99f5fda8..50aa013e 100644 --- a/ip/ipmonitor.c +++ b/ip/ipmonitor.c @@ -30,9 +30,10 @@ int listen_all_nsid; static void usage(void) { fprintf(stderr, - "Usage: ip monitor [ all | LISTofOBJECTS ] [ FILE ] [ label ] [all-nsid] [dev DEVICE]\n" - "LISTofOBJECTS := link | address | route | mroute | prefix |\n" - " neigh | netconf | rule | nsid | nexthop\n" + "Usage: ip monitor [ all | OBJECTS ] [ FILE ] [ label ] [ all-nsid ]\n" + " [ dev DEVICE ]\n" + "OBJECTS := address | link | mroute | neigh | netconf |\n" + " nexthop | nsid | prefix | route | rule\n" "FILE := file FILENAME\n"); exit(-1); } diff --git a/ip/ipneigh.c b/ip/ipneigh.c index 678b4034..2d6b7f58 100644 --- a/ip/ipneigh.c +++ b/ip/ipneigh.c 
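Review bot: The shared TYPE list in iplink_types_usage omits `can`, `hsr` and `lowpan`, which the list deleted from ip/ipaddress.c in this series did carry, so `ip address help` stops mentioning them once it calls the shared function. If those types are still accepted by `ip link add`, they should be inserted here in alphabetical order (`bridge_slave | can | dummy`, `gretap | hsr | ifb`, `ipvtap | lowpan | macsec`); if they were dropped on purpose, the commit message should say so, since it only claims to wrap and re-sort the text. The comment `/* Remember to add new entry here if new type is added. */` could also name ip/ipaddress.c as a second caller so a maintainer knows both help outputs depend on it.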
@@ -50,15 +50,15 @@ static void usage(void) { fprintf(stderr, "Usage: ip neigh { add | del | change | replace }\n" - " { ADDR [ lladdr LLADDR ] [ nud STATE ] | proxy ADDR } [ dev DEV ]\n" - " [ router ] [ extern_learn ] [ protocol PROTO ]\n" + " { ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n" + " [ dev DEV ] [ router ] [ extern_learn ] [ protocol PROTO ]\n" "\n" " ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n" " [ vrf NAME ]\n" " ip neigh get { ADDR | proxy ADDR } dev DEV\n" "\n" - "STATE := { permanent | noarp | stale | reachable | none |\n" - " incomplete | delay | probe | failed }\n"); + "STATE := { delay | failed | incomplete | noarp | none |\n" + " permanent | probe | reachable | stale }\n"); exit(-1); } diff --git a/ip/iprule.c b/ip/iprule.c index 9f5d998b..4166073c 100644 --- a/ip/iprule.c +++ b/ip/iprule.c @@ -44,7 +44,8 @@ static void usage(void) "Usage: ip rule { add | del } SELECTOR ACTION\n" " ip rule { flush | save | restore }\n" " ip rule [ list [ SELECTOR ]]\n" - "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n" + "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ]\n" + " [ fwmark FWMARK[/MASK] ]\n" " [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n" " [ uidrange NUMBER-NUMBER ]\n" " [ ipproto PROTOCOL ]\n" diff --git a/ip/iptunnel.c b/ip/iptunnel.c index 696f3b92..2369ee06 100644 --- a/ip/iptunnel.c +++ b/ip/iptunnel.c @@ -34,7 +34,8 @@ static void usage(void) { fprintf(stderr, "Usage: ip tunnel { add | change | del | show | prl | 6rd } [ NAME ]\n" - " [ mode { ipip | gre | sit | isatap | vti } ] [ remote ADDR ] [ local ADDR ]\n" + " [ mode { gre | ipip | isatap | sit | vti } ]\n" + " [ remote ADDR ] [ local ADDR ]\n" " [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]\n" " [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]\n" " [ 6rd-prefix ADDR ] [ 6rd-relay_prefix ADDR ] [ 6rd-reset ]\n" 
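Review bot: The rewrapped ipneigh.c usage line `" { ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"` lost the `|` that separated the two alternatives in the removed line, so the help text now reads as if ADDR and `proxy ADDR` must both be given. It should be `" { ADDR [ lladdr LLADDR ] [ nud STATE ] | proxy ADDR }\n"`. The iprule.c and iptunnel.c hunks on this line rewrap without changing meaning.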
From 87d6d395d16c4188e98ed9917071cd256e86a243 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Sat, 20 Mar 2021 09:29:02 -0700 Subject: [PATCH 4/4] README: remove doc instructions The out of date documentation was removed in 2017, but the instructions in the README were not removed. Signed-off-by: Stephen Hemminger --- README | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/README b/README index bc82187c..fa0c7869 100644 --- a/README +++ b/README @@ -28,17 +28,12 @@ The makefile will automatically build a config.mk file which contains definitions of libraries that may or may not be available on the system such as: ATM, ELF, MNL, and SELINUX. -3. To make documentation, cd to doc/ directory , then - look at start of Makefile and set correct values for - PAGESIZE=a4 , ie: a4 , letter ... (string) - PAGESPERPAGE=2 , ie: 1 , 2 ... (numeric) - and make there. It assumes, that latex, dvips and psnup - are in your path. +3. include/uapi -4. This package includes matching sanitized kernel headers because - the build environment may not have up to date versions. See Makefile - if you have special requirements and need to point at different - kernel include files. +This package includes matching sanitized kernel headers because +the build environment may not have up to date versions. See Makefile +if you have special requirements and need to point at different +kernel include files. Stephen Hemminger stephen@networkplumber.org