From 70e6e38aadab8cf5b619e0a691d6103fcf5fac48 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 10 Dec 2007 09:36:07 -0800 Subject: [PATCH 01/12] Merge header file changes from net-2.6.25 Signed-off-by: Stephen Hemminger --- include/linux/if.h | 5 ++++- include/linux/netfilter_ipv4/ip_tables.h | 8 ++++---- include/linux/rtnetlink.h | 7 +++++++ include/linux/socket.h | 3 ++- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/include/linux/if.h b/include/linux/if.h index 296cd615..40eb61f9 100644 --- a/include/linux/if.h +++ b/include/linux/if.h @@ -49,7 +49,9 @@ #define IFF_LOWER_UP 0x10000 /* driver signals L1 up */ #define IFF_DORMANT 0x20000 /* driver signals dormant */ -#define IFF_VOLATILE (IFF_LOOPBACK|IFF_POINTOPOINT|IFF_BROADCAST|\ +#define IFF_ECHO 0x40000 /* echo sent packets */ + +#define IFF_VOLATILE (IFF_LOOPBACK|IFF_POINTOPOINT|IFF_BROADCAST|IFF_ECHO|\ IFF_MASTER|IFF_SLAVE|IFF_RUNNING|IFF_LOWER_UP|IFF_DORMANT) /* Private (from user) interface flags (netdevice->priv_flags). */ @@ -60,6 +62,7 @@ #define IFF_MASTER_ALB 0x10 /* bonding master, balance-alb. */ #define IFF_BONDING 0x20 /* bonding master or slave */ #define IFF_SLAVE_NEEDARP 0x40 /* need ARPs for validation */ +#define IFF_ISATAP 0x80 /* ISATAP interface (RFC4214) */ #define IF_GET_IFACE 0x0001 /* for querying only */ #define IF_GET_PROTO 0x0002 diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index b8362332..f1754d10 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -148,10 +148,10 @@ struct ipt_getinfo unsigned int valid_hooks; /* Hook entry points: one per netfilter hook. */ - unsigned int hook_entry[NF_IP_NUMHOOKS]; + unsigned int hook_entry[NF_INET_NUMHOOKS]; /* Underflow points. */ - unsigned int underflow[NF_IP_NUMHOOKS]; + unsigned int underflow[NF_INET_NUMHOOKS]; /* Number of entries */ unsigned int num_entries; 
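Review bot: `struct ipt_getinfo` now sizes `hook_entry` and `underflow` with `NF_INET_NUMHOOKS`, a name nothing visible in ip_tables.h provides, so unless the header already includes linux/netfilter.h above this hunk every includer has to pull that header in first (which is the breakage patches 02 and 03 then chase in tc/m_ipt.c). Adding `#include <linux/netfilter.h>` at the top of ip_tables.h keeps the header self-contained. As far as I can tell this struct is handed to the kernel byte-for-byte, so whatever `NF_INET_NUMHOOKS` resolves to must stay equal to the old `NF_IP_NUMHOOKS` (5) or the array sizes, and with them the struct layout the kernel fills in, silently change; a `/* must equal NF_IP_NUMHOOKS: kernel ABI */` comment on the arrays would make that constraint explicit.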
@@ -177,10 +177,10 @@ struct ipt_replace unsigned int size; /* Hook entry points. */ - unsigned int hook_entry[NF_IP_NUMHOOKS]; + unsigned int hook_entry[NF_INET_NUMHOOKS]; /* Underflow points. */ - unsigned int underflow[NF_IP_NUMHOOKS]; + unsigned int underflow[NF_INET_NUMHOOKS]; /* Information about old entries: */ /* Number of counters (must be equal to current number of entries). */ diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h index 4cd0abf5..3b90a974 100644 --- a/include/linux/rtnetlink.h +++ b/include/linux/rtnetlink.h @@ -100,6 +100,13 @@ enum { RTM_NEWNDUSEROPT = 68, #define RTM_NEWNDUSEROPT RTM_NEWNDUSEROPT + RTM_NEWADDRLABEL = 72, +#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL + RTM_DELADDRLABEL, +#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL + RTM_GETADDRLABEL, +#define RTM_GETADDRLABEL RTM_GETADDRLABEL + __RTM_MAX, #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1) }; diff --git a/include/linux/socket.h b/include/linux/socket.h index 7028e831..0d4c15f2 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -23,7 +23,6 @@ struct __kernel_sockaddr_storage { #include /* iovec support */ #include /* pid_t */ -extern int sysctl_somaxconn; #ifdef CONFIG_PROC_FS struct seq_file; extern void socket_seq_show(struct seq_file *seq); @@ -182,6 +181,7 @@ struct ucred { #define AF_PPPOX 24 /* PPPoX sockets */ #define AF_WANPIPE 25 /* Wanpipe API Sockets */ #define AF_LLC 26 /* Linux LLC */ +#define AF_CAN 29 /* Controller Area Network */ #define AF_TIPC 30 /* TIPC sockets */ #define AF_BLUETOOTH 31 /* Bluetooth sockets */ #define AF_IUCV 32 /* IUCV sockets */ @@ -217,6 +217,7 @@ struct ucred { #define PF_PPPOX AF_PPPOX #define PF_WANPIPE AF_WANPIPE #define PF_LLC AF_LLC +#define PF_CAN AF_CAN #define PF_TIPC AF_TIPC #define PF_BLUETOOTH AF_BLUETOOTH #define PF_IUCV AF_IUCV From ece02ea0a388a0bda5e5dff425fe93e50b2d5c9b Mon Sep 17 00:00:00 2001 
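Review bot: In the rtnetlink.h hunk the enumerator `RTM_DELADDRLABEL,` is followed by `#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL`, a copy-paste slip: the NEW define is repeated (an identical redefinition, so the compiler stays quiet) and `RTM_DELADDRLABEL` never gets its self-referencing macro, so any `#ifdef RTM_DELADDRLABEL` feature test in userspace fails even though the enum value exists. Change the second define to `#define RTM_DELADDRLABEL RTM_DELADDRLABEL`. The other hunks on this line (ipt_replace array sizes, `AF_CAN`/`PF_CAN`, dropping `sysctl_somaxconn`) look fine.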
From: Stephen Hemminger
Date: Mon, 10 Dec 2007 09:40:45 -0800
Subject: [PATCH 02/12] Fix breakage from netfilter/ip_tables header change.

Signed-off-by: Stephen Hemminger
---
 tc/m_ipt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tc/m_ipt.c b/tc/m_ipt.c
index acbb8d2d..1539dc18 100644
--- a/tc/m_ipt.c
+++ b/tc/m_ipt.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "utils.h"
 #include "tc_util.h"

From be8d89d3bf4aac08a67c02e317e15dcd82447b58 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 10 Dec 2007 09:40:45 -0800
Subject: [PATCH 03/12] Fix breakage from netfilter/ip_tables header change.

Signed-off-by: Stephen Hemminger
---
 include/linux/netfilter.h | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 include/linux/netfilter.h

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
new file mode 100644
index 00000000..392487e4
--- /dev/null
+++ b/include/linux/netfilter.h
@@ -0,0 +1,39 @@
+#ifndef __LINUX_NETFILTER_H
+#define __LINUX_NETFILTER_H
+
+
+/* Responses from hook functions. */
+#define NF_DROP 0
+#define NF_ACCEPT 1
+#define NF_STOLEN 2
+#define NF_QUEUE 3
+#define NF_REPEAT 4
+#define NF_STOP 5
+#define NF_MAX_VERDICT NF_STOP
+
+/* we overload the higher bits for encoding auxiliary data such as the queue
+ * number. Not nice, but better than additional function arguments. */
+#define NF_VERDICT_MASK 0x0000ffff
+#define NF_VERDICT_BITS 16
+
+#define NF_VERDICT_QMASK 0xffff0000
+#define NF_VERDICT_QBITS 16
+
+#define NF_QUEUE_NR(x) (((x << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)
+
+/* only for userspace compatibility */
+/* Generic cache responses from hook functions.
+   <= 0x2000 is used for protocol-flags. */
+#define NFC_UNKNOWN 0x4000
+#define NFC_ALTERED 0x8000
+
+enum nf_inet_hooks {
+	NF_INET_PRE_ROUTING,
+	NF_INET_LOCAL_IN,
+	NF_INET_FORWARD,
+	NF_INET_LOCAL_OUT,
+	NF_INET_POST_ROUTING,
+	NF_INET_NUMHOOKS
+};
+
+#endif /*__LINUX_NETFILTER_H*/
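Review bot: `NF_QUEUE_NR(x)` shifts its argument unparenthesized, `(x << NF_VERDICT_QBITS)`, so `NF_QUEUE_NR(q & 0xffff)` expands to `q & (0xffff << 16)` and `NF_QUEUE_NR(a ? 1 : 2)` to `a ? 1 : (2 << 16)`; write `#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)`. The new header also carries no include of its own, which is fine for the integer constants it defines today but worth keeping in mind if types are added to it later. The subject line is identical to patch 02's even though this one creates a new header rather than touching tc/m_ipt.c.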
From 7ca30b789d7ea0a7afce45ddf5e5fd5fad0728dc Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 10 Dec 2007 13:10:20 -0800
Subject: [PATCH 04/12] rlim qdisc support

Add support for new rate limit qdisc

Signed-off-by: Stephen Hemminger
---
 tc/q_rlim.c | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 tc/q_rlim.c

diff --git a/tc/q_rlim.c b/tc/q_rlim.c
new file mode 100644
index 00000000..c90796d4
--- /dev/null
+++ b/tc/q_rlim.c
@@ -0,0 +1,129 @@
+/*
+ * q_rtlim.c		RTLIM.
+ *
+ *		This program is free software; you can redistribute it and/or
+ *		modify it under the terms of the GNU General Public License
+ *		as published by the Free Software Foundation; either version
+ *		2 of the License, or (at your option) any later version.
+ *
+ * Authors:	Alexey Kuznetsov,
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "utils.h"
+#include "tc_util.h"
+
+static void explain(void)
+{
+	fprintf(stderr,
+		"Usage: ... rlim limit PACKETS rate KBPS [ overhead BYTES ]\n");
+}
+
+static void explain1(char *arg)
+{
+	fprintf(stderr, "Illegal \"%s\"\n", arg);
+}
+
+
+#define usage() return(-1)
+
+static int rlim_parse_opt(struct qdisc_util *qu, int argc, char **argv, struct nlmsghdr *n)
+{
+	unsigned x;
+	struct tc_rlim_qopt opt = {
+		.overhead = 24,	/* Ether IPG + Preamble + CRC */
+	};
+	struct rtattr *tail;
+
+	while (argc > 0) {
+		if (matches(*argv, "limit") == 0) {
+			NEXT_ARG();
+			if (opt.limit) {
+				fprintf(stderr, "Double \"limit\" spec\n");
+				return -1;
+			}
+			if (get_size(&opt.limit, *argv)) {
+				explain1("limit");
+				return -1;
+			}
+		} else if (strcmp(*argv, "rate") == 0) {
+			NEXT_ARG();
+			if (opt.rate) {
+				fprintf(stderr, "Double \"rate\" spec\n");
+				return -1;
+			}
+
+			if (get_rate(&x, *argv)) {
+				explain1("rate");
+				return -1;
+			}
+			opt.rate = x;
+		} else if (strcmp(*argv, "help") == 0) {
+			explain();
+			return -1;
+		} else {
+			fprintf(stderr, "What is \"%s\"?\n", *argv);
+			explain();
+			return -1;
+		}
+		argc--; argv++;
+	}
+
+	if (opt.rate == 0) {
+		fprintf(stderr, "\"rate\" is required.\n");
+		return -1;
+	}
+
+	if (opt.limit == 0)
+		opt.limit = 1000;
+
+	tail = NLMSG_TAIL(n);
+	addattr_l(n, 1024, TCA_OPTIONS, NULL, 0);
+	addattr_l(n, 2024, TCA_RLIM_PARMS, &opt, sizeof(opt));
+	tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
+
+	return 0;
+}
+
+static int rlim_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt)
+{
+	struct rtattr *tb[TCA_RLIM_PARMS+1];
+	struct tc_rlim_qopt *qopt;
+	SPRINT_BUF(b1);
+	SPRINT_BUF(b2);
+
+	if (opt == NULL)
+		return 0;
+
+	parse_rtattr_nested(tb, TCA_RLIM_PARMS, opt);
+	if (tb[TCA_RLIM_PARMS] == NULL)
+		return -1;
+
+	qopt = RTA_DATA(tb[TCA_RLIM_PARMS]);
+	if (RTA_PAYLOAD(tb[TCA_RLIM_PARMS]) < sizeof(*qopt))
+		return -1;
+
+	fprintf(f, "limit %s rate %s overhead %u",
+		sprint_size(qopt->limit, b1),
+		sprint_rate(qopt->rate, b2),
+		qopt->overhead);
+
+	return 0;
+}
+
+struct qdisc_util rlim_qdisc_util = {
+	.id = "rlim",
+	.parse_qopt = rlim_parse_opt,
+	.print_qopt = rlim_print_opt,
+};
+

From 0bd17929bc6e2df15dc3348f9690f698211c7711 Mon Sep 17 00:00:00 2001
From: "Templin, Fred L"
Date: Mon, 26 Nov 2007 09:46:06 -0800
Subject: [PATCH 05/12] iproute2-2.6.23: RFC4214 Support (v2.5)

This patch includes support for the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) per RFC4214. The following diffs are specific to the iproute2-2.6.23 software distribution. This message includes the full and patchable diff text; please use this version to apply patches.

Signed-off-by: Fred L. Templin
Signed-off-by: Stephen Hemminger
---
 include/linux/if_tunnel.h | 34 ++++++++++++++++++++++++++++++++++
 ip/iptunnel.c | 22 +++++++++++++++++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 include/linux/if_tunnel.h

diff --git a/include/linux/if_tunnel.h b/include/linux/if_tunnel.h
new file mode 100644
index 00000000..228eb4eb
--- /dev/null
+++ b/include/linux/if_tunnel.h
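Review bot: The two `addattr_l` calls at the end of `rlim_parse_opt` pass different message bounds (1024, then 2024, which reads like a typo for 1024) and ignore the return value, so a message that does not fit is dropped silently and `tail->rta_len` is then computed over a nested attribute that was never appended. Use one bound and check both results, e.g. `if (addattr_l(n, 1024, TCA_OPTIONS, NULL, 0) < 0 || addattr_l(n, 1024, TCA_RLIM_PARMS, &opt, sizeof(opt)) < 0) return -1;`. I also do not see `struct tc_rlim_qopt` or `TCA_RLIM_PARMS` added to include/linux/pkt_sched.h anywhere in this series (patch 11 only adds `TC_RTAB_SIZE`), so unless they are already there the file cannot build. Smaller points: the header comment names the file `q_rtlim.c`/`RTLIM` while the file is tc/q_rlim.c and the qdisc id is `rlim`, `explain1` should take `const char *arg`, and `#define usage() return(-1)` is unused.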
@@ -0,0 +1,34 @@ +#ifndef _IF_TUNNEL_H_ +#define _IF_TUNNEL_H_ + +#include + +#define SIOCGETTUNNEL (SIOCDEVPRIVATE + 0) +#define SIOCADDTUNNEL (SIOCDEVPRIVATE + 1) +#define SIOCDELTUNNEL (SIOCDEVPRIVATE + 2) +#define SIOCCHGTUNNEL (SIOCDEVPRIVATE + 3) + +#define GRE_CSUM __constant_htons(0x8000) +#define GRE_ROUTING __constant_htons(0x4000) +#define GRE_KEY __constant_htons(0x2000) +#define GRE_SEQ __constant_htons(0x1000) +#define GRE_STRICT __constant_htons(0x0800) +#define GRE_REC __constant_htons(0x0700) +#define GRE_FLAGS __constant_htons(0x00F8) +#define GRE_VERSION __constant_htons(0x0007) + +/* i_flags values for SIT mode */ +#define SIT_ISATAP 0x0001 + +struct ip_tunnel_parm +{ + char name[IFNAMSIZ]; + int link; + __be16 i_flags; + __be16 o_flags; + __be32 i_key; + __be32 o_key; + struct iphdr iph; +}; + +#endif /* _IF_TUNNEL_H_ */ diff --git a/ip/iptunnel.c b/ip/iptunnel.c index aee526b3..3b466bfc 100644 --- a/ip/iptunnel.c +++ b/ip/iptunnel.c @@ -39,7 +39,7 @@ static void usage(void) __attribute__((noreturn)); static void usage(void) { fprintf(stderr, "Usage: ip tunnel { add | change | del | show } [ NAME ]\n"); - fprintf(stderr, " [ mode { ipip | gre | sit } ] [ remote ADDR ] [ local ADDR ]\n"); + fprintf(stderr, " [ mode { ipip | gre | sit | isatap } ] [ remote ADDR ] [ local ADDR ]\n"); fprintf(stderr, " [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]\n"); fprintf(stderr, " [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ]\n"); fprintf(stderr, "\n"); @@ -55,6 +55,7 @@ static int parse_args(int argc, char **argv, int cmd, struct ip_tunnel_parm *p) { int count = 0; char medium[IFNAMSIZ]; + int isatap = 0; memset(p, 0, sizeof(*p)); memset(&medium, 0, sizeof(medium)); 
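Review bot: `SIT_ISATAP 0x0001` is a host-order constant that iptunnel.c ORs into `i_flags`, yet this header declares `i_flags` as `__be16` and wraps the neighbouring `GRE_*` flags in `__constant_htons`; on little-endian the two conventions give different bit positions, so one of the two is lying about byte order. I cannot see from here which one the kernel's SIT code tests, so rather than "fixing" it with `htons` add a comment stating the contract, e.g. `/* host byte order: the kernel tests this bit without ntohs, unlike the GRE_* flags */`, so the next reader does not break the flag by making it consistent with `GRE_*`.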
@@ -90,6 +91,13 @@ static int parse_args(int argc, char **argv, int cmd, struct ip_tunnel_parm *p) exit(-1); } p->iph.protocol = IPPROTO_IPV6; + } else if (strcmp(*argv, "isatap") == 0) { + if (p->iph.protocol && p->iph.protocol != IPPROTO_IPV6) { + fprintf(stderr, "You managed to ask for more than one tunnel mode.\n"); + exit(-1); + } + p->iph.protocol = IPPROTO_IPV6; + isatap++; } else { fprintf(stderr,"Cannot guess tunnel mode.\n"); exit(-1); @@ -212,6 +220,10 @@ static int parse_args(int argc, char **argv, int cmd, struct ip_tunnel_parm *p) p->iph.protocol = IPPROTO_IPIP; else if (memcmp(p->name, "sit", 3) == 0) p->iph.protocol = IPPROTO_IPV6; + else if (memcmp(p->name, "isatap", 6) == 0) { + p->iph.protocol = IPPROTO_IPV6; + isatap++; + } } if (p->iph.protocol == IPPROTO_IPIP || p->iph.protocol == IPPROTO_IPV6) { @@ -239,6 +251,14 @@ static int parse_args(int argc, char **argv, int cmd, struct ip_tunnel_parm *p) fprintf(stderr, "Broadcast tunnel requires a source address.\n"); return -1; } + if (isatap) { + if (p->iph.daddr) { + fprintf(stderr, "no remote with isatap.\n"); + return -1; + } + p->i_flags |= SIT_ISATAP; + } + return 0; } From c1b81cb5fe92aa938e52071c89e1c8812f6d75e3 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 Dec 2007 15:02:51 -0800 Subject: [PATCH 06/12] netem potential dist table overflow Fix possible stack overflow when given distribution table that is too large. Signed-off-by: Stephen Hemminger --- tc/q_netem.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/tc/q_netem.c b/tc/q_netem.c index f08b9c19..d06932e8 100644 --- a/tc/q_netem.c +++ b/tc/q_netem.c 
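Review bot: The `isatap` keyword only rejects a previously selected protocol other than `IPPROTO_IPV6`, so `mode sit mode isatap` (and the reverse) is accepted without the "more than one tunnel mode" error, and because `isatap` is only ever incremented the outcome depends on argument order: `isatap` set by the keyword or by an `isatap*` device name is never cleared, so `ip tunnel add isatap0 mode sit` still gets `SIT_ISATAP`. If the name prefix is meant to force ISATAP regardless of `mode`, say so at the `memcmp(p->name, "isatap", 6)` site with a comment; otherwise keep the selected mode in one variable and reject conflicting keywords there. `parse_args` starts and ends outside these hunks, and I cannot see whether the `show` path was taught to print `SIT_ISATAP`.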
@@ -44,14 +44,18 @@ static void explain1(const char *arg) #define usage() return(-1) +/* Upper bound on size of distribution + * really (TCA_BUF_MAX - other headers) / sizeof (__s16) + */ +#define MAX_DIST (16*1024) + /* * Simplistic file parser for distrbution data. * Format is: * # comment line(s) - * data0 data1 + * data0 data1 ... */ -#define MAXDIST 65536 -static int get_distribution(const char *type, __s16 *data) +static int get_distribution(const char *type, __s16 *data, int maxdata) { FILE *f; int n; @@ -78,7 +82,7 @@ static int get_distribution(const char *type, __s16 *data) if (endp == p) break; - if (n >= MAXDIST) { + if (n >= maxdata) { fprintf(stderr, "%s: too much data\n", name); n = -1; @@ -236,10 +240,12 @@ static int netem_parse_opt(struct qdisc_util *qu, int argc, char **argv, } } else if (matches(*argv, "distribution") == 0) { NEXT_ARG(); - dist_data = alloca(MAXDIST); - dist_size = get_distribution(*argv, dist_data); - if (dist_size < 0) + dist_data = calloc(sizeof(dist_data[0]), MAX_DIST); + dist_size = get_distribution(*argv, dist_data, MAX_DIST); + if (dist_size <= 0) { + free(dist_data); return -1; + } } else if (strcmp(*argv, "help") == 0) { explain(); return -1; 
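Review bot: `dist_data = calloc(sizeof(dist_data[0]), MAX_DIST);` is never checked for NULL before `get_distribution` writes through it; add `if (!dist_data) return -1;` (and the conventional argument order is `calloc(MAX_DIST, sizeof(dist_data[0]))`). A second `distribution` keyword on the same command line overwrites the pointer and leaks the first table, so either reject the repeat like the other options do or `free(dist_data)` before reallocating. The move off the stack itself is right: the old `alloca(MAXDIST)` was 64K bytes while `get_distribution` could write up to `MAXDIST` 16-bit entries.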
@@ -271,25 +277,27 @@ static int netem_parse_opt(struct qdisc_util *qu, int argc, char **argv, return -1; } - if (addattr_l(n, TCA_BUF_MAX, TCA_OPTIONS, &opt, sizeof(opt)) < 0) + if (addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)) < 0) return -1; if (present[TCA_NETEM_CORR] && - addattr_l(n, TCA_BUF_MAX, TCA_NETEM_CORR, &cor, sizeof(cor)) < 0) + addattr_l(n, 1024, TCA_NETEM_CORR, &cor, sizeof(cor)) < 0) return -1; if (present[TCA_NETEM_REORDER] && - addattr_l(n, TCA_BUF_MAX, TCA_NETEM_REORDER, &reorder, sizeof(reorder)) < 0) + addattr_l(n, 1024, TCA_NETEM_REORDER, &reorder, sizeof(reorder)) < 0) return -1; if (present[TCA_NETEM_CORRUPT] && - addattr_l(n, TCA_BUF_MAX, TCA_NETEM_CORRUPT, &corrupt, sizeof(corrupt)) < 0) + addattr_l(n, 1024, TCA_NETEM_CORRUPT, &corrupt, sizeof(corrupt)) < 0) return -1; if (dist_data) { - if (addattr_l(n, 32768, TCA_NETEM_DELAY_DIST, - dist_data, dist_size*sizeof(dist_data[0])) < 0) + if (addattr_l(n, MAX_DIST * sizeof(dist_data[0]), + TCA_NETEM_DELAY_DIST, + dist_data, dist_size * sizeof(dist_data[0])) < 0) return -1; + free(dist_data); } tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail; return 0; From bfe594fe31419a5f2cdd7ed7864b587d76fc22de Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 31 Dec 2007 12:54:18 -0800 Subject: [PATCH 07/12] Update header files from net-2.6.25 Signed-off-by: Stephen Hemminger --- include/linux/netfilter.h | 6 +++ include/linux/netfilter/x_tables.h | 43 ++++++++++++++++++ include/linux/netfilter_ipv4/ip_tables.h | 56 ++---------------------- include/linux/xfrm.h | 4 ++ 4 files changed, 57 insertions(+), 52 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 392487e4..e68f362c 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -36,4 +36,10 @@ enum nf_inet_hooks { NF_INET_NUMHOOKS }; +union nf_inet_addr { + u_int32_t all[4]; + __be32 ip; + __be32 ip6[4]; +}; + #endif /*__LINUX_NETFILTER_H*/ 
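Review bot: `addattr_l(n, MAX_DIST * sizeof(dist_data[0]), TCA_NETEM_DELAY_DIST, ...)` passes 32768 as the message bound, while the other calls in the same function were changed from `TCA_BUF_MAX` to 1024; if that second argument is the limit on the whole message length, as the pre-patch use of `TCA_BUF_MAX` for all of them suggests, a full 16K-entry table can never be sent because the netlink header and the attributes already added consume part of those 32768 bytes. Pass the buffer's real size (`TCA_BUF_MAX`, as before) and let `MAX_DIST` bound only the data. `dist_data` is also freed only on the success path: the `return -1` after a failed `addattr_l`, and every earlier error return in the function, leak it, so free it in those paths or funnel them through one exit label. The rest of `netem_parse_opt` lies outside this hunk.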
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 95bc6957..89eae5ce 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -126,5 +126,48 @@ struct xt_counters_info #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + #endif /* _X_TABLES_H */ diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index f1754d10..fc64b97a 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h 
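Review bot: `XT_ENTRY_ITERATE_CONTINUE` uses its `n` parameter unparenthesized in `if (__n < n)`, unlike every other macro argument in these definitions; write `if (__n < (n))`. Both iterators also advance by `__m->u.match_size` and `__entry->next_offset` read from the data being walked, so a zero value loops forever and an oversized one walks past `size` (the loop only checks the start offset, not that the whole entry fits); that is acceptable for tables iproute2 built itself, but any caller applying them to entries received from the kernel must validate those fields first, and a comment on the macros should say that they do no such checking.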
@@ -221,60 +221,12 @@ ipt_get_target(struct ipt_entry *e) } /* fn returns 0 to continue iteration */ -#define IPT_MATCH_ITERATE(e, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct ipt_entry_match *__match; \ - \ - for (__i = sizeof(struct ipt_entry); \ - __i < (e)->target_offset; \ - __i += __match->u.match_size) { \ - __match = (void *)(e) + __i; \ - \ - __ret = fn(__match , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) +#define IPT_MATCH_ITERATE(e, fn, args...) \ + XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) /* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct ipt_entry *__entry; \ - \ - for (__i = 0; __i < (size); __i += __entry->next_offset) { \ - __entry = (void *)(entries) + __i; \ - \ - __ret = fn(__entry , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) - -/* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \ -({ \ - unsigned int __i, __n; \ - int __ret = 0; \ - struct ipt_entry *__entry; \ - \ - for (__i = 0, __n = 0; __i < (size); \ - __i += __entry->next_offset, __n++) { \ - __entry = (void *)(entries) + __i; \ - if (__n < n) \ - continue; \ - \ - __ret = fn(__entry , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) +#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) /* * Main firewall chains definitions and global var's definitions. diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index 51aa0425..d28e0c4b 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -114,6 +114,7 @@ enum XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, + XFRM_POLICY_MASK = 3, XFRM_POLICY_MAX = 3 }; 
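Review bot: `IPT_ENTRY_ITERATE_CONTINUE` is removed from ip_tables.h without the `XT_ENTRY_ITERATE_CONTINUE`-based wrapper the other two macros receive, so any remaining caller in iproute2 (I cannot see one in this series) now fails to compile. If dropping it is intentional the commit message should say so; otherwise add `#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) XT_ENTRY_ITERATE_CONTINUE(struct ipt_entry, entries, size, n, fn, ## args)` next to the other two. The xfrm.h addition of `XFRM_POLICY_MASK = 3` alongside `XFRM_POLICY_MAX = 3` is fine but deserves a one-word comment distinguishing "mask for the direction bits" from "highest valid direction".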
@@ -328,6 +329,7 @@ struct xfrm_usersa_info { #define XFRM_STATE_DECAP_DSCP 2 #define XFRM_STATE_NOPMTUDISC 4 #define XFRM_STATE_WILDRECV 8 +#define XFRM_STATE_ICMP 16 }; struct xfrm_usersa_id { @@ -362,6 +364,8 @@ struct xfrm_userpolicy_info { #define XFRM_POLICY_BLOCK 1 __u8 flags; #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ + /* Automatically expand selector to include matching ICMP payloads. */ +#define XFRM_POLICY_ICMP 2 __u8 share; }; From d21dd573e7c12195bd144f4f95bd6e9de76aa12c Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 2 Jan 2008 09:29:30 -0800 Subject: [PATCH 08/12] Revert "TC action parsing bug fix" [...] > Commands like "tc filter add dev ppp0 parent ffff: protocol ip prio 50 > u32 match ip src 0.0.0.0/0 police rate 4mbit burst 10k drop flowid :1" > apparently no longer works. The flowid is not accepted anymore. > Reverting commit 720a2e8d99... which you authored seems to "fix" this. [...] After further investigation it seems clear to me that reverting the commit 720a2e8d990707749b2... is the correct thing to do, since the real fix for the problem this commit was supposed to fix was instead fixed in commit c29391c7c68f031e246c... Whatever you specify after a u32 police you will now get a syntax error, and according to "tc filter add u32 help" there are several things that you are supposed to be able to specify after a police. This reverts commit 720a2e8d990707749b2cafa77ab3cd2b8241ec47. --- tc/m_police.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tc/m_police.c b/tc/m_police.c index acdfd223..46c785b6 100644 --- a/tc/m_police.c +++ b/tc/m_police.c 
@@ -37,7 +37,7 @@ static void usage(void) fprintf(stderr, "Usage: ... police rate BPS burst BYTES[/BYTES] [ mtu BYTES[/BYTES] ]\n"); fprintf(stderr, " [ peakrate BPS ] [ avrate BPS ]\n"); fprintf(stderr, " [ ACTIONTERM ]\n"); - fprintf(stderr, "Old Syntax ACTIONTERM := [/NOTEXCEEDACT] \n"); + fprintf(stderr, "Old Syntax ACTIONTERM := action [/NOTEXCEEDACT] \n"); fprintf(stderr, "New Syntax ACTIONTERM := conform-exceed [/NOTEXCEEDACT] \n"); fprintf(stderr, "Where: *EXCEEDACT := pipe | ok | reclassify | drop | continue \n"); fprintf(stderr, "Where: pipe is only valid for new syntax \n"); @@ -237,8 +237,7 @@ int act_parse_police(struct action_util *a,int *argc_p, char ***argv_p, int tca_ } else if (strcmp(*argv, "help") == 0) { usage(); } else { - fprintf(stderr, "What is \"%s\"?\n", *argv); - return -1; + break; } ok++; argc--; argv++; From fbaa3dedd926bc442aa2ab6d97c016b5e3907d64 Mon Sep 17 00:00:00 2001 From: Andreas Henriksson Date: Thu, 3 Jan 2008 00:47:30 +0100 Subject: [PATCH 09/12] iproute2: revert syntax help text mistake. Sorry. The pref and prio options are actually synonyms. This reverts part of commit 576c63ee59de3f18bec4ebd8181a5a395f268d03. Signed-off-by: Andreas Henriksson Signed-off-by: Stephen Hemminger --- ip/iprule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ip/iprule.c b/ip/iprule.c index 0f7c2231..e1a943a2 100644 --- a/ip/iprule.c +++ b/ip/iprule.c @@ -38,7 +38,7 @@ static void usage(void) { fprintf(stderr, "Usage: ip rule [ list | add | del | flush ] SELECTOR ACTION\n"); fprintf(stderr, "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"); - fprintf(stderr, " [ dev STRING ] [ pref NUMBER ] [ prio NUMBER ]\n"); + fprintf(stderr, " [ dev STRING ] [ pref NUMBER ]\n"); fprintf(stderr, "ACTION := [ table TABLE_ID ]\n"); fprintf(stderr, " [ prohibit | reject | unreachable ]\n"); fprintf(stderr, " [ realms [SRCREALM/]DSTREALM ]\n"); 
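Review bot: With the `else` branch now a bare `break`, an unrecognized word ends police parsing instead of being reported, so a misspelled police option such as `bursts 10k` is silently handed back to the filter parser and whether it is ever diagnosed depends on that caller. Since the revert is deliberate (trailing `flowid` and friends must reach the caller), document the contract at the break, e.g. `/* not a police keyword: leave it and the rest of argv to the caller */`, and make sure the code after the loop (outside this hunk) still rejects a `police` clause that consumed nothing via the `ok` counter. The ip/iprule.c hunk on this line is help text only.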
From 74fe05a2f6a6c44f39782264d75956586487941d Mon Sep 17 00:00:00 2001 From: Andreas Henriksson Date: Thu, 3 Jan 2008 00:49:11 +0100 Subject: [PATCH 10/12] iproute2: add synonyms for ip rule options to ip(8) manpage. commit 355e1438f73602fbac029d28891dfa889471b679 Author: Andreas Henriksson Date: Wed Jan 2 23:21:59 2008 +0100 Add synonyms for ip rule options to ip(8) manpage. See: http://bugs.debian.org/433507 http://bugs.debian.org/213673 Signed-off-by: Stephen Hemminger --- man/man8/ip.8 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/man/man8/ip.8 b/man/man8/ip.8 index 84ec6f3d..1687045f 100644 --- a/man/man8/ip.8 +++ b/man/man8/ip.8 @@ -1568,10 +1568,12 @@ the priority of this rule. Each rule should have an explicitly set .I unique priority value. +The options preference and order are synonyms with priority. .TP .BI table " TABLEID" the routing table identifier to lookup if the rule selector matches. +It is also possible to use lookup instead of table. .TP .BI realms " FROM/TO" @@ -1589,6 +1591,7 @@ may be either the start of the block of NAT addresses (selected by NAT routes) or a local host address (or even zero). In the last case the router does not translate the packets, but masquerades them to this address. +Using map-to instead of nat means the same thing. .B Warning: Changes to the RPDB made with these commands do not become active @@ -1601,6 +1604,7 @@ This command has no arguments. .SS ip rule show - list rules This command has no arguments. +The options list or lst are synonyms with show. .SH ip maddress - multicast addresses management From fb8cc5b26874bc67c4924155711b3f49f0d9b1ee Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 24 Jan 2008 13:14:28 -0800 Subject: [PATCH 11/12] update headers to current net-2.6.25 
Signed-off-by: Stephen Hemminger --- include/linux/netfilter.h | 2 ++ include/linux/pkt_cls.h | 3 ++- include/linux/pkt_sched.h | 2 ++ include/linux/tc_ematch/tc_em_meta.h | 1 + include/linux/xfrm.h | 6 +++--- 5 files changed, 10 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index e68f362c..2e4dd9d3 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -40,6 +40,8 @@ union nf_inet_addr { u_int32_t all[4]; __be32 ip; __be32 ip6[4]; + struct in_addr in; + struct in6_addr in6; }; #endif /*__LINUX_NETFILTER_H*/ diff --git a/include/linux/pkt_cls.h b/include/linux/pkt_cls.h index 30b8571e..afb79d08 100644 --- a/include/linux/pkt_cls.h +++ b/include/linux/pkt_cls.h @@ -409,7 +409,8 @@ enum #define TCF_EM_U32 3 #define TCF_EM_META 4 #define TCF_EM_TEXT 5 -#define TCF_EM_MAX 5 +#define TCF_EM_VLAN 6 +#define TCF_EM_MAX 6 enum { diff --git a/include/linux/pkt_sched.h b/include/linux/pkt_sched.h index 919af93b..32761352 100644 --- a/include/linux/pkt_sched.h +++ b/include/linux/pkt_sched.h @@ -83,6 +83,8 @@ struct tc_ratespec __u32 rate; }; +#define TC_RTAB_SIZE 1024 + /* FIFO section */ struct tc_fifo_qopt diff --git a/include/linux/tc_ematch/tc_em_meta.h b/include/linux/tc_ematch/tc_em_meta.h index e21937cf..c50d2ba5 100644 --- a/include/linux/tc_ematch/tc_em_meta.h +++ b/include/linux/tc_ematch/tc_em_meta.h @@ -81,6 +81,7 @@ enum TCF_META_ID_SK_SNDTIMEO, TCF_META_ID_SK_SENDMSG_OFF, TCF_META_ID_SK_WRITE_PENDING, + TCF_META_ID_VLAN_TAG, __TCF_META_ID_MAX }; #define TCF_META_ID_MAX (__TCF_META_ID_MAX - 1) diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index d28e0c4b..24999dda 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -91,9 +91,9 @@ struct xfrm_replay_state }; struct xfrm_algo { - char alg_name[64]; - int alg_key_len; /* in bits */ - char alg_key[0]; + char alg_name[64]; + unsigned int alg_key_len; /* in bits */ + char alg_key[0]; }; struct xfrm_stats { 
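Review bot: `union nf_inet_addr` now embeds `struct in_addr` and `struct in6_addr`, but include/linux/netfilter.h as created in patch 03 has no include of its own, so the header compiles only if the includer happened to pull in <netinet/in.h> (or the linux/in.h and linux/in6.h pair) beforehand. Add the include at the top of netfilter.h; the kernel copy can rely on its own include order, the iproute2 copy cannot. In the xfrm.h hunk, `alg_key_len` turning `unsigned int` is the right type for a bit count, but any `alg_key_len / 8` arithmetic compared against signed lengths elsewhere in ip/xfrm_*.c (outside this series) should be rechecked for signed/unsigned comparisons.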
From 9becb950e95f9f2b9650e34ec0e0973300e981a4 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 24 Jan 2008 13:16:41 -0800 Subject: [PATCH 12/12] vlan meta tag match Signed-off-by: Stephen Hemminger --- tc/em_meta.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tc/em_meta.c b/tc/em_meta.c index b727422c..bec9db03 100644 --- a/tc/em_meta.c +++ b/tc/em_meta.c @@ -109,6 +109,7 @@ struct meta_entry { __A(SK_ERR_QLEN, "sk_err_queue", "i", "Error queue length"), __A(SK_FORWARD_ALLOCS, "sk_fwd_alloc", "i", "Forward allocations"), __A(SK_SNDBUF, "sk_sndbuf", "i", "Send buffer size"), + __A(VLAN_TAG, "vlan", "i", "Vlan tag"), #undef __A };