From e133fa9c73835f5b80236ae20eaba765f1bfe553 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 5 May 2020 08:37:41 -0700 Subject: [PATCH 1/7] ss: add support for Gbit speeds in sprint_bw() Also use 'g' specifier instead of 'f' to remove trailing zeros, and increase precision. Examples of output : Before After 8.0Kbps 8Kbps 9.9Mbps 9.92Mbps 55001Mbps 55Gbps Signed-off-by: Eric Dumazet Signed-off-by: Stephen Hemminger --- misc/ss.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/misc/ss.c b/misc/ss.c index 3ef151fb..ab206b20 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -2382,10 +2382,12 @@ static char *sprint_bw(char *buf, double bw) { if (numeric) sprintf(buf, "%.0f", bw); - else if (bw > 1000000.) - sprintf(buf, "%.1fM", bw / 1000000.); - else if (bw > 1000.) - sprintf(buf, "%.1fK", bw / 1000.); + else if (bw >= 1e9) + sprintf(buf, "%.3gG", bw / 1e9); + else if (bw >= 1e6) + sprintf(buf, "%.3gM", bw / 1e6); + else if (bw >= 1e3) + sprintf(buf, "%.3gK", bw / 1e3); else sprintf(buf, "%g", bw); From 8142c76232324d13800b6cfd5b110cb6b134a491 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 5 May 2020 10:18:58 -0700 Subject: [PATCH 2/7] ss: update to bw print Display kilobit with the standard suffix. Add comment to describe where data rate suffixes come from. Add support for terrabit. Signed-off-by: Stephen Hemminger --- misc/ss.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/misc/ss.c b/misc/ss.c index ab206b20..75fde231 100644 --- a/misc/ss.c +++ b/misc/ss.c 
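Review bot: `%.3g` switches to exponent notation once the scaled value rounds to 1000 or more, so in the new `sprint_bw` branches a rate of 999.9e6 prints as `1e+03M`, and with G as the largest unit here 1.5e12 prints as `1.5e+03G`. The same format appears in the patch 2 `sprint_bw` hunk and in the `print_time` and `print_time64` hunks of lib/utils.c, where seconds is the top unit and one hour would print as `3.6e+03s`. Choosing the unit after rounding would avoid this, as would a fixed-format fallback placed ahead of the `bw >= 1e9` test, for example `else if (bw >= 999.5e9) sprintf(buf, "%.0fG", bw / 1e9);`. The body of `sprint_bw` continues outside the hunk.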
@@ -2378,16 +2378,23 @@ static int proc_inet_split_line(char *line, char **loc, char **rem, char **data) return 0; } +/* + * Display bandwidth in standard units + * See: https://en.wikipedia.org/wiki/Data-rate_units + * bw is in bits per second + */ static char *sprint_bw(char *buf, double bw) { if (numeric) sprintf(buf, "%.0f", bw); + else if (bw >= 1e12) + sprintf(buf, "%.3gT", bw / 1e12); else if (bw >= 1e9) sprintf(buf, "%.3gG", bw / 1e9); else if (bw >= 1e6) sprintf(buf, "%.3gM", bw / 1e6); else if (bw >= 1e3) - sprintf(buf, "%.3gK", bw / 1e3); + sprintf(buf, "%.3gk", bw / 1e3); else sprintf(buf, "%g", bw); From 0ecb90b33c4f4c20b859b1f1245b65e36e963cff Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 5 May 2020 08:43:48 -0700 Subject: [PATCH 3/7] tc: fq: fix two issues My latest patch missed the fact that this file got JSON support. Also fixes a spelling error added during JSON change. Fixes: be9ca9d54123 ("tc: fq: add timer_slack parameter") Fixes: d15e2bfc042b ("tc: fq: add support for JSON output") Signed-off-by: Eric Dumazet Signed-off-by: Stephen Hemminger --- tc/q_fq.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tc/q_fq.c b/tc/q_fq.c index ffae0523..98d1bf40 100644 --- a/tc/q_fq.c +++ b/tc/q_fq.c @@ -379,7 +379,9 @@ static int fq_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt) if (tb[TCA_FQ_TIMER_SLACK] && RTA_PAYLOAD(tb[TCA_FQ_TIMER_SLACK]) >= sizeof(__u32)) { timer_slack = rta_getattr_u32(tb[TCA_FQ_TIMER_SLACK]); - fprintf(f, "timer_slack %s ", sprint_time64(timer_slack, b1)); + print_uint(PRINT_JSON, "timer_slack", NULL, timer_slack); + print_string(PRINT_FP, NULL, "timer_slack %s ", + sprint_time64(timer_slack, b1)); } return 0; 
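Review bot: The comment added above `sprint_bw` documents the units but not the buffer contract, and every branch writes with unbounded `sprintf` into a caller-supplied `buf` whose size is not visible in this hunk. The `numeric` branch is the long one: `%.0f` prints every integer digit of a double, so a very large `bw` produces far more characters than the scaled branches do. I would add a line to the comment such as `* buf must be large enough for the longest output; sprintf() here is unbounded`, and consider a length parameter with `snprintf` if the callers allow it. The function body continues past the end of the hunk.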
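Review bot: The JSON branch in `fq_print_opt` emits the raw `timer_slack` integer while the text branch prints a scaled string with a unit suffix, and nothing in the hunk says what unit the JSON number is in. A one-line comment above the `print_uint` call would help JSON consumers and later maintainers, e.g. `/* JSON carries the raw value (presumably nanoseconds, as passed to sprint_time64()); text output is humanized */`. `fq_print_opt` starts before the hunk, so other fields may already follow a convention this should match.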
@@ -442,7 +444,7 @@ static int fq_print_xstats(struct qdisc_util *qu, FILE *f, print_nl(); print_lluint(PRINT_ANY, "pkts_too_long", " pkts_too_long %llu", st->pkts_too_long); - print_lluint(PRINT_ANY, "alloc_errors", " alloc_erros %llu", + print_lluint(PRINT_ANY, "alloc_errors", " alloc_errors %llu", st->allocation_errors); } From 924c43778a8453e2cd0fd1440b9224bed9c87c0d Mon Sep 17 00:00:00 2001 From: Paul Blakey Date: Thu, 14 May 2020 17:10:20 +0300 Subject: [PATCH 4/7] man: tc-ct.8: Add manual page for ct tc action Signed-off-by: Paul Blakey Signed-off-by: Stephen Hemminger --- man/man8/tc-ct.8 | 107 +++++++++++++++++++++++++++++++++++++++++++ man/man8/tc-flower.8 | 6 +++ 2 files changed, 113 insertions(+) create mode 100644 man/man8/tc-ct.8 diff --git a/man/man8/tc-ct.8 b/man/man8/tc-ct.8 new file mode 100644 index 00000000..45d29320 --- /dev/null +++ b/man/man8/tc-ct.8 
@@ -0,0 +1,107 @@ +.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux" +.SH NAME +ct \- tc connection tracking action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR "tc ... action ct commit [ force ] [ zone " +.IR ZONE +.BR "] [ mark " +.IR MASKED_MARK +.BR "] [ label " +.IR MASKED_LABEL +.BR "] [ nat " +.IR NAT_SPEC +.BR "]" + +.ti -8 +.BR "tc ... action ct [ nat ] [ zone " +.IR ZONE +.BR "]" + +.ti -8 +.BR "tc ... action ct clear" + +.SH DESCRIPTION +The ct action is a tc action for sending packets and interacting with the netfilter conntrack module. + +It can (as shown in the synopsis, in order): + +Send the packet to conntrack, and commit the connection, while configuring +a 32bit mark, 128bit label, and src/dst nat. + +Send the packet to conntrack, which will mark the packet with the connection's state and +configured metadata (mark/label), and execute previous configured nat. + +Clear the packet's of previous connection tracking state. + +.SH OPTIONS +.TP +.BI zone " ZONE" +Specify a conntrack zone number on which to send the packet to conntrack. +.TP +.BI mark " MASKED_MARK" +Specify a masked 32bit mark to set for the connection (only valid with commit). +.TP +.BI label " MASKED_LABEL" +Specify a masked 128bit label to set for the connection (only valid with commit). +.TP +.BI nat " NAT_SPEC" +.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]" + +Specify src/dst and range of nat to configure for the connection (only valid with commit). +.RS +.TP +src/dst - configure src or dst nat +.TP +.BI "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses" +.TP +.BI "" "port1" "/" "port2" " - Port numbers" +.RE +.TP +.BI nat +Restore any previous configured nat. +.TP +.BI clear +Remove any conntrack state and metadata (mark/label) from the packet (must only option specified). 
+.TP +.BI force +Forces conntrack direction for a previously commited connections, so that current direction will become the original direction (only valid with commit). + +.SH EXAMPLES +Example showing natted firewall in conntrack zone 2, and conntrack mark usage: +.EX + +#Add ingress qdisc on eth0 and eth1 interfaces +.nf +$ tc qdisc add dev eth0 handle ingress +$ tc qdisc add dev eth1 handle ingress + +#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection +$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\ +action ct zone 2 pipe action goto chain 2 +$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\ +action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1 +$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\ +action ct nat pipe action mirred egress redirect dev eth1 + +#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case) +$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\ +action ct zone 2 pipe action goto chain 1 +$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\ +action ct nat pipe action mirred egress redirect dev eth0 +.fi + +.EE + +.RE +.SH SEE ALSO +.BR tc (8), +.BR tc-flower (8) +.BR tc-mirred (8) +.SH AUTHORS +Paul Blakey + +Marcelo Ricardo Leitner + +Yossi Kuperman diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8 index eb9eb5f0..12df48dc 100644 --- a/man/man8/tc-flower.8 +++ b/man/man8/tc-flower.8 
@@ -1,5 +1,11 @@ .TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux" + "Usage: ct clear\n" + " ct commit [force] [zone ZONE] [mark MASKED_MARK] [label MASKED_LABEL] [nat NAT_SPEC] [OFFLOAD_POLICY]\n" + " ct [nat] [zone ZONE] [OFFLOAD_POLICY]\n" + "Where: ZONE is the conntrack zone table number\n" + " NAT_SPEC is {src|dst} addr addr1[-addr2] [port port1[-port2]]\n" + " OFFLOAD_POLICY is [policy_pkts PACKETS] [policy_timeout TIMEOUT]\n" .SH NAME flower \- flow based traffic control filter .SH SYNOPSIS From d7c67a6ed43f84022eda9d0fa818742c58e56ec7 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 5 May 2020 12:46:18 -0700 Subject: [PATCH 5/7] utils: remove trailing zeros in print_time() and print_time64() Before : tc qd sh dev eth1 ... refill_delay 40.0ms timer_slack 10.000us horizon 10.000s After : ... refill_delay 40ms timer_slack 10us horizon 10s Signed-off-by: Eric Dumazet Signed-off-by: Stephen Hemminger --- lib/utils.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/utils.c b/lib/utils.c index c6f19ce1..c98021d6 100644 --- a/lib/utils.c +++ b/lib/utils.c @@ -1628,9 +1628,9 @@ static void print_time(char *buf, int len, __u32 time) double tmp = time; if (tmp >= TIME_UNITS_PER_SEC) - snprintf(buf, len, "%.1fs", tmp/TIME_UNITS_PER_SEC); + snprintf(buf, len, "%.3gs", tmp/TIME_UNITS_PER_SEC); else if (tmp >= TIME_UNITS_PER_SEC/1000) - snprintf(buf, len, "%.1fms", tmp/(TIME_UNITS_PER_SEC/1000)); + snprintf(buf, len, "%.3gms", tmp/(TIME_UNITS_PER_SEC/1000)); else snprintf(buf, len, "%uus", time); } 
@@ -1681,11 +1681,11 @@ static void print_time64(char *buf, int len, __s64 time) double nsec = time; if (time >= NSEC_PER_SEC) - snprintf(buf, len, "%.3fs", nsec/NSEC_PER_SEC); + snprintf(buf, len, "%.3gs", nsec/NSEC_PER_SEC); else if (time >= NSEC_PER_MSEC) - snprintf(buf, len, "%.3fms", nsec/NSEC_PER_MSEC); + snprintf(buf, len, "%.3gms", nsec/NSEC_PER_MSEC); else if (time >= NSEC_PER_USEC) - snprintf(buf, len, "%.3fus", nsec/NSEC_PER_USEC); + snprintf(buf, len, "%.3gus", nsec/NSEC_PER_USEC); else snprintf(buf, len, "%lldns", time); } From 1c7aa121045c5e4de17b7e8a909c158c975b8578 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 19 May 2020 14:31:54 -0700 Subject: [PATCH 6/7] uapi: update to bpf.h Part of the zero-length array changes Signed-off-by: Stephen Hemminger --- include/uapi/linux/bpf.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 60684b7b..bc84f10a 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -73,7 +73,7 @@ struct bpf_insn { /* Key of an a BPF_MAP_TYPE_LPM_TRIE entry */ struct bpf_lpm_trie_key { __u32 prefixlen; /* up to 32 for AF_INET, 128 for AF_INET6 */ - __u8 data[]; /* Arbitrary size */ + __u8 data[0]; /* Arbitrary size */ }; struct bpf_cgroup_storage_key { From db35e411ec17bf9da67f22f995fe1e8d5edcda98 Mon Sep 17 00:00:00 2001 From: Roman Mashak Date: Tue, 19 May 2020 20:59:44 -0400 Subject: [PATCH 7/7] tc: action: fix time values output in JSON format Report tcf_t values in seconds, not jiffies, in JSON format as it is now for stdout. v2: use PRINT_ANY, drop the useless casts and fix the style (Stephen Hemminger) Fixes: 2704bd625583 ("tc: jsonify actions core") Cc: Jiri Pirko Signed-off-by: Roman Mashak Signed-off-by: Stephen Hemminger --- tc/tc_util.c | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/tc/tc_util.c b/tc/tc_util.c index 12f865cc..fd5fcb24 100644 --- a/tc/tc_util.c 
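Review bot: Replacing `%.3f` with `%.3g` in `print_time64` does more than drop trailing zeros: the old format kept three decimals and the new one keeps three significant digits, so 12.345 ms used to print as `12.345ms` and now prints as `12.3ms`. The commit message only mentions trailing zeros, so the loss of resolution may be unintended. The `print_time` hunk before it similarly turns 123.4 s from `123.4s` into `123s`. If the old resolution matters, a wider precision such as `"%.6gs"` still strips zeros while keeping the digits; a short comment stating the chosen precision would help either way.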
+++ b/tc/tc_util.c @@ -750,21 +750,17 @@ void print_tm(FILE *f, const struct tcf_t *tm) { int hz = get_user_hz(); - if (tm->install != 0) { - print_uint(PRINT_JSON, "installed", NULL, tm->install); - print_uint(PRINT_FP, NULL, " installed %u sec", - (unsigned int)(tm->install/hz)); - } - if (tm->lastuse != 0) { - print_uint(PRINT_JSON, "last_used", NULL, tm->lastuse); - print_uint(PRINT_FP, NULL, " used %u sec", - (unsigned int)(tm->lastuse/hz)); - } - if (tm->expires != 0) { - print_uint(PRINT_JSON, "expires", NULL, tm->expires); - print_uint(PRINT_FP, NULL, " expires %u sec", - (unsigned int)(tm->expires/hz)); - } + if (tm->install != 0) + print_uint(PRINT_ANY, "installed", " installed %u sec", + tm->install / hz); + + if (tm->lastuse != 0) + print_uint(PRINT_ANY, "last_used", " used %u sec", + tm->lastuse / hz); + + if (tm->expires != 0) + print_uint(PRINT_ANY, "expires", " expires %u sec", + tm->expires / hz); } static void print_tcstats_basic_hw(struct rtattr **tbs, char *prefix)
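Review bot: `print_tm` now reports seconds under the unchanged JSON keys `installed`, `last_used` and `expires`, but nothing in the function records that the raw fields are jiffies or that the output is whole seconds. A comment above the function would make the contract explicit, e.g. `/* tcf_t times are in jiffies; print whole seconds (value / get_user_hz()) for both JSON and text */`. The three divisions also rely on `get_user_hz()` never returning 0, which is not visible in this hunk. If that is not guaranteed, a guard such as `if (hz <= 0) return;` before the first division would rule out a divide-by-zero.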