Commit Graph

501 Commits

Author SHA1 Message Date
Nicolas Dichtel dc8867d0ff ip/xfrm: all to set flag XFRM_SA_XFLAG_DONT_ENCAP_DSCP
For the display part, we print extra-flags only if show_stats is set, like for
standard flags.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
2013-05-17 08:38:26 -07:00
Stephen Hemminger 2a126a85fe vxlan: nag user to set port value
This change shifts burden onto the users to choose the UDP port value.
Kernel default value is incorrect UDP port 5287 but now there is
an official assigned port for VXLAN.

The kernel can't change because of legacy compatibility
but new deployments should not use the legacy port value.
2013-05-15 15:09:57 -07:00
Stephen Hemminger d85e0a59d4 Add vxlan destination port option
Add ability to set UDP destination port on a per device basis.
If no port is assigned, the default IANA assigned port will be used.
If you want the kernel default value, then use port 0.

Source port range option is now called 'srcport', to avoid
confusion. The old option syntax is accepted for compatibility.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
2013-05-03 13:18:45 -07:00
Daniel Borkmann 191b60bd73 ip: ipv6: add tokenized interface identifier support
This patch adds support for tokenized IIDs, that enable
administrators to assign well-known host-part addresses
to nodes whilst still obtaining global network prefix
from Router Advertisements. This is the iproute2 part for
the kernel patch f53adae4eae5 (``net: ipv6: add tokenized
interface identifier support'').

Example commands with iproute2:

Setting a device token:
  # ip token set ::1a:2b:3c:4d/64 dev eth1

Getting a device token:
  # ip token get dev eth1
  token ::1a:2b:3c:4d dev eth1

Listing all tokens:
  # ip token list  (or: ip token)
  token :: dev eth0
  token ::1a:2b:3c:4d dev eth1

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
2013-05-03 13:17:21 -07:00
Nicolas Dichtel b0a9dbb816 ip: add missing help about mode argument
There are three possibilities: only IPv6, only IPv4 or both.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2013-05-03 12:29:22 -07:00
Stephen Hemminger 03fdb011dd ipnetns: fix build on older systems
Debian Squeeze has out of date <sys/mount.h> without the required flags.
2013-04-17 13:35:48 -07:00
Stephen Hemminger f0124b0f0a ip: remove unnecessary ll_init_map
Don't call ll_init_map on modify operations
Saves significant overhead with 1000's of devices.
2013-03-28 15:17:47 -07:00
David Ward e8740e42ec ip/xfrm: Improve error strings
Quotation marks are now used only to indicate literal text on the
command line.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:42:32 -07:00
David Ward 29665f92c7 ip/xfrm: Improve usage text and documentation
Change ALGO-KEY to ALGO-KEYMAT to make it more obvious that the
keying material might need to contain more than just the key (such
as a salt or nonce value).

List the algorithm names that currently exist in the kernel.

Indicate that for IPComp, the Compression Parameter Index (CPI) is
used as the SPI.

Group the list of mode values by transform protocol.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
David Ward f3b9aa3df8 ip/xfrm: Command syntax should not expect a key for compression
Compression algorithms do not use a key.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
David Ward 8dbe67d2fe ip/xfrm: Do not print a zero-length algorithm key
Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
David Ward 6128fdfd5c ip/xfrm: Improve transform protocol-specific parameter checking
Ensure that only algorithms and modes supported by the transform
protocol are specified (so that errors are more obvious).

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
David Ward ec839527f2 ip/xfrm: Do not allow redundant algorithm combinations to be specified
AEAD algorithms perform both encryption and authentication; they are
not combined with separate encryption or authentication algorithms.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
David Ward 1d26e1fefd ip/xfrm: Extend SPI validity checking
A Security Policy Index (SPI) is not used with Mobile IPv6. IPComp
uses a smaller 16-bit Compression Parameter Index (CPI) which is
passed as the SPI value. Perform checks whenever specifying an ID.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-03-28 14:40:45 -07:00
James Chapman dd10baa50d iproute2: add l2spec_type param to l2tp add session
When unmanaged L2TP sessions are created using "ip l2tp add session",
there is no option to allow the session's Layer2SpecificHeader type to
be selected - the kernel's default setting is always used. For
interoperability with some vendor equipment, it might be necessary to
use a different setting. So add a new l2spec_type parameter to the "ip
l2tp add session" parameter list, allowing operators to set a specific
Layer2SpecificHeader type. The kernel already exposes the setting as a
netlink attribute so it is straightforward to add support for it in
iproute2.

This change allows unmanaged L2TP sessions to be configured between
Linux and some Cisco equipment by specifying "l2spec_type none" in "ip
l2tp add session" command parameters.

Signed-off-by: James Chapman <jchapman@katalix.com>
2013-03-27 13:20:58 -07:00
Thomas Egerer 0c5982fd7f ip xfrm state: Allow different selector family
My previous commit introduced a patch to allow for states with different
ip address families for selector and id. There must have somehow been a
mixup of the patch I tested and the one I sent, so the patch sent breaks
the iproute2 build. This patch fixes this. My apologies.

Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
2013-03-20 08:11:54 -07:00
Thomas Egerer 23d5b0d551 ip xfrm state: Allow different selector family
Do not enforce the selector of a state to have the same address family
as the id. This makes it possible to configure inter family states.

Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
2013-03-18 10:23:00 -07:00
Stephen Hemminger 1124ffb721 ipaddress: minor white space cleanup
Convert leading spaces to tabs, and put alias in one printf
2013-03-14 13:47:49 -07:00
Stephen Hemminger d947b2384e ipmaddr: add whitespace around =
fix warning from parser
2013-03-14 13:44:25 -07:00
Petr Šabata 4405123433 iproute2: Mention the 'up' argument in documentation
Both ip-link and ip-address support the 'up' argument, however this
isn't documented in either their help outputs or ip-address' manpage.
This patch fixes that.

Signed-off-by: Petr Šabata <contyk@redhat.com>
Reported-by: Jiří Popelka <jpopelka@redhat.com>
2013-03-14 13:26:33 -07:00
Stephen Hemminger e7b24b67db Fix build when shared libraries are disabled
On some platforms, shared libraries are not used. The stub code
needs some updating to not generate errors.
2013-03-13 08:29:59 -07:00
roopa 263c894fd1 Fix -oneline output when alias present
This patch removes '\n' in -oneline output when alias
present on interface

Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
2013-03-12 15:50:13 -07:00
Eric W. Biederman f480917486 iproute2: Document the -D and -I options
While looking into a sysctl regression in decnet on old kernels I
discovered this omission in the iproute2 documentation.

I can't imagine anyone's muscle memory remembering the longer forms.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-03-11 16:53:37 -07:00
David Ward 4e9a686020 iplink_vlan: Add flag for Multiple VLAN Registration Protocol (MVRP)
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Patrick McHardy <kaber@trash.net>
2013-03-06 10:46:37 -08:00
Stephen Hemminger ae70d96656 ipntable: more fixes for ppc64
Not all arch have sizeof(unsigned long long) == sizeof(__u64)
2013-03-04 13:59:39 -08:00
Stephen Hemminger a55a8fd83b fix dependency on sizeof(__u64) == sizeof(unsigned long long)
Some platforms like ppc64 have unsigned long long as 128 bits, and
the printf format string would cause errors. Resolve this by using
unsigned long long where necessary (or unsigned long).
2013-02-28 08:51:46 -08:00
Stephen Hemminger a7c2882461 ip: fix ipv6 ntable on ppc64
Add casts to handle printf format when
 sizeof(unsigned long long) != sizeof(__u64)
2013-02-27 07:26:17 -08:00
Stephen Hemminger caae16b3b8 ip: handle flush with table > 2^31
Fixes Debian bug #700434
Need the table id in filter to be unsigned to avoid conversion to -1

The documentation for "ip" suggests that, when using multiple routing tables, the table ID can be an arbitrary 32 bit number. I've been writing a script that calculates a table ID based on an IP address and sets up tables accordingly based on it. This seems to work for everything I've tried except "ip route flush". If you specify a table to flush with an ID over 2^31, it flushes all IPv4 routing tables. For example:

Will delete all routing tables, including the default one. Needless to say, this is quite annoying. I think this is an upstream bug, but your opinions will be greatly appreciated.
2013-02-12 11:42:57 -08:00
Stephen Hemminger d1f28cf181 ip: make local functions static 2013-02-12 11:38:35 -08:00
Kees van Reeuwijk 14645ec231 iproute2: improved error messages
This patch improves many error messages as follows:
- For incorrect parameters, show the value of the offending parameter, rather than just say that it is incorrect
- Rephrased messages for clarity
- Rephrased to more `mainstream' English

Signed-off-by: Kees van Reeuwijk <reeuwijk@few.vu.nl>
2013-02-11 09:22:22 -08:00
Kees van Reeuwijk ecf52428da iproute2: add a missing return statement
Since do_help() has to return an int to fit in the table of commands,
it should actually return an int. This patch lets it do so.

Signed-off-by: Kees van Reeuwijk <reeuwijk@few.vu.nl>
2013-02-11 09:22:17 -08:00
Stephen Hemminger 1cb6a110d6 ip: change format of promiscuity display
Don't put it on separate line, keep it on line with link address.
2013-02-05 08:16:28 -08:00
Nicolas Dichtel ede6a3eaf5 iplink: display the value of IFLA_PROMISCUITY
This is useful to know the 'real' status of an interface (the flag IFF_PROMISC
is exported by the kernel only when the user set it explicitly, for example it
will not be exported when a tcpdump is running).

This information will be displayed when '-details' is provided by the user.

Example:
$ ip -d l l tun10
6: tun10: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT
    link/sit 10.16.0.249 peer 10.16.0.121
    sit remote 10.16.0.121 local 10.16.0.249 ttl inherit pmtudisc 6rd-prefix 2002::/16
    promiscuity 2

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2013-02-05 08:06:59 -08:00
Nicolas Dichtel d36035185c ipaddr: fix a typo in error msg about SIOCGIFTXQLEN
The optname was wrong.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2013-02-04 09:05:31 -08:00
David Ward e59fd3db2e ip/iptunnel: Extend TOS syntax
The 'inherit/STRING' or 'inherit/00..ff' syntax indicates that the
TOS field of tunneled packets should be copied from the original IP
header, but for non-IP packets the value STRING or 00..ff should be
used instead. (This syntax is already used by 'ip tunnel show'.)

Also clarify the man page and the command usage text (particularly
that the TOS is not specified as a decimal number).

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2013-02-04 08:56:45 -08:00
Eric W. Biederman 9a7b3d91b6 iproute2: Add "ip netns pids" and "ip netns identify"
Add commands that go between network namespace names and process
identifiers.  The code builds and runs against older kernels but
only works on Linux 3.8+ kernels where I have fixed stat to work
properly.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-02-04 08:35:07 -08:00
Eric W. Biederman 58a3e8270f iproute2: Make "ip netns delete" more likely to succeed
Sometimes "ip netns delete" fails because it can not delete the file a
network namespace was mounted on.  If this only happened when a
network namespace was really in use this would be fine, but today it
is possible to pin all network namespaces by simply having a long
running process started with "ip netns exec".

Every mount is copied when a network namespace is created so it is
impossible to prevent the mounts from getting into other mount
namespaces.  Modify all mounts in the files and subdirectories of
/var/run/netns to be shared mount points so that unmount events can
propagate, making it unlikely that "ip netns delete" will fail because
a directory is mounted in another mount namespace.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-02-04 08:33:58 -08:00
Eric W. Biederman 4395d48c78 iproute2: Improve "ip netns add" failure error message
Report the name of the network namespace that could not be
added.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-02-04 08:33:55 -08:00
Eric W. Biederman 8e2d47dce2 iproute2: Normalize return codes in "ip netns"
Ben Hutchings pointed out that the return value of do_netns is passed
to exit and the current convention of returning -1 for failure is
inconsistent with that reality.

Return EXIT_FAILURE instead of -1 and EXIT_SUCCESS instead of 0.  To make
it clear that the return codes are expected to be passed to exit.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-02-04 08:33:53 -08:00
Eric W. Biederman 144e6ce167 iproute2: Don't propogate mounts out of ip
Some systems are now following the advice in
linux/Documentation/sharedsubtrees.txt and running with all mount
points shared between all mount namespaces by default.

After creating the mount namespace call mount on / with
MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
slave mounts if they are shared or private mounts otherwise.
Guaranteeing that changes to the mount namespace created with
"ip netns exec" don't propagate to other namespaces.

Reported-by: Petr Šabata <contyk@redhat.com>
Tested-by: Petr Šabata <contyk@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-02-04 08:33:50 -08:00
Mike Frysinger 048bff6e02 ipxfrm: use alloca to allocate stack space
Clang doesn't support the gcc extension for embedding flexible arrays
inside of structures.  Use the slightly more portable alloca().

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2013-01-18 08:17:12 -08:00
Strake 5bd9dd49ae include needed files
Needed to build iproute2 with musl
2012-12-23 11:49:06 -08:00
Nicolas Dichtel cbe195dc6b ip: update man pages and usage() for 'ip monitor'
Sync with the current code.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-17 08:47:51 -08:00
Zhi Yong Wu 602e9d36ba ip: add the type 'vxlan' in the output of "ip link help"
The new type 'vxlan' is added in the output of "ip link help"

Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
2012-12-17 08:15:57 -08:00
Nicolas Dichtel e34d3dcce2 ip: use rtnelink to manage mroute
mroute was using /proc/net/ip_mr_[vif|cache] to display mroute entries. Hence,
only RT_TABLE_DEFAULT was displayed and only IPv4.
With rtnetlink, it is possible to display all tables for IPv4 and IPv6. The output
format is kept. Also, like before the patch, statistics are displayed when the user specifies
the '-s' argument.

The patch also adds the support of 'ip monitor mroute', which is now possible.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-14 10:08:17 -08:00
Nicolas Dichtel 2a898320be ip: update mand pages and usage() for 'ip mroute'
Sync with the current code.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-14 09:56:47 -08:00
Nicolas Dichtel 195f0f62d7 ip/link_iptnl: fix indentation Logged in as shemminger
Use tabs instead of space when possible.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-14 09:50:33 -08:00
David L Stevens 1556e29d3c add DOVE extensions for iproute2
This patch adds a new flag to iproute2 for vxlan devices to enable
DOVE features. It also adds support for L2 and L3 switch lookup miss
netlink messages to "ip monitor".

Changes since v2: fix merge conflict
Changes since v1:
	- split "dove" flag into separate feature flags:
		- "proxy" for ARP reduction
		- "rsc" for route short circuiting
		- "l2miss" for L2 switch miss notifications
		- "l3miss" for L3 switch miss notifications

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
2012-12-12 10:02:19 -08:00
Nicolas Dichtel 1ce2de9738 ip: add support of 'ip link type [ipip|sit]'
This patch allows to manage ip tunnels via the interface ip link.
The syntax for parameters is the same that 'ip tunnel'.

It also allows to display tunnels parameters with 'ip -details link' or
'ip -details monitor link'.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-12 09:10:22 -08:00
Nicolas Dichtel 9d0efc1048 ip: add support of 'ip link type ip6tnl'
This patch allows to manage ip6 tunnels via the interface ip link.
The syntax for parameters is the same that 'ip -6 tunnel'.

It also allows to display tunnels parameters with 'ip -details link' or
'ip -details monitor link'.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-12-12 09:09:23 -08:00
Nicolas Dichtel 4852ba750a ip: add support of netconf messages
Example of the output:
$ ip monitor netconf&
[1] 24901
$ echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
ipv6 dev lo forwarding off
ipv6 dev eth0 forwarding off
ipv6 all forwarding off
$ echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
ipv4 dev eth0 forwarding on

$ ip -6 netconf
ipv6 all forwarding on mc_forwarding 0
$ ip netconf show dev eth0
ipv4 dev eth0 forwarding on rp_filter off mc_forwarding 1

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Minor cleanup of original patch, made sure netconf.h matched
result of sanitized kernel headers
2012-12-12 09:05:51 -08:00
Nicolas Dichtel df5574d066 ip/ip6tunnel: fix update of tclass and flowlabel
When tclass or flowlabel field were updated, we only performed an OR with the
new value. For example, it was not possible to reset tclass:
  ip -6 tunnel change ip6tnl2 tclass 0

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-11-16 08:15:39 -08:00
Nicolas Dichtel 3f83dce573 ip/ip6tunnel: reset encap limit flag on change
Flag IP6_TNL_F_IGN_ENCAP_LIMIT is set when encaplimit is none, but it was not
removed if encaplimit was set on update (ip tunnel change).

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-11-16 08:15:39 -08:00
Nicolas Dichtel d0c8420c09 ip/ip6tunnel: fix help for TCLASS
Help is "[tclass TCLASS]", but only TOS was described.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-11-16 08:15:39 -08:00
Vincent Bernat 4d6c3796a5 ip: fix "ip -6 route add ... nexthop"
IPv6 multipath routes were not accepted by "ip route" because an IPv4
address was expected for each gateway. Use `get_addr()` instead of
`get_addr32()`.

Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-10-25 09:07:01 -07:00
Or Gerlitz de0389935f iplink: Added support for the kernel IPoIB RTNL ops
Added support to ipoib rtnl ops through which one can create, configure,
query and delete IPoIB devices, for example

 $ ip link add link ib0.8001 name ib0.8001 type ipoib pkey 0x8001
 $ ip link add link ib0.1 name ib0.1 type ipoib mode connected
 $ ip --details link show dev ib0.1

Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
2012-10-25 08:53:12 -07:00
Stephen Hemminger b64da5a5e0 vxlan: only send group address if defined
Don't send 0 as group address.
2012-10-19 13:25:17 -07:00
Stephen Hemminger 2d596120cf vxlan: add support for port range 2012-10-09 23:39:17 -07:00
Julian Anastasov ea63a69b6d iproute2: add support for tcp_metrics
ip tcp_metrics/tcpmetrics

	We support get/del for single entry and dump for
show/flush.

v3:
 - fix rtt/rttvar shifts as suggested by Eric Dumazet
 - show rtt/rttvar usecs as suggested by David Laight

Signed-off-by: Julian Anastasov <ja@ssi.bg>
2012-10-08 10:23:07 -07:00
Nicolas Dichtel 6ea3ebafe0 iproute2: inform user when a neighbor is removed
When running 'ip monitor neigh', there is no hint to tell if a neighbor is
updated or deleted.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2012-10-08 09:48:23 -07:00
Petr Písař 7f747fd937 iproute2: List interfaces without net address by default
This fixes regression in iproute2-3.5.1 when `ip addr show' skipped
interfaces without network layer address.

Wrong output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:54:00:0f:03 brd ff:ff:ff:ff:ff:ff
    inet 10.34.25.198/23 brd 10.34.25.255 scope global eth0
    inet6 2620:52:0:2219:250:54ff:fe00:f03/64 scope global dynamic
       valid_lft 2591919sec preferred_lft 604719sec
    inet6 fe80::250:54ff:fe00:f03/64 scope link
       valid_lft forever preferred_lft forever

Expected output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:54:00:0f:03 brd ff:ff:ff:ff:ff:ff
    inet 10.34.25.198/23 brd 10.34.25.255 scope global eth0
    inet6 2620:52:0:2219:250:54ff:fe00:f03/64 scope global dynamic
       valid_lft 2591896sec preferred_lft 604696sec
    inet6 fe80::250:54ff:fe00:f03/64 scope link
       valid_lft forever preferred_lft forever
5: veth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 8a:ec:35:34:1f:a8 brd ff:ff:ff:ff:ff:ff
6: veth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 2e:97:ef:77:40:82 brd ff:ff:ff:ff:ff:ff

Signed-off-by: Petr Písař <ppisar@redhat.com>
2012-10-03 08:47:14 -07:00
Stephen Hemminger a5494df2c1 vxlan support 2012-10-01 08:36:50 -07:00
Stephen Hemminger 27bca61531 Add support for AF_BRIDGE
This can be useful when displaying neighbour table
2012-09-17 15:50:27 -07:00
Julian Anastasov 328d482c48 iproute2: GENL: merge GENL_REQUEST and GENL_INITIALIZER
Both macros are used together, so better to have
single define. Update all requests in ipl2tp.c to use the
new macro.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
2012-09-17 15:46:45 -07:00
Pavel Emelyanov 81824ac228 iproute: Add ability to save, restore and show the interfaces' addresses (resend)
This functionality is required by checkpoint-restore project. Since the
dump and restore for routes is already done in ip tool it's natural to
dump and restore addresses in the ip tool as well.

The implementation logic is the same as for the respective one for routes.
The magic number digits are taken from the Seattle coordinates.

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-09-11 09:18:21 -07:00
Julian Anastasov 4ef9ff2a8f iproute2: use libgenl in ipl2tp
Use the common code from libgenl.c to parse family, and initialize
structures.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
2012-09-11 09:05:42 -07:00
Pavel Emelyanov 93b7986345 iproute: Add route showdump command (v2)
Some time ago the save+restore commands were added to ip route (git
id f4ff11e3, Add ip route save/restore). These two save the raw rtnl
stream into a file and restore one (reading it from stdin).

The problem is that there's no way to get the contents of the dump
file in a human readable form. The proposal is to add a command that
reads the rtnl stream from stdin and prints the data in a way the
usual "ip route list" does?

changes since v1:

* Take the magic at the beginning of the dump file into account
* Check for stdin (the dump is taken from) is not a tty

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-09-07 09:13:32 -07:00
Pavel Emelyanov 76c61b34a6 iproute: Add magic cookie to route dump file
In order to somehow verify that a blob contains route dump a
4-bytes magic is put at the head of the data and is checked
on restore.

Magic digits are taken from Portland (OR) coordinates :) Is
there any more reliable way of generating such?

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-09-07 09:10:51 -07:00
Dan Kenigsberg f1675d615b utils: invarg: msg precedes the faulty arg
fix all calls which reversed the arg order.

Signed-off-by: Dan Kenigsberg <danken@redhat.com>
2012-08-17 13:35:36 -07:00
Mike Frysinger af9d406f99 Fix regression with 'ip address show'
`ip a s` no longer shows addresses since 3.4.0 works, but 3.5.0,

the simple test case:
make clean && make -j -s && ./ip/ip a s lo

before that change, i would get:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

but after, i now get:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

seems like the bug was introduced in the middle of that patch:

-	if (filter.family != AF_PACKET) {
+	if (filter.family && filter.family != AF_PACKET) {
+		if (filter.oneline)
+			no_link = 1;
+
 		if (rtnl_wilddump_request(&rth, filter.family, RTM_GETADDR) < 0) {
 			perror("Cannot send dump request");
 			exit(1);
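Review bot: on the `+	if (filter.family && filter.family != AF_PACKET) {` line, the added `filter.family &&` test also skips the RTM_GETADDR dump request when no family is selected (filter.family is 0), which matches the report that `ip a s lo` prints only the link lines. Consider keeping the original `if (filter.family != AF_PACKET)` condition for the dump request and handling the `filter.oneline` / `no_link` case without gating the request on a non-zero family.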

if i revert the change to the if statement there, `ip a s` works for me again.
2012-08-13 08:09:52 -07:00
Jiri Pirko d992f3e611 iplink: add support for num[tr]xqueues 2012-08-01 16:19:55 -07:00
Saurabh 7357933907 iproute2: VTI support for ip link command.
Support for VTI via rt netlink.

Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
2012-08-01 16:13:32 -07:00
Saurabh Mohan eec476088a VTI support for ip tunnel
Configure VTI using 'ip tunnel'
2012-08-01 16:11:25 -07:00
Stephen Hemminger fa1f7441a9 Remove reference to multipath algorithms in usage
IP multipath algorithms support was removed several revisions ago.
Remove from usage as well
2012-07-26 16:12:20 -07:00
Stephen Hemminger 8d07e5f7d9 Refactor ipaddr_list_or_flush
Alternative solution to problem reported by Pravin B Shelar <pshelar@nicira.com>
Split large function ipaddr_list_or_flush into components.
Fix memory leak of address and link nlmsg info.
Avoid fetching address info if only flushing.
2012-07-13 13:37:50 -07:00
Eric Dumazet 62e2e54091 ip: speedup ip link
ip link has quadratic behavior because store_nlmsg()
has a head list pointer and searches the end of list.

Provides a head/tail to cut time.

Time with 128000 net devices, to do "ip link show dev xxx"

Before: 2m3.594s
After: 0m2.830s

Signed-off-by: Eric Dumazet <edumazet@google.com>
2012-06-11 14:55:23 -07:00
Chris Elston 6618e334ba iproute2: allow IPv6 addresses for l2tp local and remote parameters
Adds support for parsing IPv6 addresses to the parameters local and
remote in the l2tp commands. Requires netlink attributes L2TP_ATTR_IP6_SADDR
and L2TP_ATTR_IP6_DADDR, added in a required kernel patch already submitted
to netdev.

Also enables printing of IPv6 addresses returned by the L2TP_CMD_TUNNEL_GET
request.

Signed-off-by: Chris Elston <celston@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
2012-05-22 14:24:46 -07:00
Andreas Henriksson 6e30461e73 iproute2: man page and /bin/ip disagree on del vs delete
Reported by Robert Henney:
> the 'ip' man page does not mention the command "del" at all but does
> claim, "As a rule, it is possible to add, delete and show (or list ) objects".
> however, 'ip' does not always recognize "delete" as a command.
>
> robh@debian:~$ ip tunnel delete
> Command "delete" is unknown, try "ip tunnel help".

Let's use "delete" in all calls to matches() for consistency. This will
make both "del" and "delete" work everywhere.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
2012-05-21 15:17:28 -07:00
Stephen Hemminger e278088076 Revert "iproute2: allow IPv6 addresses for l2tp local and remote parameters"
This reverts commit 16eba34485.
Hold off until next release.
2012-04-26 08:06:38 -07:00
Chris Elston 16eba34485 iproute2: allow IPv6 addresses for l2tp local and remote parameters
Adds support for parsing IPv6 addresses to the parameters local and
remote in the l2tp commands. Requires netlink attributes L2TP_ATTR_IP6_SADDR
and L2TP_ATTR_IP6_DADDR, added in a required kernel patch already submitted
to netdev.

Also enables printing of IPv6 addresses returned by the L2TP_CMD_TUNNEL_GET
request.

Signed-off-by: Chris Elston <celston@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
2012-04-25 13:12:37 -07:00
Christoph J. Thompson 5c434a9e5a iproute2 - Fix up and simplify variables pointing to install directories
Define where the iproute2 config files are located.
Get rid of trailing slashes for paths in several files.

Signed-off-by: Christoph J. Thompson <cjsthompson@gmail.com>
2012-04-12 09:49:10 -07:00
Stephen Hemminger ff24746cca Convert to use rta_getattr_ functions
Use new functions (inspired by libmnl) to do type safe access
of routeing attributes
2012-04-10 08:47:55 -07:00
Jorge Boncompte [DTI2] 49b730d7b2 iproute: show metrics as an unsigned value
Avoids showing negative metrics.

Signed-off-by: Jorge Boncompte [DTI2] <jorge@dti2.net>
2012-04-10 08:23:59 -07:00
Stephen Hemminger 4ccfb44dfb Make link mode case independent
The link mode is printed in upper case, and following the general
rule that ip command output should work on input, allow either case.
2012-04-05 15:10:19 -07:00
Stephen Hemminger 4f2fdd44b6 Add ability to set link state with ip
Exposes existing netlink operations to modify link state of devices.
2012-04-05 15:08:57 -07:00
João Valverde ae5555d334 ipl2tp: allow setting session interface name
Hi,

I've attached a trivial patch for iproute2 to allow naming interfaces
created with "ip l2tp add session".

I believe patches should go through the netdev mailing list but this
patch is so small I figured that would just add noise. Hope that's OK.

Originally I thought I would need a bigger patch and was going to take a
stab at implementing something like

ip l2tp add tunnel L2TP_TUNNEL_ARGS
ip link add name NAME  [ LINK_OPTS ] type l2tp L2TP_SESSION_ARGS

(a better interface IMHO) but all the code was there already, all that I
needed to add was option parsing.

Thanks,

João Valverde

From fd8c3b712527d2e959aeabc6f6b71a9910e7be7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Valverde?= <joao.valverde@ist.utl.pt>
Date: Mon, 26 Mar 2012 18:30:56 +0100
Subject: [PATCH] ipl2tp: allow setting session interface name
2012-04-03 11:38:51 -07:00
Stephen Hemminger 82499282b2 ip: allow set and display of link mode parameter
The kernel supports a link mode attribute (which can be dormant or default).
This attribute is used to control how the link watch engine
handles operstate transition.

This adds a new parameter to ip link command to allow setting and
displaying the value.
---
2012-03-19 17:24:43 -07:00
Stephen Hemminger 718165534d gre: allow 0 as a legal key value
There is nothing in the standard that says 0 can't be used as a key.
It makes sense to allow it. Also fix typo where ikey was printed for
when printing okey.
2012-03-19 17:18:49 -07:00
Florian Westphal 598a42c091 ip: xfrm: report nat-t/encapsulation portmapping updates
Signed-off-by: Florian Westphal <fw@strlen.de>
2012-03-15 14:49:03 -07:00
Stephen Hemminger 09fa327941 iproute: allow changing gretap parameters
Change the order of evaluation of ip link type arguments to allow
changing parameters of gre tunnels.

The following wouldn't work:
 # ip li add mytunnel type gretap remote 1.1.1.1 key 3
 # ip li set mytunnel type gretap key 9
2012-03-14 10:28:33 -07:00
Yegor Yefremov 8ced4fcd50 iproute2: cleanup dependencies
LIBNETLINK will be defined in the main Makefile, so
both ../lib/libnetlink.a ../lib/libutil.a will be
automatically appended during linking. Otherwise
../lib/libnetlink.a ../lib/libutil.a will appear
twice during linking.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2012-02-27 08:27:54 -08:00
Stephen Hemminger e6e6fb5c6a ipaddress: cleanup code for link stats64
On 64 bit platform, casting to unsigned long long is unnecessary.
Use inttypes.h and stdtypes.h to resolve it.
2012-02-21 17:18:59 -08:00
Tony Zelenoff 1dac7817b4 Modify neighbour proxy show
New "ip neigh show proxy" command now can show proxies which
were added with "ip neigh add proxy" command. Kernel code to
support this feature sent a bit earlier to netdev.

Signed-off-by: Tony Zelenoff <antonz@parallels.com>
2012-02-09 15:06:52 -08:00
Stephen Hemminger 5aa08f6bf4 ip: make 'ip l' be 'ip link'
Restore compatibility for those lazy typists.
2012-01-20 08:16:02 -08:00
Stephen Hemminger 13603f6a9e iplt2p: remove unused libnl headers
Leftover from change to original code.
2012-01-10 08:50:49 -08:00
Stephen Hemminger 38cd311ade l2tp: Add l2tp support
Based on earlier implementation by James Chapman. But instead of
dragging in all of libnl, use existing libnetlink infrastructure.
2011-12-29 09:35:37 -08:00
Stephen Hemminger cd70f3f522 libnetlink: remove unused junk callback
Both rtnl_talk and rtnl_dump had a callback for handling portions
of netlink message that do not match the correct pid or seq.
But this callback was never used by any part of iproute2 so remove
it.
2011-12-28 10:37:12 -08:00
Stephen Hemminger 6cf8398f5f libnetlink: change rtnl_send() to take void *
Avoid having to cast buffer being sent.
2011-12-23 10:41:50 -08:00
Greg Rose 7b8179c780 iproute2: Add new command to ip link to enable/disable VF spoof check
Add ip link command parsing for VF spoof checking enable/disable

V2 - Fixed problem with parsing of dump info on kernels that don't
     support the spoof checking option and also wrapped the ifla_vf_info
     structure in #ifdef __KERNEL__ to prevent user space from directly
     accessing the structure
V3 - Improved parsing of vfinfo
V4 - Put Makefile back to proper list of subdirs
V5 - Remove struct ifla_vf_info, it is only used by the kernel
V6 - Make sure spoof check is reported by the driver - rtnl will set
     it to -1 to indicate driver didn't report a value.

Signed-off-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2011-11-23 14:53:12 -08:00
Stephen Hemminger 7397944de6 ip: fix exit codes
Alternative fix to problem reported by: Bin Li
The issue came from https://bugzilla.novell.com/show_bug.cgi?id=681952.

In any previous version (since suse ... 10.0?), ip addr add always returned
the error code 2 in case the ip address is already set on the interface:

    inet 172.16.2.3/24 brd 172.16.2.255 scope global bond0
RTNETLINK answers: File exists
2

On 11.4, it returns the exit code 254:

    inet 172.16.1.1/24 brd 172.16.1.255 scope global eth0
RTNETLINK answers: File exists
254

This of course causes ifup to return an error in this quite common case.
2011-10-13 08:38:33 -07:00
Thomas Jarosch 19bcc05bea Fix file descriptor leak on error in read_igmp()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:20:23 -07:00
Thomas Jarosch 297452a1c2 Fix file descriptor leak in do_tunnels_list()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:20:22 -07:00
Thomas Jarosch e588a7db16 Fix file descriptor leak on error in read_mroute_list()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:20:21 -07:00
Thomas Jarosch 67ef60a293 Fix file descriptor leak on error in read_viftable()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:18:41 -07:00
Thomas Jarosch 25352af7c2 Fix file descriptor leak on error in iproute_flush_cache()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:18:09 -07:00
Thomas Jarosch e9a927dc08 Add missing closedir() call in do_show()
Detected by cppcheck.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2011-10-07 11:17:41 -07:00
Jiri Benc 21a5a6b378 iproute2: fix changing of ip6ip6 tunnel parameters
When changing ip6ip6 parameters (ip -6 tun change), ip passes zeroed
struct ip6_tnl_parm to the kernel. The kernel then tries to change all of
the tunnel parameters to the passed values, including zeroing of local and
remote address. This fails (-EEXIST in net/ipv6/ip6_tunnel.c:ip6_tnl_ioctl).

For other tunnel types, ip fetches the current parameters first and applies
the required changes on top of them. This patch applies the same code as in
ip/iptunnel.c to ip/ip6tunnel.c.

See http://bugzilla.redhat.com/730627 for the original bug report.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
2011-10-07 11:14:47 -07:00
Sridhar Samudrala a22e92951d iproute2: Fix usage and man page for 'ip link'
Add bridge as a supported type with 'ip link' in usage and all the missing
types in 'ip' man page. Also fixed some typos.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2011-10-07 11:04:46 -07:00
Dan McGee 1313ceb4d6 iptuntap: avoid double open
would leak a file handle
2011-08-31 12:14:51 -07:00
Eric W. Biederman 223f4d8ea6 iproute2: Fail "ip netns add" on existing network namespaces.
Use O_EXCL so that we only create and mount a new network namespace
if there is no chance an existing network namespace is present.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2011-08-31 11:02:26 -07:00
Eric W. Biederman 2e8a07f543 iproute2: Auto-detect the presence of setns in libc
If libc has setns present use that version instead of
rolling the syscall wrapper by hand.

Dan McGee found the following compile error:

    gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include
    -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib/\"   -c -o ipnetns.o ipnetns.c
    ipnetns.c:31:12: error: static declaration of ‘setns’ follows non-static
    declaration
    /usr/include/bits/sched.h:93:12: note: previous declaration of ‘setns’
    was here
    make[1]: *** [ipnetns.o] Error 1

Reported-by:  Dan McGee <dan@archlinux.org>
Tested-by:  Dan McGee <dan@archlinux.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2011-08-31 11:02:02 -07:00
Andreas Henriksson c0c44bfedd iproute2: Remove "monitor" from "ip route help" output
$ ip route help 2>&1 | grep monitor
ip route { add | del | change | append | replace | monitor } ROUTE
$ ip route monitor
Command "monitor" is unknown, try "ip route help".

(I guess what was really intended is "ip monitor route", so just remove
the argument from the help output.)

Originally reported by martin f krafft at http://bugs.debian.org/537681

While at it, also drop all non-existent (route,link,netns) monitor
arguments from the ip(8) man page.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
2011-07-20 16:04:04 -07:00
Christoph Biedl c13f598242 ip: fix display of prefix cache info
The "ip monitor" command does properly decode the "preferred" and
"valid" lifetime records in router advertisements from netlink
messages.
2011-07-20 16:02:50 -07:00
Eric W. Biederman 0dc34c7713 iproute2: Add processless network namespace support
The goal of this code change is to implement a mechanism such that it is
simple to work with a kernel that is using multiple network namespaces
at once.

This comes in handy for interacting with vpns where there may be rfc1918
address overlaps, and different policies default routes, name servers
and the like.

Configuration specific to a network namespace that would ordinarily be
stored under /etc/ is stored under /etc/netns/<name>.  For example if
the dns server configuration is different for your vpn you would create
a file /etc/netns/myvpn/resolv.conf.

File descriptors that can be used to manipulate a network namespace can
be created by opening /var/run/netns/<NAME>.

This adds the following commands to iproute.
ip netns add NAME
ip netns delete NAME
ip netns monitor
ip netns list
ip netns exec NAME cmd ....
ip link set DEV netns NAME

ip netns exec exists to cater to the vast majority of programs that only
know how to operate in a single network namespace.  ip netns exec
changes the default network namespace, creates a new mount namespace,
remounts /sys and bind mounts netns specific configuration files to
their standard locations.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2011-07-13 09:48:26 -07:00
David Ward cbec021913 xfrm: Update documentation
The ip(8) man page and the "ip xfrm [ XFRM-OBJECT ] help" command output
are updated to include missing options, fix errors, and improve grammar.
There are no functional changes made.

The documentation for the ip command has many different meanings for the
same formatting symbols (which really needs to be fixed). This patch makes
consistent use of brackets [ ] to indicate optional parameters, pipes | to
mean "OR", braces { } to group things together, and dashes - instead of
underscores _ inside of parameter names. The parameters are listed in the
order in which they are parsed in the source code.

There are several parameters and options that are still not mentioned or
need to be described more thoroughly in the "COMMAND SYNTAX" section of
the ip(8) man page. I would appreciate help from the developers with this.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
2011-07-11 10:12:06 -07:00
Stephen Hemminger d93b6b51e6 ip: iproute fix set never used warning 2011-06-20 14:34:11 -07:00
Stephen Hemminger cdf3585224 ip: addrlabel fix set never used warning 2011-06-20 14:33:55 -07:00
Eric Dumazet f78e316f25 ip: Support IFLA_TXQLEN in ip link command
Eric Dumazet wrote:
> We currently use an expensive ioctl() to get device txqueuelen, while
> rtnetlink gave it to us for free. This patch speeds up ip link operation
> when many devices are registered.
>

Here is a 2nd version of this patch, not displaying "qlen 0" useless info

[PATCH iproute2] ip: Support IFLA_TXQLEN in ip link show command

We currently use an expensive ioctl() to get device txqueuelen, while
rtnetlink gave it to us for free. This patch speeds up ip link operation
when many devices are registered.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
2011-05-12 08:55:49 -07:00
Stephen Hemminger 4d91e4f168 Merge branch 'for-2.6.39' of /home/shemminger/iproute2-net-next
Conflicts:
	include/linux/xfrm.h
	ip/iplink.c
2011-04-12 14:42:20 -07:00
Stephen Hemminger 242b8da71b Use INIT_NETDEV_GROUP
Now that headers are sanitized, use the define.
2011-04-12 14:40:14 -07:00
Ulrich Weber c0635644cd iproute2: parse flag XFRM_POLICY_ICMP
parse flag XFRM_POLICY_ICMP

Signed-off-by: Ulrich Weber <uweber@astaro.com>
2011-04-12 14:38:32 -07:00
Brandon Philips 1f7190db39 ip: fix memory leak in ipmaddr.c
If the continue is taken, then there is a memory leak.

https://bugzilla.novell.com/show_bug.cgi?id=538996

Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Brandon Philips <bphilips@suse.de>
2011-04-12 14:23:52 -07:00
Stephen Hemminger 38c867d2a8 Add checks for fgets() when reading proc
If expected proc headers are missing, catch and print error.
2011-04-12 14:23:17 -07:00
Vlad Dogaru ac694c333f iproute2: support listing devices by group
User can specify device group to list by using the group keyword:

	ip link show group test

If no group is specified, 0 (default) is implied.

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
2011-04-12 14:18:05 -07:00
Nicolas Dichtel aba383448c iproute2: allow to specify truncation bits on auth algo
Hi,

here is a patch against iproute2 to allow user to set a state with a specific
auth length.

Example:
$ ip xfrm state add src 10.16.0.72 dst 10.16.0.121 proto ah spi 0x10000000
auth-trunc "sha256" "azertyuiopqsdfghjklmwxcvbn123456" 96 mode tunnel
$ ip xfrm state
src 10.16.0.72 dst 10.16.0.121
         proto ah spi 0x10000000 reqid 0 mode tunnel
         replay-window 0
         auth-trunc hmac(sha256)
0x617a6572747975696f707173646667686a6b6c6d77786376626e313233343536 96
         sel src 0.0.0.0/0 dst 0.0.0.0/0

Regards,
Nicolas

>From 522ed7348cdf3b6f501af2a5a5d989de1696565a Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 23 Dec 2010 06:48:12 -0500
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo

Attribute XFRMA_ALG_AUTH_TRUNC can be used to specify
truncation bits, so we add a new algo type: auth-trunc.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2011-03-17 10:02:02 -07:00
Gerrit Renker db6b0cfa51 iproute: rename 'get_jiffies' since it uses msecs
The get_jiffies() function retrieves rtt-type values in units of
milliseconds. This patch updates the function name accordingly,
following the pattern given by dst_metric() <=> dst_metric_rtt().
2011-03-17 10:01:22 -07:00
Gerrit Renker fca1dae821 iproute: fix unit conversion of rtt/rttvar/rto_min
Since July 2008 (2.6.27, c1e20f7c8b9), the kernel stores the values for
RTAX_{RTT{,VAR},RTO_MIN} in milliseconds. When using a kernel > 2.6.27 with
the current iproute2, conversion of these values is broken in either way.

This patch
 * updates the code to pass and retrieve milliseconds;
 * since values < 1msec would be rounded up, also drops the usec/nsec variants;
 * since there is no way to query kernel HZ, also drops the jiffies variant.

Arguments such as
	rtt		3.23sec
	rto_min		0xff
	rto_min		0.200s
	rttvar		25ms
now all work as expected when reading back previously set values.
2011-03-17 10:01:09 -07:00
Gerrit Renker 897fb84fd9 utils: get_jiffies always uses base=0
get_jiffies() is in all places called in the same manner, with base=0;
simplify argument list by putting the constant value into the function.
2011-03-17 10:00:43 -07:00
Joy Latten 4bb75da2d0 xfrm security context support
Adds security context support to ip xfrm state.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
2011-03-17 10:00:21 -07:00
Joy Latten e5055b591b xfrm security context support
Adds security context support to ip xfrm policy.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
2011-03-17 10:00:07 -07:00
Joy Latten 2c319e1ab7 xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".

This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.

For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
	proto esp spi 0x00000301 reqid 0 mode transport
	replay-window 0
	auth hmac(digest_null) 0x3078
	enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
	security context root:system_r:unconfined_t:s0

Please  let me know if all is ok with the patchset.
Thanks!!

regards,
Joy

Signed-off-by:  Joy Latten <latten@austin.ibm.com>
2011-03-17 09:58:23 -07:00
Sridhar Samudrala f0612d566b macvlan/macvtap: support 'passthru' mode
Add support for 'passthru' mode when creating a macvlan/macvtap device
which allows takeover of the underlying device and passing it to a KVM
guest using virtio with macvtap backend.

Only one macvlan device is allowed in passthru mode and it inherits
the mac address from the underlying device and sets it in promiscuous
mode to receive and forward all the packets.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2011-03-16 17:01:58 -07:00
Nicolas Dichtel 98f5519cd9 iproute2: add support of flag XFRM_STATE_ALIGN4
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2011-03-02 11:50:09 -08:00
Stephen Hemminger d5b7420a26 Remove #ifdef's
The iproute package keeps its own headers so there is no need
of polluting code with #ifdef's
2011-02-25 20:00:54 -08:00
Jiri Pirko a1e191b90c iplink: implement setting of master devic 2011-02-25 19:55:19 -08:00
Nicolas Dichtel f323f2a32c iproute2: allow to specify truncation bits on auth algo
Hi,

here is a patch against iproute2 to allow user to set a state with a specific
auth length.

Example:
$ ip xfrm state add src 10.16.0.72 dst 10.16.0.121 proto ah spi 0x10000000
auth-trunc "sha256" "azertyuiopqsdfghjklmwxcvbn123456" 96 mode tunnel
$ ip xfrm state
src 10.16.0.72 dst 10.16.0.121
         proto ah spi 0x10000000 reqid 0 mode tunnel
         replay-window 0
         auth-trunc hmac(sha256)
0x617a6572747975696f707173646667686a6b6c6d77786376626e313233343536 96
         sel src 0.0.0.0/0 dst 0.0.0.0/0

Regards,
Nicolas

>From 522ed7348cdf3b6f501af2a5a5d989de1696565a Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 23 Dec 2010 06:48:12 -0500
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo

Attribute XFRMA_ALG_AUTH_TRUNC can be used to specify
truncation bits, so we add a new algo type: auth-trunc.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
2011-02-25 19:52:12 -08:00
Gerrit Renker 81d03dc356 iproute: rename 'get_jiffies' since it uses msecs
The get_jiffies() function retrieves rtt-type values in units of
milliseconds. This patch updates the function name accordingly,
following the pattern given by dst_metric() <=> dst_metric_rtt().
2011-02-25 12:54:37 -08:00
Gerrit Renker 9b2cdc00da iproute: fix unit conversion of rtt/rttvar/rto_min
Since July 2008 (2.6.27, c1e20f7c8b9), the kernel stores the values for
RTAX_{RTT{,VAR},RTO_MIN} in milliseconds. When using a kernel > 2.6.27 with
the current iproute2, conversion of these values is broken in either way.

This patch
 * updates the code to pass and retrieve milliseconds;
 * since values < 1msec would be rounded up, also drops the usec/nsec variants;
 * since there is no way to query kernel HZ, also drops the jiffies variant.

Arguments such as
	rtt		3.23sec
	rto_min		0xff
	rto_min		0.200s
	rttvar		25ms
now all work as expected when reading back previously set values.
2011-02-25 12:51:48 -08:00
Gerrit Renker 94089ef772 utils: get_jiffies always uses base=0
get_jiffies() is in all places called in the same manner, with base=0;
simplify argument list by putting the constant value into the function.
2011-02-25 12:49:42 -08:00
Joy Latten 0c7a594541 xfrm security context support
Adds security context support to ip xfrm state.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
2011-02-25 12:45:58 -08:00
Joy Latten e4f054f017 xfrm security context support
Adds security context support to ip xfrm policy.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
2011-02-25 12:45:49 -08:00
Joy Latten b2bb289a57 xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".

This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.

For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
	proto esp spi 0x00000301 reqid 0 mode transport
	replay-window 0
	auth hmac(digest_null) 0x3078
	enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
	security context root:system_r:unconfined_t:s0

Please  let me know if all is ok with the patchset.
Thanks!!

regards,
Joy

Signed-off-by:  Joy Latten <latten@austin.ibm.com>
2011-02-25 12:45:36 -08:00
Vlad Dogaru db02608b6f iproute2: support device group semantics
Add the group keyword to ip link set, which has the following meaning:
If both a group and a device name are present, we change the device's
group to the specified one. If only a group is present, then the
operation specified by the rest of the command should apply on an entire
group, not a single device.

So, to set eth0 to the default group, one would use
	ip link set dev eth0 group default

Conversely, to set all the devices in the default group down, use
	ip link set group default down

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
2011-02-25 12:43:14 -08:00
Vlad Dogaru 26ad3aecfe iproute2: support device group semantics
Add the group keyword to ip link set, which has the following meaning:
If both a group and a device name are present, we change the device's
group to the specified one. If only a group is present, then the
operation specified by the rest of the command should apply on an entire
group, not a single device.

So, to set eth0 to the default group, one would use
	ip link set dev eth0 group default

Conversely, to set all the devices in the default group down, use
	ip link set group default down

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
2011-02-25 12:43:07 -08:00
Vlad Dogaru f960c92aac iproute2: support listing devices by group
User can specify device group to list by using the group keyword:

	ip link show group test

If no group is specified, 0 (default) is implied.

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
2011-02-25 12:38:50 -08:00
Stephen Hemminger 1598b9ef7b Revert "iproute2: add VF_PORT support"
This reverts commit 632110aa0d.

There seem to be some recent changes in the 802.1Qbh/bg specs which may
result in changes to this patch in the near future. It seems like its best
to ignore this patch for now.
I will re-spin at a later time when the changes in the specs converge.

BTW, Please let me know if I should CC netdev list and others on the
original email. I can resend this email.

Thanks,
Roopa
2011-01-13 14:53:02 -08:00
Roopa Prabhu 632110aa0d iproute2: add VF_PORT support
Resubmitting Scott Feldman's original patch with below changes

- Fix port profile strlen which was off by 1
- Added function to convert IFLA_PORT_RESPONSE codes to string

Add support for IFLA_VF_PORTS.  VF port netlink msg layout is

        [IFLA_NUM_VF]
        [IFLA_VF_PORTS]
                [IFLA_VF_PORT]
                        [IFLA_PORT_*], ...
                [IFLA_VF_PORT]
                        [IFLA_PORT_*], ...
                ...
        [IFLA_PORT_SELF]
                [IFLA_PORT_*], ...

The iproute2 cmd line for link set is now:

Usage: ip link add link DEV [ name ] NAME
                   [ txqueuelen PACKETS ]
                   [ address LLADDR ]
                   [ broadcast LLADDR ]
                   [ mtu MTU ]
                   type TYPE [ ARGS ]
       ip link delete DEV type TYPE [ ARGS ]

       ip link set DEVICE [ { up | down } ]
                          [ arp { on | off } ]
                          [ dynamic { on | off } ]
                          [ multicast { on | off } ]
                          [ allmulticast { on | off } ]
                          [ promisc { on | off } ]
                          [ trailers { on | off } ]
                          [ txqueuelen PACKETS ]
                          [ name NEWNAME ]
                          [ address LLADDR ]
                          [ broadcast LLADDR ]
                          [ mtu MTU ]
                          [ netns PID ]
                          [ alias NAME ]
                          [ port MODE { PROFILE | VSI } ]
                          [ vf NUM [ mac LLADDR ]
                                   [ vlan VLANID [ qos VLAN-QOS ] ]
                                   [ rate TXRATE ]
                                   [ port MODE { PROFILE | VSI } ] ]
       ip link show [ DEVICE ]

TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | can }
MODE := { assoc | preassoc | preassocrr | disassoc }
PROFILE := profile PROFILE
           [ instance UUID ]
           [ host UUID ]
VSI := vsi mgr MGRID type VTID ver VER
       [ instance UUID ]

Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: Roopa Prabhu <roprabhu@cisco.com>
2011-01-13 14:50:46 -08:00
Dan Smith f4ff11e3e2 Add ip route save/restore
This patch adds save and restore commands to "ip route". Save dumps
the RTNL stream to stdout which can then be passed to restore later.
This may be helpful in some normal situations, and will allow C/R to
migrate the routing information in userspace.  Tweaking of the stream
can be done by userspace helpers to convert between versions and adjust
things like device indexes when restoring routes in a different
environment.

By factoring out some of the common bits of print_route() into
filter_nlmsg(), the "save" command can use the same selection logic
as "list," allowing the caller to save only specific routes as
necessary.

The only change since the RFC is the addition of manpage and doc
material.

Signed-off-by: Dan Smith <danms@us.ibm.com>
2010-12-01 11:24:58 -08:00
Ben Greear 64c7956061 Allow 'ip addr flush' to loop more than 10 times
The default remains at 10 for backwards compatibility.

For instance:
 # ip addr flush dev eth2
 *** Flush remains incomplete after 10 rounds. ***
 # ip -l 20 addr flush dev eth2
 *** Flush remains incomplete after 20 rounds. ***
 # ip -loops 0 addr flush dev eth2
 #

This is useful for getting rid of large numbers of IP
addresses in scripts.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2010-12-01 11:13:51 -08:00
Sridhar Samudrala 3f0a7b4c4f Support 'mode' parameter when creating macvtap device
Add support for 'mode' parameter when creating a macvtap device.
This allows a macvtap device to be created in bridge, private or
the default vepa modes.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

-------------------------------------------------------------------
Acked-by: Arnd Bergmann <arnd@arndb.de>
2010-11-30 10:01:41 -08:00