iptables dropped the xtables_set_revision() function around version 1.4.9,
so set the rev directly ourselves. This should be compatible back to the
original version m_xt itself is designed for.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Fixes problems with xtables based MARK target ("ipt" module).
When tc loads the "ipt" (xt) module it kept the symbols local,
this made loading of libxtables not find the required struct.
currently ipt/xt is the only tc action module.
iproute2 never seem to do dlclose.
hopefully the modules doesn't export more symbols then needed.
In this situation hopefully the RTLD_GLOBAL flag won't hurt us.
I've been using this patch in the Debian package of iproute for
the last 3 weeks and noone has complained.
( This fixes http://bugs.debian.org/584898 )
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
This patch adds ipv6 filter priority/traffic class function
static int parse_ip6_class(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
shifting filter value to 5th bit and ignoring "at" as header position
is exactly given.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The recent commit "iproute2: add option to build m_xt as a tc module"
(ab814d6355) looks like it wrongly included debug changes in the
install target. So drop the `echo` so the tc binary actually gets
installed again.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When building on an old environment, the flex generated
tc/emp_ematch.lex.c file would not compile. The error given was:
emp_ematch.lex.c:1686: error: expected â;â, â,â or â)â before numeric constant
The emp_ematch.l uses 'str' as a start symbol name, and flex would create
a '#define str 1' statement. This particular version of flex,
unfortunately, used 'str' as names of string variables in the generated
parser functions. This is line 1686 in the generated file:
YY_BUFFER_STATE ematch__scan_string (yyconst char * str )
This patch just substitutes 'str' for 'lexstr' in emp_ematch.l to avoid
the collision.
This will build the xt module (action ipt) of tc as a
shared object that is linked at runtime by tc if used,
rather then built into tc.
This is similar to how the atm qdisc support
is handled (q_atm.so).
Signed-off-by: Andreas Henriksson <andreas@xxxxxxxx>
Try to automatically detect iptables modules directory.
Make the configure script look for iptables modules.
This also makes it possible to specify it on the
command line while building via "make IPT_LIB_DIR=/foo/bar".
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
parsing a mark as a classid allows for acceptance of strange
informal input.
cheers,
jamal
commit aad0da6507ff8a95a63ed8e529c05f52be5b0e75
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 15 06:45:29 2010 -0500
skbedit: use get_u32 for parsing mark
get_u32 is the more appropriate parser for a mark.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
This adds the required changes to gain access to
the head drop classfull queuing discipline named
pfifo_head_drop. In difference to pfifo or pfifo_fast
this queuing discipline will drop the first packet
in the case of queue congestion. As a result the queue
contain always the freshest packets.
To replace the current a root queueing discipline
for eth0:
$ tc qdisc replace dev eth0 root pfifo_head_drop
And show statistics:
$ tc -s qdisc show dev eth0
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
Since there aren't any targets that currently use this pattern rule, this
is more of a proactive fix.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This adds support for setting the skb mark.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Add a new cleaned up m_xt.c based on m_xt_old.c
The new m_xt.c has been updated to use the new names and new api
that xtables exposes in iptables 1.4.5.
All the old internal api cruft has also been dropped.
Additionally, a configure script test is added to check for
the new xtables api and set the TC_CONFIG_XT flag in Config.
(tc/Makefile already handles this flag in previous commit.)
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Move the file and rename the configure flags.
The file is being kept around for iptables < 1.4.5 compatibility.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
The kernel takes a lack of options as indication that the fw classifier
should operate in compatibility mode, where marks are mapped directly to
classids.
Commit e22b42a (tc mask patch) broke this by adding an empty TCA_OPTIONS
attribute even if no handle is specified. Restore the old behaviour.
Signed-off-by: Patrick McHardy <kaber@trash.net>
A bunch of source files look like they're copy & pasted from other files,
and some include header files that they don't actually need. Since dlfcn
has very specific usage (and is a pain on a static-only system), drop it
where it isn't really needed.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The iptables code supports a "no shared libs" mode where it can be used
without requiring dlfcn related functionality. This adds similar support
to iproute2 so that it can easily be used on systems like nommu Linux (but
obviously with a few limitations -- no dynamic plugins).
Rather than modify every location that uses dlfcn.h, I hooked the dlfcn.h
header with stub functions when shared library support is disabled. Then
symbol lookup is done via a local static lookup table (which is generated
automatically at build time) so that internal symbols can be found.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Sometimes while dividing bandwidth by classes it is useful to see how some
specific class doing things live.
Which my simple patch it is possible to do
watch -n1 "tc -s -d class show dev eth0.2022 classid 1:1520"
and to get live statistics, how packets queued or dropped, and how much
bandwidth used (if estimator defined) for specific class.
Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
This change was forgotten by Stephen in the last release
Signed-off-by: Denys Fedoryschenko <denys@visp.net.lb>
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Many thanks to Yevgeny Kosarzhevsky <yevg@pisem.net> for reporting
and a lot of testing
Thanks to Jan Engelhardt <jengelh@medozas.de> for a lot of advice
Thanks to Denys Fedoryschenko <denys@visp.net.lb> for some sample
code that he tried and thanks to Andreas Henriksson <andreas@fatal.se>
(who maintains iproute2 on debian) for the persistent followup.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Original from: Alexander Duyck <alexander.h.duyck@intel.com>
A bug was found in which the memory for the tc_skbedit struct was being
used uninitialized to 0. Alternative version of original fix
using initializer rather than memset.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
1)optind according iptables sources have to be set to 0. If it is set to 1, in
batch it will mess up things. Also in iptables sources i notice that ->tflags
and ->used need to be reset.
2)Since target->t = fw_calloc(1, size); allocated memory in function build_st,
it have to be freed at the end, or in batch we will have memory leak. TODO:
Probably it must be freed in all "return -1" cases in parse_ipt after
build_st. About this i am not sure, up to Stephen.
3)new_name was malloc'ed, but not freed
Add support for multiq qdisc
This patch adds the ability to configure the multiq qdisc. Since the qdisc does not require any input it will pull the number of bands directly from the device that it is added to the root of.
usage: tc qdisc add dev <DEV> root handle <HANDLE> multiq
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Provides ability to edit queue_mapping field
Provides ability to edit priority field
usage: action skbedit [queue_mapping QUEUE_MAPPING] [priority PRIORITY]
at least one option must be select, or both at the same time
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Hello Rafael Almeida.
I noticed your patch adding DESTDIR support in the latest iproute2 release.
Much appreciated! Soon the debian packages might be able to move to actually
using "make install" rather then it's own installation procedure when
building packages. I've noticed something that will break though....
Debian packages usually sets DESTDIR=debian/tmp/ and packages the contents
of that directory as if it where the root file system. This will break
the /usr/lib/{tc,ip}/ module loading, because they DESTDIR (/usr) will be
/whatever-the-build-path-was/debian/tmp/lib/{tc,ip}/.
I beleive others usually call this the LIBDIR to make the separation between
DISTDIR being the (possibly temporary) place things are put when build is
done, and LIBDIR (and others) are used for actual runtime paths.
I'm attaching a patch that I think fixes this, but would be really happy if
you could have a look at to verify I'm not screwing something up.
--
Regards,
Andreas Henriksson
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Patch adds generic size table that is similiar to rate table, with
difference that size table stores link layer packet size.
Based on patch by Patrick McHardy
http://marc.info/?l=linux-netdev&m=115201979221729&w=2
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
After changing the DESTDIR the installated binaries have some issues
due to hard coded paths. For example, using distributions on NetEm
would segfault.
I've changed iplink.c and tc_util.c so they are now aware of DESTDIR.
Along with that change I needed to change the main Makefile so it
defines the DESTDIR macro when calling gcc.
I also changed the paths so that during the installation sbin, etc,
share and lib directories are created directly inside of the DESTDIR,
instead of creating a usr directory inside that. That's the behaviour
of most packages out there, so I think most users will be expecting
that to happen.
> # tc filter show dev eth1 | grep 4:29:d1
> filter parent 1: protocol ip pref 5 u32 fh 4:29:d1 order 209 key ht 4
> bkt 29 flowid 1:b7aa
>
> # tc filter del dev eth1 parent 1: pref 5 handle 4:29:d1 u32
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
>
> after rollback to package"sys-apps/iproute2-2.6.24.20080108" all
> deleted normal...
The current iproute version uses "protocol all" by default
if its not specified. This is actually only useful for creating
new filters, on deletion an unset protocol is treated as wildcard.
And last for now ..
cheers,
jamal
[PATCH 3/3] [TC/U32] Infrastructure for pretty printing
This patch makes it easy to add pretty printers of different protocols.
For starters it makes use of ipv4 and raw printers.
Add more later ...
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
makes protocol accessible ..
cheers,
jamal
[PATCH 2/3] [TC/FILTERS] Expose the filter protocol
Expose the filter protocol so it can be used by underlying
classifiers when they need it.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Don't break scripts that depend on previous offset/value format.
Introduce a new -pretty flag for decoding, and (*gasp*) document
the formatting arguments.
commit c504ffd627ac211eebf5ed34ef0fbfd7f1dbb347
Author: Patrick McHardy <kaber@trash.net>
Date: Wed Mar 26 07:38:43 2008 +0100
[IPROUTE]: Fix classifier help
The new check whether the user has specified a protocol makes
"ip filter <type> help" fails with "protocol is required".
This could be fixed by moving it further down, but a more user-friendly
way it to simply use ETH_P_ALL as default if nothing is specified.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Introducing the function that does the ATM cell alignment, and
modifying tc_calc_rtable() to use this based upon a linklayer
parameter.
Modified from original to use constants from atm.h and
fix all the usages of rtable in same patch.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
For police, implement overhead parameter parsing.
The change is ABI (Application Binary Interface) backward compatible
with older kernels, but will first have effect from kernel 2.6.24.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
For CBQ, implement overhead parameter parsing.
The change is ABI (Application Binary Interface) backward compatible
with older kernels, but will first have effect from kernel 2.6.24.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Change CBQ to use matches() function instead of strcmp().
This resembels the usage in other parse functions, and allows
partial command parameter matching.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
For TBF, implement overhead parameter parsing.
The change is ABI (Application Binary Interface) backward compatible
with older kernels, but will first have effect from kernel 2.6.24.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
update: Fix the spelling of "hexidecimal"
This updates the help output to specify that CLASSID should be hexidecimal.
This makes sure that a user entering "flowid 1:10" gets his flow put into
band 15 (0x10) and knows why.
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
commit 94e9cba778cb97d77d9146dc3bd38ff195bc2c8a
Author: Patrick McHardy <kaber@trash.net>
Date: Sat Feb 2 18:22:16 2008 +0100
[IPROUTE]: cls_flow: add vlan-tag support
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
[IPROUTE]: Add flow classifier support
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
[...]
> Commands like "tc filter add dev ppp0 parent ffff: protocol ip prio 50
> u32 match ip src 0.0.0.0/0 police rate 4mbit burst 10k drop flowid :1"
> apparently no longer works. The flowid is not accepted anymore.
> Reverting commit 720a2e8d99... which you authored seems to "fix" this.
[...]
After further investigation it seems clear to me that reverting the
commit 720a2e8d990707749b2... is the correct thing to do, since the real
fix for the problem this commit was supposed to fix was instead fixed in
commit c29391c7c68f031e246c...
Whatever you specify after a u32 police you will now get a syntax error,
and according to "tc filter add u32 help" there are several things that
you are supposed to be able to specify after a police.
This reverts commit 720a2e8d99.
New iptables 1.4.0 has some library names changed from libipt to libxt.
It is prefferable also to open libxt_ first, as newer "style".
Signed-off-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Patrick McHardy, Cite: 'its better to overestimate than underestimate
to stay in control of the queue'.
Illustrating the rate table array:
Legend description
rtab[x] : Array index x of rtab[x]
xmit_sz : Transmit size contained in rtab[x] (normally transmit time)
maps[a-b] : Packet sizes from a to b, will map into rtab[x]
Current/old rate table mapping (cell_log:3):
rtab[0]:=xmit_sz:0 maps[0-7]
rtab[1]:=xmit_sz:8 maps[8-15]
rtab[2]:=xmit_sz:16 maps[16-23]
rtab[3]:=xmit_sz:24 maps[24-31]
rtab[4]:=xmit_sz:32 maps[32-39]
rtab[5]:=xmit_sz:40 maps[40-47]
rtab[6]:=xmit_sz:48 maps[48-55]
New rate table mapping, with kernel cell_align support.
rtab[0]:=xmit_sz:8 maps[0-8]
rtab[1]:=xmit_sz:16 maps[9-16]
rtab[2]:=xmit_sz:24 maps[17-24]
rtab[3]:=xmit_sz:32 maps[25-32]
rtab[4]:=xmit_sz:40 maps[33-40]
rtab[5]:=xmit_sz:48 maps[41-48]
rtab[6]:=xmit_sz:56 maps[49-56]
New TC util on a kernel WITHOUT support for cell_align
rtab[0]:=xmit_sz:8 maps[0-7]
rtab[1]:=xmit_sz:16 maps[8-15]
rtab[2]:=xmit_sz:24 maps[16-23]
rtab[3]:=xmit_sz:32 maps[24-31]
rtab[4]:=xmit_sz:40 maps[32-39]
rtab[5]:=xmit_sz:48 maps[40-47]
rtab[6]:=xmit_sz:56 maps[48-55]
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Change tc_calc_rtable() to take a tc_ratespec struct as an
argument. (cell_log still needs to be passed on as a parameter,
because -1 indicate that the cell_log needs to be computed by the
function.).
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
The only current user is HTB. HTB overhead argument is now passed on
to the kernel (in the struct tc_ratespec). Also correct the data
types.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Hello Stephen,
As the current maintainer of iproute2 package, you could be interested
in including the attached patch that allow using masks in the fw filter
of the tc utility (very useful at least for me). AFAK, it works at least
from iproute2 version 2.6.20-?. Feel free to make the appropriate
cleaning changes if necessary, or contact me if you see any trouble.
Best regards,
François Delawarde.
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
tc_core_time2big only used in tc/q_netem.c where it gets passed an unsigned.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Follow up patch to "Fix overflow in time2tick / tick2time." which switches
the remaining two helper functions from long to unsigned as well.
These functions are only used in "tc/q_hfsc.c" where both the passed argument
and the place the return value is stored are unsigned/u32 variables, so this
change should be safe to make but hasn't been tested as extensively as the
time2tick patch.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
The helper functions gets passed an unsigned int, which gets cast to long
and overflows. See http://bugs.debian.org/175462
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
The help/usage screen of ematch cmp and nbyte say recognised symbolic
values for "layer FOO" are link, header and next-header, but the code
does _not_ implement that: it will recognise "next-header" as what is
supposed to be "header" and will not recognise "header". The right
symbolic values seem to be link, network, transport. Here is a patch
that changes the help/usage screen to match the code.
(http://bugs.debian.org/438653)
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
em_meta doesn't send 0 values to the kernel. breaking matching on them and
resulting in "Missing value TLV" messages on dump.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Mike Frysinger
Stephen Hemminger
Andreas Henriksson
Petr Lautrbach
Bart Trojanowski
jamal
Hagen Paul Pfeifer
Florian Westphal
Patrick McHardy
Denys Fedoryshchenko
Thomas Graf
Petr Jediný
Alexander Duyck
Jussi Kivilinna
Rafael Almeida
Jesper Dangaard Brouer
Jesper Dangaard Brouer
PJ Waskiewicz
Denys Fedoryshchenko
Jesper Dangaard Brouer
Stephen Hemminger
François Delawarde
Herbert Xu
Lionel Elie Mamane