Allow to limit 'ip xfrm {state|policy} list' output to a certain address
family and to delete all states/policies by family.
Although preferred_family was already set in filters, the filter
function ignored it. To enable filtering despite the lack of other
selectors, filter.use has to be set if family is not AF_UNSPEC.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Follow the following steps:
# ip netns add net1
# export MALLOC_MMAP_THRESHOLD_=0
# ip netns list
then Segmentation fault (core dumped) will occur.
In get_netnsid_from_name func, answer is freed before
rta_getattr_u32(tb[NETNSA_NSID]), where tb[] refers to answer`s
content. If we set MALLOC_MMAP_THRESHOLD_=0, mmap will be adoped to
malloc memory, which will be freed immediately after calling free
func. So reading tb[NETNSA_NSID] will access the released memory
after free(answer).
Here, we will call get_netnsid_from_name(tb[NETNSA_NSID]) before free(answer).
Fixes: 86bf43c7c2 ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
Reported-by: Huiying Kou <kouhuiying@huawei.com>
Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Similar to other print functions we need to flush buffered data
in order to work with pipes and output redirects.
After this patch ip monitor mroute &>log works properly.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
# rule add priority 10 realms 1/0xF
# rule add priority 10 realms 0/0xF
# ip rule
10: from all lookup main 15
10: from all lookup main realms 1/15
The previous behavior was there since the beginning.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
When printing the actions, we avoid adding the trailing space after the
attribute. Possibly because we expect the action to be the last output
on the line and not end with a space.
But for FR_ACT_TO_TBL nothing is printed. That means, we add double
spaces if a protocol is printed as well:
# ip rule add priority 10 protocol 10 type 1
will be printed as
10: from all lookup 1 proto mrt
The only visible effect of the patch is to avoid the double-space and
avoid a trailing space if the action is FR_ACT_TO_TBL.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
It seems print_rule() tries to avoid a trailing space at the end
of the line. At least, when printing details about the actions,
they no longer append the space. Probably expecting to be the
last attribute that will be printed.
Don't let the protocol add the trailing space. The space at the end
of the line should be printed consistently (or not).
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
For all other actions we avoid the trailing space, so do it here
as well.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The XFRMA_IF_ID attribute is set in policies/states for them to be
associated with an XFRM interface (4.19+).
Add support for setting / displaying this attribute.
Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
was provided in command line.
Tested-by: Antony Antony <antony@phenome.org>
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Interfaces take a 'if_id' which is an interface id which can be set on
an xfrm policy as its interface lookup key (XFRMA_IF_ID).
Signed-off-by: Matt Ellison <matt@arroyo.io>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
This adds configuration for the IFLA_BRPORT_MCAST_TO_UCAST flag that
allows multicast packets to be replicated as unicast packets.
Signed-off-by: Tobias Jungel <tobias.jungel@bisdn.de>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The ip -j option to print output as JSON is ignored when using 'route get':
$ ip -j route get 127.0.0.1
local 127.0.0.1 dev lo src 127.0.0.1 uid 1000
cache <local>
Enable JSON output in iproute_get(), and don't let print_cache_flags() close
the JSON output, as it's not always the last called JSON function.
Tested on different route types:
$ ip -j -p route get 127.0.0.1
[ {
"type": "local",
"dst": "127.0.0.1",
"dev": "lo",
"prefsrc": "127.0.0.1",
"flags": [ ],
"uid": 1000,
"cache": [ "local" ]
} ]
$ ip -d -j -p route get 192.0.2.1
[ {
"type": "unicast",
"dst": "192.0.2.1",
"gateway": "192.168.85.1",
"dev": "wlp3s0",
"table": "main",
"prefsrc": "192.168.85.2",
"flags": [ ],
"uid": 1000,
"cache": [ ]
} ]
Fixes: 663c3cb231 ("iproute: implement JSON and color output")
Acked-by: Phil Sutter <phil@nwl.cc>
Reviewed-and-tested-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Add json support for bridge's xstats output.
The plain text output format should remain the same.
Note that this patch pulls the interface out of the attribute
loop, this was an oversight when the set was upstreamed. This does not
change the output format, but fixes it when new xstats attributes show
up.
Example:
$ ip -p -j link xstats type bridge
[ {
"ifname": "br0",
"multicast": {
"igmp_queries": {
"rx_v1": 0,
"rx_v2": 32,
"rx_v3": 0,
"tx_v1": 0,
"tx_v2": 0,
"tx_v3": 0
},
"igmp_reports": {
"rx_v1": 0,
"rx_v2": 32,
"rx_v3": 0,
"tx_v1": 0,
"tx_v2": 0,
"tx_v3": 0
},
"igmp_leaves": {
"rx": 0,
"tx": 0
},
"igmp_parse_errors": 0,
"mld_queries": {
"rx_v1": 33,
"rx_v2": 0,
"tx_v1": 0,
"tx_v2": 0
},
"mld_reports": {
"rx_v1": 66,
"rx_v2": 2,
"tx_v1": 0,
"tx_v2": 0
},
"mld_leaves": {
"rx": 0,
"tx": 0
},
"mld_parse_errors": 0
}
} ]
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
This adds only initial object support if json argument is specified.
Later patches convert the current xstats users to json.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
was displayed as
10: from all iif eth1 [detached] goto 10000unresolved proto mrt
now:
10: from all iif eth1 [detached] goto 10000 [unresolved] proto mrt
Fixes: 0dd4ccc56c ("iprule: add json support")
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
IFLA_VF_MAX is larger than the highest valid index in vf array.
Fixes: a1b99717c7 ("Add displaying VF traffic statistics")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The key should not be called "to_tbl" because it is exactly
not a FR_ACT_TO_TBL action. Change it to "action".
# ip rule add blackhole
# ip -j rule | python -m json.tool
...
{
"priority": 0,
"src": "all",
"to_tbl": "blackhole"
},
This is an API break of JSON output as it was added in v4.17.0.
Still change it as the API is relatively new and unstable.
Fixes: 0dd4ccc56c ("iprule: add json support")
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
A /0 subnet mask is theoretically valid, but ip route get doesn't allow
it:
$ ip route get 1.0.0.0/0
need at least a destination address
Change the check and remember whether we found an address or not, since
according to the documentation it's a mandatory parameter.
$ ip/ip route get 1.0.0.0/0
1.0.0.0 via 192.168.1.1 dev eth0 src 192.168.1.91 uid 1000
cache
Reported-by: Clément Hertling <wxcafe@wxcafe.net>
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
When attaching an eBPF program to a device, ip link can force the XDP mode
by using the xdp{generic,drv,offload} keyword instead of just 'xdp'.
Document this behaviour also in the help output.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Fixes: 14683814 ("bpf: add xdpdrv for requesting XDP driver mode")
Fixes: 1b5e8094 ("bpf: allow requesting XDP HW offload")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
in this way, a useless cast to unsigned int is avoided in bpf_print_ops()
and print_tunnel().
Tested with:
# ./tdc.py -c bpf
Suggested-by: Stephen Hemminger <stephen@networkplumber.org>
Cc: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
ip tracks namespaces with dummy files in /var/run/netns/, but can't see
namespaces created with other tools.
Creating the dummy file and bind mounting the correct procfs entry will
make ip aware of that namespace.
Add an ip netns subcommand to automate this task.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Reviewed-by: Andrea Claudi <aclaudi@redhat.com>
Tested-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
ip l add dev tun type gretap external
ip r a 10.0.0.1 encap ip dst 192.168.152.171 id 1000 dev gretap
For gretap example when the command set the id but don't set the
TUNNEL_KEY flags. There is no key field in the send packet
User can set flags with key, csum, seq
ip r a 10.0.0.1 encap ip dst 192.168.152.171 id 1000 key csum dev gretap
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Kernel ignores the RTM_F_LOOKUP_TABLE flag for all families
but IPv4. Don't set it, otherwise it may fall foul of
strict checking policies.
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
ip xfrm state show currently dumps keys unconditionally. This limits its
use in logging, as security information can be leaked.
This patch adds a nokeys option to ip xfrm ( state show | monitor ), which
prevents the printing of keys. This allows ip xfrm state show to be used
in logging without exposing keys.
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
In case a neighbour message is of family AF_BRIDE the NDA_DST attribute
was not printed so far. With this patch the family is evaluated to pass
the correct family to format_host_rta.
Signed-off-by: Tobias Jungel <tobias.jungel@bisdn.de>
Add ipneigh_dump_filter to add filter attributes to the neighbor
dump request and update do_show_or_flush to use rtnl_neighdump_req.
Signed-off-by: David Ahern <dsahern@gmail.com>
ip rule add from all iif gretap tun_id 2000 lookup 200
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
iproute2 has been updated for the new strict policy in the kernel. Add a
helper to call setsockopt to enable the feature. Add a call to ip.c and
bridge.c
The setsockopt fails on older kernels and the error can be safely ignored
- any new fields or attributes are ignored by the older kernel.
Signed-off-by: David Ahern <dsahern@gmail.com>
Add a filter function to rtnl_addrdump_req to set device index in the
address dump request if the user is filtering addresses by device. In
addition, add a new ipaddr_link_get to do a single RTM_GETLINK request
instead of a device dump yet still store the data in the linfo list.
Signed-off-by: David Ahern <dsahern@gmail.com>
Split ip_linkaddr_list into one function that generates a list of devices
and a second that generates the list of addresses.
Signed-off-by: David Ahern <dsahern@gmail.com>
Similar to 'ip route' add the table id to the dump request for
kernel side filtering if it is supported.
Signed-off-by: David Ahern <dsahern@gmail.com>
Add protocol, table id and device to dump request if set in filter. If
kernel side filtering is supported it is used to reduce the amount of
data sent to userspace.
Older kernels do not parse attributes on a route dump request, so these
are silently ignored and ip will do the filtering in userspace.
Signed-off-by: David Ahern <dsahern@gmail.com>
Add a filter option to rtnl_routedump_req and use it to set rtm_flags
removing the need for rtnl_rtcache_request for dump requests.
Signed-off-by: David Ahern <dsahern@gmail.com>
DECnet belongs in the history museum of dead protocols along
with Appletalk and IPX.
Linux support has outlived its natural life and the time has
come to remove it from iproute2. Dead code is a source
of bugs and exploits.
If anyone actually has DECnet running on some old distribution
they can just keep to the old version of iproute2.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David Ahern <dsahern@gmail.com>
The argument to print_0xhex is converted to unsigned long long
so the format string give for normal printout has to be some
variant of %llx. Otherwise, bogus values will be printed on
32 bit platforms.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
On some 32 bit platforms, the printf was causing warning:
ipmacsec.c: In function ‘getattr_u64’:
ipmacsec.c:655:47: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘unsigned int’ [-Wformat=]
fprintf(stderr, "invalid attribute length %lu\n",
Resolve by computing length as size_t first.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Phil Sutter
Zhiqiang Liu
Nikolay Aleksandrov
Thomas Haller
Beniamino Galvani
Eyal Birger
Matt Ellison
Stephen Hemminger
Tobias Jungel
Matteo Croce
David Ahern
Luca Boccassi
Davide Caratti
wenxu
Jakub Kicinski
Benedict Wong
Stephen Hemminger