The tc-fw filter can be used to match on the packet's fwmark by adding a
filter with a matching handle. It also supports matching on specific
bits of the fwmark by specifying the handle together with a mask. This
is documented in the usage message below, but not in the man page.
Document it in the man page together with an example.
$ tc filter add fw help
Usage: ... fw [ classid CLASSID ] [ indev DEV ] [ action ACTION_SPEC ]
CLASSID := Push matching packets to the class identified by CLASSID with format X:Y
CLASSID is parsed as hexadecimal input.
DEV := specify device for incoming device classification.
ACTION_SPEC := Apply an action on matching packets.
NOTE: handle is represented as HANDLE[/FWMASK].
FWMASK is 0xffffffff by default.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
This stat was added in commit 794c24e9921f ("net-core: rx_otherhost_dropped to core_stats")
Tested: sent packet with wrong MAC address from 1
network namespace to another, verified that counter showed "1" in
`ip -s -s link sh` and `ip -s -s -j link sh`
Signed-off-by: Jeffrey Ji <jeffreyji@google.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Commit 21c07b4568 ("ss: Show zerocopy sendfile status of TLS
sockets") started displaying the activation status of zerocopy sendfile
on TLS sockets, exposed via sock_diag. This commit makes the format more
compact: the flag's name is shorter and is printed only when the feature
is active, similar to other flag options.
The flag's name is also generalized ("sendfile" -> "tx") to embrace
possible future optimizations, and includes an explicit indication that
the underlying data must not be modified during transfer ("ro").
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Update kernel headers to commit:
27f2533bcc6e ("nfp: flower: support to offload pedit of IPv6 flowinto fields")
Signed-off-by: David Ahern <dsahern@kernel.org>
Nikolay Aleksandrov says:
====================
Hi,
This set adds support for the new bulk delete flag to allow fdb flushing
for specific entries which are matched based on the supplied options.
The new bridge fdb subcommand is "flush", and as can be seen from the
commits it allows to delete entries based on many different criteria:
- matching vlan
- matching port
- matching all sorts of flags (combinations are allowed)
There are also examples for each option in the respective commit messages.
Examples:
$ bridge fdb flush dev swp2 master vlan 100 dynamic
[ delete all dynamic entries with port swp2 and vlan 100 ]
$ bridge fdb flush dev br0 vlan 1 static
[ delete all static entries in br0's fdb table ]
$ bridge fdb flush dev swp2 master extern_learn nosticky
[ delete all entries with port swp2 which have extern_learn set and
don't have the sticky flag set ]
$ bridge fdb flush dev br0 brport br0 vlan 100 permanent
[ delete all entries pointing to the bridge itself with vlan 100 ]
$ bridge fdb flush dev swp2 master nostatic nooffloaded
[ delete all entries with port swp2 which are not static and not
offloaded ]
If keyword is specified and after that nokeyword is specified obviously
the nokeyword would override keyword.
====================
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match entries with or without (if "no" is
prepended) offloaded flag.
Examples:
$ bridge fdb flush dev br0 offloaded
This will delete all offloaded entries in br0's fdb table.
$ bridge fdb flush dev br0 nooffloaded
This will delete all entries except the ones with offloaded flag in
br0's fdb table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match entries with or without (if "no" is
prepended) sticky flag.
Examples:
$ bridge fdb flush dev br0 sticky
This will delete all sticky entries in br0's fdb table.
$ bridge fdb flush dev br0 nosticky
This will delete all entries except the ones with sticky flag in
br0's fdb table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match entries with or without (if "no" is
prepended) extern_learn flag.
Examples:
$ bridge fdb flush dev br0 extern_learn
This will delete all extern_learn entries in br0's fdb table.
$ bridge fdb flush dev br0 noextern_learn
This will delete all entries except the ones with extern_learn flag in
br0's fdb table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match entries with or without (if "no" is
prepended) added_by_user flag. Note that NTF_USE is used internally
because there is no NTF_ flag that describes such entries.
Examples:
$ bridge fdb flush dev br0 added_by_user
This will delete all added_by_user entries in br0's fdb table.
$ bridge fdb flush dev br0 noadded_by_user
This will delete all entries except the ones with added_by_user flag in
br0's fdb table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match dynamic or non-dynamic (static or permanent)
entries if "no" is prepended respectively. Note that dynamic entries are
defined as fdbs without NUD_NOARP and NUD_PERMANENT set, and non-dynamic
entries are fdbs with NUD_NOARP set (that matches both static and
permanent entries).
Examples:
$ bridge fdb flush dev br0 dynamic
This will delete all dynamic entries in br0's fdb table.
$ bridge fdb flush dev br0 nodynamic
This will delete all entries except the dynamic ones in br0's fdb
table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match static or non-static entries if "no" is
prepended respectively. Note that static entries are only NUD_NOARP ones
without NUD_PERMANENT, also when matching non-static entries exclude
permanent entries as well (permanent entries by definition are also
static).
Examples:
$ bridge fdb flush dev br0 static
This will delete all static entries in br0's fdb table.
$ bridge fdb flush dev br0 nostatic
This will delete all entries except the static ones in br0's fdb
table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match permanent or non-permanent entries if "no" is
prepended respectively.
Examples:
$ bridge fdb flush dev br0 permanent
This will delete all permanent entries in br0's fdb table.
$ bridge fdb flush dev br0 nopermanent
This will delete all entries except the permanent ones in br0's fdb
table.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Usually we match on the device specified after "dev" but there are
special cases where we need an additional device attribute for matching
such as when matching entries specifically pointing to the bridge device
itself. We use NDA_IFINDEX for that purpose.
Example:
$ bridge fdb flush dev br0 brport br0
This will flush only entries pointing to the bridge itself.
$ bridge fdb flush dev swp1 brport swp2 master
Note this will flush entries pointing to swp2 only. The NDA_IFINDEX
attribute overrides the dev argument. This is documented in the man
page.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add flush support to match fdb entries in a specific vlan.
Example:
$ bridge fdb flush dev swp1 vlan 10 master
This will flush all fdb entries with port swp1 and vlan 10.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add support for fdb bulk delete (aka flush) command. Currently it only
supports the self and master flags with the same semantics as fdb
add/del. The device is a mandatory argument.
Example:
$ bridge fdb flush dev br0
This will delete *all* fdb entries in br0's fdb table.
$ bridge fdb flush dev swp1 master
This will delete all fdb entries pointing to swp1.
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David Ahern <dsahern@kernel.org>
As per the C standard, "expressions in an initializer for an object that
has static or thread storage duration shall be constant expressions".
Aggregate objects are not constant expressions. Newer GCC doesn't mind, but
older GCC and LLVM do.
Therefore convert to a macro. And since all these macros will look very
similar, extract a generic helper, IPSTATS_STAT_DESC_XSTATS_LEAF, which
takes the leaf name as an argument and initializes the rest as appropriate
for an xstats descriptor.
Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Peilin Ye says:
====================
From: Peilin Ye <peilin.ye@bytedance.com>
This patchset adds a new ss option, -T (--threads), to show thread
information. It extends the -p (--processes) option, and should be useful
for debugging, monitoring multi-threaded applications. Example output:
$ ss -ltT "sport = 1234"
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 0.0.0.0:1234 0.0.0.0:* users:(("test",pid=2932547,tid=2932548,fd=3),("test",pid=2932547,tid=2932547,fd=3))
It implies -p i.e. it outputs all threads in the thread group, including
the thread group leader. When -T is used, -Z and -z also show SELinux
contexts for threads.
[1-5/7] are small clean-ups for the user_ent_hash_build() function. [6/7]
factors out logic iterating $PROC_ROOT/$PID/fd/ from user_ent_hash_build()
to make [7/7] easier. [7/7] actually implements the feature.
====================
Signed-off-by: David Ahern <dsahern@kernel.org>
The -p, -Z and -z options only show process (thread group leader)
information. For example, if the thread group leader has exited, but
another thread in the group is still using a socket, ss -[pZz] does not
show it.
Add a new option, -T (--threads), to show thread information. It implies
the -p option. For example, imagine process A and thread B (in the same
group) using the same socket. ss -p only shows A:
$ ss -ltp "sport = 1234"
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 0.0.0.0:1234 0.0.0.0:* users:(("test",pid=2932547,fd=3))
ss -T shows A and B:
$ ss -ltT "sport = 1234"
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 0.0.0.0:1234 0.0.0.0:* users:(("test",pid=2932547,tid=2932548,fd=3),("test",pid=2932547,tid=2932547,fd=3))
If -T is used, -Z and -z also show SELinux contexts for threads.
Rename some variables (from "process" to "task", for example) since we
use them for both processes and threads.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
We are planning to add a thread version of the -p, --process option.
Move the logic iterating $PROC_ROOT/$PID/fd/ into a new function,
user_ent_hash_build_task(), to make it easier.
Since we will use this function for both processes and threads, rename
local variables as such (e.g. from "process" to "task").
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Make checkpatch.pl --strict happy about user_ent_hash_build().
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
'name' is already $PROC_ROOT/$PID/fd/$FD there, no need to rebuild the
string.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Call user_ent_hash_build() once after the getopt_long() loop if -p, -z
or -Z is used.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Commit 116ac9270b ("ss: Add support for retrieving SELinux contexts")
added an unnecessary stack variable, 'char *p', in
user_ent_hash_build(). Delete it for readability.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Use the '*' assignment-suppression character, instead of an
inappropriately named temporary variable.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Print the activation status of zerocopy sendfile on TLS sockets.
Zerocopy sendfile was recently added to Linux and exposed via sock_diag.
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
New netlink attributes IFLA_TSO_MAX_SIZE and IFLA_TSO_MAX_SEGS
are used to report device TSO limits to user-space.
ip -d link sh dev eth0
...
tso_max_size 65536 tso_max_segs 65535
ip -d link sh dev lo
...
tso_max_size 524280 tso_max_segs 65535
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Key length check in str2key() is wrong for hex. Fix this using the
proper hex key length.
Fixes: 28ee49e515 ("tipc: bail out if key is abnormally long")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
David removed the check using GSO_MAX_SIZE
in commit f1d18e2e6e ("Update kernel headers").
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
In dcb-app man page, 'direcly' should be 'directly'
In dcb-dcbx man page, 'respecively' should be 'respectively'
In devlink-dev man page, 'unspecificed' should be 'unspecified'
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
devlink-region does not accept the legth param, but the length one.
Fixes: 8b4fbf0bed ("devlink: Add support for devlink-region access")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
tc u32 ematch offset parsing might fail even if nexthdr offset is
aligned to 4. The issue can be reproduced with the following script:
tc qdisc del dev dummy0 root
tc qdisc add dev dummy0 root handle 1: htb r2q 1 default 1
tc class add dev dummy0 parent 1:1 classid 1:108 htb quantum 1000000 \
rate 1.00mbit ceil 10.00mbit burst 6k
while true; do
if ! tc filter add dev dummy0 protocol all parent 1: prio 1 basic match \
"meta(vlan mask 0xfff eq 1)" and "u32(u32 0x20011002 0xffffffff \
at nexthdr+8)" flowid 1:108; then
exit 0
fi
done
which we expect to produce an endless loop.
With the current code, instead, this ends with:
u32: invalid offset alignment, must be aligned to 4.
... meta(vlan mask 0xfff eq 1) and >>u32(u32 0x20011002 0xffffffff at nexthdr+8)<< ...
... u32(u32 0x20011002 0xffffffff at >>nexthdr+8<<)...
Usage: u32(ALIGN VALUE MASK at [ nexthdr+ ] OFFSET)
where: ALIGN := { u8 | u16 | u32 }
Example: u32(u16 0x1122 0xffff at nexthdr+4)
Illegal "ematch"
This is caused by memcpy copying into buf an unterminated string.
Fix it using strncpy instead of memcpy.
Fixes: commit 311b41454d ("Add new extended match files.")
Reported-by: Alfred Yang <alf.redyoung@gmail.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Petr Machata says:
====================
The RTM_GETSTATS response attributes IFLA_STATS_LINK_XSTATS and
IFLA_STATS_LINK_XSTATS_SLAVE are used to carry statistics related to,
respectively, netdevices of a certain type, and netdevices enslaved to
netdevices of a certain type. IFLA_STATS_AF_SPEC are similarly used to
carry statistics specific to a certain address family.
In this patch set, add support for three new stats groups that cover the
above attributes: xstats, xstats_slave and afstats. Add bridge and bond
subgroups to the former two groups, and mpls subgroup to the latter one.
Now "group" is used for selecting the top-level attribute, and subgroup
for the link-type or address-family nest below it (bridge, bond, mpls in
this patchset). But xstats (both master and slave) are further
subdivided. E.g. in the case of bridge statistics, the two subdivisions
are called "stp" and "mcast". To make it possible to pick these sets,
add to the two selector levels of group and subgroup a third level,
suite, which is filtered in the userspace.
====================
Signed-off-by: David Ahern <dsahern@kernel.org>
Add description of the newly-added statistics groups.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Extract from bridge_print_stats_attr() two helpers, one for dumping the
multicast attribute, one for dumping the STP attribute.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
The RTM_GETSTATS response attributes IFLA_STATS_LINK_XSTATS and
IFLA_STATS_LINK_XSTATS_SLAVE are used to carry statistics related to,
respectively, netdevices of a certain type, and netdevices enslaved to
netdevices of a certain type. Inside the nest is then link-type specific
attribute (e.g. LINK_XSTATS_TYPE_BRIDGE), and inside that nest further
attributes for individual type-specific statistical suites.
Under the "ip stats" model, that corresponds to groups "xstats" and
"xstats_slave", link-type specific subgroup, e.g. "bridge", and one or more
link-type specific suites, such as "stp".
Link-type specific stats are currently supported through struct link_util
and in particular the callbacks parse_ifla_xstats and print_ifla_xstats.
The role of parse_ifla_xstats is to establish which statistical suite to
display, and on which device. "ip stats" has framework for both of these
tasks, which obviates the need for custom parsing. Therefore the module
should instead provide a subgroup descriptor, which "ip stats" will then
use as any other.
The second link_util callback, print_ifla_xstats, is for response
dissection. In "ip stats" model, this belongs to leaf descriptors.
Eventually, the link-specific leaf descriptors will be similar to each
other: either master or slave top-level nest needs to be parsed, and
link-type attribute underneath that, and suite attribute underneath that.
To support this commonality, add struct ipstats_stat_desc_xstats to
describe the xstats suites. Further, expose ipstats_stat_desc_pack_xstats()
and ipstats_stat_desc_show_xstats(), which can be used at leaf descriptors
and do the appropriate thing according to the configuration in
ipstats_stat_desc_xstats.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
To show statistics nested under IFLA_STATS_LINK_XSTATS_SLAVE or
IFLA_STATS_LINK_XSTATS, one would use "group" to select the top-level
attribute, then "subgroup" to select the link type, which is itself a nest,
and then would lack a way to denote which attribute to select out of the
link-type nest.
To that end, add the selector level "suite", which is filtered in the
userspace.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Add a new group, "afstats", for showing counters from the
IFLA_STATS_AF_SPEC nest, and a subgroup "mpls" for the AF_MPLS
specifically.
For example:
# ip -n ns0-NrdgY9sx stats show dev veth01 group afstats
3: veth01: group afstats subgroup mpls
RX: bytes packets errors dropped noroute
0 0 0 0 0
TX: bytes packets errors dropped
108 1 0 0
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Extract from print_mpls_stats() a new function, print_mpls_link_stats(),
make it non-static and publish in the header file.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Currently, MPLS stats are formatted this way:
# ip -n ns0-DBZpxj8I link afstats dev veth01
3: veth01
mpls:
RX: bytes packets errors dropped noroute
0 0 0 0 0
TX: bytes packets errors dropped
216 2 0 0
Note how most numbers are not aligned properly under their column headers.
Fix by converting the code to use size_columns() to dynamically determine
the necessary width of individual columns, which also takes care of
formatting the table properly in case the counter values are high.
After the fix, the formatting looks as follows:
# ip -n ns0-Y1PyEc55 link afstats dev veth01
3: veth01
mpls:
RX: bytes packets errors dropped noroute
0 0 0 0 0
TX: bytes packets errors dropped
108 1 0 0
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
In Linux kernel commit 794c24e9921f ("net-core: rx_otherhost_dropped to
core_stats"), struct rtnl_link_stats64 got a new member. This change got to
iproute2 through commit bba9583752 ("Update kernel headers").
"ip stats" makes the assumption that the payload of attributes that carry
structures is at least as long as the size of the given structure as
iproute2 knows it. But that will not hold when a newer iproute2 is used
against an older kernel: since such kernel misses some fields on the tail
end of the structure, "ip stats" bails out:
# ip stats show group link
1: lo: group link
Error: attribute payload too shortDump terminated
Instead, be tolerant of responses that are both longer and shorter than
what is expected. Instead of forming a pointer directly into the payload,
allocate the stats structure on the stack, zero it, and then copy over the
portion from the response.
Reported-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
