The matchall classifier matches every packet and allows the user to apply
actions on it. In addition, it supports the skip_sw and skip_hw (as can
be found on u32 and flower filter) that direct the kernel to skip the
software/hardware processing of the actions.
This filter is very useful in usecases where every packet should be
matched. For example, packet mirroring (SPAN) can be setup very easily
using that filter.
Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Before this patch:
# ./tc/tc actions add action drop index 11
RTNETLINK answers: File exists
We have an error talking to the kernel
Command "(null)" is unknown, try "tc actions help".
After this patch:
# ./tc/tc actions add action drop index 11
RTNETLINK answers: File exists
We have an error talking to the kernel
Cc: Stephen Hemminger <shemming@brocade.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
The function returns zero on success.
Reported-by: Mark Bloch <markb@mellanox.com>
Fixes: 69f5aff63c ("tc: use action_a2n() everywhere")
Signed-off-by: Phil Sutter <phil@nwl.cc>
When switching to C99 initializers, I forgot to add this one. This means
that when trying to set an estimator value, tc would complain about
spurious duplicate estimator parameter. But much worse, the random
variable content is sent to the kernel regardless of whether an
estimator was given or not.
Fixes: d17b136f7d ("Use C99 style initializers everywhere")
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
It's a pitty this function is used nowhere, so let's polish it for use:
* Loop over branch names, makes it clear that every former conditional
was exactly identical.
* Support 'pipe' branch name, too.
* Make number parsing optional.
Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop 'extern' keyword before function declarations.
* Add parameter names where they were missing for matters of
consistency.
* Drop fancy indenting (e.g. tab between type and name).
* Break long lines to not exceed 80 columns.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The optional mask which may be added to int values is considered by the
kernel only if it is non-zero, therefore tc should only then also print
it.
Without this, not passing a mask value like so:
| # tc filter add dev d0 parent 8001: \
| basic match meta\(vlan eq 1\) \
| classid 8001:1
Would lead to tc printing an all-zero mask later:
| # tc filter show dev d0
| filter parent 8001: protocol all pref 49151 basic
| filter parent 8001: protocol all pref 49151 basic handle 0x1 flowid 8001:1
| meta(vlan mask 0x00000000 eq 1)
This is obviously confusing as an all-zero mask strictly means to
eliminate all bits from the value, but the opposite is the case.
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since parse_rtattr_flags() calls memset already, there is no need for
callers to do so themselves.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
This only replaces occurrences where the newly allocated memory is
cleared completely afterwards, as in other cases it is a theoretical
performance hit although code would be cleaner this way.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
This big patch was compiled by vimgrepping for memset calls and changing
to C99 initializer if applicable. One notable exception is the
initialization of union bpf_attr in tc/tc_bpf.c: changing it would break
for older gcc versions (at least <=3.4.6).
Calls to memset for struct rtattr pointer fields for parse_rtattr*()
were just dropped since they are not needed.
The changes here allowed the compiler to discover some unused variables,
so get rid of them, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
This improves my initial change in the following points:
- Flatten embedded struct's initializers.
- No need to initialize variables to zero as the key feature of C99
initializers is to do this implicitly.
- By relocating the declaration of struct rtattr *tail, it can be
initialized at the same time.
Fixes: a0a73b298a ("tc: m_action: Use C99 style initializers for struct req")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Use the official BPF ELF e_machine value that was assigned recently [1]
and will be propagated to glibc, libelf et al. LLVM will switch to it
in 3.9 release, therefore we need to prepare tc to check for EM_ELF as
well, older version still have the EM_NONE.
[1] 36b9c09330
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
On devices that support TC flower offloads, these flags enable a filter to be
added only to HW or only to SW. skip_sw and skip_hw are mutually exclusive
flags. By default without any flags, the filter is added to both HW and SW,
but no error checks are done in case of failure to add to HW.
With skip-sw, failure to add to HW is treated as an error.
Here is a sample script that adds 2 filters, one with skip_sw and the other
with skip_hw flag.
# add ingress qdisc
tc qdisc add dev enp0s9 ingress
# enable hw tc offload.
ethtool -K enp0s9 hw-tc-offload on
# add a flower filter with skip-sw flag.
tc filter add dev enp0s9 protocol ip parent ffff: flower \
ip_proto 1 indev enp0s9 skip_sw \
action drop
# add a flower filter with skip-hw flag.
tc filter add dev enp0s9 protocol ip parent ffff: flower \
ip_proto 3 indev enp0s9 skip_hw \
action drop
Signed-off-by: Amir Vadai <amirva@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
I'll make a formal submission sans the header when the kernel patches
makes it in. This version is for someone who wants to play around with
the net-next kernel patches i sent
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Instead of initializing fields after (or sometimes even before) zeroing
the whole struct via memset(), initialize the whole thing at declaration
time.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since commit 5cd1adb ("Update to current iptables headers") the build
with m_ipt.o and the following config will fail:
TC_CONFIG_XT:=n
TC_CONFIG_XT_OLD:=n
TC_CONFIG_XT_OLD_H:=n
This patch renames "iptables_target" to "xtables_target" and some other
things which gets renamed and I noticed while reading iptables git log.
Functions which are not used in m_ipt.c and not exported by the header
are removed, if they still used in m_ipt.c I added a static to the function.
Reported-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Alexander Aring <aar@pengutronix.de>
This pulls common code from parse_ipt() and print_ipt() functions
together.
While here, also fix for incorrect use of the global 'optarg' variable
in print_ipt().
Signed-off-by: Phil Sutter <phil@nwl.cc>
After dropping the unused decrement of argc in the function's tail, it
can fully take over what iargc has been used for.
Signed-off-by: Phil Sutter <phil@nwl.cc>
By exiting early if xtables_find_target() fails, one indenting level can
be dropped. Some of the wrongly indented code then happens to sit at the
right spot by accident which is why this patch is smaller than expected.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Without this, the following call to tc would segfault:
| tc filter add dev d0 parent ffff: u32 match u32 0 0 \
| action xt -j MARK --set-mark 0x1 \
| action xt -j MARK --set-mark 0x1
The reason is basically the same as for 6e2e5ec28b ("fix print_ipt:
segfault if more then one filter with action -j MARK.") but in
parse_ipt() instead of print_ipt().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Iptables standard targets like DROP or REJECT don't implement the print
callback in libxtables. Hence the following command would segfault:
| tc filter add dev d0 parent ffff: u32 match u32 0 0 action xt -j DROP
With this patch standard targets still can't be used (and are not really
useful anyway), but at least it doesn't crash anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
On devices that support TC U32 offloads, these flags enable a filter to be
added only to HW or only to SW. skip_sw and skip_hw are mutually exclusive
flags. By default without any flags, the filter is added to both HW and SW,
but no error checks are done in case of failure to add to HW.
With skip-sw, failure to add to HW is treated as an error.
Here is a sample script that adds 2 filters, one with skip_sw and the other
with skip_hw flag.
# add ingress qdisc
tc qdisc add dev p4p1 ingress
# enable hw tc offload.
ethtool -K p4p1 hw-tc-offload on
# add u32 filter with skip-sw flag.
tc filter add dev p4p1 parent ffff: protocol ip prio 99 \
handle 800:0:1 u32 ht 800: flowid 800:1 \
skip-sw \
match ip src 192.168.1.0/24 \
action drop
# add u32 filter with skip-hw flag.
tc filter add dev p4p1 parent ffff: protocol ip prio 99 \
handle 800:0:2 u32 ht 800: flowid 800:2 \
skip-hw \
match ip src 192.168.2.0/24 \
action drop
Signed-off-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
"handle" was being used several times for different things.
Fix the 80 character limit abuse and other little issues while at it.
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
The user must at least specify a choice of the token bucket or
ewma policing or late binding index. TB policing requires at minimal
a rate and burst.
In addition fix formatting issues (80 chars etc).
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Similar to the Linux kernel and perf add infrastructure to reduce the
amount of output tossed to a user during a build. Full build output
can be obtained with 'make V=1'
Builds go from:
make[1]: Leaving directory `/home/dsa/iproute2.git/lib'
make[1]: Entering directory `/home/dsa/iproute2.git/ip'
gcc -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wold-style-definition -Wformat=2 -O2 -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib\" -DCONFDIR=\"/etc/iproute2\" -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c -o ip.o ip.c
gcc -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wold-style-definition -Wformat=2 -O2 -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib\" -DCONFDIR=\"/etc/iproute2\" -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c -o ipaddress.o ipaddress.c
to:
...
AR libutil.a
ip
CC ip.o
CC ipaddress.o
...
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Failed compile
m_simple.c: In function ‘parse_simple’:
m_simple.c:154:6: warning: too many arguments for format [-Wformat-extra-args]
*argv);
^
m_simple.c:103:14: warning: unused variable ‘maybe_bind’ [-Wunused-variable]
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
