$ ip route help 2>&1 | grep monitor
ip route { add | del | change | append | replace | monitor } ROUTE
$ ip route monitor
Command "monitor" is unknown, try "ip route help".
(I guess what was really intended is "ip monitor route", so just remove
the argument from the help output.)
Originally reported by martin f krafft at http://bugs.debian.org/537681
While at it, also drop all non-existant (route,link,netns) monitor
arguments from the ip(8) man page.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
The goal of this code change is to implement a mechanism such that it is
simple to work with a kernel that is using multiple network namespaces
at once.
This comes in handy for interacting with vpns where there may be rfc1918
address overlaps, and different policies default routes, name servers
and the like.
Configuration specific to a network namespace that would ordinarily be
stored under /etc/ is stored under /etc/netns/<name>. For example if
the dns server configuration is different for your vpn you would create
a file /etc/netns/myvpn/resolv.conf.
File descriptors that can be used to manipulate a network namespace can
be created by opening /var/run/netns/<NAME>.
This adds the following commands to iproute.
ip netns add NAME
ip netns delete NAME
ip netns monitor
ip netns list
ip netns exec NAME cmd ....
ip link set DEV netns NAME
ip netns exec exists to cater the vast majority of programs that only
know how to operate in a single network namespace. ip netns exec
changes the default network namespace, creates a new mount namespace,
remounts /sys and bind mounts netns specific configuration files to
their standard locations.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
iptables/xtables apparently changed API again.... Now you need to pass
and extra parameter (orig_opts) which was not needed before.
Sprinkle some lovely pre-processor magic to be compatible with both older
and new versions. In the beginning of times XTABLES_VERSION_CODE didn't
exist. Then it was (0x10000 * major + 0x100 * minor + patch) when it was
first introduced (according to git), but now it's at 6...
Don't know what official iptables releases has defined it to over time.
Lets just hope none of the older versions with is has the define
higher then 6 is still around.... so only the "current" versioning
scheme is supported.... lets see how long this lasts now.
For the API change in xtables, see:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff;h=600f38db82548a683775fd89b6e136673e924097
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
The ip(8) man page and the "ip xfrm [ XFRM-OBJECT ] help" command output
are updated to include missing options, fix errors, and improve grammar.
There are no functional changes made.
The documentation for the ip command has many different meanings for the
same formatting symbols (which really needs to be fixed). This patch makes
consistent use of brackets [ ] to indicate optional parameters, pipes | to
mean "OR", braces { } to group things together, and dashes - instead of
underscores _ inside of parameter names. The parameters are listed in the
order in which they are parsed in the source code.
There are several parameters and options that are still not mentioned or
need to be described more thoroughly in the "COMMAND SYNTAX" section of
the ip(8) man page. I would appreciate help from the developers with this.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Fixes following error. We currently provide garbage data to kernel, that
can abort the validation process or produce unexpected results.
$ ss -a autobound
State Recv-Q Send-Q Local Address:Port Peer Address:Port
TCPDIAG answers: Invalid argument
After patch:
$ misc/ss -a autobound
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:44624 *:*
ESTAB 0 0 192.168.1.21:47141 74.125.79.109:imaps
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Eric Dumazet a écrit :
> We currently use an expensive ioctl() to get device txqueuelen, while
> rtnetlink gave it to us for free. This patch speeds up ip link operation
> when many devices are registered.
>
Here is a 2nd version od this patch, not displaying "qlen 0" useless info
[PATCH iproute2] ip: Support IFLA_TXQLEN in ip link show command
We currently use an expensive ioctl() to get device txqueuelen, while
rtnetlink gave it to us for free. This patch speeds up ip link operation
when many devices are registered.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
If the continue is taken, then there is a memory leak.
https://bugzilla.novell.com/show_bug.cgi?id=538996
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Brandon Philips <bphilips@suse.de>
The genl code uses constructs which violate the strict aliasing
constraints of gcc 4.4. Disable the optimization to avoid warnings
and potential breakage.
User can specify device group to list by using the group keyword:
ip link show group test
If no group is specified, 0 (default) is implied.
Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Hi,
here is a patch against iproute2 to allow user to set a state with a specific
auth length.
Example:
$ ip xfrm state add src 10.16.0.72 dst 10.16.0.121 proto ah spi 0x10000000
auth-trunc "sha256" "azertyuiopqsdfghjklmwxcvbn123456" 96 mode tunnel
$ ip xfrm state
src 10.16.0.72 dst 10.16.0.121
proto ah spi 0x10000000 reqid 0 mode tunnel
replay-window 0
auth-trunc hmac(sha256)
0x617a6572747975696f707173646667686a6b6c6d77786376626e313233343536 96
sel src 0.0.0.0/0 dst 0.0.0.0/0
Regards,
Nicolas
>From 522ed7348cdf3b6f501af2a5a5d989de1696565a Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 23 Dec 2010 06:48:12 -0500
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo
Attribute XFRMA_ALG_AUTH_TRUNC can be used to specify
truncation bits, so we add a new algo type: auth-trunc.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
The get_jiffies() function retrieves rtt-type values in units of
milliseconds. This patch updates the function name accordingly,
following the pattern given by dst_metric() <=> dst_metric_rtt().
Since July 2008 (2.6.27, c1e20f7c8b9), the kernel stores the values for
RTAX_{RTT{,VAR},RTO_MIN} in milliseconds. When using a kernel > 2.6.27 with
the current iproute2, conversion of these values is broken in either way.
This patch
* updates the code to pass and retrieve milliseconds;
* since values < 1msec would be rounded up, also drops the usec/nsec variants;
* since there is no way to query kernel HZ, also drops the jiffies variant.
Arguments such as
rtt 3.23sec
rto_min 0xff
rto_min 0.200s
rttvar 25ms
now all work as expected when reading back previously set values.
In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".
This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.
For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
proto esp spi 0x00000301 reqid 0 mode transport
replay-window 0
auth hmac(digest_null) 0x3078
enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
security context root:system_r:unconfined_t:s0
Please let me know if all is ok with the patchset.
Thanks!!
regards,
Joy
Signed-off-by: Joy Latten <latten@austin.ibm.com>
