- Use strncpy() when writing to target->t->u.user.name and make sure the
final byte remains untouched (xtables_calloc() set it to zero).
- 'tname' length sanitization was completely wrong: If it's length
exceeded the 16 bytes available in 'k', passing a length value of 16
to strncpy() would overwrite the previously NULL'ed 'k[15]'. Also, the
sanitization has to happen if 'tname' is exactly 16 bytes long as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The later check for 'k[0] != 0' requires a non-empty filter name,
otherwise NULL pointer dereference in 'q' might happen.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Assuming 'opt' might be NULL, move the call to RTA_PAYLOAD to after the
check since it dereferences its parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
multiq_parse_opt() doesn't change 'opt' at all. So at least make sure
it doesn't fill TCA_OPTIONS attribute with garbage from stack.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The use of 'ok' variable in parse_gact() is ineffective: The second
conditional increments it either if *argv is 'gact' or if
parse_action_control() doesn't fail (in which case exit() is called).
So this is effectively an unconditional increment and since no decrement
happens anywhere, all remaining checks for 'ok != 0' can be dropped.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Commit 69fed534a5 ("change how Config is used in Makefile's") moved
HAVE_MNL specific CFLAGS/LDLIBS for building with libmnl out of the
top level Makefile into sub-Makefiles. However, it also removed the
HAVE_ELF specific CFLAGS/LDLIBS entirely, which breaks the BPF object
loader for tc and ip with "No ELF library support compiled in." despite
having libelf detected in configure script. Fix it similarly as in
69fed534a5 for HAVE_ELF.
Fixes: 69fed534a5 ("change how Config is used in Makefile's")
Reported-by: Jeffrey Panneman <jeffrey.panneman@tno.nl>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- CONTROL has to come last, otherwise 'index' applies to gact and not
simple itself.
- Man page wasn't updated to reflect syntax changes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Make use of TCA_BPF_ID/TCA_ACT_BPF_ID that we exposed and print the ID
of the programs loaded and use the new BPF_OBJ_GET_INFO_BY_FD command
for dumping further information about the program, currently whether
the attached program is jited.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Adding new tunnel key fields would cause the usage line overflow 80 chars.
Make the usage text similar to other commands.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
In case default control action parsing takes place, it is ok to miss.
So don't print error message.
Fixes: e67aba5595 ("tc: actions: add helpers to parse and print control actions")
Reported-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Tested-by: Jiri Benc <jbenc@redhat.com>
parse_action_control helper does advancing of the arg inside. So don't
do it outside.
Fixes: e67aba5595 ("tc: actions: add helpers to parse and print control actions")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Allow users to set flower classifier filter rules which
include matches for ip tos and ttl.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
This happens with NAT targets, such as SNAT, DNAT and MASQUERADE. These
are still not usable with this patch, but at least tc doesn't crash
anymore when one tries to use them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Each tc action is terminated by a control action. Each action parses and
prints then intividually. Introduce set of helpers and allow to share
this code.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Fixes
| tc_core.c:190:29: error: 'UINT16_MAX' undeclared (first use in this function); did you mean '__INT16_MAX__'?
| if ((sz >> s->size_log) > UINT16_MAX) {
| ^~~~~~~~~~
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Do not allow using eth and udp header types if non-extended pedit kABI
is being used. Other protocol parsers already have this check.
Signed-off-by: Amir Vadai <amir@vadai.me>
Currently there is no way of querying whether a filter is
offloaded to HW or not when using "both" policy (where none
of skip_sw or skip_hw flags are set by user-space).
Add two new flags, "in hw" and "not in hw" such that user
space can determine if a filter is actually offloaded to
hw or not. The "in hw" UAPI semantics was chosen so it's
similar to the "skip hw" flag logic.
If none of these two flags are set, this signals running
over older kernel.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
For example, forward udp traffic destined to port 999 to veth0 and set
tcp port to 888:
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto udp \
dst_port 999 \
action pedit ex munge \
udp dport set 888 \
action mirred egress \
redirect dev veth0
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Amir Vadai <amir@vadai.me>
For example, forward tcp traffic destined to port 80 to veth0 and set
tcp port to 8080:
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto tcp \
dst_port 80 \
action pedit ex munge \
tcp dport set 8080 \
action mirred egress \
redirect dev veth0
Signed-off-by: Amir Vadai <amir@vadai.me>
For example, forward tcp traffic to veth0 and set
destination mac address to 11:22:33:44:55:66 :
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto tcp \
action pedit ex munge \
eth dst set 11:22:33:44:55:66 \
action mirred egress \
redirect dev veth0
Signed-off-by: Amir Vadai <amir@vadai.me>
Make parse_val() accept fields up to 128 bits long, this should be
enough for current use cases and involves a minimal change to code.
Signed-off-by: Amir Vadai <amir@vadai.me>
Enable user to edit IP header ttl field.
For example, to forward any TCP packet and decrease its TTL by one:
$ tc filter add dev enp0s9 protocol ip parent ffff: \
flower \
ip_proto tcp \
action pedit ex munge \
ip ttl add 0xff pipe \
action mirred egress \
redirect dev veth0
Signed-off-by: Amir Vadai <amir@vadai.me>
Utilize the extended pedit netlink to set an offset relative to a
specific header type. Old netlink only enabled the user to set
approximated offset relative to the IPv4 header.
To use this extended functionality need to use the 'ex' keyword after
'pedit' and before any 'munge'.
e.g:
$ tc filter add dev ens9 protocol ip parent ffff: \
flower \
ip_proto udp \
dst_port 80 \
action pedit ex munge \
ip dst set 1.1.1.1 \
pipe \
action mirred egress redirect dev veth0
Signed-off-by: Amir Vadai <amir@vadai.me>
Make use of 128b user cookies
Introduce optional 128-bit action cookie.
Like all other cookie schemes in the networking world (eg in protocols
like http or existing kernel fib protocol field, etc) the idea is to
save user state that when retrieved serves as a correlator. The kernel
_should not_ intepret it. The user can store whatever they wish in the
128 bits.
Sample exercise(showing variable length use of cookie)
.. create an accept action with cookie a1b2c3d4
sudo $TC actions add action ok index 1 cookie a1b2c3d4
.. dump all gact actions..
sudo $TC -s actions ls action gact
action order 0: gact action pass
random type none pass val 0
index 1 ref 1 bind 0 installed 5 sec used 5 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
cookie a1b2c3d4
.. bind the accept action to a filter..
sudo $TC filter add dev lo parent ffff: protocol ip prio 1 \
u32 match ip dst 127.0.0.1/32 flowid 1:1 action gact index 1
... send some traffic..
$ ping 127.0.0.1 -c 3
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Support the new TCA_DUMP_INVISIBLE netlink attribute that allows asking
kernel to perform 'full qdisc dump', as for historical reasons some of the
default qdiscs are being hidden by the kernel.
The command syntax is being extended by voluntary 'invisible' argument to
'tc qdisc show'.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When built with GCC warnings enabled:
q_pie.c: In function ‘pie_parse_opt’:
q_pie.c:78:38: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
(alpha > ALPHA_MAX) || (alpha < ALPHA_MIN)) {
^
q_pie.c:85:35: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
(beta > BETA_MAX) || (beta < BETA_MIN)) {
^
This is because MIN is 0 and unsigned number can never be less than 0.
Therefore just remove the _MIN values.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
