Add the iproute2 support for the ACT_CSUM action. Can be used as
following, certainly in conjunction with the ACT_PEDIT action (pedit):
# In order to DNAT (stateless) IPv4 packet from 192.168.1.100 to
# 0x12345678 (18.52.86.120), and update the IPv4 header checksum and
# the UDP checksum (the last one, only if the packet is UDP).
tc filter add eth0 prio 1 protocol ip parent ffff: \
u32 match ip src 192.168.1.100/32 flowid :1 \
action pedit munge offset 16 u32 set 0x12345678 \
pipe csum ip and udp
# In order to alter destination address of IPv6 TCP packets from fc00::1
# and correct the TCP checksum (nothing happened? except maybe for
# checksums in the TCP payload ...).
tc filter add eth0 prio 1 protocol ipv6 parent ffff: \
u32 match ip6 src fc00::1/128 match ip6 protocol 0x06 0xff flowid :1 \
action pedit munge offset 24 u32 set 0x12345678 \
pipe csum tcp
We can use rxhash to classify the traffic into flows. As rxhash maybe
supplied by NIC or RPS, it is cheaper.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
iptables dropped the xtables_set_revision() function around version 1.4.9,
so set the rev directly ourselves. This should be compatible back to the
original version m_xt itself is designed for.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Fixes problems with xtables based MARK target ("ipt" module).
When tc loads the "ipt" (xt) module it kept the symbols local,
this made loading of libxtables not find the required struct.
currently ipt/xt is the only tc action module.
iproute2 never seem to do dlclose.
hopefully the modules doesn't export more symbols then needed.
In this situation hopefully the RTLD_GLOBAL flag won't hurt us.
I've been using this patch in the Debian package of iproute for
the last 3 weeks and noone has complained.
( This fixes http://bugs.debian.org/584898 )
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
This patch adds ipv6 filter priority/traffic class function
static int parse_ip6_class(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
shifting filter value to 5th bit and ignoring "at" as header position
is exactly given.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The recent commit "iproute2: add option to build m_xt as a tc module"
(ab814d6355) looks like it wrongly included debug changes in the
install target. So drop the `echo` so the tc binary actually gets
installed again.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When building on an old environment, the flex generated
tc/emp_ematch.lex.c file would not compile. The error given was:
emp_ematch.lex.c:1686: error: expected â;â, â,â or â)â before numeric constant
The emp_ematch.l uses 'str' as a start symbol name, and flex would create
a '#define str 1' statement. This particular version of flex,
unfortunately, used 'str' as names of string variables in the generated
parser functions. This is line 1686 in the generated file:
YY_BUFFER_STATE ematch__scan_string (yyconst char * str )
This patch just substitutes 'str' for 'lexstr' in emp_ematch.l to avoid
the collision.
This will build the xt module (action ipt) of tc as a
shared object that is linked at runtime by tc if used,
rather then built into tc.
This is similar to how the atm qdisc support
is handled (q_atm.so).
Signed-off-by: Andreas Henriksson <andreas@xxxxxxxx>
Try to automatically detect iptables modules directory.
Make the configure script look for iptables modules.
This also makes it possible to specify it on the
command line while building via "make IPT_LIB_DIR=/foo/bar".
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
parsing a mark as a classid allows for acceptance of strange
informal input.
cheers,
jamal
commit aad0da6507ff8a95a63ed8e529c05f52be5b0e75
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 15 06:45:29 2010 -0500
skbedit: use get_u32 for parsing mark
get_u32 is the more appropriate parser for a mark.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
This adds the required changes to gain access to
the head drop classfull queuing discipline named
pfifo_head_drop. In difference to pfifo or pfifo_fast
this queuing discipline will drop the first packet
in the case of queue congestion. As a result the queue
contain always the freshest packets.
To replace the current a root queueing discipline
for eth0:
$ tc qdisc replace dev eth0 root pfifo_head_drop
And show statistics:
$ tc -s qdisc show dev eth0
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
Since there aren't any targets that currently use this pattern rule, this
is more of a proactive fix.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This adds support for setting the skb mark.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Add a new cleaned up m_xt.c based on m_xt_old.c
The new m_xt.c has been updated to use the new names and new api
that xtables exposes in iptables 1.4.5.
All the old internal api cruft has also been dropped.
Additionally, a configure script test is added to check for
the new xtables api and set the TC_CONFIG_XT flag in Config.
(tc/Makefile already handles this flag in previous commit.)
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Move the file and rename the configure flags.
The file is being kept around for iptables < 1.4.5 compatibility.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
The kernel takes a lack of options as indication that the fw classifier
should operate in compatibility mode, where marks are mapped directly to
classids.
Commit e22b42a (tc mask patch) broke this by adding an empty TCA_OPTIONS
attribute even if no handle is specified. Restore the old behaviour.
Signed-off-by: Patrick McHardy <kaber@trash.net>
A bunch of source files look like they're copy & pasted from other files,
and some include header files that they don't actually need. Since dlfcn
has very specific usage (and is a pain on a static-only system), drop it
where it isn't really needed.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The iptables code supports a "no shared libs" mode where it can be used
without requiring dlfcn related functionality. This adds similar support
to iproute2 so that it can easily be used on systems like nommu Linux (but
obviously with a few limitations -- no dynamic plugins).
Rather than modify every location that uses dlfcn.h, I hooked the dlfcn.h
header with stub functions when shared library support is disabled. Then
symbol lookup is done via a local static lookup table (which is generated
automatically at build time) so that internal symbols can be found.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Sometimes while dividing bandwidth by classes it is useful to see how some
specific class doing things live.
Which my simple patch it is possible to do
watch -n1 "tc -s -d class show dev eth0.2022 classid 1:1520"
and to get live statistics, how packets queued or dropped, and how much
bandwidth used (if estimator defined) for specific class.
Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
This change was forgotten by Stephen in the last release
Signed-off-by: Denys Fedoryschenko <denys@visp.net.lb>
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Many thanks to Yevgeny Kosarzhevsky <yevg@pisem.net> for reporting
and a lot of testing
Thanks to Jan Engelhardt <jengelh@medozas.de> for a lot of advice
Thanks to Denys Fedoryschenko <denys@visp.net.lb> for some sample
code that he tried and thanks to Andreas Henriksson <andreas@fatal.se>
(who maintains iproute2 on debian) for the persistent followup.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Original from: Alexander Duyck <alexander.h.duyck@intel.com>
A bug was found in which the memory for the tc_skbedit struct was being
used uninitialized to 0. Alternative version of original fix
using initializer rather than memset.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
