Hi,

here is a patch against iproute2 to allow user to set a state with a specific
auth length.

Example:
$ ip xfrm state add src 10.16.0.72 dst 10.16.0.121 proto ah spi 0x10000000
auth-trunc "sha256" "azertyuiopqsdfghjklmwxcvbn123456" 96 mode tunnel
$ ip xfrm state
src 10.16.0.72 dst 10.16.0.121
         proto ah spi 0x10000000 reqid 0 mode tunnel
         replay-window 0
         auth-trunc hmac(sha256)
0x617a6572747975696f707173646667686a6b6c6d77786376626e313233343536 96
         sel src 0.0.0.0/0 dst 0.0.0.0/0

Regards,
Nicolas

>From 522ed7348cdf3b6f501af2a5a5d989de1696565a Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 23 Dec 2010 06:48:12 -0500
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo

Attribute XFRMA_ALG_AUTH_TRUNC can be used to specify
truncation bits, so we add a new algo type: auth-trunc.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>

The get_jiffies() function retrieves rtt-type values in units of
milliseconds. This patch updates the function name accordingly,
following the pattern given by dst_metric() <=> dst_metric_rtt().

Since July 2008 (2.6.27, c1e20f7c8b9), the kernel stores the values for
RTAX_{RTT{,VAR},RTO_MIN} in milliseconds. When using a kernel > 2.6.27 with
the current iproute2, conversion of these values is broken in either way.

This patch
 * updates the code to pass and retrieve milliseconds;
 * since values < 1msec would be rounded up, also drops the usec/nsec variants;
 * since there is no way to query kernel HZ, also drops the jiffies variant.

Arguments such as
	rtt		3.23sec
	rto_min		0xff
	rto_min		0.200s
	rttvar		25ms
now all work as expected when reading back previously set values.

get_jiffies() is in all places called in the same manner, with base=0;
simplify argument list by putting the constant value into the function.

Adds security context support to ip xfrm state.
Signed-off-by: Joy Latten <latten@austin.ibm.com>

Adds security context support to ip xfrm policy.
Signed-off-by: Joy Latten <latten@austin.ibm.com>

In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".

This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.

For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
	proto esp spi 0x00000301 reqid 0 mode transport
	replay-window 0
	auth hmac(digest_null) 0x3078
	enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
	security context root:system_r:unconfined_t:s0

Please  let me know if all is ok with the patchset.
Thanks!!

regards,
Joy
Signed-off-by: Joy Latten <latten@austin.ibm.com>

Add support for 'passthru' mode when creating a macvlan/macvtap device
which allows takeover of the underlying device and passing it to a KVM
guest using virtio with macvtap backend.

Only one macvlan device is allowed in passthru mode and it inherits
the mac address from the underlying device and sets it in promiscuous
mode to receive and forward all the packets.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

This reverts commit 632110aa.

There seem to be some recent changes in the 802.1Qbh/bg specs which may
result in changes to this patch in the near future. It seems like its best
to ignore this patch for now.
I will re-spin at a later time when the changes in the specs converge.

BTW, Please let me know if I should CC netdev list and others on the
original email. I can resend this email.

Thanks,
Roopa

Resubmitting Scott Feldmans original patch with below changes

- Fix port profile strlen which was off by 1
- Added function to convert IFLA_PORT_RESPONSE codes to string

Add support for IFLA_VF_PORTS.  VF port netlink msg layout is

        [IFLA_NUM_VF]
        [IFLA_VF_PORTS]
                [IFLA_VF_PORT]
                        [IFLA_PORT_*], ...
                [IFLA_VF_PORT]
                        [IFLA_PORT_*], ...
                ...
        [IFLA_PORT_SELF]
                [IFLA_PORT_*], ...

The iproute2 cmd line for link set is now:

Usage: ip link add link DEV [ name ] NAME
                   [ txqueuelen PACKETS ]
                   [ address LLADDR ]
                   [ broadcast LLADDR ]
                   [ mtu MTU ]
                   type TYPE [ ARGS ]
       ip link delete DEV type TYPE [ ARGS ]

       ip link set DEVICE [ { up | down } ]
                          [ arp { on | off } ]
                          [ dynamic { on | off } ]
                          [ multicast { on | off } ]
                          [ allmulticast { on | off } ]
                          [ promisc { on | off } ]
                          [ trailers { on | off } ]
                          [ txqueuelen PACKETS ]
                          [ name NEWNAME ]
                          [ address LLADDR ]
                          [ broadcast LLADDR ]
                          [ mtu MTU ]
                          [ netns PID ]
                          [ alias NAME ]
                          [ port MODE { PROFILE | VSI } ]
                          [ vf NUM [ mac LLADDR ]
                                   [ vlan VLANID [ qos VLAN-QOS ] ]
                                   [ rate TXRATE ]
                                   [ port MODE { PROFILE | VSI } ] ]
       ip link show [ DEVICE ]

TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | can }
MODE := { assoc | preassoc | preassocrr | disassoc }
PROFILE := profile PROFILE
           [ instance UUID ]
           [ host UUID ]
VSI := vsi mgr MGRID type VTID ver VER
       [ instance UUID ]
Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: Roopa Prabhu <roprabhu@cisco.com>

Use sanitized headers from 2.6.37-rc8

In preparation for adding name hash:
  * add const
  * use same types in cache as ifinfomsg
  * rename idxmap to ll_cache

Avoid initializing the LL map (which involves a costly RTNL dump)
multiple times. This can happen when running in batch mode.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>

The default of 16 is too small for users with 10,000 interfaces.

A small typo fix.

This patch adds save and restore commands to "ip route". Save dumps
the RTNL stream to stdout which can then be passed to restore later.
This may be helpful in some normal situations, and will allow C/R to
migrate the routing information in userspace.  Tweaking of the stream
can be done by userspace helpers to convert between versions and adjust
things like device indexes when restoring routes in a different
environment.

By factoring out some of the common bits of print_route() into
filter_nlmsg(), the "save" command can use the same selection logic
as "list," allowing the caller to save only specific routes as
necessary.

The only change since the RFC is the addition of manpage and doc
material.
Signed-off-by: Dan Smith <danms@us.ibm.com>

Add the iproute2 support for the ACT_CSUM action. Can be used as
following, certainly in conjunction with the ACT_PEDIT action (pedit):

 # In order to DNAT (stateless) IPv4 packet from 192.168.1.100 to
 #  0x12345678 (18.52.86.120), and update the IPv4 header checksum and
 #  the UDP checksum (the last one, only if the packet is UDP).
tc filter add eth0 prio 1 protocol ip parent ffff: \
  u32 match ip src 192.168.1.100/32 flowid :1 \
    action pedit munge offset 16 u32 set 0x12345678 \
      pipe csum ip and udp

 # In order to alter destination address of IPv6 TCP packets from fc00::1
 #  and correct the TCP checksum (nothing happened? except maybe for
 #  checksums in the TCP payload ...).
tc filter add eth0 prio 1 protocol ipv6 parent ffff: \
  u32 match ip6 src fc00::1/128 match ip6 protocol 0x06 0xff flowid :1 \
    action pedit munge offset 24 u32 set 0x12345678 \
      pipe csum tcp

The default remains at 10 for backwards compatibility.

For instance:
 # ip addr flush dev eth2
 *** Flush remains incomplete after 10 rounds. ***
 # ip -l 20 addr flush dev eth2
 *** Flush remains incomplete after 20 rounds. ***
 # ip -loops 0 addr flush dev eth2
 #

This is useful for getting rid of large numbers of IP
addresses in scripts.
Signed-off-by: Ben Greear <greearb@candelatech.com>

Add support for 'mode' parameter when creating a macvtap device.
This allows a macvtap device to be created in bridge, private or
the default vepa modes.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

-------------------------------------------------------------------
Acked-by: Arnd Bergmann <arnd@arndb.de>

Print directly to the file instead of going through a buffer.
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>

We can use rxhash to classify the traffic into flows. As rxhash maybe
supplied by NIC or RPS, it is cheaper.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>

Similar to tunnel side: accept dotted-quad and number formats.
Use regular number for printing the key.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>

Print GRE key as a regular number. It is not really an IPv4 address
and this is also how Cisco and Juniper treats GRE keys. Do keep the
parsing of dotted-quad format for backwards compatibility.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>

iptables dropped the xtables_set_revision() function around version 1.4.9,
so set the rev directly ourselves.  This should be compatible back to the
original version m_xt itself is designed for.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>

Use the available libraries for mapping from interface index to name
or type. This should speed up display with lots of interfaces

The subdirectory makefiles need Config file to exist.
Therefore create it, then run make clean, then remove it.

Use santized headers from 2.6.36 release

display socket policy direction
Signed-off-by: Ulrich Weber <uweber@astaro.com>

Bug reported where priorities of GRED DP's are ignored.
The option parsing sets opt then memset was clearing these
values.

Le lundi 23 août 2010 à 10:33 -0700, Stephen Hemminger a écrit :

> I think this breaks the wraparound detection code in this command.
>
>

OK lets fix the bug only, before adding 64bit counters capabilities.

Thanks

[PATCH] iproute2: add 64bit arches support to ifstat

ifstat assumes IFLA_STATS fields are "unsigned long", but they are
__u32. This fix is needed to let ifstat run on 64bit arches.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

In recent kernels, net_device_stats is not exposed and the code
shoulf have used rt_link_statistics.  Also, fix use of sprintf
with user supplied value.

Adds support for RTA_MARK rt attribute added in linux-2.6.36

$ ip route get ADDR mark 4
192.168.20.110 dev eth1  src 192.168.20.108  mark 4
    cache  mtu 1500 advmss 1460 hoplimit 64

$ ip route get 192.168.20.108 from ADDR iif STRING mark 256
local 192.168.20.108 from 192.168.20.110 dev lo  src 192.168.20.108  mark 0x100
    cache <local,src-direct>  iif eth1

$ ip route list cache [ADDR] mark NUMBER

Hexadecimal output if mark >= 16
null marks are not displayed.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>