1. 18 Feb, 2016 3 commits
    • Nikolay Aleksandrov's avatar
      iplink: bridge_slave: add support for IFLA_BRPORT_PROXYARP · f6e615de
      Nikolay Aleksandrov authored
      Add support to be able to view and change IFLA_BRPORT_PROXYARP port
      attribute.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      f6e615de
    • Nikolay Aleksandrov's avatar
      iplink: bridge_slave: export read-only values · 3069539f
      Nikolay Aleksandrov authored
      Export all the read-only values that get returned about a bridge port
      such as the timers, the ids, designated_port and cost,
      topology_change_ack and config_pending. For the bridge ids the
      br_dump_bridge_id function is exported from iplink_bridge.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      3069539f
    • Nicolas Cavallari's avatar
      netns: Fix an off-by-one strcpy() in netns_map_add(). · a1b4a274
      Nicolas Cavallari authored
      netns_map_add() does a malloc of (sizeof (struct nsid_cache) +
      strlen(name)) and then proceed with strcpy() of name into the
      zero-length member at the end of the nsid_cache structure.  The
      nul-terminator is written outside of the allocated memory and may
      overwrite the allocator's internal structure.
      
      This can trigger a segmentation fault on i386 uclibc with names of size 8:
      after the corruption occurs, the call to closedir() on netns_map_init()
      crashes while freeing the DIR structure.
      
      Here is the relevant valgrind output:
      
      ==1251== Memcheck, a memory error detector
      ==1251== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
      ==1251== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright
      info
      ==1251== Command: ./ip netns
      ==1251==
      ==1251== Invalid write of size 1
      ==1251==    at 0x4011975: strcpy (in
      /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==1251==    by 0x8058B00: netns_map_add (ipnetns.c:181)
      ==1251==    by 0x8058E2A: netns_map_init (ipnetns.c:226)
      ==1251==    by 0x8058E79: do_netns (ipnetns.c:776)
      ==1251==    by 0x804D9FF: do_cmd (ip.c:110)
      ==1251==    by 0x804D814: main (ip.c:300)
      a1b4a274
  2. 09 Feb, 2016 24 commits
  3. 07 Feb, 2016 5 commits
    • Roopa Prabhu's avatar
      bridge: support for static fdb entries · a1987cd1
      Roopa Prabhu authored
      There is no intuitive option to add static fdb entries today.
      'temp' seems to have a side effect of adding
      'static' fdb entries. But the name and intent
      of 'temp' does not say anything about it being static.
      
      example:
      bridge fdb add operates as follows:
      
      $bridge fdb add 00:01:02:03:04:05 dev eth0 master
      $bridge fdb add 00:01:02:03:04:06 dev eth0 master temp
      $bridge fdb add 00:01:02:03:04:07 dev eth0 master local
      
      $bridge fdb show
      00:01:02:03:04:05 dev eth0 permanent
      00:01:02:03:04:06 dev eth0 static
      00:01:02:03:04:07 dev eth0 permanent
      00:01:02:03:04:08 dev eth0 <<== dynamic, ageable learned mac
      
      This patch adds a new bridge fdb type 'static' which
      makes sure NUD_NOARP and NUD_REACHABLE is set for static
      entries. This effectively is nothing but what 'temp'
      does today. But the name 'temp' is misleading.
      
      After the patch:
      $bridge fdb add 00:01:02:03:04:06 dev eth0 master static
      
      $bridge fdb show
      00:01:02:03:04:06 dev eth0 static
      
      'temp' could ideally be a dynamic mac that can age (ie just
      NUD_REACHABLE). But, 'temp' sets 'NUD_NOARP' and 'NUD_REACHABLE'.
      Too late to change 'temp' now. But, we are thinking of introduing a
      'dynamic' keyword after this patch that only sets NUD_REACHABLE.
      Signed-off-by: default avatarWilson Kok <wkok@cumulusnetworks.com>
      Signed-off-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      a1987cd1
    • Daniel Borkmann's avatar
      tc, bpf: use bind/type macros from gelf · 5230a2ed
      Daniel Borkmann authored
      Don't reimplement them and rather use the macros from the gelf header,
      that is, GELF_ST_BIND()/GELF_ST_TYPE().
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      5230a2ed
    • Daniel Borkmann's avatar
      tc, bpf: give some more hints wrt false relos · a576c6b9
      Daniel Borkmann authored
      Provide some more hints to the user/developer when relos have been found
      that don't point to ld64 imm instruction. Ran couple of times into relos
      generated by clang [1], where the compiler tried to uninline inlined
      functions with eBPF and emitted BPF_JMP | BPF_CALL opcodes. If this seems
      the case, give a hint that the user should do a work-around to use
      always_inline annotation.
      
        [1] https://llvm.org/bugs/show_bug.cgi?id=26243#c3Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      a576c6b9
    • Daniel Borkmann's avatar
      tc, bpf: improve verifier logging · f31645d1
      Daniel Borkmann authored
      With a bit larger, branchy eBPF programs f.e. already ~BPF_MAXINSNS/7 in
      size, it happens rather quickly that bpf(2) rejects also valid programs
      when only the verifier log buffer size we have in tc is too small.
      
      Change that, so by default we don't do any logging, and only in error
      case we retry with logging enabled. If we should fail providing a
      reasonable dump of the verifier analysis, retry few times with a larger
      log buffer so that we can at least give the user a chance to debug the
      program.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      f31645d1
    • Daniel Borkmann's avatar
      tc, bpf, examples: further bpf_api improvements · 92a36995
      Daniel Borkmann authored
      Add a couple of improvements to tc's BPF api, that facilitate program
      development.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      92a36995
  4. 05 Feb, 2016 3 commits
  5. 02 Feb, 2016 4 commits
  6. 18 Jan, 2016 1 commit
    • Lorenzo Colitti's avatar
      ss: support closing inet sockets via SOCK_DESTROY. · fb2594c1
      Lorenzo Colitti authored
      This patch adds a -K / --kill option to ss that attempts to
      forcibly close matching sockets using SOCK_DESTROY.
      
      Because ss typically prints sockets instead of acting on them,
      and because the kernel only supports forcibly closing some types
      of sockets, the output of -K is as follows:
      
      - If closing the socket succeeds, the socket is printed.
      - If the kernel does not support forcibly closing this type of
        socket (e.g., if it's a UDP socket, or a TIME_WAIT socket),
        the socket is silently skipped.
      - If an error occurs (e.g., permission denied), the error is
        reported and ss exits.
      Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
      fb2594c1