This patch implements both tc and filter chains.
We also need to align tc filter deletion implementation
with iproute2 to delete filters within chain by passing
additional bits during filter deletion call.

- changes:
  1. set userTmpl.Family to correct family
  2. add Selector to XfrmState which corresponds to XfrmUsersaInfo.Sel
- update *XfrmAddress.ToIPNet method to support 0.0.0.0/0 and ::/0 correctly
- update xfrmStateFromXfrmUsersaInfo to get XfrmState.Selector
- extend TestXfrmStateAddGetDel for v6ov4 and v4ov6 cases

This PR adds support for filtering flows
based on conntrack labels. It adds two
filters `ConntrackMatchLabels` &&
`ConntrackUnmatchLabels` through which the user can
provide a list of labels as type "bytes" which
will then be compared to flow.Labels to see if
any matches were found.

ConntrackMatchLabels: Every label passed should
be contained in flow.Labels for a match to be true

ConntrackUnmatchLabels: Every label passed should
not be contained in the flow.Labels for a match to
be true
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
Use the constants provided in the golang.org/x/sys/unix package instead
of locally defining them, as done in commit c94808a88b ("link: add
support for IFLA_GRO_MAX_SIZE").
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
GRE L3 devices support "FlowBased" ("collect_md"/"external") mode.
Add support for this configuration and relevant test.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
IFLA_GRE_COLLECT_METADATA is a "flag" netlink attribute. As such it should
not be sent with a data payload.
Fix gretap link to send this flag correctly and re-enable tests.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
RouteListFiltered constructs an RtMsg with default options and lists
routes. Only routes matching these default options are returned from the
kernel when STRICT_CHECK is enabled. The kernel will return all routes only
when an option is set to the zero value. This patch sets the zero value
by default, overwriting when specified by the consumer.
Return a full created nl.RtNexthop ptr to avoid the
"converted pointer straddles multiple allocations".
UT by fasaxc.
Co-authored-by: fasaxc
Signed-off-by: Javier Garcia <javier.martin.garcia@ibm.com>
Add two attributes to fq: Horizon and HorizonDrop (which correspond to the
TCA_FQ_HORIZON and TCA_FQ_HORIZON_DROP attributes). The HorizonDrop attribute
specifies which policy to apply: drop (1, kernel default), cap delivery time to
horizon (0), and the Horizon attribute specifies the number of useconds before
applying the policy.
Add a new test TestFqHorizon to test the changes and as an example of usage.
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Add two new methods to allow setting GSO and GRO max size attributes only.
They make it much easier to enable BIG TCP[1].
The equivalent iproute2 commands are:

    $ ip link set $link gso_max_size $maxSize
    $ ip link set $link gro_max_size $maxSize

Also add tests for them.
[1] https://patchwork.kernel.org/project/netdevbpf/cover/20220513183408.686447-1-eric.dumazet@gmail.com/
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Add support of XFRMA_SA_EXTRA_FLAGS attribute of XFRM State interface.
The attribute is a 32bit flag and currently two flags
(XFRM_SA_XFLAG_DONT_ENCAP_DSCP and XFRM_SA_XFLAG_OSEQ_MAY_WRAP) are
defined. Two boolean flags added to XfrmState struct correspond
to those flags. Naming of the flags is taken from iproute2's options
(extra-flag dont-encap-dscp | oseq-may-wrap).
Add support for the new IFLA_GRO_MAX_SIZE attribute which is needed to
enable BIG TCP[1] properly. Define the attribute in the local link
attributes (nl/link_linux.go) because it isn't yet present in Go's
x/sys/unix package. Also add a test for it.
[1] https://patchwork.kernel.org/project/netdevbpf/cover/20220513183408.686447-1-eric.dumazet@gmail.com/
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Adding an xfrmi link with if_id 0 results in EINVAL being returned, see
[1]. Adjust TestLinkAddDelXfrmiNoId accordingly to expect an error.
[1] 8efd0d9c31/net/xfrm/xfrm_interface.c (L645-L648)
Fixes: f7fd7af437 ("Only set IFLA_XFRM_IF_ID if not 0")
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Allows the ability to set NETLINK_GET_STRICT_CHK socket option on netlink handles.
This can be used to avoid missing routes due to a kernel bug[1]. The
choice to make this a toggle is because not all operations use the
correctly formatted message and so some will fail. The scope of
determining which calls use the wrong message format is an unknown
amount of work at this time so we give the consumer of the library a
toggle they can use when needed.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=885b8b4dbba5ca6114db0fcd0737fe2512650745
Otherwise addrSubscribeAt()'s goroutine will block in s.Receive()
and potentially call callbacks long after the done channel has
been closed by the caller.
Signed-off-by: Dan Williams <dcbw@redhat.com>
This patch makes two changes:

- setsockopt NETLINK_EXT_ACK, if EnableErrorMessageReporting is
  configured. (defaults to false for compatibility with existing code)
- NetlinkRequest.Execute is modified to parse the nlmsgerr attributes
  if they are present on the response message.
- After this patch, when the request results in NLMSG_ERROR and the
  response contains a netlink error message (NLMSGERR_ATTR_MSG),
  NetlinkRequest.Execute will return an error with the message that
  wraps syscall.Errno.
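
The NLMSG_ERROR handling described in the commit message above, as an added Go example that is not the library's own code: it reads the errno, skips the echoed request (header only when NLM_F_CAPPED is set, even though the echoed nlmsg_len still holds the request's full length), and wraps the errno with the NLMSGERR_ATTR_MSG text. The function name, the little-endian byte order and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
	"syscall"
)

const nlmFCapped, nlmFAckTLVs = 0x100, 0x200 // NLM_F_CAPPED, NLM_F_ACK_TLVS
const attrMsg, hdrLen = 1, 16                // NLMSGERR_ATTR_MSG, sizeof(struct nlmsghdr)

// sample is a constructed NLMSG_ERROR payload (little-endian): errno -EINVAL,
// the capped echo of a 32-byte request, then one NLMSGERR_ATTR_MSG attribute.
var sample = append([]byte{0xea, 0xff, 0xff, 0xff, 32, 0, 0, 0, 16, 0, 5, 0,
	1, 0, 0, 0, 0, 0, 0, 0, 17, 0, 1, 0}, "example text\x00\x00\x00\x00"...)

// parseNlmsgErr decodes an NLMSG_ERROR payload; flags is that message's nlmsg_flags.
func parseNlmsgErr(flags uint16, p []byte) error {
	le := binary.LittleEndian // assumption: little-endian host
	if len(p) < 4+hdrLen {
		return fmt.Errorf("truncated nlmsgerr: %d bytes", len(p))
	}
	errno := int32(le.Uint32(p[0:4]))
	if errno == 0 {
		return nil // plain ACK
	}
	err := error(syscall.Errno(-errno))
	skip := 4 + hdrLen // capped: only the request header is echoed
	if flags&nlmFCapped == 0 {
		skip = 4 + (int(le.Uint32(p[4:8]))+3)&^3 // whole request is echoed
	}
	if flags&nlmFAckTLVs == 0 || skip < 4+hdrLen || skip > len(p) {
		return err // no extended ACK attributes to read
	}
	for off := skip; off+4 <= len(p); {
		alen := int(le.Uint16(p[off:]))
		if alen < 4 || off+alen > len(p) {
			break // malformed attribute: keep the bare errno
		}
		if le.Uint16(p[off+2:]) == attrMsg {
			text := strings.TrimRight(string(p[off+4:off+alen]), "\x00")
			return fmt.Errorf("%w: %s", err, text)
		}
		off += (alen + 3) &^ 3
	}
	return err
}

func main() { fmt.Println(parseNlmsgErr(nlmFCapped|nlmFAckTLVs, sample)) }
```

Because the errno is wrapped with %w, callers that test errors.Is(err, syscall.EINVAL) keep working once the message text is attached.
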
A value of 0 for IFLA_XFRM_IF_ID is not valid and will be rejected by
the kernel by returning EINVAL, see [1]. Thus, only set the
IFLA_XFRM_IF_ID attribute in case Xfrmi.Ifid != 0.
[1] 8efd0d9c31/net/xfrm/xfrm_interface.c (L645-L648)
A value of 0 for XFRMA_IF_ID is not valid and will be rejected as of
Linux kernel commit torvalds/linux@68ac0f3810 ("xfrm: state and policy
should fail if XFRMA_IF_ID 0"), which will return EINVAL when setting
XFRMA_IF_ID = 0. Thus, only set the XFRMA_IF_ID attribute in case
XfrmState.Ifid or XfrmPolicy.Ifid are != 0.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>