This patch implements both tc and filter chains.
We also need to align tc filter delition implementation
with iprote2 to delete filters withichain by passing
additional bits during filter deletion call.
This patch adds support for tc police action. And codes of fw filter
have been refactored with the police action for reducing redundant
codes.
Signed-off-by: Wu Zongyong <wuzongyong@linux.alibaba.com>
Add a function FilterReplace, which mirrors the behaviour of
QdiscReplace, etc. This makes it possible to swap out filters
with a single netlink message.
Encountered this in a local test. It turns out that in parseActions
mirred has a bug where it parses the action attributes but then on the
very next line overwrites this hard work by assigning an empty
ActionAttrs struct on top. I copy pasta'd this into connmark. Fix both
instances and amend the unit tests to catch this going forward.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
This patch adds "Hash" attribute that represents the ID of the hash
table with which the filter is associated to U32 struct. If the hash
table is not created yet, a new hash table is created with the
specified ID.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds "Divisor" attribute that represents the divisor of the
hash table buckets to U32 struct.
With "Divisor" attribute, only a hash table without its associated
filters can be created. This new capability allows users to construct
the more flexible filter configurations with the hash table that has
the divisor greater than 1, for instance.
Although a hash table is created through the same interfaces as the
filters, it cannot be listed or deleted though the same interfaces as
the filters at this moment. Only real filters can be listed with
FilterList and deleted with FilterDel.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
Fix the following two issues reported by go vet:
bridge_linux_test.go:41: possible formatting directive in Fatal call
filter_test.go:204: possible formatting directive in Fatal call
by using Fatalf instead of Fatal when using formatting directives.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This patch fixes the bug of U32 filters which byte orders are not
appropriately updated based on the endianess of the host. Golang's
range returns copied values instead of their references when it
iterates through a map and the indices should be used to access the
specific value of the map by reference.
This patch also fixes the bug of netlink.FilterAdd that breaks the user
facing model changing the type of cSel, the copied TcU32Sel, from its
pointer to the struct. Previously the pointer is copied and therefore
the data that is given by the users is modified if the endiannesses of
the fields in it need to be changed.
To validate these changes, I added the validation that the user facing
model is identical before and after netlink.FilterAdd. In addition to
that, the fix for the reference bug enables the endianness validations
in the same test case.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds the advanced u32 match feature support with the
selection keys. It enables the users to crate a complex filter as follow
for instance:
$ tc filter add dev eth0 parent 1: prio 1 u32 match ip dport 80 0xff \
match u32 0x146ca 0xffff at 32 flowid 1:46cb
To expose TcU32Sel and TcU32Key defined in nl package, this patch copies
them to filte.go and their values that require Big-endianness are
handled appropriately in FilterAdd function in filter_linux.go.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds a new switch case that handles the class ID attribute of
the U32 filter data listed by FilterList. Without this case block the
class ID of the U32 filter is always set to zero. The new test
conditions are added to TestFilterAddDel and TestFilterU32BpfAddDel in
filter_test.go as well.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
The go get command and make both fail when executed on
non-linux platforms. Modified it so that there are no
compilation errors when developing in such an
environment.
* Add netlink definitions for extra IFLAs
The relevant IFLA_* are defined in the kernel but not in the syscall
package.
* Parameterize the return value of loadSimpleBpf
Allow the return value of the bpf program created by loadSimpleBpf to
be specified by the caller. Before this, the value was hardcoded to 1.
* Add support for a new IFLA that enables using a bpf program as a
filter early in the driver path of some NICs.
* Add a test for set/get of an xdp program. Since currently, the XDP
IFLA is optional, check that the hardware supports it before trying to
set the field.
Signed-off-by: Brenden Blanco <bblanco@plumgrid.com>
New in kernel 4.5 is a type of qdisc for lightweight (no qdisc lock)
ingress/egress parsing, called clsact. Add support for such a qdisc
type.
One primary consumer of clsact is the bpf filter, add support for that
as well.
Current U32 filter only supports redirect action, but the U32 can
support a lot more. Refactor a bit the action generating/parsing logic
to be more generic and add BPF action support.
When creating a U32 filter, one can supply an array of Actions, which
will be executed by the U32 filter in order:
* The new MirredAction implements the same functionality as RedirIndex
field in the U32 filter, with that static field kept in the struct for
backwards compatibility.
* A new BpfAction type is added which allows a program with an open bpf
file descriptor (implementation is out of scope of this patch) to be
added as well.
Add a test for the above use case which includes one of each type of
action.
Kevin Sheldrake
liuhao.0912
tc
Ivan Kolodyazhny
chengzhycn
Nicholas Hollett
Vishvananda Abrams
Wu Zongyong
tanbangcheng
Zhiyuan Hou
Lorenz Bauer
Krister Johansen
Taku Fukushima
Sargun Dhillon
yandd
Alessandro Boch
Ian Bishop
Tobias Klauser
Aithal
Brenden Blanco
Brenden Blanco
chantra