Add support of XFRMA_SA_EXTRA_FLAGS attribute of XFRM State interface.
The attribute is a 32-bit flag and currently two flags
(XFRM_SA_XFLAG_DONT_ENCAP_DSCP and XFRM_SA_XFLAG_OSEQ_MAY_WRAP) are
defined. Two boolean flags added to the XfrmState struct correspond
to those flags. The naming of the flags is taken from iproute2's options
(extra-flag dont-encap-dscp | oseq-may-wrap).
Add support for the new IFLA_GRO_MAX_SIZE attribute which is needed to
enable BIG TCP[1] properly. Define the attribute in the local link
attributes (nl/link_linux.go) because it isn't yet present in Go's
x/sys/unix package. Also add a test for it.
[1] https://patchwork.kernel.org/project/netdevbpf/cover/20220513183408.686447-1-eric.dumazet@gmail.com/
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Adding an xfrmi link with if_id 0 results in EINVAL being returned, see
[1]. Adjust TestLinkAddDelXfrmiNoId accordingly to expect an error.
[1] 8efd0d9c31/net/xfrm/xfrm_interface.c (L645-L648)
Fixes: f7fd7af437 ("Only set IFLA_XFRM_IF_ID if not 0")
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Allows the ability to set NETLINK_GET_STRICT_CHK socket option on netlink handles.
This can be used to avoid missing routes due to a kernel bug[1]. The
choice to make this a toggle is because not all operations use the
correctly formatted message and so some will fail. The scope of
determining which calls use the wrong message format is an unknown
amount of work at this time so we give the consumer of the library a
toggle they can use when needed.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=885b8b4dbba5ca6114db0fcd0737fe2512650745
Otherwise addrSubscribeAt()'s goroutine will block in s.Receive()
and potentially call callbacks long after the done channel has
been closed by the caller.
Signed-off-by: Dan Williams <dcbw@redhat.com>
This patch makes two changes:
- setsockopt NETLINK_EXT_ACK, if EnableErrorMessageReporting is
configured. (defaults to false for compatibility with existing code)
- NetlinkRequest.Execute is modified to parse the nlmsgerr attributes
if they are present on the response message.
- After this patch, when the request results in NLMSG_ERROR and the
response contains a netlink error message (NLMSGERR_ATTR_MSG),
NetlinkRequest.Execute will return an error with the message that
wraps syscall.Errno.
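The extended-ACK parsing described in the commit message above can be sketched as follows. This is an added example, not code from the netlink library: the helper name `ParseNlmsgerr` and the sample payload are constructed for illustration, the constants are copied from linux/netlink.h, and a little-endian host is assumed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"syscall"
)
const (
	nlmFCapped  = 0x100 // NLM_F_CAPPED: request payload was not echoed back
	nlmFAckTLVs = 0x200 // NLM_F_ACK_TLVS: extended ACK attributes follow
	attrMsg     = 1     // NLMSGERR_ATTR_MSG
	hdrLen      = 16    // sizeof(struct nlmsghdr)
)
// Constructed sample: error=-22, 16-byte request header, NLMSGERR_ATTR_MSG "bad id".
var sample = append([]byte{0xea, 0xff, 0xff, 0xff, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
	11, 0, 1, 0, 'b', 'a', 'd', ' ', 'i', 'd', 0, 0)

// ParseNlmsgerr (hypothetical helper) decodes an NLMSG_ERROR payload; flags are its nlmsg_flags.
func ParseNlmsgerr(flags uint16, p []byte) error {
	le := binary.LittleEndian // assumption: little-endian host
	if len(p) < 4+hdrLen {
		return fmt.Errorf("truncated nlmsgerr: %d bytes", len(p))
	}
	code := int32(le.Uint32(p))
	if code == 0 {
		return nil // plain ACK
	}
	errno := syscall.Errno(-code) // the kernel stores a negative errno
	off := 4 + hdrLen
	if flags&nlmFCapped == 0 { // request payload was echoed back: skip it
		off = 4 + (int(le.Uint32(p[4:]))+3)&^3
	}
	if flags&nlmFAckTLVs == 0 || off < 4+hdrLen {
		return errno
	}
	for off+4 <= len(p) {
		alen, atype := int(le.Uint16(p[off:])), le.Uint16(p[off+2:])&0x3fff
		if alen < 4 || off+alen > len(p) {
			break // malformed attribute: fall back to the bare errno
		}
		if atype == attrMsg {
			return fmt.Errorf("%w: %s", errno, bytes.TrimRight(p[off+4:off+alen], "\x00"))
		}
		off += (alen + 3) &^ 3
	}
	return errno
}
func main() { fmt.Println(ParseNlmsgerr(nlmFCapped|nlmFAckTLVs, sample)) }
```

Because the message is attached with `%w`, callers that already compare against `syscall.Errno` values through `errors.Is` keep working when the kernel text is present.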
A value of 0 for IFLA_XFRM_IF_ID is not valid and will be rejected by
the kernel by returning EINVAL, see [1]. Thus, only set the
IFLA_XFRM_IF_ID attribute in case Xfrmi.Ifid != 0.
[1] 8efd0d9c31/net/xfrm/xfrm_interface.c (L645-L648)
A value of 0 for XFRMA_IF_ID is not valid and will be rejected as of
Linux kernel commit torvalds/linux@68ac0f3810 ("xfrm: state and policy
should fail if XFRMA_IF_ID 0"), which will return EINVAL when setting
XFRMA_IF_ID = 0. Thus, only set the XFRMA_IF_ID attribute in case
XfrmState.Ifid or XfrmPolicy.Ifid are != 0.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This patch adds support for the tc police action. The code of the fw
filter has been refactored along with the police action to reduce
redundant code.
Signed-off-by: Wu Zongyong <wuzongyong@linux.alibaba.com>
When LinkModify was merged in [1], a function
that exports it outside of pkgHandle was never
added, as is available for LinkAdd, LinkDel, etc.
Update testing to use exported LinkModify that
itself calls the pkgHandle.LinkModify function.
[1] https://github.com/vishvananda/netlink/pull/541
The condition to demand a lladdress for neigh.Flags != NTF_PROXY is just
buggy, since there are various other flags such as NTF_USE, NTF_EXT_MANAGED,
etc where this is not required. Besides, the kernel handles this internally
anyway if it demands a NDA_LLADDR attribute. Simply get rid of the NTF_PROXY
flag/condition since it's wrong.
Fixes: d710fbade4 ("Add proxy support to the neighbor functions (#149)")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
This allows setting the NTF_EXT_MANAGED neighbor flag for managed neighbor
entries as per kernel commit 7482e3841d52 ("net, neigh: Add NTF_MANAGED
flag for managed neighbor entries"). The flag then indicates to the
kernel that the neighbor entry should be periodically probed for keeping
the entry in NUD_REACHABLE state iff possible.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>