- 24 Nov, 2015 1 commit
-
-
Daniel Borkmann authored
This larger work addresses one of the bigger remaining issues on tc's eBPF frontend, that is, to allow for persistent file descriptors. Whenever tc parses the ELF object, extracts and loads maps into the kernel, these file descriptors will be out of reach after the tc instance exits.

Meaning, for simple (unnested) programs which contain one or multiple maps, the kernel holds a reference, and they will live on inside the kernel until the program holding them is unloaded, but they will be out of reach for user space, even worse with (also multiple nested) tail calls.

For this issue, we introduced the concept of an agent that can receive the set of file descriptors from the tc instance creating them, in order to be able to further inspect/update map data for a specific use case. However, while that is more tied towards specific applications, it still doesn't easily allow for sharing maps across multiple tc instances and would require a daemon to be running in the background. F.e. when a map should be shared by two eBPF programs, one attached to ingress, one to egress, this currently doesn't work with the tc frontend.

This work solves exactly that, i.e. if requested, maps can now be _arbitrarily_ shared between object files (PIN_GLOBAL_NS) or within a single object (but various program sections, PIN_OBJECT_NS) without "losing" the file descriptor set. To make that happen, we use eBPF object pinning introduced in kernel commit b2197755b263 ("bpf: add support for persistent maps/progs") for exactly this purpose.

The shipped examples/bpf/bpf_shared.c code from this patch can be easily applied, for instance, as:

  - classifier-classifier shared:

      tc filter add dev foo parent 1: bpf obj shared.o sec egress
      tc filter add dev foo parent ffff: bpf obj shared.o sec ingress

  - classifier-action shared (here: late binding to a dummy classifier):

      tc actions add action bpf obj shared.o sec egress pass index 42
      tc filter add dev foo parent ffff: bpf obj shared.o sec ingress
      tc filter add dev foo parent 1: bpf bytecode '1,6 0 0 4294967295,' \
         action bpf index 42

The toy example increments a shared counter on egress and dumps its value on ingress (if no sharing (PIN_NONE) would have been chosen, map value is 0, of course, due to the two map instances being created):

  [...]
  <idle>-0 [002] ..s. 38264.788234: : map val: 4
  <idle>-0 [002] ..s. 38264.788919: : map val: 4
  <idle>-0 [002] ..s. 38264.789599: : map val: 5
  [...]

... thus if both sections reference the pinned map(s) in question, tc will take care of fetching the appropriate file descriptor.

The patch has been tested extensively on both classifier and action sides.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
- 23 Nov, 2015 23 commits
-
-
Neil Horman authored
I found recently that, if I disabled address promotion in the kernel, that ip addr flush dev <dev> would fail with an EADDRNOTAVAIL errno (though the flush operation would in fact flush all addresses from an interface properly).

What's happening is that, if I add a primary and multiple secondary addresses to an interface, the flush operation first enumerates them all with a GETADDR | DUMP operation, then sends a delete request for each address. But the kernel, having promotion disabled, deletes all secondary addresses when the primary is removed. That means that several delete requests may still be pending in the netlink request for addresses that have been removed on our behalf, resulting in EADDRNOTAVAIL return codes.

It seems the simplest thing to do is to understand that EADDRUNAVAIL isn't a fatal outcome on a flush operation, as it just indicates that an address which you want to remove is already removed, so it can safely be ignored.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Stephen Hemminger <stephen@networkplumber.org>
CC: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
-
Phil Sutter authored
Despite commit 45a82e5 ("iproute vxlan add support for fdb replace command"), the 'fdb replace' command was not mentioned in bridge.8. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
The algorithm depends on the loop counter ('i') to increment by one in each iteration. Though if running endlessly (count==0), the counter was not incremented at all.

Also change formatting of the header printing conditional a bit so it's hopefully easier to read.

Fixes: e7e2913f ("lnstat: run indefinitely by default")
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Stephen Hemminger authored
Post merge window changes
-
Phil Sutter authored
  - Drop 'extern' keyword from all function prototypes.
  - Make line breaking of print_* functions consistent.
  - Make print_ntable() and ipntable_reset_filter() static and remove their declaration.
  - Drop declaration of non-existent ipaddr_list() and iproute_monitor().

Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Stephen Hemminger authored
-
Stephen Hemminger authored
Remove extraneous whitespace
-
Ville Skyttä authored
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
-
Ville Skyttä authored
Fix syntax issues and warnings highlighted by `man --warnings=w' from man-db 2.7.1. Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
-
Phil Sutter authored
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Since p->name is only IFNAMSIZ bytes, do not copy more than IFNAMSIZ - 1 bytes into it so there remains at least a single null byte in the end. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Instead of parsing an unsigned integer and checking boundaries, simply parse u8. This and the added ttl alias 'hlim' provide consistency with ip6tunnel. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
This makes output consistent with iptunnel, also supporting reverse DNS lookup for remote address if requested. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
In iptunnel, declare loop variables inside the loop as done in ip6tunnel.

Fix and simplify goto logic in ip6tunnel:

  - Failure to read over header lines would have left fp opened.
  - By returning directly upon fopen() failure, fp can be closed unconditionally in the end.

Use the same goto logic in iptunnel, as well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Although the cache is only initialized in do_show(), this way it is at least consistent with ip6tunnel. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Make ip6tunnel print an error message as well. While there, get rid of unnecessary line breaking. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Instead of duplicating the same code six times (key, ikey and okey in iptunnel and ip6tunnel), have a common parsing routine. This has the added benefit of having the same verbose error message in ip6tunnel as well as iptunnel.

I'm not sure if parsing an IPv4 address as key makes sense for ip6tunnel, but the code was there before so this patch at least doesn't make it worse.

Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Put whitespace in the beginning of optional parts, not as suffix anywhere. Also drop double whitespaces in between words. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Aaro Koskinen authored
Use PKG_CONFIG from Config - it works better when cross-compiling. Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
-
- 04 Nov, 2015 8 commits
-
-
Stephen Hemminger authored
-
Stephen Hemminger authored
-
Stephen Hemminger authored
-
Phil Sutter authored
Instead of statically complaining about illegal inet address, use get_family() to get the address family right. Based on a patch by Hangbin Liu to print "inet6" for AF_INET6 made more generic by me. Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
-
Phil Sutter authored
-
Phil Sutter authored
-
Phil Sutter authored
-
- 23 Oct, 2015 8 commits
-
-
Stephen Hemminger authored
-
Stephen Hemminger authored
-
Stephen Hemminger authored
No blank lines at end of file
-
Stephen Hemminger authored
No blank lines at EOF, or trailing whitespace.
-
Stephen Hemminger authored
Shouldn't have extra blank lines.
-
Phil Sutter authored
Cc: Thomas Graf <tgraf@suug.ch>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Werner Almesberger <werner@almesberger.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Phil Sutter <phil@nwl.cc>
-
Phil Sutter authored
Cc: Werner Almesberger <werner@almesberger.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
-