Age | Commit message (Collapse) | Author |
|
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
For both options the values can just be passed to the kernel. All
unsigned values are accepted, thus no range checking required.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
|
|
adds the folloing missing options:
- learning
- rsc
- proxy
- l2miss
- l3miss
- gbp
See ip-link(3) for their meaning.
still missing:
- external
- gpe
I'm not sure how to handle them at the moment. It's unclear to me what
IFLA_VXLAN_* value corresponds to the 'external' option and according to
the manpage, gpe depends on it.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
|
|
Add a small function to handle boolean options and make use of it to handle:
- rxcsum
- txcsum
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
|
|
This adds adds the ability to set the source port range for vxlan
interfaces.
By default vxlans will use a random port within the ephermal range as
source ports for packets. This is done to aid scaleability within a
datacenter.
But with these defaults it's impossible to punch through NATs or
traverese most stateful firewalls easily. One solution is to fix the
srcport to the same as dstport.
If only srcportmin is specified, then srcportmax is set in a way that
outgoing packets will only use srcportmin.
If a range is to be specified, srcportmin and srcportmax have to be
specified. srcportmax is exclusive.
If only srcportmax is specified, the value is ignored and defaults are
used.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
|
|
Add a rtnl helper for adding vlans to a bridge interface.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
If we want a bridge to be vlan aware we need to be able to turn on
filtering.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
After an interface has been renamed on a "fast" device (for example
x86_64), the interface is sometimes not handled correctly by netifd.
Looking in the logs, I see the following messages when renaming fails:
Wed Mar 11 08:52:44 2020 kern.info kernel: [68383.522038] igb 0000:03:00.0 nlw_1: renamed from eth2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: __device_add_user(710): Add user for device 'nlw_1', refcount=2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(413): Claim Network device nlw_1, new active count: 2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(432): claim Network device nlw_1 failed: -1
Instrumenting netifd further reveals that there is a race between the hotplug
"@move" event and ioctl(SIOCGIFINDEX). When the above error happens, the
ioctl-call fails with ENODEV. Looking closer at the kernel code, it seems the
hotplug-event is triggered before the renaming is completed. The easiest way to
trigger the race, is if an interface name with the old name is not handled by
netifd and an interface with the new name is. If only the old name is handled,
or both names, I was not able to provoke the race.
When the renaming is complete, a NEWLINK-message is generated. This patch
modifies the logic surrounding renaming, so that we wait for the
NEWLINK-message before marking an interface as present. The changes made are:
* We only handle move-events for interfaces we know, and we return after
device has been set as not present.
* When we receive a NEWLINK message for an interface managed by netifd,
we call device_set_present. device_set_present is guarded by the same
checks as the add hotplug-event.
After these changes, renaming works properly on both "fast" and "slow"
devices. Removing a device is also handled correctly.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
It allows setting mappings for instance this way:
"""
config device
option name 'vlan41'
option type '8021q'
option vid '41'
option ifname 'eth1'
list ingress_qos_mapping '1:2'
list ingress_qos_mapping '2:5'
list egress_qos_mapping '0:3'
"""
Signed-off-by: Pau Espin Pedrol <pespin.shar@gmail.com>
Tested-by: Pedro <pedrowrt@cas.cat>
|
|
Use struct device pointer as parameter instead of bare ifname allows
for some simplication and again removing system_ifname_resolve()
function introduced in commit d93126d.
Fixes: d93126d ("interface: allow renaming interface when moving to jail netns")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
Introduce jail_ifname option to define the name of a Linux network
interface when moved into a jail's network namespace.
This is useful for containers which expect the network interface to
have a specific name (eg. 'host0' in case of systemd).
While at it, clean-up and fix bugs in jail interface up/down routines.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
Issue was introduced in commit 1321c1bd8fe921986c4eb39c3783ddd827b79543.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
Switched to the plain function instead of the now gone syscall.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
|
Prepare netifd for handling procd service jails having their own
network namespace.
Intefaces having the jail attribute will only be brought inside the
jail's network namespace by procd calling the newly introduced ubus
method 'netns_updown'.
Currently proto 'static' is supported and configuration changes are
not yet being handled (ie. you'll have to restart the jailed service
for changes to take effect).
Example /etc/config/network snippet:
config device 'veth0'
option type 'veth'
option name 'vhost0'
option peer_name 'virt0'
config interface 'virt'
option type 'bridge'
list ifname 'vhost0'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
config interface 'virt0'
option ifname 'virt0'
option proto 'static'
option ipaddr '10.0.0.2'
option netmask '255.255.255.0'
option gateway '10.0.0.1'
option dns '10.0.0.1'
option jail 'transmission'
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
Fix cb leak in case invalid type is specified in system_if_clear_entries
Detected by Coverity in CID1431183
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Fixes CID 1220430, 1432226, 1432807 and 1433508
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
-xfrm interfaces were deleted before
-use standard parameters for xfrm interface created
Signed-off-by: André Valentin <avalentin@marcant.net>
|
|
No need to check if dev is NULL as device is always set when
system_neigh is called
Fixes issue reported by Coverity in CID 1445818
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
This adds support for xfrm interfaces. These interfaces can be used since
linux 4.19 for IPsec traffic, like VTI interface.
XFRM interfaces are less complicated compared to VTI because they need no IP
tunnel endpoints.
|
|
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
The neighbor or neighbor6 network section makes neighbours
configurable via UCI or proto shell handlers. It allows to
install neighbor proxy entries or static neighbor entries
The neighbor or neighbor6 section has the following types:
interface : declares the logical OpenWrt interface
ipaddr : the ip address of the neighbor
mac : the mac address of the neighbor
proxy : specifies whether the neighbor ia a proxy
entry (can be 1 or 0)
router : specifies whether the neighbor is a router
(can be 1 or 0)
Signed-off-by: Alexander Meuris <meurisalexander@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Hotplug events are no longer handled after socket RX queue is
overrun. The issue has been fixed by:
- setting SO_RCVBUF initially to 65535
- doubling SO_RCVBUF value each time RX queue gets overrun
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
Use sysfs to configure the bridge settings stp/forward_delay/priority
ageing_time/hello_time and max_age as the SIOCDEVPRIVATE bridge ioctl
has no compat ioctl support which makes it impossible to set the above
mentioned bridge paramaters if the kernel is compiled in 64 bit mode
and user_space in 32 bit mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Similar as for ip6 tunnels ignore encaplimit by default as not all ISPs
support the destination option header containing the tunnel encapsulation
limit resulting into broken connectivity
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Enable ignore encaplimit by default for ip6 tunnels as not all ISPs support
the destination option header containing the tunnel encapsulation limit
resulting into broken map/ds-lite connectivity.
Setting the ignore encaplimit flag by default is a more sane setting as it
avoids user configuation of the encaplimit uci option for ds-lite/map tunnels
in case of broken connectivity.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Add an #ifdef guard around 56000base* definitions, which don't exist on
Linux 3.18
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Add all available link mode speed definitions as defined in ethtool.h
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
This adds an array that contains the link modes advertised by the other device and also
indicates whether auto negotiation is true or false.
link-partner may or may not be populated depending on hardware, driver and/or settings.
Signed-off-by: Joe Holden <jwh@zorins.co.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Make encapsulation limit of IP6 tunnels configurable for the ds-lite/map
proto shell handlers as not all ISPs support the destination option header
containing the tunnel encapsulation limit value as reported in FS#1501.
The IP6 tunnel specific setting encaplimit is parsed as a nested json
data object; setting it to ignore disables the insertion of the
destination option header while a value from 0 till 255 sets the
tunnel encapsulation limit accordingly in the destination option header.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Fix strncpy bounds as reported by Coverity in CID 1434988, 1328977,
1328953, 1328952, 1328951, 1328950, 1328949 and 1328944.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Detected by Coverity in CID 1433754
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Detected by Coverity in CID 1433760
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Detected by Coverity in CID 1433686
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Detected by Coverity in CID 1430884
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Detected by coverity in CID 1329735
|
|
Detected by coverity in CID 1412449
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
It is overly complex, yet does not cover common scenarios very well.
It will be replaced with a simpler shell script that provides a better
default policy
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
If you rename a network interface, there is a move uevent
invoked instead of remove/add.
This patch adds support for this kind of event.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Parse map-e fmrs parameters IPv6 prefix, IPv4 prefix, ealen and offset
as array elements nested in a data json object.
At the same time remove the now obsolete TUNNEL_ATTR_FMRS tunnel attribute.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
Signed-off-by: John Crispin <john@phrozen.org>
|
|
When -1 is written in /proc/sys/net/ipv4/neigh/<iface>/locktime,
kernel disables ARP trashing protection. A value of 0 does not completely
disable this protection, a second ARP update being discarded if it
is processed during the same jiffie as the first update.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
object
|
|
The kernel expects IFLA_GRE_IKEY and IFLA_GRE_OKEY to be in network byte
order, so convert the values from host byte order.
Fixes ikey/okey on little endian systems.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
cppcheck found printf functions with signed instead of unsigned
formats. Fix those as well as some non-matching function
declarations.
Signed-off by: Rosen Penev <rosenp@gmail.com>
|
|
After applying this patch, policy routing rules can be employed that ignore
parts of a routing table. The following config snippet ignores routing lookups
from the specified main routing table yielding the default route, passing the
lookup process on to the next rule (that might provide a special default route
for marked packets):
config rule
option priority 10
# check main routing table first, but ignore default route result
option lookup main
option suppress_prefixlength 0
config rule
option priority 11
# use special routing table for marked packets
# (unless already consumed by previous rule)
option mark 0xFF
option lookup 100
The result is a ruleset like this (only visible using the full 'ip' binary):
# ip rule
0: from all lookup local
10: from all lookup main suppress_prefixlength 0
11: from all fwmark 0xff lookup 100
32766: from all lookup main
32767: from all lookup default
#
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
|