Thomas Egerer [Fri, 10 Jun 2016 09:57:57 +0000 (11:57 +0200)]
xfrm: attach only one xfrm alg attribute to netlink message
The kernel only uses the xfrm alg auth attribute if the xfrm alg auth
truncated attribute is not present. Hence sending both attributes in one
message does not make sense.
This piece of code also removes the call to nla_reserve in favor of the
NLA_PUT macro.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-June/002139.html
Thomas Egerer [Fri, 10 Jun 2016 09:57:55 +0000 (11:57 +0200)]
xfrm: fix memory leak for encap original address
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-June/002141.html
Thomas Egerer [Fri, 10 Jun 2016 09:57:53 +0000 (11:57 +0200)]
xfrm: fix segfault when using encapsulation templates
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-June/002140.html
Thomas Egerer [Mon, 6 Jun 2016 13:21:35 +0000 (15:21 +0200)]
xfrm: make character pointers in setters const
All of these pointers are either strcpy'd or memcpy'd and usually const
in a calling application. Changing them to const in the header does not
break the compatibility and allows for users with const pointers to use
the library without compiler warnings.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-June/002137.html
Thomas Egerer [Tue, 31 May 2016 15:30:03 +0000 (17:30 +0200)]
xfrm: check length of alg_name before strcpying it
If the parameter alg_name points to a string longer than what libnl
accepts as alg_name, the call to strcpy may write far beyond the
particular data structure.
Instead of truncating the string (using strncpy) this patch adds a check
and returns -1 for strings being longer than 63 bytes.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
Fixes: 917154470895520a77f527343f3a0cc1605934b0
http://lists.infradead.org/pipermail/libnl/2016-May/002133.html
Thomas Egerer [Tue, 31 May 2016 15:29:58 +0000 (17:29 +0200)]
xfrm: fix buffer overflow when copying keys
A colleague of mine came to notice that -- when adding keys to the
xfrm-part of libnl -- memcpy is given newlen, which copies sizeof(struct
xfrmnl_...) plus keysize instead of only the keysize.
This patch uses a keysize parameter to only copy the required number of
bytes.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
Fixes: 917154470895520a77f527343f3a0cc1605934b0
http://lists.infradead.org/pipermail/libnl/2016-May/002132.html
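The two xfrm fixes above (the alg_name length check and the key copy size) are the same class of bug seen from two sides: a fixed-size name copied without a bound, and a variable-length key copied with the size of the whole record instead of the key. The following is an added example, not libnl code. The struct layout, the 64-byte name limit and the function names are stand-ins modeled on the commit messages, not libnl's actual definitions. It shows the checked form of both copies, and a self-test that exercises the 63-character boundary:

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not libnl code. The record layout is a stand-in
 * modeled on the two xfrm fixes above: a fixed-size algorithm name
 * followed by key material allocated together with the header.
 */
#define ALG_NAME_MAX 64	/* 63 characters plus the terminating NUL */

struct alg_auth {
	char alg_name[ALG_NAME_MAX];
	unsigned int key_len;	/* key length in bytes */
	unsigned int trunc_len;	/* ICV truncation length in bits */
	unsigned char key[];	/* exactly key_len bytes follow */
};

/* Name check shared by every setter: reject, do not silently truncate. */
int alg_name_ok(const char *name)
{
	return name != NULL && strlen(name) < ALG_NAME_MAX;
}

/*
 * Allocate and fill one auth algorithm record.
 * Returns NULL on invalid input (oversized name, missing key) or OOM.
 */
struct alg_auth *alg_auth_new(const char *name, const unsigned char *key,
			      unsigned int key_len, unsigned int trunc_len)
{
	struct alg_auth *a;
	size_t newlen;

	if (!alg_name_ok(name) || (key_len && !key))
		return NULL;

	/* Header plus key material in one allocation. */
	newlen = sizeof(*a) + key_len;
	a = calloc(1, newlen);
	if (!a)
		return NULL;

	/* Safe: alg_name_ok() guarantees strlen(name) + 1 <= ALG_NAME_MAX. */
	memcpy(a->alg_name, name, strlen(name) + 1);
	a->key_len = key_len;
	a->trunc_len = trunc_len;

	/*
	 * Copy key_len bytes, not newlen. Passing newlen here (the bug
	 * fixed above) reads sizeof(*a) bytes past the caller's key and
	 * writes the same amount past the end of this allocation.
	 */
	if (key_len)
		memcpy(a->key, key, key_len);
	return a;
}

/* Exercises both limits; returns 1 when every check passes. */
int alg_auth_selftest(void)
{
	char name[ALG_NAME_MAX + 1];
	unsigned char key[20];	/* constructed sample key material */
	struct alg_auth *a;
	int ok;

	memset(key, 0x5a, sizeof(key));
	memset(name, 'a', ALG_NAME_MAX);

	/* 64 characters leave no room for the NUL: must be rejected. */
	name[ALG_NAME_MAX] = '\0';
	if (alg_auth_new(name, key, sizeof(key), 96) != NULL)
		return 0;

	/* 63 characters: the longest accepted name. */
	name[ALG_NAME_MAX - 1] = '\0';
	a = alg_auth_new(name, key, sizeof(key), 96);
	if (!a)
		return 0;
	ok = strcmp(a->alg_name, name) == 0 && a->key_len == sizeof(key) &&
	     memcmp(a->key, key, sizeof(key)) == 0;
	free(a);
	return ok;
}
```

Rejecting rather than truncating (as the commit message chooses) matters because a silently shortened algorithm name would be sent to the kernel as a different, possibly weaker or nonexistent, algorithm; failing loudly at the library boundary keeps the caller's intent and the kernel's view identical.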
lib: return error on Netlink attribute length overflow
Netlink attribute length is defined as u16. It's possible to exceed nla_len when
creating nested attributes. Storing incorrect length due to overflow will cause
a reader to read only a part of nested attribute or skip it entirely.
As a solution cancel the addition of a nested attribute when nla_len size is
exceeded.
Signed-off-by: Przemyslaw Szczerbik <przemek.szczerbik@gmail.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-May/002131.html
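The overflow described above, as an added example that is not libnl code. attr_hdr copies the layout of struct nlattr (a 16-bit length that includes the header, and a 16-bit type); the fixed-size message buffer, the 4-byte alignment helpers and all function names are this example's own. attr_nest_end() refuses to close a nest whose total length no longer fits in 16 bits and truncates the message back to the nest start, which is the "cancel the addition" behaviour the commit message describes. The self-test builds one nest that fits (4020 bytes) and one that does not (70284 bytes, which an unchecked cast would have stored as 4748, so a reader would take the first 4748 bytes as the nest and parse the remaining payload as top-level attributes):

```c
#include <stdint.h>
#include <string.h>

/*
 * Added illustration, not libnl code. attr_hdr mirrors the layout of
 * struct nlattr (16-bit length including the header, 16-bit type); the
 * fixed-size message buffer and the helper names are this example's own.
 */
struct attr_hdr {
	uint16_t len;
	uint16_t type;
};
#define ATTR_ALIGN(n)	(((n) + 3u) & ~3u)
#define ATTR_HDRLEN	((size_t)ATTR_ALIGN(sizeof(struct attr_hdr)))
#define ATTR_F_NESTED	0x8000u
#define MSG_CAP		(96u * 1024u)

struct msgbuf {
	unsigned char data[MSG_CAP];
	size_t len;	/* bytes in use */
};

/* Append one attribute. Header plus payload must fit a 16-bit nla_len. */
int attr_put(struct msgbuf *m, uint16_t type, const void *payload, size_t plen)
{
	size_t total = ATTR_HDRLEN + plen;
	struct attr_hdr h;

	if (total > UINT16_MAX || m->len + ATTR_ALIGN(total) > MSG_CAP)
		return -1;
	h.len = (uint16_t)total;
	h.type = type;
	memcpy(m->data + m->len, &h, sizeof(h));
	if (plen)
		memcpy(m->data + m->len + ATTR_HDRLEN, payload, plen);
	memset(m->data + m->len + total, 0, ATTR_ALIGN(total) - total);
	m->len += ATTR_ALIGN(total);
	return 0;
}

/* Open a nest: write a header with len 0 and return its offset, or -1. */
long attr_nest_start(struct msgbuf *m, uint16_t type)
{
	long off = (long)m->len;
	return attr_put(m, type | ATTR_F_NESTED, NULL, 0) ? -1 : off;
}

/*
 * Close a nest. Its length runs from the nest header to the current end
 * of the message. If that does not fit in 16 bits, cancel the nest
 * (truncate back to where it started) and fail instead of storing the
 * wrapped value, which would make a reader see a short nest.
 */
int attr_nest_end(struct msgbuf *m, long nest_off)
{
	size_t nest_len = m->len - (size_t)nest_off;
	struct attr_hdr h;

	if (nest_len > UINT16_MAX) {
		m->len = (size_t)nest_off;
		return -1;
	}
	memcpy(&h, m->data + nest_off, sizeof(h));
	h.len = (uint16_t)nest_len;
	memcpy(m->data + nest_off, &h, sizeof(h));
	return 0;
}

/* Build one nest of `count` 1000-byte attributes; returns 0 or -1. */
int build_nest(struct msgbuf *m, size_t count)
{
	static const unsigned char payload[1000];	/* constructed sample data */
	long off = attr_nest_start(m, 1);
	size_t i;

	if (off < 0)
		return -1;
	for (i = 0; i < count; i++)
		if (attr_put(m, 2, payload, sizeof(payload))) {
			m->len = (size_t)off;	/* cancel the half-built nest */
			return -1;
		}
	return attr_nest_end(m, off);
}

/* Returns 1 if a 4020-byte nest closes and a 70284-byte nest is refused. */
int nest_selftest(void)
{
	static struct msgbuf m;
	struct attr_hdr h;

	m.len = 0;
	/* 4 + 4 x 1004 = 4020 bytes: fits, nest header gets the real length. */
	if (build_nest(&m, 4) || m.len != 4020)
		return 0;
	memcpy(&h, m.data, sizeof(h));
	if (h.len != 4020 || h.type != (1u | ATTR_F_NESTED))
		return 0;
	/* 4 + 70 x 1004 = 70284 bytes: over 65535, cancelled, length restored. */
	return build_nest(&m, 70) == -1 && m.len == 4020;
}
```

The check belongs in the nest-closing step rather than in each attr_put(): every individual attribute can be well within the limit while their sum is not, and only the code that writes the enclosing length knows the sum.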
Jef Oliver [Mon, 16 May 2016 23:23:23 +0000 (16:23 -0700)]
link: support RTEXT_FILTER_VF
This patch adds RTEXT_FILTER_VF mask support for SRIOV VFs. Since
SRIOV VFs don't have a defined address family (i.e. bridge), there
are no new address family specific operations defined.
Exposing this mask makes rtnl_link_get_num_vfs() properly return
the number of loaded SRIOV VFs.
Signed-off-by: Jef Oliver <jef.oliver@intel.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-May/002115.html
http://lists.infradead.org/pipermail/libnl/2016-May/002123.html
Jonas Johansson [Thu, 28 Apr 2016 14:07:11 +0000 (16:07 +0200)]
neigh: add function to look up neighbour (fdb) by ifindex, mac and vlan
The rtnl_neigh_get() function can not be used to look up an fdb entry in the
neigh cache. This is because the function searches among destination
addresses (NDA_DST) and not among link layer addresses (NDA_LLADDR), which is
used by fdb entries. An fdb entry can also exist in several vlans, so a vlan id
parameter is also needed to find a unique entry.
This commit adds a function, rtnl_neigh_get_by_vlan() which searches the neigh
cache for a specific neighbour (fdb) entry by interface index, link layer
address and vlan id.
Signed-off-by: Jonas Johansson <jonas.johansson@westermo.se>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-May/002124.html
https://github.com/thom311/libnl/pull/98
Jonas Johansson [Fri, 29 Apr 2016 14:26:22 +0000 (16:26 +0200)]
neigh: support neighbour flag NTF_SELF
Signed-off-by: Jonas Johansson <jonas.johansson@westermo.se>
Signed-off-by: Thomas Haller <thaller@redhat.com>
https://github.com/thom311/libnl/pull/96
Thomas Haller [Thu, 31 Mar 2016 14:19:10 +0000 (16:19 +0200)]
sit: refactor IS_SIT_LINK_ASSERT()
Also check for NULL link and dereference link before
basic error checking.
Also move the declaration of the @sit member inside
the macro. Obviously, the macro must now always come at
first, after declaring local auto variables.
Thomas Haller [Thu, 31 Mar 2016 13:44:56 +0000 (15:44 +0200)]
sit: don't print ip6rd_prefix as integer in sit_dump_details()
First of all, inet_ntop() has no reason to fail (ever), as long
as the input arguments point to valid data and family is not bogus.
But when it fails, we cannot pass a 'struct in6_addr' to "%x"
either, so just don't do that.
Same for printing ip6rd_relay_prefix as AF_INET. If our addr-to-str
method fails, we don't want to come up with something fancy. Otherwise,
we'd just implement a inet_ntop() that does not fail.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-February/002086.html
Haishuang Yan [Fri, 1 Apr 2016 10:18:50 +0000 (18:18 +0800)]
ipgre: add support for gretap tunnel
Since the kernel supports both gre and gretap tunnels, add support
for gretap appropriately.
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
[thaller@redhat.com: modified original patch to move symbols
in libnl-route-3.sym to proper section]
lib: add type casting for nla_for_each_nested macro
g++ is unable to compile code with nla_for_each_nested macro due to
implicit type conversion from void* to nlattr*. This patch adds type
casting for nla_for_each_nested macro to address this issue.
Signed-off-by: Przemyslaw Szczerbik <przemek.szczerbik@gmail.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2016-February/002095.html
David Ahern [Fri, 18 Dec 2015 17:50:03 +0000 (09:50 -0800)]
lib: update ce-mask to uint64_t
lib/route/link.c already defines 32 attributes which fills the current
uint32_t used for ce_mask. To accommodate more attributes the mask needs
to be expanded. This patch updates the definition to uint64_t.
The nl_object_diff API is maintained for ABI with existing users. A new
nl_object_diff64 API is added for the expanded attribute list. The MSB
of the 32-bit API is used to indicate if higher order attributes had a
mismatch. (Suggested by Thomas).
Note that LINK_ATTR_LINK_NETNSID changes. But since the attribute flags
are not public API it shouldn't be a problem.
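The compatibility scheme described above (a 64-bit diff plus a 32-bit view whose MSB flags a mismatch in the higher attributes), as an added example that is not libnl code. The object, the attribute bit positions, the DIFF_ATTR macro and the function names are this example's own stand-ins, and how libnl itself maps the upper bits into the 32-bit result may differ from the choice made here: bits 0..30 pass through unchanged and bit 31 is set when any attribute at bit 31 or above differs, so an old caller that only knows 32 bits still sees "not equal" and a new caller uses the 64-bit function to learn which attribute it was.

```c
#include <stdint.h>
#include <string.h>

/*
 * Added illustration, not libnl code. A stand-in object carrying a
 * 64-bit ce_mask of the attributes that are set. Attribute bits and
 * the diff functions are this example's own.
 */
#define ATTR_MTU	(1ULL << 0)
#define ATTR_IFINDEX	(1ULL << 1)
#define ATTR_ADDR	(1ULL << 2)
#define ATTR_NETNSID	(1ULL << 40)	/* one of the "higher order" attributes */

struct obj {
	uint64_t ce_mask;	/* which attributes are set */
	unsigned int mtu;
	int ifindex;
	unsigned char addr[6];
	int netnsid;
};

/*
 * Mark `attr` as differing if it is set on only one side, or set on both
 * sides with different values (`equal` is the value comparison). Uses a
 * local `diff` in the calling function.
 */
#define DIFF_ATTR(a, b, attr, equal)					\
	do {								\
		uint64_t _set_a = (a)->ce_mask & (attr);		\
		uint64_t _set_b = (b)->ce_mask & (attr);		\
		if (_set_a != _set_b || (_set_a && !(equal)))		\
			diff |= (attr);					\
	} while (0)

/* Full 64-bit diff: one bit per attribute that does not match. */
uint64_t obj_diff64(const struct obj *a, const struct obj *b)
{
	uint64_t diff = 0;

	DIFF_ATTR(a, b, ATTR_MTU, a->mtu == b->mtu);
	DIFF_ATTR(a, b, ATTR_IFINDEX, a->ifindex == b->ifindex);
	DIFF_ATTR(a, b, ATTR_ADDR, memcmp(a->addr, b->addr, 6) == 0);
	DIFF_ATTR(a, b, ATTR_NETNSID, a->netnsid == b->netnsid);
	return diff;
}

/*
 * 32-bit compatibility view: bits 0..30 pass through, bit 31 is set when
 * any attribute at bit 31 or above differs. Old callers still learn that
 * the objects differ; which high attribute it was needs obj_diff64().
 */
uint32_t obj_diff32(const struct obj *a, const struct obj *b)
{
	uint64_t diff = obj_diff64(a, b);
	uint32_t low = (uint32_t)(diff & 0x7fffffffULL);

	return (diff >> 31) ? (low | 0x80000000u) : low;
}

/* Returns 1 when both views behave as described above. */
int diff_selftest(void)
{
	struct obj a = { ATTR_MTU | ATTR_IFINDEX | ATTR_NETNSID, 1500, 3, { 0 }, 7 };
	struct obj b = a;

	if (obj_diff64(&a, &b) != 0 || obj_diff32(&a, &b) != 0)
		return 0;

	b.mtu = 9000;				/* low attribute differs */
	if (obj_diff64(&a, &b) != ATTR_MTU || obj_diff32(&a, &b) != 1u)
		return 0;

	b.mtu = a.mtu;
	b.netnsid = 8;				/* high attribute differs */
	if (obj_diff64(&a, &b) != ATTR_NETNSID ||
	    obj_diff32(&a, &b) != 0x80000000u)
		return 0;

	b.ce_mask &= ~ATTR_IFINDEX;		/* set on one side only */
	return obj_diff64(&a, &b) == (ATTR_IFINDEX | ATTR_NETNSID) &&
	       obj_diff32(&a, &b) == (0x80000000u | 2u);
}
```

The ce_mask comparison is what makes "attribute absent" distinct from "attribute equal to zero", which is why the mask, and not only the values, has to grow when more than 32 attributes exist.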
Amit Khatri [Thu, 17 Dec 2015 05:03:05 +0000 (10:33 +0530)]
lib/route: potential memory leak in pktloc.c
In the scenario where the file modification time is unchanged, code is returning 0
from read_pktlocs(). It causes a memory leak for the path variable.
Memory for this variable is allocated inside build_sysconf_path()
by asprintf() function.
David Ahern [Wed, 25 Nov 2015 19:14:16 +0000 (11:14 -0800)]
bridge: add support for VLANs
Add operation for requesting VLAN data for AF_BRIDGE and parsing of
IFLA_AF_SPEC for AF_BRIDGE. VLANs are saved in a bitmap.
Also add dumping of vlan info to link list and neigh list.
For example:
$ nl-link-list --details --family=bridge
br1 ether 8e:6e:0e:86:e5:86 master br1 <broadcast,multicast,up,running,lowerup>
mtu 1500 txqlen 0 weight 0 index 18
mode default carrier down
bridge: pvid 1 all vlans: 1 301-400 601-610 untagged vlans: 1
bond1 ether 46:ef:e1:c9:46:fe <broadcast,multicast,master>
mtu 1500 txqlen 0 weight 0 index 20
state down mode default carrier down
bridge:
Signed-off-by: Wilson Kok <wkok@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
[thaller@redhat.com: modified original patch to use ao_parse_af_full().
Also renaming new API and drop some #defines]
Signed-off-by: Thomas Haller <thaller@redhat.com>
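The bitmap representation and the range output shown in the dump above ("1 301-400 601-610"), as an added example that is not libnl code: a 4096-bit VLAN bitmap with set/test helpers and a formatter that renders consecutive VIDs as ranges, using the snprintf convention so a too-small buffer is detected rather than overrun. The names are this example's own; treating VIDs 0 and 4095 as reserved follows IEEE 802.1Q and is not something this page states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not libnl code. Bridge VLAN IDs are 12 bits, so
 * membership fits a 4096-bit bitmap. vlan_format() renders it as the
 * space-separated ranges seen in the nl-link-list output above.
 */
#define VLAN_N_VID	4096
#define VLAN_WORDS	(VLAN_N_VID / 32)

struct vlan_bitmap {
	uint32_t bits[VLAN_WORDS];
};

/* VIDs 1..4094 are usable; 0 (priority tag) and 4095 are reserved. */
int vlan_set(struct vlan_bitmap *bm, unsigned int vid)
{
	if (vid == 0 || vid >= VLAN_N_VID - 1)
		return -1;
	bm->bits[vid / 32] |= 1u << (vid % 32);
	return 0;
}

int vlan_set_range(struct vlan_bitmap *bm, unsigned int from, unsigned int to)
{
	if (from > to)
		return -1;
	for (; from <= to; from++)
		if (vlan_set(bm, from))
			return -1;
	return 0;
}

int vlan_test(const struct vlan_bitmap *bm, unsigned int vid)
{
	if (vid >= VLAN_N_VID)
		return 0;
	return (bm->bits[vid / 32] >> (vid % 32)) & 1u;
}

/*
 * Write the set VIDs as "a b-c d" into buf. Returns the length the full
 * output needs (snprintf convention): a result >= size means truncation.
 * buf is always NUL-terminated when size > 0.
 */
int vlan_format(const struct vlan_bitmap *bm, char *buf, size_t size)
{
	unsigned int vid = 1, start;
	int n = 0;

	if (size)
		buf[0] = '\0';
	while (vid < VLAN_N_VID) {
		size_t off, room;

		if (!vlan_test(bm, vid)) {
			vid++;
			continue;
		}
		start = vid;
		while (vid + 1 < VLAN_N_VID && vlan_test(bm, vid + 1))
			vid++;	/* extend the run of consecutive VIDs */
		off = (size_t)n < size ? (size_t)n : size;
		room = size - off;
		if (start == vid)
			n += snprintf(buf + off, room, "%s%u", n ? " " : "", start);
		else
			n += snprintf(buf + off, room, "%s%u-%u", n ? " " : "", start, vid);
		vid++;
	}
	return n;
}

/* Returns 1 when the set/format round trip matches the dump above. */
int vlan_selftest(void)
{
	struct vlan_bitmap all = { { 0 } };	/* constructed from the dump */
	char buf[64], small[4];

	if (vlan_set(&all, 1) || vlan_set_range(&all, 301, 400) ||
	    vlan_set_range(&all, 601, 610))
		return 0;
	if (vlan_set(&all, 0) == 0 || vlan_set(&all, 4095) == 0)
		return 0;	/* reserved IDs must be refused */
	if (vlan_format(&all, buf, sizeof(buf)) != 17 ||
	    strcmp(buf, "1 301-400 601-610") != 0)
		return 0;
	/* Truncated output still reports the full length and stays terminated. */
	if (vlan_format(&all, small, sizeof(small)) != 17 || strcmp(small, "1 3") != 0)
		return 0;
	return vlan_test(&all, 350) && !vlan_test(&all, 401) && !vlan_test(&all, 5000);
}
```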
David Ahern [Wed, 25 Nov 2015 19:14:15 +0000 (11:14 -0800)]
lib: handle family-based parsing of IFLA_AF_SPEC attribute
The encoding of the IFLA_AF_SPEC attribute varies depending on the family
used for the request (RTM_GETLINK) message. For AF_UNSPEC the encoding
has another level of nesting for each address family with the type encoded
first. i.e.,
af_spec = nla_nest_start(skb, IFLA_AF_SPEC)
for each family:
    af = nla_nest_start(skb, af_ops->family)
    af_ops->fill_link_af(skb, dev, ext_filter_mask)
    nest_end
nest_end
This allows the parser to find the address family by looking at the first
type.
which means the parser can not use the attribute itself to know the family
to which the attribute belongs.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
[thaller@redhat.com: refactor code by merging a later patch by
tobias.jungel@bisdn.de and introduce new function ao_parse_af_full()]
Signed-off-by: Thomas Haller <thaller@redhat.com>
David Ahern [Wed, 25 Nov 2015 19:14:14 +0000 (11:14 -0800)]
link: add AF operation to append attributes to a GETLINK message
Upcoming bridge patch wants to add IFLA_EXT_MASK attribute to RTM_GETLINK
requests to retrieve VLAN data. Expand request message to a full ifinfomsg
header and call to hook to append attributes if it exists for an address
family.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
[thaller@redhat.com: fix memleak in link_request_update()]
Signed-off-by: Thomas Haller <thaller@redhat.com>
David Ahern [Fri, 30 Oct 2015 22:08:40 +0000 (15:08 -0700)]
route/link/vxlan: trivial rename VXLAN_HAS_ prefix and vxi_mask
Global search and replace of VXLAN_HAS_ for VXLAN_ATTR_
and vxi_mask for ce_mask. Preparation step for using ATTR_DIFF
infrastructure in a vxlan_compare.
Signed-off-by: Balki Raman <ramanb@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
[thaller@redhat.com: rebased patch and changed whitespace]
Signed-off-by: Thomas Haller <thaller@redhat.com>
David Ahern [Fri, 30 Oct 2015 22:08:39 +0000 (15:08 -0700)]
route/link: add link info compare operation
Signed-off-by: Balki Raman <ramanb@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
David Ahern [Tue, 27 Oct 2015 22:40:48 +0000 (15:40 -0700)]
link/neigh: add flags option to link and neighbor caches
Both link and neighbor caches support specifying multiple groups (nl_af_group),
but the alloc_cache functions for both do not set the NL_CACHE_AF_ITER
flag before populating the cache so only the first group is used by
default. This patch adds an API to pass in flags to make that happen
and updates the nl-neigh-list command to make use of it.
Thomas Haller [Wed, 21 Oct 2015 16:01:02 +0000 (18:01 +0200)]
route/vlan: allow clearing vlan ingress map
An entry of the ingress map can be cleared by setting
the "to" part to zero.
Previously, vlan_put_attrs() would skip over zero "to"
and thus the user cannot unset an ingress map entry.
Add a modified-mask to record the state of each ingress
map entry and also send explicit zeros to kernel.
When we receive an IFLA_VLAN_INGRESS_QOS message from kernel,
vlan_parse() similarly sets the received entries as modified.
This preserves previous behavior when using a received object
to modify a vlan.
Add a capability NL_CAPABILITY_RTNL_LINK_VLAN_INGRESS_MAP_CLEAR
to indicate the behavioral change.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
[thaller@redhat.com: slightly modified original patch]
Signed-off-by: Thomas Haller <thaller@redhat.com>
Thomas Haller [Mon, 5 Oct 2015 14:52:07 +0000 (16:52 +0200)]
lib/attr: add nla utility functions for signed integers
Commit 7bb956501ccd58ed3bbffc59de996f056e178683 added nla functions for
s32. We preferably add all signed integer operations at the same time.
Thus, also add s8, s16, and s64.
Also, previously the NLA_TYPE_MAX enum was not extended to have
NLA_S32. Fix that too.
Reported-By: Jiri Pirko <jiri@resnulli.us>
Fixes: 7bb956501ccd58ed3bbffc59de996f056e178683
Signed-off-by: Thomas Haller <thaller@redhat.com>
Tobias Klauser [Thu, 20 Aug 2015 13:46:22 +0000 (15:46 +0200)]
route/link: add missing link_attrs translations
Add LINK_ATTR_NSFD, LINK_ATTR_NS_PID and LINK_ATTR_LINK_NETNSID to the
link_attrs translation table after they were added in commits
760bfabad8cd ("add link netns support") and 66aab65595fb ("route/link:
add support for IFLA_LINK_NETNSID") respectively.
Thomas Haller [Mon, 24 Aug 2015 15:57:16 +0000 (17:57 +0200)]
socket: fix assertion in nl_connect() when all ports are already in use
When generating a port fails a few times (because they are already in use
outside of libnl's knowledge), we would back off generating a local
port and instead let kernel decide.
There was however a bug in nl_connect() that caused an assertion:
BUG at file position socket.c:147:_nl_socket_used_ports_release_all
app: socket.c:147: _nl_socket_used_ports_release_all: Assertion `0' failed.
Thomas Haller [Fri, 10 Jul 2015 12:58:51 +0000 (14:58 +0200)]
socket: add fallback for nl_connect() by trying to bind to unspecified local port
libnl allows the user to explicitly set the local port before connecting
the socket. A more convenient way is to leave the local port unspecified
and let libnl generate a port id.
As it is, generate_local_port() would try at most 1024 ports, that
means if a user tries to connect more sockets, the automatism will
fail.
Kernel also supports choosing the local port itself (via netlink_autobind()).
So, this could be fixed by always leaving the port unspecified and let
kernel decide on the port. For that we could entirely drop generate_local_port().
There are however problems with that:
- it is unclear why generate_local_port() was even introduced in the
first place instead of always relying on kernel. This code already
appeared in libnl-1, so maybe there was a good reason for it or
it is necessary on some kernel versions.
- The deprecated libnl-1 library also uses a form of generate_local_port().
Its first guess would always be getpid(), but the problem is that
it would not retry on EADDRINUSE. Currently libnl-3 generates ports in
a different sequence and will not generate a conflicting port (until it
already exhausted 1016 other ports).
Hence, currently if your application uses libnl1 and libnl3
together, the automatism might just work without conflicts
(commit 1f734a8f892abcd3f81637df4a089155aca1b66a).
Accidentally, kernel/netlink_autobind() also first tries the process
id as port. That means, if we change libnl-3 to leave the decision
to kernel, and
- the application connects sockets both via libnl-1 and libnl-3
- and the libnl-3 socket happens to connect first
then the libnl-1 socket would fail to connect without retrying
another port.
- Removing generate_local_port() entirely changes behavior in the
following case:
sk = nl_socket_alloc();
/* accessing local port before connecting the socket used to
* freeze the local port to the generated value. */
port = nl_socket_get_local_port(sk);
nl_connect(sk, NETLINK_...);
Maybe the issues are minor and it would simplify the code just to get
rid of the cruft. But instead fix the issue without changing behavior.
Just keep trying with generate_local_port() first, before fallback to
kernel.
Reported-by: Julien Courtat <julien.courtat@6wind.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
http://lists.infradead.org/pipermail/libnl/2015-June/001889.html
Thomas Haller [Fri, 10 Jul 2015 12:58:50 +0000 (14:58 +0200)]
socket: clear port when unable to generate local port
When running out of local ports, _nl_socket_generate_local_port_no_release()
would leave the socket with port UINT32_MAX. That means if nl_connect()
fails due to out-of-ports, it would leave the port id assigned to an
invalid port and the socket instance was not re-usable until the user
called nl_socket_set_local_port(). Fix that by resetting the local port
to zero.
Thereby, also change generate_local_port() to return zero when
running out of ports. Zero is a more natural value for ~no port found~.
It also matches the port that _nl_socket_generate_local_port_no_release()
uses when failing to generate a port.
Also ensure that zero cannot be returned as valid port by generate_local_port().
Arguably, that would only be possible if (getpid() & 0x3FFFFF)
returns zero. Just be extra cautious.
Kir Kolyshkin [Tue, 7 Jul 2015 05:33:23 +0000 (22:33 -0700)]
doc/Makefile.am: don't use asciidoc if disabled
In case doc/configure.ac hasn't found asciidoc or any of its
prerequisites (such as pygmentize), make shouldn't try to run it.
One such case ("gendoc" target) is covered while the other
("%.html" target) is not. Fix it by adding a proper ifdef.
Kir Kolyshkin [Tue, 7 Jul 2015 05:23:45 +0000 (22:23 -0700)]
doc/configure.ac: simplify python check
A check for python binary that was originally introduced by commit
183e869 is needed because python is used for a couple of preprocessors
(doxygen-link.py and resolve-asciidoc-refs.py) and therefore it is
impossible to build docs without python.
While it is right to check for python, the check was both wrong and
excessive. Instead of just checking for python binary, it checked for
various versions of python and set a few variables that are not needed
here. More to say, the absence of python binary was not treated as
being fatal like it should.
Fix both problems by using AC_CHECK_PROG for python, terminating the
build in the same way as with doxygen absence. Also, remove the
m4/ax_python.m4 which is no longer needed.
Kir Kolyshkin [Tue, 7 Jul 2015 00:25:14 +0000 (17:25 -0700)]
m4/ax*.m4: remove
These files, as well as the proper configure.ac calls, were added
by commit f443be6, but the calls were later removed by commit b4b853e,
so these are no longer needed.
The ifi_change field can be set with the mask of the flags that need
to be changed as part of the link message to the kernel. This means only
the specific flags that have been changed will be modified in the kernel,
rather than the entire flags entry.
[thaller@redhat.com: add capability to indicate the change in behavior]
Thomas Haller [Fri, 26 Jun 2015 16:01:21 +0000 (18:01 +0200)]
ipvlan: don't check for valid @mode argument in rtnl_link_ipvlan_set_mode()
In the future kernel might support more modes. Don't be so
strict in rtnl_link_ipvlan_set_mode() and accept any uint16
mode.
This way when adding new modes, rtnl_link_ipvlan_set_mode() does not
need to be changed.
If the user passes an invalid value and sends a message to the kernel,
it will be rejected there.