Re: [PATCH 1/2] Remove unnecessary locks from rtnetlink

2008-02-07 Thread Laszlo Attila Toth

David Miller wrote:

From: Laszlo Attila Toth <[EMAIL PROTECTED]>
Date: Fri,  1 Feb 2008 17:07:33 +0100


The do_setlink() function is protected by rtnl, additional locks are
unnecessary, and the set_operstate() function is called from protected parts. Locks removed
from both functions.

The set_operstate() is also called from rtnl_create_link() and from no other
places. In rtnl_create_link() none of the changes is protected by set_lock_bh() except
inside set_operstate(); a different locking scheme is not necessary
for the operstate.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>


The protection using dev_base_lock() is needed.

When analyzing cases like this you need to also look at other code
paths outside of rtnetlink that access ->operstate and ->link_mode,
you obviously didn't do this.

For example, net/core/net-sysfs.c takes a read lock on dev_base_lock
in order to fetch a stable copy of both netif_running() and
dev->operstate at the same time.

Similar write locking to protect dev->operstate is made by
net/core/link_watch.c:rfc2863_policy(), for the same reason rtnetlink
has to make this locking.

You therefore cannot remove it.


Thanks for your answer, yes, unfortunately I checked only inside
rtnetlink.c


--
Attila
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH] rtnetlink.c: send a single notification on device state changes

2008-02-07 Thread Laszlo Attila Toth
In do_setlink() a single notification is sent at the end of the function
if any modification occurred. If the address has been changed, another
notification is sent.

Both of them are required because originally only the NETDEV_CHANGEADDR
notification was sent and although device state change implies address
change, some programs may expect the original notification. It remains
for compatibility.

If set_operstate() is called from do_setlink(), it doesn't send
a notification; it only does so if it is called from rtnl_create_link(), as before.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   36 ++--
 1 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 61ac8d0..ecb02af 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -504,7 +504,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition, 
bool send_notification)
 {
unsigned char operstate = dev->operstate;
 
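Review bot: the new prototype returns int but the function is used as a yes/no flag (`return 1;` / `return 0;` in the next hunk); since this same line introduces a `bool send_notification` parameter, make the return type `bool` as well so the caller's `modified |= set_operstate(...)` reads as the flag it is.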
@@ -527,8 +527,12 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
write_unlock_bh(&dev_base_lock);
-   netdev_state_change(dev);
-   }
+
+   if (send_notification)
+   netdev_state_change(dev);
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
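Review bot: the `} else` after `return 1;` is redundant; kernel style is to close the if and fall through to `return 0;`. Keeping `write_lock_bh(&dev_base_lock)` around the `dev->operstate` store is correct here: readers outside rtnetlink (net-sysfs.c and link_watch.c, as the reply at the top of this page points out) take that lock to get a consistent operstate, and they do not hold rtnl.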
@@ -822,6 +826,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
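Review bot: `modified = 1` is set for IFLA_BROADCAST unconditionally, while the IFLA_TXQLEN and IFLA_LINKMODE blocks below only set it when the value actually changes; compare first with memcmp(dev->broadcast, nla_data(tb[IFLA_BROADCAST]), dev->addr_len), otherwise a no-op `broadcast` attribute still produces both NETDEV_CHANGEADDR and the new netdev_state_change(). None of the hunks shows where `modified` is declared; it must be initialised to 0 on every path into do_setlink() for the `|=` below to be meaningful.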
@@ -834,16 +839,23 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]), 
false);
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   write_lock_bh(&dev_base_lock);
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   write_lock_bh(&dev_base_lock);
+   modified = 1;
+   }
}
 
err = 0;
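Review bot: in the IFLA_LINKMODE block the second lock call is `write_lock_bh(&dev_base_lock);` where `write_unlock_bh(&dev_base_lock);` is needed; as posted the write lock is taken twice, so the first `ip link set ... mode` that actually changes link_mode would deadlock. Also, `nla_get_u32(tb[IFLA_TXQLEN])` and `nla_get_u8(tb[IFLA_LINKMODE])` are each evaluated twice; read the value into a local once and compare that.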
@@ -857,6 +869,10 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+   if (modified)
+   netdev_state_change(dev);
+
return err;
 }
 
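Review bot: `netdev_state_change(dev)` now also runs on the `errout:` path whenever `modified` is set, so a request that fails part-way still announces the parts that did change. That is the right behaviour (those changes are visible), but it should be stated in the commit message, as should the fact that a broadcast-address change still produces two notifications (NETDEV_CHANGEADDR plus this one).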
@@ -974,7 +990,7 @@ struct net_device *rtnl_create_link(struct net *net, char 
*ifname,
if (tb[IFLA_TXQLEN])
dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]), true);
if (tb[IFLA_LINKMODE])
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
 
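Review bot: passing `true` keeps the old behaviour of notifying from rtnl_create_link(), but the device being built here is not registered yet, so listeners receive a change event for a link they cannot look up; either add a comment saying why that is wanted or pass `false` and let registration announce the link. Note also that `dev->link_mode` is stored two lines further down without dev_base_lock while set_operstate() takes it; that is only safe because nothing else can reach an unregistered device.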
-- 
1.5.2.5

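The notification path the commit message describes (netdev_state_change() at the end of do_setlink(), plus NETDEV_CHANGEADDR when the broadcast address changed) is visible from user space as RTM_NEWLINK messages on the RTMGRP_LINK multicast group. The following is an added example, not code from the patch or from the thread: a small observer a reviewer can run next to `ip link set ...` to count how many RTM_NEWLINK messages one request produces, with a decoder for the IFLA_OPERSTATE, IFLA_LINKMODE and IFLA_TXQLEN attributes the patch touches. The ifindex, name and values in build_sample_newlink() are constructed for the offline check; the only assumption beyond the page is a Linux system with the rtnetlink UAPI headers.

```c
/* Added example, not from the patch or the thread: a user-space observer for the RTM_NEWLINK
 * messages that netdev_state_change() produces, plus an offline decoder. Linux-only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/if.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

struct link_event {
    int ifindex, operstate, link_mode;   /* IF_OPER_* / IF_LINK_MODE_*, -1 when absent */
    long txqlen;                         /* -1 when IFLA_TXQLEN is absent */
    char name[IFNAMSIZ];
};

/* Decode one RTM_NEWLINK/RTM_DELLINK; `avail` (bytes left in the receive buffer from nh on)
 * bounds every derived pointer. Returns 0, -ENOMSG for other types, -EINVAL if malformed. */
int decode_link_msg(struct nlmsghdr *nh, int avail, struct link_event *ev)
{
    if (!NLMSG_OK(nh, avail) || nh->nlmsg_len < NLMSG_LENGTH(sizeof(struct ifinfomsg))) return -EINVAL;
    if (nh->nlmsg_type != RTM_NEWLINK && nh->nlmsg_type != RTM_DELLINK) return -ENOMSG;
    struct ifinfomsg *ifi = NLMSG_DATA(nh);
    int len = IFLA_PAYLOAD(nh);
    memset(ev, 0, sizeof(*ev));
    ev->ifindex = ifi->ifi_index;
    ev->operstate = ev->link_mode = ev->txqlen = -1;
    for (struct rtattr *rta = IFLA_RTA(ifi); RTA_OK(rta, len); rta = RTA_NEXT(rta, len)) {
        size_t plen = RTA_PAYLOAD(rta); __u32 q;
        switch (rta->rta_type) {
        case IFLA_IFNAME:   /* bounded copy: a forged message need not be NUL-terminated */
            snprintf(ev->name, sizeof(ev->name), "%.*s", (int)plen, (char *)RTA_DATA(rta));
            break;
        case IFLA_OPERSTATE:
        case IFLA_LINKMODE:
            if (plen < 1) return -EINVAL;
            *(rta->rta_type == IFLA_OPERSTATE ? &ev->operstate : &ev->link_mode) = *(__u8 *)RTA_DATA(rta);
            break;
        case IFLA_TXQLEN:
            if (plen < sizeof(q)) return -EINVAL;
            memcpy(&q, RTA_DATA(rta), sizeof(q));
            ev->txqlen = q;
            break;
        }
    }
    return 0;
}

/* Append one attribute to a message under construction (iproute2 addattr_l() style). */
int add_attr(struct nlmsghdr *nh, size_t cap, int type, const void *data, size_t dlen)
{
    struct rtattr *rta = (struct rtattr *)((char *)nh + NLMSG_ALIGN(nh->nlmsg_len));
    if (NLMSG_ALIGN(nh->nlmsg_len) + RTA_ALIGN(RTA_LENGTH(dlen)) > cap) return -1;
    rta->rta_type = type;
    rta->rta_len = RTA_LENGTH(dlen);
    memcpy(RTA_DATA(rta), data, dlen);
    nh->nlmsg_len = NLMSG_ALIGN(nh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
    return 0;
}

/* Constructed sample (not a capture): the message the kernel would emit for ifindex 2 ("eth0")
 * set to operstate up, mode dormant, txqueuelen 1000. Returns the length, 0 on failure. */
size_t build_sample_newlink(unsigned char *buf, size_t cap)
{
    __u8 op = IF_OPER_UP, lm = IF_LINK_MODE_DORMANT;
    __u32 txq = 1000;
    struct nlmsghdr *nh = (struct nlmsghdr *)buf;
    if (cap < 128) return 0;
    memset(buf, 0, cap);
    nh->nlmsg_type = RTM_NEWLINK;
    nh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    ((struct ifinfomsg *)NLMSG_DATA(nh))->ifi_index = 2;
    if (add_attr(nh, cap, IFLA_IFNAME, "eth0", 5) || add_attr(nh, cap, IFLA_OPERSTATE, &op, 1) ||
        add_attr(nh, cap, IFLA_LINKMODE, &lm, 1) || add_attr(nh, cap, IFLA_TXQLEN, &txq, 4))
        return 0;
    return nh->nlmsg_len;
}

/* Live mode: join RTMGRP_LINK and print up to `max` events. Only datagrams from netlink port 0
 * (the kernel) are decoded, since any local process can unicast a crafted message to our port. */
int watch_links(int max)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = RTMGRP_LINK }, from;
    unsigned char buf[8192];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), seen = 0;
    if (fd < 0) return -errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { int e = errno; close(fd); return -e; }
    while (seen < max) {
        socklen_t flen = sizeof(from);
        int n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &flen);
        if (n < 0) break;
        if (from.nl_pid != 0) continue;    /* not from the kernel: ignore */
        for (struct nlmsghdr *nh = (struct nlmsghdr *)buf; NLMSG_OK(nh, n); nh = NLMSG_NEXT(nh, n)) {
            struct link_event ev;
            if (decode_link_msg(nh, n, &ev) != 0) continue;
            printf("%s ifindex=%d operstate=%d linkmode=%d txqlen=%ld\n",
                   ev.name, ev.ifindex, ev.operstate, ev.link_mode, ev.txqlen);
            seen++;
        }
    }
    close(fd);
    return seen;
}

int main(void) { return watch_links(10) < 0; }
```

Run it, then issue `ip link set eth0 txqueuelen 500 mode dormant` from another shell and count the lines: the patch's intent is one RTM_NEWLINK for the whole request instead of one per attribute (before the patch a txqueuelen change produced none at all, as the removed lines in the IFLA_TXQLEN hunk show). The recvfrom() source check is the part a reviewer should keep: membership of the multicast group does not stop another local process from unicasting a forged RTM_NEWLINK to this socket's port, and port 0 is the only sender that is guaranteed to be the kernel.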


[PATCH 2/2] rtnetlink: send a single notification on device state changes

2008-02-01 Thread Laszlo Attila Toth
In do_setlink() a single notification is sent at the end of the function
if any modification occurred. If the address has been changed, another
notification is sent.

Both of them are required because originally only the NETDEV_CHANGEADDR
notification was sent and although device state change implies address
change, some programs may expect the original notification. It remains
for compatibility.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   27 ---
 1 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 724e8f5..d67b950 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -545,7 +545,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
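Review bot: int is used as a boolean return here (`return 1;` / `return 0;` in the next hunk); `bool` would make the caller's `modified |= set_operstate(...)` read as the flag it is.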
@@ -566,8 +566,9 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
 
if (dev->operstate != operstate) {
dev->operstate = operstate;
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
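Review bot: this hunk stores `dev->operstate` with no `dev_base_lock` (the removal comes from patch 1/2), but readers in net/core/net-sysfs.c and net/core/link_watch.c take that lock precisely to read operstate consistently and do not hold rtnl, so the write_lock_bh()/write_unlock_bh() pair has to stay. Separately, drop the `else` after `return 1;` and fall through to `return 0;`.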
@@ -861,6 +862,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
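Review bot: `modified = 1` is set for IFLA_BROADCAST even when the new address equals the old one, whereas IFLA_TXQLEN and IFLA_LINKMODE below compare first; use memcmp() against dev->broadcast for consistency, otherwise a no-op request still fires both notifications.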
@@ -873,14 +875,21 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   modified = 1;
+   }
}
 
err = 0;
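Review bot: `dev->link_mode` is written here without dev_base_lock although code paths outside rtnetlink read it and operstate under that lock (the reply at the top of this page names net-sysfs.c and link_watch.c); the comparison added around the store is fine, but the lock the earlier code took needs to come back. Also `nla_get_u32(tb[IFLA_TXQLEN])` and `nla_get_u8(tb[IFLA_LINKMODE])` are evaluated twice each; take a local.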
@@ -894,6 +903,10 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+   if (modified)
+   netdev_state_change(dev);
+
return err;
 }
 
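Review bot: the `if (modified) netdev_state_change(dev);` is reached from `errout:` too, so partial failures still notify about what did change; worth a sentence in the commit message, together with the note that a broadcast change keeps producing both NETDEV_CHANGEADDR and this notification.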
-- 
1.5.2.5



[PATCH 1/2] Remove unnecessary locks from rtnetlink

2008-02-01 Thread Laszlo Attila Toth
The do_setlink() function is protected by rtnl, additional locks are
unnecessary, and the set_operstate() function is called from protected parts. Locks removed
from both functions.

The set_operstate() is also called from rtnl_create_link() and from no other
places. In rtnl_create_link() none of the changes is protected by set_lock_bh() except
inside set_operstate(); a different locking scheme is not necessary
for the operstate.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |4 
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index ddbdde8..724e8f5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -565,9 +565,7 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
}
 
if (dev->operstate != operstate) {
-   write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
-   write_unlock_bh(&dev_base_lock);
netdev_state_change(dev);
}
 }
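Review bot: dropping the write_lock_bh()/write_unlock_bh() pair around the operstate store is not safe. rtnl serialises writers inside rtnetlink only; net/core/net-sysfs.c reads netif_running() and dev->operstate together under read_lock(&dev_base_lock), and net/core/link_watch.c:rfc2863_policy() writes operstate under the write lock, neither holding rtnl. The lock is what gives those readers a consistent pair, so it has to stay (this is the NAK in the reply at the top of this page).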
@@ -882,9 +880,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
}
 
err = 0;
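Review bot: same objection for `dev->link_mode`: it is accessed outside rtnetlink under dev_base_lock, so the lock pair around this store must remain. Also, the commit message talks about `set_lock_bh()`, which does not exist; the calls being removed are `write_lock_bh(&dev_base_lock)` / `write_unlock_bh(&dev_base_lock)`.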
-- 
1.5.2.5



[PATCH 0/2] rtnetlink locking and notification fixes

2008-02-01 Thread Laszlo Attila Toth
Hi Dave,

These two patches remove unnecessary locks from rtnetlink, where locking was managed in
an inconsistent way, and change notification. The latter is always sent
if anything is changed but for compatibility the old notification is also kept.

Regards,
Attila


[resend][PATCH] Introducing socket mark socket option

2008-01-24 Thread Laszlo Attila Toth
A userspace program may wish to set the mark for each packet it sends
without using the netfilter MARK target. Changing the mark can be used
for mark based routing without netfilter or for packet filtering.

It requires CAP_NET_ADMIN capability.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/asm-alpha/socket.h|2 ++
 include/asm-arm/socket.h  |2 ++
 include/asm-avr32/socket.h|2 ++
 include/asm-blackfin/socket.h |3 +++
 include/asm-cris/socket.h |2 ++
 include/asm-frv/socket.h  |2 ++
 include/asm-h8300/socket.h|2 ++
 include/asm-ia64/socket.h |2 ++
 include/asm-m32r/socket.h |2 ++
 include/asm-m68k/socket.h |2 ++
 include/asm-mips/socket.h |2 ++
 include/asm-parisc/socket.h   |2 ++
 include/asm-powerpc/socket.h  |2 ++
 include/asm-s390/socket.h |2 ++
 include/asm-sh/socket.h   |2 ++
 include/asm-sparc/socket.h|2 ++
 include/asm-sparc64/socket.h  |1 +
 include/asm-v850/socket.h |2 ++
 include/asm-x86/socket.h  |2 ++
 include/asm-xtensa/socket.h   |2 ++
 include/net/route.h   |2 ++
 include/net/sock.h|2 ++
 net/core/sock.c   |   11 +++
 net/ipv4/ip_output.c  |3 +++
 net/ipv4/raw.c|2 ++
 net/ipv6/ip6_output.c |2 ++
 net/ipv6/raw.c|3 +++
 27 files changed, 65 insertions(+), 0 deletions(-)

diff --git a/include/asm-alpha/socket.h b/include/asm-alpha/socket.h
index 1fede7f..08c9793 100644
--- a/include/asm-alpha/socket.h
+++ b/include/asm-alpha/socket.h
@@ -60,4 +60,6 @@
 #define SO_SECURITY_ENCRYPTION_TRANSPORT   20
 #define SO_SECURITY_ENCRYPTION_NETWORK 21
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
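Review bot: the alpha hunk appends `SO_MARK 36` after the SO_SECURITY_* definitions (20, 21) rather than after `SO_TIMESTAMPNS 35` as every other hunk shown here does, so confirm that 36 really is the next free value in that file. The diffstat also lists mips, parisc, sparc and sparc64 (sparc64 with a single added line, unlike the two everywhere else); those hunks are cut off on this page, and since the new option number has to be unused in each file, each of them should be checked individually rather than assumed to be 36.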
diff --git a/include/asm-arm/socket.h b/include/asm-arm/socket.h
index 65a1a64..6817be9 100644
--- a/include/asm-arm/socket.h
+++ b/include/asm-arm/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-avr32/socket.h b/include/asm-avr32/socket.h
index a0d0507..35863f2 100644
--- a/include/asm-avr32/socket.h
+++ b/include/asm-avr32/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* __ASM_AVR32_SOCKET_H */
diff --git a/include/asm-blackfin/socket.h b/include/asm-blackfin/socket.h
index 5213c96..2ca702e 100644
--- a/include/asm-blackfin/socket.h
+++ b/include/asm-blackfin/socket.h
@@ -50,4 +50,7 @@
 #define SO_PASSSEC 34
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
+
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-cris/socket.h b/include/asm-cris/socket.h
index 5b18dfd..9df0ca8 100644
--- a/include/asm-cris/socket.h
+++ b/include/asm-cris/socket.h
@@ -54,6 +54,8 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
 
 
diff --git a/include/asm-frv/socket.h b/include/asm-frv/socket.h
index a823bef..e51ca67 100644
--- a/include/asm-frv/socket.h
+++ b/include/asm-frv/socket.h
@@ -52,5 +52,7 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
 
diff --git a/include/asm-h8300/socket.h b/include/asm-h8300/socket.h
index 39911d8..da2520d 100644
--- a/include/asm-h8300/socket.h
+++ b/include/asm-h8300/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-ia64/socket.h b/include/asm-ia64/socket.h
index 9e42ce4..d5ef0aa 100644
--- a/include/asm-ia64/socket.h
+++ b/include/asm-ia64/socket.h
@@ -61,4 +61,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_IA64_SOCKET_H */
diff --git a/include/asm-m32r/socket.h b/include/asm-m32r/socket.h
index 793d5d3..9a0e200 100644
--- a/include/asm-m32r/socket.h
+++ b/include/asm-m32r/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_M32R_SOCKET_H */
diff --git a/include/asm-m68k/socket.h b/include/asm-m68k/socket.h
index 6d21b90..dbc64e9 100644
--- a/include/asm-m68k/socket.h
+++ b/include/asm-m68k/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define S

[PATCH] Introducing socket mark socket option

2008-01-23 Thread Laszlo Attila Toth
A userspace program may wish to set the mark for each packet it sends
without using the netfilter MARK target. Changing the mark can be used
for mark based routing without netfilter or for packet filtering.

It requires CAP_NET_ADMIN capability.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/asm-alpha/socket.h|2 ++
 include/asm-arm/socket.h  |2 ++
 include/asm-avr32/socket.h|2 ++
 include/asm-blackfin/socket.h |3 +++
 include/asm-cris/socket.h |2 ++
 include/asm-frv/socket.h  |2 ++
 include/asm-h8300/socket.h|2 ++
 include/asm-ia64/socket.h |2 ++
 include/asm-m32r/socket.h |2 ++
 include/asm-m68k/socket.h |2 ++
 include/asm-mips/socket.h |2 ++
 include/asm-parisc/socket.h   |2 ++
 include/asm-powerpc/socket.h  |2 ++
 include/asm-s390/socket.h |2 ++
 include/asm-sh/socket.h   |2 ++
 include/asm-sparc/socket.h|2 ++
 include/asm-sparc64/socket.h  |1 +
 include/asm-v850/socket.h |2 ++
 include/asm-x86/socket.h  |2 ++
 include/asm-xtensa/socket.h   |2 ++
 include/net/route.h   |2 ++
 include/net/sock.h|2 ++
 net/core/sock.c   |   11 +++
 net/ipv4/icmp.c   |1 +
 net/ipv4/ip_output.c  |3 +++
 net/ipv4/raw.c|2 ++
 26 files changed, 61 insertions(+), 0 deletions(-)

diff --git a/include/asm-alpha/socket.h b/include/asm-alpha/socket.h
index 1fede7f..08c9793 100644
--- a/include/asm-alpha/socket.h
+++ b/include/asm-alpha/socket.h
@@ -60,4 +60,6 @@
 #define SO_SECURITY_ENCRYPTION_TRANSPORT   20
 #define SO_SECURITY_ENCRYPTION_NETWORK 21
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
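Review bot: the diffstat of this version touches net/ipv4/ip_output.c, net/ipv4/raw.c and net/ipv4/icmp.c but no net/ipv6 file, so a mark set with SO_MARK would not reach IPv6 output or IPv6 raw sockets; the resend lists net/ipv6/ip6_output.c and net/ipv6/raw.c instead of icmp.c, which is the right scope. The alpha hunk places `SO_MARK 36` after the SO_SECURITY_* values rather than after `SO_TIMESTAMPNS 35`, so check that 36 is free in that file too.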
diff --git a/include/asm-arm/socket.h b/include/asm-arm/socket.h
index 65a1a64..6817be9 100644
--- a/include/asm-arm/socket.h
+++ b/include/asm-arm/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-avr32/socket.h b/include/asm-avr32/socket.h
index a0d0507..35863f2 100644
--- a/include/asm-avr32/socket.h
+++ b/include/asm-avr32/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* __ASM_AVR32_SOCKET_H */
diff --git a/include/asm-blackfin/socket.h b/include/asm-blackfin/socket.h
index 5213c96..2ca702e 100644
--- a/include/asm-blackfin/socket.h
+++ b/include/asm-blackfin/socket.h
@@ -50,4 +50,7 @@
 #define SO_PASSSEC 34
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
+
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-cris/socket.h b/include/asm-cris/socket.h
index 5b18dfd..9df0ca8 100644
--- a/include/asm-cris/socket.h
+++ b/include/asm-cris/socket.h
@@ -54,6 +54,8 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
 
 
diff --git a/include/asm-frv/socket.h b/include/asm-frv/socket.h
index a823bef..e51ca67 100644
--- a/include/asm-frv/socket.h
+++ b/include/asm-frv/socket.h
@@ -52,5 +52,7 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
 
diff --git a/include/asm-h8300/socket.h b/include/asm-h8300/socket.h
index 39911d8..da2520d 100644
--- a/include/asm-h8300/socket.h
+++ b/include/asm-h8300/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-ia64/socket.h b/include/asm-ia64/socket.h
index 9e42ce4..d5ef0aa 100644
--- a/include/asm-ia64/socket.h
+++ b/include/asm-ia64/socket.h
@@ -61,4 +61,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_IA64_SOCKET_H */
diff --git a/include/asm-m32r/socket.h b/include/asm-m32r/socket.h
index 793d5d3..9a0e200 100644
--- a/include/asm-m32r/socket.h
+++ b/include/asm-m32r/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_M32R_SOCKET_H */
diff --git a/include/asm-m68k/socket.h b/include/asm-m68k/socket.h
index 6d21b90..dbc64e9 100644
--- a/include/asm-m68k/socket.h
+++ b/include/asm-m68k/socket.h
@@ -52,4 +52,6 @@
 #define SO_TIMESTAMPNS 35
 #define SCM_TIMESTAMPNSSO_TIMESTAMPNS
 
+#define SO_MARK36
+
 #endif /* _ASM_SOCKET_H */
diff -
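Both postings of the SO_MARK patch state the user-visible contract in two sentences: a process can set the mark of every packet its socket sends, and doing so requires CAP_NET_ADMIN. The following added example (not part of the patch) exercises that contract from user space on a Linux system with SO_MARK support: it sets the option, reads the value back with getsockopt(), distinguishes a capability denial from an unsupported kernel, and, when run as root, forks a child that gives up root to confirm the denial actually happens. The uid 65534 and the mark 0x2a are arbitrary choices for the demonstration; the fallback `#define SO_MARK 36` is for old libc headers and matches the value the patch uses on the architectures whose hunks are shown above, not necessarily on every architecture.

```c
/* Added example, not part of the SO_MARK patch: exercise the option from user space and
 * report whether the kernel honoured it or enforced CAP_NET_ADMIN. Linux-only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifndef SO_MARK
#define SO_MARK 36   /* fallback for old headers; the patch's value on x86/arm/ia64 etc. */
#endif

enum mark_result { MARK_SET, MARK_DENIED, MARK_UNSUPPORTED, MARK_NO_SOCKET };

/* Open a UDP socket, try to set `want` as its mark and read it back with getsockopt().
 * MARK_DENIED is the expected outcome for a process without CAP_NET_ADMIN. */
enum mark_result try_set_mark(unsigned int want, unsigned int *got)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof(*got);
    enum mark_result r;

    *got = 0;
    if (fd < 0)
        return MARK_NO_SOCKET;
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &want, sizeof(want)) == 0)
        r = (getsockopt(fd, SOL_SOCKET, SO_MARK, got, &len) == 0 && *got == want)
            ? MARK_SET : MARK_UNSUPPORTED;
    else if (errno == EPERM || errno == EACCES)
        r = MARK_DENIED;         /* the capability check the commit message describes */
    else
        r = MARK_UNSUPPORTED;    /* e.g. ENOPROTOOPT from a kernel without SO_MARK */
    close(fd);
    return r;
}

const char *mark_result_str(enum mark_result r)
{
    static const char *const names[] = {
        "set and read back", "denied (no CAP_NET_ADMIN)", "unsupported", "no socket" };
    return names[r];
}

/* When running as root, fork a child that switches to an unprivileged uid (setuid() from
 * root changes all three uids, which clears the permitted capability set) and check that
 * the kernel then refuses SO_MARK. Returns 1 if the denial was observed, 0 if the child
 * could still set a mark, -1 if the check could not be made (not root, fork/setuid failed). */
int enforcement_observed(void)
{
    const uid_t nobody = 65534;   /* arbitrary unprivileged uid for the demonstration */
    int status;
    pid_t pid;

    if (geteuid() != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        unsigned int got;
        enum mark_result cr;
        if (setuid(nobody) != 0)
            _exit(2);
        cr = try_set_mark(1, &got);
        _exit(cr == MARK_DENIED ? 0 : cr == MARK_SET ? 1 : 2);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    unsigned int got;
    enum mark_result r = try_set_mark(0x2a, &got);
    int enforced = enforcement_observed();

    printf("SO_MARK 0x2a as uid %u: %s\n", (unsigned)geteuid(), mark_result_str(r));
    printf("denial for unprivileged child: %s\n",
           enforced == 1 ? "observed" : enforced == 0 ? "NOT observed" : "not checked");
    return r == MARK_UNSUPPORTED;
}
```

Once set, the mark is the value that an `ip rule add fwmark 0x2a table 100` rule or an iptables `-m mark --mark 0x2a` match keys on, which is the mark-based routing and filtering without the MARK target that the commit message refers to. The privilege check is the part to look for when reviewing the net/core/sock.c hunk (not shown on this page): without it, any unprivileged process could steer its own traffic into a routing table, or past a filter, that the administrator keyed on the mark.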

Re: [PATCH 0/0]: Cassini bug fixes.

2008-01-09 Thread Laszlo Attila Toth

David Miller wrote:

Over the past day I've put together the following set of bug fixes for
the Cassini driver.

At least with my setup it appears to basically work fine, not leak
memory, and the SKB BUG messages go away too.

I'll be honest and say that I've devoted a couple days to this work,
and therefore I have to turn my attention back to other tasks.  As a
result, it means it will be some time before I can look seriously into
any feedback folks provide.  And for that I apologize, but this
already consumed too much of my time.

I'll be pushing these to Linus and -stable shortly.

Thanks.



We tested the card, it works well, all previous bugs are gone (truesize
bug messages and memory consumption).


Thank you again.

--
Attila


[PATCHv7 2/5][RESEND] rtnetlink: send a single notification on device state changes

2007-12-18 Thread Laszlo Attila Toth
In do_setlink() a single notification is sent at the end of the function
if any modification occurred. If the address has been changed, another
notification is sent.

Both of them are required because originally only the NETDEV_CHANGEADDR
notification was sent and although device state change implies address
change, some programs may expect the original notification. It remains
for compatibility.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 net/core/rtnetlink.c |   27 ---
 1 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f95c6c5..6be8608 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
@@ -563,8 +563,9 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
 
if (dev->operstate != operstate) {
dev->operstate = operstate;
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
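Review bot: the store to `dev->operstate` here is unlocked (patch 1/5 removed the dev_base_lock pair), while net-sysfs.c and link_watch.c read and write operstate under that lock without holding rtnl; the lock needs to come back. Also drop the `else` after `return 1;`.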
@@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
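Review bot: IFLA_BROADCAST sets `modified = 1` without checking whether the address actually changed, unlike the TXQLEN and LINKMODE blocks that follow; compare with memcmp() first so a no-op request does not notify twice.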
@@ -870,14 +872,21 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   modified = 1;
+   } 
}
 
err = 0;
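Review bot: `dev->link_mode` is written here without dev_base_lock although other code paths access it under that lock; keep the lock pair. `nla_get_u32()` / `nla_get_u8()` are called twice per attribute; read once into a local. The stray trailing whitespace after the closing brace of the IFLA_LINKMODE block will also trip checkpatch.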
@@ -891,6 +900,10 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+   if (modified)
+   netdev_state_change(dev);
+
return err;
 }
 


[PATCHv7 iproute2 2/2][RESEND] Interface group as new ip link option

2007-12-18 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup. Any value of unsigned int32 is valid.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
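Review bot: IFLA_IFGROUP is appended after IFLA_NET_NS_PID in iproute2's private copy of if_link.h; this value must match the kernel's enum exactly (the kernel side is patch [3/5], not shown here), or `ip link set ... group` will silently send the attribute under a different type. Prefer regenerating the header from the kernel tree over hand-editing it.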
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..ea2d46a 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(__u32 id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
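Review bot: `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` dereferences the attribute without checking that RTA_PAYLOAD(tb[IFLA_IFGROUP]) is at least sizeof(__u32), and the value is a __u32 on the sending side (`__u32 group` in iplink.c) but is read here as int before being passed to rtnl_ifgroup_n2a(__u32 ...); check the length and read it as __u32.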
diff --git a/ip/iplink.c b/ip/iplink.c
index f28f91c..cdef533 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -146,6 +148,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -198,6 +201,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
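Review bot: the duplicate-argument check `if (group != 0) duparg(...)` uses 0 as the "not given" sentinel, but the commit message says any unsigned 32-bit value is valid, so `group 0 group 0` is not caught and an explicit `group 0` is indistinguishable from no argument; track presence with a separate flag, as the surrounding `mtu != -1` and `qlen != -1` checks do with out-of-range sentinels.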
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..8837e4f 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_
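Review bot: `rtnl_rtifgroup_tab[256]` only gives symbolic names to IDs below 256, while the commit message allows any unsigned 32-bit group ID; that mirrors the other rt_names tables, but an /etc/iproute2/rt_ifgroup line with a larger ID cannot be stored by this loader, so either document the limit in the man page hunk (man/man8/ip.8 is in the diffstat but not shown here) or check and report it.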
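The commit message defines the interface group as a u32 with optional symbolic names in /etc/iproute2/rt_ifgroup, and the rt_names.c hunk implements the names with a 256-entry table in the style of the other rt_names tables. The following added example, not iproute2 code, is a loader and a2n/n2a pair for that file format (id, whitespace, name, `#` comments, the layout iproute2 uses for its other rt_* tables) which keeps the name table small but accepts any 32-bit id as a literal, rejects signed or trailing-garbage input that strtoul() alone would let through, and refuses numeric names so a name can never shadow an id. The table contents are constructed.

```c
/* Added example, not from iproute2: a loader and resolver for an rt_ifgroup-style name table
 * ("<id> <name>" per line, '#' comments), accepting the full unsigned 32-bit ID range. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFGROUP_MAX_NAMES 256      /* same capacity as the 256-entry table in the patch */
#define IFGROUP_NAME_LEN 32

struct ifgroup_tab {
    size_t n;
    struct { uint32_t id; char name[IFGROUP_NAME_LEN]; } e[IFGROUP_MAX_NAMES];
};

/* Strict unsigned 32-bit parse: decimal/hex/octal, no sign, no trailing characters.
 * strtoul() alone accepts "-1" and stops silently at junk, so both are checked here. */
int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 0);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Load "id name" lines from `text` (a file's contents). Returns the entry count, or -1 on a
 * malformed id, an overlong line, a numeric name, or more names than the table holds. */
int ifgroup_tab_load(struct ifgroup_tab *t, const char *text)
{
    const char *p = text;

    t->n = 0;
    while (*p != '\0') {
        char line[128], idbuf[32], name[IFGROUP_NAME_LEN], *hash;
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        uint32_t id;

        if (len >= sizeof(line))
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);
        if ((hash = strchr(line, '#')) != NULL)
            *hash = '\0';
        if (sscanf(line, "%31s %31s", idbuf, name) != 2)
            continue;                               /* blank or comment-only line */
        if (parse_u32(idbuf, &id) != 0 || isdigit((unsigned char)name[0]) || t->n == IFGROUP_MAX_NAMES)
            return -1;
        t->e[t->n].id = id;
        memcpy(t->e[t->n].name, name, sizeof(name));
        t->n++;
    }
    return (int)t->n;
}

/* ascii -> number, as `ip link set ... group ARG` needs it: a table name, or any numeric
 * u32 even if it has no name. Returns 0 on success. */
int ifgroup_a2n(const struct ifgroup_tab *t, const char *arg, uint32_t *id)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].name, arg) == 0) {
            *id = t->e[i].id;
            return 0;
        }
    return parse_u32(arg, id);
}

/* number -> ascii for `ip link show`: the name if one is known, else the decimal id. */
const char *ifgroup_n2a(const struct ifgroup_tab *t, uint32_t id, char *buf, size_t len)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].id == id)
            return t->e[i].name;
    snprintf(buf, len, "%u", (unsigned)id);
    return buf;
}

/* Constructed sample table (not a real /etc/iproute2/rt_ifgroup). */
const char sample_ifgroup_table[] =
    "# id        name\n"
    "0           default\n"
    "1           uplinks\n"
    "4000000000  dmz      # ids above 255 are legal u32 values too\n";

int main(void)
{
    struct ifgroup_tab t;
    char buf[16];
    uint32_t id;

    if (ifgroup_tab_load(&t, sample_ifgroup_table) < 0 || ifgroup_a2n(&t, "dmz", &id) != 0)
        return 1;
    printf("dmz -> %u, 1 -> %s\n", (unsigned)id, ifgroup_n2a(&t, 1, buf, sizeof(buf)));
    printf("7 -> %s\n", ifgroup_n2a(&t, 7, buf, sizeof(buf)));
    return 0;
}
```

The numeric-name rule is the one point worth carrying into the real table loader: if "42" were allowed as a name for id 7, `ip link set eth0 group 42` would resolve to 7 by name lookup before the literal was ever considered, and an iptables match written against group 42 would match a different set of interfaces than the administrator intended.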

[PATCHv7 1/5][RESEND] Remove unnecessary locks from rtnetlink

2007-12-18 Thread Laszlo Attila Toth
The do_setlink() function is protected by rtnl, additional locks are
unnecessary, and the set_operstate() function is called from protected parts. Locks removed
from both functions.

The set_operstate() is also called from rtnl_create_link() and from no other
places. In rtnl_create_link() none of the changes is protected by set_lock_bh() except
inside set_operstate(); a different locking scheme is not necessary
for the operstate.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 net/core/rtnetlink.c |4 
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..f95c6c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -562,9 +562,7 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
}
 
if (dev->operstate != operstate) {
-   write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
-   write_unlock_bh(&dev_base_lock);
netdev_state_change(dev);
}
 }
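Review bot: rtnl only serialises writers inside rtnetlink; net/core/net-sysfs.c reads netif_running() and dev->operstate together under read_lock(&dev_base_lock) and link_watch.c's rfc2863_policy() writes operstate under the write lock, so removing the write_lock_bh()/write_unlock_bh() pair here lets those readers see a torn pair. Keep the lock.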
@@ -879,9 +877,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
}
 
err = 0;
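Review bot: same for the `dev->link_mode` store, which is accessed outside rtnetlink under dev_base_lock; and the commit message's `set_lock_bh()` should read `write_lock_bh(&dev_base_lock)`.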


cassini driver skb->truesize bug

2007-12-04 Thread Laszlo Attila Toth

Hello,

we got the following message:
SKB BUG: Invalid truesize (376) len=514, sizeof(sk_buff)=248

It only occurs on larger traffic (at speed 100 Mbps: always), but not
when downloading a small web page.


In cas_rx_process_pkt() the skb's truesize is only set via skb_put()
but it is not used if there are fragments; also skb->len is increased by
the fragment's size, but the truesize member is unchanged. I compared it
to the implementation in e1000 where all of the len, datalen and
truesize members are increased.


If I modify the code to add the fragment's size to the truesize member, 
the driver allocates all available memory after a while.


Regards,
Attila


Re: cassini driver hw checksum errors with vlans

2007-12-04 Thread Laszlo Attila Toth

Laszlo Attila Toth wrote:
When we use the cassini driver without VLANs, it works as expected, but when
about 100 VLANs are configured on this interface, the hardware checksum
fails.


I tried to "disable" the checksum on the hardware side; in fact, I
used CHECKSUM_NONE instead of CHECKSUM_HW, but in this case the driver
allocated all available memory after receiving a few hundred MiB of data.



Attila


Re: [PATCHv7 1/5] Remove unnecessary locks from rtnetlink (in do_setlink)

2007-12-03 Thread Laszlo Attila Toth

Jarek Poplawski wrote:

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:


The do_setlink function is protected by rtnl, additional locks are unnecessary,
and the set_operstate() function is called from protected parts. Locks removed
from both functions.


It doesn't look to be in accordance with the comment on dev_base_lock in dev.c.
And it makes e.g. the rfc2863_policy() locking in link_watch.c look strange.
Isn't some additional comment on this needed?


I modified do_setlink(), but set_operstate() is also called from
rtnl_create_link() and from no other places. In rtnl_create_link() none
of the changes is protected by set_lock_bh() except inside
set_operstate(); a different locking scheme is not necessary for the
operstate.


Also, two solutions can be made: one is locking everything and one is
locking nothing (to unify the changes made by these parts). The second
one is better if it is protected.


I tried to figure out how it is protected but I couldn't. But Patrick 
said it is protected by rtnl. And he suggested this patch.



Attila


Re: [PATCHv7 2/5] rtnetlink: send a single notification on device state changes

2007-12-03 Thread Laszlo Attila Toth

Jarek Poplawski wrote:

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:


In do_setlink() a single notification is sent at the end of the function
if any modification occurred. If the address has been changed, another
notification is sent.



...


@@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}


..


if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+   if (modified)
+   netdev_state_change(dev);
+


The subject suggests there might be less notifications. The patch actually
adds a little. Any additional comment why they are necessary?


The actual state of a device contains its address(es); also, an address
change implies a state change, but these are different netlink messages,
and NETDEV_CHANGEADDR cannot be dropped because the other one is used.


Attila


Re: [PATCHv7 0/5 + 3] Interface group patches

2007-11-29 Thread Laszlo Attila Toth

Patrick McHardy wrote:

Laszlo Attila Toth wrote:

Hello,

This is the 7th version of our interface group patches.




Patches:
 [1/5] Remove unnecessary locks from rtnetlink (in do_setlink)
 [2/5] rtnetlink: send a single notification on device state changes
 [3/5] Interface group: core (netlink) part
 [4/5] Ifgroup read/write support in sysfs


I vote for these to go in, they're ready and there's no use in
reposting them again and again.


I see, sorry.

In fact, I didn't miss it. But you said that removing the locks in
the rtnl needs a separate patch. This is why I resent _all_.




 [iptables]Interface group match


This one I would queue until we have released the 1.4.0 version
of iptables. I don't want to release things that are not in
at least a -rc kernel yet.


Later I'll resend it in two patches, one for extending iptables with 
hash tables and one for the ifgroup match.





 [iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute2 2/2] Interface group as new ip link option


And for these Stephen has to decide, but both look fine to me.





--
Attila


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Laszlo Attila Toth

Patrick McHardy wrote:

Laszlo Attila Toth wrote:

Lutz Jaenicke wrote:

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
Interface group values can be checked on both input and output interfaces
with optional mask.



Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c(revision 0)
+++ extensions/libxt_ifgroup.c(revision 0)



+info->in_group = strtoul(optarg, &end, 0);


This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



Why 256? I can see no such limitation. For masks you could
simply allow to define masks in rt_ifgroup too and use
name/name or simply name/0xmask.



256 because it is the size of a static array (and I don't want to allocate
too much memory when other arrays such as the routing table names also
have this size). In the current version I posted some minutes ago
0..2^32-1 can be used.


The syntax "name/0xmask" is simply too strange for me.




There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok, I'll
write this part.



Of course. Please put the tab part somewhere common, I always
wanted to have named firewall marks shared with ip and tc
and I believe Balazs wanted that too :)


Ok. Yes, he wants :)


--
Attila


[PATCHv7 iptables] Interface group match

2007-11-29 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 extensions/Makefile  |2 
 extensions/libxt_ifgroup.c   |  201 +++
 extensions/libxt_ifgroup.man |   36 ++
 include/linux/netfilter/xt_ifgroup.h |   17 ++
 4 files changed, 255 insertions(+), 1 deletion(-)

Index: include/linux/netfilter/xt_ifgroup.h
===
--- include/linux/netfilter/xt_ifgroup.h(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h(revision 0)
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)
@@ -0,0 +1,201 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ * Laszlo Attila Toth <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"ifgroup-in", 1, NULL, '1'},
+   {"ifgroup-out", 1, NULL, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN 0x01
+#define PARAM_MATCH_OUT0x02
+
+
+#define IFGROUP_DEFAULT_MASK 0xU
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+   struct xt_ifgroup_info *info =
+(struct xt_ifgroup_info *) (*match)->data;
+   char *end;
+
+   switch (c) {
+   case '1':
+   if (*flags & PARAM_MATCH_IN)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-in twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->in_group = strtoul(optarg, &end, 0);
+   info->in_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->in_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Bad ifgroup value `%s'", 
optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_IN;
+
+   *flags |= PARAM_MATCH_IN;
+   info->flags |= XT_IFGROUP_MATCH_IN;
+   break;
+
+   case '2':
+   if (*flags & PARAM_MATCH_OUT)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-out twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->out_group = strtoul(optarg, &end, 0);
+   info->out_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->out_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_OUT;
+
+   *flags |= PARAM_MATCH_OUT;
+   info->flags |= XT_IFGROUP_MATCH_OUT;
+   break;
+
+   default: 
+   return 0;
+   }
+
+   return 1;
+}
+
+static void
+ifgroup_final_check(unsigned int flags)
+{
+   if (!flags)
+   exit_error(PARAMETER_PROBLEM,
+   "You must specify either "
+   "`--ifgroup-in' or `--ifgroup-out'");
+}
+
+static void
+ifgroup_print_value_in(struct xt_ifgroup_info *info)
+{
+   printf("0x%x", info->in_group);
+   if (info->in_mask != IFGROUP_DEFAULT_MASK)
+   printf("/0x%x", info
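Review bot: the value parsing in ifgroup_parse() (the strtoul() calls under case '1' and case '2') accepts inputs it should reject. strtoul() is called without clearing and checking errno, so an out-of-range value such as 0x100000000 on a 64-bit host is silently truncated when stored into the 32-bit in_group/in_mask fields, and a trailing "/" with no mask digits ("4/") passes the `if (*end != '\0' || end == optarg)` test with a mask of 0, a rule that can never match. Check errno == ERANGE and that the result fits in 32 bits, reject an empty mask, and consider refusing a group with bits outside its mask (`info->in_group & ~info->in_mask`), since such a rule never matches either. The two cases are also near-identical; a small helper parsing "group[/mask]" into a (group, mask) pair would halve the code and keep the two error paths in step.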

[PATCHv7 iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

2007-11-29 Thread Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_NET_NS_PID,
__IFLA_MAX
 };
 
-- 
1.5.2.5



[PATCHv7 4/5] Ifgroup read/write support in sysfs

2007-11-29 Thread Laszlo Attila Toth
The ifgroup member of each net device can be read and changed in sysfs.

Author: Lutz Jaenicke <[EMAIL PROTECTED]>
---

 net/core/net-sysfs.c |   15 +++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 61ead1d..5bd6d35 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -219,6 +219,20 @@ static ssize_t store_tx_queue_len(struct device *dev,
return netdev_store(dev, attr, buf, len, change_tx_queue_len);
 }
 
+NETDEVICE_SHOW(ifgroup, fmt_hex);
+
+static int change_ifgroup(struct net_device *net, unsigned long new_ifgroup)
+{
+   net->ifgroup = new_ifgroup;
+   return 0;
+}
+
+static ssize_t store_ifgroup(struct device *dev, struct device_attribute *attr,
+  const char *buf, size_t len)
+{
+   return netdev_store(dev, attr, buf, len, change_ifgroup);
+}
+
 static struct device_attribute net_class_attributes[] = {
__ATTR(addr_len, S_IRUGO, show_addr_len, NULL),
__ATTR(iflink, S_IRUGO, show_iflink, NULL),
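Review bot: change_ifgroup() updates net->ifgroup without the notification the netlink path sends: patch 3/5 sets `modified = 1` in do_setlink() so that netdev_state_change() runs, whereas a write through sysfs changes the group silently, so anything listening for link changes over rtnetlink (for example a running `ip monitor link`) never sees it. Call netdev_state_change(net) after the assignment. The setter also stores an unsigned long into a 32-bit field; reject values above 0xffffffff instead of truncating. Separately, the patch carries an Author: line but no Signed-off-by: from either author.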
@@ -235,6 +249,7 @@ static struct device_attribute net_class_attributes[] = {
__ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags),
__ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len,
   store_tx_queue_len),
+   __ATTR(ifgroup, S_IRUGO | S_IWUSR, show_ifgroup, store_ifgroup),
{}
 };
 


[PATCHv7 iproute2 2/2] Interface group as new ip link option

2007-11-29 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup. Any value of unsigned int32 is valid.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..ea2d46a 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(__u32 id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
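Review bot: print_linkinfo() reads the attribute as `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` and passes it to rtnl_ifgroup_n2a(), which the rt_names.h hunk declares with a __u32 parameter; read it as __u32 so that values with the top bit set, which the commit message explicitly allows ("Any value of unsigned int32 is valid"), are not converted through a negative int on the way.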
diff --git a/ip/iplink.c b/ip/iplink.c
index f28f91c..cdef533 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -146,6 +148,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -198,6 +201,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
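Review bot: the duplicate-argument check `if (group != 0) duparg("group", *argv);` keys on the value rather than on whether the option was already seen, so `group 0 group 7` (0 being the documented "unset" value) is not reported as a duplicate and the last value silently wins. Unlike qlen and mtu, whose -1 sentinel is not a valid value, every __u32 is a valid group, so track the option with a separate seen flag.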
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..ec6638c 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -439,10 +439,72 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
}
}
 
-   res = strtoul(arg, &end, 16);
+   res = strtoul(arg, &end, 0);
if (!end || end == arg || *end || res > 255)
return -1;
*id = res;
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(__u32 id, char *buf, int len)
+{
+   if (id>=256) {
+

[PATCHv7 1/5] Remove unnecessary locks from rtnetlink (in do_setlink)

2007-11-29 Thread Laszlo Attila Toth
The do_setlink function is protected by rtnl; additional locks are unnecessary,
and the set_operstate() function is called from protected parts. Locks removed
from both functions.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 net/core/rtnetlink.c |4 
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..f95c6c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -562,9 +562,7 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
}
 
if (dev->operstate != operstate) {
-   write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
-   write_unlock_bh(&dev_base_lock);
netdev_state_change(dev);
}
 }
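Review bot: removing write_lock_bh(&dev_base_lock) around the dev->operstate store is not justified by do_setlink() running under rtnl. The thread already points at rfc2863_policy() in link_watch.c, which updates operstate under the same dev_base_lock write lock, and at the dev_base_lock comment in dev.c; any path that takes the read side of dev_base_lock to look at operstate is not excluded by rtnl, so the write lock here is what keeps those readers from seeing a torn view. Keep the lock, or first show that no dev_base_lock reader of operstate exists.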
@@ -879,9 +877,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
}
 
err = 0;
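Review bot: the same concern applies to dev->link_mode: the write_lock_bh/write_unlock_bh pair removed here is what serializes this store against dev_base_lock readers, which rtnl does not exclude. If the lock does go, the now-redundant braces around the single remaining statement should go with it.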


[PATCHv7 3/5] Interface group: core (netlink) part

2007-11-29 Thread Laszlo Attila Toth
Interface groups let different interfaces be handled together.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   11 +++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 1e6af4f..b1bdcb2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
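Review bot: in-kernel code uses `u32` rather than `u_int32_t` for a new struct member; the surrounding net_device fields use kernel types, and u_int32_t is a userspace spelling. Change the new ifgroup member to `u32`.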
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6be8608..61c7367 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -614,6 +614,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -651,6 +652,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
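Review bot: `if (dev->ifgroup)` omits IFLA_IFGROUP entirely when the group is 0, so userspace cannot tell a kernel with ifgroup support and group 0 from a kernel without the feature. Since if_nlmsg_size() already reserves the 4 bytes unconditionally, emitting the attribute always costs nothing and gives userspace a way to detect support.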
 
@@ -889,6 +893,13 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
} 
}
 
+   if (tb[IFLA_IFGROUP]) {
+   if (dev->ifgroup != nla_get_u32(tb[IFLA_IFGROUP])) {
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   modified = 1;
+   }
+   }
+
err = 0;
 
 errout:


[PATCHv7 5/5] Netfilter Interface group match

2007-11-29 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 include/linux/netfilter/xt_ifgroup.h |   17 +
 net/netfilter/Kconfig|   10 +++
 net/netfilter/Makefile   |1 
 net/netfilter/xt_ifgroup.c   |  120 ++
 4 files changed, 148 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..3aa4d61
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
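Review bot: a header under include/linux that userspace (the iptables extension posted in this series) includes should use the exported `__u32`/`__u8` types rather than u_int32_t/u_int8_t, as the other xt_*.h headers do; the same change then carries over to the copy in the iptables tree.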
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21a9fcc..07ee4a7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -508,6 +508,16 @@ config NETFILTER_XT_MATCH_HELPER
 
  To compile it as a module, choose M here.  If unsure, say Y.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_XTABLES
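Review bot: the help text describes matching only by the incoming interface group, but the module also matches the outgoing interface (XT_IFGROUP_MATCH_OUT, --ifgroup-out in the iptables extension); mention both, and finish the sentence `settable using ip link set group`, which currently ends without the GROUP argument or a period.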
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ad0e36e..5107c86 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,6 +61,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..712ee54
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,120 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+const struct xt_ifgroup_info *info)
+{
+   return ((in->ifgroup & info->in_mask) == info->in_group) ^
+   ((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+const struct xt_ifgroup_info *info)
+{
+   return ((out->ifgroup & info->out_mask) == info->out_group) ^
+   ((info->flags & XT_IFGROUP_INVERT_OUT) == 
XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const struct xt_match *match,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+bool *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+   
+   if (info->flags & XT_IFGROUP_MATCH_IN && !ifgroup_match_in(in, info))
+   return false;
+   if (info->flags & XT_IFGROUP_MATCH_OUT && !ifgroup_match_out(out, info))
+   return false;
+   
+   return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchinfo;
+
+   if (!(info->flags & (XT_IFGROUP_MATCH_IN|XT_IFGROUP_MATCH_OUT))) {
+   printk(KERN_ERR "xt_ifgroup: neither incoming nor 
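Review bot: ifgroup_match_in() dereferences `in` and ifgroup_match_out() dereferences `out` without a NULL check, but `in` is NULL in the LOCAL_OUT and POST_ROUTING hooks and `out` is NULL in PRE_ROUTING and LOCAL_IN. Unless ifgroup_checkentry() (cut off above) rejects hook_mask values where the selected side is absent, a rule such as `-A OUTPUT -m ifgroup --ifgroup-in 4` dereferences NULL in the packet path; either restrict hook_mask per flag in checkentry or treat a missing device as a non-match in ifgroup_match().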

[PATCHv7 2/5] rtnetlink: send a single notification on device state changes

2007-11-29 Thread Laszlo Attila Toth
In do_setlink() a single notification is sent at the end of the function
if any modification occurred. If the address has been changed, another
notification is sent.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---

 net/core/rtnetlink.c |   27 ---
 1 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f95c6c5..6be8608 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
@@ -563,8 +563,9 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
 
if (dev->operstate != operstate) {
dev->operstate = operstate;
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
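Review bot: set_operstate() no longer calls netdev_state_change() itself but only reports the change in its return value, and this patch updates only the do_setlink() caller. The thread notes that rtnl_create_link() is the only other caller; it now loses the notification it used to get unless its own registration path already announces the link. Either confirm that in the commit message or handle the return value there too. Minor style: the `else` after `return 1;` is redundant.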
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
@@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
@@ -870,14 +872,21 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
if (tb[IFLA_LINKMODE]) {
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   modified = 1;
+   } 
}
 
err = 0;
@@ -891,6 +900,10 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+   if (modified)
+   netdev_state_change(dev);
+
return err;
 }
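Review bot: the commit message only mentions the address case, but after this hunk a NETDEV_CHANGE notification is also sent for IFLA_TXQLEN, IFLA_LINKMODE and IFLA_BROADCAST changes, which previously produced none, and it is still sent on the error path when some changes were already committed. Document that behaviour change in the commit message so the reviewer's question above ("the patch actually adds a little") is answered in the record.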
 


[PATCHv7 0/5 + 3] Interface group patches

2007-11-29 Thread Laszlo Attila Toth
Hello,

This is the 7th version of our interface group patches.

The interface group value can be used to manage different interfaces
at the same time such as in netfilter/iptables. 

As earlier discussed, it can be used for advanced routing, tc command
and so on [1].

A u_int32_t member was added to net devices indicating the interface
group number of the device, which can be get/set via netlink.

The xt_ifgroup netfilter match is for checking this value with an
optional mask.

Changes:
  -  The first patch of the previous version was split into 2 separate
  patches.

  - The ip command now lets values larger than 0xff be set; octal, decimal
  and hexadecimal values are valid, and in the range 0x00-0xff any
  name can be used (from /etc/iproute2/rt_ifgroup).

  - added sysfs support to read/write the ifgroup value


Other patches are for userspace programs:
 * iptables

 * iproute2. Because kernel 2.6.24-rc1 introduced a new enum value,
   IFLA_NET_NS_PID, and it wasn't in the iproute2 code, the first
   patch simply adds this value. The second patch adds support for
   interface groups.

Usage:
 ip link set eth0 group 684    # set
 ip link set eth0 group 0      # unset
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4 ! --ifgroup-out 5 -j DROP

Patches:
 [1/5] Remove unnecessary locks from rtnetlink (in do_setlink)
 [2/5] rtnetlink: send a single notification on device state changes
 [3/5] Interface group: core (netlink) part
 [4/5] Ifgroup read/write support in sysfs
 [5/5] Netfilter Interface group match
 [iptables]Interface group match
 [iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute2 2/2] Interface group as new ip link option



References:
 [1] http://marc.info/?l=linux-netdev&m=119556459514598&w=2
--
Laszlo Attila Toth
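The cover letter above describes the ifgroup value, the optional mask and the "!" inversion used by the iptables match. The following is an added example, not code from the patch series: a user-space model of the match semantics visible in xt_ifgroup.c and of the "group[/mask]" parsing in libxt_ifgroup.c, with the input checks a careful parser needs. The name table standing in for /etc/iproute2/rt_ifgroup and the interface groups are constructed for the example; parse_u32(), parse_ifgroup_rule() and ifgroup_check() are names chosen here, not the patches' own.

```c
/* Added example, not code from the patch series: a user-space model of the
 * ifgroup match. It parses "[!]group[/mask]", resolves symbolic names from a
 * constructed table standing in for /etc/iproute2/rt_ifgroup, and evaluates
 * (ifgroup & mask) == group with optional inversion, as xt_ifgroup.c does. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFGROUP_DEFAULT_MASK 0xffffffffU

/* Constructed stand-in for /etc/iproute2/rt_ifgroup ("number name" lines). */
static const struct { uint32_t id; const char *name; } ifgroup_names[] = {
	{ 0, "default" }, { 4, "wan" }, { 5, "lan" }, { 0x1f, "ppp" },
};

struct ifgroup_rule {
	uint32_t group;
	uint32_t mask;
	bool invert;
};

/* Parse one 32-bit value: a symbolic name, or a number in octal, decimal or
 * hex (base 0, as the patches call strtoul). Returns 0 on success and -1 for
 * an empty string, trailing garbage, a negative number, or a value wider
 * than 32 bits, which strtoul alone would silently truncate. */
static int parse_u32(const char *s, size_t len, uint32_t *out)
{
	char buf[32];
	char *end;
	unsigned long v;
	size_t i;

	if (len == 0 || len >= sizeof(buf) || s[0] == '-')
		return -1;
	memcpy(buf, s, len);
	buf[len] = '\0';

	for (i = 0; i < sizeof(ifgroup_names) / sizeof(ifgroup_names[0]); i++) {
		if (strcmp(buf, ifgroup_names[i].name) == 0) {
			*out = ifgroup_names[i].id;
			return 0;
		}
	}

	errno = 0;
	v = strtoul(buf, &end, 0);
	if (errno == ERANGE || end == buf || *end != '\0' || v > 0xffffffffUL)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Parse "[!]group[/mask]"; a leading "!" inverts the match as in
 * "! --ifgroup-out 5". A missing mask means every bit is compared. */
static int parse_ifgroup_rule(const char *arg, struct ifgroup_rule *rule)
{
	const char *slash;
	size_t glen;

	rule->invert = false;
	rule->mask = IFGROUP_DEFAULT_MASK;
	if (*arg == '!') {
		rule->invert = true;
		arg++;
		while (*arg == ' ')
			arg++;
	}
	slash = strchr(arg, '/');
	glen = slash ? (size_t)(slash - arg) : strlen(arg);
	if (parse_u32(arg, glen, &rule->group) < 0)
		return -1;
	/* "4/" (an empty mask) is rejected here instead of becoming mask 0. */
	if (slash && parse_u32(slash + 1, strlen(slash + 1), &rule->mask) < 0)
		return -1;
	/* Group bits outside the mask can never match: refuse the rule. */
	if (rule->group & ~rule->mask)
		return -1;
	return 0;
}

/* The test ifgroup_match_in()/ifgroup_match_out() perform in xt_ifgroup.c. */
static bool ifgroup_matches(const struct ifgroup_rule *rule, uint32_t ifgroup)
{
	return ((ifgroup & rule->mask) == rule->group) ^ rule->invert;
}

/* Parse and evaluate in one step: -1 for a rejected rule, otherwise 1 or 0. */
static int ifgroup_check(const char *arg, uint32_t ifgroup)
{
	struct ifgroup_rule rule;

	if (parse_ifgroup_rule(arg, &rule) < 0)
		return -1;
	return ifgroup_matches(&rule, ifgroup) ? 1 : 0;
}

int main(void)
{
	/* Constructed interfaces with the group "ip link set DEV group N" sets. */
	const struct { const char *name; uint32_t group; } ifs[] = {
		{ "eth0", 684 }, { "eth1", 0x24 }, { "ppp0", 0x1f }, { "lo", 0 },
	};
	const char *rules[] = { "4/0xf", "wan", "!5", "ppp", "4/", "0x100000000" };
	size_t i, j;

	for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
		for (j = 0; j < sizeof(ifs) / sizeof(ifs[0]); j++)
			printf("%-12s %-5s -> %d\n", rules[i], ifs[j].name,
			       ifgroup_check(rules[i], ifs[j].group));
	return 0;
}
```

The rule "4/0xf" matches eth1 (0x24 & 0xf == 4) but not eth0 (684 & 0xf == 0xc), "!5" matches everything except group 5, and the two malformed rules return -1 rather than a rule that can never match.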


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Laszlo Attila Toth

Lutz Jaenicke wrote:

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:

Interface group values can be checked on both input and output interfaces
with optional mask.



Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)



+   info->in_group = strtoul(optarg, &end, 0);


This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
write this part.




I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.


Thanks. I will send soon for net-2.6.25 and iptables svn version.



cassini driver hw checksum errors with vlans

2007-11-23 Thread Laszlo Attila Toth

Hello,

When we use the cassini driver without VLANs, it works as expected, but when
about 100 VLANs are configured on this interface, the hardware checksum
fails.


What is the reason for this, or how can we debug it?

--
Attila


Re: [PATCHv6 0/3] Interface group patches

2007-11-22 Thread Laszlo Attila Toth

David Miller wrote:

From: Patrick McHardy <[EMAIL PROTECTED]>
Date: Wed, 21 Nov 2007 01:25:54 +0100


I'm working on the incremental ruleset changing API BTW :)
One of the changes will be that interface matching is not
a default part of every rule, and without wildcards it will
use the ifindex. But since the cost of this feature seems
pretty low, I don't see a compelling reason against it.


Fair enough :)



If this means the patch is ok, please apply it. Thanks.

--
Attila


Re: [PATCHv6 0/3] Interface group patches

2007-11-20 Thread Laszlo Attila Toth

Jan Engelhardt wrote:

On Nov 20 2007 14:14, Laszlo Attila Toth wrote:

This is the 6th version of our interface group patches.

The interface group value can be used to manage different interfaces
at the same time such as in netfilter/iptables.


I take it you could not use...?
iptables -i iif1 -j dosomething
iptables -i iif2 -j dosomething


This kind of usage requires static interface names. But there are
dynamic interfaces such as ppp, where the actual name is not always
known, or sometimes they exist and sometimes not. It is difficult to use
iptables this way, and every ifup/ifdown requires a change in the iptables
ruleset (download it, modify it and upload it to the kernel). It may be too slow.





The netfilter patch
is ready but future plan is the same for ip/tc commands (except
the ifgroup value change which happens via "ip link set" command).


How can it be useful in conjunction with tc?


jamal wrote it previously:
http://marc.info/?l=linux-netdev&m=119253403415810&w=2

--
Attila


[PATCHv6 iproute 2/2] Interface group as new ip link option

2007-11-20 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
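Review bot: rtnl_ifgroup_n2a() is declared with an `int id` while its counterpart rtnl_ifgroup_a2n() fills a `__u32 *id`, and the other n2a/a2n pairs in this header keep the two sides consistent; declare both as __u32 so that groups above 0x7fffffff are not printed as negative numbers.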
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
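Review bot: `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` reads four bytes without first checking `RTA_PAYLOAD(tb[IFLA_IFGROUP]) >= sizeof(__u32)`; the neighbouring mtu print follows the same pattern, but for a newly added attribute it is cheap to add the length check and use `__u32` for the cast, so a short or malformed attribute is skipped rather than decoded as garbage.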
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..71bd240 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
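Review bot: `if (group != 0) duparg("group", *argv);` uses 0 as the "not yet given" sentinel, but the cover letter also documents `ip link set eth0 group 0` as the way to clear a group, so `group 0 group 4` is not reported as a duplicate and the second value silently wins. Track "already seen" in a separate flag instead of in the value, the way the `mtu != -1` check below uses a sentinel that is outside the valid range.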
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rt
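Review bot: `rtnl_rtifgroup_tab[256]` gives symbolic names to 256 slots while the group id is a `__u32`; the `rtnl_ifgroup_n2a()` and `rtnl_ifgroup_a2n()` bodies (cut off in this copy of the mail) must bounds-check the id against the table size before indexing and fall back to the plain number, otherwise `ip link` output for a group above 255 reads past the table.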

[PATCHv6 iptables] Interface group match

2007-11-20 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 extensions/Makefile  |2 
 extensions/libxt_ifgroup.c   |  201 +++
 extensions/libxt_ifgroup.man |   36 ++
 include/linux/netfilter/xt_ifgroup.h |   17 ++
 4 files changed, 255 insertions(+), 1 deletion(-)

Index: include/linux/netfilter/xt_ifgroup.h
===
--- include/linux/netfilter/xt_ifgroup.h(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h(revision 0)
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)
@@ -0,0 +1,201 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ * Laszlo Attila Toth <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"ifgroup-in", 1, NULL, '1'},
+   {"ifgroup-out", 1, NULL, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN 0x01
+#define PARAM_MATCH_OUT0x02
+
+
+#define IFGROUP_DEFAULT_MASK 0xU
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+   struct xt_ifgroup_info *info =
+(struct xt_ifgroup_info *) (*match)->data;
+   char *end;
+
+   switch (c) {
+   case '1':
+   if (*flags & PARAM_MATCH_IN)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-in twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->in_group = strtoul(optarg, &end, 0);
+   info->in_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->in_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Bad ifgroup value `%s'", 
optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_IN;
+
+   *flags |= PARAM_MATCH_IN;
+   info->flags |= XT_IFGROUP_MATCH_IN;
+   break;
+
+   case '2':
+   if (*flags & PARAM_MATCH_OUT)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-out twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->out_group = strtoul(optarg, &end, 0);
+   info->out_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->out_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_OUT;
+
+   *flags |= PARAM_MATCH_OUT;
+   info->flags |= XT_IFGROUP_MATCH_OUT;
+   break;
+
+   default: 
+   return 0;
+   }
+
+   return 1;
+}
+
+static void
+ifgroup_final_check(unsigned int flags)
+{
+   if (!flags)
+   exit_error(PARAMETER_PROBLEM,
+   "You must specify either "
+   "`--ifgroup-in' or `--ifgroup-out'");
+}
+
+static void
+ifgroup_print_value_in(struct xt_ifgroup_info *info)
+{
+   printf("0x%x", info->in_group);
+   if (info->in_mask != IFGROUP_DEFAULT_MASK)
+   printf("/0x%x", info
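Review bot: several problems in the option parser. First, `#define IFGROUP_DEFAULT_MASK 0xU` is not a valid integer constant as shown; if all-ones is intended, `0xffffffffU` (or `UINT32_MAX`) is unambiguous. Second, after `check_inverse(optarg, &invert, &optind, 0)` the code still parses `optarg`; when the `!` is given in the option-argument position (`--ifgroup-in ! 4`, the form the help text advertises) `optarg` is the `!` itself and the real value is `argv[optind-1]`, so the inverted form can never parse. Third, the input `4/` passes the `*end != '\0' || end == optarg` check with `in_mask` left at 0, because `end == optarg` only guards the group part; also reject an empty mask, and reject a group with bits outside its mask (`in_group & ~in_mask`), since either installs a rule that silently never matches. Fourth, `strtoul()` returns `unsigned long`, which truncates into the `u_int32_t` fields on 64-bit hosts without any error; check `errno` and the 32-bit range. Finally, the file comment says the match is by the incoming interface group only, while the code also handles `--ifgroup-out`.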

[PATCHv6 3/3] Netfilter Interface group match

2007-11-20 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   17 +
 net/netfilter/Kconfig|   10 +++
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |  120 ++
 4 files changed, 148 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..3aa4d61
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
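Review bot: `u_int8_t flags` after four `u_int32_t` members leaves three bytes of tail padding in a structure that is copied verbatim between iptables and the kernel; those bytes can take part in the byte-wise rule comparison user space does for `iptables -D`, so either make `flags` a 32-bit field or make sure user space zeroes the whole match area. In a header exported to user space the kernel types are `__u32`/`__u8` from `linux/types.h` rather than the libc `u_int32_t` names.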
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21a9fcc..07ee4a7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -508,6 +508,16 @@ config NETFILTER_XT_MATCH_HELPER
 
  To compile it as a module, choose M here.  If unsure, say Y.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_XTABLES
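Review bot: the help text describes matching "by its incoming interface group" but the module also matches on the outgoing interface (`--ifgroup-out`, `XT_IFGROUP_MATCH_OUT`); say so, and finish the sentence: "settable using ip link set group" has no trailing period and does not show the option syntax (`ip link set DEV group GROUP`).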
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ad0e36e..5107c86 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,6 +61,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..712ee54
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,120 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+const struct xt_ifgroup_info *info)
+{
+   return ((in->ifgroup & info->in_mask) == info->in_group) ^
+   ((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+const struct xt_ifgroup_info *info)
+{
+   return ((out->ifgroup & info->out_mask) == info->out_group) ^
+   ((info->flags & XT_IFGROUP_INVERT_OUT) == 
XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const struct xt_match *match,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+bool *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+   
+   if (info->flags & XT_IFGROUP_MATCH_IN && !ifgroup_match_in(in, info))
+   return false;
+   if (info->flags & XT_IFGROUP_MATCH_OUT && !ifgroup_match_out(out, info))
+   return false;
+   
+   return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchinfo;
+
+   if (!(info->flags & (XT_IFGROUP_MATCH_IN|XT_IFGROUP_MATCH_OUT))) {
+   printk(KERN_ERR "xt_ifgroup: neither incoming nor 
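Review bot: `ifgroup_match_in()` dereferences `in->ifgroup` and `ifgroup_match_out()` dereferences `out->ifgroup` without a NULL check, yet `in` is NULL in the OUTPUT and POSTROUTING hooks and `out` is NULL in PREROUTING and INPUT, so a rule with `--ifgroup-in` in an OUTPUT chain dereferences NULL on the first packet. Either restrict the permitted hooks per direction in `ifgroup_checkentry()` via `hook_mask` (as the physdev match does) or treat a missing device as a non-match. Minor: the two whitespace-only lines inside `ifgroup_match()` are trailing whitespace checkpatch will flag, and `info->flags & XT_IFGROUP_MATCH_IN && ...` reads better with the `&` term parenthesised.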

[PATCHv6 0/3] Interface group patches

2007-11-20 Thread Laszlo Attila Toth
Hi Dave,

This is the 6th version of our interface group patches.

The interface group value can be used to manage different interfaces
at the same time such as in netfilter/iptables. The netfilter patch
is ready but the future plan is the same for ip/tc commands (except
the ifgroup value change which happens via the "ip link set" command).

The first patch is a fix in the rtnl socket interface.

A u_int32_t member was added to net devices indicating the interface
group number of the device which can be read and set via netlink.

The xt_ifgroup netfilter match is for checking this value with an
optional mask.

Other patches are for userspace programs:
 * iptables
 
 * iproute2. Because kernel 2.6.24-rc1 introduced a new enum value,
   IFLA_NET_NS_PID, and it wasn't in the iproute2 code, the first
   patch simply adds this value. The second patch adds support of
   interface group.

Usage:
 ip link set eth0 group 4    # set
 ip link set eth0 group 0    # unset
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4  ! --ifgroup-out 5 -j DROP

Patches:
 [1/3] rtnetlink: setlink changes are unprotected; with single notification
 [2/3] Interface group: core (netlink) part
 [3/3] Netfilter Interface group match
 [iptables] Interface group match
 [iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute 2/2] Interface group as new ip link optio
--
Laszlo Attila Toth
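The semantics the cover letter's usage lines show (a 32-bit group, an optional mask, `!` inversion per direction) modelled in user space, as an added example that is not code from the posted patches; the names `ifg_spec`, `ifgroup_parse_spec` and `ifgroup_rule_matches` are the example's own. It also carries the `group[/mask]` parse from the iptables extension posted in this series, with the edge cases a rule author would want rejected at insert time (an empty mask, a value wider than 32 bits, a group with bits outside its mask), and it treats a missing device in one direction as a non-match rather than dereferencing it:

```c
/* Added example (not the series' own code): user-space model of the
 * ifgroup match. The packet metadata in main() is constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define IFG_DEFAULT_MASK 0xffffffffU

struct ifg_spec {
	uint32_t group;
	uint32_t mask;
	bool invert;	/* "!" was given for this direction */
	bool set;	/* this direction is part of the rule */
};

/* One 32-bit number via strtoul base 0 (decimal, 0x hex, leading-0 octal).
 * Fails if nothing was parsed, on overflow, or if it exceeds 32 bits. */
static int parse_u32(const char *s, char **endp, uint32_t *out)
{
	unsigned long v;

	errno = 0;
	v = strtoul(s, endp, 0);
	if (*endp == s || errno != 0 || v > UINT32_MAX)
		return -EINVAL;
	*out = (uint32_t)v;
	return 0;
}

/* Parse "group[/mask]" into *spec; returns 0 or -EINVAL. */
int ifgroup_parse_spec(const char *arg, bool invert, struct ifg_spec *spec)
{
	char *end;

	if (arg == NULL || parse_u32(arg, &end, &spec->group))
		return -EINVAL;
	spec->mask = IFG_DEFAULT_MASK;
	/* "4/" must not silently become mask 0: the mask text is required */
	if (*end == '/' && parse_u32(end + 1, &end, &spec->mask))
		return -EINVAL;
	if (*end != '\0')		/* trailing garbage such as "4x" */
		return -EINVAL;
	if (spec->group & ~spec->mask)	/* e.g. 4/0x1: can never be equal */
		return -EINVAL;
	spec->invert = invert;
	spec->set = true;
	return 0;
}

/* The kernel-side predicate: masked equality, XOR with the invert flag. */
static bool ifg_test(const struct ifg_spec *spec, uint32_t ifgroup)
{
	return ((ifgroup & spec->mask) == spec->group) ^ spec->invert;
}

/* A NULL group pointer models a hook with no device in that direction
 * (no input device in OUTPUT, no output device in INPUT); a direction
 * the rule tests but the packet lacks is a non-match. */
bool ifgroup_rule_matches(const struct ifg_spec *in, const struct ifg_spec *out,
			  const uint32_t *in_ifgroup, const uint32_t *out_ifgroup)
{
	if (in->set && (in_ifgroup == NULL || !ifg_test(in, *in_ifgroup)))
		return false;
	if (out->set && (out_ifgroup == NULL || !ifg_test(out, *out_ifgroup)))
		return false;
	return true;
}

int main(void)
{
	/* Models "iptables -A FORWARD -m ifgroup --ifgroup-in 4/0xf
	 * ! --ifgroup-out 5 -j DROP" from the cover letter. */
	struct ifg_spec in, out;
	uint32_t pkt_in = 20, pkt_out = 7;	/* constructed packet metadata */

	if (ifgroup_parse_spec("4/0xf", false, &in) ||
	    ifgroup_parse_spec("5", true, &out))
		return 1;
	printf("in=20 out=7: %s\n",
	       ifgroup_rule_matches(&in, &out, &pkt_in, &pkt_out) ? "match" : "no match");
	pkt_out = 5;
	printf("in=20 out=5: %s\n",
	       ifgroup_rule_matches(&in, &out, &pkt_in, &pkt_out) ? "match" : "no match");
	printf("\"4/\" accepted: %s\n",
	       ifgroup_parse_spec("4/", false, &in) == 0 ? "yes" : "no");
	return 0;
}
```

With the constructed metadata in main(), the FORWARD rule from the cover letter matches a packet arriving on group 20 (20 & 0xf == 4) and leaving on group 7, and does not match once the output group is 5; the same rule in an OUTPUT chain, where there is no input device, is a non-match instead of a crash.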


[PATCHv6 iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

2007-11-20 Thread Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_NET_NS_PID,
__IFLA_MAX
 };
 
-- 
1.5.2.5



[PATCHv6 2/3] Interface group: core (netlink) part

2007-11-20 Thread Laszlo Attila Toth
Interface groups allow different interfaces to be handled together.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   11 +++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 1e6af4f..b1bdcb2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
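Review bot: in-kernel code uses the kernel's own `u32` for a 32-bit field; the libc-style `u_int32_t` names are only kept for user-space compatibility. The comment could also state that 0 means "no group", which is what `rtnl_fill_ifinfo()` relies on when it skips the attribute for a zero value.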
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 20cb67e..a710813 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -614,6 +614,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -651,6 +652,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
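Review bot: emitting `IFLA_IFGROUP` only when `dev->ifgroup` is non-zero means `ip link` cannot tell "group 0" from "kernel without ifgroup support". `if_nlmsg_size()` already reserves the four bytes unconditionally, so always emitting the attribute costs nothing and gives user space a capability signal.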
@@ -890,6 +894,13 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
}
}
 
+   if (tb[IFLA_IFGROUP]) {
+   if (dev->ifgroup != nla_get_u32(tb[IFLA_IFGROUP])) {
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   modified = 1;
+   }
+   }
+
err = 0;
 
 errout:
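Review bot: `nla_get_u32(tb[IFLA_IFGROUP])` is used without a matching `[IFLA_IFGROUP] = { .type = NLA_U32 }` entry in `ifla_policy`; the diffstat's 11 added lines for rtnetlink.c are fully accounted for by the three hunks shown, so the policy table is untouched. Without the entry `nlmsg_parse()` does not validate the attribute length, and a too-short attribute lets `nla_get_u32()` read past its payload. The sender already needs CAP_NET_ADMIN, so this is a robustness rather than a privilege issue, but it is the one-line check every other u32 link attribute relies on.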
-- 
1.5.2.5



[PATCHv6 1/3] rtnetlink: setlink changes are unprotected; with single notification

2007-11-20 Thread Laszlo Attila Toth
In do_setlink the device changes don't need to be protected. Notification
is sent at the end of the function once if any modification occurred
and once if an address has been changed.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   32 
 1 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..20cb67e 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
@@ -562,11 +562,10 @@ static void set_operstate(struct net_device *dev, 
unsigned char transition)
}
 
if (dev->operstate != operstate) {
-   write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
-   write_unlock_bh(&dev_base_lock);
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
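Review bot: dropping `write_lock_bh(&dev_base_lock)` around the `dev->operstate` store is not safe. net/core/net-sysfs.c reads `netif_running()` and `dev->operstate` together under `read_lock(&dev_base_lock)`, without rtnl, to get a consistent pair, and net/core/link_watch.c:rfc2863_policy() updates `operstate` under the same write lock; rtnl only serialises against other rtnetlink writers, not against those paths. Keep the lock around the store; returning a "changed" flag so that the notification moves to the caller is fine on its own. Style: `} else return 0;` after a braced `if` that returns can simply be `return 0;`.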
@@ -860,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
@@ -872,16 +872,22 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
-   if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   if (tb[IFLA_OPERSTATE]) {
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   }
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   modified = 1;
+   }
}
 
err = 0;
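Review bot: the same `dev_base_lock` discipline applies to `dev->link_mode`, which rfc2863_policy() reads under that lock when deciding the new operstate; unless every reader of `link_mode` is shown to hold rtnl, keep the store inside `write_lock_bh(&dev_base_lock)`. The "only store when changed, then `modified = 1`" shape of the txqueuelen and linkmode blocks is good; the braces around the single `modified |= set_operstate(...)` statement are not needed.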
@@ -895,6 +901,8 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+   if (modified)
+   netdev_state_change(dev);
return err;
 }
 
-- 
1.5.2.5



[IFGROUPv5 3/3] Netfilter Interface group match

2007-10-26 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   18 +
 net/netfilter/Kconfig|   16 +
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |  120 ++
 4 files changed, 155 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..9ac75de
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
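Review bot: the added empty line after `#endif /*_XT_IFGROUP_H*/` is a trailing blank line at end of file, which checkpatch flags; drop it.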
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index d7a600a..0e0cd4f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+   iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_REALM
tristate  '"realm" match support'
depends on NETFILTER_XTABLES
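Review bot: the example rule in the help text, `iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG`, does not match the extension posted with this series: the option is `--ifgroup-in`, and its value is parsed with `strtoul()`, so a symbolic name like `openvpn-rw1` is rejected (names are resolved only on the `ip link` side, via /etc/iproute2/rt_ifgroup). Use a numeric example or drop it.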
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 93c58f9..29718c1 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -78,3 +78,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..e0e1fbf
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,120 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+const struct xt_ifgroup_info *info)
+{
+   return ((in->ifgroup & info->in_mask) == info->in_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+const struct xt_ifgroup_info *info)
+{
+   return ((out->ifgroup & info->out_mask) == info->out_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_OUT) == 
XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const struct xt_match *match,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+bool *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+   
+   if (info->flags & XT_IFGROUP_MATCH_IN && !ifgroup_match_in(in, info))
+   return false;
+   if (info->flags & XT_IFGROUP_MATCH_OUT && !ifgroup_match_out(out, info))
+   return false;
+   
+   return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchi
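Review bot: `ifgroup_match_in()` and `ifgroup_match_out()` dereference `in` and `out` without a NULL check, yet one of the two is NULL in every hook except FORWARD (no `in` in OUTPUT/POSTROUTING, no `out` in PREROUTING/INPUT); restrict the hooks per direction in `ifgroup_checkentry()` via `hook_mask` or treat a missing device as a non-match. Style: the two `^ ` lines and the blank lines inside `ifgroup_match()` carry trailing whitespace.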

[IFGROUPv5 2/3] Interface group: core (netlink) part

2007-10-26 Thread Laszlo Attila Toth
Interface groups allow different interfaces to be handled together,
especially in netfilter modules.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   11 +++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 811024e..e685ae0 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0e278ac..4a9f738 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -609,6 +609,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -646,6 +647,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
@@ -885,6 +889,13 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
}
}
 
+   if (tb[IFLA_IFGROUP]) {
+   if (dev->ifgroup != nla_get_u32(tb[IFLA_IFGROUP])) {
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   modified = 1;
+   }
+   }
+
err = 0;
 
 errout:
-- 
1.5.2.5



[IFGROUPv5 iptables] Interface group match

2007-10-26 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 Makefile |2 
 libip6t_ifgroup.man  |   36 +++
 libipt_ifgroup.man   |   36 +++
 libxt_ifgroup.c  |  202 +++
 linux/netfilter/xt_ifgroup.h |   18 +++
 5 files changed, 293 insertions(+), 1 deletion(-)

Index: include/linux/netfilter/xt_ifgroup.h
===
--- include/linux/netfilter/xt_ifgroup.h(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h(revision 0)
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)
@@ -0,0 +1,202 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ * Laszlo Attila Toth <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"ifgroup-in", 1, NULL, '1'},
+   {"ifgroup-out", 1, NULL, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN 0x01
+#define PARAM_MATCH_OUT0x02
+
+
+#define IFGROUP_DEFAULT_MASK 0xU
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+   struct xt_ifgroup_info *info =
+(struct xt_ifgroup_info *) (*match)->data;
+   char *end;
+
+   switch (c) {
+   case '1':
+   if (*flags & PARAM_MATCH_IN)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-in twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->in_group = strtoul(optarg, &end, 0);
+   info->in_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->in_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Bad ifgroup value `%s'", 
optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_IN;
+
+   *flags |= PARAM_MATCH_IN;
+   info->flags |= XT_IFGROUP_MATCH_IN;
+   break;
+
+   case '2':
+   if (*flags & PARAM_MATCH_OUT)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify --ifgroup-out twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+
+   info->out_group = strtoul(optarg, &end, 0);
+   info->out_mask = IFGROUP_DEFAULT_MASK;
+
+   if (*end == '/')
+   info->out_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_OUT;
+
+   *flags |= PARAM_MATCH_OUT;
+   info->flags |= XT_IFGROUP_MATCH_OUT;
+   break;
+
+   default: 
+   return 0;
+   }
+
+   return 1;
+}
+
+static void
+ifgroup_final_check(unsigned int flags)
+{
+   if (!flags)
+   exit_error(PARAMETER_PROBLEM,
+   "You must specify either "
+   "`--ifgroup-in' or `--ifgroup-out'");
+}
+
+static void
+ifgroup_print_value_in(struct xt_ifgroup_info *info)
+{
+   printf("0x%x", info->in_group);
+   if (info->in_mask != IFGROUP_DEFAULT_MASK)
+   pr

[IFGROUPv5 iproute 2/2] Interface group as new ip link option

2007-10-26 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..71bd240 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
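Review bot: the duplicate-option check `if (group != 0) duparg("group", *argv);` cannot detect `group 0 group 4`, because 0 is the documented "unset" value and leaves `group` at its initial value; track "option seen" separately (the way the surrounding options use a sentinel such as `qlen = -1` / `mtu = -1`, which is not available for a `__u32` whose whole range is valid).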
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rt
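Review bot: `rtnl_rtifgroup_tab[256]` has 256 slots while a group id is a full `__u32`; the `rtnl_ifgroup_n2a`/`rtnl_ifgroup_a2n` bodies are cut off here, so whatever follows must check `id < 256` before indexing the table and fall back to printing/parsing the plain number, or a large numeric group from the kernel indexes past the array.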

[IFGROUPv5 1/3] rtnetlink: setlink changes are unprotected; with single notification

2007-10-26 Thread Laszlo Attila Toth
In do_setlink the device changes don't need to be protected. Notification
is sent at the end of the function once if any modification occurred
and once if an address has been changed.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   32 
 1 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a2640d..0e278ac 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -537,7 +537,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
@@ -557,11 +557,10 @@ static void set_operstate(struct net_device *dev, 
unsigned char transition)
}
 
if (dev->operstate != operstate) {
-   write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
-   write_unlock_bh(&dev_base_lock);
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
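Review bot: dropping the `write_lock_bh(&dev_base_lock)` / `write_unlock_bh` pair around `dev->operstate = operstate;` assumes every reader of `operstate` runs under rtnl; rtnl only serializes the writers, so any reader that samples `dev->operstate` under `dev_base_lock` loses its consistent snapshot, and that should be verified (and stated in the commit message) before the lock goes. Separately, the trailing `} else return 0;` can simply be `return 0;` after the block, since the `if` branch already returns.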
@@ -855,6 +854,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
@@ -867,16 +867,22 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   modified = 1;
+   }
+   }
 
-   if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   if (tb[IFLA_OPERSTATE]) {
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   }
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   modified = 1;
+   }
}
 
err = 0;
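Review bot: `nla_get_u32(tb[IFLA_TXQLEN])` and `nla_get_u8(tb[IFLA_LINKMODE])` are each evaluated twice (once for the compare, once for the store); read them into a local first, e.g. `u32 qlen = nla_get_u32(tb[IFLA_TXQLEN]); if (dev->tx_queue_len != qlen) { ... }`. Also note that the `dev_change_flags(dev, flags);` path at the top of this hunk leaves `modified` untouched; that is only correct because `dev_change_flags()` issues its own notification, which the commit message should say explicitly so the asymmetry is not "fixed" later.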
@@ -890,6 +896,8 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+   if (modified)
+   netdev_state_change(dev);
return err;
 }
 
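Review bot: `if (modified) netdev_state_change(dev);` sits after the `errout:` label, so a setlink that fails part-way still notifies for the attributes that were applied before the failure; that is the right behaviour but deserves a sentence in the commit message. Also worth stating that `netdev_state_change()` runs the `NETDEV_CHANGE` notifier chain in addition to sending `RTM_NEWLINK`, whereas the v3 version of this patch used `rtmsg_ifinfo()` which only does the latter.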
-- 
1.5.2.5

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[IFGROUPv5 0/3 (+3)] Interface group patches

2007-10-26 Thread Laszlo Attila Toth
Hi Dave,

This is the 5th version of our interface group patches.

The first patch is a fix in the rtnl socket interface.

A u_int32_t member was added to net devices indicating the interface
group number of the device, which can be read or set via netlink.

The xt_ifgroup netfilter match is for checking this value with an
optional mask.

Other patches are for userspace programs:
 * iptables
 
 * iproute2. Because kernel 2.6.24-rc1 introduced a new enum value,
   IFLA_NET_NS_PID, and it wasn't in the iproute2 code, the first
   patch simply adds this value. The second patch adds support for
   interface groups.

Usage:
 ip link set eth0 group 4    # set
 ip link set eth0 group 0    # unset
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4  ! --ifgroup-out 5 -j DROP

Patches:
 [1/3] rtnetlink: setlink changes atomic with single notification
 [2/3] Interface group: core (netlink) part
 [3/3] Netfilter Interface group match
 [iptables] Interface group match
 [iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute 2/2] Interface group as new ip link option

--
Laszlo Attila Toth
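Added example, not code from the IFGROUP patch series: a user-space model of the xt_ifgroup match posted in this thread, so the two iptables rules in the usage above can be evaluated against constructed interface group values. The flag values and the `(ifgroup & mask) == group` test follow the posted xt_ifgroup.h/xt_ifgroup.c; the function names and the stricter `group[/mask]` parser (rejecting values wider than 32 bits and an empty mask) are this example's own.

```c
/* Added example, not part of the IFGROUP patch series: a user-space model of
 * the xt_ifgroup match. Flag values and the (ifgroup & mask) == group test
 * follow the posted xt_ifgroup.h / xt_ifgroup.c; the function names and the
 * stricter spec parser are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XT_IFGROUP_INVERT_IN   0x01
#define XT_IFGROUP_INVERT_OUT  0x02
#define XT_IFGROUP_MATCH_IN    0x04
#define XT_IFGROUP_MATCH_OUT   0x08

/* Same layout as the posted struct xt_ifgroup_info. */
struct ifgroup_rule {
	uint32_t in_group, in_mask;
	uint32_t out_group, out_mask;
	uint8_t  flags;
};

/* Parse "group[/mask]" like the iptables extension (strtoul, base 0), but
 * also reject values that do not fit in 32 bits and an empty mask after '/'.
 * Returns 0 on success, -1 on a malformed spec. */
static int ifgroup_parse_spec(const char *spec, uint32_t *group, uint32_t *mask)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(spec, &end, 0);
	if (end == spec || errno == ERANGE || v > UINT32_MAX)
		return -1;
	*group = (uint32_t)v;
	*mask = UINT32_MAX;	/* default: compare the whole group id */

	if (*end == '/') {
		const char *mspec = end + 1;

		errno = 0;
		v = strtoul(mspec, &end, 0);
		if (end == mspec || errno == ERANGE || v > UINT32_MAX)
			return -1;
		*mask = (uint32_t)v;
	}
	return *end == '\0' ? 0 : -1;
}

/* Mirror of ifgroup_match(): for each side that was given, the masked
 * interface group must equal the rule's group, XOR that side's invert bit.
 * The rule's group is not masked (as in the posted code), so a group with
 * bits outside the mask can never match. */
static bool ifgroup_rule_matches(const struct ifgroup_rule *r,
				 uint32_t in_ifgroup, uint32_t out_ifgroup)
{
	if ((r->flags & XT_IFGROUP_MATCH_IN) &&
	    !(((in_ifgroup & r->in_mask) == r->in_group) ^
	      !!(r->flags & XT_IFGROUP_INVERT_IN)))
		return false;
	if ((r->flags & XT_IFGROUP_MATCH_OUT) &&
	    !(((out_ifgroup & r->out_mask) == r->out_group) ^
	      !!(r->flags & XT_IFGROUP_INVERT_OUT)))
		return false;
	return true;
}

/* Build a rule from "--ifgroup-in [!] spec" / "--ifgroup-out [!] spec"
 * (NULL spec = option not given) and evaluate it for a packet whose input
 * and output interfaces carry the given group ids.
 * Returns 1 on match, 0 on no match, -1 if a spec is malformed. */
int ifgroup_eval(const char *in_spec, bool invert_in,
		 const char *out_spec, bool invert_out,
		 uint32_t in_ifgroup, uint32_t out_ifgroup)
{
	struct ifgroup_rule r;

	memset(&r, 0, sizeof(r));
	if (in_spec) {
		if (ifgroup_parse_spec(in_spec, &r.in_group, &r.in_mask))
			return -1;
		r.flags |= XT_IFGROUP_MATCH_IN | (invert_in ? XT_IFGROUP_INVERT_IN : 0);
	}
	if (out_spec) {
		if (ifgroup_parse_spec(out_spec, &r.out_group, &r.out_mask))
			return -1;
		r.flags |= XT_IFGROUP_MATCH_OUT | (invert_out ? XT_IFGROUP_INVERT_OUT : 0);
	}
	return ifgroup_rule_matches(&r, in_ifgroup, out_ifgroup);
}

int main(void)
{
	/* Constructed groups: eth0 = 4, tun0 = 0x14 (same low nibble as 4). */
	printf("--ifgroup-in 4/0xf, in=eth0: %d\n", ifgroup_eval("4/0xf", false, NULL, false, 4, 0));
	printf("--ifgroup-in 4/0xf, in=tun0: %d\n", ifgroup_eval("4/0xf", false, NULL, false, 0x14, 0));
	printf("--ifgroup-in 4 ! --ifgroup-out 5, out=5: %d\n", ifgroup_eval("4", false, "5", true, 4, 5));
	printf("--ifgroup-in 4 ! --ifgroup-out 5, out=6: %d\n", ifgroup_eval("4", false, "5", true, 4, 6));
	printf("--ifgroup-in 0x14/0xf (bits outside mask): %d\n", ifgroup_eval("0x14/0xf", false, NULL, false, 0x14, 0));
	return 0;
}
```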


[IFGROUPv5 iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

2007-10-26 Thread Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_NET_NS_PID,
__IFLA_MAX
 };
 
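Review bot: `IFLA_NET_NS_PID,` is added without the matching `#define IFLA_NET_NS_PID IFLA_NET_NS_PID` that `IFLA_LINKINFO` carries two lines above, so userspace cannot `#ifdef` on it the way ip/ipaddress.c already does for `IFLA_MASTER`; add the define alongside the enum value.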
-- 
1.5.2.5



Re: [IFGROUPv4 2/3] Interface group: core (netlink) part

2007-10-25 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:

Interface groups allow handling different interfaces together,
especially in netfilter modules.
Modified net device structure and netlink interface.

@@ -891,6 +895,13 @@ static int do_setlink(struct net_device *dev, 
struct ifinfomsg *ifm,

 }
 }
 
+if (tb[IFLA_IFGROUP]) {

+write_lock_bh(&dev_base_lock);
+dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+write_unlock_bh(&dev_base_lock);
+modified = 1;
+}
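Review bot: the `write_lock_bh(&dev_base_lock)` around `dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);` protects nothing on its own: the read side added by the same patch in rtnl_fill_ifinfo (`if (dev->ifgroup) NLA_PUT_U32(...)`) does not take that lock, and a single aligned u32 store needs no lock against readers that only want a torn-free value. Either the readers take the lock too or, as suggested below, rtnl alone serializes the writers and the lock can go.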



The locking looks unnecessary, the rtnl should be enough.
I'm not even sure why it's used for operstate and linkmode,
AFAICS they are also protected by the rtnl.



Hm, ok. In this case operstate and linkmode can be unprotected as code 
cleanup, am I right? Or leave them unchanged?

And notification is only needed if something was changed.

--
Attila


[IFGROUPv4 iptables] Interface group match

2007-10-25 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 Makefile |2
 libip6t_ifgroup.man  |   36 +++
 libipt_ifgroup.man   |   36 +++
 libxt_ifgroup.c  |  196 +++
 linux/netfilter/xt_ifgroup.h |   18 +++
 5 files changed, 287 insertions(+), 1 deletion(-)
  
Index: include/linux/netfilter/xt_ifgroup.h
===
--- include/linux/netfilter/xt_ifgroup.h(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h(revision 0)
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)
@@ -0,0 +1,196 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ * Laszlo Attila Toth <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"ifgroup-in", 1, 0, '1'},
+   {"ifgroup-out", 1, 0, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN 0x01
+#define PARAM_MATCH_OUT0x02
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+   struct xt_ifgroup_info *info =
+(struct xt_ifgroup_info *) (*match)->data;
+   char *end;
+   
+   switch (c)
+   {
+   case '1':
+   if (*flags & PARAM_MATCH_IN)
+   exit_error(PARAMETER_PROBLEM,
+   "ifgroup match: Can't specify 
--ifgroup-in twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+   
+   info->in_group = strtoul(optarg, &end, 0);
+   info->in_mask = 0xUL;
+   
+   if (*end == '/')
+   info->in_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Bad ifgroup value 
`%s'",
+  optarg);
+   
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_IN;
+
+   *flags |= PARAM_MATCH_IN;
+   info->flags |= XT_IFGROUP_MATCH_IN; 
+   break;
+   case '2':
+   if (*flags & PARAM_MATCH_OUT)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Can't specify "
+ "--ifgroup-out twice");
+
+   check_inverse(optarg, &invert, &optind, 0);
+   
+   info->out_group = strtoul(optarg, &end, 0);
+   info->out_mask = 0xUL;
+   
+   if (*end == '/')
+   info->out_mask = strtoul(end+1, &end, 0);
+
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+ "ifgroup match: Bad ifgroup "
+ "value `%s'",
+  optarg);
+   
+   if (invert)
+   info->flags |= XT_IFGROUP_INVERT_OUT;
+
+   *flags |= PARAM_MATCH_OUT;
+   
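Review bot: the `group[/mask]` parsing accepts an empty mask: for `--ifgroup-in 4/`, `strtoul(end+1, &end, 0)` converts nothing, leaves `end` on the terminator and sets `in_mask` to 0, so the `*end != '\0' || end == optarg` check passes and the rule silently becomes one that can never match (`(ifgroup & 0) == 4`). Check `end == start-of-mask` after the second `strtoul` as well. On 64-bit hosts `strtoul` also returns values above 0xffffffff without error, which are then truncated when stored into the `u_int32_t` fields; reject anything wider than 32 bits. The file header comment says the match is "by the incoming interface group" while the code matches the outgoing one too.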

[IFGROUPv4 3/3] Netfilter Interface group match

2007-10-25 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   18 +
 net/netfilter/Kconfig|   16 +
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |  121 ++
 4 files changed, 156 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..9ac75de
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
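Review bot: this header is exported to userspace via the iptables extension, so `struct xt_ifgroup_info` should use the kernel's `__u32`/`__u8` with `#include <linux/types.h>` rather than `u_int32_t`/`u_int8_t`, as other xt_*.h headers do. The `+` line after `#endif` adds a blank line at end of file, which git flags as whitespace damage.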
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index d7a600a..0e0cd4f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+   iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_REALM
tristate  '"realm" match support'
depends on NETFILTER_XTABLES
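Review bot: the help text is out of sync with the userspace side: the example `iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG` uses `--if-group`, but the extension's options are `--ifgroup-in` / `--ifgroup-out`; `settable using ip link set group` is missing the device and value (`ip link set DEV group GROUP`); and the text only mentions the incoming interface although the match also checks the outgoing one. Symbolic names like `openvpn-rw1` also require an entry in /etc/iproute2/rt_ifgroup, which is worth a mention.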
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 93c58f9..29718c1 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -78,3 +78,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..2baf772
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,121 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+const struct xt_ifgroup_info *info)
+{
+
+   return ((in->ifgroup & info->in_mask) == info->in_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+const struct xt_ifgroup_info *info)
+{
+   return ((out->ifgroup & info->out_mask) == info->out_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_OUT) == 
XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const struct xt_match *match,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+bool *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+   
+   if (info->flags & XT_IFGROUP_MATCH_IN &&  !ifgroup_match_in(in, info))
+   return false;
+   if (info->flags & XT_IFGROUP_MATCH_OUT &&  !ifgroup_match_out(out, 
info))
+   return false;
+   
+   return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchi
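Review bot: `ifgroup_match_in(in, info)` and `ifgroup_match_out(out, info)` dereference `in->ifgroup` / `out->ifgroup` without a NULL check, but `in` is NULL for locally generated packets (OUTPUT / POSTROUTING) and `out` is NULL in PREROUTING / INPUT; a rule with `--ifgroup-out` in INPUT, or `--ifgroup-in` in OUTPUT, would oops the kernel unless `ifgroup_checkentry` (cut off here) rejects such combinations via `hook_mask`. Safer to do both: restrict by hook mask in checkentry and treat a NULL device as "no match" in the match function. Also parenthesize `info->flags & XT_IFGROUP_MATCH_IN && ...`; the precedence is right but gcc warns about `&` inside `&&`.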

[IFGROUPv4 iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

2007-10-25 Thread Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_NET_NS_PID,
__IFLA_MAX
 };
 
-- 
1.5.2.5



[IFGROUPv4 2/3] Interface group: core (netlink) part

2007-10-25 Thread Laszlo Attila Toth
Interface groups allow handling different interfaces together,
especially in netfilter modules.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   11 +++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index c4de536..87aa550 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
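Review bot: `u_int32_t ifgroup;` is in a kernel-internal struct and should be the kernel's `u32` (`u_int32_t` is the userspace typedef); the neighbouring fields and the rest of `struct net_device` use kernel types. The comment style should also match the `/* Interface index. Unique device identifier*/` line above it.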
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index ecf4dc5..f13883d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -611,6 +611,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -648,6 +649,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
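Review bot: `if (dev->ifgroup) NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);` omits the attribute for group 0, so a listener cannot distinguish "device is in group 0" from "kernel has no IFGROUP support", and an `ip link` dump shows nothing for ungrouped devices. Since `if_nlmsg_size()` already reserves the 4 bytes unconditionally, emitting the attribute always is cheaper to reason about.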
@@ -891,6 +895,13 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
}
}
 
+   if (tb[IFLA_IFGROUP]) {
+   write_lock_bh(&dev_base_lock);
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
+
err = 0;
 
 errout:
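Review bot: `modified = 1;` is set unconditionally even when the new group equals `dev->ifgroup`, which sends a notification for a no-op `ip link set DEV group N`; compare before storing, as the `IFLA_TXQLEN` and `IFLA_LINKMODE` branches in patch 1/3 do, e.g. `if (dev->ifgroup != group) { dev->ifgroup = group; modified = 1; }`.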
-- 
1.5.2.5



[IFGROUPv4 iproute 2/2] Interface group as new ip link option

2007-10-25 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
IFLA_NET_NS_PID,
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
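Review bot: the two new prototypes disagree on the id type: `rtnl_ifgroup_n2a(int id, ...)` versus `rtnl_ifgroup_a2n(__u32 *id, ...)`; make the n2a side `__u32` as well (the `rtnl_rttable_n2a(__u32 id, ...)` line above is the precedent), otherwise groups with the top bit set print as negative numbers.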
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..71bd240 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rt

[IFGROUPv4 1/3] rtnetlink: setlink changes atomic with single notification

2007-10-25 Thread Laszlo Attila Toth
In do_setlink the device changes are atomic and notifications will be sent
at the end of the function once if any modification occurred and once if
the address has been changed.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   34 --
 1 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a2640d..ecf4dc5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -537,7 +537,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct 
dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
unsigned char operstate = dev->operstate;
 
@@ -560,8 +560,9 @@ static void set_operstate(struct net_device *dev, unsigned 
char transition)
write_lock_bh(&dev_base_lock);
dev->operstate = operstate;
write_unlock_bh(&dev_base_lock);
-   netdev_state_change(dev);
-   }
+   return 1;
+   } else
+   return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
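Review bot: `} else return 0;` after a branch that already returns is redundant; kernel style is a bare `return 0;` after the `if` block. The new non-void return also deserves a one-line comment on `set_operstate()` saying it returns 1 when `dev->operstate` actually changed, since callers now depend on that.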
@@ -855,6 +856,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
@@ -867,16 +869,26 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
dev_change_flags(dev, flags);
}
 
-   if (tb[IFLA_TXQLEN])
-   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   if (tb[IFLA_TXQLEN]) {
+   if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+   write_lock_bh(&dev_base_lock);
+   dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
+   }
 
-   if (tb[IFLA_OPERSTATE])
-   set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   if (tb[IFLA_OPERSTATE]) {
+   modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   }
 
if (tb[IFLA_LINKMODE]) {
-   write_lock_bh(&dev_base_lock);
-   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-   write_unlock_bh(&dev_base_lock);
+   if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+   write_lock_bh(&dev_base_lock);
+   dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
}
 
err = 0;
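Review bot: the commit message says the changes are "atomic", but each field is written under its own `write_lock_bh(&dev_base_lock)` / `write_unlock_bh` pair, so a reader can still observe `tx_queue_len` updated while `link_mode` is not; what the patch actually provides is a single notification, and the message should say that. The lock around `dev->tx_queue_len` is also new (the removed lines wrote it unlocked) and nothing in the series adds a reader that takes `dev_base_lock` for it.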
@@ -890,6 +902,8 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+   if (modified)
+   netdev_state_change(dev);
return err;
 }
 
-- 
1.5.2.5



[IFGROUPv4 0/3 (+3)] Interface group patches

2007-10-25 Thread Laszlo Attila Toth
Hi Dave,

This is the 4th version of our interface group patches. The only difference
from the previous one is in the first patch (single notification and atomic
changes in rtnetlink) plus in iptables code: parameter in-ifgroup changed to
ifgroup-in (and ifgroup-out).

I had to add IFLA_NET_NS_PID in the iproute2 patches as in kernel v2.6.24-rc1.

Usage as before:
 ip link set eth0 group 4
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4 --ifgroup-out 5 -j DROP

Patches:
 [1/3] rtnetlink: setlink changes atomic with single notification
 [2/3] Interface group: core (netlink) part
 [3/3] Netfilter Interface group match
 [iptables] Interface group match
 [iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute 2/2] Interface group as new ip link option

Please apply,
Attila


[IFGROUPv3 1/3] rtnetlink: setlink changes atomic with single notification

2007-10-19 Thread Laszlo Attila Toth
In do_setlink the device changes are atomic and notifications will be sent
at the end of the function once if any modification occurred and once if
the address has been changed.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 net/core/rtnetlink.c |   23 ---
 1 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..53af13f 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -819,6 +819,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
send_addr_notify = 1;
+   modified = 1;
}
 
if (ifm->ifi_flags || ifm->ifi_change) {
@@ -829,21 +830,35 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
flags = (flags & ifm->ifi_change) |
(dev->flags & ~ifm->ifi_change);
dev_change_flags(dev, flags);
+   modified = 1;
}
 
-   if (tb[IFLA_TXQLEN])
+   if (tb[IFLA_TXQLEN]) {
+   write_lock_bh(&dev_base_lock);
dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
 
-   if (tb[IFLA_WEIGHT])
+   if (tb[IFLA_WEIGHT]) {
+   write_lock_bh(&dev_base_lock);
dev->weight = nla_get_u32(tb[IFLA_WEIGHT]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
 
-   if (tb[IFLA_OPERSTATE])
+   if (tb[IFLA_OPERSTATE]) {
+   write_lock_bh(&dev_base_lock);
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
 
if (tb[IFLA_LINKMODE]) {
write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
write_unlock_bh(&dev_base_lock);
+   modified = 1;
}
 
err = 0;
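Review bot: `set_operstate(dev, ...)` is called here between `write_lock_bh(&dev_base_lock)` and `write_unlock_bh(&dev_base_lock)`, but `set_operstate()` itself takes `write_lock_bh(&dev_base_lock)` around the `dev->operstate` store (visible in the context of the v4 version of this patch), so this is a recursive write lock and deadlocks on the first `IFLA_OPERSTATE` request. Setting `modified = 1;` after `dev_change_flags(dev, flags);` also doubles the notification if `dev_change_flags()` emits its own, which is why the v4 patch drops that line.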
@@ -857,6 +872,8 @@ errout:
 
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+   if (modified)
+   rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
return err;
 }
 
-- 
1.5.2.5



[IFGROUPv3 iproute2] Interface group as new ip link option

2007-10-19 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
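Review bot: `IFLA_IFGROUP` is inserted directly after `IFLA_LINKINFO`, which gives it a different numeric value than in a kernel whose enum already carries `IFLA_NET_NS_PID` (as the v4 copy of this header in the thread shows); the iproute2 copy of include/linux/if_link.h must mirror the kernel enum exactly, otherwise the attribute sent as "group" is interpreted by the kernel as the network namespace pid.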
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..71bd240 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv))
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rt

[IFGROUPv3 3/3] Interface group match

2007-10-19 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   18 +
 net/netfilter/Kconfig|   16 +
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |  121 ++
 4 files changed, 156 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..9ac75de
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
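Review bot: this header lives under include/linux and is copied into the iptables tree, so use the kernel's exported integer types (`__u32`, `__u8`) instead of `u_int32_t`/`u_int8_t`; that keeps `struct xt_ifgroup_info` identical on both sides of the ABI. Four 32-bit fields followed by a lone `flags` byte also leaves trailing padding, so userspace should zero the whole structure before filling it in.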
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3599770..0864e19 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+   iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_REALM
tristate  '"realm" match support'
depends on NETFILTER_XTABLES
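Review bot: the help text no longer matches the code: the example rule uses `--if-group`, whereas the iptables extension in this series implements `--in-ifgroup` and `--out-ifgroup`; it only mentions the incoming interface although the module matches the outgoing one as well; and "settable using ip link set group" should read `ip link set DEV group GROUP`.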
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0c054bf..da9ab07 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,3 +77,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..2baf772
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,121 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+const struct xt_ifgroup_info *info)
+{
+
+   return ((in->ifgroup & info->in_mask) == info->in_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+const struct xt_ifgroup_info *info)
+{
+   return ((out->ifgroup & info->out_mask) == info->out_group) ^ 
+   ((info->flags & XT_IFGROUP_INVERT_OUT) == 
XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const struct xt_match *match,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+bool *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+   
+   if (info->flags & XT_IFGROUP_MATCH_IN &&  !ifgroup_match_in(in, info))
+   return false;
+   if (info->flags & XT_IFGROUP_MATCH_OUT &&  !ifgroup_match_out(out, 
info))
+   return false;
+   
+   return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchi
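Review bot: ifgroup_match() returns true when neither XT_IFGROUP_MATCH_IN nor XT_IFGROUP_MATCH_OUT is set, i.e. an all-zero info matches every packet (the v2 version returned false in that case). The checkentry below, cut off in this excerpt, must reject such a rule, and must also restrict `hook_mask` so that `--in-ifgroup` is refused in OUTPUT/POSTROUTING and `--out-ifgroup` in PREROUTING/INPUT, because there `in` or `out` is NULL and ifgroup_match_in()/ifgroup_match_out() dereference it without a check. Minor: the double space in `&&  !ifgroup_match_in(...)` and parentheses around the `&` term would keep checkpatch quiet.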

[IFGROUPv3 iptables] Interface group match

2007-10-19 Thread Laszlo Attila Toth
Matching ifgroup value of incoming and/or outgoing interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 extensions/Makefile  |2 +-
 extensions/libip6t_ifgroup.man   |   36 +++
 extensions/libipt_ifgroup.man|   36 +++
 extensions/libxt_ifgroup.c   |  187 ++
 include/linux/netfilter/xt_ifgroup.h |   18 
 5 files changed, 278 insertions(+), 1 deletions(-)

diff --git a/extensions/Makefile b/extensions/Makefile
index 5af234e..938cf0b 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -7,7 +7,7 @@
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent 
tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT 
SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL 
LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit 
helper length limit mac mark multiport physdev pkttype quota sctp state 
statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK 
NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit 
helper ifgroup length limit mac mark multiport physdev pkttype quota sctp state 
statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK 
NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
diff --git a/extensions/libip6t_ifgroup.man b/extensions/libip6t_ifgroup.man
new file mode 100644
index 000..a96ec91
--- /dev/null
+++ b/extensions/libip6t_ifgroup.man
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter to match. This match is available in all tables.
+.TP
+.BR "--in-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "--out-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+
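Review bot: typos in the man page text: "Maches" should be "Matches", "inteface's" should be "interface's", "Valid only in the in the" should be "Valid only in the" (twice), and "group of out interface" should be "group of the output interface". The closing `.RS`/`.PP` without a matching `.RE` also leaves an open indent for whatever follows in the assembled manual.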
diff --git a/extensions/libipt_ifgroup.man b/extensions/libipt_ifgroup.man
new file mode 100644
index 000..a96ec91
--- /dev/null
+++ b/extensions/libipt_ifgroup.man
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter to match. This match is available in all tables.
+.TP
+.BR "--in-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "--out-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+
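Review bot: this file is byte-identical to extensions/libip6t_ifgroup.man (same blob a96ec91) and carries the same typos ("Maches", "inteface's", "in the in the", "out interface"); fix both copies, or keep a single one if the build can share it.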
diff --git a/extensions/libxt_ifgroup.c b/extensions/libxt_ifgroup.c
new file mode 100644
index 000..a4056c9
--- /dev/null
+++ b/extensions/libxt_ifgroup.c
@@ -0,0 +1,187 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ * Laszlo Attila Toth <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --in-ifgroup  [!] group[/mask]  incoming interface group and its mask\n"
+"  --out-ifgroup [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"in-ifgroup", 1, 0, '1'},
+   {"out-ifgroup", 1, 0, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN   0x01
+#define PARAM_MATCH_OUT  0x02
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+  const void *entry, struct xt_entry_match **match)
+{
+   struc
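Review bot: the file comment still says the extension matches "packets by the incoming interface group", but ifgroup_help() documents `--out-ifgroup` too; update the comment to cover both directions.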

[IFGROUPv3 2/3] Interface group: core (netlink) part

2007-10-19 Thread Laszlo Attila Toth
Interface groups let different interfaces be handled together,
especially in netfilter modules.
The net device structure and the netlink interface are modified.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   11 +++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 422084d..d9f1726 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e679b27..c489a20 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -365,6 +365,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
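Review bot: `u_int32_t` is the userspace/BSD spelling; inside `struct net_device` the kernel uses `u32`, which also pairs naturally with the `nla_get_u32()`/`NLA_PUT_U32` used for it in rtnetlink.c.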
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 53af13f..de38c03 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -608,6 +608,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -646,6 +647,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
@@ -861,6 +865,13 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
modified = 1;
}
 
+   if (tb[IFLA_IFGROUP]) {
+   write_lock_bh(&dev_base_lock);
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }
+
err = 0;
 
 errout:
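Review bot: the value is read with `nla_get_u32(tb[IFLA_IFGROUP])`, but no hunk in this series adds `[IFLA_IFGROUP] = { .type = NLA_U32 }` to `ifla_policy`. Without that entry nla_parse() does not validate the attribute length, so a zero- or short-length IFLA_IFGROUP from userspace makes nla_get_u32() read past the attribute payload. Add the policy entry so malformed messages are rejected with -EINVAL before do_setlink() runs.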
-- 
1.5.2.5



[IFGROUPv3 0/*] Interface groups, round 3

2007-10-19 Thread Laszlo Attila Toth
Hello,

This is the 3rd version of interface group patches.

Each net_device structure has a non-negative ifgroup member indicating
the group it belongs to. In the ip tool it is between 0 and 256 where
0 means it is unset.

Usage:
   ip link set eth0 group 4
   ip link set eth0 group 0        # to unset
   ip link set eth0 group intra    # named groups

In /etc/iproute2/rt_ifgroup each value may have a symbolic name.

Netfilter part: xt_ifgroup module for both IPv4 and IPv6. Iptables usage:
   iptables -A INPUT -m ifgroup --in-ifgroup 4/0xf -j ACCEPT
   iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5 -j ACCEPT
   ...

In the FORWARD chain both the input and the output interface group values should be
matched (with optional masks).

The following patches are:
  kernel: single notification, atomic changes
  kernel: core part
  kernel: netfilter module, ifgroup match
  iproute2: showing and set ifgroup value
  iptables: ifgroup match
--
Attila
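The following is an added, stand-alone user-space model of what this cover letter describes, written for this page rather than taken from the patches or from iproute2/iptables: it parses `group[/mask]` arguments the way the `--in-ifgroup`/`--out-ifgroup` options take them (numeric or symbolic, with the symbolic names in a constructed stand-in for /etc/iproute2/rt_ifgroup), builds the `struct xt_ifgroup_info` the kernel module receives, and evaluates it against the group values of a packet's input and output interfaces with the FORWARD semantics stated above (every side that was given must match). The flag values are those of the posted xt_ifgroup.h; the function names (`ifgroup_parse_spec`, `ifgroup_eval`), the sample name table and the extra rejection of values with bits outside their mask are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag values copied from the posted xt_ifgroup.h; the rest is constructed. */
#define XT_IFGROUP_INVERT_IN   0x01
#define XT_IFGROUP_INVERT_OUT  0x02
#define XT_IFGROUP_MATCH_IN    0x04
#define XT_IFGROUP_MATCH_OUT   0x08

struct xt_ifgroup_info {
	uint32_t in_group, in_mask, out_group, out_mask;
	uint8_t flags;
};

/* Constructed stand-in for the /etc/iproute2/rt_ifgroup name table. */
static const struct { uint32_t id; const char *name; } ifgroup_names[] = {
	{ 4, "intra" }, { 5, "dmz" }, { 17, "openvpn-rw1" },
};

/* A value is a number (decimal or 0x-hex, strtoul base 0) or a table name. */
static int parse_value(const char *tok, uint32_t *out)
{
	char *end;
	unsigned long v = strtoul(tok, &end, 0);
	if (*tok && *end == '\0' && v <= 0xffffffffUL) {
		*out = (uint32_t)v;
		return 0;
	}
	for (size_t i = 0; i < sizeof(ifgroup_names) / sizeof(*ifgroup_names); i++)
		if (strcmp(ifgroup_names[i].name, tok) == 0) {
			*out = ifgroup_names[i].id;
			return 0;
		}
	return -1;		/* neither numeric nor a known name */
}

/* Parse "group[/mask]" as the --in-ifgroup/--out-ifgroup options take it. */
int ifgroup_parse_spec(const char *spec, uint32_t *group, uint32_t *mask)
{
	char buf[64], *slash;
	if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
		return -1;
	*mask = 0xffffffffu;
	if ((slash = strchr(buf, '/'))) {
		*slash = '\0';
		if (parse_value(slash + 1, mask))
			return -1;
	}
	if (parse_value(buf, group))
		return -1;
	/* value bits outside the mask could never match: reject the rule early */
	return (*group & *mask) == *group ? 0 : -1;
}

/* Per-interface test: the same expression as the posted ifgroup_match_in/out. */
static bool side_matches(uint32_t ifgroup, uint32_t group, uint32_t mask, bool invert)
{
	return ((ifgroup & mask) == group) ^ invert;
}

/* Build a rule from the option strings (NULL = option absent) and evaluate it
 * against the packet's interfaces. Returns 1 match, 0 no match, -1 invalid rule. */
int ifgroup_eval(const char *in_spec, bool in_invert,
		 const char *out_spec, bool out_invert,
		 uint32_t in_ifgroup, uint32_t out_ifgroup)
{
	struct xt_ifgroup_info info = { 0 };
	if (in_spec) {
		if (ifgroup_parse_spec(in_spec, &info.in_group, &info.in_mask))
			return -1;
		info.flags |= XT_IFGROUP_MATCH_IN | (in_invert ? XT_IFGROUP_INVERT_IN : 0);
	}
	if (out_spec) {
		if (ifgroup_parse_spec(out_spec, &info.out_group, &info.out_mask))
			return -1;
		info.flags |= XT_IFGROUP_MATCH_OUT | (out_invert ? XT_IFGROUP_INVERT_OUT : 0);
	}
	if (!info.flags)
		return -1;	/* neither side given: refuse, as checkentry should */
	/* FORWARD semantics from the cover letter: every side given must match */
	if ((info.flags & XT_IFGROUP_MATCH_IN) &&
	    !side_matches(in_ifgroup, info.in_group, info.in_mask,
			  info.flags & XT_IFGROUP_INVERT_IN))
		return 0;
	if ((info.flags & XT_IFGROUP_MATCH_OUT) &&
	    !side_matches(out_ifgroup, info.out_group, info.out_mask,
			  info.flags & XT_IFGROUP_INVERT_OUT))
		return 0;
	return 1;
}

int main(void)
{
	printf("--in-ifgroup 4/0xf, in=0x14: %d\n", ifgroup_eval("4/0xf", false, NULL, false, 0x14, 0));
	printf("--in-ifgroup intra --out-ifgroup dmz, in=4 out=6: %d\n", ifgroup_eval("intra", false, "dmz", false, 4, 6));
	return 0;
}
```

Note that `ifgroup_eval` returns -1 for a rule with no side at all and for a value such as `0x14/0xf`, whose bits outside the mask guarantee it can never match; the posted kernel match simply evaluates whatever it is given, so this kind of check belongs in the userspace parser or in checkentry.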


Re: [PATCH 1/2] Interface group: core (netlink) part

2007-10-19 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:
@@ -846,6 +850,12 @@ static int do_setlink(struct net_device *dev, 
struct ifinfomsg *ifm,

 write_unlock_bh(&dev_base_lock);
 }
 
+if (tb[IFLA_IFGROUP]) {

+write_lock_bh(&dev_base_lock);
+dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+write_unlock_bh(&dev_base_lock);
+}



So no notifications at all? Mhh .. I guess its OK for now, this stuff
needs to be fixed to notify once for all changes anyway.



I'll resend the following patch with the new ifgroup patches. The 
current changes: changes are now atomic and a notification will be sent 
later at the end of the function. If an address was changed, a 
notification will be sent and after that another one, which is always sent 
when any modification happened.


This patch may not be complete.


diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..87ab3ff 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -819,6 +819,7 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,

if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], 
dev->addr_len);

send_addr_notify = 1;
+   modified = 1;
}

if (ifm->ifi_flags || ifm->ifi_change) {
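Review bot: `modified` is assigned here but its declaration and initialisation are outside the hunk; if it is a new local it must start at 0, otherwise the `if (modified)` at the end of the function sends RTM_NEWLINK based on a stale value.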
@@ -829,21 +830,35 @@ static int do_setlink(struct net_device *dev, 
struct ifinfomsg *ifm,

flags = (flags & ifm->ifi_change) |
(dev->flags & ~ifm->ifi_change);
dev_change_flags(dev, flags);
+   modified = 1;
}

-   if (tb[IFLA_TXQLEN])
+   if (tb[IFLA_TXQLEN]) {
+   write_lock_bh(&dev_base_lock);
dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }

-   if (tb[IFLA_WEIGHT])
+   if (tb[IFLA_WEIGHT]) {
+   write_lock_bh(&dev_base_lock);
dev->weight = nla_get_u32(tb[IFLA_WEIGHT]);
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }

-   if (tb[IFLA_OPERSTATE])
+   if (tb[IFLA_OPERSTATE]) {
+   write_lock_bh(&dev_base_lock);
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+   write_unlock_bh(&dev_base_lock);
+   modified = 1;
+   }

if (tb[IFLA_LINKMODE]) {
write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
write_unlock_bh(&dev_base_lock);
+   modified = 1;
}

err = 0;
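Review bot: two points in this hunk. First, `modified = 1` after dev_change_flags(): if dev_change_flags() (not part of the diff) already emits its own RTM_NEWLINK for the changed flags, this produces exactly the duplicate notification the patch title sets out to avoid, so check net/core/dev.c before keeping it. Second, set_operstate() is now called with `dev_base_lock` held for writing; if set_operstate() itself takes `dev_base_lock` when the state changes (it is not shown here), this nests a write lock inside a write lock and deadlocks, so either drop the outer lock here or remove the inner one in set_operstate().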
@@ -857,6 +872,8 @@ errout:

if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+   if (modified)
+   rtmsg_ifinfo(RTM_NEWLINK, dev, 0)
return err;
 }
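Review bot: `rtmsg_ifinfo(RTM_NEWLINK, dev, 0)` is missing its semicolon, so the patch does not compile as posted (consistent with "This patch may not be complete" above). The notification is also sent from the `errout:` path; that is only correct because `modified` is set after each successful change, so when a later attribute fails userspace gets both an error reply and an RTM_NEWLINK for the earlier, applied changes, which is worth a comment.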



Re: [PATCH 0/2] Interface groups, round two

2007-10-18 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:

Hello,

Here is the new version of ifgroup patches.

The interface group value is u_int32_t in net_device which should be 
enough.

Previously it was an int.

Usage:
   ip link set eth0 group 4
but currently it cannot be unset, only changed to another value.



The only reason why it can't be set to zero again seems to
be this part from the iproute patch:

+if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)

Why don't you allow a value of zero?



It has a historical reason. The original version, which didn't use netlink 
(at kernel 2.6.17), used zero to indicate that the group was not set. You 
wrote previously that this part is useless for new kernels. I'll fix 
this (changing the type of the "group" variable to unsigned int32 to be consistent 
with the kernel part).


--
Attila


[PATCH 0/2] Interface groups, round two

2007-10-18 Thread Laszlo Attila Toth
Hello,

Here is the new version of ifgroup patches.

The interface group value is u_int32_t in net_device which should be enough.
Previously it was an int.

Usage:
   ip link set eth0 group 4
but currently it cannot be unset, only changed to another value.

In /etc/iproute2/rt_ifgroup each value may have a symbolic name.

Netfilter part: xt_ifgroup module for both IPv4 and IPv6. Iptables usage:
   iptables -A INPUT -m ifgroup --in-ifgroup 4/0xf -j ACCEPT
   iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5 -j ACCEPT
   ...

In the FORWARD chain both the input and the output interface group values should be
matched (with optional masks).

The following patches are:
  kernel: core part
  kernel: netfilter module, ifgroup match
  iproute2: showing and set ifgroup value
  iptables: ifgroup match
--
Laszlo Attila Toth


[PATCH 2/2] Interface group match

2007-10-18 Thread Laszlo Attila Toth
Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   18 ++
 net/netfilter/Kconfig|   16 +
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |  108 ++
 4 files changed, 143 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..9ac75de
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,18 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN   0x01
+#define XT_IFGROUP_INVERT_OUT  0x02
+#define XT_IFGROUP_MATCH_IN0x04
+#define XT_IFGROUP_MATCH_OUT   0x08
+
+struct xt_ifgroup_info {
+   u_int32_t in_group;
+   u_int32_t in_mask;
+   u_int32_t out_group;
+   u_int32_t out_mask;
+   u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
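Review bot: as an exported header under include/linux this should use `__u32`/`__u8` rather than `u_int32_t`/`u_int8_t`, so that the layout of `struct xt_ifgroup_info` is the same for the kernel and for the iptables copy of the file.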
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3599770..0864e19 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+   iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_REALM
tristate  '"realm" match support'
depends on NETFILTER_XTABLES
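Review bot: the help text describes only the incoming interface and shows `--if-group`, but the iptables extension in this series implements `--in-ifgroup` and `--out-ifgroup`; also complete "ip link set group" to `ip link set DEV group GROUP`.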
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0c054bf..da9ab07 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,3 +77,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..07c3acc
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,108 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <[EMAIL PROTECTED]>,
+ *   Laszlo Attila Toth <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+static bool ifgroup_match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop)
+{
+#define FLAG_IS_SET(a,b)  ((a & b) == b)
+#define MATCH_IN  (((in->ifgroup & info->in_mask) == info->in_group) ^ 
FLAG_IS_SET(info->flags, XT_IFGROUP_INVERT_IN))
+#define MATCH_OUT (((out->ifgroup & info->out_mask) == info->out_group) ^ 
FLAG_IS_SET(info->flags, XT_IFGROUP_INVERT_OUT))
+
+   const struct xt_ifgroup_info *info = matchinfo;
+   bool verdict = false;
+   
+   if ((info->flags & XT_IFGROUP_MATCH_IN) && (info->flags & 
XT_IFGROUP_MATCH_OUT))
+   verdict = MATCH_IN && MATCH_OUT;
+   else if (info->flags & XT_IFGROUP_MATCH_IN)
+   verdict = MATCH_IN;
+   else if (info->flags & XT_IFGROUP_MATCH_OUT)
+   verdict = MATCH_OUT;
+   return verdict;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+  const struct xt_match *match,
+  void *matchinfo, unsigned int hook_mask)
+{
+   struct xt_ifgroup_info *info = matchinfo;
+
+   if (!(i
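Review bot: MATCH_IN/MATCH_OUT are macros that silently capture the locals `in`, `out` and `info`, and `FLAG_IS_SET(a,b)` does not parenthesise its arguments (`a & b` misparses for any argument of lower precedence than `&`); prefer static inline helpers that take the device and info explicitly, as the v3 posting of this file on this page does. Note also that with both XT_IFGROUP_MATCH_IN and XT_IFGROUP_MATCH_OUT clear the function returns false for every packet; checkentry (cut off here) should reject such a rule instead of installing one that can never match.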

[IPROUTE PATCH] Interface group as new ip link option

2007-10-18 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   11 
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |5 
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
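Review bot: the new prototypes disagree on the type of the id: rtnl_ifgroup_n2a() takes `int` while rtnl_ifgroup_a2n() fills a `__u32 *` and the kernel field is 32-bit unsigned. Use `__u32` for both (as rtnl_rttable_n2a() does) so a group above INT_MAX is neither printed as a negative number nor used as a negative index into the 256-entry name table.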
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 518d8cd..405e85c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
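Review bot: `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` reinterprets an unsigned 32-bit attribute as a signed int and assumes it is at least four bytes long; the existing IFLA_MTU line does the same, but for the new attribute check `RTA_PAYLOAD(tb[IFLA_IFGROUP]) >= sizeof(__u32)` and read it as `__u32`, since a kernel that does not know this attribute number might send something else under it.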
diff --git a/ip/iplink.c b/ip/iplink.c
index 4060845..bebb2fe 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
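Review bot: `|| group == 0` makes zero an invalid value, so once set the group can never be cleared (Patrick raises this in the reply on this page, and the v3 posting drops the check). Keep zero valid, and give duparg() a separate "seen" flag instead of relying on `group != 0`.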
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+   "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+   rtnl_rtifgroup_init = 1;
+   rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+   rtnl_rtifgroup_tab, 256);
+}
+
+char * rt
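Review bot: the 256-entry `rtnl_rtifgroup_tab` is smaller than the 32-bit group space the kernel accepts; the n2a function, cut off in this excerpt, must bounds-check the id before indexing the table and print the number for anything outside it.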

[IPTABLES PATCH] Interface group match

2007-10-18 Thread Laszlo Attila Toth
Matches the ifgroup value of the incoming and/or outgoing interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 extensions/Makefile  |2 +-
 extensions/libip6t_ifgroup.man   |   36 +++
 extensions/libipt_ifgroup.man|   36 +++
 extensions/libxt_ifgroup.c   |  178 ++
 include/linux/netfilter/xt_ifgroup.h |   18 
 5 files changed, 269 insertions(+), 1 deletions(-)

diff --git a/extensions/Makefile b/extensions/Makefile
index 5af234e..938cf0b 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -7,7 +7,7 @@
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent 
tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT 
SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL 
LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit 
helper length limit mac mark multiport physdev pkttype quota sctp state 
statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK 
NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit 
helper ifgroup length limit mac mark multiport physdev pkttype quota sctp state 
statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK 
NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
diff --git a/extensions/libip6t_ifgroup.man b/extensions/libip6t_ifgroup.man
new file mode 100644
index 000..a96ec91
--- /dev/null
+++ b/extensions/libip6t_ifgroup.man
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter to match. This match is available in all tables.
+.TP
+.BR "--in-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "--out-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+
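Review bot: same man-page typos as in the later posting: "Maches" (Matches), "inteface's" (interface's), "Valid only in the in the" (twice), "group of out interface"; and `.RS` without a matching `.RE`.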
diff --git a/extensions/libipt_ifgroup.man b/extensions/libipt_ifgroup.man
new file mode 100644
index 000..a96ec91
--- /dev/null
+++ b/extensions/libipt_ifgroup.man
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--in-ifgroup"
+or
+.B "--out-ifgroup"
+parameter to match. This match is available in all tables.
+.TP
+.BR "--in-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "--out-ifgroup \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+
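Review bot: identical to extensions/libip6t_ifgroup.man (same blob a96ec91), with the same typos; fix both copies together.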
diff --git a/extensions/libxt_ifgroup.c b/extensions/libxt_ifgroup.c
new file mode 100644
index 000..d7f982c
--- /dev/null
+++ b/extensions/libxt_ifgroup.c
@@ -0,0 +1,178 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * Balazs Scheidler <[EMAIL PROTECTED]>
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void
+ifgroup_help(void)
+{
+   printf(
+"ifgroup v%s options:\n"
+"  --in-ifgroup  [!] group[/mask]  incoming interface group and its mask\n"
+"  --out-ifgroup [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+   {"in-ifgroup", 1, 0, '1'},
+   {"out-ifgroup", 1, 0, '2'},
+   { }
+};
+
+#define PARAM_MATCH_IN   0x01
+#define PARAM_MATCH_OUT  0x02
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+  const void *entry, struct xt_entry_match **match)
+{
+   struct xt_ifgroup_info *info = (struct xt_ifgroup
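Review bot: the file comment says the extension matches "packets by the incoming interface group" although ifgroup_help() already advertises `--out-ifgroup`; update it, and consider listing the second copyright holder here as the v3 posting does.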

[PATCH 1/2] Interface group: core (netlink) part

2007-10-18 Thread Laszlo Attila Toth
Interface groups let different interfaces be handled together,
especially in netfilter modules.
The net device structure and the netlink interface are modified.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |   10 ++
 3 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 422084d..d9f1726 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e679b27..c489a20 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -365,6 +365,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   u_int32_t   ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
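Review bot: use `u32` rather than `u_int32_t` for a field inside `struct net_device`; `u_int32_t` is the userspace spelling.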
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..bbe4a98 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -608,6 +608,7 @@ static inline size_t if_nlmsg_size(const struct net_device 
*dev)
   + nla_total_size(4) /* IFLA_MTU */
   + nla_total_size(4) /* IFLA_LINK */
   + nla_total_size(4) /* IFLA_MASTER */
+  + nla_total_size(4) /* IFLA_IFGROUP */
   + nla_total_size(1) /* IFLA_OPERSTATE */
   + nla_total_size(1) /* IFLA_LINKMODE */
   + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -646,6 +647,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
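Review bot: `if (dev->ifgroup)` makes group 0 invisible to user space, so `ip link` cannot tell "group cleared" apart from "kernel without IFGROUP support". if_nlmsg_size() already reserves nla_total_size(4) for the attribute unconditionally, so emitting it always (as IFLA_MTU is emitted) costs nothing and gives the iproute2 side a definite answer.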
@@ -846,6 +850,12 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
write_unlock_bh(&dev_base_lock);
}
 
+   if (tb[IFLA_IFGROUP]) {
+   write_lock_bh(&dev_base_lock);
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+   write_unlock_bh(&dev_base_lock);
+   }
+
err = 0;
 
 errout:
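Review bot: nla_get_u32(tb[IFLA_IFGROUP]) is used without a matching entry in ifla_policy; without `[IFLA_IFGROUP] = { .type = NLA_U32 }` nla_parse() accepts the attribute at any length, so an RTM_SETLINK with a short IFLA_IFGROUP reads past the attribute payload. Two smaller points: the write_lock_bh(&dev_base_lock) pair around a single aligned 32-bit store protects nothing that a reader relies on (the xt_ifgroup match reads in->ifgroup without the lock), so either document what it is meant to serialise against or drop it; and unlike the 2007-10-16 revision, this one no longer calls rtmsg_ifinfo(), so a group change produces no RTM_NEWLINK event for `ip monitor` listeners.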
-- 
1.5.2.5

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 2/2] Interface group match - netfilter part

2007-10-17 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:

+static int match(const struct sk_buff *skb,
+  const struct net_device *in,
+  const struct net_device *out,
+  const struct xt_match *match,
+  const void *matchinfo,
+  int offset,
+  unsigned int protoff,
+  int *hotdrop)
+{
+const struct xt_ifgroup_info *info = matchinfo;
+
+return ((in->ifgroup & info->mask) == info->group) ^ info->invert;


The input interface is only valid in PREROUTING, INPUT and FORWARD.
Why don't you support output-interface matching?



The new version supports output-interface matching; currently I'm rewriting the 
iptables part. But I'm not sure what to do with the forward chain, 
because both the input and output interfaces are valid here. My idea is that 
the ifgroup_match function checks the ifgroup values of both the input and 
output interfaces if they are set. An example:


iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5/0x0f -j ACCEPT

The packet's input interface must be in group 4 and the output interface 
must be in group 5, but only the lower 4 bits are checked. If one of these 
assumptions fails, the match fails.


Is it OK, or should only one of them be checked, as in xt_policy: if the 
input side matches, the other one is not checked?


--
Attila
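A user-space model of the combined in/out-ifgroup matching discussed above, added here as an example and not code from the patch set or the thread. It parses the GROUP/MASK syntax of the example rule, rejects a group with bits outside its mask at load time, and fails (rather than dereferencing a NULL device) when a requested side has no device in the current hook, which is the hook problem Patrick raised; ifgroup_rule, fake_dev, parse_group_spec, side_ok and ifgroup_match are hypothetical names.

```c
/* Added example, not code from the patch set: a user-space model of the
 * in/out interface-group match proposed in the thread. The names
 * ifgroup_rule, fake_dev, parse_group_spec and ifgroup_match are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define IFGROUP_MATCH_IN   0x1  /* --in-ifgroup given */
#define IFGROUP_MATCH_OUT  0x2  /* --out-ifgroup given */
#define IFGROUP_INVERT_IN  0x4  /* ! --in-ifgroup */
#define IFGROUP_INVERT_OUT 0x8  /* ! --out-ifgroup */

struct ifgroup_rule {
	uint32_t in_group, in_mask;
	uint32_t out_group, out_mask;
	uint8_t flags;
};

/* Stand-in for the ifgroup member the kernel patch adds to net_device. */
struct fake_dev {
	uint32_t ifgroup;
};

/* Parse "GROUP[/MASK]" as in the example rule ("5/0x0f"); no mask means all
 * bits. A group with bits outside its mask can never match, so it is rejected
 * at rule-load time, the way a checkentry() would. 0 on success, -EINVAL otherwise. */
int parse_group_spec(const char *spec, uint32_t *group, uint32_t *mask)
{
	char *end;
	unsigned long g, m = 0xffffffffUL;

	errno = 0;
	g = strtoul(spec, &end, 0);
	if (errno || end == spec || g > 0xffffffffUL)
		return -EINVAL;
	if (*end == '/') {
		const char *mspec = end + 1;
		m = strtoul(mspec, &end, 0);
		if (errno || end == mspec || m > 0xffffffffUL)
			return -EINVAL;
	}
	if (*end != '\0' || (g & ~m) != 0)
		return -EINVAL;
	*group = (uint32_t)g;
	*mask = (uint32_t)m;
	return 0;
}

/* One side of the match. `in` is NULL in OUTPUT/POSTROUTING and `out` is NULL
 * in PREROUTING/INPUT, so a requested side with no device fails instead of
 * dereferencing NULL (this is the hook problem raised in the review). */
static int side_ok(const struct fake_dev *dev, uint32_t group, uint32_t mask,
		   int invert)
{
	if (!dev)
		return 0;
	return ((dev->ifgroup & mask) == group) ^ invert;
}

/* Every side that was given on the rule must match (the semantics proposed
 * for FORWARD above). Returns 1 on match, 0 otherwise. */
int ifgroup_match(const struct fake_dev *in, const struct fake_dev *out,
		  const struct ifgroup_rule *r)
{
	if ((r->flags & IFGROUP_MATCH_IN) &&
	    !side_ok(in, r->in_group, r->in_mask, !!(r->flags & IFGROUP_INVERT_IN)))
		return 0;
	if ((r->flags & IFGROUP_MATCH_OUT) &&
	    !side_ok(out, r->out_group, r->out_mask, !!(r->flags & IFGROUP_INVERT_OUT)))
		return 0;
	return 1;
}
```

With the rule `--in-ifgroup 4 --out-ifgroup 5/0x0f`, a device in group 0x25 passes the output check (0x25 & 0x0f == 5) while one in 0x16 does not, and the same rule evaluated in OUTPUT, where there is no input device, simply fails.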


Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option

2007-10-16 Thread Laszlo Attila Toth

jamal írta:

On Tue, 2007-16-10 at 13:05 +0200, Laszlo Attila Toth wrote:

That sounds great, but what would you like to use it for? It may help me 
with the implementation.


For example I may want to add a tc rule to a group of interfaces.
tc BNF roughly looks like:
tc   

Where target is := 
It may be useful to extend "target" to include alternatively a group of
devices.


Ok, I see.



Currently it is not available since the 
net_device structure holds the group id and for this get operation an 
iteration (of net_devices) may be necessary...


I understand - but I would rather do the iteration in the kernel than in
user space and save myself a gazillion netlink messages.


You are right - that's faster in the kernel and useless to move it to 
userspace.




We didn't want to use multiple groups in favour of masked group ids. 
What kind of usage needs another implementation?


Same lazy-person use cases as above; in one case I may want to set a rule
to group = {eth0, eth1, eth10} and in another {eth0, eth5}. I realize
this may be more involved and need something clever for an implementation (e.g.
using a bitmap instead of a straight int) - so if it is not a simple thing,
just defer it to some later time.


Hm, the main problem (for me) is that it requires more than one value 
per net device and it should be limited. But if I say it is 5, for 
instance, anyone can say it is not enough for him.





Ok, now that you are asking, here's another feature request for
you;-> It would be nice if I can set a group based on a regular
expression of a device's name; e.g. "ppp*". Use case for this, off the top of
my head (without looking at your syntax):

ip set group 10 ppp*


ip link set ppp0 group 10

Also, if "ip link set..." works for multiple interfaces, it is already 
done. If it is not, it will positively affect all other settings :)


--
Attila


Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option

2007-10-16 Thread Laszlo Attila Toth

jamal írta:

On Tue, 2007-16-10 at 11:03 +0200, Laszlo Attila Toth wrote:

Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link.


Feature request: Can you also implement a get operation. Perhaps
something that returns from the kernel a list of ifindices when one
passes a group to it?


That sounds great, but what would you like to use it for? It may help me 
with the implementation. Currently it is not available since the 
net_device structure holds the group id and for this get operation an 
iteration (of net_devices) may be necessary...


BTW, does it make sense to have one interface in multiple groups?


We didn't want to use multiple groups in favour of masked group ids. 
What kind of usage needs another implementation?


--
Attila


Re: [PATCH 0/2] Interface groups

2007-10-16 Thread Laszlo Attila Toth

Philip Craig írta:

Laszlo Attila Toth wrote:

Hello,

Different network interfaces can be grouped using the same group ID. With this
patch fewer netfilter rules are necessary but it may also be used by routing.


This allows an interface to belong to only one group. I expect there are
situations where you want more, e.g. you might want a group of all pptp
connections, and another group of pptp connections for a subset of users.


With masked values it should work with only one group.

--
Attila


Re: [PATCH 2/2] Interface group match - netfilter part

2007-10-16 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:

+static int match(const struct sk_buff *skb,
+  const struct net_device *in,
+  const struct net_device *out,
+  const struct xt_match *match,
+  const void *matchinfo,
+  int offset,
+  unsigned int protoff,
+  int *hotdrop)
+{
+const struct xt_ifgroup_info *info = matchinfo;
+
+return ((in->ifgroup & info->mask) == info->group) ^ info->invert;


The input interface is only valid in PREROUTING, INPUT and FORWARD.
Why don't you support output-interface matching?

There is no specific reason. I'll make it with the other changes you 
wrote. I'll send the iptables patch at the same time.


--
Attila


Re: [IPROUTE2 PATCH] Interface group as new ip link option

2007-10-16 Thread Laszlo Attila Toth

Patrick McHardy írta:

Laszlo Attila Toth wrote:

diff --git a/man/man8/ip.8 b/man/man8/ip.8
index c74440a..8e6a9a3 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
@@ -1835,3 +1840,6 @@ was written by Alexey N. Kuznetsov and added in 
Linux 2.2.
 
 .SH AUTHOR

 Original Manpage  by Michail Litvak <[EMAIL PROTECTED]>
+.br
+Modified for ZorpOS by Tamas Pal <[EMAIL PROTECTED]>



Did you really intend to include this?



I forgot to cut it off because in ZorpOS (v3.1, which is Sarge-based) 
the manual page contains this part.



Resend: [IPROUTE2 PATCH] Interface group as new ip link option

2007-10-16 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   49 +
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |8 ++
 6 files changed, 127 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
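Review bot: rtnl_ifgroup_n2a() takes `int id` while rtnl_ifgroup_a2n() fills a `__u32`, so a group id with the top bit set is printed as a negative number although the kernel stores it as an unsigned 32-bit value; the two signatures should agree. The lib/rt_names.c half (62 lines in the diffstat) is not part of what is shown in this message, so the name-file location and its parsing cannot be reviewed here.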
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 518d8cd..405e85c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
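Review bot: `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` reads four bytes without checking that RTA_PAYLOAD(tb[IFLA_IFGROUP]) is at least sizeof(__u32); the IFLA_MTU line above does the same, so this follows local convention, but a length check before the cast is cheap and keeps a malformed message from over-reading. Note also that the kernel side sends IFLA_IFGROUP only for nonzero groups, so `ip link` prints nothing at all for ungrouped devices rather than `group 0`.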
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..87901e7 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
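Review bot: `group` starts at 0 and doubles as the "already given" sentinel, and `|| group == 0` rejects an explicit `group 0`; combined with the kernel omitting IFLA_IFGROUP for zero, there is no way to take an interface out of a group again from `ip link set`. Use a separate flag for the duparg() check and allow 0, so that `ip link set DEV group 0` clears the membership.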
@@ -462,6 +473,32 @@ static int set_mtu(const char *dev, int mtu)
return 0;
 }
 
+static int set_group(const char *dev, int ifgroup)
+{
+   struct {
+   struct nlmsghdr n;
+   struct ifinfomsgifi;
+   charbuf[256];
+   } req;
+   struct rtnl_handle rth;
+   
+   memset(&req, 0, sizeof(req));
+   req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi));
+   req.n.nlmsg_flags = NLM_F_REQUEST;
+   req.n.nlmsg_type = RTM_SETLINK;
+   
+
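Review bot: set_group() opens its own rtnl_handle and builds a second RTM_SETLINK request, although iplink_modify() above already adds IFLA_IFGROUP to the generic request for `ip link set`; unless another code path needs this helper it duplicates that logic. The rest of the function is cut off in this message, so its send and error handling cannot be checked here.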

[PATCH 2/2] Interface group match - netfilter part

2007-10-16 Thread Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/netfilter/xt_ifgroup.h |   11 +
 net/netfilter/Kconfig|   16 +++
 net/netfilter/Makefile   |1 +
 net/netfilter/xt_ifgroup.c   |   78 ++
 4 files changed, 106 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h 
b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 000..a992d4c
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,11 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+struct xt_ifgroup_info {
+   u_int32_t group;
+   u_int32_t mask;
+   u_int8_t invert;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
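Review bot: this header is shared with iptables, so it should use the exported types __u32/__u8 rather than u_int32_t/u_int8_t, and the struct ends with three bytes of padding after `invert`, so the iptables side must zero the whole structure since x_tables compares the rule's match size against sizeof(struct xt_ifgroup_info). Nothing restricts `invert` to 0 or 1 although match() uses it with `^`; a checkentry() that rejects other values, and a `group` with bits outside `mask` (which can never match), would catch bad rules at insertion time. The file also ends with an extra blank line.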
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3599770..0864e19 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_IFGROUP
+   tristate '"ifgroup" interface group match support'
+   depends on NETFILTER_XTABLES
+   help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+   iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
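Review bot: the help text describes only the incoming interface, which is also all match() implements, so it needs revising together with the output-interface support requested in the thread. The example `--if-group openvpn-rw1` uses a symbolic name, which requires the iptables side to carry the same name table that lib/rt_names.c gives ip; if the iptables patch accepts only numbers, use a numeric example as in the cover letter. The neighbouring entries QUOTA and REALM are in alphabetical order, so if the file keeps that order IFGROUP belongs further up.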
 config NETFILTER_XT_MATCH_REALM
tristate  '"realm" match support'
depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0c054bf..da9ab07 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,3 +77,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 000..766f668
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,78 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006 Balazs Scheidler <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Balazs Scheidler <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("IP tables match to match on interface group");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+static int match(const struct sk_buff *skb,
+  const struct net_device *in,
+  const struct net_device *out,
+  const struct xt_match *match,
+  const void *matchinfo,
+  int offset,
+  unsigned int protoff,
+  int *hotdrop)
+{
+   const struct xt_ifgroup_info *info = matchinfo;
+
+   return ((in->ifgroup & info->mask) == info->group) ^ info->invert;
+}
+
+static struct xt_match ifgroup_match = {
+   .name   = "ifgroup",
+   .match  = match,
+   .matchsize  = sizeof(struct xt_ifgroup_info),
+   .family = AF_INET,
+   .me = THIS_MODULE,
+};
+
+static struct xt_match ifgroup6_match = {
+   .name   = "ifgroup",
+   .match  = match,
+   .matchsize  = sizeof(struct xt_ifgroup_info),
+   .family = AF_INET6,
+   .me = THIS_MODULE,
+};
+
+static int __init xt_ifgroup_init(void)
+{
+   int ret;
+
+   ret = xt_register_match(&ifgroup_match);
+   if (ret)
+   return ret;
+
+   ret = xt_register_match(&ifgroup6_match);
+   if (ret)
+   xt_unregister_match(&ifgroup_match);
+
+   return ret;
+}
+
+static void __exit xt_ifgroup_fini(void)
+{
+   xt_unregister_match(&ifgroup_match);
+   xt_unregister_match(&ifgroup6_match);
+}
+
+module_init(xt_ifgroup_init);
+module_exit(xt_ifgroup_fini);
+
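Review bot: match() dereferences `in` unconditionally, but `in` is NULL in the OUTPUT and POSTROUTING hooks (which is what the earlier comment about valid hooks points at), so a rule such as `iptables -A OUTPUT -m ifgroup ...` oopses the kernel on the first packet. Restrict where the match may be used with a `.hooks` mask on both xt_match structures (the PRE_ROUTING, LOCAL_IN and FORWARD hooks), or check `in`/`out` for NULL before use once output-interface matching is added. Minor: the two registrations can be an array passed to xt_register_matches()/xt_unregister_matches(), which removes the hand-written rollback in xt_ifgroup_init().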
-- 
1.5.2.5



[IPROUTE2 PATCH] Interface group as new ip link option

2007-10-16 Thread Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED](none)>
---
 include/linux/if_link.h |2 +
 include/rt_names.h  |2 +
 ip/ipaddress.c  |4 +++
 ip/iplink.c |   49 +
 lib/rt_names.c  |   62 +++
 man/man8/ip.8   |8 ++
 6 files changed, 127 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#defineIFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 518d8cd..405e85c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+   if (tb[IFLA_IFGROUP]) {
+   SPRINT_BUF(b1);
+   fprintf(fp, "group %s ", 
rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+   }
 #ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
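Review bot: the `*(int*)RTA_DATA(tb[IFLA_IFGROUP])` cast reads four bytes without checking RTA_PAYLOAD(tb[IFLA_IFGROUP]) first; a length check before the cast keeps a malformed message from over-reading, even though the IFLA_MTU line above follows the same pattern.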
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..87901e7 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, "promisc { on | off } |\n");
fprintf(stderr, "trailers { on | off } 
|\n");
fprintf(stderr, "txqueuelen PACKETS |\n");
+   fprintf(stderr, "group GROUP |\n");
fprintf(stderr, "name NEWNAME |\n");
fprintf(stderr, "address LLADDR | broadcast 
LLADDR |\n");
fprintf(stderr, "mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
int qlen = -1;
+   __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int 
argc, char **argv)
if (get_integer(&qlen,  *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+   } else if (matches(*argv, "group") == 0) {
+   NEXT_ARG();
+   if (group != 0)
+   duparg("group", *argv);
+
+   if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+   invarg("\"group\" value is invalid\n", *argv);
+   addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, 
sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
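Review bot: using `group == 0` both as the duparg() sentinel and as an invalid value means `ip link set DEV group 0` is rejected, so a grouped interface can never be returned to "no group"; a separate seen-flag and accepting 0 would fix that.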
@@ -462,6 +473,32 @@ static int set_mtu(const char *dev, int mtu)
return 0;
 }
 
+static int set_group(const char *dev, int ifgroup)
+{
+   struct {
+   struct nlmsghdr n;
+   struct ifinfomsgifi;
+   charbuf[256];
+   } req;
+   struct rtnl_handle rth;
+   
+   memset(&req, 0, sizeof(req));
+   req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi));
+   req.n.nlmsg_flags = NLM_F_REQUEST;
+   req.n.nlmsg_type = RTM_SETLINK;
+   
+
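Review bot: set_group() builds a separate RTM_SETLINK request on its own rtnl_handle while iplink_modify() above already sends IFLA_IFGROUP in the generic request; the function is cut off in this message, so its send and error handling cannot be checked here.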

[PATCH 0/2] Interface groups

2007-10-16 Thread Laszlo Attila Toth
Hello,

Different network interfaces can be grouped using the same group ID. With this
patch fewer netfilter rules are necessary but it may also be used by routing.

The interface group (ifgroup) member of the net_device can be modified via
netlink (with iproute2) and it is used in the new 'ifgroup' netfilter match. 

ip link set eth0 group 4
iptables -A INPUT -m ifgroup --if-group 4 -j ACCEPT

--
Laszlo Attila Toth


[PATCH 1/2] Interface group: core (netlink) part

2007-10-16 Thread Laszlo Attila Toth
Interface groups let you handle different interfaces with one (netfilter) rule.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <[EMAIL PROTECTED]>
---
 include/linux/if_link.h   |2 ++
 include/linux/netdevice.h |2 ++
 net/core/rtnetlink.c  |8 
 3 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 422084d..d9f1726 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+   IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e679b27..4cfc697 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -365,6 +365,8 @@ struct net_device
/* Interface index. Unique device identifier*/
int ifindex;
int iflink;
+   /* interface group this interface belongs to */
+   int ifgroup;
 
 
struct net_device_stats* (*get_stats)(struct net_device *dev);
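Review bot: `int ifgroup` is signed, while do_setlink() stores the result of nla_get_u32() into it and rtnl_fill_ifinfo() sends it with NLA_PUT_U32; the field should be u32. (The 2007-10-18 revision changes it to u_int32_t, which is still the user-space spelling of the same type.)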
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..18ff3c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -646,6 +646,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct 
net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+   if (dev->ifgroup)
+   NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
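Review bot: NLA_PUT_U32(IFLA_IFGROUP) is added here without enlarging if_nlmsg_size() by nla_total_size(4), so the skb allocated for an RTM_NEWLINK message can be 8 bytes too small; NLA_PUT then jumps to nla_put_failure and the message for that device fails with -EMSGSIZE. The 2007-10-18 revision adds the missing if_nlmsg_size() line.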
@@ -846,6 +849,11 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
write_unlock_bh(&dev_base_lock);
}
 
+   if (tb[IFLA_IFGROUP]) {
+   dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP ]);
+   rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
+   }
+
err = 0;
 
 errout:
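Review bot: `tb[IFLA_IFGROUP ]` has a stray space before the bracket. More importantly, nla_get_u32() is called on an attribute that has no entry in ifla_policy, so nla_parse() does not reject a short IFLA_IFGROUP in an RTM_SETLINK message; add `[IFLA_IFGROUP] = { .type = NLA_U32 }`. The rtmsg_ifinfo() call notifies for this one attribute while the surrounding attribute handlers in do_setlink() do not, which is inconsistent; notification is better made a property of do_setlink() as a whole than of one attribute.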
-- 
1.5.2.5
