diff options
Diffstat (limited to 'man')
65 files changed, 5431 insertions, 396 deletions
diff --git a/man/man3/Makefile b/man/man3/Makefile index bf55658c..a98741de 100644 --- a/man/man3/Makefile +++ b/man/man3/Makefile @@ -1,4 +1,4 @@ -MAN3PAGES=libnetlink.3 +MAN3PAGES = $(wildcard *.3) all: diff --git a/man/man3/libnetlink.3 b/man/man3/libnetlink.3 index 99be9cc9..8e3dc620 100644 --- a/man/man3/libnetlink.3 +++ b/man/man3/libnetlink.3 @@ -32,12 +32,12 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer, .br void *jarg) .sp -int rtnl_listen(struct rtnl_handle *rtnl, +int rtnl_listen(struct rtnl_handle *rtnl, int (*handler)(struct sockaddr_nl *, struct rtnl_ctrl_data *, struct nlmsghdr *n, void *), void *jarg) .sp -int rtnl_from_file(FILE *rtnl, +int rtnl_from_file(FILE *rtnl, int (*handler)(struct sockaddr_nl *,struct nlmsghdr *n, void *), void *jarg) .sp @@ -49,35 +49,35 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data) .sp int rta_addattr_l(struct rtattr *rta, int maxlen, int type, void *data, int alen) .SH DESCRIPTION -libnetlink provides a higher level interface to -.BR rtnetlink(7). +libnetlink provides a higher level interface to +.BR rtnetlink(7). The read functions return 0 on success and a negative errno on failure. The send functions return the amount of data sent, or -1 on error. -.TP +.TP rtnl_open Open a rtnetlink socket and save the state into the .B rth -handle. This handle is passed to all subsequent calls. +handle. This handle is passed to all subsequent calls. .B subscriptions is a bitmap of the rtnetlink multicast groups the socket will be a member of. .TP rtnl_wilddump_request -Request a full dump of the +Request a full dump of the .B type database for .B family addresses. .B type -is a rtnetlink message type. +is a rtnetlink message type. .\" XXX .TP rtnl_dump_request -Request a full dump of the -.B type -data buffer into +Request a full dump of the +.B type +data buffer into .B buf with maximum length of .B len. @@ -91,12 +91,12 @@ The .B filter callback checks if the received message is wanted. It gets the source address of the message, the message itself and -.B arg1 +.B arg1 as arguments. 0 as return means that the filter passed, a negative value is returned by -.I rtnl_dump_filter -in case of error. NULL for +.I rtnl_dump_filter +in case of error. NULL for .I filter means to not use a filter. .B junk @@ -106,7 +106,7 @@ pending, this function does not block. .TP rtnl_listen -Receive netlink data after a request and pass it to +Receive netlink data after a request and pass it to .I handler. .B handler is a callback that gets the message source address, anscillary data, the message @@ -118,8 +118,8 @@ pending this function does not block. .TP rtnl_from_file -Works like -.I rtnl_listen, +Works like +.I rtnl_listen, but reads a netlink message bundle from the file .B file and passes the messages to @@ -134,7 +134,7 @@ and .BR netlink(3) on how to generate a rtnetlink message. The following utility functions require a continuous buffer that already contains a netlink message header -and a rtnetlink request. +and a rtnetlink request. .TP rtnl_send @@ -168,7 +168,7 @@ length to netlink message .B n, which is part of a buffer of length .B maxlen. -.B data +.B data is copied. .TP diff --git a/man/man7/Makefile b/man/man7/Makefile index ccfd8398..689fc713 100644 --- a/man/man7/Makefile +++ b/man/man7/Makefile @@ -1,4 +1,4 @@ -MAN7PAGES = tc-hfsc.7 +MAN7PAGES = $(wildcard *.7) all: diff --git a/man/man7/tc-hfsc.7 b/man/man7/tc-hfsc.7 index ca049619..5ae5e6b3 100644 --- a/man/man7/tc-hfsc.7 +++ b/man/man7/tc-hfsc.7 @@ -555,8 +555,8 @@ Please refer to \fBtc\-stab\fR(8) . \fBtc\fR(8), \fBtc\-hfsc\fR(8), \fBtc\-stab\fR(8) -Please direct bugreports and patches to: <net...@vger.kernel.org> +Please direct bugreports and patches to: <netdev@vger.kernel.org> . .SH "AUTHOR" . -Manpage created by Michal Soltys (sol...@ziu.info) +Manpage created by Michal Soltys (soltys@ziu.info) diff --git a/man/man8/.gitignore b/man/man8/.gitignore index 4f1a476d..0c3d1504 100644 --- a/man/man8/.gitignore +++ b/man/man8/.gitignore @@ -2,4 +2,3 @@ ip-address.8 ip-link.8 ip-route.8 - diff --git a/man/man8/Makefile b/man/man8/Makefile index 2f776406..12af66be 100644 --- a/man/man8/Makefile +++ b/man/man8/Makefile @@ -1,20 +1,6 @@ TARGETS = ip-address.8 ip-link.8 ip-route.8 -MAN8PAGES = $(TARGETS) ip.8 arpd.8 lnstat.8 routel.8 rtacct.8 rtmon.8 rtpr.8 ss.8 \ - tc.8 tc-bfifo.8 tc-bpf.8 tc-cbq.8 tc-cbq-details.8 tc-choke.8 tc-codel.8 \ - tc-fq.8 \ - tc-drr.8 tc-ematch.8 tc-fq_codel.8 tc-hfsc.8 tc-htb.8 tc-pie.8 \ - tc-mqprio.8 tc-netem.8 tc-pfifo.8 tc-pfifo_fast.8 tc-prio.8 tc-red.8 \ - tc-sfb.8 tc-sfq.8 tc-stab.8 tc-tbf.8 \ - bridge.8 rtstat.8 ctstat.8 nstat.8 routef.8 \ - ip-addrlabel.8 ip-fou.8 ip-gue.8 ip-l2tp.8 \ - ip-maddress.8 ip-monitor.8 ip-mroute.8 ip-neighbour.8 \ - ip-netns.8 ip-ntable.8 ip-rule.8 ip-tunnel.8 ip-xfrm.8 \ - ip-tcp_metrics.8 ip-netconf.8 ip-token.8 \ - tipc.8 tipc-bearer.8 tipc-link.8 tipc-media.8 tipc-nametable.8 \ - tipc-node.8 tipc-socket.8 \ - tc-basic.8 tc-cgroup.8 tc-flow.8 tc-flower.8 tc-fw.8 tc-route.8 \ - tc-tcindex.8 tc-u32.8 +MAN8PAGES = $(TARGETS) $(filter-out $(TARGETS),$(wildcard *.8)) all: $(TARGETS) diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index 0ec6f174..9c5f855d 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -20,8 +20,9 @@ bridge \- show / manipulate bridge addresses and devices .IR OPTIONS " := { " \fB\-V\fR[\fIersion\fR] | \fB\-s\fR[\fItatistics\fR] | -\fB\-n\fR[\fIetns\fR] name } -\fB\-b\fR[\fIatch\fR] filename } +\fB\-n\fR[\fIetns\fR] name | +\fB\-b\fR[\fIatch\fR] filename | +\fB\-j\fR[\fIson\fR] } .ti -8 .BR "bridge link set" @@ -42,7 +43,8 @@ bridge \- show / manipulate bridge addresses and devices .BR learning_sync " { " on " | " off " } ] [ " .BR flood " { " on " | " off " } ] [ " .BR hwmode " { " vepa " | " veb " } ] [ " -.BR self " ] [ " master " ] " +.BR mcast_flood " { " on " | " off " } ] [ " +.BR self " ] [ " master " ]" .ti -8 .BR "bridge link" " [ " show " ] [ " @@ -54,7 +56,7 @@ bridge \- show / manipulate bridge addresses and devices .I LLADDR .B dev .IR DEV " { " -.BR local " | " temp " } [ " +.BR local " | " static " | " dynamic " } [ " .BR self " ] [ " master " ] [ " router " ] [ " use " ] [ " .B dst .IR IPADDR " ] [ " @@ -68,7 +70,15 @@ bridge \- show / manipulate bridge addresses and devices .ti -8 .BR "bridge fdb" " [ " show " ] [ " .B dev -.IR DEV " ]" +.IR DEV " ] [ " +.B br +.IR BRDEV " ] [ " +.B brport +.IR DEV " ] [ " +.B vlan +.IR VID " ] [ " +.B state +.IR STATE " ]" .ti -8 .BR "bridge mdb" " { " add " | " del " } " @@ -119,6 +129,10 @@ is given multiple times, the amount of information increases. As a rule, the information is statistics or some time values. .TP +.BR "\-d" , " \-details" +print detailed information about MDB router ports. + +.TP .BR "\-n" , " \-net" , " \-netns " <NETNS> switches .B bridge @@ -149,6 +163,10 @@ Don't terminate bridge command on errors in batch mode. If there were any errors during execution of the commands, the application return code will be non zero. +.TP +.BR "\-json" +Display results in JSON format. Currently available for vlan and fdb. + .SH BRIDGE - COMMAND SYNTAX .SS @@ -230,8 +248,8 @@ error. .sp .B 1 -- STP LISTENING state. Only valid if STP is enabled on the brige. In this -state the port for list for STP BPDUs and drop all other traffic. +- STP LISTENING state. Only valid if STP is enabled on the bridge. In this +state the port listens for STP BPDUs and drops all other traffic frames. .sp .B 2 @@ -252,7 +270,7 @@ STP BPDUs. .TP .BR "guard on " or " guard off " -Controls whether STP BPUDs will be processed by the bridge port. By default, +Controls whether STP BPDUs will be processed by the bridge port. By default, the flag is turned off allowed BPDU processing. Turning this flag on will cause the port to stop processing STP BPDUs. @@ -301,6 +319,10 @@ switch. - bridging happens in hardware. .TP +.BR "mcast_flood on " or " mcast_flood off " +Controls whether a given port will be flooded with multicast traffic for which there is no MDB entry. By default this flag is on. + +.TP .BI self link setting is configured on specified physical device @@ -338,6 +360,18 @@ the Ethernet MAC address. .BI dev " DEV" the interface to which this address is associated. +.B local +- is a local permanent fdb entry +.sp + +.B static +- is a static (no arp) fdb entry +.sp + +.B dynamic +- is a dynamic reachable age-able fdb entry +.sp + .B self - the address is associated with the port drivers fdb. Usually hardware. .sp @@ -491,6 +525,11 @@ With the option, the command becomes verbose. It prints out the ports known to have a connected router. +.PP +With the +.B -statistics +option, the command displays timer values for mdb and router port entries. + .SH bridge vlan - VLAN filter list .B vlan @@ -530,8 +569,8 @@ device is the bridge device. .BI master the vlan is configured on the software bridge (default). -.SS bridge vlan delete - delete a forwarding database entry -This command removes an existing fdb entry. +.SS bridge vlan delete - delete a vlan filter entry +This command removes an existing vlan filter entry. .PP The arguments are the same as with @@ -544,6 +583,11 @@ flags are ignored. This command displays the current VLAN filter table. +.PP +With the +.B -statistics +option, the command displays per-vlan traffic statistics. + .SH bridge monitor - state monitoring The diff --git a/man/man8/devlink-dev.8 b/man/man8/devlink-dev.8 new file mode 100644 index 00000000..b074d57a --- /dev/null +++ b/man/man8/devlink-dev.8 @@ -0,0 +1,126 @@ +.TH DEVLINK\-DEV 8 "14 Mar 2016" "iproute2" "Linux" +.SH NAME +devlink-dev \- devlink device configuration +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B devlink +.RI "[ " OPTIONS " ]" +.B dev +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-n\fR[\fIno-nice-names\fR] } + +.ti -8 +.B devlink dev show +.RI "[ " DEV " ]" + +.ti -8 +.B devlink dev help + +.ti -8 +.BR "devlink dev eswitch set" +.IR DEV +.RI "[ " +.BR mode " { " legacy " | " switchdev " } " +.RI "]" +.RI "[ " +.BR inline-mode " { " none " | " link " | " network " | " transport " } " +.RI "]" +.RI "[ " +.BR encap " { " disable " | " enable " } " +.RI "]" + +.ti -8 +.BR "devlink dev eswitch show" +.IR DEV + +.SH "DESCRIPTION" +.SS devlink dev show - display devlink device attributes + +.PP +.I "DEV" +- specifies the devlink device to show. +If this argument is omitted all devices are listed. + +.in +4 +Format is: +.in +2 +BUS_NAME/BUS_ADDRESS + +.SS devlink dev eswitch show - display devlink device eswitch attributes +.SS devlink dev eswitch set - sets devlink device eswitch attributes + +.TP +.BR mode " { " legacy " | " switchdev " } " +Set eswitch mode + +.I legacy +- Legacy SRIOV + +.I switchdev +- SRIOV switchdev offloads + +.TP +.BR inline-mode " { " none " | " link " | " network " | " transport " } " +Some HWs need the VF driver to put part of the packet headers on the TX descriptor so the e-switch can do proper matching and steering. + +.I none +- None + +.I link +- L2 mode + +.I network +- L3 mode + +.I transport +- L4 mode + +.TP +.BR encap " { " disable " | " enable " } " +Set eswitch encapsulation support + +.I disable +- Disable encapsulation support + +.I enable +- Enable encapsulation support + +.SH "EXAMPLES" +.PP +devlink dev show +.RS 4 +Shows the state of all devlink devices on the system. +.RE +.PP +devlink dev show pci/0000:01:00.0 +.RS 4 +Shows the state of specified devlink device. +.RE +.PP +devlink dev eswitch show pci/0000:01:00.0 +.RS 4 +Shows the eswitch mode of specified devlink device. +.RE +.PP +devlink dev eswitch set pci/0000:01:00.0 mode switchdev +.RS 4 +Sets the eswitch mode of specified devlink device to switchdev. + +.SH SEE ALSO +.BR devlink (8), +.BR devlink-port (8), +.BR devlink-sb (8), +.BR devlink-monitor (8), +.br + +.SH AUTHOR +Jiri Pirko <jiri@mellanox.com> diff --git a/man/man8/devlink-monitor.8 b/man/man8/devlink-monitor.8 new file mode 100644 index 00000000..13fe641d --- /dev/null +++ b/man/man8/devlink-monitor.8 @@ -0,0 +1,37 @@ +.TH DEVLINK\-MONITOR 8 "14 Mar 2016" "iproute2" "Linux" +.SH "NAME" +devlink-monitor \- state monitoring +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.BR "devlink monitor" " [ " all " |" +.IR OBJECT-LIST " ]" +.sp + +.SH DESCRIPTION +The +.B devlink +utility can monitor the state of devlink devices and ports +continuously. This option has a slightly different format. Namely, the +.B monitor +command is the first in the command line and then the object list. + +.I OBJECT-LIST +is the list of object types that we want to monitor. +It may contain +.BR dev ", " port ". + +.B devlink +opens Devlink Netlink socket, listens on it and dumps state changes. + +.SH SEE ALSO +.BR devlink (8), +.BR devlink-dev (8), +.BR devlink-sb (8), +.BR devlink-port (8), +.br + +.SH AUTHOR +Jiri Pirko <jiri@mellanox.com> diff --git a/man/man8/devlink-port.8 b/man/man8/devlink-port.8 new file mode 100644 index 00000000..a639d01f --- /dev/null +++ b/man/man8/devlink-port.8 @@ -0,0 +1,128 @@ +.TH DEVLINK\-PORT 8 "14 Mar 2016" "iproute2" "Linux" +.SH NAME +devlink-port \- devlink port configuration +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B devlink +.RI "[ " OPTIONS " ]" +.B port +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-n\fR[\fIno-nice-names\fR] } + +.ti -8 +.BR "devlink port set " +.IR DEV/PORT_INDEX +.RI "[ " +.BR type " { " eth " | " ib " | " auto " }" +.RI "]" + +.ti -8 +.BR "devlink port split " +.IR DEV/PORT_INDEX +.BR count +.IR COUNT + +.ti -8 +.BR "devlink port unsplit " +.IR DEV/PORT_INDEX + +.ti -8 +.B devlink port show +.RI "[ " DEV/PORT_INDEX " ]" + +.ti -8 +.B devlink port help + +.SH "DESCRIPTION" +.SS devlink port set - change devlink port attributes + +.PP +.B "DEV/PORT_INDEX" +- specifies the devlink port to operate on. + +.in +4 +Format is: +.in +2 +BUS_NAME/BUS_ADDRESS/PORT_INDEX + +.TP +.BR type " { " eth " | " ib " | " auto " } " +set port type + +.I eth +- Ethernet + +.I ib +- Infiniband + +.I auto +- autoselect + +.SS devlink port split - split devlink port into more + +.PP +.B "DEV/PORT_INDEX" +- specifies the devlink port to operate on. + +.TP +.BI count " COUNT" +number of ports to split to. + +.SS devlink port unsplit - unsplit previously split devlink port +Could be performed on any split port of the same split group. + +.PP +.B "DEV/PORT_INDEX" +- specifies the devlink port to operate on. + +.SS devlink port show - display devlink port attributes + +.PP +.I "DEV/PORT_INDEX" +- specifies the devlink port to show. +If this argument is omitted all ports are listed. + +.SH "EXAMPLES" +.PP +devlink port show +.RS 4 +Shows the state of all devlink ports on the system. +.RE +.PP +devlink port show pci/0000:01:00.0/1 +.RS 4 +Shows the state of specified devlink port. +.RE +.PP +devlink port set pci/0000:01:00.0/1 type eth +.RS 4 +Set type of specified devlink port to Ethernet. +.RE +.PP +devlink port split pci/0000:01:00.0/1 count 4 +.RS 4 +Split the specified devlink port into four ports. +.RE +.PP +devlink port unsplit pci/0000:01:00.0/1 +.RS 4 +Unplit the specified previously split devlink port. + +.SH SEE ALSO +.BR devlink (8), +.BR devlink-dev (8), +.BR devlink-sb (8), +.BR devlink-monitor (8), +.br + +.SH AUTHOR +Jiri Pirko <jiri@mellanox.com> diff --git a/man/man8/devlink-sb.8 b/man/man8/devlink-sb.8 new file mode 100644 index 00000000..ffb5553e --- /dev/null +++ b/man/man8/devlink-sb.8 @@ -0,0 +1,313 @@ +.TH DEVLINK\-SB 8 "14 Apr 2016" "iproute2" "Linux" +.SH NAME +devlink-sb \- devlink shared buffer configuration +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B devlink +.RI "[ " OPTIONS " ]" +.B sb +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-n\fR[\fIno-nice-names\fR] } + +.ti -8 +.BR "devlink sb show " +.RI "[ " DEV " [ " +.B sb +.IR SB_INDEX " ] ]" + +.ti -8 +.BR "devlink sb pool show " +.RI "[ " DEV " [ " +.B sb +.IR SB_INDEX " ] " +.br +.B pool +.IR POOL_INDEX " ]" + +.ti -8 +.BI "devlink sb pool set " DEV " +.RB "[ " sb +.IR SB_INDEX " ] " +.br +.BI pool " POOL_INDEX " +.br +.BI size " POOL_SIZE " +.br +.BR thtype " { " static " | " dynamic " }" + +.ti -8 +.BR "devlink sb port pool show " +.RI "[ " DEV/PORT_INDEX " [ " +.B sb +.IR SB_INDEX " ] " +.br +.B pool +.IR POOL_INDEX " ]" + +.ti -8 +.BI "devlink sb port pool set " DEV/PORT_INDEX " +.RB "[ " sb +.IR SB_INDEX " ] " +.br +.BI pool " POOL_INDEX " +.br +.BI th " THRESHOLD " + +.ti -8 +.BR "devlink sb tc bind show " +.RI "[ " DEV/PORT_INDEX " [ " +.B sb +.IR SB_INDEX " ] " +.br +.BI tc " TC_INDEX " +.br +.B type +.RB "{ " ingress " | " egress " } ]" + +.ti -8 +.BI "devlink sb tc bind set " DEV/PORT_INDEX " +.RB "[ " sb +.IR SB_INDEX " ] " +.br +.BI tc " TC_INDEX " +.br +.BR type " { " ingress " | " egress " }" +.br +.BI pool " POOL_INDEX " +.br +.BI th " THRESHOLD " + +.ti -8 +.BR "devlink sb occupancy show " +.RI "{ " DEV " | " DEV/PORT_INDEX " } [ " +.B sb +.IR SB_INDEX " ] " + +.ti -8 +.BR "devlink sb occupancy snapshot " +.IR DEV " [ " +.B sb +.IR SB_INDEX " ]" + +.ti -8 +.BR "devlink sb occupancy clearmax " +.IR DEV " [ " +.B sb +.IR SB_INDEX " ]" + +.ti -8 +.B devlink sb help + +.SH "DESCRIPTION" +.SS devlink sb show - display available shared buffers and their attributes + +.PP +.I "DEV" +- specifies the devlink device to show shared buffers. +If this argument is omitted all shared buffers of all devices are listed. + +.PP +.I "SB_INDEX" +- specifies the shared buffer. +If this argument is omitted shared buffer with index 0 is selected. +Behaviour of this argument it the same for every command. + +.SS devlink sb pool show - display available pools and their attributes + +.PP +.I "DEV" +- specifies the devlink device to show pools. +If this argument is omitted all pools of all devices are listed. + +.SS devlink sb pool set - set attributes of pool + +.PP +.I "DEV" +- specifies the devlink device to set pool. + +.TP +.BI size " POOL_SIZE" +size of the pool in Bytes. + +.TP +.BR thtype " { " static " | " dynamic " } " +pool threshold type. + +.I static +- Threshold values for the pool will be passed in Bytes. + +.I dynamic +- Threshold values ("to_alpha") for the pool will be used to compute alpha parameter according to formula: +.br +.in +16 +alpha = 2 ^ (to_alpha - 10) +.in -16 + +.in +10 +The range of the passed value is between 0 to 20. The computed alpha is used to determine the maximum usage of the flow: +.in -10 +.br +.in +16 +max_usage = alpha / (1 + alpha) * Free_Buffer +.in -16 + +.SS devlink sb port pool show - display port-pool combinations and threshold for each +.I "DEV/PORT_INDEX" +- specifies the devlink port. + +.TP +.BI pool " POOL_INDEX" +pool index. + +.SS devlink sb port pool set - set port-pool threshold +.I "DEV/PORT_INDEX" +- specifies the devlink port. + +.TP +.BI pool " POOL_INDEX" +pool index. + +.TP +.BI th " THRESHOLD" +threshold value. Type of the value is either Bytes or "to_alpha", depends on +.B thtype +set for the pool. + +.SS devlink sb tc bind show - display port-TC to pool bindings and threshold for each + +.I "DEV/PORT_INDEX" +- specifies the devlink port. + +.TP +.BI tc " TC_INDEX" +index of either ingress or egress TC, usually in range 0 to 8 (depends on device). + +.TP +.BR type " { " ingress " | " egress " } " +TC type. + +.SS devlink sb tc bind set - set port-TC to pool binding with specified threshold + +.I "DEV/PORT_INDEX" +- specifies the devlink port. + +.TP +.BI tc " TC_INDEX" +index of either ingress or egress TC, usually in range 0 to 8 (depends on device). + +.TP +.BR type " { " ingress " | " egress " } " +TC type. + +.TP +.BI pool " POOL_INDEX" +index of pool to bind this to. + +.TP +.BI th " THRESHOLD" +threshold value. Type of the value is either Bytes or "to_alpha", depends on +.B thtype +set for the pool. + +.SS devlink sb occupancy show - display shared buffer occupancy values for device or port + +.PP +This command is used to browse shared buffer occupancy values. Values are showed for every port-pool combination as well as for all port-TC combinations (with pool this port-TC is bound to). Format of value is: +.br +.in +16 +current_value/max_value +.in -16 +Note that before showing values, one has to issue +.b occupancy snapshot +command first. + +.PP +.I "DEV" +- specifies the devlink device to show occupancy values for. + +.I "DEV/PORT_INDEX" +- specifies the devlink port to show occupancy values for. + +.SS devlink sb occupancy snapshot - take occupancy snapshot of shared buffer for device +This command is used to take a snapshot of shared buffer occupancy values. After that, the values can be showed using +.B occupancy show +command. + +.PP +.I "DEV" +- specifies the devlink device to take occupancy snapshot on. + +.SS devlink sb occupancy clearmax - clear occupancy watermarks of shared buffer for device +This command is used to reset maximal occupancy values reached for whole device. Note that before browsing reset values, one has to issue +.B occupancy snapshot +command. + +.PP +.I "DEV" +- specifies the devlink device to clear occupancy watermarks on. + +.SH "EXAMPLES" +.PP +devlink sb show +.RS 4 +List available share buffers. +.RE +.PP +devlink sb pool show +.RS 4 +List available pools and their config. +.RE +.PP +devlink sb port pool show pci/0000:03:00.0/1 pool 0 +.RS 4 +Show port-pool setup for specified port and pool. +.RE +.PP +sudo devlink sb port pool set pci/0000:03:00.0/1 pool 0 th 15 +.RS 4 +Change threshold for port specified port and pool. +.RE +.PP +devlink sb tc bind show pci/0000:03:00.0/1 tc 0 type ingress +.RS 4 +Show pool binding and threshold for specified port and TC. +.RE +.PP +sudo devlink sb tc bind set pci/0000:03:00.0/1 tc 0 type ingress pool 0 th 9 +.RS 4 +Set pool binding and threshold for specified port and TC. +.RE +.PP +sudo devlink sb occupancy snapshot pci/0000:03:00.0 +.RS 4 +Make a snapshot of occupancy of shared buffer for specified devlink device. +.RE +.PP +devlink sb occupancy show pci/0000:03:00.0/1 +.RS 4 +Show occupancy for specified port from the snapshot. +.RE +.PP +sudo devlink sb occupancy clearmax pci/0000:03:00.0 +.RS 4 +Clear watermarks for shared buffer of specified devlink device. + + +.SH SEE ALSO +.BR devlink (8), +.BR devlink-dev (8), +.BR devlink-port (8), +.BR devlink-monitor (8), +.br + +.SH AUTHOR +Jiri Pirko <jiri@mellanox.com> diff --git a/man/man8/devlink.8 b/man/man8/devlink.8 new file mode 100644 index 00000000..a975ef34 --- /dev/null +++ b/man/man8/devlink.8 @@ -0,0 +1,115 @@ +.TH DEVLINK 8 "14 Mar 2016" "iproute2" "Linux" +.SH NAME +devlink \- Devlink tool +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B devlink +.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.B devlink +.RB "[ " -force " ] " +.BI "-batch " filename +.sp + +.ti -8 +.IR OBJECT " := { " +.BR dev " | " port " | " monitor " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-n\fR[\fIno-nice-names\fR] } +\fB\-j\fR[\fIjson\fR] } +\fB\-p\fR[\fIpretty\fR] } + +.SH OPTIONS + +.TP +.BR "\-V" , " --Version" +Print the version of the +.B devlink +utility and exit. + +.TP +.BR "\-b", " \-batch " <FILENAME> +Read commands from provided file or standard input and invoke them. +First failure will cause termination of devlink. + +.TP +.BR "\-force" +Don't terminate devlink on errors in batch mode. +If there were any errors during execution of the commands, the application return code will be non zero. + +.TP +.BR "\-n" , " --no-nice-names" +Turn off printing out nice names, for example netdevice ifnames instead of devlink port identification. + +.TP +.BR "\-j" , " --json" +Generate JSON output. + +.TP +.BR "\-p" , " --pretty" +When combined with -j generate a pretty JSON output. + +.SS +.I OBJECT + +.TP +.B dev +- devlink device. + +.TP +.B port +- devlink port. + +.TP +.B monitor +- watch for netlink messages. + +.SS +.I COMMAND + +Specifies the action to perform on the object. +The set of possible actions depends on the object type. +As a rule, it is possible to +.B show +(or +.B list +) objects, but some objects do not allow all of these operations +or have some additional commands. The +.B help +command is available for all objects. It prints +out a list of available commands and argument syntax conventions. +.sp +If no command is given, some default command is assumed. +Usually it is +.B list +or, if the objects of this class cannot be listed, +.BR "help" . + +.SH EXIT STATUS +Exit status is 0 if command was successful or a positive integer upon failure. + +.SH SEE ALSO +.BR devlink-dev (8), +.BR devlink-port (8), +.BR devlink-monitor (8), +.BR devlink-sb (8), +.br + +.SH REPORTING BUGS +Report any bugs to the Network Developers mailing list +.B <netdev@vger.kernel.org> +where the development and maintenance is primarily done. +You do not have to be subscribed to the list to send a message there. + +.SH AUTHOR +Jiri Pirko <jiri@mellanox.com> diff --git a/man/man8/ifstat.8 b/man/man8/ifstat.8 index e49d8680..3ba0088d 100644 --- a/man/man8/ifstat.8 +++ b/man/man8/ifstat.8 @@ -14,7 +14,8 @@ ifstat \- handy utility to read network interface statistics The utility keeps records of the previous data displayed in history files and by default only shows difference between the last and the current call. Location of the history files defaults to /tmp/.ifstat.u$UID but may be -overridden with the IFSTAT_HISTORY environment variable. +overridden with the IFSTAT_HISTORY environment variable. Similarly, the default +location for xstat (extended stats) is /tmp/.<xstat name>_ifstat.u$UID. .SH OPTIONS .TP .B \-h, \-\-help @@ -46,6 +47,15 @@ Report average over the last SECS seconds. .TP .B \-z, \-\-zeros Show entries with zero activity. +.TP +.B \-x, \-\-extended=TYPE +Show extended stats of TYPE. Supported types are: + +.in +8 +.B cpu_hits +- Counts only packets that went via the CPU. +.in -8 + .SH ENVIRONMENT .TP .B IFSTAT_HISTORY diff --git a/man/man8/ip-address.8.in b/man/man8/ip-address.8.in index 159d9065..988a7965 100644 --- a/man/man8/ip-address.8.in +++ b/man/man8/ip-address.8.in @@ -23,7 +23,7 @@ ip-address \- protocol address management .IB IFADDR " dev " IFNAME " [ " mngtmpaddr " ]" .ti -8 -.BR "ip address" " { " show " | " save " | " flush " } [ " dev +.BR "ip address" " { " save " | " flush " } [ " dev .IR IFNAME " ] [ " .B scope .IR SCOPE-ID " ] [ " @@ -33,6 +33,23 @@ ip-address \- protocol address management .IR PATTERN " ] [ " up " ]" .ti -8 +.BR "ip address" " [ " show " [ " dev +.IR IFNAME " ] [ " +.B scope +.IR SCOPE-ID " ] [ " +.B to +.IR PREFIX " ] [ " FLAG-LIST " ] [ " +.B label +.IR PATTERN " ] [ " +.B master +.IR DEVICE " ] [ " +.B type +.IR TYPE " ] [ " +.B vrf +.IR NAME " ] [ " +.BR up " ] ]" + +.ti -8 .BR "ip address" " { " showdump " | " restore " }" .ti -8 @@ -58,21 +75,22 @@ ip-address \- protocol address management .ti -8 .IR FLAG " := " -.RB "[ " permanent " | " dynamic " | " secondary " | " primary " | \ -[ - ] " tentative " | [ - ] " deprecated " | [ - ] " dadfailed " | "\ -temporary " | " CONFFLAG-LIST " ]" +.RB "[ " permanent " | " dynamic " | " secondary " | " primary " |" +.RB [ - ] tentative " | [" - ] deprecated " | [" - ] dadfailed " |" +.BR temporary " |" +.IR CONFFLAG-LIST " ]" .ti -8 .IR CONFFLAG-LIST " := [ " CONFFLAG-LIST " ] " CONFFLAG .ti -8 .IR CONFFLAG " := " -.RB "[ " home " | " mngtmpaddr " | " nodad " | " noprefixroute " ]" +.RB "[ " home " | " mngtmpaddr " | " nodad " | " noprefixroute " | " autojoin " ]" .ti -8 .IR LIFETIME " := [ " .BI valid_lft " LFT" -.RB "| " preferred_lft +.RB "] [ " preferred_lft .IR LFT " ]" .ti -8 @@ -80,6 +98,39 @@ temporary " | " CONFFLAG-LIST " ]" .BR forever " |" .IR SECONDS " ]" +.ti -8 +.IR TYPE " := [ " +.BR bridge " | " +.BR bridge_slave " |" +.BR bond " | " +.BR bond_slave " |" +.BR can " | " +.BR dummy " | " +.BR hsr " | " +.BR ifb " | " +.BR ipoib " |" +.BR macvlan " | " +.BR macvtap " | " +.BR vcan " | " +.BR veth " | " +.BR vlan " | " +.BR vxlan " |" +.BR ip6tnl " |" +.BR ipip " |" +.BR sit " |" +.BR gre " |" +.BR gretap " |" +.BR erspan " |" +.BR ip6gre " |" +.BR ip6gretap " |" +.BR vti " |" +.BR vrf " |" +.BR nlmon " |" +.BR ipvlan " |" +.BR lowpan " |" +.BR geneve " |" +.BR macsec " ]" + .SH "DESCRIPTION" The .B address @@ -201,6 +252,26 @@ address, and don't search for one to delete when removing the address. Changing an address to add this flag will remove the automatically added prefix route, changing it to remove this flag will create the prefix route automatically. +.TP +.B autojoin +Joining multicast groups on Ethernet level via +.B "ip maddr" +command does not work if connected to an Ethernet switch that does IGMP +snooping since the switch would not replicate multicast packets on ports that +did not have IGMP reports for the multicast addresses. + +Linux VXLAN interfaces created via +.B "ip link add vxlan" +have the +.B group +option that enables them to do the required join. + +Using the +.B autojoin +flag when adding a multicast address enables similar functionality for +Openvswitch VXLAN interfaces as well as other tunneling mechanisms that need to +receive multicast traffic. + .SS ip address delete - delete protocol address .B Arguments: coincide with the arguments of @@ -230,6 +301,24 @@ only list addresses with labels matching the is a usual shell style pattern. .TP +.BI master " DEVICE" +only list interfaces enslaved to this master device. + +.TP +.BI vrf " NAME " +only list interfaces enslaved to this vrf. + +.TP +.BI type " TYPE" +only list interfaces of the given type. + +Note that the type name is not checked against the list of supported types - +instead it is sent as-is to the kernel. Later it is used to filter the returned +interface list by comparing it with the relevant attribute in case the kernel +didn't filter already. Therefore any string is accepted, but may lead to empty +output. + +.TP .B up only list running interfaces. @@ -280,8 +369,8 @@ This command flushes the protocol addresses selected by some criteria. .PP This command has the same arguments as -.B show. -The difference is that it does not run when no arguments are given. +.BR show " except that " type " and " master " selectors are not supported." +Another difference is that it does not run when no arguments are given. .PP .B Warning: diff --git a/man/man8/ip-addrlabel.8 b/man/man8/ip-addrlabel.8 index 51ef5727..233d6067 100644 --- a/man/man8/ip-addrlabel.8 +++ b/man/man8/ip-addrlabel.8 @@ -6,21 +6,9 @@ ip-addrlabel \- protocol address label management .ad l .in +8 .ti -8 -.B ip -.RI "[ " OPTIONS " ]" -.B addrlabel +.B ip addrlabel .RI " { " COMMAND " | " .BR help " }" -.sp - -.ti -8 -.IR OPTIONS " := { " -\fB\-V\fR[\fIersion\fR] | -\fB\-s\fR[\fItatistics\fR] | -\fB\-r\fR[\fIesolve\fR] | -\fB\-f\fR[\fIamily\fR] { -.BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | " -\fB\-o\fR[\fIneline\fR] } .ti -8 .BR "ip addrlabel" " { " add " | " del " } " prefix diff --git a/man/man8/ip-fou.8 b/man/man8/ip-fou.8 index 0fa22ee6..0c8f0a4d 100644 --- a/man/man8/ip-fou.8 +++ b/man/man8/ip-fou.8 @@ -56,7 +56,7 @@ in the delete command. .PP .SS Configure a FOU receive port for GRE bound to 7777 .nf -# ip fou add port 8888 ipproto 47 +# ip fou add port 7777 ipproto 47 .PP .SS Configure a FOU receive port for IPIP bound to 8888 .nf diff --git a/man/man8/ip-l2tp.8 b/man/man8/ip-l2tp.8 index 1738035f..8ce630a6 100644 --- a/man/man8/ip-l2tp.8 +++ b/man/man8/ip-l2tp.8 @@ -15,10 +15,7 @@ ip-l2tp - L2TPv3 static unmanaged tunnel configuration .ti -8 .BR "ip l2tp add tunnel" .br -.B remote -.RI "[ " ADDR " ]" -.B local -.RI "[ " ADDR " ]" +.BI remote " ADDR " local " ADDR " .br .B tunnel_id .IR ID @@ -33,6 +30,12 @@ ip-l2tp - L2TPv3 static unmanaged tunnel configuration .IR PORT .RB " ]" .br +.RB "[ " udp_csum " { " on " | " off " } ]" +.br +.RB "[ " udp6_csum_tx " { " on " | " off " } ]" +.br +.RB "[ " udp6_csum_rx " { " on " | " off " } ]" +.br .ti -8 .BR "ip l2tp add session" .RB "[ " name @@ -54,6 +57,8 @@ ip-l2tp - L2TPv3 static unmanaged tunnel configuration .br .RB "[ " l2spec_type " { " none " | " default " } ]" .br +.RB "[ " seq " { " none " | " send " | " recv " | " both " } ]" +.br .RB "[ " offset .IR OFFSET .RB " ] [ " peer_offset @@ -73,24 +78,21 @@ ip-l2tp - L2TPv3 static unmanaged tunnel configuration .IR ID .br .ti -8 -.BR "ip l2tp show tunnel" -.B "[" tunnel_id -.IR ID -.B "]" +.BR "ip l2tp show tunnel" " [ " tunnel_id +.IR ID " ]" .br .ti -8 -.BR "ip l2tp show session" -.B "[" tunnel_id -.IR ID -.B "] [" session_id -.IR ID -.B "]" +.BR "ip l2tp show session" " [ " tunnel_id +.IR ID .B " ] [" +.B session_id +.IR ID " ]" .br .ti -8 .IR NAME " := " .IR STRING .ti -8 -.IR ADDR " := { " IP_ADDRESS " }" +.IR ADDR " := { " IP_ADDRESS " |" +.BR any " }" .ti -8 .IR PORT " := { " NUMBER " }" .ti -8 @@ -160,9 +162,6 @@ tunnels and sessions to be established and provides for detecting and acting upon network failures. .SS ip l2tp add tunnel - add a new tunnel .TP -.BI name " NAME " -sets the session network interface name. Default is l2tpethN. -.TP .BI tunnel_id " ID" set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel. The value used must match the peer_tunnel_id @@ -197,6 +196,33 @@ selected. set the UDP destination port to be used for the tunnel. Must be present when udp encapsulation is selected. Ignored when ip encapsulation is selected. +.TP +.BI udp_csum " STATE" +(IPv4 only) control if IPv4 UDP checksums should be calculated and checked for the +encapsulating UDP packets, when UDP encapsulating is selected. +Default is +.BR off "." +.br +Valid values are: +.BR on ", " off "." +.TP +.BI udp6_csum_tx " STATE" +(IPv6 only) control if IPv6 UDP checksums should be calculated for encapsulating +UDP packets, when UDP encapsulating is selected. +Default is +.BR on "." +.br +Valid values are: +.BR on ", " off "." +.TP +.BI udp6_csum_rx " STATE" +(IPv6 only) control if IPv6 UDP checksums should be checked for the encapsulating +UDP packets, when UDP encapsulating is selected. +Default is +.BR on "." +.br +Valid values are: +.BR on ", " off "." .SS ip l2tp del tunnel - destroy a tunnel .TP .BI tunnel_id " ID" @@ -245,7 +271,20 @@ find in received L2TP packets. Default is to use no cookie. set the layer2specific header type of the session. .br Valid values are: -.BR none ", " udp "." +.BR none ", " default "." +.TP +.BI seq " SEQ" +controls sequence numbering to prevent or detect out of order packets. +.B send +puts a sequence number in the default layer2specific header of each +outgoing packet. +.B recv +reorder packets if they are received out of order. +Default is +.BR none "." +.br +Valid values are: +.BR none ", " send ", " recv ", " both "." .TP .BI offset " OFFSET" sets the byte offset from the L2TP header where user data starts in diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in index 4d323435..d96ee288 100644 --- a/man/man8/ip-link.8.in +++ b/man/man8/ip-link.8.in @@ -6,25 +6,12 @@ ip-link \- network device configuration .ad l .in +8 .ti -8 -.B ip -.RI "[ " OPTIONS " ]" -.B link +.B ip link .RI " { " COMMAND " | " .BR help " }" .sp .ti -8 -.IR OPTIONS " := { " -\fB\-V\fR[\fIersion\fR] | -\fB\-h\fR[\fIuman-readable\fR] | -\fB\-s\fR[\fItatistics\fR] | -\fB\-r\fR[\fIesolve\fR] | -\fB\-f\fR[\fIamily\fR] { -.BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | " -\fB\-o\fR[\fIneline\fR] | -\fB\-br\fR[\fIief\fR] } - -.ti -8 .BI "ip link add" .RB "[ " link .IR DEVICE " ]" @@ -49,38 +36,10 @@ ip-link \- network device configuration .RB "[ " numrxqueues .IR QUEUE_COUNT " ]" .br -.BR type " TYPE" +.BI type " TYPE" .RI "[ " ARGS " ]" .ti -8 -.IR TYPE " := [ " -.BR bridge " | " -.BR bond " | " -.BR can " | " -.BR dummy " | " -.BR hsr " | " -.BR ifb " | " -.BR ipoib " |" -.BR macvlan " | " -.BR macvtap " | " -.BR vcan " | " -.BR veth " | " -.BR vlan " | " -.BR vxlan " |" -.BR ip6tnl " |" -.BR ipip " |" -.BR sit " |" -.BR gre " |" -.BR gretap " |" -.BR ip6gre " |" -.BR ip6gretap " |" -.BR vti " |" -.BR nlmon " |" -.BR ipvlan " |" -.BR lowpan " |" -.BR geneve " ]" - -.ti -8 .BR "ip link delete " { .IR DEVICE " | " .BI "group " GROUP @@ -92,85 +51,184 @@ ip-link \- network device configuration .BR "ip link set " { .IR DEVICE " | " .BI "group " GROUP -.RB "} { " up " | " down " | " arp " { " on " | " off " } |" +} .br -.BR promisc " { " on " | " off " } |" +.RB "[ { " up " | " down " } ]" .br -.BR allmulticast " { " on " | " off " } |" +.RB "[ " type +.IR "ETYPE TYPE_ARGS" " ]" .br -.BR dynamic " { " on " | " off " } |" +.RB "[ " arp " { " on " | " off " } ]" .br -.BR multicast " { " on " | " off " } |" +.RB "[ " dynamic " { " on " | " off " } ]" .br -.BR protodown " { " on " | " off " } |" +.RB "[ " multicast " { " on " | " off " } ]" .br -.B txqueuelen -.IR PACKETS " |" +.RB "[ " allmulticast " { " on " | " off " } ]" .br -.B name -.IR NEWNAME " |" +.RB "[ " promisc " { " on " | " off " } ]" .br -.B address -.IR LLADDR " |" -.B broadcast -.IR LLADDR " |" +.RB "[ " protodown " { " on " | " off " } ]" .br -.B mtu -.IR MTU " |" +.RB "[ " trailers " { " on " | " off " } ]" .br -.B netns -.IR PID " |" +.RB "[ " txqueuelen +.IR PACKETS " ]" .br -.B netns -.IR NETNSNAME " |" +.RB "[ " name +.IR NEWNAME " ]" .br -.B alias -.IR NAME " |" +.RB "[ " address +.IR LLADDR " ]" .br -.B vf +.RB "[ " broadcast +.IR LLADDR " ]" +.br +.RB "[ " mtu +.IR MTU " ]" +.br +.RB "[ " netns " {" +.IR PID " | " NETNSNAME " } ]" +.br +.RB "[ " link-netnsid +.IR ID " ]" +.br +.RB "[ " alias +.IR NAME " ]" +.br +.RB "[ " vf .IR NUM " [" .B mac -.IR LLADDR " ] [" -.B vlan -.IR VLANID " [ " -.B qos -.IR VLAN-QOS " ] ] [" -.B rate -.IR TXRATE " ] [" -.B max_tx_rate -.IR TXRATE " ] [" -.B min_tx_rate -.IR TXRATE " ] [" -.B spoofchk { on | off } ] [ -.B state { auto | enable | disable} -] | +.IR LLADDR " ]" .br -.B master -.IR DEVICE " |" +.in +9 +.RI "[ " VFVLAN-LIST " ]" .br -.B nomaster " |" +.RB "[ " rate +.IR TXRATE " ]" .br -.B addrgenmode { eui64 | none | stable_secret | random } +.RB "[ " max_tx_rate +.IR TXRATE " ]" +.br +.RB "[ " min_tx_rate +.IR TXRATE " ]" +.br +.RB "[ " spoofchk " { " on " | " off " } ]" +.br +.RB "[ " query_rss " { " on " | " off " } ]" +.br +.RB "[ " state " { " auto " | " enable " | " disable " } ]" +.br +.RB "[ " trust " { " on " | " off " } ]" +.br +.RB "[ " node_guid " eui64 ]" +.br +.RB "[ " port_guid " eui64 ] ]" +.br +.in -9 +.RB "[ { " xdp " | " xdpgeneric " | " xdpdrv " | " xdpoffload " } { " off " | " +.br +.in +8 +.BR object +.IR FILE +.RB "[ " section +.IR NAME " ]" +.RB "[ " verbose " ] |" +.br +.BR pinned +.IR FILE " } ]" +.br +.in -8 +.RB "[ " master +.IR DEVICE " ]" +.br +.RB "[ " nomaster " ]" +.br +.RB "[ " vrf +.IR NAME " ]" +.br +.RB "[ " addrgenmode " { " eui64 " | " none " | " stable_secret " | " random " } ]" +.br +.RB "[ " macaddr " { " flush " | { " add " | " del " } " +.IR MACADDR " | set [ " +.IR MACADDR " [ " +.IR MACADDR " [ ... ] ] ] } ]" .br -.B link-netnsid ID -.BR " }" - .ti -8 .B ip link show .RI "[ " DEVICE " | " .B group -.IR GROUP " | " -.BR up " | " +.IR GROUP " ] [" +.BR up " ] [" .B master -.IR DEVICE " | " +.IR DEVICE " ] [" .B type -.IR TYPE " ]" +.IR ETYPE " ] [" +.B vrf +.IR NAME " ]" + +.ti -8 +.B ip link xstats +.BI type " TYPE" +.RI "[ " ARGS " ]" + +.ti -8 +.B ip link afstats +.RB "[ " dev +.IR DEVICE " ]" .ti -8 .B ip link help .RI "[ " TYPE " ]" +.ti -8 +.IR TYPE " := [ " +.BR bridge " | " +.BR bond " | " +.BR can " | " +.BR dummy " | " +.BR hsr " | " +.BR ifb " | " +.BR ipoib " |" +.BR macvlan " | " +.BR macvtap " | " +.BR vcan " | " +.BR veth " | " +.BR vlan " | " +.BR vxlan " |" +.BR ip6tnl " |" +.BR ipip " |" +.BR sit " |" +.BR gre " |" +.BR gretap " |" +.BR erspan " |" +.BR ip6gre " |" +.BR ip6gretap " |" +.BR vti " |" +.BR nlmon " |" +.BR ipvlan " |" +.BR lowpan " |" +.BR geneve " |" +.BR vrf " |" +.BR macsec " ]" + +.ti -8 +.IR ETYPE " := [ " TYPE " |" +.BR bridge_slave " | " bond_slave " ]" + +.ti -8 +.IR VFVLAN-LIST " := [ " VFVLAN-LIST " ] " VFVLAN + +.ti -8 +.IR VFVLAN " := " +.RB "[ " vlan +.IR VLANID " [ " +.B qos +.IR VLAN-QOS " ] [" +.B proto +.IR VLAN-PROTO " ] ]" + .SH "DESCRIPTION" .SS ip link add - add virtual link @@ -192,6 +250,7 @@ Link types: .sp .B bond - Bonding device +.sp .B can - Controller Area Network interface .sp @@ -240,6 +299,9 @@ Link types: .BR gretap - Virtual L2 tunnel interface GRE over IPv4 .sp +.BR erspan +- Encapsulated Remote SPAN over GRE and IPv4 +.sp .BR ip6gre - Virtual tunnel interface GRE over IPv6 .sp @@ -260,6 +322,12 @@ Link types: .sp .BR geneve - GEneric NEtwork Virtualization Encapsulation +.sp +.BR macsec +- Interface for IEEE 802.1AE MAC Security (MACsec) +.sp +.BR vrf +- Interface for L3 VRF domains .in -8 .TP @@ -283,7 +351,7 @@ the following additional arguments are supported: .BI "ip link add .BI link " DEVICE " .BI name " NAME " -.BI type " vlan " +.B "type vlan" [ .BI protocol " VLAN_PROTO " ] @@ -385,7 +453,7 @@ For a link of type the following additional arguments are supported: .BI "ip link add " DEVICE -.BI type " vxlan " id " ID" +.BI type " vxlan " id " VNI" [ .BI dev " PHYS_DEV " .RB " ] [ { " group " | " remote " } " @@ -398,31 +466,37 @@ the following additional arguments are supported: ] [ .BI tos " TOS " ] [ +.BI flowlabel " FLOWLABEL " +] [ .BI dstport " PORT " ] [ .BI srcport " MIN MAX " ] [ -.I "[no]learning " +.RB [ no ] learning ] [ -.I "[no]proxy " +.RB [ no ] proxy ] [ -.I "[no]rsc " +.RB [ no ] rsc ] [ -.I "[no]l2miss " +.RB [ no ] l2miss ] [ -.I "[no]l3miss " +.RB [ no ] l3miss ] [ -.I "[no]udpcsum " +.RB [ no ] udpcsum ] [ -.I "[no]udp6zerocsumtx " +.RB [ no ] udp6zerocsumtx ] [ -.I "[no]udp6zerocsumrx " +.RB [ no ] udp6zerocsumrx ] [ .BI ageing " SECONDS " ] [ .BI maxaddress " NUMBER " ] [ +.RB [ no ] external +] [ .B gbp +] [ +.B gpe ] .in +8 @@ -462,6 +536,10 @@ parameter. - specifies the TOS value to use in outgoing packets. .sp +.BI flowlabel " FLOWLABEL" +- specifies the flow label to use in outgoing packets. + +.sp .BI dstport " PORT" - specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint. @@ -471,37 +549,37 @@ parameter. source ports to communicate to the remote VXLAN tunnel endpoint. .sp -.I [no]learning +.RB [ no ] learning - specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database. .sp -.I [no]rsc +.RB [ no ] rsc - specifies if route short circuit is turned on. .sp -.I [no]proxy +.RB [ no ] proxy - specifies ARP proxy is turned on. .sp -.I [no]l2miss +.RB [ no ] l2miss - specifies if netlink LLADDR miss notifications are generated. .sp -.I [no]l3miss +.RB [ no ] l3miss - specifies if netlink IP ADDR miss notifications are generated. .sp -.I [no]udpcsum -- specifies if UDP checksum is filled in +.RB [ no ] udpcsum +- specifies if UDP checksum is calculated for transmitted packets over IPv4. .sp -.I [no]udp6zerocsumtx -- specifies if UDP checksum is filled in +.RB [ no ] udp6zerocsumtx +- skip UDP checksum calculation for transmitted packets over IPv6. .sp -.I [no]udp6zerocsumrx -- specifies if UDP checksum is received +.RB [ no ] udp6zerocsumrx +- allow incoming UDP packets over IPv6 with zero checksum field. .sp .BI ageing " SECONDS" @@ -512,6 +590,12 @@ are entered into the VXLAN device forwarding database. - specifies the maximum number of FDB entries. .sp +.RB [ no ] external +- specifies whether an external control plane +.RB "(e.g. " "ip route encap" ) +or the internal FDB should be used. + +.sp .B gbp - enables the Group Policy extension (VXLAN-GBP). @@ -554,27 +638,38 @@ Example: .in -4 +.sp +.B gpe +- enables the Generic Protocol extension (VXLAN-GPE). Currently, this is +only supported together with the +.B external +keyword. + .in -8 .TP -GRE, IPIP, SIT Type Support +GRE, IPIP, SIT, ERSPAN Type Support For a link of types -.I GRE/IPIP/SIT +.I GRE/IPIP/SIT/ERSPAN the following additional arguments are supported: .BI "ip link add " DEVICE -.BR type " { gre | ipip | sit } " +.BR type " { " gre " | " ipip " | " sit " | " erspan " }" .BI " remote " ADDR " local " ADDR [ -.BR encap " { fou | gue | none } " +.BR encap " { " fou " | " gue " | " none " }" ] [ -.BI "encap-sport { " PORT " | auto } " +.BR encap-sport " { " \fIPORT " | " auto " }" ] [ .BI "encap-dport " PORT ] [ -.I " [no]encap-csum " +.RB [ no ] encap-csum ] [ .I " [no]encap-remcsum " +] [ +.I " mode " { ip6ip | ipip | mplsip | any } " +] [ +.BR erspan " \fIIDX " ] .in +8 @@ -588,12 +683,12 @@ the following additional arguments are supported: It must be an address on another interface on this host. .sp -.BR encap " { fou | gue | none } " +.BR encap " { " fou " | " gue " | " none " }" - specifies type of secondary UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation. .sp -.BI "encap-sport { " PORT " | auto } " +.BR encap-sport " { " \fIPORT " | " auto " }" - specifies the source port in UDP encapsulation. .IR PORT indicates the port by number, "auto" @@ -602,15 +697,30 @@ indicates that the port number should be chosen automatically encapsulated packet). .sp -.I [no]encap-csum +.RB [ no ] encap-csum - specifies if UDP checksums are enabled in the secondary encapsulation. .sp -.I [no]encap-remcsum +.RB [ no ] encap-remcsum - specifies if Remote Checksum Offload is enabled. This is only applicable for Generic UDP Encapsulation. +.sp +.BI mode " { ip6ip | ipip | mplsip | any } " +- specifies mode in which device should run. "ip6ip" indicates +IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indicates +MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS Over IPv4. Supported for +SIT where the default is "ip6ip" and IPIP where the default is "ipip". +IPv6-Over-IPv4 is not supported for IPIP. + +.sp +.BR erspan " \fIIDX " +- specifies the ERSPAN index field. +.IR IDX +indicates a 20 bit index/port number associated with the ERSPAN +traffic's source port and direction. + .in -8 .TP @@ -620,13 +730,15 @@ For a link of type the following additional arguments are supported: .BI "ip link add " DEVICE -.BI type " { ip6gre | ip6gretap } " remote " ADDR " local " ADDR +.BR type " { " ip6gre " | " ip6gretap " }" +.BI remote " ADDR " local " ADDR" [ -.I "[i|o]seq]" +.RB [ i | o ] seq ] [ -.I "[i|o]key" KEY +.RB [ i | o ] key +.I KEY ] [ -.I " [i|o]csum " +.RB [ i | o ] csum ] [ .BI hoplimit " TTL " ] [ @@ -652,7 +764,7 @@ the following additional arguments are supported: It must be an address on another interface on this host. .sp -.BI [i|o]seq +.RB [ i | o ] seq - serialize packets. The .B oseq @@ -662,7 +774,7 @@ The flag requires that all input packets are serialized. .sp -.BI [i|o]key " KEY" +.RB [ i | o ] key " \fIKEY" - use keyed GRE with key .IR KEY ". "KEY is either a number or an IPv4 address-like dotted quad. @@ -674,7 +786,7 @@ The parameters specify different keys for input and output. .sp -.BI [i|o]csum +.RB [ i | o ] csum - generate/require checksums for tunneled packets. The .B ocsum @@ -726,7 +838,7 @@ For a link of type the following additional arguments are supported: .BI "ip link add " DEVICE " name " NAME -.BI type " ipoib [ " pkey " PKEY ] [" mode " MODE " ] +.BR "type ipoib " [ " pkey \fIPKEY" " ] [ " mode " \fIMODE \fR]" .in +8 .sp @@ -743,11 +855,23 @@ For a link of type the following additional arguments are supported: .BI "ip link add " DEVICE -.BI type " geneve " id " ID " remote " IPADDR" +.BI type " geneve " id " VNI " remote " IPADDR" [ .BI ttl " TTL " ] [ .BI tos " TOS " +] [ +.BI flowlabel " FLOWLABEL " +] [ +.BI dstport " PORT" +] [ +.RB [ no ] external +] [ +.RB [ no ] udpcsum +] [ +.RB [ no ] udp6zerocsumtx +] [ +.RB [ no ] udp6zerocsumrx ] .in +8 @@ -767,6 +891,36 @@ the following additional arguments are supported: .BI tos " TOS" - specifies the TOS value to use in outgoing packets. +.sp +.BI flowlabel " FLOWLABEL" +- specifies the flow label to use in outgoing packets. + +.sp +.BI dstport " PORT" +- select a destination port other than the default of 6081. + +.sp +.RB [ no ] external +- make this tunnel externally controlled (or not, which is the default). This +flag is mutually exclusive with the +.BR id , +.BR remote , +.BR ttl , +.BR tos " and " flowlabel +options. + +.sp +.RB [ no ] udpcsum +- specifies if UDP checksum is calculated for transmitted packets over IPv4. + +.sp +.RB [ no ] udp6zerocsumtx +- skip UDP checksum calculation for transmitted packets over IPv6. + +.sp +.RB [ no ] udp6zerocsumrx +- allow incoming UDP packets over IPv6 with zero checksum field. + .in -8 .TP @@ -780,7 +934,7 @@ the following additional arguments are supported: .BI "ip link add link " DEVICE " name " NAME .BR type " { " macvlan " | " macvtap " } " .BR mode " { " private " | " vepa " | " bridge " | " passthru -.BR " [ " nopromisc " ] } " +.RB " [ " nopromisc " ] | " source " } " .in +8 .sp @@ -817,6 +971,387 @@ the interface or create vlan interfaces on top of it. By default, this mode forces the underlying interface into promiscuous mode. Passing the .BR nopromisc " flag prevents this, so the promisc flag may be controlled " using standard tools. + +.B mode source +- allows one to set a list of allowed mac address, which is used to match +against source mac address from received frames on underlying interface. This +allows creating mac based VLAN associations, instead of standard port or tag +based. The feature is useful to deploy 802.1x mac based behavior, +where drivers of underlying interfaces doesn't allows that. +.in -8 + +.TP +High-availability Seamless Redundancy (HSR) Support +For a link of type +.I HSR +the following additional arguments are supported: + +.BI "ip link add link " DEVICE " name " NAME " type hsr" +.BI slave1 " SLAVE1-IF " slave2 " SLAVE2-IF " +.RB [ " supervision" +.IR ADDR-BYTE " ] [" +.BR version " { " 0 " | " 1 " } ]" + +.in +8 +.sp +.BR type " hsr " +- specifies the link type to use, here HSR. + +.BI slave1 " SLAVE1-IF " +- Specifies the physical device used for the first of the two ring ports. + +.BI slave2 " SLAVE2-IF " +- Specifies the physical device used for the second of the two ring ports. + +.BI supervision " ADDR-BYTE" +- The last byte of the multicast address used for HSR supervision frames. +Default option is "0", possible values 0-255. + +.BR version " { " 0 " | " 1 " }" +- Selects the protocol version of the interface. Default option is "0", which +corresponds to the 2010 version of the HSR standard. Option "1" activates the +2012 version. +.in -8 + +.TP +BRIDGE Type Support +For a link of type +.I BRIDGE +the following additional arguments are supported: + +.BI "ip link add " DEVICE " type bridge " +[ +.BI ageing_time " AGEING_TIME " +] [ +.BI group_fwd_mask " MASK " +] [ +.BI group_address " ADDRESS " +] [ +.BI forward_delay " FORWARD_DELAY " +] [ +.BI hello_time " HELLO_TIME " +] [ +.BI max_age " MAX_AGE " +] [ +.BI stp_state " STP_STATE " +] [ +.BI priority " PRIORITY " +] [ +.BI vlan_filtering " VLAN_FILTERING " +] [ +.BI vlan_protocol " VLAN_PROTOCOL " +] [ +.BI vlan_default_pvid " VLAN_DEFAULT_PVID " +] [ +.BI vlan_stats_enabled " VLAN_STATS_ENABLED " +] [ +.BI mcast_snooping " MULTICAST_SNOOPING " +] [ +.BI mcast_router " MULTICAST_ROUTER " +] [ +.BI mcast_query_use_ifaddr " MCAST_QUERY_USE_IFADDR " +] [ +.BI mcast_querier " MULTICAST_QUERIER " +] [ +.BI mcast_hash_elasticity " HASH_ELASTICITY " +] [ +.BI mcast_hash_max " HASH_MAX " +] [ +.BI mcast_last_member_count " LAST_MEMBER_COUNT " +] [ +.BI mcast_startup_query_count " STARTUP_QUERY_COUNT " +] [ +.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL " +] [ +.BI mcast_membership_interval " MEMBERSHIP_INTERVAL " +] [ +.BI mcast_querier_interval " QUERIER_INTERVAL " +] [ +.BI mcast_query_interval " QUERY_INTERVAL " +] [ +.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL " +] [ +.BI mcast_startup_query_interval " STARTUP_QUERY_INTERVAL " +] [ +.BI mcast_stats_enabled " MCAST_STATS_ENABLED " +] [ +.BI mcast_igmp_version " IGMP_VERSION " +] [ +.BI mcast_mld_version " MLD_VERSION " +] [ +.BI nf_call_iptables " NF_CALL_IPTABLES " +] [ +.BI nf_call_ip6tables " NF_CALL_IP6TABLES " +] [ +.BI nf_call_arptables " NF_CALL_ARPTABLES " +] + +.in +8 +.sp +.BI ageing_time " AGEING_TIME " +- configure the bridge's FDB entries ageing time, ie the number of seconds a MAC address will be kept in the FDB after a packet has been received from that address. after this time has passed, entries are cleaned up. + +.BI group_fwd_mask " MASK " +- set the group forward mask. This is the bitmask that is applied to decide whether to forward incoming frames destined to link-local addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0, ie the bridge does not forward any link-local frames). + +.BI group_address " ADDRESS " +- set the MAC address of the multicast group this bridge uses for STP. The address must be a link-local address in standard Ethernet MAC address format, ie an address of the form 01:80:C2:00:00:0X, with X in [0, 4..f]. + +.BI forward_delay " FORWARD_DELAY " +- set the forwarding delay in seconds, ie the time spent in LISTENING state (before moving to LEARNING) and in LEARNING state (before moving to FORWARDING). Only relevant if STP is enabled. Valid values are between 2 and 30. + +.BI hello_time " HELLO_TIME " +- set the time in seconds between hello packets sent by the bridge, when it is a root bridge or a designated bridges. Only relevant if STP is enabled. Valid values are between 1 and 10. + +.BI max_age " MAX_AGE " +- set the hello packet timeout, ie the time in seconds until another bridge in the spanning tree is assumed to be dead, after reception of its last hello message. Only relevant if STP is enabled. Valid values are between 6 and 40. + +.BI stp_state " STP_STATE " +- turn spanning tree protocol on +.RI ( STP_STATE " > 0) " +or off +.RI ( STP_STATE " == 0). " +for this bridge. + +.BI priority " PRIORITY " +- set this bridge's spanning tree priority, used during STP root bridge election. +.I PRIORITY +is a 16bit unsigned integer. + +.BI vlan_filtering " VLAN_FILTERING " +- turn VLAN filtering on +.RI ( VLAN_FILTERING " > 0) " +or off +.RI ( VLAN_FILTERING " == 0). " +When disabled, the bridge will not consider the VLAN tag when handling packets. + +.BR vlan_protocol " { " 802.1Q " | " 802.1ad " } " +- set the protocol used for VLAN filtering. + +.BI vlan_default_pvid " VLAN_DEFAULT_PVID " +- set the default PVID (native/untagged VLAN ID) for this bridge. + +.BI vlan_stats_enabled " VLAN_STATS_ENABLED " +- enable +.RI ( VLAN_STATS_ENABLED " == 1) " +or disable +.RI ( VLAN_STATS_ENABLED " == 0) " +per-VLAN stats accounting. + +.BI mcast_snooping " MULTICAST_SNOOPING " +- turn multicast snooping on +.RI ( MULTICAST_SNOOPING " > 0) " +or off +.RI ( MULTICAST_SNOOPING " == 0). " + +.BI mcast_router " MULTICAST_ROUTER " +- set bridge's multicast router if IGMP snooping is enabled. +.I MULTICAST_ROUTER +is an integer value having the following meaning: +.in +8 +.sp +.B 0 +- disabled. + +.B 1 +- automatic (queried). + +.B 2 +- permanently enabled. +.in -8 + +.BI mcast_query_use_ifaddr " MCAST_QUERY_USE_IFADDR " +- whether to use the bridge's own IP address as source address for IGMP queries +.RI ( MCAST_QUERY_USE_IFADDR " > 0) " +or the default of 0.0.0.0 +.RI ( MCAST_QUERY_USE_IFADDR " == 0). " + +.BI mcast_querier " MULTICAST_QUERIER " +- enable +.RI ( MULTICAST_QUERIER " > 0) " +or disable +.RI ( MULTICAST_QUERIER " == 0) " +IGMP querier, ie sending of multicast queries by the bridge (default: disabled). + +.BI mcast_querier_interval " QUERIER_INTERVAL " +- interval between queries sent by other routers. if no queries are seen after this delay has passed, the bridge will start to send its own queries (as if +.BI mcast_querier +was enabled). + +.BI mcast_hash_elasticity " HASH_ELASTICITY " +- set multicast database hash elasticity, ie the maximum chain length in the multicast hash table (defaults to 4). + +.BI mcast_hash_max " HASH_MAX " +- set maximum size of multicast hash table (defaults to 512, value must be a power of 2). + +.BI mcast_last_member_count " LAST_MEMBER_COUNT " +- set multicast last member count, ie the number of queries the bridge will send before stopping forwarding a multicast group after a "leave" message has been received (defaults to 2). + +.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL " +- interval between queries to find remaining members of a group, after a "leave" message is received. + +.BI mcast_startup_query_count " STARTUP_QUERY_COUNT " +- set the number of IGMP queries to send during startup phase (defaults to 2). + +.BI mcast_startup_query_interval " STARTUP_QUERY_INTERVAL " +- interval between queries in the startup phase. + +.BI mcast_query_interval " QUERY_INTERVAL " +- interval between queries sent by the bridge after the end of the startup phase. + +.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL " +- set the Max Response Time/Maximum Response Delay for IGMP/MLD queries sent by the bridge. + +.BI mcast_membership_interval " MEMBERSHIP_INTERVAL " +- delay after which the bridge will leave a group, if no membership reports for this group are received. + +.BI mcast_stats_enabled " MCAST_STATS_ENABLED " +- enable +.RI ( MCAST_STATS_ENABLED " > 0) " +or disable +.RI ( MCAST_STATS_ENABLED " == 0) " +multicast (IGMP/MLD) stats accounting. + +.BI mcast_igmp_version " IGMP_VERSION " +- set the IGMP version. + +.BI mcast_mld_version " MLD_VERSION " +- set the MLD version. + +.BI nf_call_iptables " NF_CALL_IPTABLES " +- enable +.RI ( NF_CALL_IPTABLES " > 0) " +or disable +.RI ( NF_CALL_IPTABLES " == 0) " +iptables hooks on the bridge. + +.BI nf_call_ip6tables " NF_CALL_IP6TABLES " +- enable +.RI ( NF_CALL_IP6TABLES " > 0) " +or disable +.RI ( NF_CALL_IP6TABLES " == 0) " +ip6tables hooks on the bridge. + +.BI nf_call_arptables " NF_CALL_ARPTABLES " +- enable +.RI ( NF_CALL_ARPTABLES " > 0) " +or disable +.RI ( NF_CALL_ARPTABLES " == 0) " +arptables hooks on the bridge. + + +.in-8 + +.TP +MACsec Type Support +For a link of type +.I MACsec +the following additional arguments are supported: + +.BI "ip link add link " DEVICE " name " NAME " type macsec" +[ [ +.BI address " <lladdr>" +] +.BI port " PORT" +| +.BI sci " SCI" +] [ +.BI cipher " CIPHER_SUITE" +] [ +.BR icvlen " { " +.IR 8..16 " } ] [" +.BR encrypt " {" +.BR on " | " off " } ] [ " +.BR send_sci " { " on " | " off " } ] [" +.BR end_station " { " on " | " off " } ] [" +.BR scb " { " on " | " off " } ] [" +.BR protect " { " on " | " off " } ] [" +.BR replay " { " on " | " off " }" +.BR window " { " +.IR 0..2^32-1 " } ] [" +.BR validate " { " strict " | " check " | " disabled " } ] [" +.BR encodingsa " { " +.IR 0..3 " } ]" + +.in +8 +.sp +.BI address " <lladdr> " +- sets the system identifier component of secure channel for this MACsec device. + +.sp +.BI port " PORT " +- sets the port number component of secure channel for this MACsec device, in a +range from 1 to 65535 inclusive. Numbers with a leading " 0 " or " 0x " are +interpreted as octal and hexadecimal, respectively. + +.sp +.BI sci " SCI " +- sets the secure channel identifier for this MACsec device. +.I SCI +is a 64bit wide number in hexadecimal format. + +.sp +.BI cipher " CIPHER_SUITE " +- defines the cipher suite to use. + +.sp +.BI icvlen " LENGTH " +- sets the length of the Integrity Check Value (ICV). + +.sp +.BR "encrypt on " or " encrypt off" +- switches between authenticated encryption, or authenticity mode only. + +.sp +.BR "send_sci on " or " send_sci off" +- specifies whether the SCI is included in every packet, or only when it is necessary. + +.sp +.BR "end_station on " or " end_station off" +- sets the End Station bit. + +.sp +.BR "scb on " or " scb off" +- sets the Single Copy Broadcast bit. + +.sp +.BR "protect on " or " protect off" +- enables MACsec protection on the device. + +.sp +.BR "replay on " or " replay off" +- enables replay protection on the device. + +.in +8 + +.sp +.BI window " SIZE " +- sets the size of the replay window. + +.in -8 + +.sp +.BR "validate strict " or " validate check " or " validate disabled" +- sets the validation mode on the device. + +.sp +.BI encodingsa " AN " +- sets the active secure association for transmission. + +.in -8 + +.TP +VRF Type Support +For a link of type +.I VRF +the following additional arguments are supported: + +.BI "ip link add " DEVICE " type vrf table " TABLE + +.in +8 +.sp +.BR table " table id associated with VRF device" + .in -8 .SS ip link delete - delete virtual link @@ -836,6 +1371,18 @@ specifies the type of the device. .SS ip link set - change device attributes +.PP +.B Warning: +If multiple parameter changes are requested, +.B ip +aborts immediately after any of the changes have failed. +This is the only case when +.B ip +can move the system to an unpredictable state. The solution +is to avoid changing several parameters with one +.B ip link set +call. + .TP .BI dev " DEVICE " .I DEVICE @@ -988,6 +1535,19 @@ and as 0 disables VLAN tagging and filtering for the VF. .sp +.BI proto " VLAN-PROTO" +- assign VLAN PROTOCOL for the VLAN tag, either 802.1Q or 802.1ad. +Setting to 802.1ad, all traffic sent from the VF will be tagged with VLAN S-Tag. +Incoming traffic will have VLAN S-Tags stripped before being passed to the VF. +Setting to 802.1ad also enables an option to concatenate another VLAN tag, so both +S-TAG and C-TAG will be inserted/stripped for outgoing/incoming traffic, respectively. +If not specified, the value is assumed to be 802.1Q. Both the +.B vf +and +.B vlan +parameters must be specified. + +.sp .BI rate " TXRATE" -- change the allowed transmit bandwidth, in Mbps, for the specified VF. Setting this parameter to 0 disables rate limiting. @@ -1014,14 +1574,107 @@ parameter must be specified. .BI spoofchk " on|off" - turn packet spoof checking on or off for the specified VF. .sp +.BI query_rss " on|off" +- toggle the ability of querying the RSS configuration of a specific VF. VF RSS information like RSS hash key may be considered sensitive on some devices where this information is shared between VF and PF and thus its querying may be prohibited by default. +.sp .BI state " auto|enable|disable" - set the virtual link state as seen by the specified VF. Setting to auto means a reflection of the PF link state, enable lets the VF to communicate with other VFs on this host even if the PF link state is down, disable causes the HW to drop any packets sent by the VF. +.sp +.BI trust " on|off" +- trust the specified VF user. This enables that VF user can set a specific feature +which may impact security and/or performance. (e.g. VF multicast promiscuous mode) +.sp +.BI node_guid " eui64" +- configure node GUID for Infiniband VFs. +.sp +.BI port_guid " eui64" +- configure port GUID for Infiniband VFs. .in -8 .TP +.B xdp object "|" pinned "|" off +set (or unset) a XDP ("eXpress Data Path") BPF program to run on every +packet at driver level. +.B ip link +output will indicate a +.B xdp +flag for the networking device. If the driver does not have native XDP +support, the kernel will fall back to a slower, driver-independent "generic" +XDP variant. The +.B ip link +output will in that case indicate +.B xdpgeneric +instead of +.B xdp +only. If the driver does have native XDP support, but the program is +loaded under +.B xdpgeneric object "|" pinned +then the kernel will use the generic XDP variant instead of the native one. +.B xdpdrv +has the opposite effect of requestsing that the automatic fallback to the +generic XDP variant be disabled and in case driver is not XDP-capable error +should be returned. +.B xdpdrv +also disables hardware offloads. +.B xdpoffload +in ip link output indicates that the program has been offloaded to hardware +and can also be used to request the "offload" mode, much like +.B xdpgeneric +it forces program to be installed specifically in HW/FW of the apater. + +.B off +(or +.B none +) +- Detaches any currently attached XDP/BPF program from the given device. + +.BI object " FILE " +- Attaches a XDP/BPF program to the given device. The +.I FILE +points to a BPF ELF file (f.e. generated by LLVM) that contains the BPF +program code, map specifications, etc. If a XDP/BPF program is already +attached to the given device, an error will be thrown. If no XDP/BPF +program is currently attached, the device supports XDP and the program +from the BPF ELF file passes the kernel verifier, then it will be attached +to the device. If the option +.I -force +is passed to +.B ip +then any prior attached XDP/BPF program will be atomically overridden and +no error will be thrown in this case. If no +.B section +option is passed, then the default section name ("prog") will be assumed, +otherwise the provided section name will be used. If no +.B verbose +option is passed, then a verifier log will only be dumped on load error. +See also +.B EXAMPLES +section for usage examples. + +.BI section " NAME " +- Specifies a section name that contains the BPF program code. If no section +name is specified, the default one ("prog") will be used. This option is +to be passed with the +.B object +option. + +.BI verbose +- Act in verbose mode. For example, even in case of success, this will +print the verifier log in case a program was loaded from a BPF ELF file. + +.BI pinned " FILE " +- Attaches a XDP/BPF program to the given device. The +.I FILE +points to an already pinned BPF program in the BPF file system. The option +.B section +doesn't apply here, but otherwise semantics are the same as with the option +.B object +described already. + +.TP .BI master " DEVICE" set master device of the device (enslave device). @@ -1049,17 +1702,170 @@ set the IPv6 address generation mode .BR "link-netnsid " set peer netnsid for a cross-netns interface -.PP -.B Warning: -If multiple parameter changes are requested, -.B ip -aborts immediately after any of the changes have failed. -This is the only case when -.B ip -can move the system to an unpredictable state. The solution -is to avoid changing several parameters with one -.B ip link set -call. +.TP +.BI type " ETYPE TYPE_ARGS" +Change type-specific settings. For a list of supported types and arguments refer +to the description of +.B "ip link add" +above. In addition to that, it is possible to manipulate settings to slave +devices: + +.TP +Bridge Slave Support +For a link with master +.B bridge +the following additional arguments are supported: + +.B "ip link set type bridge_slave" +[ +.B fdb_flush +] [ +.BI state " STATE" +] [ +.BI priority " PRIO" +] [ +.BI cost " COST" +] [ +.BR guard " { " on " | " off " }" +] [ +.BR hairpin " { " on " | " off " }" +] [ +.BR fastleave " { " on " | " off " }" +] [ +.BR root_block " { " on " | " off " }" +] [ +.BR learning " { " on " | " off " }" +] [ +.BR flood " { " on " | " off " }" +] [ +.BR proxy_arp " { " on " | " off " }" +] [ +.BR proxy_arp_wifi " { " on " | " off " }" +] [ +.BI mcast_router " MULTICAST_ROUTER" +] [ +.BR mcast_fast_leave " { " on " | " off "}" +] [ +.BR mcast_flood " { " on " | " off " } ]" + +.in +8 +.sp +.B fdb_flush +- flush bridge slave's fdb dynamic entries. + +.BI state " STATE" +- Set port state. +.I STATE +is a number representing the following states: +.BR 0 " (disabled)," +.BR 1 " (listening)," +.BR 2 " (learning)," +.BR 3 " (forwarding)," +.BR 4 " (blocking)." + +.BI priority " PRIO" +- set port priority (allowed values are between 0 and 63, inclusively). + +.BI cost " COST" +- set port cost (allowed values are between 1 and 65535, inclusively). + +.BR guard " { " on " | " off " }" +- block incoming BPDU packets on this port. + +.BR hairpin " { " on " | " off " }" +- enable hairpin mode on this port. This will allow incoming packets on this +port to be reflected back. + +.BR fastleave " { " on " | " off " }" +- enable multicast fast leave on this port. + +.BR root_block " { " on " | " off " }" +- block this port from becoming the bridge's root port. + +.BR learning " { " on " | " off " }" +- allow MAC address learning on this port. + +.BR flood " { " on " | " off " }" +- open the flood gates on this port, i.e. forward all unicast frames to this +port also. Requires +.BR proxy_arp " and " proxy_arp_wifi +to be turned off. + +.BR proxy_arp " { " on " | " off " }" +- enable proxy ARP on this port. + +.BR proxy_arp_wifi " { " on " | " off " }" +- enable proxy ARP on this port which meets extended requirements by IEEE +802.11 and Hotspot 2.0 specifications. + +.BI mcast_router " MULTICAST_ROUTER" +- configure this port for having multicast routers attached. A port with a +multicast router will receive all multicast traffic. +.I MULTICAST_ROUTER +may be either +.B 0 +to disable multicast routers on this port, +.B 1 +to let the system detect the presence of of routers (this is the default), +.B 2 +to permanently enable multicast traffic forwarding on this port or +.B 3 +to enable multicast routers temporarily on this port, not depending on incoming +queries. + +.BR mcast_fast_leave " { " on " | " off " }" +- this is a synonym to the +.B fastleave +option above. + +.BR mcast_flood " { " on " | " off " }" +- controls whether a given port will be flooded with multicast traffic for which there is no MDB entry. + +.in -8 + +.TP +Bonding Slave Support +For a link with master +.B bond +the following additional arguments are supported: + +.B "ip link set type bond_slave" +[ +.BI queue_id " ID" +] + +.in +8 +.sp +.BI queue_id " ID" +- set the slave's queue ID (a 16bit unsigned value). + +.in -8 + +.TP +MACVLAN and MACVTAP Support +Modify list of allowed macaddr for link in source mode. + +.B "ip link set type { macvlan | macvap } " +[ +.BI macaddr " " "" COMMAND " " MACADDR " ..." +] + +Commands: +.in +8 +.B add +- add MACADDR to allowed list +.sp +.B set +- replace allowed list +.sp +.B del +- remove MACADDR from allowed list +.sp +.B flush +- flush whole allowed list +.sp +.in -8 + .SS ip link show - display device attributes @@ -1084,30 +1890,34 @@ only display running interfaces. specifies the master device which enslaves devices to show. .TP +.BI vrf " NAME " +.I NAME +speficies the VRF which enslaves devices to show. + +.TP .BI type " TYPE " .I TYPE specifies the type of devices to show. -.TP -The show command has additional formatting options: +Note that the type name is not checked against the list of supported types - +instead it is sent as-is to the kernel. Later it is used to filter the returned +interface list by comparing it with the relevant attribute in case the kernel +didn't filter already. Therefore any string is accepted, but may lead to empty +output. -.RS -.TP -.BR "\-s" , " \-stats", " \-statistics" -output more statistics about packet usage. +.SS ip link xstats - display extended statistics .TP -.BR "\-d", " \-details" -output more detailed information. +.BI type " TYPE " +.I TYPE +specifies the type of devices to display extended statistics for. -.TP -.BR "\-h", " \-human", " \-human-readable" -output statistics with human readable values number followed by suffix +.SS ip link afstats - display address-family specific statistics .TP -.BR "\-iec" -print human readable rates in IEC units (ie. 1K = 1024). -.RE +.BI dev " DEVICE " +.I DEVICE +specifies the device to display address-family statistics for. .SS ip link help - display help @@ -1169,7 +1979,33 @@ encap-dport 5555 encap-csum encap-remcsum .RS 4 Creates an IPIP that is encapsulated with Generic UDP Encapsulation, and the outer UDP checksum and remote checksum offload are enabled. - +.RE +.PP +ip link set dev eth0 xdp obj prog.o +.RS 4 +Attaches a XDP/BPF program to device eth0, where the program is +located in prog.o, section "prog" (default section). In case a +XDP/BPF program is already attached, throw an error. +.RE +.PP +ip -force link set dev eth0 xdp obj prog.o sec foo +.RS 4 +Attaches a XDP/BPF program to device eth0, where the program is +located in prog.o, section "foo". In case a XDP/BPF program is +already attached, it will be overridden by the new one. +.RE +.PP +ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo +.RS 4 +Attaches a XDP/BPF program to device eth0, where the program was +previously pinned as an object node into BPF file system under +name foo. +.RE +.PP +ip link set dev eth0 xdp off +.RS 4 +If a XDP/BPF program is attached on device eth0, detach it and +effectively turn off XDP for device eth0. .RE .PP ip link add link wpan0 lowpan0 type lowpan diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8 new file mode 100644 index 00000000..1aca3bdc --- /dev/null +++ b/man/man8/ip-macsec.8 @@ -0,0 +1,109 @@ +.TH IP\-MACSEC 8 "07 Mar 2016" "iproute" "Linux" +.SH NAME +ip-macsec \- MACsec device configuration +.SH "SYNOPSIS" +.BI "ip link add link " DEVICE " name " NAME " type macsec " +[ [ +.BI address " <lladdr>" +] +.BI port " PORT" +| +.BI sci " <u64>" +] [ +.BR cipher " { " default " | " gcm-aes-128 " } ] [" +.BI icvlen " ICVLEN" +] [ +.BR encrypt " { " on " | " off " } ] [" +.BR send_sci " { " on " | " off " } ] [" +.BR end_station " { " on " | " off " } ] [" +.BR scb " { " on " | " off " } ] [" +.BR protect " { " on " | " off " } ] [" +.BR replay " { " on " | " off " } ] [" +.BI window " WINDOW" +] [ +.BR validate " { " strict " | " check " | " disabled " } ] [" +.BI encodingsa " SA" +] + +.BI "ip macsec add " DEV " tx sa" +.RI "{ " 0..3 " } [ " OPTS " ]" +.BI key " ID KEY" +.br +.BI "ip macsec set " DEV " tx sa" +.RI "{ " 0..3 " } [ " OPTS " ]" +.br +.BI "ip macsec del " DEV " tx sa" +.RI "{ " 0..3 " }" + +.BI "ip macsec add " DEV " rx " SCI +.RB [ " on " | " off " ] +.br +.BI "ip macsec set " DEV " rx " SCI +.RB [ " on " | " off " ] +.br +.BI "ip macsec del " DEV " rx " SCI + +.BI "ip macsec add " DEV " rx " SCI " sa" +.RI "{ " 0..3 " } [ " OPTS " ]" +.BI key " ID KEY" +.br +.BI "ip macsec set " DEV " rx " SCI " sa" +.RI "{ " 0..3 " } [ " OPTS " ]" +.br +.BI "ip macsec del " DEV " rx " SCI " sa" +.RI "{ " 0..3 " }" + +.B ip macsec show +.RI [ " DEV " ] + +.IR OPTS " := [ " +.BR pn " { " +.IR 1..2^32-1 " } ] [" +.BR on " | " off " ]" +.br +.IR SCI " := { " +.B sci +.IR <u64> " | " +.BI port +.IR PORT +.BI address " <lladdr> " +} +.br +.IR PORT " := { " 1..2^16-1 " } " + + +.SH DESCRIPTION +The +.B ip macsec +commands are used to configure transmit secure associations and receive secure channels and their secure associations on a MACsec device created with the +.B ip link add +command using the +.I macsec +type. + +.SH EXAMPLES +.PP +.SS Create a MACsec device on link eth0 +.nf +# ip link add link eth0 macsec0 type macsec port 11 encrypt on +.PP +.SS Configure a secure association on that device +.nf +# ip macsec add macsec0 tx sa 0 pn 1024 on key 01 81818181818181818181818181818181 +.PP +.SS Configure a receive channel +.nf +# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 +.PP +.SS Configure a receive association +.nf +# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 sa 0 pn 1 on key 00 82828282828282828282828282828282 +.PP +.SS Display MACsec configuration +.nf +# ip macsec show +.SH SEE ALSO +.br +.BR ip-link (8) +.SH AUTHOR +Sabrina Dubroca <sd@queasysnail.net> diff --git a/man/man8/ip-monitor.8 b/man/man8/ip-monitor.8 index d2bd381a..86f8f988 100644 --- a/man/man8/ip-monitor.8 +++ b/man/man8/ip-monitor.8 @@ -6,9 +6,7 @@ ip-monitor, rtmon \- state monitoring .ad l .in +8 .ti -8 -.BR "ip " " [ " -.IR ip-OPTIONS " ]" -.BR "monitor" " [ " all " |" +.BR "ip monitor" " [ " all " |" .IR OBJECT-LIST " ] [" .BI file " FILENAME " ] [ diff --git a/man/man8/ip-mroute.8 b/man/man8/ip-mroute.8 index e89b6b2d..b64e30d3 100644 --- a/man/man8/ip-mroute.8 +++ b/man/man8/ip-mroute.8 @@ -6,7 +6,7 @@ ip-mroute \- multicast routing cache management .ad l .in +8 .ti -8 -.BR "ip " " [ ip-OPTIONS ] " "mroute show" " [ [ " +.BR "ip mroute show" " [ [ " .BR " to " " ] " .IR PREFIX " ] [ " .B from diff --git a/man/man8/ip-neighbour.8 b/man/man8/ip-neighbour.8 index c9b0256e..bbfe8e72 100644 --- a/man/man8/ip-neighbour.8 +++ b/man/man8/ip-neighbour.8 @@ -18,7 +18,9 @@ ip-neighbour \- neighbour/arp tables management. .IR ADDR " [ " .B lladdr .IR LLADDR " ] [ " -.BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy +.B nud +.IR STATE " ] |" +.B proxy .IR ADDR " } [ " .B dev .IR DEV " ]" @@ -29,8 +31,14 @@ ip-neighbour \- neighbour/arp tables management. .B dev .IR DEV " ] [ " .B nud -.IR STATE " ]" +.IR STATE " ] [ " +.B vrf +.IR NAME " ] " +.ti -8 +.IR STATE " := {" +.BR permanent " | " noarp " | " stale " | " reachable " | " none " |" +.BR incomplete " | " delay " | " probe " | " failed " }" .SH DESCRIPTION The @@ -75,12 +83,13 @@ can also be .BR "null" . .TP -.BI nud " NUD_STATE" +.BI nud " STATE" the state of the neighbour entry. .B nud is an abbreviation for 'Neighbour Unreachability Detection'. The state can take one of the following values: +.RS .TP .B permanent the neighbour entry is valid forever and can be only @@ -100,6 +109,24 @@ This option to .B ip neigh does not change the neighbour state if it was valid and the address is not changed by this command. +.TP +.B none +this is a pseudo state used when initially creating a neighbour entry or after +trying to remove it before it becomes free to do so. +.TP +.B incomplete +the neighbour entry has not (yet) been validated/resolved. +.TP +.B delay +neighbor entry validation is currently delayed. +.TP +.B probe +neighbor is being probed. +.TP +.B failed +max number of probes exceeded without success, neighbor validation has +ultimately failed. +.RE .RE .TP @@ -139,6 +166,10 @@ the prefix selecting the neighbours to list. only list the neighbours attached to this device. .TP +.BI vrf " NAME" +only list the neighbours for given VRF. + +.TP .BI proxy list neighbour proxies. @@ -147,7 +178,7 @@ list neighbour proxies. only list neighbours which are not currently in use. .TP -.BI nud " NUD_STATE" +.BI nud " STATE" only list neighbour entries in this state. .I NUD_STATE takes values listed below or the special value diff --git a/man/man8/ip-netconf.8 b/man/man8/ip-netconf.8 index 27182582..7fe3e5f3 100644 --- a/man/man8/ip-netconf.8 +++ b/man/man8/ip-netconf.8 @@ -15,7 +15,7 @@ The .B ip netconf utility can monitor IPv4 and IPv6 parameters (see .BR "/proc/sys/net/ipv[4|6]/conf/[all|DEV]/" ")" -like forwarding, rp_filter +like forwarding, rp_filter, proxy_neigh, ignore_routes_with_linkdown or mc_forwarding status. If no interface is specified, the entry diff --git a/man/man8/ip-netns.8 b/man/man8/ip-netns.8 index c9b0fbc2..c5310e24 100644 --- a/man/man8/ip-netns.8 +++ b/man/man8/ip-netns.8 @@ -13,7 +13,7 @@ ip-netns \- process network namespace management .BR help " }" .sp .ti -8 -.BR "ip netns" " { " list " } " +.BR "ip netns" " [ " list " ]" .ti -8 .B ip netns add @@ -24,7 +24,7 @@ ip-netns \- process network namespace management .RI "[ " NETNSNAME " ]" .ti -8 -.BR "ip netns" " { " set " } " +.B ip netns set .I NETNSNAME NETNSID .ti -8 diff --git a/man/man8/ip-ntable.8 b/man/man8/ip-ntable.8 index 462e5896..4f0f2e54 100644 --- a/man/man8/ip-ntable.8 +++ b/man/man8/ip-ntable.8 @@ -8,7 +8,7 @@ ip-ntable - neighbour table configuration .ti -8 .B ip .RI "[ " OPTIONS " ]" -.B address +.B ntable .RI " { " COMMAND " | " .BR help " }" .sp @@ -17,34 +17,39 @@ ip-ntable - neighbour table configuration .BR "ip ntable change name" .IR NAME " [ " .B dev -.IR DEV " ] " PARMS - -.ti -8 -.IR PARMS " := { " +.IR DEV " ] [" .B thresh1 -.IR VAL " | " +.IR VAL " ] [" .B thresh2 -.IR VAL " | " +.IR VAL " ] [" .B thresh3 -.IR VAL " | " +.IR VAL " ] [" .B gc_int -.IR MSEC " | " +.IR MSEC " ] [" .B base_reachable -.IR MSEC " | " +.IR MSEC " ] [" .B retrans -.IR MSEC " | " "gc_stale MSEC " " | " +.IR MSEC " ] [" +.B gc_stale +.IR MSEC " ] [" .B delay_probe -.IR MSEC " | " "queue LEN " " | " +.IR MSEC " ] [" +.B queue +.IR LEN " ] [" .B app_probs -.IR VAL " | " +.IR VAL " ] [" .B ucast_probes -.IR VAL " | " "mcast_probes VAL " " | " +.IR VAL " ] [" +.B mcast_probes +.IR VAL " ] [" .B anycast_delay -.IR MSEC " | " +.IR MSEC " ] [" .B proxy_delay -.IR MSEC " | " "proxy_queue LEN " " | " +.IR MSEC " ] [" +.B proxy_queue +.IR LEN " ] [" .B locktime -.IR MSEC " }" +.IR MSEC " ]" .ti -8 .BR "ip ntable show" " [ " diff --git a/man/man8/ip-route.8.in b/man/man8/ip-route.8.in index c764bfc8..705ceb20 100644 --- a/man/man8/ip-route.8.in +++ b/man/man8/ip-route.8.in @@ -16,7 +16,7 @@ ip-route \- routing table management .ti -8 .BR "ip route" " { " -.BR list " | " flush " } " +.BR show " | " flush " } " .I SELECTOR .ti -8 @@ -28,12 +28,15 @@ ip-route \- routing table management .ti -8 .B ip route get +.I ROUTE_GET_FLAGS .IR ADDRESS " [ " .BI from " ADDRESS " iif " STRING" .RB " ] [ " oif .IR STRING " ] [ " .B tos -.IR TOS " ]" +.IR TOS " ] [ " +.B vrf +.IR NAME " ] " .ti -8 .BR "ip route" " { " add " | " del " | " change " | " append " | "\ @@ -50,6 +53,8 @@ replace " } " .IR PREFIX " ] [ " .B table .IR TABLE_ID " ] [ " +.B vrf +.IR NAME " ] [ " .B proto .IR RTPROTO " ] [ " .B type @@ -71,7 +76,9 @@ replace " } " .B scope .IR SCOPE " ] [ " .B metric -.IR METRIC " ]" +.IR METRIC " ] [ " +.B ttl-propagate +.RB "{ " enabled " | " disabled " } ]" .ti -8 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " [" @@ -170,12 +177,14 @@ throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]" .ti -8 .IR ENCAP " := [ " -.IR MPLS " | " IP " ]" +.IR MPLS " | " IP " | " BPF " | " SEG6 " | " SEG6LOCAL " ] " .ti -8 .IR ENCAP_MPLS " := " .BR mpls " [ " -.IR LABEL " ]" +.IR LABEL " ] [" +.B ttl +.IR TTL " ]" .ti -8 .IR ENCAP_IP " := " @@ -189,6 +198,41 @@ throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]" .B ttl .IR TTL " ]" +.ti -8 +.IR ENCAP_BPF " := " +.BR bpf " [ " +.B in +.IR PROG " ] [" +.B out +.IR PROG " ] [" +.B xmit +.IR PROG " ] [" +.B headroom +.IR SIZE " ]" + +.ti -8 +.IR ENCAP_SEG6 " := " +.B seg6 +.BR mode " [ " +.BR encap " | " inline " | " l2encap " ] " +.B segs +.IR SEGMENTS " [ " +.B hmac +.IR KEYID " ]" + +.ti -8 +.IR ENCAP_SEG6LOCAL " := " +.B seg6local +.BR action +.IR SEG6_ACTION " [ " +.IR SEG6_ACTION_PARAM " ] " + +.ti -8 +.IR ROUTE_GET_FLAGS " := " +.BR " [ " +.BR fibmatch +.BR " ] " + .SH DESCRIPTION .B ip route is used to manipulate entries in the kernel routing tables. @@ -278,7 +322,7 @@ normal routing tables. .P .B Route tables: Linux-2.x can pack routes into several routing tables identified -by a number in the range from 1 to 2^31 or by name from the file +by a number in the range from 1 to 2^32-1 or by name from the file .B @SYSCONFDIR@/rt_tables By default all normal routes are inserted into the .B main @@ -350,7 +394,7 @@ from .BI preference " NUMBER" the preference value of the route. .I NUMBER -is an arbitrary 32bit number. +is an arbitrary 32bit number, where routes with lower values are preferred. .TP .BI table " TABLEID" @@ -369,6 +413,11 @@ routes, which are put into the table by default. .TP +.BI vrf " NAME" +the vrf name to add this route to. Implicitly means the table +associated with the VRF. + +.TP .BI dev " NAME" the output device name. @@ -627,6 +676,14 @@ is a string specifying the supported encapsulation type. Namely: .BI ip - IP encapsulation (Geneve, GRE, VXLAN, ...) .sp +.BI bpf +- Execution of BPF program +.sp +.BI seg6 +- encapsulation type IPv6 Segment Routing +.sp +.BI seg6local +- local SRv6 segment processing .in -8 .I ENCAPHDR @@ -639,6 +696,11 @@ is a set of encapsulation attributes specific to the .I MPLSLABEL - mpls label stack with labels separated by .I "/" +.sp + +.B ttl +.I TTL +- TTL to use for MPLS header or 0 to inherit from IP header .in -2 .sp @@ -655,8 +717,103 @@ is a set of encapsulation attributes specific to the .in -2 .sp +.B bpf +.in +2 +.B in +.I PROG +- BPF program to execute for incoming packets +.sp + +.B out +.I PROG +- BPF program to execute for outgoing packets +.sp + +.B xmit +.I PROG +- BPF program to execute for transmitted packets +.sp + +.B headroom +.I SIZE +- Size of header BPF program will attach (xmit) +.in -2 +.sp + +.B seg6 +.in +2 +.B mode inline +- Directly insert Segment Routing Header after IPv6 header +.sp + +.B mode encap +- Encapsulate packet in an outer IPv6 header with SRH +.sp + +.B mode l2encap +- Encapsulate ingress L2 frame within an outer IPv6 header and SRH +.sp + +.I SEGMENTS +- List of comma-separated IPv6 addresses +.sp + +.I KEYID +- Numerical value in decimal representation. See \fBip-sr\fR(8). +.in -2 +.sp + +.B seg6local +.in +2 +.IR SEG6_ACTION " [ " +.IR SEG6_ACTION_PARAM " ] " +- Operation to perform on matching packets. +The following actions are currently supported (\fB4.14+ only\fR). +.in +2 + +.B End +- Regular SRv6 processing as intermediate segment endpoint. +This action only accepts packets with a non-zero Segments Left +value. Other matching packets are dropped. + +.B End.X nh6 +.I NEXTHOP +- Regular SRv6 processing as intermediate segment endpoint. +Additionally, forward processed packets to given next-hop. +This action only accepts packets with a non-zero Segments Left +value. Other matching packets are dropped. + +.B End.DX6 nh6 +.I NEXTHOP +- Decapsulate inner IPv6 packet and forward it to the +specified next-hop. If the argument is set to ::, then +the next-hop is selected according to the local selection +rules. This action only accepts packets with either a zero Segments +Left value or no SRH at all, and an inner IPv6 packet. Other +matching packets are dropped. + +.B End.B6 srh segs +.IR SEGMENTS " [ " +.B hmac +.IR KEYID " ] " +- Insert the specified SRH immediately after the IPv6 header, +update the DA with the first segment of the newly inserted SRH, +then forward the resulting packet. The original SRH is not +modified. This action only accepts packets with a non-zero +Segments Left value. Other matching packets are dropped. + +.B End.B6.Encaps srh segs +.IR SEGMENTS " [ " +.B hmac +.IR KEYID " ] " +- Regular SRv6 processing as intermediate segment endpoint. +Additionally, encapsulate the matching packet within an outer IPv6 header +followed by the specified SRH. The destination address of the outer IPv6 +header is set to the first segment of the new SRH. The source +address is set as described in \fBip-sr\fR(8). +.in -4 + .in -8 -.RE .TP .BI expires " TIME " "(4.4+ only)" @@ -665,6 +822,13 @@ the route will be deleted after the expires time. support IPv6 at present. .TP +.BR ttl-propagate " { " enabled " | " disabled " } " +Control whether TTL should be propagated from any encap into the +un-encapsulated packet, overriding any global configuration. Only +supported for MPLS at present. +.RE + +.TP ip route delete delete route .RS @@ -746,6 +910,10 @@ may either be the ID of a real table or one of the special values: .in -8 .TP +.BI vrf " NAME" +show the routes for the table associated with the vrf name + +.TP .B cloned .TP .B cached @@ -833,6 +1001,11 @@ this command gets a single route to a destination and prints its contents exactly as the kernel sees it. .TP +.BI fibmatch +Return full fib lookup matched route. Default is to return the resolved +dst entry + +.TP .BI to " ADDRESS " (default) the destination address. @@ -855,6 +1028,10 @@ the device from which this packet is expected to arrive. force the output device on which this packet will be routed. .TP +.BI vrf " NAME" +force the vrf device on which this packet will be routed. + +.TP .B connected if no source address .RB "(option " from ")" @@ -907,6 +1084,12 @@ routes are left unchanged. Any routes specified in the data stream that already exist in the table will be ignored. .RE +.SH NOTES +Starting with Linux kernel version 3.6, there is no routing cache for IPv4 +anymore. Hence +.B "ip route show cached" +will never print any entries on systems with this or newer kernel versions. + .SH EXAMPLES .PP ip ro @@ -924,6 +1107,11 @@ ip route add 10.1.1.0/30 encap mpls 200/300 via 10.1.1.1 dev eth0 .RS 4 Adds an ipv4 route with mpls encapsulation attributes attached to it. .RE +.PP +ip -6 route add 2001:db8:1::/64 encap seg6 mode encap segs 2001:db8:42::1,2001:db8:ffff::2 dev eth0 +.RS 4 +Adds an IPv6 route with SRv6 encapsulation and two segments attached. +.RE .SH SEE ALSO .br .BR ip (8) diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8 index b7008c6a..a5c47981 100644 --- a/man/man8/ip-rule.8 +++ b/man/man8/ip-rule.8 @@ -9,20 +9,27 @@ ip-rule \- routing policy database management .B ip .RI "[ " OPTIONS " ]" .B rule -.RI " { " COMMAND " | " +.RI "{ " COMMAND " | " .BR help " }" .sp .ti -8 .B ip rule -.RB " [ " list " | " add " | " del " | " flush " | " save " ]" +.RB "[ " list +.RI "[ " SELECTOR " ]]" + +.ti -8 +.B ip rule +.RB "{ " add " | " del " }" .I SELECTOR ACTION .ti -8 -.B ip rule " restore " +.B ip rule +.RB "{ " flush " | " save " | " restore " }" .ti -8 .IR SELECTOR " := [ " +.BR not " ] [" .B from .IR PREFIX " ] [ " .B to @@ -30,13 +37,14 @@ ip-rule \- routing policy database management .B tos .IR TOS " ] [ " .B fwmark -.IR FWMARK[/MASK] " ] [ " +.IR FWMARK\fR[\fB/\fIMASK "] ] [ " .B iif .IR STRING " ] [ " .B oif .IR STRING " ] [ " .B pref -.IR NUMBER " ]" +.IR NUMBER " ] [ " +.BR l3mdev " ]" .ti -8 .IR ACTION " := [ " @@ -45,8 +53,9 @@ ip-rule \- routing policy database management .B nat .IR ADDRESS " ] [ " .B realms -.RI "[" SRCREALM "/]" DSTREALM " ]" -.I SUPPRESSOR +.RI "[" SRCREALM "\fB/\fR]" DSTREALM " ] [" +.B goto +.IR NUMBER " ] " SUPPRESSOR .ti -8 .IR SUPPRESSOR " := [ " @@ -86,7 +95,10 @@ Each policy routing rule consists of a .B selector and an .B action predicate. -The RPDB is scanned in order of decreasing priority. The selector +The RPDB is scanned in order of decreasing priority (note that lower number +means higher priority, see the description of +.I PREFERENCE +below). The selector of each rule is applied to {source address, destination address, incoming interface, tos, fwmark} and, if the selector matches the packet, the action is performed. The action predicate may return with success. @@ -111,8 +123,6 @@ The .B local table is a special routing table containing high priority control routes for local and broadcast addresses. -.sp -Rule 0 is special. It cannot be deleted or overridden. .TP 2. @@ -216,8 +226,11 @@ value to match. .TP .BI priority " PREFERENCE" -the priority of this rule. Each rule should have an explicitly -set +the priority of this rule. +.I PREFERENCE +is an unsigned integer value, higher number means lower priority, and rules get +processed in order of increasing number. Each rule +should have an explicitly set .I unique priority value. The options preference and order are synonyms with priority. diff --git a/man/man8/ip-sr.8 b/man/man8/ip-sr.8 new file mode 100644 index 00000000..6be1cc54 --- /dev/null +++ b/man/man8/ip-sr.8 @@ -0,0 +1,58 @@ +.TH IP\-SR 8 "14 Apr 2017" "iproute2" "Linux" +.SH "NAME" +ip-sr \- IPv6 Segment Routing management +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B ip sr +.RI " { " COMMAND " | " +.BR help " }" +.sp +.ti -8 + +.ti -8 +.B ip sr hmac show + +.ti -8 +.B ip sr hmac set +.I KEYID ALGO + +.ti -8 +.B ip sr tunsrc show + +.ti -8 +.B ip sr tunsrc set +.I ADDRESS + +.SH DESCRIPTION +The \fBip sr\fR command is used to configure IPv6 Segment Routing (SRv6) +internal parameters. +.PP +Those parameters include the mapping between an HMAC key ID and its associated +hashing algorithm and secret, and the IPv6 address to use as source for encapsulated +packets. +.PP +The \fBip sr hmac set\fR command prompts for a passphrase that will be used as the +HMAC secret for the corresponding key ID. A blank passphrase removes the mapping. +The currently supported algorithms for \fIALGO\fR are \fBsha1\fR and \fBsha256\fR. +.PP +If the tunnel source is set to the address :: (which is the default), then an address +of the egress interface will be selected. As this operation may hinder performances, +it is recommended to set a non-default address. + +.SH EXAMPLES +.PP +.SS Configure an HMAC mapping for key ID 42 and hashing algorithm SHA-256 +.nf +# ip sr hmac set 42 sha256 +.PP +.SS Set the tunnel source address to 2001:db8::1 +.nf +# ip sr tunsrc set 2001:db8::1 +.SH SEE ALSO +.br +.BR ip-route (8) +.SH AUTHOR +David Lebrun <david.lebrun@uclouvain.be> diff --git a/man/man8/ip-token.8 b/man/man8/ip-token.8 index 35a3d1e3..6505b8c5 100644 --- a/man/man8/ip-token.8 +++ b/man/man8/ip-token.8 @@ -7,23 +7,27 @@ ip-token \- tokenized interface identifier support .in +8 .ti -8 .B ip token -.RI " { " COMMAND " | " +.RI "{ " COMMAND " | " .BR help " }" .sp .ti -8 -.BR "ip token" " { " set " } " +.B ip token set .IR TOKEN .B dev .IR DEV .ti -8 -.BR "ip token" " { " get " } " -.B dev +.B ip token del dev .IR DEV .ti -8 -.BR "ip token" " { " list " }" +.B ip token get +.RB "[ " dev +.IR DEV " ]" + +.ti -8 +.BR "ip token" " [ " list " ]" .SH "DESCRIPTION" IPv6 tokenized interface identifier support is used for assigning well-known @@ -37,8 +41,7 @@ IPv6 Identifiers are described in the draft [1]: <draft-chown-6man-tokenised-ipv6-identifiers-02>. .SS ip token set - set an interface token -set the interface token to the kernel. Once a token is set, it cannot be -removed from the interface, only overwritten. +set the interface token to the kernel. .TP .I TOKEN the interface identifier token address. @@ -46,6 +49,12 @@ the interface identifier token address. .BI dev " DEV" the networking interface. +.SS ip token del - delete an interface token +delete the interface token from the kernel. +.TP +.BI dev " DEV" +the networking interface. + .SS ip token get - get the interface token from the kernel show a tokenized interface identifier of a particular networking device. .B Arguments: diff --git a/man/man8/ip-tunnel.8 b/man/man8/ip-tunnel.8 index 8b746cb0..7ddbffb2 100644 --- a/man/man8/ip-tunnel.8 +++ b/man/man8/ip-tunnel.8 @@ -11,7 +11,7 @@ ip-tunnel - tunnel configuration .ti -8 .BR "ip " .RI "[ " OPTIONS " ]" -.BR "tunnel" " { " add " | " change " | " del " | " show " | " prl " }" +.BR "tunnel" " { " add " | " change " | " del " | " show " | " prl " | " 6rd " }" .RI "[ " NAME " ]" .br .RB "[ " mode @@ -42,7 +42,14 @@ ip-tunnel - tunnel configuration .B prl-delete .IR ADDR " ]" .br +.RB "[ " 6rd-prefix +.IR ADDR " ] [" +.B 6rd-relay_prefix +.IR ADDR " ] [ +.BR 6rd-reset " ]" +.br .RB "[ [" no "]" pmtudisc " ]" +.RB "[ [" no "]" ignore-df " ]" .RB "[ " dev .IR PHYS_DEV " ]" @@ -75,9 +82,6 @@ ip-tunnel - tunnel configuration .ti -8 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }" -.ti -8 -.IR TIME " := " NUMBER "[s|ms]" - .SH DESCRIPTION .B tunnel objects are tunnels, encapsulating packets in IP packets and then @@ -173,6 +177,14 @@ with this option: tunneling with a fixed ttl always makes pmtu discovery. .TP +.B ignore-df +enable IPv4 DF suppression on this tunnel. +Normally datagrams that exceed the MTU will be fragmented; the presence +of the DF flag inhibits this, resulting instead in an ICMP Unreachable +(Fragmentation Required) message. Enabling this attribute casues the +DF flag to be ignored. + +.TP .BI key " K" .TP .BI ikey " K" diff --git a/man/man8/ip-vrf.8 b/man/man8/ip-vrf.8 new file mode 100644 index 00000000..18789339 --- /dev/null +++ b/man/man8/ip-vrf.8 @@ -0,0 +1,99 @@ +.TH IP\-VRF 8 "7 Dec 2016" "iproute2" "Linux" +.SH NAME +ip-vrf \- run a command against a vrf +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B ip +.B vrf +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.BR "ip vrf show" +.RI "[ " NAME " ]" + +.ti -8 +.BR "ip vrf identify" +.RI "[ " PID " ]" + +.ti -8 +.BR "ip vrf pids" +.I NAME + +.ti -8 +.BR "ip vrf exec " +.RI "[ " NAME " ] " command ... + +.SH DESCRIPTION +A VRF provides traffic isolation at layer 3 for routing, similar to how a +VLAN is used to isolate traffic at layer 2. Fundamentally, a VRF is a separate +routing table. Network devices are associated with a VRF by enslaving the +device to the VRF. At that point network addresses assigned to the device are +local to the VRF with host and connected routes moved to the table associated +with the VRF. + +A process can specify a VRF using several APIs -- binding the socket to the +VRF device using SO_BINDTODEVICE, setting the VRF association using +IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a specific message +using IP_PKTINFO or IPV6_PKTINFO. + +By default a process is not bound to any VRF. An association can be set +explicitly by making the program use one of the APIs mentioned above or +implicitly using a helper to set SO_BINDTODEVICE for all IPv4 and IPv6 +sockets (AF_INET and AF_INET6) when the socket is created. This ip-vrf command +is a helper to run a command against a specific VRF with the VRF association +inherited parent to child. + +.TP +.B ip vrf show [ NAME ] - Show all configured VRF +.sp +This command lists all VRF and their corresponding table ids. If NAME is +given, then only that VRF and table id is shown. The latter command is +useful for scripting where the table id for a VRF is needed. + +.TP +.B ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF +.sp +This command allows applications that are VRF unaware to be run against +a VRF other than the default VRF (main table). A command can be run against +the default VRF by passing the "default" as the VRF name. This is useful if +the current shell is associated with another VRF (e.g, Management VRF). + +.TP +.B ip vrf identify [PID] - Report VRF association for process +.sp +This command shows the VRF association of the specified process. If PID is +not specified then the id of the current process is used. + +.TP +.B ip vrf pids NAME - Report processes associated with the named VRF +.sp +This command shows all process ids that are associated with the given +VRF. + +.SH CAVEATS +This command requires a kernel compiled with CGROUPS and CGROUP_BPF enabled. + +The VRF helper *only* affects network layer sockets. + +.SH EXAMPLES +.PP +ip vrf exec red ssh 10.100.1.254 +.RS +Executes ssh to 10.100.1.254 against the VRF red table. +.RE + +.SH SEE ALSO +.br +.BR ip (8), +.BR ip-link (8), +.BR ip-address (8), +.BR ip-route (8), +.BR ip-neighbor (8) + +.SH AUTHOR +Original Manpage by David Ahern diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8 index dae07288..a0bbef55 100644 --- a/man/man8/ip-xfrm.8 +++ b/man/man8/ip-xfrm.8 @@ -57,6 +57,8 @@ ip-xfrm \- transform configuration .IR ADDR "[/" PLEN "] ]" .RB "[ " ctx .IR CTX " ]" +.RB "[ " extra-flag +.IR EXTRA-FLAG-LIST " ]" .ti -8 .B "ip xfrm state allocspi" @@ -196,6 +198,13 @@ ip-xfrm \- transform configuration .IR SPORT " " DPORT " " OADDR .ti -8 +.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG + +.ti -8 +.IR EXTRA-FLAG " := " +.B dont-encap-dscp + +.ti -8 .BR "ip xfrm policy" " { " add " | " update " }" .I SELECTOR .B dir @@ -247,6 +256,8 @@ ip-xfrm \- transform configuration .IR ACTION " ]" .RB "[ " priority .IR PRIORITY " ]" +.RB "[ " flag +.IR FLAG-LIST "]" .ti -8 .B "ip xfrm policy flush" @@ -466,7 +477,7 @@ Encryption algorithms include Authentication algorithms include .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) "," -.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd610) ", and " xcbc(aes) "." +.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "." Authenticated encryption with associated data (AEAD) algorithms include .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "." diff --git a/man/man8/ip.8 b/man/man8/ip.8 index b1f69073..ae018fdf 100644 --- a/man/man8/ip.8 +++ b/man/man8/ip.8 @@ -21,7 +21,8 @@ ip \- show / manipulate routing, devices, policy routing and tunnels .IR OBJECT " := { " .BR link " | " address " | " addrlabel " | " route " | " rule " | " neigh " | "\ ntable " | " tunnel " | " tuntap " | " maddress " | " mroute " | " mrule " | "\ - monitor " | " xfrm " | " netns " | " l2tp " | " tcp_metrics " }" + monitor " | " xfrm " | " netns " | " l2tp " | " tcp_metrics " | " token " | "\ + macsec " }" .sp .ti -8 @@ -29,13 +30,26 @@ ip \- show / manipulate routing, devices, policy routing and tunnels \fB\-V\fR[\fIersion\fR] | \fB\-h\fR[\fIuman-readable\fR] | \fB\-s\fR[\fItatistics\fR] | +\fB\-d\fR[\fIetails\fR] | \fB\-r\fR[\fIesolve\fR] | +\fB\-iec\fR | \fB\-f\fR[\fIamily\fR] { .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | " +\fB-4\fR | +\fB-6\fR | +\fB-I\fR | +\fB-D\fR | +\fB-B\fR | +\fB-0\fR | +\fB-l\fR[\fIoops\fR] { \fBmaximum-addr-flush-attempts\fR } | \fB\-o\fR[\fIneline\fR] | +\fB\-rc\fR[\fIvbuf\fR] [\fBsize\fR] | +\fB\-t\fR[\fIimestamp\fR] | +\fB\-ts\fR[\fIhort\fR] | \fB\-n\fR[\fIetns\fR] name | \fB\-a\fR[\fIll\fR] | -\fB\-c\fR[\fIolor\fR] } +\fB\-c\fR[\fIolor\fR] +\fB\-br\fR[\fIief\fR] } .SH OPTIONS @@ -179,6 +193,25 @@ Use color output. .BR "\-t" , " \-timestamp" display current time when using monitor option. +.TP +.BR "\-ts" , " \-tshort" +Like +.BR \-timestamp , +but use shorter format. + +.TP +.BR "\-rc" , " \-rcvbuf" <SIZE> +Set the netlink socket receive buffer size, defaults to 1MB. + +.TP +.BR "\-iec" +print human readable rates in IEC units (e.g. 1Ki = 1024). + +.TP +.BR "\-br" , "\-brief" +Print only basic information in a tabular format for better readability. This option is currently only supported by +.BR "ip addr show " and " ip link show " commands. + .SH IP - COMMAND SYNTAX .SS @@ -241,6 +274,10 @@ display current time when using monitor option. - manage TCP Metrics .TP +.B token +- manage tokenized interface identifiers. + +.TP .B tunnel - tunnel over IP. @@ -288,6 +325,34 @@ or, if the objects of this class cannot be listed, Exit status is 0 if command was successful, and 1 if there is a syntax error. If an error was reported by the kernel exit status is 2. +.SH "EXAMPLES" +.PP +ip addr +.RS 4 +Shows addresses assigned to all network interfaces. +.RE +.PP +ip neigh +.RS 4 +Shows the current neighbour table in kernel. +.RE +.PP +ip link set x up +.RS 4 +Bring up interface x. +.RE +.PP +ip link set x down +.RE +.RS 4 +Bring down interface x. +.RE +.PP +ip route +.RS 4 +Show table routes. +.RE + .SH HISTORY .B ip was written by Alexey N. Kuznetsov and added in Linux 2.2. @@ -305,6 +370,7 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2. .BR ip-route (8), .BR ip-rule (8), .BR ip-tcp_metrics (8), +.BR ip-token (8), .BR ip-tunnel (8), .BR ip-xfrm (8) .br diff --git a/man/man8/rdma-dev.8 b/man/man8/rdma-dev.8 new file mode 100644 index 00000000..461681b6 --- /dev/null +++ b/man/man8/rdma-dev.8 @@ -0,0 +1,55 @@ +.TH RDMA\-DEV 8 "06 Jul 2017" "iproute2" "Linux" +.SH NAME +rdmak-dev \- RDMA device configuration +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B rdma +.RI "[ " OPTIONS " ]" +.B dev +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-d\fR[\fIetails\fR] } + +.ti -8 +.B rdma dev show +.RI "[ " DEV " ]" + +.ti -8 +.B rdma dev help + +.SH "DESCRIPTION" +.SS rdma dev show - display rdma device attributes + +.PP +.I "DEV" +- specifies the RDMA device to show. +If this argument is omitted all devices are listed. + +.SH "EXAMPLES" +.PP +rdma dev +.RS 4 +Shows the state of all RDMA devices on the system. +.RE +.PP +rdma dev show mlx5_3 +.RS 4 +Shows the state of specified RDMA device. +.RE +.PP + +.SH SEE ALSO +.BR rdma (8), +.BR rdma-link (8), +.br + +.SH AUTHOR +Leon Romanovsky <leonro@mellanox.com> diff --git a/man/man8/rdma-link.8 b/man/man8/rdma-link.8 new file mode 100644 index 00000000..8ed049ef --- /dev/null +++ b/man/man8/rdma-link.8 @@ -0,0 +1,55 @@ +.TH RDMA\-LINK 8 "06 Jul 2017" "iproute2" "Linux" +.SH NAME +rdma-link \- rdma link configuration +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B devlink +.RI "[ " OPTIONS " ]" +.B link +.RI " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-d\fR[\fIetails\fR] } + +.ti -8 +.B rdma link show +.RI "[ " DEV/PORT_INDEX " ]" + +.ti -8 +.B rdma link help + +.SH "DESCRIPTION" +.SS rdma link show - display rdma link attributes + +.PP +.I "DEV/PORT_INDEX" +- specifies the RDMa link to show. +If this argument is omitted all links are listed. + +.SH "EXAMPLES" +.PP +rdma link show +.RS 4 +Shows the state of all rdma links on the system. +.RE +.PP +rdma link show mlx5_2/1 +.RS 4 +Shows the state of specified rdma link. +.RE +.PP + +.SH SEE ALSO +.BR rdma (8), +.BR rdma-dev (8), +.br + +.SH AUTHOR +Leon Romanovsky <leonro@mellanox.com> diff --git a/man/man8/rdma.8 b/man/man8/rdma.8 new file mode 100644 index 00000000..798b33d3 --- /dev/null +++ b/man/man8/rdma.8 @@ -0,0 +1,102 @@ +.TH RDMA 8 "28 Mar 2017" "iproute2" "Linux" +.SH NAME +rdma \- RDMA tool +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B rdma +.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | " +.BR help " }" +.sp + +.ti -8 +.IR OBJECT " := { " +.BR dev " | " link " }" +.sp + +.ti -8 +.IR OPTIONS " := { " +\fB\-V\fR[\fIersion\fR] | +\fB\-d\fR[\fIetails\fR] } +\fB\-j\fR[\fIson\fR] } +\fB\-p\fR[\fIretty\fR] } + +.SH OPTIONS + +.TP +.BR "\-V" , " -Version" +Print the version of the +.B rdma +tool and exit. + +.TP +.BR "\-d" , " --details" +Otuput detailed information. + +.TP +.BR "\-p" , " --pretty" +When combined with -j generate a pretty JSON output. + +.TP +.BR "\-j" , " --json" +Generate JSON output. + +.SS +.I OBJECT + +.TP +.B dev +- RDMA device. + +.TP +.B link +- RDMA port related. + +.PP +The names of all objects may be written in full or +abbreviated form, for example +.B stats +can be abbreviated as +.B stat +or just +.B s. + +.SS +.I COMMAND + +Specifies the action to perform on the object. +The set of possible actions depends on the object type. +As a rule, it is possible to +.B show +(or +.B list +) objects, but some objects do not allow all of these operations +or have some additional commands. The +.B help +command is available for all objects. It prints +out a list of available commands and argument syntax conventions. +.sp +If no command is given, some default command is assumed. +Usually it is +.B list +or, if the objects of this class cannot be listed, +.BR "help" . + +.SH EXIT STATUS +Exit status is 0 if command was successful or a positive integer upon failure. + +.SH SEE ALSO +.BR rdma-dev (8), +.BR rdma-link (8), +.br + +.SH REPORTING BUGS +Report any bugs to the Linux RDMA mailing list +.B <linux-rdma@vger.kernel.org> +where the development and maintenance is primarily done. +You do not have to be subscribed to the list to send a message there. + +.SH AUTHOR +Leon Romanovsky <leonro@mellanox.com> diff --git a/man/man8/rtacct.8 b/man/man8/rtacct.8 index 7cf97aa4..01321e6d 100644 --- a/man/man8/rtacct.8 +++ b/man/man8/rtacct.8 @@ -35,6 +35,7 @@ Dump absolute values of counters. The default is to calculate increments since t .TP .B \-s, \-\-noupdate Do not update history, so that the next time you will see counters including values accumulated to the moment of this measurement too. +.TP .B \-j, \-\-json Display results in JSON format. .TP diff --git a/man/man8/rtpr.8 b/man/man8/rtpr.8 index 5e32b2ee..1b04a821 100644 --- a/man/man8/rtpr.8 +++ b/man/man8/rtpr.8 @@ -13,7 +13,7 @@ flag. .SH EXAMPLES .TP -ip --onenline address show | rtpr +ip --oneline address show | rtpr Undo oneline converted .B ip-address output. diff --git a/man/man8/ss.8 b/man/man8/ss.8 index 758460c2..8565ccb4 100644 --- a/man/man8/ss.8 +++ b/man/man8/ss.8 @@ -21,6 +21,9 @@ Show summary of options. .B \-V, \-\-version Output version information. .TP +.B \-H, \-\-no-header +Suppress header line. +.TP .B \-n, \-\-numeric Do not try to resolve service names. .TP @@ -34,19 +37,196 @@ Display both listening and non-listening (for TCP this means established connect Display only listening sockets (these are omitted by default). .TP .B \-o, \-\-options -Show timer information. +Show timer information. For tcp protocol, the output format is: +.RS +.P +timer:(<timer_name>,<expire_time>,<retrans>) +.P +.TP +.B <timer_name> +the name of the timer, there are five kind of timer names: +.RS +.P +.BR on ": means one of these timers: tcp retrans timer, tcp early retrans timer and tail loss probe timer" +.P +.BR keepalive ": tcp keep alive timer" +.P +.BR timewait ": timewait stage timer" +.P +.BR persist ": zero window probe timer" +.P +.BR unknown ": none of the above timers" +.RE +.TP +.B <expire_time> +how long time the timer will expire +.P +.TP +.B <retrans> +how many times the retran occurs +.RE .TP .B \-e, \-\-extended -Show detailed socket information +Show detailed socket information. The output format is: +.RS +.P +uid:<uid_number> ino:<inode_number> sk:<cookie> +.P +.TP +.B <uid_number> +the user id the socket belongs to +.P +.TP +.B <inode_number> +the socket's inode number in VFS +.P +.TP +.B <cookie> +an uuid of the socket +.RE .TP .B \-m, \-\-memory -Show socket memory usage. +Show socket memory usage. The output format is: +.RS +.P +skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,bl<back_log>) +.P +.TP +.B <rmem_alloc> +the memory allocated for receiving packet +.P +.TP +.B <rcv_buf> +the total memory can be allocated for receiving packet +.P +.TP +.B <wmem_alloc> +the memory used for sending packet (which has been sent to layer 3) +.P +.TP +.B <snd_buf> +the total memory can be allocated for sending packet +.P +.TP +.B <fwd_alloc> +the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will be used before allocate additional memory. +.P +.TP +.B <wmem_queued> +The memory allocated for sending packet (which has not been sent to layer 3) +.P +.TP +.B <opt_mem> +The memory used for storing socket option, e.g., the key for TCP MD5 signature +.P +.TP +.B <back_log> +The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk backlog queue, so it can be received by the process immediately +.RE .TP .B \-p, \-\-processes Show process using socket. .TP .B \-i, \-\-info -Show internal TCP information. +Show internal TCP information. Below fields may appear: +.RS +.P +.TP +.B ts +show string "ts" if the timestamp option is set +.P +.TP +.B sack +show string "sack" if the sack option is set +.P +.TP +.B ecn +show string "ecn" if the explicit congestion notification option is set +.P +.TP +.B ecnseen +show string "ecnseen" if the saw ecn flag is found in received packets +.P +.TP +.B fastopen +show string "fastopen" if the fastopen option is set +.P +.TP +.B cong_alg +the congestion algorithm name, the default congestion algorithm is "cubic" +.P +.TP +.B wscale:<snd_wscale>:<rcv_wscale> +if window scale option is used, this field shows the send scale factory and receive scale factory +.P +.TP +.B rto:<icsk_rto> +tcp re-transmission timeout value, the unit is millisecond +.P +.TP +.B backoff:<icsk_backoff> +used for exponential backoff re-transmission, the actual re-transmission timeout value is icsk_rto << icsk_backoff +.P +.TP +.B rtt:<rtt>/<rttvar> +rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond +.P +.TP +.B ato:<ato> +ack timeout, unit is millisecond, used for delay ack mode +.P +.TP +.B mss:<mss> +max segment size +.P +.TP +.B cwnd:<cwnd> +congestion window size +.P +.TP +.B ssthresh:<ssthresh> +tcp congestion window slow start threshold +.P +.TP +.B bytes_acked:<bytes_acked> +bytes acked +.P +.TP +.B bytes_received:<bytes_received> +bytes received +.P +.TP +.B segs_out:<segs_out> +segments sent out +.P +.TP +.B segs_in:<segs_in> +segments received +.P +.TP +.B send <send_bps>bps +egress bps +.P +.TP +.B lastsnd:<lastsnd> +how long time since the last packet sent, the unit is millisecond +.P +.TP +.B lastrcv:<lastrcv> +how long time since the last packet received, the unit is millisecond +.P +.TP +.B lastack:<lastack> +how long time since the last ack received, the unit is millisecond +.P +.TP +.B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps +the pacing rate and max pacing rate +.P +.TP +.B rcv_space:<rcv_space> +a helper variable for TCP internal auto tuning socket receive buffer +.RE .TP .B \-K, \-\-kill Attempts to forcibly close sockets. This option displays sockets that are @@ -119,6 +299,9 @@ Display RAW sockets. .B \-x, \-\-unix Display Unix domain sockets (alias for -f unix). .TP +.B \-S, \-\-sctp +Display SCTP sockets. +.TP .B \-f FAMILY, \-\-family=FAMILY Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink. @@ -126,7 +309,7 @@ Currently the following families are supported: unix, inet, inet6, link, netlink .B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, -unix_stream, unix_seqpacket, packet_raw, packet_dgram. +unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp. .TP .B \-D FILE, \-\-diag=FILE Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used. @@ -147,14 +330,14 @@ Available identifiers are: All standard TCP states: .BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", " -.BR listen " and " closing. +.BR listening " and " closing. .B all - for all the states .B connected - all the states except for -.BR listen " and " closed +.BR listening " and " closed .B synchronized - all the diff --git a/man/man8/tc-actions.8 b/man/man8/tc-actions.8 new file mode 100644 index 00000000..f46166e3 --- /dev/null +++ b/man/man8/tc-actions.8 @@ -0,0 +1,244 @@ +.TH "actions in tc" 8 "1 Aug 2017" "iproute2" "Linux" + +.SH NAME +actions \- independently defined actions in tc +.SH SYNOPSIS +.B tc +[ +.I TC_OPTIONS +] +.B actions +.BR add " | " change " | " replace +.I ACTSPEC + +.B tc +[ +.I TC_OPTIONS +] +.B actions +.BR get " | " delete +.I ACTISPEC + +.B tc +[ +.I TC_OPTIONS +] +.B actions flush +.I ACTNAMESPEC + +.B tc +[ +.I TC_OPTIONS +] +.B actions +.BR ls " | " list +.I ACTNAMESPEC +[ +.I ACTFILTER +] + +.in +8 +.I ACTSPEC +:= +.B action +.I ACTDETAIL +[ +.I INDEXSPEC +] [ +.I COOKIESPEC +] [ +.I CONTROL +] + +.I ACTISPEC +:= +.I ACTNAMESPEC INDEXSPEC + +.I ACTNAMESPEC +:= +.B action +ACTNAME + +.I INDEXSPEC +:= +.BI index " INDEX" + +.I ACTFILTER +:= +.BI since " MSTIME" + +.I COOKIESPEC +:= +.BI cookie " COOKIE" + +.I ACTDETAIL +:= +.I ACTNAME ACTPARAMS + +.I ACTNAME +may be any valid action type: gact, mirred, bpf, connmark, csum, police, etc. + +.I MSTIME +Time since last update. + +.I CONTROL +:= { +.IR reclassify " | " pipe " | " drop " | " continue " | " ok +} + +.I TC_OPTIONS +These are the options that are specific to +.B tc +and not only the options. Refer to +.BR tc(8) +for more information. +.in + +.SH DESCRIPTION + +The +.B actions +object in +.B tc +allows a user to define actions independently of a classifier (filter). These +actions can then be assigned to one or more filters, with any +packets matching the classifier's criteria having that action performed +on them. + +Each action type (mirred, police, etc.) will have its own table to store +all created actions. + +.SH OPERATIONS +.TP +.B add +Create a new action in that action's table. + +.TP +.B change +.TQ +.B replace +Make modifications to an existing action. +.TP +.B get +Display the action with the specified index value. When combined with the +.B -s +option for +.BR tc "," +display the statistics for that action. +.TP +.B delete +Delete the action with the specified index value. If the action is already +associated with a classifier, it does not delete the classifier. +.TP +.B ls +.TQ +.B list +List all the actions in the specified table. When combined with the +.B -s +option for +.BR tc "," +display the statistics for all actions in the specified table. +When combined with the option +.B since +allows doing a millisecond time-filter since the last time an +action was used in the datapath. +.TP +.B flush +Delete all actions stored in the specified table. + +.SH ACTION OPTIONS +Note that these options are available to all action types. +.TP +.BI index " INDEX" +Specify the table index value of an action. +.I INDEX +is a 32-bit value that is unique to the specific type of action referenced. + +.RS +For +.BR add ", " change ", and" +.B replace +operations, the index is +.BR optional. +When adding a new action, +specifying an index value will assign the action to that index unless that +index value has already been assigned. Omitting the index value for an add +operation will cause the kernel to assign a value to the new action. +.RE + +.RS +For +.BR get " and " delete +operations, the index is +.B required +to identify the specific action to be displayed or deleted. +.RE + +.TP +.BI cookie " COOKIE" +In addition to the specific action, mark the matching packet with the value +specified by +.IR COOKIE "." +The +.I COOKIE +is a 128-bit value that will not be interpreted by the kernel whatsoever. +As such, it can be used as a correlating value for maintaining user state. +The value to be stored is completely arbitrary and does not require a specific +format. It is stored inside the action structure itself. + +.TP +.BI since " MSTIME" +When dumping large number of actions, a millisecond time-filter can be +specified +.IR MSTIME "." +The +.I MSTIME +is a millisecond count since last time a packet hit the action. +As an example specifying "since 20000" implies to dump all actions +that have seen packets in the last 20 seconds. This option is useful +when the kernel has a large number of actions and you are only interested +in recently used actions. + +.TP +.I CONTROL +The +.I CONTROL +indicates how +.B tc +should proceed after executing the action. Any of the following are valid: +.RS +.TP +.B reclassify +Restart the classifiction by jumping back to the first filter attached to +the action's parent. +.TP +.B pipe +Continue with the next action. This is the default control. +.TP +.B drop +Drop the packed without running any further actions. +.TP +.B continue +Continue the classification with the next filter. +.TP +.B pass +Return to the calling qdisc for packet processing, and end classification of +this packet. +.RE + +.SH SEE ALSO +.BR tc (8), +.BR tc-bpf (8), +.BR tc-connmark (8), +.BR tc-csum (8), +.BR tc-ife (8), +.BR tc-mirred (8), +.BR tc-nat (8), +.BR tc-pedit (8), +.BR tc-police (8), +.BR tc-simple (8), +.BR tc-skbedit (8), +.BR tc-skbmod (8), +.BR tc-tunnel_key (8), +.BR tc-vlan (8), +.BR tc-xt (8) diff --git a/man/man8/tc-bpf.8 b/man/man8/tc-bpf.8 index c8d5c5f9..2e9812ed 100644 --- a/man/man8/tc-bpf.8 +++ b/man/man8/tc-bpf.8 @@ -14,6 +14,10 @@ CLS_NAME ] [ UDS_FILE ] [ .B verbose ] [ +.B skip_hw +| +.B skip_sw +] [ .B police POLICE_SPEC ] [ .B action @@ -71,9 +75,9 @@ In Linux, it's generally considered that eBPF is the successor of cBPF. The kernel internally transforms cBPF expressions into eBPF expressions and executes the latter. Execution of them can be performed in an interpreter or at setup time, they can be just-in-time compiled (JIT'ed) to run as -native machine code. Currently, x86_64, ARM64 and s390 architectures have -eBPF JIT support, whereas PPC, SPARC, ARM and MIPS have cBPF, but did not -(yet) switch to eBPF JIT support. +native machine code. Currently, x86_64, ARM64, s390, ppc64 and sparc64 +architectures have eBPF JIT support, whereas PPC, SPARC, ARM and MIPS have +cBPF, but did not (yet) switch to eBPF JIT support. eBPF's instruction set has similar underlying principles as the cBPF instruction set, it however is modelled closer to the underlying @@ -137,6 +141,16 @@ if set, it will dump the eBPF verifier output, even if loading the eBPF program was successful. By default, only on error, the verifier log is being emitted to the user. +.SS skip_hw | skip_sw +hardware offload control flags. By default TC will try to offload +filters to hardware if possible. +.B skip_hw +explicitly disables the attempt to offload. +.B skip_sw +forces the offload and disables running the eBPF program in the kernel. +If hardware offload is not possible and this flag was set kernel will +report an error and filter will not be installed at all. + .SS police is an optional parameter for an eBPF/cBPF classifier that specifies a police in diff --git a/man/man8/tc-connmark.8 b/man/man8/tc-connmark.8 new file mode 100644 index 00000000..44f29f50 --- /dev/null +++ b/man/man8/tc-connmark.8 @@ -0,0 +1,55 @@ +.TH "Connmark retriever action in tc" 8 "11 Jan 2016" "iproute2" "Linux" + +.SH NAME +connmark - netfilter connmark retriever action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action connmark " [ " zone" +.IR u16_zone_index " ] [ " CONTROL " ] [" +.BI index " u32_index " +] + +.ti -8 +.IR CONTROL " := { " reclassify " | " pipe " | " drop " | " continue " | " ok " }" +.SH DESCRIPTION +The connmark action is used to restore the connection's mark value into the +packet's fwmark. +.SH OPTIONS +.TP +.BI zone " u16_zone_index" +Specify the conntrack zone when doing conntrack lookups for packets. +.I u16_zone_index +is a 16bit unsigned decimal value. +.TP +.I CONTROL +How to continue after executing this action. +.RS +.TP +.B reclassify +Restarts classification by jumping back to the first filter attached to this +action's parent. +.TP +.B pipe +Continue with the next action, this is the default. +.TP +.B drop +.TQ +.B shot +Packet will be dropped without running further actions. +.TP +.B continue +Continue classification with next filter in line. +.TP +.B pass +Return to calling qdisc for packet processing. This ends the classification +process. +.RE +.TP +.BI index " u32_index " +Specify an index for this action in order to being able to identify it in later +commands. +.I u32_index +is a 32bit unsigned decimal value. +.SH SEE ALSO +.BR tc (8) diff --git a/man/man8/tc-csum.8 b/man/man8/tc-csum.8 new file mode 100644 index 00000000..409ab717 --- /dev/null +++ b/man/man8/tc-csum.8 @@ -0,0 +1,72 @@ +.TH "Checksum action in tc" 8 "11 Jan 2015" "iproute2" "Linux" + +.SH NAME +csum - checksum update action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action csum" +.I UPDATE + +.ti -8 +.IR UPDATE " := " TARGET " [ " UPDATE " ]" + +.ti -8 +.IR TARGET " := { " +.BR ip4h " |" +.BR icmp " |" +.BR igmp " |" +.BR tcp " |" +.BR udp " |" +.BR udplite " |" +.BR sctp " |" +.IR SWEETS " }" + +.ti -8 +.IR SWEETS " := { " +.BR and " | " or " | " + " }" +.SH DESCRIPTION +The +.B csum +action triggers checksum recalculation of specified packet headers. It is +commonly used to fix incorrect checksums after the +.B pedit +action has modified the packet content. +.SH OPTIONS +.TP +.I TARGET +Specify which headers to update: IPv4 header +.RB ( ip4h ), +ICMP header +.RB ( icmp ), +IGMP header +.RB ( igmp ), +TCP header +.RB ( tcp ), +UDP header +.RB ( udp ), +UDPLite header +.RB ( udplite ") or" +SCTP header +.RB ( sctp ). +.TP +.B SWEETS +These are merely syntactic sugar and ignored internally. +.SH EXAMPLES +The following performs stateless NAT for incoming packets from 192.168.1.100 to +new destination 18.52.86.120 (0x12345678 in hex). Assuming these are UDP +packets, both IP and UDP checksums have to be recalculated: + +.RS +.EX +# tc qdisc add dev eth0 ingress handle ffff: +# tc filter add dev eth0 prio 1 protocol ip parent ffff: \\ + u32 match ip src 192.0.2.100/32 flowid :1 \\ + action pedit munge ip dst set 198.51.100.1 pipe \\ + csum ip and udp +.EE +.RE + +.SH SEE ALSO +.BR tc (8), +.BR tc-pedit (8) diff --git a/man/man8/tc-flow.8 b/man/man8/tc-flow.8 index f1b7e2a4..54f6bf7d 100644 --- a/man/man8/tc-flow.8 +++ b/man/man8/tc-flow.8 @@ -73,8 +73,10 @@ An offset for the resulting class ID. .I ID may be .BR root ", " none -or a hexadecimal class ID in the form [\fIX\fB:\fR]\fIY\fR. If \fIX\fR is -omitted, it is assumed to be zero. +or a hexadecimal class ID in the form [\fIX\fB:\fR]\fIY\fR. \fIX\fR must +match qdisc's/class's major handle (if omitted, the correct value is chosen +automatically). If the whole \fBbaseclass\fR is omitted, \fIY\fR defaults +to 1. .TP .BI divisor " NUM" Number of buckets to use for sorting into. Keys are calculated modulo @@ -239,7 +241,7 @@ tc filter add ... flow hash \\ divisor 1024 .EE .TP -Map destination IPs of 192.168.0.0/24 to classids 1-257: +Map destination IPs of 192.168.0.0/24 to classids 1-256: .EX tc filter add ... flow map \\ diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8 index df4d8e19..be46f027 100644 --- a/man/man8/tc-flower.8 +++ b/man/man8/tc-flower.8 @@ -18,17 +18,47 @@ flower \- flow based traffic control filter .ti -8 .IR MATCH " := { " .B indev -.IR ifname " | { " +.IR ifname " | " +.BR skip_sw " | " skip_hw +.RI " | { " .BR dst_mac " | " src_mac " } " -.IR mac_address " | " -.BR eth_type " { " ipv4 " | " ipv6 " | " +.IR MASKED_LLADDR " | " +.B vlan_id +.IR VID " | " +.B vlan_prio +.IR PRIORITY " | " +.BR vlan_ethtype " { " ipv4 " | " ipv6 " | " .IR ETH_TYPE " } | " -.BR ip_proto " { " tcp " | " udp " | " -.IR IP_PROTO " } | { " -.BR dst_ip " | " src_ip " } { " -.IR ipv4_address " | " ipv6_address " } | { " +.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | " +.IR IP_PROTO " } | " +.B ip_tos +.IR MASKED_IP_TOS " | " +.B ip_ttl +.IR MASKED_IP_TTL " | { " +.BR dst_ip " | " src_ip " } " +.IR PREFIX " | { " .BR dst_port " | " src_port " } " -.IR port_number " }" +.IR port_number " } | " +.B tcp_flags +.IR MASKED_TCP_FLAGS " | " +.B type +.IR MASKED_TYPE " | " +.B code +.IR MASKED_CODE " | { " +.BR arp_tip " | " arp_sip " } " +.IR IPV4_PREFIX " | " +.BR arp_op " { " request " | " reply " | " +.IR OP " } | { " +.BR arp_tha " | " arp_sha " } " +.IR MASKED_LLADDR " | " +.B enc_key_id +.IR KEY-ID " | {" +.BR enc_dst_ip " | " enc_src_ip " } { " +.IR ipv4_address " | " ipv6_address " } | " +.B enc_dst_port +.IR port_number " | " +.BR ip_flags +.IR IP_FLAGS .SH DESCRIPTION The .B flower @@ -55,56 +85,162 @@ is the name of an interface which must exist at the time of .B tc invocation. .TP -.BI dst_mac " mac_address" +.BI skip_sw +Do not process filter by software. If hardware has no offload support for this +filter, or TC offload is not enabled for the interface, operation will fail. +.TP +.BI skip_hw +Do not process filter by hardware. +.TP +.BI dst_mac " MASKED_LLADDR" .TQ -.BI src_mac " mac_address" -Match on source or destination MAC address. +.BI src_mac " MASKED_LLADDR" +Match on source or destination MAC address. A mask may be optionally +provided to limit the bits of the address which are matched. A mask is +provided by following the address with a slash and then the mask. It may be +provided in LLADDR format, in which case it is a bitwise mask, or as a +number of high bits to match. If the mask is missing then a match on all +bits is assumed. +.TP +.BI vlan_id " VID" +Match on vlan tag id. +.I VID +is an unsigned 12bit value in decimal format. .TP -.BI eth_type " ETH_TYPE" +.BI vlan_prio " PRIORITY" +Match on vlan tag priority. +.I PRIORITY +is an unsigned 3bit value in decimal format. +.TP +.BI vlan_ethtype " VLAN_ETH_TYPE" Match on layer three protocol. -.I ETH_TYPE +.I VLAN_ETH_TYPE may be either -.BR ipv4 , ipv6 +.BR ipv4 ", " ipv6 or an unsigned 16bit value in hexadecimal format. .TP .BI ip_proto " IP_PROTO" Match on layer four protocol. .I IP_PROTO -may be either -.BR tcp , udp +may be +.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6 or an unsigned 8bit value in hexadecimal format. .TP -.BI dst_ip " ADDRESS" +.BI ip_tos " MASKED_IP_TOS" +Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format. +A mask may be optionally provided to limit the bits which are matched. A mask +is provided by following the value with a slash and then the mask. If the mask +is missing then a match on all bits is assumed. +.TP +.BI ip_ttl " MASKED_IP_TTL" +Match on ipv4 TTL or ipv6 hop-limit - eight bits value in decimal or hexadecimal format. +A mask may be optionally provided to limit the bits which are matched. Same +logic is used for the mask as with matching on ip_tos. +.TP +.BI dst_ip " PREFIX" .TQ -.BI src_ip " ADDRESS" +.BI src_ip " PREFIX" Match on source or destination IP address. -.I ADDRESS -must be a valid IPv4 or IPv6 address, depending on -.BR ether_type , -which has to be specified in beforehand. +.I PREFIX +must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR +option to tc filter, optionally followed by a slash and the prefix length. +If the prefix is missing, \fBtc\fR assumes a full-length host match. .TP .BI dst_port " NUMBER" .TQ .BI src_port " NUMBER" Match on layer 4 protocol source or destination port number. Only available for -.BR ip_proto " values " udp " and " tcp , -which has to be specified in beforehand. +.BR ip_proto " values " udp ", " tcp " and " sctp +which have to be specified in beforehand. +.TP +.BI tcp_flags " MASKED_TCP_FLAGS" +Match on TCP flags represented as 12bit bitfield in in hexadecimal format. +A mask may be optionally provided to limit the bits which are matched. A mask +is provided by following the value with a slash and then the mask. If the mask +is missing then a match on all bits is assumed. +.TP +.BI type " MASKED_TYPE" +.TQ +.BI code " MASKED_CODE" +Match on ICMP type or code. A mask may be optionally provided to limit the +bits of the address which are matched. A mask is provided by following the +address with a slash and then the mask. The mask must be as a number which +represents a bitwise mask If the mask is missing then a match on all bits +is assumed. Only available for +.BR ip_proto " values " icmp " and " icmpv6 +which have to be specified in beforehand. +.TP +.BI arp_tip " IPV4_PREFIX" +.TQ +.BI arp_sip " IPV4_PREFIX" +Match on ARP or RARP sender or target IP address. +.I IPV4_PREFIX +must be a valid IPv4 address optionally followed by a slash and the prefix +length. If the prefix is missing, \fBtc\fR assumes a full-length host +match. +.TP +.BI arp_op " ARP_OP" +Match on ARP or RARP operation. +.I ARP_OP +may be +.BR request ", " reply +or an integer value 0, 1 or 2. A mask may be optionally provided to limit +the bits of the operation which are matched. A mask is provided by +following the address with a slash and then the mask. It may be provided as +an unsigned 8 bit value representing a bitwise mask. If the mask is missing +then a match on all bits is assumed. +.TP +.BI arp_sha " MASKED_LLADDR" +.TQ +.BI arp_tha " MASKED_LLADDR" +Match on ARP or RARP sender or target MAC address. A mask may be optionally +provided to limit the bits of the address which are matched. A mask is +provided by following the address with a slash and then the mask. It may be +provided in LLADDR format, in which case it is a bitwise mask, or as a +number of high bits to match. If the mask is missing then a match on all +bits is assumed. +.TP +.BI enc_key_id " NUMBER" +.TQ +.BI enc_dst_ip " PREFIX" +.TQ +.BI enc_src_ip " PREFIX" +.TQ +.BI enc_dst_port " NUMBER" +Match on IP tunnel metadata. Key id +.I NUMBER +is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel). +.I PREFIX +must be a valid IPv4 or IPv6 address optionally followed by a slash and the +prefix length. If the prefix is missing, \fBtc\fR assumes a full-length +host match. Dst port +.I NUMBER +is a 16 bit UDP dst port. +.TP +.BI ip_flags " IP_FLAGS" +.I IP_FLAGS +may be either +.BR frag " or " nofrag +to match on fragmented packets or not respectively. .SH NOTES As stated above where applicable, matches of a certain layer implicitly depend -on the matches of the next lower layer. Precisely, layer one and two matches ( -.BR indev , dst_mac , src_mac " and " eth_type ) -have no dependency, layer three matches ( -.BR ip_proto , dst_ip " and " src_ip ) -require -.B eth_type -being set to either -.BR ipv4 " or " ipv6 , -and finally layer four matches ( -.BR dst_port " and " src_port ) +on the matches of the next lower layer. Precisely, layer one and two matches +(\fBindev\fR, \fBdst_mac\fR and \fBsrc_mac\fR) +have no dependency, layer three matches +(\fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR, +\fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR) +depend on the +.B protocol +option of tc filter, layer four port matches +(\fBdst_port\fR and \fBsrc_port\fR) depend on .B ip_proto -being set to either -.BR tcp " or " udp . +being set to +.BR tcp ", " udp " or " sctp, +and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on +.B ip_proto +being set to +.BR icmp " or " icmpv6. .P There can be only used one mask per one prio. If user needs to specify different mask, he has to use different prio. diff --git a/man/man8/tc-hfsc.8 b/man/man8/tc-hfsc.8 index 5444118e..fd0df8ff 100644 --- a/man/man8/tc-hfsc.8 +++ b/man/man8/tc-hfsc.8 @@ -54,8 +54,8 @@ parameters, you will specify linear service curve. . \fBtc\fR(8), \fBtc\-hfsc\fR(7), \fBtc\-stab\fR(8) -Please direct bugreports and patches to: <net...@vger.kernel.org> +Please direct bugreports and patches to: <netdev@vger.kernel.org> . .SH "AUTHOR" . -Manpage created by Michal Soltys (sol...@ziu.info) +Manpage created by Michal Soltys (soltys@ziu.info) diff --git a/man/man8/tc-ife.8 b/man/man8/tc-ife.8 new file mode 100644 index 00000000..fd2df6c3 --- /dev/null +++ b/man/man8/tc-ife.8 @@ -0,0 +1,143 @@ +.TH "IFE action in tc" 8 "22 Apr 2016" "iproute2" "Linux" + +.SH NAME +IFE - encapsulate/decapsulate metadata +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " " action ife" +.IR DIRECTION " [ " ACTION " ] " +.RB "[ " dst +.IR DMAC " ] " +.RB "[ " src +.IR SMAC " ] " +.RB "[ " type +.IR TYPE " ] " +.RI "[ " +.IR CONTROL " ] " +.RB "[ " index +.IR INDEX " ] " + +.ti -8 +.IR DIRECTION " := { " +.BR decode " | " encode " }" + +.ti -8 +.IR ACTION " := { " +.BI allow " ATTR" +.RB "| " use +.IR "ATTR value" " }" + +.ti -8 +.IR ATTR " := { " +.BR mark " | " prio " | " tcindex " }" + +.ti -8 +.IR CONTROL " := { " +.BR reclassify " | " use " | " pipe " | " drop " | " continue " | " ok " | " goto " " chain " " CHAIN_INDEX " }" +.SH DESCRIPTION +The +.B ife +action allows for a sending side to encapsulate arbitrary metadata, which is +then decapsulated by the receiving end. The sender runs in encoding mode and +the receiver in decode mode. Both sender and receiver must specify the same +ethertype. In the future, a registered ethertype may be available as a default. +.SH OPTIONS +.TP +.B decode +For the receiving side; decode the metadata if the packet matches. +.TP +.B encode +For the sending side. Encode the specified metadata if the packet matches. +.TP +.B allow +Encode direction only. Allows encoding specified metadata. +.TP +.B use +Encode direction only. Enforce static encoding of specified metadata. +.TP +.BR mark " [ " +.IR u32_value " ]" +The value to set for the skb mark. The u32 value is required only when +.BR use " is specified. If +.BR mark " value is zero, it will not be encoded, instead +"overlimits" statistics increment and +.BR CONTROL " action is taken. +.TP +.BR prio " [ " +.IR u32_value " ]" +The value to set for priority in the skb structure. The u32 value is required +only when +.BR use " is specified." +.TP +.BR tcindex " [" +.IR u16_value " ]" +Value to set for the traffic control index in the skb structure. The u16 value +is required only when +.BR use " is specified." +.TP +.BI dmac " DMAC" +.TQ +.BI smac " SMAC" +Optional six byte destination or source MAC address to encode. +.TP +.BI type " TYPE" +Optional 16-bit ethertype to encode. If not specified value of 0xED3E will be used. +.TP +.BI CONTROL +Action to take following an encode/decode. +.TP +.BI index " INDEX" +Assign a unique ID to this action instead of letting the kernel choose one +automatically. +.I INDEX +is a 32bit unsigned integer greater than zero. +.SH EXAMPLES + +On the receiving side, match packets with ethertype 0xdead and restart +classification so that it will match ICMP on the next rule, at prio 3: +.RS +.EX +# tc qdisc add dev eth0 handle ffff: ingress +# tc filter add dev eth0 parent ffff: prio 2 protocol 0xdead \\ + u32 match u32 0 0 flowid 1:1 \\ + action ife decode reclassify +# tc filter add dev eth0 parent ffff: prio 3 protocol ip \\ + u32 match ip protocol 0xff flowid 1:1 \\ + action continue +.EE +.RE + +Match with skb mark of 17: + +.RS +.EX +# tc filter add dev eth0 parent ffff: prio 4 protocol ip \\ + handle 0x11 fw flowid 1:1 \\ + action ok +.EE +.RE + +Configure the sending side to encode for the filters above. Use a destination +IP address of 192.168.122.237/24, then tag with skb mark of decimal 17. Encode +the packaet with ethertype 0xdead, add skb->mark to whitelist of metadatum to +send, and rewrite the destination MAC address to 02:15:15:15:15:15. + +.RS +.EX +# tc qdisc add dev eth0 root handle 1: prio +# tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \\ + match ip dst 192.168.122.237/24 \\ + match ip protocol 1 0xff \\ + flowid 1:2 \\ + action skbedit mark 17 \\ + action ife encode \\ + type 0xDEAD \\ + allow mark \\ + dst 02:15:15:15:15:15 +.EE +.RE + +.SH SEE ALSO +.BR tc (8), +.BR tc-u32 (8) diff --git a/man/man8/tc-matchall.8 b/man/man8/tc-matchall.8 new file mode 100644 index 00000000..e3cddb1f --- /dev/null +++ b/man/man8/tc-matchall.8 @@ -0,0 +1,87 @@ +.TH "Match-all classifier in tc" 8 "21 Oct 2015" "iproute2" "Linux" + +.SH NAME +matchall \- traffic control filter that matches every packet +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " " filter " ... " matchall " [ " +.BR skip_sw " | " skip_hw +.RI " ] [ " +.B action +.IR ACTION_SPEC " ] [ " +.B classid +.IR CLASSID " ]" +.SH DESCRIPTION +The +.B matchall +filter allows to classify every packet that flows on the port and run a +action on it. +.SH OPTIONS +.TP +.BI action " ACTION_SPEC" +Apply an action from the generic actions framework on matching packets. +.TP +.BI classid " CLASSID" +Push matching packets into the class identified by +.IR CLASSID . +.TP +.BI skip_sw +Do not process filter by software. If hardware has no offload support for this +filter, or TC offload is not enabled for the interface, operation will fail. +.TP +.BI skip_hw +Do not process filter by hardware. +.SH EXAMPLES +To create ingress mirroring from port eth1 to port eth2: +.RS +.EX + +tc qdisc add dev eth1 handle ffff: ingress +tc filter add dev eth1 parent ffff: \\ + matchall skip_sw \\ + action mirred egress mirror \\ + dev eth2 +.EE +.RE + +The first command creats an ingress qdisc with handle +.BR ffff: +on device +.BR eth1 +where the second command attaches a matchall filters on it that mirrors the +packets to device eth2. + +To create egress mirroring from port eth1 to port eth2: +.RS +.EX + +tc qdisc add dev eth1 handle 1: root prio +tc filter add dev eth1 parent 1: \\ + matchall skip_sw \\ + action mirred egress mirror \\ + dev eth2 +.EE +.RE + +The first command creats an egress qdisc with handle +.BR 1: +that replaces the root qdisc on device +.BR eth1 +where the second command attaches a matchall filters on it that mirrors the +packets to device eth2. + +To sample one of every 100 packets flowing into interface eth0 to psample group +12: +.RS +.EX + +tc qdisc add dev eth0 handle ffff: ingress +tc filter add dev eth0 parent ffff: matchall \\ + action sample rate 100 group 12 +.EE +.RE + +.EE +.SH SEE ALSO +.BR tc (8), diff --git a/man/man8/tc-mirred.8 b/man/man8/tc-mirred.8 new file mode 100644 index 00000000..38833b45 --- /dev/null +++ b/man/man8/tc-mirred.8 @@ -0,0 +1,99 @@ +.TH "Mirror/redirect action in tc" 8 "11 Jan 2015" "iproute2" "Linux" + +.SH NAME +mirred - mirror/redirect action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action mirred" +.I DIRECTION ACTION +.RB "[ " index +.IR INDEX " ] " +.BI dev " DEVICENAME" + +.ti -8 +.IR DIRECTION " := { " +.BR ingress " | " egress " }" + +.ti -8 +.IR ACTION " := { " +.BR mirror " | " redirect " }" +.SH DESCRIPTION +The +.B mirred +action allows packet mirroring (copying) or redirecting (stealing) the packet it +receives. Mirroring is what is sometimes referred to as Switch Port Analyzer +(SPAN) and is commonly used to analyze and/or debug flows. +.SH OPTIONS +.TP +.B ingress +.TQ +.B egress +Specify the direction in which the packet shall appear on the destination +interface. +.TP +.B mirror +.TQ +.B redirect +Define whether the packet should be copied +.RB ( mirror ) +or moved +.RB ( redirect ) +to the destination interface. +.TP +.BI index " INDEX" +Assign a unique ID to this action instead of letting the kernel choose one +automatically. +.I INDEX +is a 32bit unsigned integer greater than zero. +.TP +.BI dev " DEVICENAME" +Specify the network interface to redirect or mirror to. +.SH EXAMPLES +Limit ingress bandwidth on eth0 to 1mbit/s, redirect exceeding traffic to lo for +debugging purposes: + +.RS +.EX +# tc qdisc add dev eth0 handle ffff: ingress +# tc filter add dev eth0 parent ffff: u32 \\ + match u32 0 0 \\ + action police rate 1mbit burst 100k conform-exceed pipe \\ + action mirred egress redirect dev lo +.EE +.RE + +Mirror all incoming ICMP packets on eth0 to a dummy interface for examination +with e.g. tcpdump: + +.RS +.EX +# ip link add dummy0 type dummy +# ip link set dummy0 up +# tc qdisc add dev eth0 handle ffff: ingress +# tc filter add dev eth0 parent ffff: protocol ip \\ + u32 match ip protocol 1 0xff \\ + action mirred egress mirror dev dummy0 +.EE +.RE + +Using an +.B ifb +interface, it is possible to send ingress traffic through an instance of +.BR sfq : + +.RS +.EX +# modprobe ifb +# ip link set ifb0 up +# tc qdisc add dev ifb0 root sfq +# tc qdisc add dev eth0 handle ffff: ingress +# tc filter add dev eth0 parent ffff: u32 \\ + match u32 0 0 \\ + action mirred egress redirect dev ifb0 +.EE +.RE + +.SH SEE ALSO +.BR tc (8), +.BR tc-u32 (8) diff --git a/man/man8/tc-nat.8 b/man/man8/tc-nat.8 new file mode 100644 index 00000000..fdcc052a --- /dev/null +++ b/man/man8/tc-nat.8 @@ -0,0 +1,78 @@ +.TH "NAT action in tc" 8 "12 Jan 2015" "iproute2" "Linux" + +.SH NAME +nat - stateless native address translation action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action nat" +.I DIRECTION OLD NEW + +.ti -8 +.IR DIRECTION " := { " +.BR ingress " | " egress " }" + +.ti -8 +.IR OLD " := " IPV4_ADDR_SPEC + +.ti -8 +.IR NEW " := " IPV4_ADDR_SPEC + +.ti -8 +.IR IPV4_ADDR_SPEC " := { " +.BR default " | " any " | " all " | " +\fIin_addr\fR[\fB/\fR{\fIprefix\fR|\fInetmask\fR}] +.SH DESCRIPTION +The +.B nat +action allows to perform NAT without the overhead of conntrack, which is +desirable if the number of flows or addresses to perform NAT on is large. This +action is best used in combination with the +.B u32 +filter to allow for efficient lookups of a large number of stateless NAT rules +in constant time. +.SH OPTIONS +.TP +.B ingress +Translate destination addresses, i.e. perform DNAT. +.TP +.B egress +Translate source addresses, i.e. perform SNAT. +.TP +.I OLD +Specifies addresses which should be translated. +.TP +.I NEW +Specifies addresses which +.I OLD +should be translated into. +.SH NOTES +The accepted address format in +.IR OLD " and " NEW +is quite flexible. It may either consist of one of the keywords +.BR default ", " any " or " all , +representing the all-zero IP address or a combination of IP address and netmask +or prefix length separated by a slash +.RB ( / ) +sign. In any case, the mask (or prefix length) value of +.I OLD +is used for +.I NEW +as well so that a one-to-one mapping of addresses is assured. + +Address translation is done using a combination of binary operations. First, the +original (source or destination) address is matched against the value of +.IR OLD . +If the original address fits, the new address is created by taking the leading +bits from +.I NEW +(defined by the netmask of +.IR OLD ) +and taking the remaining bits from the original address. + +There is rudimental support for upper layer protocols, namely TCP, UDP and ICMP. +While for the first two only checksum recalculation is performed, the action +also takes care of embedded IP headers in ICMP packets by translating the +respective address therein, too. +.SH SEE ALSO +.BR tc (8) diff --git a/man/man8/tc-pedit.8 b/man/man8/tc-pedit.8 new file mode 100644 index 00000000..bbd725c4 --- /dev/null +++ b/man/man8/tc-pedit.8 @@ -0,0 +1,373 @@ +.TH "Generic packet editor action in tc" 8 "12 Jan 2015" "iproute2" "Linux" + +.SH NAME +pedit - generic packet editor action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action pedit [ex] munge " { +.IR RAW_OP " | " LAYERED_OP " | " EXTENDED_LAYERED_OP " } [ " CONTROL " ]" + +.ti -8 +.IR RAW_OP " := " +.BI offset " OFFSET" +.RB "{ " u8 " | " u16 " | " u32 " } [" +.IR AT_SPEC " ] " CMD_SPEC + +.ti -8 +.IR AT_SPEC " := " +.BI at " AT " offmask " MASK " shift " SHIFT" + +.ti -8 +.IR LAYERED_OP " := { " +.BI ip " IPHDR_FIELD" +| +.BI ip " BEYOND_IPHDR_FIELD" +.RI } " CMD_SPEC" + +.ti -8 +.IR EXTENDED_LAYERED_OP " := { " +.BI eth " ETHHDR_FIELD" +| +.BI ip " IPHDR_FIELD" +| +.BI ip " EX_IPHDR_FIELD" +| +.BI ip6 " IP6HDR_FIELD" +| +.BI tcp " TCPHDR_FIELD" +| +.BI udp " UDPHDR_FIELD" +.RI } " CMD_SPEC" + +.ti -8 +.IR ETHHDR_FIELD " := { " +.BR src " | " dst " | " type " }" + +.ti -8 +.IR IPHDR_FIELD " := { " +.BR src " | " dst " | " tos " | " dsfield " | " ihl " | " protocol " |" +.BR precedence " | " nofrag " | " firstfrag " | " ce " | " df " }" + +.ti -8 +.IR BEYOND_IPHDR_FIELD " := { " +.BR dport " | " sport " | " icmp_type " | " icmp_code " }" + +.ti -8 +.IR EX_IPHDR_FIELD " := { " +.BR ttl " }" + + +.ti -8 +.IR IP6HDR_FIELD " := { " +.BR src " | " dst " | " flow_lbl " | " payload_len " | " nexthdr " |" +.BR hoplimit " }" + +.ti -8 +.IR TCPHDR_FIELD " := { " +.BR sport " | " dport " | " flags " }" + +.ti -8 +.IR UDPHDR_FIELD " := { " +.BR sport " | " dport " }" + +.ti -8 +.IR CMD_SPEC " := {" +.BR clear " | " invert " | " set +.IR VAL " | " +.BR add +.IR VAL " | " +.BR preserve " } [ " retain +.IR RVAL " ]" + +.ti -8 +.IR CONTROL " := {" +.BR reclassify " | " pipe " | " drop " | " shot " | " continue " | " pass " | " goto " " chain " " CHAIN_INDEX " }" +.SH DESCRIPTION +The +.B pedit +action can be used to change arbitrary packet data. The location of data to +change can either be specified by giving an offset and size as in +.IR RAW_OP , +or for header values by naming the header and field to edit the size is then +chosen automatically based on the header field size. Currently this is supported +only for IPv4 headers. +.SH OPTIONS +.TP +.B ex +Use extended pedit. +.I EXTENDED_LAYERED_OP +and the add +.I CMD_SPEC +are allowed only in this mode. +.TP +.BI offset " OFFSET " "\fR{ \fBu32 \fR| \fBu16 \fR| \fBu8 \fR}" +Specify the offset at which to change data. +.I OFFSET +is a signed integer, it's base is automatically chosen (e.g. hex if prefixed by +.B 0x +or octal if prefixed by +.BR 0 ). +The second argument specifies the length of data to change, that is four bytes +.RB ( u32 ), +two bytes +.RB ( u16 ) +or a single byte +.RB ( u8 ). +.TP +.BI at " AT " offmask " MASK " shift " SHIFT" +This is an optional part of +.IR RAW_OP +which allows to have a variable +.I OFFSET +depending on packet data at offset +.IR AT , +which is binary ANDed with +.I MASK +and right-shifted by +.I SHIFT +before adding it to +.IR OFFSET . +.TP +.BI eth " ETHHDR_FIELD" +Change an ETH header field. The supported keywords for +.I ETHHDR_FIELD +are: +.RS +.TP +.B src +.TQ +.B dst +Source or destination MAC address in the standard format: XX:XX:XX:XX:XX:XX +.TP +.B type +Ether-type in numeric value +.RE +.TP +.BI ip " IPHDR_FIELD" +Change an IPv4 header field. The supported keywords for +.I IPHDR_FIELD +are: +.RS +.TP +.B src +.TQ +.B dst +Source or destination IP address, a four-byte value. +.TP +.B tos +.TQ +.B dsfield +.TQ +.B precedence +Type Of Service field, an eight-bit value. +.TP +.B ihl +Change the IP Header Length field, a four-bit value. +.TP +.B protocol +Next-layer Protocol field, an eight-bit value. +.TP +.B nofrag +.TQ +.B firstfrag +.TQ +.B ce +.TQ +.B df +.TQ +.B mf +Change IP header flags. Note that the value to pass to the +.B set +command is not just a bit value, but the full byte including the flags field. +Though only the relevant bits of that value are respected, the rest ignored. +.RE +.TP +.BI ip " BEYOND_IPHDR_FIELD" +Supported only for non-extended layered op. It is passed to the kernel as +offsets relative to the beginning of the IP header and assumes the IP header is +of minimum size (20 bytes). The supported keywords for +.I BEYOND_IPHDR_FIELD +are: +.RS +.TP +.B dport +.TQ +.B sport +Destination or source port numbers, a 16-bit value. Indeed, IPv4 headers don't +contain this information. Instead, this will set an offset which suits at least +TCP and UDP if the IP header is of minimum size (20 bytes). If not, this will do +unexpected things. +.TP +.B icmp_type +.TQ +.B icmp_code +Again, this allows to change data past the actual IP header itself. It assumes +an ICMP header is present immediately following the (minimal sized) IP header. +If it is not or the latter is bigger than the minimum of 20 bytes, this will do +unexpected things. These fields are eight-bit values. +.RE +.TP +.BI ip " EX_IPHDR_FIELD" +Supported only when +.I ex +is used. The supported keywords for +.I EX_IPHDR_FIELD +are: +.RS +.TP +.B ttl +.RE +.TP +.BI ip6 " IP6HDR_FIELD" +The supported keywords for +.I IP6HDR_FIELD +are: +.RS +.TP +.B src +.TQ +.B dst +.TQ +.B flow_lbl +.TQ +.B payload_len +.TQ +.B nexthdr +.TQ +.B hoplimit +.RE +.TP +.BI tcp " TCPHDR_FIELD" +The supported keywords for +.I TCPHDR_FIELD +are: +.RS +.TP +.B sport +.TQ +.B dport +Source or destination TCP port number, a 16-bit value. +.TP +.B flags +.RE +.TP +.BI udp " UDPHDR_FIELD" +The supported keywords for +.I UDPHDR_FIELD +are: +.RS +.TP +.B sport +.TQ +.B dport +Source or destination TCP port number, a 16-bit value. +.RE +.TP +.B clear +Clear the addressed data (i.e., set it to zero). +.TP +.B invert +Swap every bit in the addressed data. +.TP +.BI set " VAL" +Set the addressed data to a specific value. The size of +.I VAL +is defined by either one of the +.BR u32 ", " u16 " or " u8 +keywords in +.IR RAW_OP , +or the size of the addressed header field in +.IR LAYERED_OP . +.TP +.BI add " VAL" +Add the addressed data by a specific value. The size of +.I VAL +is defined by the size of the addressed header field in +.IR EXTENDED_LAYERED_OP . +This operation is supported only for extended layered op. +.TP +.B preserve +Keep the addressed data as is. +.TP +.BI retain " RVAL" +This optional extra part of +.I CMD_SPEC +allows to exclude bits from being changed. Supported only for 32 bits fields +or smaller. +.TP +.I CONTROL +The following keywords allow to control how the tree of qdisc, classes, +filters and actions is further traversed after this action. +.RS +.TP +.B reclassify +Restart with the first filter in the current list. +.TP +.B pipe +Continue with the next action attached to the same filter. +.TP +.B drop +.TQ +.B shot +Drop the packet. +.TP +.B continue +Continue classification with the next filter in line. +.TP +.B pass +Finish classification process and return to calling qdisc for further packet +processing. This is the default. +.RE +.SH EXAMPLES +Being able to edit packet data, one could do all kinds of things, such as e.g. +implementing port redirection. Certainly not the most useful application, but +as an example it should do: + +First, qdiscs need to be set up to attach filters to. For the receive path, a simple +.B ingress +qdisc will do, for transmit path a classful qdisc +.RB ( HTB +in this case) is necessary: + +.RS +.EX +tc qdisc replace dev eth0 root handle 1: htb +tc qdisc add dev eth0 ingress handle ffff: +.EE +.RE + +Finally, a filter with +.B pedit +action can be added for each direction. In this case, +.B u32 +is used matching on the port number to redirect from, while +.B pedit +then does the actual rewriting: + +.RS +.EX +tc filter add dev eth0 parent 1: u32 \\ + match ip dport 23 0xffff \\ + action pedit pedit munge ip dport set 22 +tc filter add dev eth0 parent ffff: u32 \\ + match ip sport 22 0xffff \\ + action pedit pedit munge ip sport set 23 +tc filter add dev eth0 parent ffff: u32 \\ + match ip sport 22 0xffff \\ + action pedit ex munge ip dst set 192.168.1.199 +tc filter add dev eth0 parent ffff: u32 \\ + match ip sport 22 0xffff \\ + action pedit ex munge ip6 dst set fe80::dacb:8aff:fec7:320e +tc filter add dev eth0 parent ffff: u32 \\ + match ip sport 22 0xffff \\ + action pedit ex munge eth dst set 11:22:33:44:55:66 +tc filter add dev eth0 parent ffff: u32 \\ + match ip dport 23 0xffff \\ + action pedit ex munge tcp dport set 22 +.EE +.RE +.SH SEE ALSO +.BR tc (8), +.BR tc-htb (8), +.BR tc-u32 (8) diff --git a/man/man8/tc-police.8 b/man/man8/tc-police.8 new file mode 100644 index 00000000..bcc5f438 --- /dev/null +++ b/man/man8/tc-police.8 @@ -0,0 +1,146 @@ +.TH "Policing action in tc" 8 "20 Jan 2015" "iproute2" "Linux" + +.SH NAME +police - policing action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action police" +.BI rate " RATE " burst +.IR BYTES [\fB/ BYTES "] [" +.B mtu +.IR BYTES [\fB/ BYTES "] ] [" +.BI peakrate " RATE" +] [ +.BI overhead " BYTES" +] [ +.BI linklayer " TYPE" +] [ +.IR CONTROL " ]" + +.ti -8 +.BR tc " ... " filter " ... [ " estimator +.IR "SAMPLE AVERAGE " ] +.BR "action police avrate" +.IR RATE " [ " CONTROL " ]" + +.ti -8 +.IR CONTROL " :=" +.BI conform-exceed " EXCEEDACT\fR[\fB/\fINOTEXCEEDACT" + +.ti -8 +.IR EXCEEDACT/NOTEXCEEDACT " := { " +.BR pipe " | " ok " | " reclassify " | " drop " | " continue " | " goto " " chain " " CHAIN_INDEX " }" +.SH DESCRIPTION +The +.B police +action allows to limit bandwidth of traffic matched by the filter it is +attached to. Basically there are two different algorithms available to measure +the packet rate: The first one uses an internal dual token bucket and is +configured using the +.BR rate ", " burst ", " mtu ", " peakrate ", " overhead " and " linklayer +parameters. The second one uses an in-kernel sampling mechanism. It can be +fine-tuned using the +.B estimator +filter parameter. +.SH OPTIONS +.TP +.BI rate " RATE" +The maximum traffic rate of packets passing this action. Those exceeding it will +be treated as defined by the +.B conform-exceed +option. +.TP +.BI burst " BYTES\fR[\fB/\fIBYTES\fR]" +Set the maximum allowed burst in bytes, optionally followed by a slash ('/') +sign and cell size which must be a power of 2. +.TP +.BI mtu " BYTES\fR[\fB/\fIBYTES\fR]" +This is the maximum packet size handled by the policer (larger ones will be +handled like they exceeded the configured rate). Setting this value correctly +will improve the scheduler's precision. +Value formatting is identical to +.B burst +above. Defaults to unlimited. +.TP +.BI peakrate " RATE" +Set the maximum bucket depletion rate, exceeding +.BR rate . +.TP +.BI avrate " RATE" +Make use of an in-kernel bandwidth rate estimator and match the given +.I RATE +against it. +.TP +.BI overhead " BYTES" +Account for protocol overhead of encapsulating output devices when computing +.BR rate " and " peakrate . +.TP +.BI linklayer " TYPE" +Specify the link layer type. +.I TYPE +may be one of +.B ethernet +(the default), +.BR atm " or " adsl +(which are synonyms). It is used to align the precomputed rate tables to ATM +cell sizes, for +.B ethernet +no action is taken. +.TP +.BI estimator " SAMPLE AVERAGE" +Fine-tune the in-kernel packet rate estimator. +.IR SAMPLE " and " AVERAGE +are time values and control the frequency in which samples are taken and over +what timespan an average is built. +.TP +.BI conform-exceed " EXCEEDACT\fR[\fB/\fINOTEXCEEDACT\fR]" +Define how to handle packets which exceed or conform the +configured bandwidth limit. Possible values are: +.RS +.IP continue +Don't do anything, just continue with the next action in line. +.IP drop +Drop the packet immediately. +.IP shot +This is a synonym to +.BR drop . +.IP ok +Accept the packet. This is the default for conforming packets. +.IP pass +This is a synonym to +.BR ok . +.IP reclassify +Treat the packet as non-matching to the filter this action is attached to and +continue with the next filter in line (if any). This is the default for +exceeding packets. +.IP pipe +Pass the packet to the next action in line. +.SH EXAMPLES +A typical application of the police action is to enforce ingress traffic rate +by dropping exceeding packets. Although better done on the sender's side, +especially in scenarios with lack of peer control (e.g. with dial-up providers) +this is often the best one can do in order to keep latencies low under high +load. The following establishes input bandwidth policing to 1mbit/s using the +.B ingress +qdisc and +.B u32 +filter: + +.RS +.EX +# tc qdisc add dev eth0 handle ffff: ingress +# tc filter add dev eth0 parent ffff: u32 \\ + match u32 0 0 \\ + police rate 1mbit burst 100k +.EE +.RE + +As an action can not live on it's own, there always has to be a filter involved as link between qdisc and action. The example above uses +.B u32 +for that, which is configured to effectively match any packet (passing it to the +.B police +action thereby). + +.SH SEE ALSO +.BR tc (8) diff --git a/man/man8/tc-sample.8 b/man/man8/tc-sample.8 new file mode 100644 index 00000000..3e03eba2 --- /dev/null +++ b/man/man8/tc-sample.8 @@ -0,0 +1,125 @@ +.TH "Packet sample action in tc" 8 "31 Jan 2017" "iproute2" "Linux" + +.SH NAME +sample - packet sampling tc action +.SH SYNOPSIS +.in +8 +.ti -8 + +.BR tc " ... " "action sample rate" +.I RATE +.BR "group" +.I GROUP +.RB "[ " trunc +.IR SIZE " ] " +.RB "[ " index +.IR INDEX " ] " +.ti -8 + +.BR tc " ... " "action sample index " +.I INDEX +.ti -8 + +.SH DESCRIPTION +The +.B sample +action allows sampling packets matching classifier. + +The packets are chosen randomly according to the +.B rate +parameter, and are sampled using the +.B psample +generic netlink channel. The user can also specify packet truncation to save +user-kernel traffic. Each sample includes some informative metadata about the +original packet, which is sent using netlink attributes, alongside the original +packet data. + +The user can either specify the sample action parameters as presented in the +first form above, or use an existing sample action using its index, as presented +in the second form. + +.SH SAMPLED PACKETS METADATA FIELDS +The metadata are delivered to userspace applications using the +.B psample +generic netlink channel, where each sample includes the following netlink +attributes: +.TP +.BI PSAMPLE_ATTR_IIFINDEX +The input interface index of the packet, if there is one. +.TP +.BI PSAMPLE_ATTR_OIFINDEX +The output interface index of the packet. This field is not relevant on ingress +sampling +.TP +.BI PSAMPLE_ATTR_ORIGSIZE +The size of the original packet (before truncation) +.TP +.BI PSAMPLE_ATTR_SAMPLE_GROUP +The +.B psample +group the packet was sent to +.TP +.BI PSAMPLE_ATTR_GROUP_SEQ +A sequence number of the sampled packet. This number is incremented with each +sampled packet of the current +.B psample +group +.TP +.BI PSAMPLE_ATTR_SAMPLE_RATE +The rate the packet was sampled with +.RE + +.SH OPTIONS +.TP +.BI rate " RATE" +The packet sample rate. +.I "RATE" +is the expected ratio between observed packets and sampled packets. For example, +.I "RATE" +of 100 will lead to an average of one sampled packet out of every 100 observed. +.TP +.BI trunc " SIZE" +Upon set, defines the maximum size of the sampled packets, and causes truncation +if needed +.TP +.BI group " GROUP" +The +.B psample +group the packet will be sent to. The +.B psample +module defines the concept of groups, which allows the user to match specific +sampled packets in the case of multiple sampling rules, thus identify only the +packets that came from a specific rule. +.TP +.BI index " INDEX" +Is a unique ID for an action. When creating new action instance, this parameter +allows to set the new action index. When using existing action, this parameter +allows to specify the existing action index. The index must 32bit unsigned +integer greater than zero. +.SH EXAMPLES +Sample one of every 100 packets flowing into interface eth0 to psample group 12: + +.RS +.EX +tc qdisc add dev eth0 handle ffff: ingress +tc filter add dev eth0 parent ffff: matchall \\ + action sample rate 100 group 12 index 19 +.EE +.RE + +Use the same action instance to sample eth1 too: + +.RS +.EX +tc qdisc add dev eth1 handle ffff: ingress +tc filter add dev eth1 parent ffff: matchall \\ + action sample index 19 +.EE +.RE + +.EE +.RE +.SH SEE ALSO +.BR tc (8), +.BR tc-matchall (8) +.BR psample (1) diff --git a/man/man8/tc-simple.8 b/man/man8/tc-simple.8 new file mode 100644 index 00000000..7363ab56 --- /dev/null +++ b/man/man8/tc-simple.8 @@ -0,0 +1,99 @@ +.TH "Simple action in tc" 8 "12 Jan 2015" "iproute2" "Linux" + +.SH NAME +simple - basic example action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action simple" +[ +.BI sdata " STRING" +] [ +.BI index " INDEX" +] [ +.I CONTROL +] + +.ti -8 +.IR CONTROL " := {" +.BR reclassify " | " pipe " | " drop " | " continue " | " ok " }" + +.SH DESCRIPTION +This is a pedagogical example rather than an actually useful action. Upon every access, it prints the given +.I STRING +which may be of arbitrary length. +.SH OPTIONS +.TP +.BI sdata " STRING" +The actual string to print. +.TP +.BI index " INDEX" +Optional action index value. +.TP +.I CONTROL +Indicate how +.B tc +should proceed after executing the action. For a description of the possible +.I CONTROL +values, see +.BR tc-actions (8). +.SH EXAMPLES +The following example makes the kernel yell "Incoming ICMP!" every time it sees +an incoming ICMP on eth0. Steps are: +.IP 1) 4 +Add an ingress qdisc point to eth0 +.IP 2) 4 +Start a chain on ingress of eth0 that first matches ICMP then invokes the +simple action to shout. +.IP 3) 4 +display stats and show that no packet has been seen by the action +.IP 4) 4 +Send one ping packet to google (expect to receive a response back) +.IP 5) 4 +grep the logs to see the logged message +.IP 6) 4 +display stats again and observe increment by 1 + +.RE +.EX + hadi@noma1:$ tc qdisc add dev eth0 ingress + hadi@noma1:$tc filter add dev eth0 parent ffff: protocol ip prio 5 \\ + u32 match ip protocol 1 0xff flowid 1:1 action simple sdata "Incoming ICMP" + + hadi@noma1:$ sudo tc -s filter ls dev eth0 parent ffff: + filter protocol ip pref 5 u32 + filter protocol ip pref 5 u32 fh 800: ht divisor 1 + filter protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 + match 00010000/00ff0000 at 8 + action order 1: Simple <Incoming ICMP> + index 4 ref 1 bind 1 installed 29 sec used 29 sec + Action statistics: + Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 + + + hadi@noma1$ ping -c 1 www.google.ca + PING www.google.ca (74.125.225.120) 56(84) bytes of data. + 64 bytes from ord08s08-in-f24.1e100.net (74.125.225.120): icmp_req=1 ttl=53 time=31.3 ms + + --- www.google.ca ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 31.316/31.316/31.316/0.000 ms + + hadi@noma1$ dmesg | grep simple + [135354.473951] simple: Incoming ICMP_1 + + hadi@noma1$ sudo tc/tc -s filter ls dev eth0 parent ffff: + filter protocol ip pref 5 u32 + filter protocol ip pref 5 u32 fh 800: ht divisor 1 + filter protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 + match 00010000/00ff0000 at 8 + action order 1: Simple <Incoming ICMP> + index 4 ref 1 bind 1 installed 206 sec used 67 sec + Action statistics: + Sent 84 bytes 1 pkt (dropped 0, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 +.EE +.SH SEE ALSO +.BR tc (8) +.BR tc-actions (8) diff --git a/man/man8/tc-skbedit.8 b/man/man8/tc-skbedit.8 new file mode 100644 index 00000000..003f05c9 --- /dev/null +++ b/man/man8/tc-skbedit.8 @@ -0,0 +1,66 @@ +.TH "SKB editing action in tc" 8 "12 Jan 2015" "iproute2" "Linux" + +.SH NAME +skbedit - SKB editing action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action skbedit " [ " queue_mapping +.IR QUEUE_MAPPING " ] [" +.B priority +.IR PRIORITY " ] [" +.B mark +.IR MARK " ]" +.B ptype +.IR PTYPE " ]" +.SH DESCRIPTION +The +.B skbedit +action allows to change a packet's associated meta data. It complements the +.B pedit +action, which in turn allows to change parts of the packet data itself. + +The most unique feature of +.B skbedit +is it's ability to decide over which queue of an interface with multiple +transmit queues the packet is to be sent out. The number of available transmit +queues is reflected by sysfs entries within +.I /sys/class/net/<interface>/queues +with name +.I tx-N +(where +.I N +is the actual queue number). +.SH OPTIONS +.TP +.BI queue_mapping " QUEUE_MAPPING" +Override the packet's transmit queue. Useful when applied to packets transmitted +over MQ-capable network interfaces. +.I QUEUE_MAPPING +is an unsigned 16bit value in decimal format. +.TP +.BI priority " PRIORITY" +Override the packet classification decision. +.I PRIORITY +is either +.BR root ", " none +or a hexadecimal major class ID optionally followed by a colon +.RB ( : ) +and a hexadecimal minor class ID. +.TP +.BI mark " MARK" +Change the packet's firewall mark value. +.I MARK +is an unsigned 32bit value in automatically detected format (i.e., prefix with +.RB ' 0x ' +for hexadecimal interpretation, etc.). +.TP +.BI ptype " PTYPE" +Override the packet's type. Useful for setting packet type to host when +needing to allow ingressing packets with the wrong MAC address but +correct IP address. +.I PTYPE +is one of: host, otherhost, broadcast, multicast +.SH SEE ALSO +.BR tc (8), +.BR tc-pedit (8) diff --git a/man/man8/tc-skbmod.8 b/man/man8/tc-skbmod.8 new file mode 100644 index 00000000..46418b65 --- /dev/null +++ b/man/man8/tc-skbmod.8 @@ -0,0 +1,137 @@ +.TH "skbmod action in tc" 8 "21 Sep 2016" "iproute2" "Linux" + +.SH NAME +skbmod - user-friendly packet editor action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action skbmod " "{ [ " "set " +.IR SETTABLE " ] [ " +.BI swap " SWAPPABLE" +.RI " ] [ " CONTROL " ] [ " +.BI index " INDEX " +] } + +.ti -8 +.IR SETTABLE " := " +.RB " [ " dmac +.IR DMAC " ] " +.RB " [ " smac +.IR SMAC " ] " +.RB " [ " etype +.IR ETYPE " ] " + +.ti -8 +.IR SWAPPABLE " := " +.B mac +.ti -8 +.IR CONTROL " := {" +.BR reclassify " | " pipe " | " drop " | " shot " | " continue " | " pass " }" +.SH DESCRIPTION +The +.B skbmod +action is intended as a usability upgrade to the existing +.B pedit +action. Instead of having to manually edit 8-, 16-, or 32-bit chunks of an +ethernet header, +.B skbmod +allows complete substitution of supported elements. +.SH OPTIONS +.TP +.BI dmac " DMAC" +Change the destination mac to the specified address. +.TP +.BI smac " SMAC" +Change the source mac to the specified address. +.TP +.BI etype " ETYPE" +Change the ethertype to the specified value. +.TP +.BI mac +Used to swap mac addresses. The +.B swap mac +directive is performed +after any outstanding D/SMAC changes. +.TP +.I CONTROL +The following keywords allow to control how the tree of qdisc, classes, +filters and actions is further traversed after this action. +.RS +.TP +.B reclassify +Restart with the first filter in the current list. +.TP +.B pipe +Continue with the next action attached to the same filter. +.TP +.B drop +.TQ +.B shot +Drop the packet. +.TP +.B continue +Continue classification with the next filter in line. +.TP +.B pass +Finish classification process and return to calling qdisc for further packet +processing. This is the default. +.SH EXAMPLES +To start, observe the following filter with a pedit action: + +.RS +.EX +tc filter add dev eth1 parent 1: protocol ip prio 10 \\ + u32 match ip protocol 1 0xff flowid 1:2 \\ + action pedit munge offset -14 u8 set 0x02 \\ + munge offset -13 u8 set 0x15 \\ + munge offset -12 u8 set 0x15 \\ + munge offset -11 u8 set 0x15 \\ + munge offset -10 u16 set 0x1515 \\ + pipe +.EE +.RE + +Using the skbmod action, this command can be simplified to: + +.RS +.EX +tc filter add dev eth1 parent 1: protocol ip prio 10 \\ + u32 match ip protocol 1 0xff flowid 1:2 \\ + action skbmod set dmac 02:15:15:15:15:15 \\ + pipe +.EE +.RE + +Complexity will increase if source mac and ethertype are also being edited +as part of the action. If all three fields are to be changed with skbmod: + +.RS +.EX +tc filter add dev eth5 parent 1: protocol ip prio 10 \\ + u32 match ip protocol 1 0xff flowid 1:2 \\ + action skbmod \\ + set etype 0xBEEF \\ + set dmac 02:12:13:14:15:16 \\ + set smac 02:22:23:24:25:26 +.EE +.RE + +Finally, swap the destination and source mac addresses in the header: + +.RS +.EX +tc filter add dev eth3 parent 1: protocol ip prio 10 \\ + u32 match ip protocol 1 0xff flowid 1:2 \\ + action skbmod \\ + swap mac +.EE +.RE + +As mentioned above, the swap action will occur after any +.B " smac/dmac " +substitutions are executed, if they are present. + +.SH SEE ALSO +.BR tc (8), +.BR tc-u32 (8), +.BR tc-pedit (8) diff --git a/man/man8/tc-stab.8 b/man/man8/tc-stab.8 index 02caa7df..03a0659b 100644 --- a/man/man8/tc-stab.8 +++ b/man/man8/tc-stab.8 @@ -156,8 +156,8 @@ it's good to use \fBethtool\fR to turn off offloading features. .br \fB[2]\fR http://www.faqs.org/rfcs/rfc2684.html -Please direct bugreports and patches to: <net...@vger.kernel.org> +Please direct bugreports and patches to: <netdev@vger.kernel.org> . .SH "AUTHOR" . -Manpage created by Michal Soltys (sol...@ziu.info) +Manpage created by Michal Soltys (soltys@ziu.info) diff --git a/man/man8/tc-tcindex.8 b/man/man8/tc-tcindex.8 index 7fcf8254..9a4e5ffc 100644 --- a/man/man8/tc-tcindex.8 +++ b/man/man8/tc-tcindex.8 @@ -11,7 +11,7 @@ tcindex \- traffic control index filter .IR MASK " ] [ " .B shift .IR SHIFT " ] [ " -.BR pas_on " | " fall_through " ] [ " classid +.BR pass_on " | " fall_through " ] [ " classid .IR CLASSID " ] [ " .B action .BR ACTION_SPEC " ]" diff --git a/man/man8/tc-tunnel_key.8 b/man/man8/tc-tunnel_key.8 new file mode 100644 index 00000000..e979a747 --- /dev/null +++ b/man/man8/tc-tunnel_key.8 @@ -0,0 +1,136 @@ +.TH "Tunnel metadata manipulation action in tc" 8 "10 Nov 2016" "iproute2" "Linux" + +.SH NAME +tunnel_key - Tunnel metadata manipulation +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action tunnel_key" " { " unset " | " +.IR SET " }" + +.ti -8 +.IR SET " := " +.BR set " " src_ip +.IR ADDRESS +.BR dst_ip +.IR ADDRESS +.BI id " KEY_ID" +.BI dst_port " UDP_PORT" +.RB "[ " csum " | " nocsum " ]" + +.SH DESCRIPTION +The +.B tunnel_key +action combined with a shared IP tunnel device, allows to perform IP tunnel en- +or decapsulation on a packet, reflected by +the operation modes +.IR UNSET " and " SET . +The +.I UNSET +mode is optional - even without using it, the metadata information will be +released automatically when packet processing will be finished. +.IR UNSET +function could be used in cases when traffic is forwarded between two tunnels, +where the metadata from the first tunnel will be used for encapsulation done by +the second tunnel. +.IR SET +mode requires the source and destination ip +.I ADDRESS +and the tunnel key id +.I KEY_ID +which will be used by the ip tunnel shared device to create the tunnel header. The +.B tunnel_key +action is useful only in combination with a +.B mirred redirect +action to a shared IP tunnel device which will use the metadata (for +.I SET +) and unset the metadata created by it (for +.I UNSET +). + +.SH OPTIONS +.TP +.B unset +Unset the tunnel metadata created by the IP tunnel device. This function is +not mandatory and might be used only in some specific use cases (as explained +above). +.TP +.B set +Set tunnel metadata to be used by the IP tunnel device. Requires +.B id +, +.B src_ip +and +.B dst_ip +options. +.B dst_port +is optional. +.RS +.TP +.B id +Tunnel ID (for example VNI in VXLAN tunnel) +.TP +.B src_ip +Outer header source IP address (IPv4 or IPv6) +.TP +.B dst_ip +Outer header destination IP address (IPv4 or IPv6) +.TP +.B dst_port +Outer header destination UDP port +.TP +.RB [ no ] csum +Controlls outer UDP checksum. When set to +.B csum +(which is default), the outer UDP checksum is calculated and included in the +packets. When set to +.BR nocsum , +outer UDP checksum is zero. Note that when using zero UDP checksums with +IPv6, the other tunnel endpoint must be configured to accept such packets. +In Linux, this would be the +.B udp6zerocsumrx +option for the VXLAN tunnel interface. +.IP +If using +.B nocsum +with IPv6, be sure you know what you are doing. Zero UDP checksums provide +weaker protection against corrupted packets. See RFC6935 for details. +.RE +.SH EXAMPLES +The following example encapsulates incoming ICMP packets on eth0 into a vxlan +tunnel, by setting metadata to VNI 11, source IP 11.11.0.1 and destination IP +11.11.0.2, and by redirecting the packet with the metadata to device vxlan0, +which will do the actual encapsulation using the metadata: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev eth0 protocol ip parent ffff: \\ + flower \\ + ip_proto icmp \\ + action tunnel_key set \\ + src_ip 11.11.0.1 \\ + dst_ip 11.11.0.2 \\ + id 11 \\ + action mirred egress redirect dev vxlan0 +.EE +.RE + +Here is an example of the +.B unset +function: Incoming VXLAN traffic with outer IP's and VNI 11 is decapsulated by +vxlan0 and metadata is unset before redirecting to tunl1 device: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev vxlan0 protocol ip parent ffff: \ + flower \\ + enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \ + action tunnel_key unset \ + action mirred egress redirect dev tunl1 +.EE +.RE + +.SH SEE ALSO +.BR tc (8) diff --git a/man/man8/tc-u32.8 b/man/man8/tc-u32.8 index 47c8f2d0..e9475a93 100644 --- a/man/man8/tc-u32.8 +++ b/man/man8/tc-u32.8 @@ -29,6 +29,10 @@ u32 \- universal 32bit traffic control filter .IR HANDLE " ] [ " .B indev .IR ifname " ] [ " +.B skip_hw +.R "|" +.B skip_sw +.R " ] [ " .BR help " ]" .ti -8 @@ -331,6 +335,13 @@ option. Filter on the incoming interface of the packet. Obviously works only for forwarded traffic. .TP +.BI skip_sw +Do not process filter by software. If hardware has no offload support for this +filter, or TC offload is not enabled for the interface, operation will fail. +.TP +.BI skip_hw +Do not process filter by hardware. +.TP .BI help Print a brief help text about possible options. .SH SELECTORS @@ -370,6 +381,7 @@ then allows to match various header fields: .RS .TP .BI src " ADDR" +.TQ .BI dst " ADDR" Compare Source or Destination Address fields against the value of .IR ADDR . diff --git a/man/man8/tc-vlan.8 b/man/man8/tc-vlan.8 new file mode 100644 index 00000000..59c81e86 --- /dev/null +++ b/man/man8/tc-vlan.8 @@ -0,0 +1,126 @@ +.TH "VLAN manipulation action in tc" 8 "12 Jan 2015" "iproute2" "Linux" + +.SH NAME +vlan - vlan manipulation module +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action vlan" " { " pop " |" +.IR PUSH " | " MODIFY " } [ " CONTROL " ]" + +.ti -8 +.IR PUSH " := " +.BR push " [ " protocol +.IR VLANPROTO " ]" +.BR " [ " priority +.IR VLANPRIO " ] " +.BI id " VLANID" + +.ti -8 +.IR MODIFY " := " +.BR modify " [ " protocol +.IR VLANPROTO " ]" +.BR " [ " priority +.IR VLANPRIO " ] " +.BI id " VLANID" + +.ti -8 +.IR CONTROL " := { " +.BR reclassify " | " pipe " | " drop " | " continue " | " pass " | " goto " " chain " " CHAIN_INDEX " }" +.SH DESCRIPTION +The +.B vlan +action allows to perform 802.1Q en- or decapsulation on a packet, reflected by +the operation modes +.IR POP ", " PUSH " and " MODIFY . +The +.I POP +mode is simple, as no further information is required to just drop the +outer-most VLAN encapsulation. The +.IR PUSH " and " MODIFY +modes require at least a +.I VLANID +and allow to optionally choose the +.I VLANPROTO +to use. +.SH OPTIONS +.TP +.B pop +Decapsulation mode, no further arguments allowed. +.TP +.B push +Encapsulation mode. Requires at least +.B id +option. +.TP +.B modify +Replace mode. Existing 802.1Q tag is replaced. Requires at least +.B id +option. +.TP +.BI id " VLANID" +Specify the VLAN ID to encapsulate into. +.I VLANID +is an unsigned 16bit integer, the format is detected automatically (e.g. prefix +with +.RB ' 0x ' +for hexadecimal interpretation, etc.). +.TP +.BI protocol " VLANPROTO" +Choose the VLAN protocol to use. At the time of writing, the kernel accepts only +.BR 802.1Q " or " 802.1ad . +.TP +.BI priority " VLANPRIO" +Choose the VLAN priority to use. Decimal number in range of 0-7. +.TP +.I CONTROL +How to continue after executing this action. +.RS +.TP +.B reclassify +Restarts classification by jumping back to the first filter attached to this +action's parent. +.TP +.B pipe +Continue with the next action, this is the default. +.TP +.B drop +Packet will be dropped without running further actions. +.TP +.B continue +Continue classification with next filter in line. +.TP +.B pass +Return to calling qdisc for packet processing. This ends the classification +process. +.RE +.SH EXAMPLES +The following example encapsulates incoming ICMP packets on eth0 from 10.0.0.2 +into VLAN ID 123: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev eth0 parent ffff: pref 11 protocol ip \\ + u32 match ip protocol 1 0xff flowid 1:1 \\ + u32 match ip src 10.0.0.2 flowid 1:1 \\ + action vlan push id 123 +.EE +.RE + +Here is an example of the +.B pop +function: Incoming VLAN packets on eth0 are decapsulated and the classification +process then restarted for the plain packet: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev $ETH parent ffff: pref 1 protocol 802.1Q \\ + u32 match u32 0 0 flowid 1:1 \\ + action vlan pop reclassify +.EE +.RE + +.SH SEE ALSO +.BR tc (8) diff --git a/man/man8/tc-xt.8 b/man/man8/tc-xt.8 new file mode 100644 index 00000000..4fd800cf --- /dev/null +++ b/man/man8/tc-xt.8 @@ -0,0 +1,42 @@ +.TH "iptables action in tc" 8 "3 Mar 2016" "iproute2" "Linux" + +.SH NAME +xt - tc iptables action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action xt \-j" +.IR TARGET " [ " TARGET_OPTS " ]" +.SH DESCRIPTION +The +.B xt +action allows to call arbitrary iptables targets for packets matching the filter +this action is attached to. +.SH OPTIONS +.TP +.BI -j " TARGET \fR[\fI TARGET_OPTS \fR]" +Perform a jump to the given iptables target, optionally passing any target +specific options in +.IR TARGET_OPTS . +.SH EXAMPLES +The following will attach a +.B u32 +filter to the +.B ingress +qdisc matching ICMP replies and using the +.B xt +action to make the kernel yell 'PONG' each time: + +.RS +.EX +tc qdisc add dev eth0 ingress +tc filter add dev eth0 parent ffff: proto ip u32 \\ + match ip protocol 1 0xff \\ + match ip icmp_type 0 0xff \\ + action xt -j LOG --log-prefix PONG +.EE +.RE +.SH SEE ALSO +.BR tc (8), +.BR tc-u32 (8), +.BR iptables-extensions (8) diff --git a/man/man8/tc.8 b/man/man8/tc.8 index 4e99dcad..f96911ae 100644 --- a/man/man8/tc.8 +++ b/man/man8/tc.8 @@ -5,58 +5,59 @@ tc \- show / manipulate traffic control settings .B tc .RI "[ " OPTIONS " ]" .B qdisc [ add | change | replace | link | delete ] dev -DEV +\fIDEV\fR .B [ parent -qdisc-id +\fIqdisc-id\fR .B | root ] .B [ handle -qdisc-id ] qdisc +\fIqdisc-id\fR ] qdisc [ qdisc specific parameters ] .P .B tc .RI "[ " OPTIONS " ]" .B class [ add | change | replace | delete ] dev -DEV +\fIDEV\fR .B parent -qdisc-id +\fIqdisc-id\fR .B [ classid -class-id ] qdisc +\fIclass-id\fR ] qdisc [ qdisc specific parameters ] .P .B tc .RI "[ " OPTIONS " ]" -.B filter [ add | change | replace | delete ] dev -DEV +.B filter [ add | change | replace | delete | get ] dev +\fIDEV\fR .B [ parent -qdisc-id -.B | root ] protocol -protocol +\fIqdisc-id\fR +.B | root ] [ handle \fIfilter-id\fR ] +.B protocol +\fIprotocol\fR .B prio -priority filtertype +\fIpriority\fR filtertype [ filtertype specific parameters ] .B flowid -flow-id +\fIflow-id\fR .B tc .RI "[ " OPTIONS " ]" .RI "[ " FORMAT " ]" .B qdisc show [ dev -DEV +\fIDEV\fR .B ] .P .B tc .RI "[ " OPTIONS " ]" .RI "[ " FORMAT " ]" .B class show dev -DEV +\fIDEV\fR .P .B tc .RI "[ " OPTIONS " ]" .B filter show dev -DEV +\fIDEV\fR .P .ti 8 @@ -187,6 +188,11 @@ u32 Generic filtering on arbitrary packet data, assisted by syntax to abstract common operations. See .BR tc-u32 (8) for details. +.TP +matchall +Traffic control filter that matches every packet. See +.BR tc-matchall (8) +for details. .SH CLASSLESS QDISCS The classless qdiscs are: @@ -289,14 +295,14 @@ In the absence of classful qdiscs, classless qdiscs can only be attached at the root of a device. Full syntax: .P .B tc qdisc add dev -DEV +\fIDEV\fR .B root QDISC QDISC-PARAMETERS To remove, issue .P .B tc qdisc del dev -DEV +\fIDEV\fR .B root The @@ -381,7 +387,7 @@ Type of Service Some qdiscs have built in rules for classifying packets based on the TOS field. .TP skb->priority -Userspace programs can encode a class-id in the 'skb->priority' field using +Userspace programs can encode a \fIclass-id\fR in the 'skb->priority' field using the SO_PRIORITY option. .P Each node within the tree can have its own filters but higher level filters @@ -549,7 +555,7 @@ must be passed, either by passing its ID or by attaching directly to the root of When creating a qdisc or a filter, it can be named with the .B handle parameter. A class is named with the -.B classid +.B \fBclassid\fR parameter. .TP @@ -571,6 +577,15 @@ Performs a nearly atomic remove/add on an existing node id. If the node does not it is created. .TP +get +Displays a single filter given the interface \fIDEV\fR, \fIqdisc-id\fR, +\fIpriority\fR, \fIprotocol\fR and \fIfilter-id\fR. + +.TP +show +Displays all filters attached to the given interface. A valid parent ID must be passed. + +.TP link Only available for qdiscs and performs a replace where the node must exist already. diff --git a/man/man8/tipc-bearer.8 b/man/man8/tipc-bearer.8 index 565ee01d..d95b1e1c 100644 --- a/man/man8/tipc-bearer.8 +++ b/man/man8/tipc-bearer.8 @@ -11,6 +11,11 @@ tipc-bearer \- show or modify TIPC bearers .in +8 .ti -8 +.B tipc bearer add media udp name +.IB "NAME " "remoteip " REMOTEIP +.br + +.ti -8 .B tipc bearer enable .RB "[ " domain .IR DOMAIN " ]" @@ -39,14 +44,12 @@ tipc-bearer \- show or modify TIPC bearers .B tipc bearer disable media .br .RB "{ { " eth " | " ib " } " device -.IR DEVICE +.IR "DEVICE " } .RB "|" .br .RB "{ " udp .B name -.IR NAME -.B localip -.IR LOCALIP " } }" +.IR NAME " }" .br .ti -8 @@ -65,14 +68,12 @@ tipc-bearer \- show or modify TIPC bearers .br .RB "{ " udp .B name -.IR NAME -.B localip -.IR LOCALIP " } }" +.IR NAME " }" .br .ti -8 .B tipc bearer get -.RB "{ " "priority" " | " tolerance " | " window " } " media +.RB "[ " "priority" " | " tolerance " | " window " ] " media .br .RB "{ { " eth " | " ib " } " device .IR "DEVICE" " }" @@ -81,8 +82,7 @@ tipc-bearer \- show or modify TIPC bearers .RB "{ " udp .B name .IR NAME -.B localip -.IR LOCALIP " } }" +.RB "[ " "localip " "| " "localport " "| " "remoteip " "| " "remoteport " "] }" .br .ti -8 @@ -202,6 +202,25 @@ IP is specified the .B udp bearer runs in point-to-point mode. +Multiple +.B remoteip +addresses can be added via the +.B bearer add +command. Adding one or more unicast +.B remoteip +addresses to an existing +.B udp +bearer puts the bearer in replicast mode where IP +multicast is emulated by sending multiple unicast messages to each configured +.B remoteip. +When a peer sees a TIPC discovery message from an unknown peer the peer address +is automatically added to the +.B remoteip +(replicast) list, thus only one side of +a link needs to be manually configured. A +.B remoteip +address cannot be added to a multicast bearer. + .TP .BI "remoteport " REMOTEPORT .br diff --git a/man/man8/tipc-link.8 b/man/man8/tipc-link.8 index 2ee03a0b..fee283e5 100644 --- a/man/man8/tipc-link.8 +++ b/man/man8/tipc-link.8 @@ -39,6 +39,29 @@ tipc-link \- show links or modify link properties .B tipc link list .br +.ti -8 +.B tipc link monitor set +.RB "{ " "threshold" " } " + +.ti -8 +.B tipc link monitor get +.RB "{ " "threshold" " } " + +.ti -8 +.B tipc link monitor summary +.br + +.ti -8 +.B tipc link monitor list +.br +.RB "[ " "media " " { " eth " | " ib " } " device +.IR "DEVICE" " ]" +.RB "|" +.br +.RB "[ " "media udp name" +.IR NAME " ]" +.br + .SH OPTIONS Options (flags) that can be passed anywhere in the command chain. .TP @@ -204,6 +227,87 @@ The link window controls how many unacknowledged messages a link endpoint can have in its transmit queue before TIPC's congestion control mechanism is activated. +.SS Monitor properties + +.TP +.B threshold +.br +The threshold specifies the cluster size exceeding which the link monitoring +algorithm will switch from "full-mesh" to "overlapping-ring". +If set of 0 the overlapping-ring monitoring is always on and if set to a +value larger than anticipated cluster size the overlapping-ring is disabled. +The default value is 32. + +.SS Monitor information + +.TP +.B table_generation +.br +Represents the event count in a node's local monitoring list. It steps every +time something changes in the local monitor list, including changes in the +local domain. + +.TP +.B cluster_size +.br +Represents the current count of cluster members. + +.TP +.B algorithm +.br +The current supervision algorithm used for neighbour monitoring for the bearer. +Possible values are full-mesh or overlapping-ring. + +.TP +.B status +.br +The node status derived by the local node. +Possible status are up or down. + +.TP +.B monitored +.br +Represent the type of monitoring chosen by the local node. +Possible values are direct or indirect. + +.TP +.B generation +.br +Represents the domain generation which is the event count in a node's local +domain. Every time something changes (peer add/remove/up/down) the domain +generation is stepped and a new version of node record is sent to inform +the neighbors about this change. The domain generation helps the receiver +of a domain record to know if it should ignore or process the record. + +.TP +.B applied_node_status +.br +The node status reported by the peer node for the succeeding peers in +the node list. The Node list is a circular list of ascending addresses +starting with the local node. +Possible status are: U or D. The status U implies up and D down. + +.TP +.B [non_applied_node:status] +.br +Represents the nodes and their status as reported by the peer node. +These nodes were not applied to the monitoring list for this peer node. +They are usually transient and occur during the cluster startup phase +or network reconfiguration. +Possible status are: U or D. The status U implies up and D down. + +.SH EXAMPLES +.PP +tipc link monitor list +.RS 4 +Shows the link monitoring information for cluster members on device data0. +.RE +.PP +tipc link monitor summary +.RS 4 +The monitor summary command prints the basic attributes. +.RE + .SH EXIT STATUS Exit status is 0 if command was successful or a positive integer upon failure. |