[PATCHv7 0/5 + 3] Interface group patches

[PATCHv7 0/5 + 3] Interface group patches

[Laszlo Attila Toth]

Hello,

This is the 7th version of our interface group patches.

The interface group value can be used to manage different interfaces
at the same time such as in netfilter/iptables. 

As earlier discussed, it can be used for advanced routing, tc command
and so on [1].

An u_int32_t member was added to net devices indicating the interface
group number of the device which can be get/set via netlink.

The xt_ifgroup netfilter match is for checking this value with an
optional mask.

Changes:
  -  The first patch of the previous version splitted into 2 separate
  patches.

  - The ip command now let values larger than 0xff be set, octal, decimal
  and hexadecimal values are valid and in the range of 0x00-0xff any
  name can be used (from /etc/iproute2/rt_ifgroup).

  - added sysfs support to read/write the ifgroup value


Other patches are for userpace programs:
 * iptables

 * iproute2. Because kernel 2.6.24-rc1 introduced a new enum value,
   IFLA_NET_NS_PID, and it wasn't in the iproute2 code, the first
   patch simply adds this value. The second patch adds support of
   interface group.

Usage:
 ip link set eth0 group 684    # set
 ip link set eth0 group 0      # unset
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4  ! --ifgroup-out 5 -j DROP

Patches:
 [1/5] Remove unnecessary locks from rtnetlink (in do_setlink)
 [2/5] rtnetlink: send a single notification on device state changes
 [3/5] Interface group: core (netlink) part
 [4/5] Ifgroup read/write support in sysfs
 [5/5] Netfilter Interface group match
 [iptables]Interface group match
 [iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute2 2/2] Interface group as new ip link option



Rererences:
 [1] http://marc.info/?l=linux-netdev&m=119556459514598&w=2
--
Laszlo Attila Toth

Re: [PATCHv7 0/5 + 3] Interface group patches

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Hello,
> 
> This is the 7th version of our interface group patches.


> Patches:
>  [1/5] Remove unnecessary locks from rtnetlink (in do_setlink)
>  [2/5] rtnetlink: send a single notification on device state changes
>  [3/5] Interface group: core (netlink) part
>  [4/5] Ifgroup read/write support in sysfs

I vote for these to go in, they're ready and there's no use in
reposting them again and again.

>  [5/5] Netfilter Interface group match

Then I'd queue this one and fix it up on top of my current tree

>  [iptables]Interface group match

This one I would queue until we have released the 1.4.0 version
of iptables. I don't want to release things that are not in
at least a -rc kernel yet.

>  [iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
>  [iproute2 2/2] Interface group as new ip link option

And for these Stephen has to decide, but both look fine to me.

Re: [PATCHv7 0/5 + 3] Interface group patches

[Laszlo Attila Toth]

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> Hello,
>>
>> This is the 7th version of our interface group patches.
> 
> 
>> Patches:
>>  [1/5] Remove unnecessary locks from rtnetlink (in do_setlink)
>>  [2/5] rtnetlink: send a single notification on device state changes
>>  [3/5] Interface group: core (netlink) part
>>  [4/5] Ifgroup read/write support in sysfs
> 
> I vote for these to go in, they're ready and there's no use in
> reposting them again and again.

I see, sorry.

In fact, I didn't missed it. But you said the removing of the locks in 
the rtnl needs a separate patch. This is why I resent _all_.


>>  [iptables]Interface group match
> 
> This one I would queue until we have released the 1.4.0 version
> of iptables. I don't want to release things that are not in
> at least a -rc kernel yet.

Later I'll resend it in two patches, one for extending iptables with 
hash tables and one for the ifgroup match.

> 
>>  [iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
>>  [iproute2 2/2] Interface group as new ip link option
> 
> And for these Stephen has to decide, but both look fine to me.
> 
> 


-- 
Attila

[PATCHv7 1/5] Remove unnecessary locks from rtnetlink (in do_setlink)

[Laszlo Attila Toth]

The do_setlink function is protected by rtnl, additional locks are unnecessary,
and the set_operstate() function is called from protected parts. Locks removed
from both functions.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 net/core/rtnetlink.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..f95c6c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -562,9 +562,7 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
 	}
 
 	if (dev->operstate != operstate) {
-		write_lock_bh(&dev_base_lock);
 		dev->operstate = operstate;
-		write_unlock_bh(&dev_base_lock);
 		netdev_state_change(dev);
 	}
 }
@@ -879,9 +877,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
 	if (tb[IFLA_LINKMODE]) {
-		write_lock_bh(&dev_base_lock);
 		dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-		write_unlock_bh(&dev_base_lock);
 	}
 
 	err = 0;

Re: [PATCHv7 1/5] Remove unnecessary locks from rtnetlink (in do_setlink)

[Jarek Poplawski]

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:

> The do_setlink function is protected by rtnl, additional locks are unnecessary,
> and the set_operstate() function is called from protected parts. Locks removed
> from both functions.

It doesn't look like in accordance with a comment to dev_base_lock in dev.c.
And it makes eg. rfc2863_policy() locking from link_watch.c looking strange.
Isn't there needed some additional comment to this?

Regards,
Jarek P.

Re: [PATCHv7 1/5] Remove unnecessary locks from rtnetlink (in do_setlink)

[Laszlo Attila Toth]

Jarek Poplawski írta:
> Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:
> 
>> The do_setlink function is protected by rtnl, additional locks are unnecessary,
>> and the set_operstate() function is called from protected parts. Locks removed
>> from both functions.
> 
> It doesn't look like in accordance with a comment to dev_base_lock in dev.c.
> And it makes eg. rfc2863_policy() locking from link_watch.c looking strange.
> Isn't there needed some additional comment to this?

I modified do_setlink(), but set_operstate() is also called from
rtnl_create_link() and from no other places.  In rtnl_create_link() none 
of the changes is protected by set_lock_bh() except inside 
set_operstate(), different locking scheme is not necessary for the 
operstate.

Also two solution can be made, one is locking everything and one is 
locking nothing (to unify the changes made by these parts). The second 
one is better if it is protected.

I tried to figure out how it is protected but I couldn't. But Patrick 
said it is protected by rtnl. And he suggested this patch.


Attila

[PATCHv7 1/5][RESEND] Remove unnecessary locks from rtnetlink

[Laszlo Attila Toth]

The do_setlink() function is protected by rtnl, additional locks are unnecessary.
and the set_operstate() function is called from protected parts. Locks removed
from both functions.

The set_operstate() is also called from rtnl_create_link() and from no other places.
In rtnl_create_link() none of the changes is protected by set_lock_bh() except
inside set_operstate(), different locking scheme is not necessary
for the operstate.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 net/core/rtnetlink.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..f95c6c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -562,9 +562,7 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
 	}
 
 	if (dev->operstate != operstate) {
-		write_lock_bh(&dev_base_lock);
 		dev->operstate = operstate;
-		write_unlock_bh(&dev_base_lock);
 		netdev_state_change(dev);
 	}
 }
@@ -879,9 +877,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
 	if (tb[IFLA_LINKMODE]) {
-		write_lock_bh(&dev_base_lock);
 		dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-		write_unlock_bh(&dev_base_lock);
 	}
 
 	err = 0;

[PATCHv7 2/5] rtnetlink: send a single notification on device state changes

[Laszlo Attila Toth]

In do_setlink() a single ntification is sent at the end of the function
if any modification occured. If the address has been changed, another
notification is sent.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 net/core/rtnetlink.c |   27 ++++++++++++++++++++-------
 1 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f95c6c5..6be8608 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
 	unsigned char operstate = dev->operstate;
 
@@ -563,8 +563,9 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
 
 	if (dev->operstate != operstate) {
 		dev->operstate = operstate;
-		netdev_state_change(dev);
-	}
+		return 1;
+	} else
+		return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
@@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 	if (tb[IFLA_BROADCAST]) {
 		nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
 		send_addr_notify = 1;
+		modified = 1;
 	}
 
 	if (ifm->ifi_flags || ifm->ifi_change) {
@@ -870,14 +872,21 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		dev_change_flags(dev, flags);
 	}
 
-	if (tb[IFLA_TXQLEN])
-		dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+	if (tb[IFLA_TXQLEN]) {
+		if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+			dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+			modified = 1;
+		}
+	}
 
 	if (tb[IFLA_OPERSTATE])
-		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+		modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
 	if (tb[IFLA_LINKMODE]) {
-		dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+		if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+			dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+			modified = 1;
+		} 
 	}
 
 	err = 0;
@@ -891,6 +900,10 @@ errout:
 
 	if (send_addr_notify)
 		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+	if (modified)
+		netdev_state_change(dev);
+
 	return err;
 }
 

Re: [PATCHv7 2/5] rtnetlink: send a single notification on device state changes

[Jarek Poplawski]

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:

> In do_setlink() a single ntification is sent at the end of the function
> if any modification occured. If the address has been changed, another
> notification is sent.


...

> @@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
>  	if (tb[IFLA_BROADCAST]) {
>  		nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
>  		send_addr_notify = 1;
> +		modified = 1;
>  	}

...

>  	if (send_addr_notify)
>  		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
> +
> +	if (modified)
> +		netdev_state_change(dev);
> +

The subject suggests there might be less notifications. The patch actually
adds a little. Any additional comment why they are necessary?

Jarek P.

Re: [PATCHv7 2/5] rtnetlink: send a single notification on device state changes

[Laszlo Attila Toth]

Jarek Poplawski írta:
> Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:
> 
>> In do_setlink() a single ntification is sent at the end of the function
>> if any modification occured. If the address has been changed, another
>> notification is sent.
> 
> 
> ...
> 
>> @@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
>>  	if (tb[IFLA_BROADCAST]) {
>>  		nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
>>  		send_addr_notify = 1;
>> +		modified = 1;
>>  	}
> 
> ..
> 
>>  	if (send_addr_notify)
>>  		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
>> +
>> +	if (modified)
>> +		netdev_state_change(dev);
>> +
> 
> The subject suggests there might be less notifications. The patch actually
> adds a little. Any additional comment why they are necessary?

The actual state of a device contains its address(es), also address 
change implies state change, but these are different netlink messages 
also the NETDEV_CHANGEADDR cannot be dropped because the other one is used.

Attila

Re: [PATCHv7 2/5] rtnetlink: send a single notification on device state changes

[Jarek Poplawski]

On 03-12-2007 12:40, Laszlo Attila Toth wrote:
> Jarek Poplawski írta:
>> Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:
>>
>>> In do_setlink() a single ntification is sent at the end of the function
>>> if any modification occured. If the address has been changed, another
>>> notification is sent.
>>
>>
>> ...
>>
>>> @@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, 
>>> struct ifinfomsg *ifm,
>>>      if (tb[IFLA_BROADCAST]) {
>>>          nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
>>>          send_addr_notify = 1;
>>> +        modified = 1;
>>>      }
>>
>> ..
>>
>>>      if (send_addr_notify)
>>>          call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
>>> +
>>> +    if (modified)
>>> +        netdev_state_change(dev);
>>> +
>>
>> The subject suggests there might be less notifications. The patch 
>> actually
>> adds a little. Any additional comment why they are necessary?
> 
> The actual state of a device contains its address(es), also address 
> change implies state change, but these are different netlink messages 
> also the NETDEV_CHANGEADDR cannot be dropped because the other one is used.

OK. But, since until this patch it seemed to be enough, it would be
nice to know from the changelog why exactly it's nececessary to add
this now, because it doesn't look like it was omitted here by mistake.
(Or to say that it was omitted by mistake.)

Regards,
Jarek P.

[PATCHv7 2/5][RESEND] rtnetlink: send a single notification on device state changes

[Laszlo Attila Toth]

In do_setlink() a single notification is sent at the end of the function
if any modification occured. If the address has been changed, another
notification is sent.

Both of them is required because originally only the NETDEV_CHANGEADDR notification
was sent and although device state change implies address change, some programs may
expect the original notification. It remains for compatibity.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 net/core/rtnetlink.c |   27 ++++++++++++++++++++-------
 1 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f95c6c5..6be8608 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
 	unsigned char operstate = dev->operstate;
 
@@ -563,8 +563,9 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
 
 	if (dev->operstate != operstate) {
 		dev->operstate = operstate;
-		netdev_state_change(dev);
-	}
+		return 1;
+	} else
+		return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
@@ -858,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 	if (tb[IFLA_BROADCAST]) {
 		nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
 		send_addr_notify = 1;
+		modified = 1;
 	}
 
 	if (ifm->ifi_flags || ifm->ifi_change) {
@@ -870,14 +872,21 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		dev_change_flags(dev, flags);
 	}
 
-	if (tb[IFLA_TXQLEN])
-		dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+	if (tb[IFLA_TXQLEN]) {
+		if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+			dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+			modified = 1;
+		}
+	}
 
 	if (tb[IFLA_OPERSTATE])
-		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+		modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
 
 	if (tb[IFLA_LINKMODE]) {
-		dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+		if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+			dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+			modified = 1;
+		} 
 	}
 
 	err = 0;
@@ -891,6 +900,10 @@ errout:
 
 	if (send_addr_notify)
 		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+
+	if (modified)
+		netdev_state_change(dev);
+
 	return err;
 }
 

[PATCHv7 3/5] Interface group: core (netlink) part

[Laszlo Attila Toth]

Interface groups let handle different interfaces together.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 include/linux/if_link.h   |    2 ++
 include/linux/netdevice.h |    2 ++
 net/core/rtnetlink.c      |   11 +++++++++++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
 	IFLA_NET_NS_PID,
+	IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
 	__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 1e6af4f..b1bdcb2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
 	/* Interface index. Unique device identifier	*/
 	int			ifindex;
 	int			iflink;
+	/* interface group this interface belongs to */
+	u_int32_t		ifgroup;
 
 
 	struct net_device_stats* (*get_stats)(struct net_device *dev);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6be8608..61c7367 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -614,6 +614,7 @@ static inline size_t if_nlmsg_size(const struct net_device *dev)
 	       + nla_total_size(4) /* IFLA_MTU */
 	       + nla_total_size(4) /* IFLA_LINK */
 	       + nla_total_size(4) /* IFLA_MASTER */
+	       + nla_total_size(4) /* IFLA_IFGROUP */
 	       + nla_total_size(1) /* IFLA_OPERSTATE */
 	       + nla_total_size(1) /* IFLA_LINKMODE */
 	       + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -651,6 +652,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 	if (dev->master)
 		NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+	if (dev->ifgroup)
+		NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
 	if (dev->qdisc_sleeping)
 		NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
@@ -889,6 +893,13 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		} 
 	}
 
+	if (tb[IFLA_IFGROUP]) {
+		if (dev->ifgroup != nla_get_u32(tb[IFLA_IFGROUP])) {
+			dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+			modified = 1;
+		}
+	}
+
 	err = 0;
 
 errout:

[PATCHv7 4/5] Ifgroup read/write support in sysfs

[Laszlo Attila Toth]

The ifgroup member of each net device can be read and changed in sysfs.

Author: Lutz Jaenicke <ljaenicke@innominate.com>
---

 net/core/net-sysfs.c |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 61ead1d..5bd6d35 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -219,6 +219,20 @@ static ssize_t store_tx_queue_len(struct device *dev,
 	return netdev_store(dev, attr, buf, len, change_tx_queue_len);
 }
 
+NETDEVICE_SHOW(ifgroup, fmt_hex);
+
+static int change_ifgroup(struct net_device *net, unsigned long new_ifgroup)
+{
+	net->ifgroup = new_ifgroup;
+	return 0;
+}
+
+static ssize_t store_ifgroup(struct device *dev, struct device_attribute *attr,
+			   const char *buf, size_t len)
+{
+	return netdev_store(dev, attr, buf, len, change_ifgroup);
+}
+
 static struct device_attribute net_class_attributes[] = {
 	__ATTR(addr_len, S_IRUGO, show_addr_len, NULL),
 	__ATTR(iflink, S_IRUGO, show_iflink, NULL),
@@ -235,6 +249,7 @@ static struct device_attribute net_class_attributes[] = {
 	__ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags),
 	__ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len,
 	       store_tx_queue_len),
+	__ATTR(ifgroup, S_IRUGO | S_IWUSR, show_ifgroup, store_ifgroup),
 	{}
 };
 

[PATCHv7 5/5] Netfilter Interface group match

[Laszlo Attila Toth]

Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---

 include/linux/netfilter/xt_ifgroup.h |   17 +++++
 net/netfilter/Kconfig                |   10 +++
 net/netfilter/Makefile               |    1 
 net/netfilter/xt_ifgroup.c           |  120 ++++++++++++++++++++++++++++++++++
 4 files changed, 148 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 0000000..3aa4d61
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN	0x01
+#define XT_IFGROUP_INVERT_OUT	0x02
+#define XT_IFGROUP_MATCH_IN	0x04
+#define XT_IFGROUP_MATCH_OUT	0x08
+
+struct xt_ifgroup_info {
+	u_int32_t in_group;
+	u_int32_t in_mask;
+	u_int32_t out_group;
+	u_int32_t out_mask;
+	u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21a9fcc..07ee4a7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -508,6 +508,16 @@ config NETFILTER_XT_MATCH_HELPER
 
 	  To compile it as a module, choose M here.  If unsure, say Y.
 
+config NETFILTER_XT_MATCH_IFGROUP
+	tristate '"ifgroup" interface group match support'
+	depends on NETFILTER_XTABLES
+	help
+	  Interface group matching allows you to match a packet by
+	  its incoming interface "group", settable using ip link set
+	  group
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_LENGTH
 	tristate '"length" match support'
 	depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ad0e36e..5107c86 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,6 +61,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 0000000..712ee54
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,120 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <bazsi@balabit.hu>,
+ *   Laszlo Attila Toth <panther@balabit.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/xt_ifgroup.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <panther@balabit.hu>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+		 const struct xt_ifgroup_info *info)
+{
+	return ((in->ifgroup & info->in_mask) == info->in_group) ^
+		((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+		 const struct xt_ifgroup_info *info)
+{
+	return ((out->ifgroup & info->out_mask) == info->out_group) ^
+		((info->flags & XT_IFGROUP_INVERT_OUT) == XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+	     const struct net_device *in,
+	     const struct net_device *out,
+	     const struct xt_match *match,
+	     const void *matchinfo,
+	     int offset,
+	     unsigned int protoff,
+	     bool *hotdrop)
+{
+	const struct xt_ifgroup_info *info = matchinfo;
+	
+	if (info->flags & XT_IFGROUP_MATCH_IN && !ifgroup_match_in(in, info))
+		return false;
+	if (info->flags & XT_IFGROUP_MATCH_OUT && !ifgroup_match_out(out, info))
+		return false;
+	
+	return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+			       const struct xt_match *match,
+			       void *matchinfo, unsigned int hook_mask)
+{
+	struct xt_ifgroup_info *info = matchinfo;
+
+	if (!(info->flags & (XT_IFGROUP_MATCH_IN|XT_IFGROUP_MATCH_OUT))) {
+		printk(KERN_ERR "xt_ifgroup: neither incoming nor "
+				"outgoing device selected\n");
+		return false;
+	}
+	if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN)
+	    && info->flags & XT_IFGROUP_MATCH_OUT) {
+		printk(KERN_ERR "xt_ifgroup: output device not valid in "
+				"PRE_ROUTING and INPUT\n");
+		return false;
+	}
+	if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT)
+	    && info->flags & XT_IFGROUP_MATCH_IN) {
+		printk(KERN_ERR "xt_ifgroup: input device not valid in "
+				"POST_ROUTING and OUTPUT\n");
+		return false;
+	}
+	return true;
+}
+
+static struct xt_match xt_ifgroup_match[] __read_mostly  = {
+	{
+		.name		= "ifgroup",
+		.match		= ifgroup_match,
+		.checkentry	= ifgroup_checkentry,
+		.matchsize	= sizeof(struct xt_ifgroup_info),
+		.family		= AF_INET,
+		.me		= THIS_MODULE,
+	
+	},
+	{
+		.name		= "ifgroup",
+		.match		= ifgroup_match,
+		.checkentry	= ifgroup_checkentry,
+		.matchsize	= sizeof(struct xt_ifgroup_info),
+		.family		= AF_INET6,
+		.me		= THIS_MODULE,
+	},
+};
+
+static int __init xt_ifgroup_init(void)
+{
+	return xt_register_matches(xt_ifgroup_match,
+			ARRAY_SIZE(xt_ifgroup_match));
+}
+
+static void __exit xt_ifgroup_fini(void)
+{
+	xt_unregister_matches(xt_ifgroup_match,
+			ARRAY_SIZE(xt_ifgroup_match));
+}
+
+module_init(xt_ifgroup_init);
+module_exit(xt_ifgroup_fini);

[PATCHv7 iptables] Interface group match

[Laszlo Attila Toth]

Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 extensions/Makefile                  |    2 
 extensions/libxt_ifgroup.c           |  201 +++++++++++++++++++++++++++++++++++
 extensions/libxt_ifgroup.man         |   36 ++++++
 include/linux/netfilter/xt_ifgroup.h |   17 ++
 4 files changed, 255 insertions(+), 1 deletion(-)

Index: include/linux/netfilter/xt_ifgroup.h
===================================================================
--- include/linux/netfilter/xt_ifgroup.h	(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h	(revision 0)
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN	0x01
+#define XT_IFGROUP_INVERT_OUT	0x02
+#define XT_IFGROUP_MATCH_IN	0x04
+#define XT_IFGROUP_MATCH_OUT	0x08
+
+struct xt_ifgroup_info {
+	u_int32_t in_group;
+	u_int32_t in_mask;
+	u_int32_t out_group;
+	u_int32_t out_mask;
+	u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
Index: extensions/libxt_ifgroup.c
===================================================================
--- extensions/libxt_ifgroup.c	(revision 0)
+++ extensions/libxt_ifgroup.c	(revision 0)
@@ -0,0 +1,201 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <bazsi@balabit.hu>,
+ * Laszlo Attila Toth <panther@balabit.hu>
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_ifgroup.h>
+
+static void
+ifgroup_help(void)
+{
+	printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{"ifgroup-in", 1, NULL, '1'},
+	{"ifgroup-out", 1, NULL, '2'},
+	{ }
+};
+
+#define PARAM_MATCH_IN	0x01
+#define PARAM_MATCH_OUT	0x02
+
+
+#define IFGROUP_DEFAULT_MASK 0xffffffffU
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+	      const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ifgroup_info *info =
+			 (struct xt_ifgroup_info *) (*match)->data;
+	char *end;
+
+	switch (c) {
+	case '1':
+		if (*flags & PARAM_MATCH_IN)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Can't specify --ifgroup-in twice");
+
+		check_inverse(optarg, &invert, &optind, 0);
+
+		info->in_group = strtoul(optarg, &end, 0);
+		info->in_mask = IFGROUP_DEFAULT_MASK;
+
+		if (*end == '/')
+			info->in_mask = strtoul(end+1, &end, 0);
+
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				  "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+		if (invert)
+			info->flags |= XT_IFGROUP_INVERT_IN;
+
+		*flags |= PARAM_MATCH_IN;
+		info->flags |= XT_IFGROUP_MATCH_IN;
+		break;
+
+	case '2':
+		if (*flags & PARAM_MATCH_OUT)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Can't specify --ifgroup-out twice");
+
+		check_inverse(optarg, &invert, &optind, 0);
+
+		info->out_group = strtoul(optarg, &end, 0);
+		info->out_mask = IFGROUP_DEFAULT_MASK;
+
+		if (*end == '/')
+			info->out_mask = strtoul(end+1, &end, 0);
+
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+		if (invert)
+			info->flags |= XT_IFGROUP_INVERT_OUT;
+
+		*flags |= PARAM_MATCH_OUT;
+		info->flags |= XT_IFGROUP_MATCH_OUT;
+		break;
+
+	default: 
+		return 0;
+	}
+
+	return 1;
+}
+
+static void
+ifgroup_final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+		    "You must specify either "
+		    "`--ifgroup-in' or `--ifgroup-out'");
+}
+
+static void
+ifgroup_print_value_in(struct xt_ifgroup_info *info)
+{
+	printf("0x%x", info->in_group);
+	if (info->in_mask != IFGROUP_DEFAULT_MASK)
+		printf("/0x%x", info->in_mask);
+	printf(" ");
+}
+
+static void
+ifgroup_print_value_out(struct xt_ifgroup_info *info)
+{
+	printf("0x%x", info->out_group);
+	if (info->out_mask != IFGROUP_DEFAULT_MASK)
+		printf("/0x%x", info->out_mask);
+	printf(" ");
+}
+
+static void
+ifgroup_print(const void *ip,
+	      const struct xt_entry_match *match,
+	      int numeric)
+{
+	struct xt_ifgroup_info *info =
+		(struct xt_ifgroup_info *) match->data;
+
+	printf("ifgroup ");
+
+	if (info->flags & XT_IFGROUP_MATCH_IN) {
+		printf("in %s",
+		       info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
+		ifgroup_print_value_in(info);
+	}
+	if (info->flags & XT_IFGROUP_MATCH_OUT) {
+		printf("out %s",
+		       info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
+		ifgroup_print_value_out(info);
+	}
+}
+
+static void
+ifgroup_save(const void *ip, const struct xt_entry_match *match)
+{
+	struct xt_ifgroup_info *info =
+		(struct xt_ifgroup_info *) match->data;
+
+	if (info->flags & XT_IFGROUP_MATCH_IN) {
+		printf("%s--ifgroup-in ",
+		       info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
+		ifgroup_print_value_in(info);
+	}
+	if (info->flags & XT_IFGROUP_MATCH_OUT) {
+		printf("%s--ifgroup-out ",
+		       info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
+		ifgroup_print_value_out(info);
+	}
+}
+
+static struct xtables_match ifgroup_match = {
+	.family		= AF_INET,
+	.name		= "ifgroup",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.help		= ifgroup_help,
+	.parse		= ifgroup_parse,
+	.final_check	= ifgroup_final_check,
+	.print		= ifgroup_print,
+	.save		= ifgroup_save,
+	.extra_opts	= opts
+};
+
+static struct xtables_match ifgroup_match6 = {
+	.family		= AF_INET6,
+	.name		= "ifgroup",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.help		= ifgroup_help,
+	.parse		= ifgroup_parse,
+	.final_check	= ifgroup_final_check,
+	.print		= ifgroup_print,
+	.save		= ifgroup_save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	xtables_register_match(&ifgroup_match);
+	xtables_register_match(&ifgroup_match6);
+}
Index: extensions/Makefile
===================================================================
--- extensions/Makefile	(revision 7090)
+++ extensions/Makefile	(working copy)
@@ -7,7 +7,7 @@
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper ifgroup length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
Index: extensions/libxt_ifgroup.man
===================================================================
--- extensions/libxt_ifgroup.man	(revision 0)
+++ extensions/libxt_ifgroup.man	(revision 0)
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--ifgroup-in"
+or
+.B "--ifgroup-in"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--ifgroup-in"
+or
+.B "--ifgroup-out"
+parameter to match. This match is available in all tables.
+.TP
+.BR "[!] --ifgroup-in \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "[!] --ifgroup-out \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+

Re: [PATCHv7 iptables] Interface group match

[Jarek Poplawski]

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:
...

> Index: extensions/libxt_ifgroup.man
> ===================================================================
> --- extensions/libxt_ifgroup.man	(revision 0)
> +++ extensions/libxt_ifgroup.man	(revision 0)
> @@ -0,0 +1,36 @@
> +Maches packets on an interface if it is in the same interface group


  +Matches packets on an interface if it is in the same interface group

> +as specified by the
> +.B "--ifgroup-in"
> +or
> +.B "--ifgroup-in"


  +.B "--ifgroup-out"

> +parameter. If a mask is also specified, the masked value of
> +the inteface's group must be equal to the given value of the


  +the interface's group must be equal to the given value of the

> +.B "--ifgroup-in"
> +or
> +.B "--ifgroup-out"
> +parameter to match. This match is available in all tables.
> +.TP
> +.BR "[!] --ifgroup-in \fIgroup[/mask]\fR"
> +This specifies the interface group of input interface and the optional mask.
> +Valid only in the in the


  +Valid only in the

> +.B PREROUTING
> +and
> +.B INPUT
> +and
> +.B FORWARD
> +chains, and user-defined chains which are only called from those
> +chains. 
> +.TP
> +.BR "[!] --ifgroup-out \fIgroup[/mask]\fR"
> +This specifies the interface group of out interface and the optional mask.


  +This specifies the interface group of output interface and the optional mask.

> +Valid only in the in the
> +.B FORWARD
> +and
> +.B OUTPUT
> +and
> +.B POSTROUTING
> +chains, and user-defined chains which are only called from those
> +chains. 
> +.RS
> +.PP
> +

Regards,
Jarek P.

Re: [PATCHv7 iptables] Interface group match

[Jarek Poplawski]

Jarek Poplawski wrote, On 12/01/2007 10:19 PM:

> Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:
> ...
> 
>> Index: extensions/libxt_ifgroup.man


...

>> +Valid only in the in the

   +Valid only in the

>> +.B FORWARD
>> +and
>> +.B OUTPUT
>> +and
>> +.B POSTROUTING
>> +chains, and user-defined chains which are only called from those
>> +chains. 
>> +.RS
>> +.PP
>> +
> 
> Regards,
> Jarek P.

[PATCHv7 iproute2 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

[Laszlo Attila Toth]

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
 	IFLA_LINKMODE,
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+	IFLA_NET_NS_PID,
 	__IFLA_MAX
 };
 
-- 
1.5.2.5

[PATCHv7 iproute2 2/2] Interface group as new ip link option

[Laszlo Attila Toth]

Interfaces can be grouped and each group has an unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup. Any value of unsigned int32 is valid.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
 	IFLA_NET_NS_PID,
+	IFLA_IFGROUP,
+#define	IFLA_IFGROUP IFLA_IFGROUP
 	__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..ea2d46a 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(__u32 id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
 		fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
 	if (tb[IFLA_QDISC])
 		fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+	if (tb[IFLA_IFGROUP]) {
+		SPRINT_BUF(b1);
+		fprintf(fp, "group %s ", rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+	}
 #ifdef IFLA_MASTER
 	if (tb[IFLA_MASTER]) {
 		SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index f28f91c..cdef533 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include <string.h>
 #include <sys/ioctl.h>
 #include <linux/sockios.h>
+#include <linux/rtnetlink.h>
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
 	fprintf(stderr, "	                     promisc { on | off } |\n");
 	fprintf(stderr, "	                     trailers { on | off } |\n");
 	fprintf(stderr, "	                     txqueuelen PACKETS |\n");
+	fprintf(stderr, "	                     group GROUP |\n");
 	fprintf(stderr, "	                     name NEWNAME |\n");
 	fprintf(stderr, "	                     address LLADDR | broadcast LLADDR |\n");
 	fprintf(stderr, "	                     mtu MTU }\n");
@@ -146,6 +148,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
 	int qlen = -1;
+	__u32 group = 0;
 	int mtu = -1;
 	int len;
 	char abuf[32];
@@ -198,6 +201,14 @@ static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 			if (get_integer(&qlen,  *argv, 0))
 				invarg("Invalid \"txqueuelen\" value\n", *argv);
 			addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+		} else if (matches(*argv, "group") == 0) {
+			NEXT_ARG();
+			if (group != 0)
+				duparg("group", *argv);
+
+			if (rtnl_ifgroup_a2n(&group, *argv))
+				invarg("\"group\" value is invalid\n", *argv);
+			addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, sizeof(group));
 		} else if (strcmp(*argv, "mtu") == 0) {
 			NEXT_ARG();
 			if (mtu != -1)
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..ec6638c 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -439,10 +439,72 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
 		}
 	}
 
-	res = strtoul(arg, &end, 16);
+	res = strtoul(arg, &end, 0);
 	if (!end || end == arg || *end || res > 255)
 		return -1;
 	*id = res;
 	return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+	"0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+	rtnl_rtifgroup_init = 1;
+	rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+			    rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(__u32 id, char *buf, int len)
+{
+	if (id>=256) {
+		snprintf(buf, len, "0x%x", id);
+		return buf;
+	}
+	if (!rtnl_rtifgroup_tab[id]) {
+		if (!rtnl_rtifgroup_init)
+			rtnl_rtifgroup_initialize();
+	}
+	if (rtnl_rtifgroup_tab[id])
+		return rtnl_rtifgroup_tab[id];
+	snprintf(buf, len, "0x%02x", id);
+	return buf;
+}
+
+
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+	static char *cache = NULL;
+	static unsigned long res;
+	char *end;
+	int i;
+
+	if (cache && strcmp(cache, arg) == 0) {
+		*id = res;
+		return 0;
+	}
+
+	if (!rtnl_rtifgroup_init)
+		rtnl_rtifgroup_initialize();
+
+	for (i=0; i<256; i++) {
+		if (rtnl_rtifgroup_tab[i] &&
+		    strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+			cache = rtnl_rtifgroup_tab[i];
+			res = i;
+			*id = res;
+			return 0;
+		}
+	}
+
+	res = strtoul(arg, &end, 0);
+	if (!end || end == arg || *end)
+		return -1;
+	*id = res;
+	return 0;
+}
+
diff --git a/man/man8/ip.8 b/man/man8/ip.8
index 8fd6d52..0338dab 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
 change the transmit queue length of the device.
 
 .TP
+.BI group " GROUP"
+.TP 
+change the interface group identifier of the device.
+
+.TP
 .BI mtu " NUMBER"
 change the 
 .I MTU
-- 
1.5.2.5

Re: [PATCHv7 iproute2 2/2] Interface group as new ip link option

[Jarek Poplawski]

Laszlo Attila Toth wrote, On 11/29/2007 05:11 PM:

> Interfaces can be grouped and each group has an unique positive integer ID.
> It can be set via ip link. Symbolic names can be specified in
> /etc/iproute2/rt_ifgroup. Any value of unsigned int32 is valid.

...

> diff --git a/lib/rt_names.c b/lib/rt_names.c
> index 8d019a0..ec6638c 100644
> --- a/lib/rt_names.c
> +++ b/lib/rt_names.c
> @@ -439,10 +439,72 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
>  		}
>  	}
>  
> -	res = strtoul(arg, &end, 16);
> +	res = strtoul(arg, &end, 0);


Won't this break any scripts?

Jarek P.

[PATCHv7 iproute2 2/2][RESEND] Interface group as new ip link option

[Laszlo Attila Toth]

Interfaces can be grouped and each group has an unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup. Any value of unsigned int32 is valid.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/if_link.h |    2 +
 include/rt_names.h      |    2 +
 ip/ipaddress.c          |    4 +++
 ip/iplink.c             |   11 ++++++++
 lib/rt_names.c          |   62 +++++++++++++++++++++++++++++++++++++++++++++++
 man/man8/ip.8           |    5 ++++
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
 	IFLA_NET_NS_PID,
+	IFLA_IFGROUP,
+#define	IFLA_IFGROUP IFLA_IFGROUP
 	__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..ea2d46a 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(__u32 id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
 		fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
 	if (tb[IFLA_QDISC])
 		fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+	if (tb[IFLA_IFGROUP]) {
+		SPRINT_BUF(b1);
+		fprintf(fp, "group %s ", rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+	}
 #ifdef IFLA_MASTER
 	if (tb[IFLA_MASTER]) {
 		SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index f28f91c..cdef533 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include <string.h>
 #include <sys/ioctl.h>
 #include <linux/sockios.h>
+#include <linux/rtnetlink.h>
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
 	fprintf(stderr, "	                     promisc { on | off } |\n");
 	fprintf(stderr, "	                     trailers { on | off } |\n");
 	fprintf(stderr, "	                     txqueuelen PACKETS |\n");
+	fprintf(stderr, "	                     group GROUP |\n");
 	fprintf(stderr, "	                     name NEWNAME |\n");
 	fprintf(stderr, "	                     address LLADDR | broadcast LLADDR |\n");
 	fprintf(stderr, "	                     mtu MTU }\n");
@@ -146,6 +148,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
 	int qlen = -1;
+	__u32 group = 0;
 	int mtu = -1;
 	int len;
 	char abuf[32];
@@ -198,6 +201,14 @@ static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 			if (get_integer(&qlen,  *argv, 0))
 				invarg("Invalid \"txqueuelen\" value\n", *argv);
 			addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+		} else if (matches(*argv, "group") == 0) {
+			NEXT_ARG();
+			if (group != 0)
+				duparg("group", *argv);
+
+			if (rtnl_ifgroup_a2n(&group, *argv))
+				invarg("\"group\" value is invalid\n", *argv);
+			addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, sizeof(group));
 		} else if (strcmp(*argv, "mtu") == 0) {
 			NEXT_ARG();
 			if (mtu != -1)
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..8837e4f 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
 	return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+	"0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+	rtnl_rtifgroup_init = 1;
+	rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+			    rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(__u32 id, char *buf, int len)
+{
+	if (id>=256) {
+		snprintf(buf, len, "0x%x", id);
+		return buf;
+	}
+	if (!rtnl_rtifgroup_tab[id]) {
+		if (!rtnl_rtifgroup_init)
+			rtnl_rtifgroup_initialize();
+	}
+	if (rtnl_rtifgroup_tab[id])
+		return rtnl_rtifgroup_tab[id];
+	snprintf(buf, len, "0x%02x", id);
+	return buf;
+}
+
+
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+	static char *cache = NULL;
+	static unsigned long res;
+	char *end;
+	int i;
+
+	if (cache && strcmp(cache, arg) == 0) {
+		*id = res;
+		return 0;
+	}
+
+	if (!rtnl_rtifgroup_init)
+		rtnl_rtifgroup_initialize();
+
+	for (i=0; i<256; i++) {
+		if (rtnl_rtifgroup_tab[i] &&
+		    strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+			cache = rtnl_rtifgroup_tab[i];
+			res = i;
+			*id = res;
+			return 0;
+		}
+	}
+
+	res = strtoul(arg, &end, 0);
+	if (!end || end == arg || *end)
+		return -1;
+	*id = res;
+	return 0;
+}
+
diff --git a/man/man8/ip.8 b/man/man8/ip.8
index 8fd6d52..0338dab 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
 change the transmit queue length of the device.
 
 .TP
+.BI group " GROUP"
+.TP 
+change the interface group identifier of the device.
+
+.TP
 .BI mtu " NUMBER"
 change the 
 .I MTU
-- 
1.5.2.5