ss provides some selinux stub functions, useful when iproute2 is
compiled without selinux support.
Move them to lib/ so we can use them in other iproute2 tools.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
getfilecon() and security_get_initial_context() use the const qualifier
for their first paramater in SELinux APIs.
This commit adds the const qualifier to these functions, making them
conformant to API definitions.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
From the is_selinux_enabled() manpage:
is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not.
This makes the is_selinux_enabled() stub functions works exactly like
the SELinux function it is supposed to replace.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
These new counters have been added in different kernel versions:
- v5.12: local_addr_used, local_addr_max
- v5.13: csum_enabled
- v6.5: retransmits, bytes_retrans, bytes_sent, bytes_received,
bytes_acked
It is interesting to display them if they are available.
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/415
Acked-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
This is aligned with what is printed for TCP sockets.
The main difference here is that these counters can be larger (u32 vs
u64) but WireShark and TCPDump are also printing these MPTCP counters as
decimal and they look fine.
So it sounds better to do the same here with ss for those who want to
easily count how many bytes have been exchanged between two runs without
having to think in hexa.
Acked-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Some counters from mptcp_info structure were stored as an unsigned
number (u8) but displayed as a signed one.
Even if it is unlikely these u8 counters -- number of subflows and
ADD_ADDR -- have a value bigger than 2^7, it still sounds better to
display them as unsigned.
Fixes: 9c3be2c0 ("ss: mptcp: add msk diag interface support")
Acked-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The field is accessed before being assigned a meaningful value,
effectively disabling the checks.
Fixes: 4a0053b606a34 ("ss: Unify packet stats output from netlink and proc")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The aafilter struct considers the port as (usually) 32 bit signed
integer. In case of a unix socket, the port is used with an inode
number which is an unsigned int. In this case, the 'ss' command
fails because it assumes that the value does not look like a port
(<0).
Here an example of command call where the inode is passed and
is larger than a signed integer:
ss -H -A unix_stream src :2259952798
Signed-off-by: Mathieu Schroeter <mathieu@schroetersa.ch>
Signed-off-by: David Ahern <dsahern@kernel.org>
Similarly to RO ZC report when RxNoPad is set.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Due to this bug, in json mode (with the -j flag), the output was
always in absolute mode (as if passing in the -a flag) and not in
relative mode.
Signed-off-by: Chander Govindarajan <mail@chandergovind.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Due to this bug, in json mode (with the -j flag), the output was
always in absolute mode (as if passing in the -a flag) and not in
relative mode.
Signed-off-by: Chander Govindarajan <mail@chandergovind.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Gcc with warnings enabled complains because the conditional.
if ((long)(a - b) < 0)
could be construed as never true. Change to simple comparison.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
With all warnings enabled gcc wants brackets around the
empty if() clause. "Yes I really want an empty clause"
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
TIPC support has been introduced in 'iproute-master' (not -next) in
commit 5caf79a0 ("ss: Add support for TIPC socket diag in ss tool"), at
the same time a refactoring introducing filter_db_parse() was done, see
commit 67d5fd55 ("ss: Put filter DB parsing into a separate function")
from iproute2-next.
When the two commits got merged, the support for TIPC has been
apparently accidentally dropped.
This simply adds the missing entry for TIPC.
Fixes: 2c62a64d ("Merge branch 'iproute2-master' into iproute2-next")
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
These query entries were in the man page but not in 'ss -h':
- packet_raw
- packet_dgram
- dccp
- sctp
- xdp (+ the --xdp option)
I only created one commit with all: this fixes multiple commits but all
on the same line.
The only exception is with '--xdp' parameter which is linked to
commit 2abc3d76 ("ss: add AF_XDP support").
Fixes: aba5acdf ("(Logical change 1.3)") # packet raw/dgram
Fixes: 351efcde ("Update header files to 2.6.14") # dccp
Fixes: f89d46ad ("ss: Add support for SCTP protocol") # sctp
Fixes: 2abc3d76 ("ss: add AF_XDP support") # xdp
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
No need to include rt_names.h twice.
Fixes: 31f45088c9c8 ("build: fix build failure with -fno-common")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Commit 21c07b45688f ("ss: Show zerocopy sendfile status of TLS
sockets") started displaying the activation status of zerocopy sendfile
on TLS sockets, exposed via sock_diag. This commit makes the format more
compact: the flag's name is shorter and is printed only when the feature
is active, similar to other flag options.
The flag's name is also generalized ("sendfile" -> "tx") to embrace
possible future optimizations, and includes an explicit indication that
the underlying data must not be modified during transfer ("ro").
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
The -p, -Z and -z options only show process (thread group leader)
information. For example, if the thread group leader has exited, but
another thread in the group is still using a socket, ss -[pZz] does not
show it.
Add a new option, -T (--threads), to show thread information. It implies
the -p option. For example, imagine process A and thread B (in the same
group) using the same socket. ss -p only shows A:
$ ss -ltp "sport = 1234"
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 0.0.0.0:1234 0.0.0.0:* users:(("test",pid=2932547,fd=3))
ss -T shows A and B:
$ ss -ltT "sport = 1234"
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 0.0.0.0:1234 0.0.0.0:* users:(("test",pid=2932547,tid=2932548,fd=3),("test",pid=2932547,tid=2932547,fd=3))
If -T is used, -Z and -z also show SELinux contexts for threads.
Rename some variables (from "process" to "task", for example) since we
use them for both processes and threads.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
We are planning to add a thread version of the -p, --process option.
Move the logic iterating $PROC_ROOT/$PID/fd/ into a new function,
user_ent_hash_build_task(), to make it easier.
Since we will use this function for both processes and threads, rename
local variables as such (e.g. from "process" to "task").
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Make checkpatch.pl --strict happy about user_ent_hash_build().
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
'name' is already $PROC_ROOT/$PID/fd/$FD there, no need to rebuild the
string.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Call user_ent_hash_build() once after the getopt_long() loop if -p, -z
or -Z is used.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Commit 116ac9270b6d ("ss: Add support for retrieving SELinux contexts")
added an unnecessary stack variable, 'char *p', in
user_ent_hash_build(). Delete it for readability.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Use the '*' assignment-suppression character, instead of an
inappropriately named temporary variable.
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Print the activation status of zerocopy sendfile on TLS sockets.
Zerocopy sendfile was recently added to Linux and exposed via sock_diag.
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
A number of functions in the rtnl_*_req family accept a caller-provided
callback to set up arbitrary filtering. rtnl_statsdump_req_filter()
currently only allows setting a field in the IFSM header, not custom
attributes. So far these were not necessary, but with introduction of more
detailed filtering settings, the callback becomes necessary.
To that end, add a filter_fn and filter_data arguments to the function.
Unlike the other filters, this one is typed to expect an IFSM pointer, to
permit tweaking the header itself as well.
Pass NULLs in the existing callers.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
ss uses rpcinfo to get info about rpc services socket. This makes it
dependent on a tool not included in iproute2, and makes it impossible to
get info on rpc sockets if rpcinfo is not installed.
This reworks init_service_resolver() to use libtirpc, thus avoiding the
implicity dependency on rpcinfo. Moreover, this also makes it possible
to display info about ipv6 rpc socket that are not included in the
rpcinfo -p output.
For example, before this patch:
$ ss -rtap
LISTEN 0 5 localhost:ipp [::]:* users:(("cupsd",pid=1600,fd=9))
LISTEN 0 64 [::]:34265 [::]:*
LISTEN 0 64 [::]:rpc.nfs_acl [::]:*
LISTEN 0 128 [::]:42253 [::]:* users:(("rpc.statd",pid=146164,fd=12))
After this patch:
$ ss -rtap
LISTEN 0 5 localhost:ipp [::]:* users:(("cupsd",pid=1600,fd=9))
LISTEN 0 64 [::]:rpc.nlockmgr [::]:*
LISTEN 0 64 [::]:rpc.nfs_acl [::]:*
LISTEN 0 128 [::]:rpc.status [::]:* users:(("rpc.statd",pid=146164,fd=12))
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
these members of TCP_INFO have been included in v5.4.
tested with:
# ss -nti
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
'tmp' string is used for safe tokenizing, but it is not required after
getting all the widths in -w option. As 'tmp' string is obtained by strdup
call, the caller has to deallocate it to avoid memory leak.
Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
According to SELinux API, when resources are allocated using getpidcon()
of getfilecon(), they should be freed using freecon().
This commit makes ss use freecon() where appropriate, defining a stub
function executing a free() useful when iproute2 is compiled without
SELinux support.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Running lnstat will cause core dump from reading past end of array.
Segmentation fault (core dumped)
The maximum value of th.num_lines is HDR_LINES(10), h should not be equal to th.num_lines, array th.hdr may be out of bounds.
Signed-off-by jiangheng <jiangheng12@huawei.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Fix rogue "tab after spaces" used for indentation of the documentation.
This causes rendering issues on terminals using a non-standard tab width.
Signed-off-by: Frank Villaro-Dixon <frank.villaro@infomaniak.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Jonas reports that ss -awp does not display any RAW sockets
on a Knoppix 4.4 kernel.
sockdiag_send() diverts to tcpdiag_send() to try the older
netlink interface. tcpdiag_send() works for TCP and DCCP
but not other protocols. Instead of rejecting unsupported
protocols (and missing RAW and SCTP) match on supported ones.
Link: https://lore.kernel.org/netdev/20210815231738.7b42bad4@mmluhan/
Reported-and-tested-by: Jonas Bechtel <post@jbechtel.de>
Fixes: 41fe6c34de50 ("ss: Add inet raw sockets information gathering via netlink diag interface")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The sport and dport conditions in expressions were inconsistent on
whether there should be a ":" at the beginning of the port when only a
port was provided depending on the family. The link and netlink
families required a ":" to work. The vsock family required the ":"
to be absent. The inet and inet6 families work with or without a leading
":".
This makes the leading ":" optional in all cases, so if sport or dport
are used, then it works with a leading ":" or without one, as inet and
inet6 did.
Signed-off-by: Thayne McCombs <astrothayne@gmail.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
ss accepts an address family both with the -f option and as part of a
host condition. However, if the family in the host condition is
different than the the last -f option, then which family is actually
used depends on the order that different families are checked.
This changes parse_hostcond to check all family prefixes before parsing
the rest of the address, so that the host condition's family always has
a higher priority than the "preferred" family.
Signed-off-by: Thayne McCombs <astrothayne@gmail.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Prior to this commit, running 'ss' on a kernel older than v5.9
bumps an error message:
RTNETLINK answers: Invalid argument
When asked to dump protocol number > 255 - that is: MPTCP - 'ss'
adds an INET_DIAG_REQ_PROTOCOL attribute, unsupported by the older
kernel.
Avoid the warning ignoring filter issues when INET_DIAG_REQ_PROTOCOL
is used.
Additionally older kernel end-up invoking tcpdiag_send(), which
in turn will try to dump DCCP socks. Bail early in such function,
as the kernel does not implement an MPTCPDIAG_GET request.
Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com>
Fixes: 9c3be2c0eee0 ("ss: mptcp: add msk diag interface support")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
add_addr_accepted value is not printed if add_addr_signal value is 0.
Fix this properly looking for add_addr_accepted value, instead.
Fixes: 9c3be2c0eee01 ("ss: mptcp: add msk diag interface support")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The code here was doing strncpy() in a way that causes gcc 10
warning about possible string overflow. Just use strlcpy() which
will null terminate and bound the string as expected.
This has existed since start of git era so no Fixes tag.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
The patch exposes statistics for XDP sockets which can be useful for
debugging purposes.
The stats exposed are:
rx dropped
rx invalid
rx queue full
rx fill ring empty
tx invalid
tx ring empty
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
This commit adds support to expose the following inet socket options:
-- recverr
-- is_icsk
-- freebind
-- hdrincl
-- mc_loop
-- transparent
-- mc_all
-- nodefrag
-- bind_address_no_port
-- recverr_rfc4884
-- defer_connect
with the option --inet-sockopt. The individual option is only shown
when set.
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Replace the iproute2 snapshot with a version string which is
autogenerated as part of the build process using git describe.
This will also allow seeing if the version of the command
is built from the same sources is as upstream.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
To improve the usability better use case-insensitive pattern-matching
in ifstat, nstat and ss tools.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
