#compdef curvetun
#
# curvetun.zsh -- zsh completion function for curvetun
#
# Copyright (C) 2013 Hideo Hattori <hhatto.jp@gmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.

# Associative array that _arguments fills with the option values it parses
# from the command line (option name -> argument).  declare is an alias of
# typeset in zsh, so this is the same declaration.
declare -A opt_args

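# Completion action for the -d/--dev argument: offers the host's network
# interfaces under the "interfaces" tag, then the literal value "any".
# expl is the option array _wanted fills in for the matches; declaring it
# local here (the usual convention for completion helpers) keeps it from
# being left behind as a global parameter after completion runs.
# NOTE(review): "any" is the libpcap-style capture pseudo-device, while the
# -d option names a tunnel device such as tun0 — "any" is presumably not a
# valid value for curvetun here; confirm against curvetun before relying on it.
_interfaces () {
    local -a expl
    _wanted interfaces expl 'network interface' _net_interfaces
    _values "Pseudo-device that captures on all interfaces" "any"
}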

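# Option specs for curvetun.  The leading "(...)" exclusion list stops an
# option being offered again once either of its forms is already present;
# "(- *)" on --help/--version excludes every other option and argument.
# Fixes relative to the earlier specs:
#   * --version/--help carried a trailing ":", which told _arguments that
#     they take a mandatory argument; they take none.
#   * _gnu_generic is a whole-command completer (it runs `cmd --help` and
#     parses the output), not a per-argument action, so it was removed from
#     the option arguments; those now complete with a plain message only.
#   * -c/--client's server alias is optional per its description, so its
#     argument is declared with "::" (optional) instead of ":" (mandatory).
# NOTE(review): -t/--stun is completed with _hosts on the assumption that
# its argument is a STUN server hostname — confirm against curvetun's usage.
_arguments -s -S \
    "(-k --keygen)"{-k,--keygen}"[Generate public/private keypair]" \
    "(-x --export)"{-x,--export}"[Export your public data for remote servers]" \
    "(-C --dumpc)"{-C,--dumpc}"[Dump parsed clients]" \
    "(-S --dumps)"{-S,--dumps}"[Dump parsed servers]" \
    "(-D --nofork)"{-D,--nofork}"[Do not daemonize]" \
    "(-d --dev)"{-d,--dev}"[Networking tunnel device, e.g. tun0]:device:_interfaces" \
    "(- *)"{-v,--version}"[Print version]" \
    "(- *)"{-h,--help}"[Print this help]" \
    "(-s --server -N --no-logging -p --port -t --stun -u --udp -4 --ipv4 -6 --ipv6 -c --client)"{-c,--client}"[Client mode, server alias optional]::server alias: " \
    "(-c --client -s --server)"{-s,--server}"[Server mode]" \
    "(-c --client -N --no-logging)"{-N,--no-logging}"[Disable server logging (for better anonymity)]" \
    "(-c --client -p --port)"{-p,--port}"[Port number (mandatory)]:port number: " \
    "(-c --client -t --stun)"{-t,--stun}"[Show public IP/Port mapping via STUN]:STUN server:_hosts" \
    "(-c --client -u --udp)"{-u,--udp}"[Use UDP as carrier instead of TCP]" \
    "(-c --client -4 --ipv4)"{-4,--ipv4}"[Tunnel devices are IPv4]" \
    "(-c --client -6 --ipv6)"{-6,--ipv6}"[Tunnel devices are IPv6 (default: same as carrier protocol)]" \
    "*:argument: "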
decision purposes, with the premise that the admissibility of tracked connections reply packets (as well as original direction packets), and both direction packets of any related connections may be based on ACL rules applying to the master connection's original direction 5-tuple. This also makes it easier to make policy decisions when the actual packet headers might have been transformed by NAT, as the original direction 5-tuple represents the packet headers before any such transformation. When using the original direction 5-tuple the admissibility of return and/or related packets need not be based on the mere existence of a conntrack entry, allowing separation of admission policy from the established conntrack state. While existence of a conntrack entry is required for admission of the return or related packets, policy changes can render connections that were initially admitted to be rejected or dropped afterwards. If the admission of the return and related packets was based on mere conntrack state (e.g., connection being in an established state), a policy change that would make the connection rejected or dropped would need to find and delete all conntrack entries affected by such a change. When using the original direction 5-tuple matching the affected conntrack entries can be allowed to time out instead, as the established state of the connection would not need to be the basis for packet admission any more. It should be noted that the directionality of related connections may be the same or different than that of the master connection, and neither the original direction 5-tuple nor the conntrack state bits carry this information. If needed, the directionality of the master connection can be stored in master's conntrack mark or labels, which are automatically inherited by the expected related connections. The fact that neither ARP nor ND packets are trackable by conntrack allows mutual exclusion between ARP/ND and the new conntrack original tuple fields. 
Hence, the IP addresses are overlaid in union with ARP and ND fields. This allows the sw_flow_key to not grow much due to this patch, but it also means that we must be careful to never use the new key fields with ARP or ND packets. ARP is easy to distinguish and keep mutually exclusive based on the ethernet type, but ND being an ICMPv6 protocol requires a bit more attention. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--include/uapi/linux/openvswitch.h20
-rw-r--r--net/openvswitch/actions.c2
-rw-r--r--net/openvswitch/conntrack.c86
-rw-r--r--net/openvswitch/conntrack.h10
-rw-r--r--net/openvswitch/flow.c34
-rw-r--r--net/openvswitch/flow.h49
-rw-r--r--net/openvswitch/flow_netlink.c85
-rw-r--r--net/openvswitch/flow_netlink.h7
8 files changed, 246 insertions, 47 deletions
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h