…93d350

- Preserve results when NLM_F_DUMP_INTR is set
  vishvananda/netlink#1018
- Fix SetSendTimeout/SetReceiveTimeout
  vishvananda/netlink#1012

full diff: vishvananda/netlink@v1.3.0...084abd9

Signed-off-by: Rob Murray <rob.murray@docker.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. cilium#32099), the logged error message can still cause CI
to fail (e.g. cilium#35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. cilium#32099), the logged error message can still cause CI
to fail (e.g. cilium#35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. cilium#32099), the logged error message can still cause CI
to fail (e.g. cilium#35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. cilium#32099), the logged error message can still cause CI
to fail (e.g. cilium#35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. cilium#32099), the logged error message can still cause CI
to fail (e.g. cilium#35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. #32099), the logged error message can still cause CI
to fail (e.g. #35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

[ upstream commit 5d1951b ]

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. #32099), the logged error message can still cause CI
to fail (e.g. #35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

[ upstream commit 5d1951b ]

According to the kernel docs[^1], the kernel can return incomplete
results for netlink state dumps if the state changes while we are
dumping it. The result is then marked by `NLM_F_DUMP_INTR`. The
`vishvananda/netlink` library returned `EINTR` since v1.2.1, but more
recent versions have changed it such that it returns
`netlink.ErrDumpInterrupted` instead[^2].

These interruptions seem common in high-churn environments. If the error
occurs, it is in most cases best to just try again.  Therefore, this
commit adds a wrapper for all `netlink` functions marked to return
`ErrDumpInterrupted` that retries the function up to 30 times until it
either succeeds or returns a different error.

While may call sites do have their own high-level retry mechanism (see
e.g. #32099), the logged error message can still cause CI
to fail (e.g. #35259). Long high-level retry intervals can
also become problematic: For example, if the routing setup fails due to
`NLM_F_DUMP_INTR` during an CNI ADD invocation, the retry adds add
several seconds of additional delay to an already overloaded system,
instead of resolving the issue quickly.

A subsequent commit will add an additional linter that nudges developers
to use this new `safenetlink` package for function calls that can be
interrupted. This ensures that we don't have to add retries in all
subsystems individually.

[^1]: https://docs.kernel.org/userspace-api/netlink/intro.html
[^2]: vishvananda/netlink#1018

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

Similar to vishvananda#1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Similar to vishvananda#1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Similar to vishvananda#1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Similar to #1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Hunch is that the change in vishvananda/netlink#1018,
will prevent EBUSY by draining the remaining messages from the kernel
before returning.

Before vishvananda/netlink#925, all messages
would be read but the "interrupted" flag was ignored.  That PR made it
so that the dump would return early, but that would leave some messages
unconsumed.  There was logic elsewhere to discard these messages,
but the kernel has a check for "dump in progress" at the start of a new
dump and it returns EBUSY in that case:

```
int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
			 const struct nlmsghdr *nlh,
			 struct netlink_dump_control *control)
{
...
	mutex_lock(&nlk->nl_cb_mutex);
	/* A dump is in progress... */
	if (nlk->cb_running) {
		ret = -EBUSY;
		goto error_unlock;
	}
```

I wasn't able to trace the exact path through the kernel code to verify
when cb_running would be set, or that the error would be returned
on the NLMSG_DONE as we see here but it seemed like a solid bet.

1. fix rule test failed when rule add slow.

disable broadcast if broadcast is set to net.IPv4zero

remove comments about broadcast when deleting address

remove another comment about broadcast auto calculation

.github/workflows: Bump CI Go version to v1.22

Update the Go version we test against to Go v1.22 which is currently the
oldest version still receiving security updates.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

1. filter match support vlanId and srcMac, dstMac.
2. filter action support vlan pop/push.

link_linux: Add deserialization of `IFF_RUNNING` flag

Add deserialization of the `IFF_RUNNING` link flag which translates to
`net.FlagRunning`.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Preserve results when NLM_F_DUMP_INTR is set

Similar to vishvananda#1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Add IFLA_PARENT_DEV_NAME / IFLA_PARENT_DEV_BUS_NAME to links

These attributes are supported since kernel v5.14 (see [1]). Here's
what iproute2 shows:

```
$ ip -d link show eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    ... parentbus virtio parentdev virtio0
```

[1]: torvalds/linux@00e77ed

Signed-off-by: Albin Kerouanton <albinker@gmail.com>

conntrack: prevent potential memory leak

Currently, the ConntrackDeleteFilters captures all flow entries
it fails to delete and reports them as errors. This behavior
can potentially lead to memory leaks in high-traffic systems,
where thousands of conntrack flow entries are cleared in a single
batch. With this commit, instead of returning all the un-deleted
flow entries, we now return a single error message for all of them.

Signed-off-by: Daman Arora <aroradaman@gmail.com>

Fix parsing 4-bytes attribute

What if the data length of attribute is 4? The attribute will be ignored,
because `i+4 < len(data)`.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>

fix: Use correct offset for unix socket diagnosis

Signed-off-by: Sven Rebhan <srebhan@influxdata.com>

vxlan: Fix parseVxlanData for source port range

binary.Read() != nil check means error case, so the vxlan.Port{Low,High}
are never populated. Fix the check.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

netkit: Allow setting MAC address in L2 mode

Signed-off-by: Jordan Rife <jrife@google.com>

Add support for MTU Lock

When adding a route with "mtu lock <mtu>" path MTU discovery (PMTUD)
will not be tried and packets will be sent without DF bit set. Upon
receiving an ICMP needs frag due to PMTUD, the kernel will not install a
cached route and lower the MTU.

Signed-off-by: Tim Rozet <trozet@redhat.com>

pedit: Fix EncodeActions to add TcGen for pedit action

TcGen was missing in pedit action and the kernel cannont correctly process pedit action.

Signed-off-by: Chen Tang <tangchen.1@bytedance.com>

go.mod: github.com/vishvananda/netns v0.0.5

- Adding file path for nerdctl and finch

full diff: vishvananda/netns@v0.0.4...v0.0.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Add `OifIndex` option for `RouteGetWithOptions`

The `RouteGetWithOptions` function currently has a `Oif` option which
gets translated from link name to link index via a `LinkByName` call.
This adds unnecessary overhead when the link index is already known.

This commit adds a new `OifIndex` option to `RouteGetWithOptions` which
can be specified instead of `Oif` to skip the internal link index
translation.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Support "sample" filter action

This change adds support for packet sampling using "psample" kernel
module.

Added PCPU and SA fields to XfrmState

Add support for ARP/ND Timestamps when retriving neighbors

On Linux, Netlink provides NDA_CACHEINFO which carries timestamps about
when ARP/ND was updated, used, and confirmed.

Expose these fields in the Neigh type

tuntap: parse additional netlink attributes for flags and queues

Signed-off-by: Ivan Tsvetkov <ivanfromearth@gmail.com>

tuntap: add support for dynamically managing multi-queue FDs

Introduce AddQueues and RemoveQueues methods for attaching and detaching
queue file descriptors to an existing TUN/TAP interface in multi-queue mode.
This enables controlled testing of disabled queues and fine-grained queue
management without relying on interface recreation.

Signed-off-by: Ivan Tsvetkov <ivanfromearth@gmail.com>

add SRv6 support for END.DT4

fix: add missing CLOEXEC flag

Some calls were already using it, some were not, but fix the remaining
ones.

Without this flag, the file descriptor would to the child process after
fork/exec.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

tests: Improve address unit test infrastructure

Signed-off-by: kayos@tcp.direct <kayos@tcp.direct>

addr_linux: don't require label to be prefixed with interface name

This requirement limits the usefulness of labels (given the total label
length can only be 15 characters).

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

feat: add IFLA_INET6_ADDR_GEN_MODE support

geneve: Support setting/getting source port range

Add support for geneve feature to specify source port range, see
kernel commits:

- e1f95b1992b8 ("geneve: Allow users to specify source port range")
- 5a41a00cd5d5 ("geneve, specs: Add port range to rt_link specification")

This is exactly equivalent on what is done in case of vxlan today.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

feat: add support for RtoMin lock

veth: allow configuring peer attributes beyond namespace and address

Signed-off-by: Gwendolyn <me@gwendolyn.dev>

qdisc: fix wrong type info of tc_sfq_qopt

Mimic `ipset` C code for determining correct default ipset revision

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

bugfix: parse ipv4 src/dst error

rdma: support rdma metrics: resource and statistic

Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com>

feat: add vlanid - tunnelid mapping support

filter: add classid and port range support for flower

vlan: add support for flags and qos maps

Signed-off-by: Gwendolyn <me@gwendolyn.dev>

Add support for the `expires` option of `ip route`

1. fix rule test failed when rule add slow.

disable broadcast if broadcast is set to net.IPv4zero

remove comments about broadcast when deleting address

remove another comment about broadcast auto calculation

.github/workflows: Bump CI Go version to v1.22

Update the Go version we test against to Go v1.22 which is currently the
oldest version still receiving security updates.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

1. filter match support vlanId and srcMac, dstMac.
2. filter action support vlan pop/push.

link_linux: Add deserialization of `IFF_RUNNING` flag

Add deserialization of the `IFF_RUNNING` link flag which translates to
`net.FlagRunning`.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Preserve results when NLM_F_DUMP_INTR is set

Similar to vishvananda#1018, but for
ConntrackDeleteFilters()

Relates to kubernetes/kubernetes#129562

Add IFLA_PARENT_DEV_NAME / IFLA_PARENT_DEV_BUS_NAME to links

These attributes are supported since kernel v5.14 (see [1]). Here's
what iproute2 shows:

```
$ ip -d link show eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    ... parentbus virtio parentdev virtio0
```

[1]: torvalds/linux@00e77ed

Signed-off-by: Albin Kerouanton <albinker@gmail.com>

conntrack: prevent potential memory leak

Currently, the ConntrackDeleteFilters captures all flow entries
it fails to delete and reports them as errors. This behavior
can potentially lead to memory leaks in high-traffic systems,
where thousands of conntrack flow entries are cleared in a single
batch. With this commit, instead of returning all the un-deleted
flow entries, we now return a single error message for all of them.

Signed-off-by: Daman Arora <aroradaman@gmail.com>

Fix parsing 4-bytes attribute

What if the data length of attribute is 4? The attribute will be ignored,
because `i+4 < len(data)`.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>

fix: Use correct offset for unix socket diagnosis

Signed-off-by: Sven Rebhan <srebhan@influxdata.com>

vxlan: Fix parseVxlanData for source port range

binary.Read() != nil check means error case, so the vxlan.Port{Low,High}
are never populated. Fix the check.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

netkit: Allow setting MAC address in L2 mode

Signed-off-by: Jordan Rife <jrife@google.com>

Add support for MTU Lock

When adding a route with "mtu lock <mtu>" path MTU discovery (PMTUD)
will not be tried and packets will be sent without DF bit set. Upon
receiving an ICMP needs frag due to PMTUD, the kernel will not install a
cached route and lower the MTU.

Signed-off-by: Tim Rozet <trozet@redhat.com>

pedit: Fix EncodeActions to add TcGen for pedit action

TcGen was missing in pedit action and the kernel cannont correctly process pedit action.

Signed-off-by: Chen Tang <tangchen.1@bytedance.com>

go.mod: github.com/vishvananda/netns v0.0.5

- Adding file path for nerdctl and finch

full diff: vishvananda/netns@v0.0.4...v0.0.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Add `OifIndex` option for `RouteGetWithOptions`

The `RouteGetWithOptions` function currently has a `Oif` option which
gets translated from link name to link index via a `LinkByName` call.
This adds unnecessary overhead when the link index is already known.

This commit adds a new `OifIndex` option to `RouteGetWithOptions` which
can be specified instead of `Oif` to skip the internal link index
translation.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Support "sample" filter action

This change adds support for packet sampling using "psample" kernel
module.

Added PCPU and SA fields to XfrmState

Add support for ARP/ND Timestamps when retriving neighbors

On Linux, Netlink provides NDA_CACHEINFO which carries timestamps about
when ARP/ND was updated, used, and confirmed.

Expose these fields in the Neigh type

tuntap: parse additional netlink attributes for flags and queues

Signed-off-by: Ivan Tsvetkov <ivanfromearth@gmail.com>

tuntap: add support for dynamically managing multi-queue FDs

Introduce AddQueues and RemoveQueues methods for attaching and detaching
queue file descriptors to an existing TUN/TAP interface in multi-queue mode.
This enables controlled testing of disabled queues and fine-grained queue
management without relying on interface recreation.

Signed-off-by: Ivan Tsvetkov <ivanfromearth@gmail.com>

add SRv6 support for END.DT4

fix: add missing CLOEXEC flag

Some calls were already using it, some were not, but fix the remaining
ones.

Without this flag, the file descriptor would to the child process after
fork/exec.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

tests: Improve address unit test infrastructure

Signed-off-by: kayos@tcp.direct <kayos@tcp.direct>

addr_linux: don't require label to be prefixed with interface name

This requirement limits the usefulness of labels (given the total label
length can only be 15 characters).

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

feat: add IFLA_INET6_ADDR_GEN_MODE support

geneve: Support setting/getting source port range

Add support for geneve feature to specify source port range, see
kernel commits:

- e1f95b1992b8 ("geneve: Allow users to specify source port range")
- 5a41a00cd5d5 ("geneve, specs: Add port range to rt_link specification")

This is exactly equivalent on what is done in case of vxlan today.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

feat: add support for RtoMin lock

veth: allow configuring peer attributes beyond namespace and address

Signed-off-by: Gwendolyn <me@gwendolyn.dev>

qdisc: fix wrong type info of tc_sfq_qopt

Mimic `ipset` C code for determining correct default ipset revision

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

bugfix: parse ipv4 src/dst error

rdma: support rdma metrics: resource and statistic

Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com>

feat: add vlanid - tunnelid mapping support

filter: add classid and port range support for flower

vlan: add support for flags and qos maps

Signed-off-by: Gwendolyn <me@gwendolyn.dev>

Add support for the `expires` option of `ip route`