Age | Commit message (Collapse) | Author | Files | Lines |
|
Added scripts to reparing setups for testing
To prepare and run containers:
sudo ./extras/strongswan/vpp_sswan/docker/run.sh prepare_containers
To prepare setups:
sudo ./extras/strongswan/vpp_sswan/docker/run.sh config
To clean-up settups:
sudo ./extras/strongswan/vpp_sswan/docker/run.sh clean
To deleted all containers and images in Docker:
sudo ./extras/strongswan/vpp_sswan/docker/run.sh deleted
Type: feature
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I77f01c0419dccc95f610046c8552ae825f2c7e12
|
|
Added plugin vpp-swan is a plugin that helps offloading
Strongswan IPsec ESP process from Linux Kernel to VPP.
Type: feature
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: Iec77945892453fac1890d3c49d7d86fc6b09c893
|
|
Type: test
"test_wg_handshake_ratelimiting_multi_peer" has been unstable recently
because the test strongly relies on execution speed. Currently, the test
triggers ratelimiting for peer 1 and sends handshake initiations from
peer 1 and 2 mixed up. After that, the test expects that all handshake
initiations for peer 1 are ratelimited and a handshake response for peer
2 is received.
Ratelimiting is based on the token bucket algorithm. The more time
passes between triggering ratelimiting for peer 1 and sending a mixture
of handshake initiations from peer 1 and 2, the more tokens will be
added into the bucket for peer 1. Depending on delays between these
steps, the number of tokens might be enough to process handshake
initiations from peer 1 while they are expected to be rejected due to
ratelimiting.
With this change, these two steps are combined into one and the logic
modified. The test triggers ratelimiting for both peer 1 and 2. Packets
that trigger ratelimiting and that are to be rejected are sent in one
batch that is going to reduce delays between packet processing. Also,
verify that number of rejected handshake messages is in expected range
instead of verifying the exact number as it still may slightly vary.
Also, this should finish making the wireguard tests stable on Ubuntu
22.04 and Debian 11.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3407d15abe1356dde23a241ac3650e84401c9802
|
|
default RLIMIT_MEMLOCK is 64. if we use multi af_xdp interfaces or
load complex bpf program, libbpf will return permission error.
root cause is default 64 is not large enough. So we change it before
load bpf program.
Type: fix
Change-Id: Ia6aed19c9256c498cf1155586a54a32b3f444105
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Type: test
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I016fd169813e369208089df122477152aaf9ffc2
|
|
Type: fix
Currently, when a wg interface is administratively disabled initially or
during operation, handshake packets continue to be sent. Data packets
stop being sent because routes pointing to the wg interface will not be
used. But data keys remain.
With this fix, when a wg interface is administratively disabled during
peer creation, avoid connection initialization to the peer. Data keys
and timers should be empty at this point. When a wg interface is
disabled during operation, disable all peers (i.e. stop all timers,
clear data keys, etc.). Thus, state should be identical in both cases.
When a wg interface is administratively enabled, enable all peers (i.e.
get ready to exchange data packets and initiate a connection). Also,
cover these scenarios with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
|
|
Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c
Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
with it
PS. openSSL 3.x.x
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If715a80228548b4e588cee222968d9da9024c438
|
|
Type: fix
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
Change-Id: Ia447420f692f1487d343886845d648d766e43c27
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Validate version and IHL regardless of present options.
Originally VPP would accept seriously damaged headers in case IHL != 5.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Ifd59622efa63dfad7f6e4858dec40ccac3274574
|
|
Type: fix
As per the protocol:
A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms,
if a response has not been received...
Currently, if retransmit handshake timer is started, it will trigger
after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake
initiation via wg_send_handshake() given that no responses have been
received. wg_send_handshake() will verify that time stored in
REKEY_TIMEOUT has passed since last handshake initiation sending and if
has, will send a handshake initiation. Time when a handshake initiation
was last sent is stored in last_sent_handshake.
The problem is that last_sent_handshake is not only updated in
wg_send_handshake() when sending handshake initiations but also in
wg_send_handshake_response() when sending handshake responses. When
retransmit handshake timer triggers and a handshake response has been
sent recently, a handshake initiation will not be sent because for
wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT
has not passed yet. Also, the timer will not be restarted.
wg_send_handshake_response() must not update last_sent_handshake,
because this time is used only when sending handshake intitiations. And
the protocol does not say that handshake initiation retransmission and
handshake response sending (i.e. replying to authenticated handshake
initiations) must coordinate.
With this fix, stop updating last_sent_handshake in
wg_send_handshake_response().
Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds
and did not receive any handshake initiations. Then they fail.
Also, long-running tests that send wrong packets and do not expect
anything in reply may now receive handshake intiations, consider them as
replies to the wrond packets, and fail. Those are updated to filter out
handshake initiations in such verifications. Moreover, after sending
wrong packets, error counters are already inspected there to confirm
packet processing was unsuccessful.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
|
|
The previous patch[37164] was a bit flawed.
Type: fix
Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
Change-Id: Ia9d8b9c7853e8f4b960ce7de26d0384243deb667
|
|
Type: test
Change-Id: I7b2314a731c83b3dcd69c999edb8ebed53839724
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: improvement
Change-Id: I7f7050c19453a69a7fb6c5e62f8f57db847d9144
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: I6edbff9a02fcb3c592ccfe8f47ddb3f848be1b6d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Outgoing packets can be now traced via:
trace add bfd-process <count>
Type: improvement
Change-Id: Ia19af6054289b18f55e518dbea251a2bee9b9457
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
This patch introduces fast path matching for inbound traffic ipv6.
Fast path uses bihash tables in order to find matching policy.
Adding and removing policies in fast path is much faster than in current
implementation. It is still new feature and further work needs
and can be done in order to improve the perfromance.
Type: feature
Change-Id: Iaef6638033666ad6eb028ffe0c8a4f4374451753
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
|
|
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ie89d68ea4e462dfd7276a75f420268f15394258d
|
|
Type: docs
Change-Id: Ic1439ce658d9d53208b29d85440a6cc225ed5b74
Signed-off-by: fatelei <fatelei@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: docs
Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
This adds the ability to specify we want an IPv4 route via an IPv6 adj
and vice-versa.
Type: improvement
Change-Id: I5f7f1ab89fc60244d31c26155bbd9b0db690257c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When manually adding neighbor entries for proxy-arp, those will be
fib-adj entries. Check for proxy-arp instead of dropping immediately.
Type: improvement
Change-Id: Id311159f2966c99719dc2a67d4d2bc92bf366029
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
The script accepts zero or one argument (the commit hash), and outputs
the detected components, the component maintainers,
and the final suggested reviewer list. See the script
for the example output.
Change-Id: Ief671fe837c6201bb11fd05d02af881822b0bb33
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a new tool packetforge to extras. This tool is to support generic flow.
Packetforge is a library to translate naming or json profile format flow
pattern to the required input of generic flow, i.e. spec and mask. Using
python script flow_create.py, it can add and enable a new flow rule for
an interface via flow VAPI, and can delete an existed flow rule as well.
Command examples are shown below. Json profile examples can be found in
./parsegraph/samples.
Naming format input:
python flow_create.py --add -p "mac()/ipv4(src=1.1.1.1,dst=2.2.2.2)/udp()"
-a "redirect-to-queue 3" -i 1
python flow_create.py --del -i 1 -I 0
Json profile format input:
python flow_create.py -f "./flow_rule_examples/mac_ipv4.json" -i 1
With this command, flow rule can be added or deleted, and the flow
entry can be listed with "show flow entry" command in VPP CLI.
Packetforge is based on a parsegraph. The parsegraph can be built by
users. A Spec can be found in ./parsegraph as guidance. More details
about packetforge are in README file.
Type: feature
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Ia9f539741c5dca27ff236f2bcc493c5dd48c0df1
|
|
When ESTABLISHED TCP connection is terminated by an RST packet,
EPOLLHUP + EPOLLRDHUP would be updeliever by VCL. If not using
VPP, app would receive EPOLLHUP + EPOLLERR + EPOLLIN(if requested) +
EPOLLRDHUP(if requested).
libevent will interpret the two cases as different EV combinations.
Below is the code snippet for libevent v2.12:
if (what & EPOLLERR) {
ev = EV_READ | EV_WRITE;
} else if ((what & EPOLLHUP) && !(what & EPOLLRDHUP)) {
ev = EV_READ | EV_WRITE;
} else {
if (what & EPOLLIN)
ev |= EV_READ;
if (what & EPOLLOUT)
ev |= EV_WRITE;
if (what & EPOLLRDHUP)
ev |= EV_CLOSED;
}
Type: fix
Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
Change-Id: Ice3d2861183b6ea499f66b727bbe175eeae5cb05
|
|
Usage:
test/run.py -r -t {test_filter}
Instead of starting a new instance of VPP, when the -r argument
is provided, test is run against a running VPP instance. Optionally,
one can also set the VPP socket directory using the -d
argument. The default location for socket files is
/var/run/user/${uid}/vpp and /var/run/vpp if VPP is started
as root.
Type: improvement
Change-Id: I05e57a067fcb90fb49973f8159fc17925b741f1a
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
Type: feature
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I5a64a2c095cae3a4d5f8fdc73e624b010339ec8e
|
|
Type: fix
Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: test
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I218059de5d05680d661f302293475b6c2a7bf81d
|
|
It's known there're one or more 32-bit increments in the ip
header. So just check ip router alert option length with minimal
performance impact, and don't care of the total options length.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I46dd06516f793846b931a1dc8612f2735f8d24d3
|
|
Also check for non-zero rpath length in CLI cmd.
While there, no need to use "else" after a return.
Also while there, notice and fix numerous input_line
buffer leaks and fix them.
Type: fix
Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8
|
|
Type: fix
Change-Id: I4eb2a7190de90553c91133f940e068ed649120cb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
If an attempt is made to delete a teib entry and the entry does not
exist, a message is logged. The format string contained an extra "%U",
which results in a segv.
Change-Id: I9b1d6ba63601982ba6ac8607cf710e34c311702a
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When we follow arp feature arc for proxy-arp, we should still update
the error reason in case proxy-arp cannot handle the arp request and
drops it.
Type: improvement
Change-Id: I046df017ca2056cfc12af0f0a968b401058bcd6d
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
If unrecognized input was provided to the commands which add or delete a
pair, the error message was being created incorrectly and only displayed
something like "unknown input `'". Provide the correct argument to
format_unformat_error so that the actual unrecognized input is printed.
There also was no error or useful information printed if only the base
command were provided without any additional arguments. This should
print a warning about what required data was missing. Reorganize code to
handle this and to make sure that memory gets freed appropriately.
Change-Id: If454714f50cf41b3b56cfadfbf017f1d160e13a4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Handle the case of the mapping not being found by GID.
Type: fix
Change-Id: Ibce3b9e8419c0dddca97b4d0d5a71f25dfd529d8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I21a701a556b88a9d81f0e074a59fa34b3746b1d9
|
|
add hugepage for vcl configure and svm
Type: feature
Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I6a8905e3fec23d840e629114b1e5a403d0a258ef
|
|
add dma support to session, acclerate host-stack with dma
Type: feature
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I3d492921d69d9e3e0b34d33adc33fba3bde9e1cc
|
|
If one attempts to add a pattern with zero length, first time
it will succeed, and the second time it will cause an invalid memcmp call.
Solution: do not allow to add zero-length patterns.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ic08e021486153be605a4b12a2fe4422307bf68d2
|
|
The number of available dynamic ports is set to (0xffff - 1024) =
64511, which is not divisable by the pow2 number of workers - the
only integer divisors are 31 and 2081.
So, total dynamic port range of all workers will be less than it:
1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536
2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535
4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533
8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529
...
As seen, with multiple workers there are unused trailing ports for every
nat pool address and that is the reason of out-of-bound index in the
worker array on out2in path due (port - 1024) / port_per_thread math.
This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets
to unused ports will go to existing worker and dropped there.
Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6:
6. Port Number Ranges
o the System Ports, also known as the Well Known Ports, from 0-1023
(assigned by IANA)
o the User Ports, also known as the Registered Ports, from 1024-
49151 (assigned by IANA)
o the Dynamic Ports, also known as the Private or Ephemeral Ports,
from 49152-65535 (never assigned)
According that let's allocate dynamic ports from 1024 and have full port
range with a wide range of the workers number - 64 integer divisors in
total, including pow2 ones:
1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536
2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536
3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536
4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536
5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534
6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536
7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536
8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536
...
Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required
when the numbers of workers is not the integer divisor of 64512.
Type: fix
Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a
Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
Type: fix
Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: Ibfebe4da0197d1f60bf9edd3873fe1f776b680a4
|
|
Type: improvement
Change-Id: I371237803e2c3cb0e1b42b94f422867465e2bff6
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
Type: feature
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I4e03f60f34acd7809ddc5a743650bedbb95b2e98
|
|
Type: improvement
Change-Id: I2f3fab893a10b060f91b07ee17b8727d241830ea
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
This patch introduces fast path matching for inbound traffic ipv4.
Fast path uses bihash tables in order to find matching policy. Adding
and removing policies in fast path is much faster than in current
implementation. It is still new feature and further work needs
and can be done in order to improve perfromance.
Type: feature
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ifbd5bfecc21b76ddf8363f5dc089d77595196675
|
|
DPO in the new copy was not locked ...
Type: fix
Fixes: 0bfe5d8
Change-Id: I39f1368de459af91c4bb857d98a4b531bd5692a6
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
Free node frames in worker mains on refork. Otherwise these frames are
never returned to free pool and it causes massive memory leaks if
performed under traffic load
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
|
|
Type: improvement
Change-Id: Idf1fb054d5ff495d772d01a79cbc6cd1b409d377
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
When a session is found expired, the next node of in2out fast path
should be in2out slow path instead of out2in slow path.
Type: fix
Signed-off-by: Jing Peng <jing@meter.com>
Change-Id: If1dd920502089c25b33bea5434823b0496a44499
|
|
Type: improvement
Change-Id: I7f52222706200c31a731fadfb84513549ccb532d
Signed-off-by: Damjan Marion <dmarion@me.com>
|