aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-02-17BFD: put session admin-up/admin-downKlement Sekera3-20/+57
Change-Id: I7d8889dce8495607106593ad83320c9af0f2fa07 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-17Implemented IKEv2 initiator features:Radu Nicolau14-186/+2534
- IKE_SA_INIT and IKE_AUTH initial exchanges - Delete IKA SA - Rekey and delete Child SA - Child SAs lifetime policy To set up one VPP instance as the initiator use the following CLI commands (or API equivalents): ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> and finally ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange Child SA re-keying process: 1. Child SA expires 2. A new Child SA is created using the Child SA rekey exchange 3. For a set time both SAs are alive 4. After the set time interval expires old SA is deleted Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA) CLI API additions: ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> ikev2 initiate sa-init <profile id> ikev2 initiate del-child-sa <child sa ispi> ikev2 initiate del-sa <sa ispi> ikev2 initiate rekey-child-sa <profile id> <child sa ispi> Sample configurations: Responder: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.responder ikev2 profile set pr1 id remote fqdn vpp.home.initiator ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 Initiator: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.initiator ikev2 profile set pr1 id remote fqdn vpp.home.responder ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20 ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048 ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256 ikev2 profile set pr1 sa-lifetime 3600 10 5 0 Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-02-17Fix handling of ping to SNAT out interfaceJuraj Sloboda2-8/+37
Change-Id: I322bfb3469b3d0d5b0cac39a6c2dba1c6f83ce3d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-02-17ipsec: changed ipsec-input-ip6 node to be a sibling of ipsec-input-ip4, ↵Radu Nicolau1-6/+1
fixes a problem that occurs with cryptodev ipv6 input. Change-Id: I1f0c0db45b2aabc243dd785c8d5d5ef990cac903 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-02-17l2 input: avoid per-packet trace checks in the fast pathDave Barach4-25/+54
Change-Id: Ib0c8572773499d8dd4d81b3a565c24412ccc3510 Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-17Fix comment for num-mbufs default in startup.confDave Wallace1-1/+1
Change-Id: I8bb175cc9673895d4a8856786ecabfd66dd906e9 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2017-02-17dpdk: quad loop and prefetch in fill_free_listDamjan Marion1-15/+71
Change-Id: I19ec3b769b6512f7408044751393d9faf10d01d5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-17dpdk: bump to DPDK 17.02Damjan Marion1-2/+3
Change-Id: I4563208d97c43a200fcee948db491706a8d3e211 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-17ioam: declare export_node instead of defining it in header fileDamjan Marion1-1/+1
Change-Id: Ib1760312df759c29a2c2220e7b783af311d91d1a Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-17api: remove debug print in api_main_initDamjan Marion1-1/+0
Change-Id: I8f5cf447c131a790e4bbd46ef75063329fec7451 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-16tw_timer_expire_timers() - add a maximum to the number of expiration per callGabriel Ganne2-3/+10
The idea is to prevent a huge processing burst if, say, the network goes down 10' for some reason, and so that we don't need to expire 1M timer sessions on the first call. The maximum is not an exact value, but a value after which the expiration process is postponed until the next call. That way, we don't have to process the same tick twice, nor to unlink timers once at a time when processing a tick. The fact that a timer slot could contain many entries should be dealt with by changing the number of ticks per second. Change-Id: I892d07f965094102a3d53e7dbf4e6f5ad22d4967 Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-02-16Add NSH load-balance and drop DPOFlorin Coras5-15/+148
Also adds missing gpe nsh address type functions. Change-Id: I3353a23c0518da9ce3b221ddf8c5bd0364930154 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-16Fix NSH-LISP interface additionFlorin Coras1-15/+16
Change-Id: I3925d2ebb2d26c676fc61f118d25bdf7fd522f26 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-16Fix crash on deleting previously activated IPv6 interface - VPP-636Wojciech Dec1-0/+4
RADV Pool index was not getting updated Change-Id: I2d2f14c56f51034d39049d1c7e13c248180a865f Signed-off-by: Wojciech Dec <wdec@cisco.com>
2017-02-16Fix sample plugin breakage.Anlu Yan3-23/+10
Add vat_helper_macros.h to be installed in /usr/include/vlibapi Define a version for the sample plugin (separate from the VPP versioning). Hook up vnet_main in plugin init. Change-Id: I293b9dc824d0813ea2bb8747d535e4210a88b385 Signed-off-by: Anlu Yan <ayan@cisco.com>
2017-02-16Add handling of ICMP error packets in SNAT (VPP-629)Juraj Sloboda3-57/+534
Change-Id: I8d2022b7cb3ef3da736c085bccbb5b9c057a8d76 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-02-16VPP-638: 'set interface ipsec key garbage' causes infinite loopBilly McFall1-0/+5
In the CLI parsing of 'set interface ipsec key garbage', the token 'garbage' enters the processing code for the <key>. This enters unformat_hex_string(..) which looks through the input for 0-9,a-f and drops out if a non-hex digit is encountered. The problem is that it returns 1, indicating that input has been processed, but in this case, no characters have been removed from the input string. This causes the calling function to go to the top of the loop and process the next token, which is now the same token and gets stuck in an infinite loop. Updated unformat_hex_string(..) to return 0 if no characters were processed. This funcitons is used in multiple CLI Commands, but most have token that preceeds the hex string. Since the token is stripped, the CLI command is able to avoid an infinte loop. Change-Id: Ib54f04f23c4d3563ec57a2450982d3648cedec0e Signed-off-by: Billy McFall <bmcfall@redhat.com>
2017-02-16add tw_timer_template.c to vpp devel packagesGabriel Ganne1-0/+1
Change-Id: Ia25a8827ed94877e8fe6c0b2ff6d05c1568eb0e1 Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-02-16tw_timer_expire_timers() return the number of expirationsGabriel Ganne2-9/+14
to be used for node statistics Also fix tw_timer_stop() description Change-Id: I84b529e330c4534fd55487e7e2b8b089ee68ca11 Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-02-16LISP: minor enhacementsFilip Tehlar1-13/+13
* use RLOC for IP version detection * don't check whether RLOC is local when deleting Change-Id: Icdb84025dd5511eb5348b654bf7b373def15406c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-15LISP: fix deleting src/dst entry from GID dictionaryFilip Tehlar2-5/+24
Change-Id: Ic674cc953b45ddd4811e07821e1a0af28b5f6214 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-15SNAT: add static mappings with unresolved external interface address to ↵Matus Fabian4-6/+86
snat_static_mapping_dump Change-Id: Ib560b397700fe058ad1e2970989d98e3debf54aa Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-02-15BFD: loop back echo packetsKlement Sekera7-58/+353
Change-Id: I772b63ac25ebfccaff9ab9d8d0b1445e85f21df7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-15Fix bug in definition of tcp_header_tJuraj Sloboda1-1/+4
Change-Id: Ic814b805ef77913ffe86f82c009602c75258acfb Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-02-14VPP-279: Document changes for vnet/vnet/devicesBilly McFall2-52/+210
Add doxygen documentation for pcap tx trace CLI command. In the process of adding the documentation, made the following changes to the way the command worked: * If there is an error with any of the attributes, the whole command fails. The existing behavior was to apply attribute by attribute, then bail if there was an issue, with partial apply. * Move the 'on' processing to the end. The existing behavior was to process the 'on' as it was encountered on the commandline. That meant that any attributes after the 'on' in the commandline were saved and displayed, but not really being used in the packet trace. * Enhanced the 'status' to show all the configured attributes. NOTE: The packet capture has some weird behavior with regards to how many packets are written to file and if the file is appended or overwritten. VPP-634 written to document the issue. Change-Id: Iab241228b125385052de242865afd9515fa2524f Signed-off-by: Billy McFall <bmcfall@redhat.com>
2017-02-14BFD: respect remote demand modeKlement Sekera3-348/+590
Change-Id: I5063d31f5305c848043afb32fcacff6e61aed79f Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-14make test: improve stabilityKlement Sekera6-88/+149
Disable automatic garbage collection and run it manually before running each test case to minimize stalls. Improve vpp subprocess cleanup. Reduce helper thread count to one and properly clean that thread once it's not needed. Change-Id: I3ea78ed9628552b5ef3ff29cc7bcf2d3fc42f2c3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-14BFD: set per session UDP source port per RFCKlement Sekera4-16/+43
Change-Id: Id294dbbd6499ae8221cc8143e1027adc08866ae6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-14Fix coverity issues: ioamShwetha Bhandari3-8/+15
Change-Id: I0963760a7da95612d5cab19596919b369a4d0f8e Signed-off-by: Shwetha Bhandari <shwethab@cisco.com>
2017-02-14Fix is_server flag in vhost dump (VPP-562)Marek Gradzki1-0/+1
Change-Id: I5b308eb39ae770d58d1498d7fafa49b236b3f534 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
2017-02-14Fix typo in API warning message.Jon Loeliger1-1/+1
Change-Id: I51488620a7eeaf7a0edba71437d2b49ae3cf0bf5 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-14vhost-user: fix crash when descriptor points to unknown regionDamjan Marion1-1/+2
This happens only on when compiled for older microarchitectures, where BSF insutruction is used instead of TZCNT. BSF provides undefined result if operand is 0. Change-Id: I7a13350786a533428168595097ef01a560fde53b Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-14Update CSIT tests 170129 -> 170213Jan Gelety1-1/+1
- update of CSIT operational branch to be used for VPP-patch test Change-Id: I43cc99ea3ad6266b4792a7721968de89b7328306 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2017-02-13Out-of-tree Build Error fixAkshayaNadahalli2-22/+20
File vnet/fib/fib_urpf_list.h was included in vnet/fib/ip6_fib.h but was exported to be installed in /usr/include/vnet. So out-of-tree builds relying on an installed package was failing. Fix is to inlcude fib_urpf_list.h in source file rather than including it in header file. Change-Id: Iae39c1d9417dbd31ee67fa1bd2d1915d5e813c73 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-13Augment IP_DETAILS, IP_ADDRESS_DETAILS with a few context fields.Jon Loeliger2-5/+15
When handling the IP_DETAILS and IP_ADDRESS_DETAILS replies, it is almost certainly going to require having both the is_ipv6 and sw_if_index context to handle them properly. Placing these values in an essentially global location as the current VAT does isn't thread-safe. Fruthermore, rather than forcing every API user to hoop-jump to establish these context values, simply provide them in their DETAILS reply messages. Change-Id: I6a9e0cb16ecdbf87fca8fc5c7663e98d3a53c26c Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-13Basic support for LISP-GPE encapsulated NSH packetsFlorin Coras28-22/+944
Change-Id: I97fedb0f70dd18ed9bbe985407cc5fe714e8a2e2 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-13VPP-632 : InBand OAM AnalyserAkshayaNadahalli33-336/+2797
Refer to jira ticket for more details. Change-Id: I6facb9ef8553a21464f9a2e612706f152badbb68 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-10Update plugin templatesDave Barach3-118/+106
Disguise the string "fd.io coding-style blah blah blah" to avoid spurious checkstyle failures on the emacs lisp code. DGMS. Change-Id: I6b88d9588dff7d67c6e509052ae4f32529684de7 Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-09make test: work around scapy truncated packetsKlement Sekera2-0/+65
Under stress, it's possible to hit a race condition, when the packet header is fully written to pcap, but not all packet data - yet. Scapy is stupid enough to: 1. not detect and report this error, truncating the packet instead 2. continue munching more data from wrong offset The work around is to scan the file ahead, parse the packet header, figure out how much data we need, wait for the file to be big enough, then restore the file position back to where it was and finally let scapy parse the packet. Change-Id: I9fc71d3ebdc62ecab6c90b90f177d0eaeb09b8bb Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-09Improve MFIB doxygen helpNeale Ranns4-4/+12
Change-Id: Ie490b7fd5238cbad23f0199161cc14324fd9c554 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-02-08BFD: minor fixesKlement Sekera2-5/+3
Change-Id: I1c93f96a752eb2ffd1117a656552131cde1fa489 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-08make test: BFD tests speedupKlement Sekera1-2/+4
Change-Id: I0b3064a311f28ebf7cd9db0a59cb04c7c25c9d58 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-08BFD: modify session parametersKlement Sekera13-127/+601
Change-Id: I666e5c0cc71a3693640960c93cdd1907f84fbe23 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-08Fix source address reachability check for ip6 local packetsAkshayaNadahalli2-7/+26
Currently ip6 local check fails with error - source lookup miss if route to source of packet is over a dpo object such as load balance - recurssive route, tunnel adj - GRE, SR etc. So unless packet source is of a directly connected neibhor or has route with both interface and nexthop specified, it will be dropped. Fix is to check urpf list and if at least one link exists in the list, then allow packets to be processed, else drop. Change-Id: Id426311bb63bab506754a79409c602fdb6d0f190 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-07VPP-630: Null pointer dereferences in vlib/unix/plugin.cOle Troan1-1/+1
Change-Id: Iafb071c684a43e21925e3a43019cd86372347898 Signed-off-by: Ole Troan <ot@cisco.com>
2017-02-07Multiple platofrm support for dpdk/Makefile, fix optimizationsDamjan Marion4-78/+25
Using -march=native was causing SIGILLs on Atoms. Change-Id: I98c7fdaa139e3db70c972950dc9c167bf5803656 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-07Fix M(), M2() macros in VATFilip Tehlar1-2/+4
Change-Id: I76593632cde97f7cb80bbc395735404f39f3bd3f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-07LISP: reject remote mappings that have as locators local IPsFilip Tehlar2-1/+29
Change-Id: Ifaf46554e45557ebf82009d9c46a9e905a46f884 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-06Add pool_get[_aligned]_will_expand(...)Dave Barach2-0/+67
Change-Id: Iefffcf7843dc11803d69a875a72704a2543911a1 Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-06make test: improve test filteringKlement Sekera3-5/+81
Implement fine-grained test filtering by supporting more complicated filters beside the original file name suffix filter. Change-Id: If5a166d08cffe8c58cc6cf174e6df861c34dbaa6 Signed-off-by: Klement Sekera <ksekera@cisco.com>