Age | Commit message | Author | Files | Lines
2023-12-01 | flowprobe: fix tx flows generated for rewritten traffic | Alexander Chernavin | 2 | -5/+82
Currently, when IPFIX records generation is enabled for an interface in the TX direction, some rewritten traffic is being sent from that interface, and the Ethernet header's location has changed due to rewriting, generated TX flows will contain fields with wrong and zero values. For example, that can be observed when traffic is rewritten from a subinterface to a hardware interface (i.e. when tags are removed). A TX flow generated in this case will have wrong L2 fields because of an incorrectly located Ethernet header. And zero L3/L4 fields because the Ethernet type will match neither IP4 nor IP6.

The same code is executed to generate flows for both input and output features. And the same mechanism is applied to identify the Ethernet header in the buffer's data. However, such general code usually works with the buffer's data conditionally based on the direction. For most input features, the buffer's current_data will likely point to the IP header. For most output features, the buffer's current_data will likely point to the Ethernet header.

With this fix:
- Keep relying on ethernet_buffer_get_header() to locate the Ethernet header for input features. And start using vlib_buffer_get_current() to locate the Ethernet header for output features. The function will account for the Ethernet header's position change in the buffer's data if there is rewriting.
- After fixing Ethernet header determination in the buffer's data, L3/L4 fields will contain non-zero but still incorrect data. That is because IP header determination needs to be fixed too. It currently relies on the fact that the Ethernet header is always located at the beginning of the buffer's data and that l2_hdr_sz can be used as an IP header offset. However, this may not be the case after rewriting. So start calculating the actual offset of the IP header in the buffer's data.
- Add a unit test to cover the case.

Type: fix
Change-Id: Icf3f9e6518912d06dff0d5aa48e103b3dc94edb7
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
(cherry picked from commit 64d6463d2eac0c0fe434f3a7aa56fe4d85c046d9)
2023-12-01 | flowprobe: fix clearing interface state on feature disabling | Alexander Chernavin | 2 | -1/+23
As a result of recent fixes, all currently stored flows of an interface are deleted when the feature is being disabled for the interface. This includes stopping the timer and freeing the flow entries for further reuse. The problem is that meta information is not cleared in the flow entries being deleted. For example, packet delta count will keep its value. The next flow that gets one of these pool entries will already have a non-zero packet count. So the counting of packets will start from a non-zero value. And incorrect packet delta count will be exported for that flow. With this fix, clear meta information too when clearing interface state. Also, update the corresponding test to cover this case. Type: fix Change-Id: I9a73b3958adfd1676e66b0ed50f1478920671cca Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit dab1dfeea9fec04a9a90a82dc5d770fbff344540)
2023-12-01 | flowprobe: fix accumulation of tcp flags in flow entries | Alexander Chernavin | 2 | -0/+75
Currently, TCP flags of a flow entry don't get reset once the flow is exported (unlike other meta information about a flow - packet delta count and octet delta count). So TCP flags are accumulated as long as the flow is active. When the flow expires, it is exported the last time, and its pool entry is freed for further reuse. The next flow that gets this pool entry will already have non-zero TCP flags. If it's a TCP flow, the flags will keep being accumulated. This might look fine when exported. If it's a non-TCP flow, that will definitely look erroneous. With this fix, reset TCP flags once the flow is exported. Also, cover the reuse case with tests. Type: fix Change-Id: I5f8560afffcfe107909117d3d063e8a69793437e Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit 21922cec7339f48989f230248de36a98816c4b1b)
2023-12-01 | fib: only update glean for interface if necessary | Matthew Smith | 3 | -17/+93
Type: improvement If an interface address is added, the glean adjacency for its covering prefix is updated with that address. In the case of multiple addresses within the same prefix being added, the most recently added one will end up being used as the sender protocol address for ARP requests. Similar behavior occurs when an interface address is deleted. The glean adjacency is updated to some appropriate entry under its covering prefix. If there were multiple interface addresses configured, we may update the address on the adjacency even though the address currently in use is not the one being deleted. Add a new value PROVIDES_GLEAN to fib_entry_src_flag_t. The flag identifies whether a source interface entry is being used as the address for the glean adjacency for the covering prefix. Update logic so that the glean is only updated on adding an interface address if there is not already a sibling entry in use which has the flag set. Also, only update the glean on deleting an interface address if the address being deleted has the flag set. Also update unit test which validates expected behavior in the case where multiple addresses within a prefix are configured on an interface. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I7d918b8dd703735b20ec76e0a60af6d7e571b766 (cherry picked from commit 9e5694b405e0200725a993f0c17d452fab508435)
2023-12-01 | flowprobe: fix sending L4 fields in L2 template and flows | Alexander Chernavin | 3 | -10/+53
Currently, when L2 and L4 recording is enabled on the L2 datapath, the L2 template will contain L4 fields and L2 flows will be exported with those fields always set to zero. With this fix, when L4 recording is enabled, add L4 fields to templates other than the L2 template (i.e. to the IP4, IP6, L2_IP4, and L2_IP6 templates). And export L2 flows without L4 fields. Also, cover that case in the tests. Type: fix Change-Id: Id5ed8b99af5634fb9d5c6e695203344782fdac01 Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit 6b027cfdbcb750b8aa1b8ab9a3904c1b2dca6f15)
2023-12-01 | flowprobe: fix corrupted packets sent after feature disabling | Alexander Chernavin | 4 | -2/+92
When IPFIX flow record generation is enabled on an interface and the active timer is set, flows will be saved and then exported according to the active and passive timers. If the feature is then disabled on the interface, the flow entries currently saved will remain in the state tables. They will gradually expire and be exported. The problem is that the template for them has already been removed. And they will be sent with zero template ID which will make them unreadable. A similar problem will occur if feature settings are "changed" on the interface - i.e. disable the feature and re-enable it with different settings (e.g. set a different datapath). The remaining flows that correspond to the previous feature settings will be eventually sent either with zero template ID or with template ID that corresponds to the current feature settings on the interface (and look like garbage data). With this fix, flush the current buffers before template removal and clear the remaining flows of the interface during feature disabling. Type: fix Change-Id: I1e57db06adfdd3a02fed1a6a89b5418f85a35e16 Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit f68afe85a6e4d5e00fdad1af19a76eb40fdfa388)
2023-12-01 | ethernet: run callbacks for subifs too when mac changes | Alexander Chernavin | 2 | -4/+113
When MAC address changes for an interface, address change callbacks are executed for it. In turn adjacencies register a callback for MAC address changes to be able to update their rewrite strings accordingly. Subinterfaces inherit MAC address from the parent interface. When MAC address of the parent interface changes, it also implies MAC address change for its subinterfaces. The problem is that this is currently not considered when address change callbacks are executed. After MAC address change on the parent interface, packets sent from subinterfaces might have wrong source MAC address as the result of stale adjacencies. For example, ARP messages might be sent with the wrong (previous) MAC address and address resolution will fail. With this fix, when address change callbacks are executed for an interface, they will be also executed for its subinterfaces. And adjacencies will be able to update accordingly. Type: fix Change-Id: I87349698c10b9c3a31a28c0287e6dc711d9413a2 Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit 8a92b68bc8eaaec48d144fba62490a32f28eb422)
2023-12-01 | flowprobe: fix sending L2 flows using L2_IP6 template | Alexander Chernavin | 2 | -13/+81
Currently, L2 flows are exported using L2_IP6 template if L3 or L4 recording is enabled on L2 datapath. That occurs because during feature enable, L2 template is added and its ID is not saved immediately. Then L2_IP4 and L2_IP6 templates are added overwriting "template_id" each time. And in the end, the current value of "template_id" is saved for L2 template. The problem is that "template_id" at that point contains the ID of L2_IP6 template. With this fix, save the template ID immediately after adding a template for all variants (datapaths). Also, cover the case with a test. Type: fix Change-Id: Id27288043b3b8f0e89e77f45ae9a01fa7439e20e Signed-off-by: Alexander Chernavin <achernavin@netgate.com> (cherry picked from commit 120095d3d33bfac64c1f3c870f8a332eeaf638f0)
2023-12-01 | memif: contention between memif_disconnect and memif RX/TX threads | Steven Luong | 1 | -0/+11
memif_disconnect may be called without barrier sync. It removes stuff in mq without protection which may cause troubles for memif RX/TX worker threads. The fix is to protect mq removal in memif_disconnect. Type: fix Change-Id: I368c466d1f13df98980dfa87e8442fbcd822a428 Signed-off-by: Steven Luong <sluong@cisco.com> (cherry picked from commit 34c721fb47155135bf2173ca7b9a31aaacfde190)
2023-11-30 | fib: Don't use an address from an attached prefix when sending ARP requests. | Neale Ranns | 3 | -4/+34
Change-Id: I4c3144794dd0bd7de6150929e53f6d305c496b17 Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I7b0c2c2dec5e867970599b8f2f2da17f2ff0b17c (cherry picked from commit 39528796098973fe9a5411e0f6f94268c3324e94)
2023-10-25 | tcp: allow fins in syns in syn-rcvd | Florin Coras | 1 | -7/+11
Also make sure connection is properly cleaned up. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I02f83e9a1e17cbbbd2ee74044d02049b2fd2f21c (cherry picked from commit da2ae9af61fbdb3b68eb72f8d35294fdb3720303)
2023-10-25 | tcp: handle syn-ack in fin-wait-2 in rcv process | Florin Coras | 1 | -0/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If74e04498423bed42593e79ec92482421cfda8d2 (cherry picked from commit 61d63e8323d11240edab44ff714def1c573fc987)
2023-10-25 | tcp: initialize connection index on rst w packet | Florin Coras | 1 | -0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie01d7e8d6eddf3ba88f2cd6eb8369c8ec8179cb4 (cherry picked from commit 0094fe0190b623dbef0e57b7f4032ba3cf5f36b0)
2023-10-25 | session: fix duplicate rx events | Florin Coras | 1 | -10/+0
Be less aggressive with rx events on connect/accept notification. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie93a08c7eef69383bf0301a163fd2131dd51372a (cherry picked from commit 054aa8c2f2681e3a4a4af02d9119fb6eaa5dbad6)
2023-10-25 | session: ignore connecting half_open session in session_tx_fifo_dequeue_internal | Steven Luong | 1 | -1/+3
s->tx_fifo is 0 for the connecting half open session. Type: fix Change-Id: I2ba1ae99a2fa4fae1896587f40e0e4fb73c1edcb Signed-off-by: Steven Luong <sluong@cisco.com> (cherry picked from commit 947aa8fffcd85563ed0bad620f739e76c6002f50)
2023-10-25 | tls: Fix SSL_CTX leak on every client session | Brian Morris | 2 | -11/+12
Type: fix Change-Id: I35b3920288269073cdd35f79c938396128d169c9 Signed-off-by: Brian Morris <bmorris2@cisco.com> (cherry picked from commit 733e093e7099552a4609dc5efadf9261df7778d4)
2023-10-25 | session: fix tx deq ntf assert for cl | Florin Coras | 1 | -1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I97a04ed0417f1a3433665f6aa1a9424138fd54cb (cherry picked from commit fa9f37c15ceb32c4b4d6fd0d352cfd5a38a6ab94)
2023-10-25 | dpdk-cryptodev: improve dequeue behavior, fix cache stats logging | Piotr Bronowski | 4 | -76/+88
This patch provides minor improvements to the logic governing dequeuing from the ring. Previously whenever a frame was dequeued we've been trying to dequeue from the ring another one till inflight == 0. Now threshold is set for 8 frames pending in the cache to be consumed by the vnet. This threshold has been chosen based on cache ring stats observation in the system under load. Some unnecessary logic for setting deq_tail has been removed. Also logging has been corrected, and cache ring logic simplified. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I19f3daf5913006e9cb23e142a163f596e85f5bda (cherry picked from commit 7cc17f6df9b3f4b45aaac16ba0aa098d6cd58794)
2023-10-20 | misc: VPP 23.10 Release Notes (tag: v23.10) | Andrew Yourtchenko | 2 | -0/+630
Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Icd40064c06ccc53efba1cd9564613108b999b656
2023-10-11 | session: ignore app rx ntf if transport closed | Florin Coras | 1 | -1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id56a101a6350903b00f7c96705fb86039e70e12c (cherry picked from commit a0b8c8fdf3fc555fc2ed7792d67bf3fb4fb99b9f)
2023-10-11 | vppinfra: fix coverity issue CID 323952 (tag: v23.10-rc2) | Dave Wallace | 1 | -1/+1
Type: fix Fixes: 08600ccfa Change-Id: I53ba0d96507b55ab7cd735073d6c4cf20a3cc948 Signed-off-by: Dave Wallace <dwallacelf@gmail.com> (cherry picked from commit 05cc62dd504bbb0fb230fcf3786ed7f4d5be2364)
2023-10-10 | session: maintain old state on premature close | Florin Coras | 1 | -7/+14
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2ea821e0499a3874c4579f5480ea86f30ebe615f (cherry picked from commit 84c9ee3d696ef5c1162530a30ba591b806a7e175)
2023-10-09 | session: propagate delayed rx evts after connect/accept | Florin Coras | 1 | -5/+20
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4a2e8f864df7269ec5a3c4fd4d8785a67b687d58 (cherry picked from commit 431b489c5a4f60a82781ace60d07471d003787af)
2023-10-09 | tls: propagate reads to app irrespective of state | Florin Coras | 2 | -3/+2
Session input node handles rx notifications even if session not fully accepted/connected Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6560c45db8f8e0b7f0dc3bdd0939f13ca2f43f15 (cherry picked from commit aa7b88120ad83a29a05522bed4e5aa71524b8aba)
2023-10-09 | session: handle accept and connect errors | Florin Coras | 2 | -6/+29
If builtin apps refuse connections, they should be cleaned up. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I95ef22902ac3fe873e15e250aa5f03031c2dc0c4 (cherry picked from commit 9ffec14a2202e1268c4a2f189c39a90986090a25)
2023-10-09 | tls: no read after app close | Florin Coras | 1 | -1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I34f8ee2e36d07e8e55e21561528fc6b73feb852f (cherry picked from commit 3843d0dd03a3ebbdb5d13b54e1b871a8ea72498c)
2023-10-09 | tls: report error if connected cannot be initialized | Florin Coras | 1 | -4/+6
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I987ac6b461b473836917bce6ce0d4ac109cc8ddb (cherry picked from commit a3d55df1e91a7df4ad4c0e1b639ba12a1ed04c79)
2023-10-09 | vppinfra: fix string termination in clib_file_get_resolved_basename | Damjan Marion | 1 | -0/+2
Type: fix Fixes: 40f4810 Change-Id: Idf51462c8154663de23154f17a894b7245c9fbf0 Signed-off-by: Damjan Marion <damarion@cisco.com> (cherry picked from commit 08600ccfa12f529d6ca7b852106227fc5f7addbf)
2023-10-09 | tls: limit openssl engine max read burst | Florin Coras | 2 | -4/+6
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic7a8fd37d79fc9c09c8b1539d630f3b8983b8bb3 (cherry picked from commit c1b038001e1f18effb3c9ff5daa9e9cac1cd66e8)
2023-10-09 | tls: init connection for prealloced app sessions | Florin Coras | 1 | -0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Icd62dc110e3a73b24372f3a5162f8008b7edee9f (cherry picked from commit a127d3c157cb6e7658451a877abbfe0dd16c982a)
2023-10-09 | tls: ignore tx events for not fully established sessions | Florin Coras | 1 | -6/+9
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I401a116a1a46c0dc5d591115de5ff0eef2f6440b
2023-10-02 | tls: fix formatting of half open connections | Florin Coras | 1 | -0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If96dc748a716a261edfcb1020210bd73058e382f
2023-09-20 | misc: Initial changes for stable/2310 branch (tag: v23.10-rc1) | Andrew Yourtchenko | 1 | -0/+1
Type: docs Change-Id: I82d323c6e4585772e5c9a9f5b5bbb77b65c1da85 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2023-09-20 | tests: remove unsupported qemu feature | Naveen Joy | 1 | -1/+1
pretty=on|off has been removed from qemu and its presence causes VM boot up issues. Type: fix Change-Id: I4a9f15dba5015e81fbd32278b1c74b2606c32c8f Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-09-19 | npt66: ensure feature is not configured multiple times | Ole Troan | 2 | -12/+23
If the control agent enabled a binding on an interface multiple times, we would add the node in the feature arc multiple times. Type: fix Change-Id: I2ca247db0a0211f5fa3974a18ca4fcae8485cb12 Signed-off-by: Ole Troan <otroan@employees.org>
2023-09-18 | vcl: unset fifo evt before size check | Florin Coras | 1 | -6/+8
For blocking sessions, if fifo event still active before size check it could lead to vpp not generating an event because of race to check flag in vpp and to eventually unset flag in vcl. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0e350b9ff92a4e08a9249345ae224589c09d305b
2023-09-16 | vapi: fix coverity warnings | Dave Wallace | 1 | -12/+13
- CID-322713, CID-322712, CID-314881, CID-314880, CID-314878 COPY_INSTEAD_OF_MOVE Type: fix Change-Id: Idad6806fcd4e1a89a750dcc0584b5b1f0432bf3c Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-09-16 | misc: VPP 23.06 Release Notes | Andrew Yourtchenko | 2 | -0/+620
Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Id39d7d6a6340e65885ab0845b6fc9a2b81e4f565 (cherry picked from commit 493b8990d1185f818890560101e13e1b69f54b1d)
2023-09-15 | vpp-swan: fix configuration of policies | Gabriel Oginski | 1 | -15/+16
This patch fixes configuration of priority, port and type of protocol for inbound and outbound policies in policy-based IPsec of this plugin. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I01ddc2e13ebbe87380e66a525aac1b615f619604
2023-09-13 | nat: fix nat44_ed set_session_limit crash | Vladislav Grishenko | 2 | -10/+9
Setting session limit should return error for unknown fib. Optimize max_translations_per_fib expanding and drop unnecessary trailing fib entry. Type: fix Change-Id: Ie7d2b363ade48f53598faa617a49cce7b2db6400 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2023-09-13 | quic: fix quic sessions state updates | Florin Coras | 2 | -11/+6
Session state cannot be updated after async notification event is generated for app. Instead, make sure quic sessions that accept new streams are switched to listening state only on accept. Type: fix Fixes: 0242d30 Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9663ccadbea99d555ad49e871f7dff897239dc84
2023-09-13 | sr: mark sr_policies_v2_details message as production | Andrew Yourtchenko | 1 | -1/+0
As per discussion on the VPP community call, since the message is used in CSIT tests and did not see the changes in a while, mark as production for the purposes of change process. Type: improvement Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4a79aafb1a9f37ac87faea7abea28cf01d1ffb4c
2023-09-13 | adl: stabilize the API | Andrew Yourtchenko | 1 | -1/+1
As discussed on the VPP call, since CSIT tests use these messages and they have not been changed for quite a while, bump the version so these messages are considered as "production" from the change process standpoint. Type: improvement Change-Id: I93a04b10b273d5904c0678fa0b85d47f9f683a9b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2023-09-13 | flow: mark API as production | Andrew Yourtchenko | 1 | -1/+1
As per discussion on the VPP call - since the APIs are used in CSIT tests, mark them as production from the change process perspective. Type: improvement Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I9164073425384e8aa281445a2852fee49b777e2f
2023-09-13 | wireguard: stabilize the API | Andrew Yourtchenko | 1 | -1/+1
As per discussion on VPP call - since the APIs are used in CSIT tests, and there have not been changes in a while, mark them as stable from the API change process PoV. Type: improvement Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ia644e1dfcd9d182cc6f10089fc44397a61e8aaf6
2023-09-13 | crypto-sw-scheduler: stabilize the API | Andrew Yourtchenko | 1 | -1/+1
As per discussion on the VPP call: since the CSIT tests use these APIs and the APIs have not changed in quite a while, stabilize the API from the change process point of view. Type: improvement Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Id81999d03cce37764f6ed7d4f77ef5a71fe41ad1
2023-09-13 | hsa: fix coverity issue CID-313635 | Dave Wallace | 2 | -2/+8
Type: fix Change-Id: Ieb50ab548bb34bdbb44d973037ee452d48f412ea Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-09-13 | api: fix vlibmemory coverity warning CID-300152 | Dave Wallace | 1 | -0/+4
Type: fix Change-Id: Icdebc8629946e0e7c8dde3e45ee93ff9027e7c68 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-09-13 | vppinfra: add ARM Neoverse-N2 support | Damjan Marion | 3 | -94/+131
Type: improvement Change-Id: Ief77ae7338667ede290aece6933bb5ae2e76ffc6 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-09-13 | build: fix clang-16 build | Damjan Marion | 1 | -1/+3
Change-Id: I882bef6f45fd276587fb93944ff4e21dc57dbca2 Type: fix Fixes: 1c82cd4 Signed-off-by: Damjan Marion <damarion@cisco.com>