summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2022-03-08classify: add API to retrieve punt ACL tablesBenoît Ganne3-0/+55
Type: feature Change-Id: Ica3e60836c0f26518ba2c238a8c03ce3648ea69b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-08ipsec: input: drop by default for non-matching pktsZachary Leaf4-11/+214
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule. For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480 It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped. [1]: https://datatracker.ietf.org/doc/html/rfc4301 Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
2022-03-08ip: set fib_index before exiting input ACL nodeArthur de Kerhor1-40/+75
While setting an ACL, a user can specify the adjacency to follow after the input ACL node. Thus, we may skip a lookup and enter directly a local node (ex: ip4_local). To prevent the local source check from failing, we need to specify the fib index. And, we have to do it just before exiting the input ACL node because the l2_classify object is overlapping with the fib_index in the vnet_buffer_opaque_t struct. We could have added a padding to avoid this overlap but there is no place for that in the structure. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
2022-03-08crypto-ipsecmb: bump to ipsecmb v1.2Marcel Cornu2-1/+15
Type: feature This patch bumps ipsecmb library version from 1.1 to 1.2 Signed-off-by: Marcel Cornu <marcel.d.cornu@intel.com> Change-Id: I181e43c711fe530296c037d59b53fe3c5f2719ea
2022-03-07linux-cp: handle ipv4 routes when interface is disabledAlexander Chernavin1-2/+88
Type: improvement Currently, when an interface is brought down administratively, IPv4 routes that resolve through that interface remain in the FIB. However, the kernel removes those routes but doesn't send any notifications about that. Desynchronization between the kernel and VPP happens. With this change, when a notification received from the kernel indicating that an interface was brought down, in addition to bringing the VPP interface down, walk the IPv4 FIB bound to that interface and remove any entries that resolve through that interface and were added with one of the linux-cp FIB sources. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I0cd14bb63c9e6616ae1c5739b17c3bf33b186bc2
2022-03-07ip: Fixes for IPv6 and MPLS fragmentationNeale Ranns5-53/+191
Type: fix - IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer - IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places - IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local - IPv6oMPLS should send back TooBig ICMP6 for non locally generated Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
2022-03-04linux-cp: fix issue of possibly closing negative fdAlexander Chernavin1-5/+14
Type: fix Primarily fix an issue reported by Coverity in lcp_nl_open_sync_socket() that close() could possibly be run with negative fd. Also, add more checks and error logging there. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I9a88520d068392977a6eba0766451e5652fe512c
2022-03-04linux-cp: stop signaling read event on every notifAlexander Chernavin1-7/+9
Type: improvement Currently, read event signal is sent on every notification message received and added in the queue. With this change, signal read event only when all currently available notification messages are received. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib86d189311ce01f50167e4e97feb99df0292ad96
2022-03-04linux-cp: stop ignoring ENOBUFS while reading notifAlexander Chernavin1-9/+2
Type: improvement Currently, while reading notifications, ENOBUFS error is ignored and reading continues. This was done to minimize the number of notifications that are lost due to reopening the socket. Now that synchronization is implemented to recover from socket errors, ignoring ENOBUFS and reading as much notifications as possible is not actual. Before synchronization, all currently enqueued notification are discarded in any case. With this change, stop reading notifications if any error occurs. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I1184d9a3aa99df63ef59bc2a67be2b1e5e0e9329
2022-03-04api: harden api trace parsingBenoît Ganne1-23/+22
- make sure we do not overflow - skip unknown messages if we can Type: fix Change-Id: I0efbe7376d9d78f6b0ec8018c0813400e6653698 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-04ping: correct the fib-index used for the replyNeale Ranns2-29/+62
Type: fix if original packet was to the link local, then the fib index in the buffer is that of the LL table, we can't use that to foward the response if the new destination is global, so reset to the fib index of the link. In other case, the fib index we need has been written to the buffer already. Add a test for IPv6 ping in an MPLS-VPN where int inout interface is not the the same VRF as the response should be sent. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I18a232d90ddd3ef051a52476c5d861c87060e76f
2022-03-04ip: rate-limit the sending of ICMP error messagesNeale Ranns12-49/+107
Type: improvement For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages. The rate limiting is done based on src,dst IP address of the received packet. the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
2022-03-04linux-cp: ignore neighbors if ip addr is multicastAlexander Chernavin1-0/+17
Type: improvement When dump of neighbors is requested, the replies will also include neighbor entries for IPv6 multicast addresses: GigabitEthernet0/8/0 S ff02::16 33:33:00:00:00:16 GigabitEthernet0/8/0 S ff02::1:ff76:7135 33:33:ff:76:71:35 GigabitEthernet0/8/0 S ff02::2 33:33:00:00:00:02 Such entries are not reported in netlink notification messages and VPP is unlikely to use these. With this change, ignore neighbor entries when the IP address is a multicast address. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ic712aa4904f1d559f31fd89ff4541268e2340f84
2022-03-04ip: fix overflow in ip6_ext_header_walkBenoît Ganne1-1/+1
ip6_ext_hdr_chain_t->eh is IP6_EXT_HDR_MAX elements. Type: fix Change-Id: I28b8d610d8f5c0c520c8391c37b86e837655ab12 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-04pg: fixing the cliMohsin Kazmi1-2/+0
Type: fix This patch removes the assert and it is unnecessary. Because given variable is used for branch testing. Change-Id: I64f57f909fcba205216296e86c1cde2a5dadbb45 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2022-03-04pg: add support for ip mode through cliMohsin Kazmi1-2/+8
Type: improvement Change-Id: I5dda196ab8f1b634fcac46acd5c57a6dd726759c Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2022-03-04ipfix-export: fix the warning message for uninitialized variableMohsin Kazmi1-2/+2
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I2b8b6a3b5a6df71e84ce2f15ef7117f390121c2f
2022-03-04classify: skip l2 header in CLIArthur de Kerhor1-14/+50
Add the possibility to create masks and matches without l2 header in the CLI when creating tables and entries. This is useful for tables working on l3 and l4 only. Type: improvement Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: I7da9e47d810c0b4a0938e2cb3bc31aa69ace3649
2022-03-04mpls: Fix the fragmentation in mpls-output.Neale Ranns1-84/+80
Type: fix the MTU needs to be adjusted to account for the label stack, since the size of fragments produced is stack+mtu. these changes are to the use of the stack variable 'mtu' most of the patch results from appeasing checkstyle. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8d0e10cf52ca4dd8ecdc224ed6c54a13e4768fdd
2022-03-04tunnel: Fix the format of tunnel flagsNeale Ranns1-10/+17
Type: fix it only display the first flag set Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I45cddbac0d4eed8bda10bf5e0f7c9db0faf183c5
2022-03-03vnet: use system time for pcap traceBenoît Ganne1-0/+1
Use system wall-clock time for packets timestamps instead of the time since VPP started for pcap traces. Type: improvement Change-Id: I716165912efe8db3a8861d5c10597dc7629d2293 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-03vcl: validate vls_epoll_ctl inputsFlorin Coras1-2/+18
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I315ef0122ccb21ccfef117a58b1dc998127618ce
2022-03-03session: improve tx tracingFlorin Coras1-10/+10
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4fd7ae435514eb986543302c7e3e69e04acba8cf
2022-03-03linux-cp: detect and delete stale entries after syncAlexander Chernavin1-0/+95
Type: improvement During synchronization, only the current actual set of entries is loaded. If some entries are no longer present in the set being loaded but present in VPP, they should be removed to fully syncronize. With this change, add handlers for sync begin and end events. Begin handlers will mark the entries as stale. End handlers will remove the entries that are still marked as stale. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I4f7e872af3e1c9ffa6c63bcc3984ec76def1bb43
2022-03-03ipsec: remove ipsec vnet scriptRay Kinsella2-80/+14
An updated ipsec script was identical to the existing ipsec_tun_protect script. Remove the ipsec vnet script, and rename the ipsec_tun_protect to become the default ipsec vnet script. Type: fix Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: Ie05ca3e089b67a5b9499d83d4cb2adf1b6c6ffba
2022-03-03linux-cp: resync with kernel after nl socket errorAlexander Chernavin2-27/+503
Type: improvement Currently, if an error happens on the netlink notification socket, the socket gets reopened. A portion of notification messages have been lost because of this and will never arrive on the socket. VPP will be out of sync with the kernel networking state. With this change, synchronize VPP state and the kernel networking state if there was an error polling or reading the notification socket. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I8cdff89b505cd227535a0acaadb6ee757204c45e
2022-03-03ip: Path MTU DPO allocation function is publicNeale Ranns2-7/+23
Type: refactor check for pool expansion in the DPO allocation, just in case. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6ba7dd66313630d3f24a51700ab4486ba43d856b
2022-03-03linux-cp: make check of message ts null-tolerantAlexander Chernavin1-0/+3
Type: improvement For some message types, timestamps are checked on netlink message to decide whether the message should be applied. For notification messages timestamps are expected to be always available. With this change, before accessing the timestamp, make sure the message info object that carries it is not null. If it is null, pass the check. This is to be ready to process dump replies that will not need the timestamp check and will have the message info object set to null. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ic7211c0d451d72f6a5248898b3a8f8e0bca8f7aa
2022-03-03linux-cp: reflect hw link state on tap on pair creationAlexander Chernavin1-0/+14
Type: fix Currently, a tap interface created to be a member of a linux-cp pair has default link state (down) and default link speed (10Mb/s). Then the plugin monitors the link state of the paired hardware interface and if it changes, the new link state is reflected on the tap interface. And when the new link state is "up", the link speed is also reflected on the tap interface. The problem is that this scheme implies that the hardware interface's link state is "down" at the moment of the linux-cp pair creation and then changes. But there are cases when the link state is already "up" at that moment. If that is the case, the link speed on the tap interface will remain the default one until the link comes down and then comes up. With this fix, when a linux-cp pair is created, reflect current link state of the hardware interface being paired on the created tap interface. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I73664d753f4daaa6d439c9ca898fb7363d21c06d
2022-03-02linux-cp: lcp fib fixesVladimir Ratnikov1-5/+6
Some possible side effects for multicast routes appears to be in lcp_router_table_add_or_lock. so ff00/8 route will be processed for ospf purposes the right way Ignore IPv6 kernel routes Skip adding auto routes into FIB Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I35f73d629a7fffca7f7d4547adc2549b72c2048f
2022-03-02vcl: fix segment detach post api disconnectFlorin Coras2-9/+36
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0982f0f5c8186f9ed962db49a14f35aa19f6a276
2022-03-02wireguard: improve sending WG interface dump detailsJon Loeliger2-2/+11
Include the user_instance in wireguard interface details. In addition to dumping all wireguard interface details, also allow selective dumping of just one interface. Type: improvement Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: Iaf1093c6ae3eb00a685f34b2e0171285b02fae2b
2022-03-02tap: fix tun set mtuBenoît Ganne1-1/+1
Type: fix Fixes: 1cd0e5dd533f4209dde453eaa43215e52cd42985 Change-Id: I64318585fb3b12369b78735c681f3b747c67b53b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-02build: fix missing dependency for libraryGuillaume Solignac1-0/+4
When building a VPP library out of tree using add_vpp_library, the build sometimes fails because the library API files are not necessarily generated before compiling this library. This is fixed by adding the lib API files as dependencies of the lib compilation. Type: fix Signed-off-by: Guillaume Solignac <gsoligna@cisco.com> Change-Id: I69dffaecbfd547f10115504494a47358c4624258
2022-03-01hsa: add tps support for random closesFlorin Coras1-23/+94
Useful for stress testing. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0b1701682494a9fbf7deac311b4afd3036c50b56
2022-03-01virtio: refactor codeMohsin Kazmi19-355/+351
Type: refactor Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I3788cc857023fafcc8eb6d6ff4524425026a75d8
2022-03-01vat2: include src/vlibmemory/vlib.api messagesDave Wallace1-0/+3
- cli_inband is missing from vat2 Type: improvement Change-Id: I1f22dee3ee29f3cf0f1f7c6076d5f2b2b2bf969d Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-02-28tls: handle read write ssl errorsFlorin Coras3-3/+42
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5eed7dac4951f0510a4b4b092f66f44d0d3cacd
2022-02-28tls: Receive only when the app_session is availableSaravanan Murugesan1-0/+5
Type: fix Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com> Change-Id: Icfd5e3c0bb034684c7bc43be46927294536ba08a
2022-02-28tls: Handle transport disconnect during client HS failuresSaravanan Murugesan1-1/+2
Type: fix Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com> Change-Id: I5f7f4b925b3d250c5b8616d1fb35edbde50a7a23
2022-02-25misc: VPP 22.02 Release NotesAndrew Yourtchenko2-0/+658
type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I32291160f0d22a804929d0a040472ff952f02544 Signed-off-by: Maciek Konstantynowicz <mkonstan@cisco.com> (cherry picked from commit 7911f29c518c6b2a678e13874f7f16eba03dab75)
2022-02-24vapi: Missing include file in vlib.api.vapi.hDave Wallace1-17/+17
- A call to vapi_msg_control_ping_hton() is generated in a static inline function in vlib.api.vapi.h, which is defined/generated in memclnt.api.vapi.h without including memclnt.api.vapi.h in vlib.api.vapi.h. This breaks the compilation of plugins which include only vlib.api.vapi.h (e.g. hicn_plugin from the HICN project). Type: fix Fixes: a1400cecb Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I5574f4ed496183ea93265f493bf3624254a865a2
2022-02-24hsa: add support for vrfs in tpsFlorin Coras1-44/+98
The app keeps on using the default app ns but each listen will be done in the vrf configured. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0947e03188d55231b299916351115038e0b1f5da
2022-02-24hsa: fix tps data offset on connection reuseFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ibe92497cc5446ac5c734f8fe5c63c0167204dd09
2022-02-24session: fix session layer socket readFilip Tehlar2-3/+32
This fixes an issue caused by session layer reading expected part of data (cert + key) before the client actually sends it. Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I6ddddb08f9576211b302e814d7c2b040383e5fb7
2022-02-24tests: better reporting for unexpected packetsKlement Sekera3-22/+37
Raise a new UnexpectedPacketErrror, when a packet is captured unexpectedly. This pretty-prints a terse description of said packet. Type: improvement Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Ibac19fc5bbd82a150fec3c90940a37af6344fd4f
2022-02-23build: export missing header files required by hicn_pluginDave Wallace1-0/+2
- HICN project's hicn_plugin requires vnet header files fib/fib_entry_track.h and udp/udp_encap.h to be included in build-root/install-vpp*-*/vpp/include/vnet Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iabd3f8fe0aee8d727758fc6ef202e859d68d63a3
2022-02-23http hsa: use octet-stream content type for tpsFlorin Coras2-2/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I925618e426b325f4fafb9ed39a2d7c2d7c7b38f3
2022-02-23http: improvement reset and close handlingFlorin Coras2-13/+31
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I37ff8099c6c8044881379b4cd47ca8843746c315
2022-02-23http hsa: support multiple listeners for http tpsFlorin Coras4-32/+195
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie89326ed4e599231fc20de67c5dadbb428568bec