Age | Commit message (Collapse) | Author | Files | Lines |
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Id2884a4c2208b4382fce56019b11e4b7fdc4275b
Signed-off-by: Maciek Konstantynowicz <mkonstan@cisco.com>
|
|
Change-Id: I1ce5106d99dd4d4b1c033d4873b4511e9a170afc
Signed-off-by: John DeNisco <jdenisco@cisco.com>
|
|
Coverity has started whining about uint32_t missing in this .h
Change-Id: I57992121c0593d6a0ada35917802d0300cf91259
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Do fast-rate if we are not yet synchronized with the partner.
Stop sending LACP updates as a flash in the worker thread. Just expire the
timer and let the lacp_process handle sending LACP PDU.
Change-Id: I8b36fe74e752e7f45bd4a8d70512c0341cc197a1
Signed-off-by: Steven <sluong@cisco.com>
|
|
For the debug image, if the interface is removed and the trace was
collected prior to the interface delete, show trace may cause a crash.
This is because vnet_get_sw_interface_name and vnet_get_sup_hw_interface
are not safe if the interface is deleted.
The fix is to use format_vnet_sw_if_index_name if all we need is to
get the interface name in the trace to display. It would show "DELETED"
which is better than a crash.
Change-Id: I912402d3e71592ece9f49d36c8a6b7af97f3b69e
Signed-off-by: Steven <sluong@cisco.com>
|
|
xd->flags is set incorrectly when a slave link is down in bonded interface mode.
This can result in VPP crash when data traffic flows to the interface.
Change-Id: Ideb9f5231db1211e8452c52fde646d681310c951
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Minor bug fixes
CID 183000: double close
CID 180996: dead code
CID 180995: NULL deref
CID 181957: NULL deref
CID 182676: NULL deref
CID 182675: NULL deref
Change-Id: Id35e391c95fafb8cd771984ee8a1a6e597056d37
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Use sw_if_index[VLIB_TX] if set as fib index when doing the urpf check.
Change-Id: I5ec3e7f7a54c6782704d91e9a5614fd0f7f9e3de
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
only one counter update per frame (was updated per iteration)
only access ethertype for casts (was always accessing ethertype)
Change-Id: I3a3c3219ec63e975cf5bd8cf2d93103932a4aaa3
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: I373cc252df3621d44879b8eca70aed17d7752a2a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Causes subtle misbehavior elsewhere
Change-Id: I3a0ade26e8e03b8c5dc8e722f6a01fb99ec7a1e0
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I5695d51dd4f6daff472877fe1cce3ddcb924b187
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I7e808b5bcbb74343a4ed6782f115ed07e9bfe3a6
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
rename "enslave interface <slave> to <BondEthernetx>" to
"bond add <BondEthernetx> <slave>
"detach interface <slave>" to
"bond del <slave>"
Change-Id: I1bf8f017517b1f8a823127c7efedd3766e45cd5b
Signed-off-by: Steven <sluong@cisco.com>
|
|
Following TCP fixes from Florin (11430), this patch follows the same
approach to indicate a fib (not just using the default one).
Change-Id: Ib883aa0e9a1c6157acfea69c44426ba07d6c932a
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Change-Id: I09567c8ee9c92e91918840f80942a005069d9842
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Static mapping is not deleted from resolution vector after address is set on
interface.
Change-Id: Ib7c45ca2e307123d101248c5a1b17d130ac32cd0
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I2a879ee9d5065a14eb351eccd0350693eb1ff521
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I9a0105aa2373bd4db218851b1bbee50c6b6dfc7d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
worker (VPP-1213)
Change-Id: I8e0c7ed2ff462b9ab59c233f56be262ec03c29ff
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I33ba5a011100baf1c786f9a63a0cf3d2e1020493
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: I59b4142daab439d60a1ebd48b2c1366df0160288
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This address crash with gcc-7 observed when -o3 is used.
Change-Id: I10e87da8e5037ad480eba7fb0aaa9a657d3bf48d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- autosize the ACL plugin heap size based on the number of workers
- for manual heap size setting, use the proper types (uword),
and proper format/unformat functions (unformat_memory_size)
Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I4851b2245f81bcf3cf5f40909c4d158a51af7068
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
private header size allows to reserve firs X bytes of payload to be
considered as private metadata. For now we just support value 0
but adding this field to address future needs without changing protocol
version.
Change-Id: Id77336584c0194a303b20210aff584c7372cba01
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
coverity complains about statements in function A
function A
{
x % vec_len (y)
}
because vec_len (y) is a macro and may return 0 if the pointer y is null.
But coverity fails to realize the same statement vec_len (y) was already
invoked and checked in the caller of function A and punt if vec_len (y) is 0.
We can fix the coverity warning and shave off a few cpu cycles by caching
the result of vec_len (y) and pass it around to avoid calling vec_len (y)
again in multiple places.
Change-Id: I095166373abd3af3859646f860ee97c52f12fb50
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I0245263b212142858d3305b0f365d8342912dbb9
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: If3827828062a46f1cce43642535333f677f06e62
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Changes the source of the l3 offset to a more
proper one, same as I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d.
Change-Id: I5ff05d7d89507ecb378a2bd62f5b149189ca9e99
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: I007d48aeb934e5d2f087ca3b8ddc6f7a0e48d411
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ic83971d8d9d8d0bb90a35932e60761cd728457f3
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I47768ea50140222fec54e97cbaff2049bd3cb599
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: Ic07ea5b0a7addec7b0ccfbe0570f341056e6d55b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
until it is needed
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init
causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size
from the startup config.
Defer this registration until just before it is needed - i.e. when applying an ACL to
an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
How to use:
plugins
{
plugin default {disable}
plugin dpdk_plugin.so {enable}
plugin acl_plugin.so {enable}
}
It also preserves the old behavior.
Change-Id: I9901c56d82ec4410e69c917992b78052aa6a99e0
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: Ia2532695aa9199d2a7b684aebef43df0b8235531
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Change-Id: If168a9c54baaa516ecbe78de2141f11c17aa2f53
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Select the right segment manager for local sessions established via
global table.
Change-Id: I88ad4bf70d0cae160a0c744950098a954dfbc911
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I5a7fa3b1c247ad5611907db27835724dcd31f575
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I2b01f73c4b10a230310a65b6f35526818bf4f76d
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ia87d55cad1d466a4cc624f06abbc322cddb5608c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
If defined, Use MAKE_PARALLEL_JOBS as number of concurrent jobs for
build process instead of the internal calculation based on /proc/cpuinfo.
Change-Id: I18d1f526dc5c156c1cd9c9cf6dbbfd9cb8dbbad7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I1283960a9a49f6d70b9d7b7793cfb345c22ccdea
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
When a user session is allocated/reused, only increase
one of the session counters for that user if the counters
are below the per-user limit.
THis addresses a SEGV that arises after the following
sequence of events:
- an outside interface IP address is put in a pool
- a user exceeds the number of per-user translations by
an amount greater than the number of per-user translations
(nsessions + nstaticsessions > 100 + 100)
- the outside interface IP address is deleted and then added
again (observed when using DHCP client, likely happens if
address changed via CLI, API also)
- the user sends more packets that should be translated
When nsessions is > the per-user limit,
nat_session_alloc_or_recycle() reclaims the oldest existing
user session. When an outside address is deleted, the
corresponding user sessions are deleted. If the counters were
far above the per-user limit, the deletions wouldn't result
in the counters dropping back below the limit. So no session
could be reclaimed -> SEGV.
Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ifc9bb4ea39b504372a6a39bbf56c29761d0c6111
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- allow to optionally specify the specific MACIP ACL index:
'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of
interface(s) where it is applied.
Also, add some executions of this debug commands
to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a few dhcp client rx packet/state counters
Temporarily disable the dhcp client unit test, since it trips over the
newly-added hardware address check.
Change-Id: I7f68607e6ed3d738cba357c3fe76664a99b71cd8
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
The init-path for IPSEC_AH where the CTX gets initialized is broken
since the for-loop never executes due to the wrong usage of
tm->n_vlib_mains which being subtracted by 1.
Change-Id: I4d967f52cd3ca061aa60d824d65f446e06162403
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|