Age | Commit message | Author | Files | Lines
2021-08-13 | wireguard: add flag to check hmac for decryption | Gabriel Oginski | 1 | -0/+1
Type: fix Originally the decryption doesn't check the hmac for chacha20-poly1305. This patch fixes the problem by adding flag to crypto op to check hmac. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
2021-08-12 | misc: 21.06 Release Notes | Andrew Yourtchenko | 1 | -5/+1273
Change-Id: Iedd1263a971e50aceb2d579982484dd8873814dc Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> (cherry picked from commit fc83f8cc67e65c734df3c47518f724c1617e1a5c)
2021-08-12 | nat: NAT44ED configuration refactor | Filip Varga | 4 | -378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12 | nat: correct pool ops when disable nat44 plugin | Alexander Skorichenko | 1 | -10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-12 | session vcl: cert key add/del with socket api | Florin Coras | 6 | -10/+218
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
2021-08-12 | tls: add start_listen openssl API return value check | Ofer Heifetz | 1 | -4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-12 | build: consistent debhelper 10 support | Nick Brown | 3 | -4/+2
Type: fix debian/compat contents were set to 10, but debhelper build dependency, which is the same thing, was set to only 9. Both are not needed, debian/compat being deprecated, so use only the latter. At compat level 10, dh-systemd is integrated directly into debhelper, so build dependency not needed (And in Debian Bullseye dh-systemd transitional package is completely removed). See: https://manpages.debian.org/testing/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS Signed-off-by: Nick Brown <nickbroon@gmail.com> Change-Id: I5809b739334076d7fa8389b076a97f1648726e6e
2021-08-11 | svm: make more fifo segment header fields private | Florin Coras | 4 | -45/+28
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Idab0f455b52a38efd2cf3781497d8cc7f57bfa42
2021-08-11 | fib: Compile time option to use 8-8-8-8 stride tries for FIB rather than 16-8-8-8 | Neale Ranns | 3 | -0/+124
Type: feature
the memory trade-off is:
for 8-8-8-8 tries
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:8068 hash:3499
totals: mtrie:8068 hash:3499 all:11567
for 16-8-8
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:333056 hash:3499
totals: mtrie:333056 hash:3499 all:336555
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5271a4322d786de6e47613cff9bd432762dbed2a
2021-08-11 | fib: A 16-8-8 and a 8-8-8-8 versions of an ip4_fib_t | Neale Ranns | 14 | -423/+936
Type: feature The difference being the MTRIE type they contain. THE FIB continues to use the 16-8-8 version. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
2021-08-11 | ip: [re]introduce the 8-8-8-8 stride MTRIE | Neale Ranns | 3 | -64/+229
Type: improvement there's a time-space trade-off between the 16-8-8 and 8-8-8-8 stride. FIB continues to use the 16-8-8. Other features are now free to make the choice. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6691a163486ce62e75e629f6ef0c990f253df8e5
2021-08-11 | ip: Rename the ip4 mtrie function to be 16_8_8 specific | Neale Ranns | 4 | -218/+202
Type: improvement the existing mtrie functions use the existing 16_8_8 mtrie. Rename them to make that explicit. Then we can add the 8_8_8_8 types and functions alongside. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If5ce7a282d5d3742dc65bcd0523220235d9c510d
2021-08-10 | vppinfra: Fix bihash del warning | Nathan Skrzypczak | 2 | -0/+7
Type: fix When freeing an uninstantiated bihash created with dont_add_to_all_bihash_list = 1 we get a warning. This removes the warning & the search for the bihash on cleanup. Change-Id: Iac50ce7e30b97925768f7ad3cb1d30af14686e21 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-08-10 | tls: picotls optimize rx path | Florin Coras | 1 | -69/+113
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
2021-08-10 | tls: picotls optimize writes | Florin Coras | 2 | -113/+188
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
2021-08-10 | misc: do not capture tx packets twice | Benoît Ganne | 1 | -13/+30
When a packet goes through interface-output, whether it should be captured or not will be evaluated twice: in interface-output and in interface-output-template (<interface_name>-out) node. interface-output should only capture packets if there is an interface filter, otherwise it should defer evaluation to interface-output-template. Type: fix Change-Id: Ia720c5d184a236335e1d7d44d8c04caf87af5630 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-10 | ip: Use the IP4 lookup functions | Neale Ranns | 5 | -177/+84
Type: refactor as opposed to writing out the mtrie steps one by one each time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
2021-08-10 | ip: Remove the 'test lookup' CLI command | Neale Ranns | 1 | -97/+0
Type: fix There's no such thing as a conflict between the FIB and adj tables. This is code that should have been removed way back in 16.04. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4524e7921b03b89106dd1f35aa1171d0945367cf
2021-08-09 | ip6-nd: only respond to RS if sending RA is enabled | Ole Troan | 2 | -2/+21
Even when periodic RAs are disabled VPP would respond to router solicitations. Making it impossible to have an IPv6 enabled interface with hosts connected to it without VPP acting as a default router. This change drops RS messages if the radv_info->send_radv is off. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9a68f8e12c93c1c00125b54f8fd454f48fa22caa Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-06 | tls: avoid picotls buffer allocs on rx | Florin Coras | 2 | -3/+9
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
2021-08-06 | tls: avoid ptls ctx free on transport close | Florin Coras | 1 | -2/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
2021-08-05 | classify: fix parsing for l4 match | Benoît Ganne | 1 | -1/+1
l4 match parsing should not try to consume the whole input, otherwise it breaks cli such as: 'classify session ... match l4 dst_port 22 action set-ip4-fib-id 2' Type: fix Change-Id: I81a1b5779811f7df8286a371f85fafe09c947b87 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-05 | ip: fix ip punt redirect cli | Benoît Ganne | 2 | -13/+12
- restore fib paths support for ip4
- initialize payload_proto to the relevant default protocol so that 'via <dev>' paths are supported
- fix 'rx all'
- fix temp path vector mem leak
Type: fix
Change-Id: I564d88dc4dce86884ff6791af69974e6d70ff7ca
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-05 | nat: nat44-ed disable protection for api/cli | Filip Varga | 4 | -60/+67
Return unsupported error if user calls one of the configuration functions that can run only after nat44-ed plugin is enabled via appropriate api/cli call. Type: fix Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-04 | vppinfra: fix the array mask function | Mohsin Kazmi | 2 | -2/+20
Type: fix Fixes: 0ec7dad7a00852663eb88554561347987f87bb53 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I7fab80b3c7e86ac712a34c24ea3e526b0b5bb7ad
2021-08-04 | memif: fix offset | Artem Glazychev | 1 | -1/+1
signs were changed here when calculating the offset: d78ba5aa01ff1415bff0b06069ce21e0a78df89c Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
2021-08-03 | quic: do not update crypto keys from workers | Aloys Augustin | 3 | -20/+59
The vnet_crypto_key_add should only be called from the main thread. This patch works around this limitation by allocating one key per worker and updating it on the fly every time we need to do a crypto operation. This solution is far from ideal, but quicly has a strong assumption that it can use a key immediately after determining it, so making the key creation asynchronous is not a possibility. Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7 Type: fix
2021-08-03 | tls: picotls handle accept failures | Florin Coras | 1 | -3/+15
Should also fix coverity warning. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
2021-08-02 | vcl: fix sendto for dgrams | liuyacan | 1 | -4/+4
We need to set rmt address before sending connect, otherwise VPP would connect to 0.0.0.0:0 and return invalid remote ip. Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I85ae6931c2ba9f2f77c9ab19a2f801f50745449c
2021-08-02 | vcl: fix sleep time in ldp_pselect() | liuyacan | 1 | -1/+2
Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: Ic9c5b23be4bde88880972be35525f12fa2c6dc10
2021-07-31 | vcl: fix ldp for __recv_chk socket calls | Sivaprasad Tummala | 2 | -0/+17
add ldp support for handling __recv_chk socket calls. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I33221c465ac607bc665fcba500dd399a56b32df6
2021-07-30 | tls: picotls rx fixes and improvements | Florin Coras | 2 | -149/+126
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
2021-07-29 | vcl: move vls pool lock to process local state | Florin Coras | 1 | -6/+7
We only support one vls worker per process and therefore should not share lock between processes. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I57bb536cf3bf04e8de031b07cb885f80b4fa03c9
2021-07-29 | vcl: vls cleanup and more docs | Florin Coras | 1 | -101/+167
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If32dd21842b99e176db1d4eb9f6c6a51fbff1bfe
2021-07-29 | ip: add api test file | Filip Tehlar | 3 | -0/+1541
Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I49c4183a443b7b39924328900e6a6ac2e09be426
2021-07-29 | nat: fix ICMP checksum validation | Klement Sekera | 2 | -9/+53
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-29 | ipsec: move startup config to common file | Zachary Leaf | 3 | -51/+55
The ipsec startup.conf config currently exists in ipsec_tun.c. This is because currently the only ipsec{...} options are tunnel related. This patch moves the ipsec config to a common file (ipsec.c) for future extensibility/addition of non-tunnel related config options. Type: refactor Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: I1569dd7948334fd2cc28523ccc6791a22dea8d32
2021-07-28 | gre: set proper fib index for unnumbered interfaces, unset fib index before forwarding gre payload | Stanislav Zaikin | 6 | -14/+76
This commit introduces 2 fixes:
1) After GRE decapsulation sw_if_index[VLIB_TX] is set as fib index of GRE tunnel. But since GRE tunnel can work on v4 endpoints and have v6 payload, we need to reset it. In case we get IPv6 packet inside IPv4 GRE tunnel (or vice-versa) fib index can be (and usually is) invalid.
2) Check that ip-table and ip6-table are the same when setting interface as an unnumbered one.
Also, fix for the pipe test include setting the right unnumbered interface for the pipes
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Id13d239cfdd21e0db6b1c9725f01c40d4af4d800
2021-07-28 | dpdk: fix cryptodev raw data path dequeue | Fan Zhang | 1 | -0/+40
This patch fixes the dpdk cryptodev raw data path dequeue problem. The fix involves DPDK QAT PMD changes and is to be upstreamed as a patch. The patch is also sent to DPDK mailing list. Type: fix Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I1a9253c8a7fbc2aa43f19f90da45e64e2840356a
2021-07-27 | vppinfra: introduce CLIB_CACHE_PREFETCH_BYTES | Damjan Marion | 3 | -70/+56
Type: improvement Change-Id: Ic07010f11ef303f5213a33b0faf24aaedb62f110 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-07-27 | vlib: don't ASSERT(vm) in worker thread bootstrap | Dave Barach | 1 | -2/+4
Otherwise, threads declared with .no_data_structure_clone=1 crash on startup. Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I5dcb25d1b61330fc9eee5427b815fcfcb9bf2153
2021-07-27 | vcl: configure the cert-key pair from app | Sivaprasad Tummala | 1 | -4/+4
add the cert/key pair as selected by app. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I3cef5bebadd8b192a65857d5f4aa6883c2a8d372
2021-07-27 | vppinfra: fix sock init netns | Nathan Skrzypczak | 1 | -1/+5
Type: fix Change-Id: I0ce8183ded601bdab031c9689ca361414fed165f Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-07-27 | udp: add option to disable icmp unreachables | Florin Coras | 3 | -82/+49
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I90c2a191ab34a2a7df3fb0a951e5fc78f40ccfe2
2021-07-27 | vcl: fix some risk after fork() | liuyacan | 1 | -9/+17
1. Not only the session in state VCL_STATE_LISTEN_NO_MQ has no queue. Session in CLOSED also didn't.
2. Refresh vls->wrk_index in child process, or this value will become invalid if parent exit.
3. Set vlsh->vls_wrk_index once vls_worker_alloc() is called, then vls_get_worker_index() can be simplified.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: If4f5e134915eafd74ce38f585d65ce8836b2e553
2021-07-25 | vcl: fix shutdown deadlock issue | liuyacan | 1 | -1/+1
Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I4974815ecb0e3bff01af983f086ca15d77fd6fb4
2021-07-24 | session: avoid vpp deadlock due to app crash | liuyacan | 1 | -0/+6
In high traffic scenarios, if app crashed or hang on somewhere, app_mq will quickly accumulate to full, after which vpp worker will try 100 times before giving up allocating slot for every msg. This will cause vpp main thread barrier sync to fail. Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I2b2bf2b272c5b3ca7e4a56af179af12bbcde149d
2021-07-23 | session vcl: support abstract sockets for app ns | Florin Coras | 4 | -16/+132
App namespaces can now be associated to a linux ip netns, e.g.:
app ns add id <ns_id> secret <n> sw_if_index <n> netns <netns>
If session layer's app sock api is enabled, this triggers the creation of an abstract listening socket in the netns that has been configured. For the example above that would be @vpp/session/<ns_id>. Consequently, vcl, or other apps attaching to vpp, can connect to said abstract socket from an ip netns without the need to share unix domain socket files. In particular, for vcl it's enough to set app-socket-api to @vpp/session/<ns_id> in the conf file.
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I26fdc626a760a3f423c5b8be4251623f6e9cd73a
2021-07-22 | session vcl: explicit mq indices in ctrl messages | Florin Coras | 5 | -18/+21
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I8e80252b85dda9a8f5699109264dc1b913581442
2021-07-22 | vppinfra: add abstract socket & netns fns | Nathan Skrzypczak | 7 | -58/+164
* Add clib_socket_init support for abstract sockets if name starts with an '@'
* Add clib_socket_init_netns to open socket in netns
* Add clib_netns_open
Type: feature
Change-Id: I89637ad657c702ec38ddecb5c03a1673d0dfb104
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>