Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
Originally the decryption doesn't check the hmac for chacha20-poly1305.
This patch fixes the problem by adding flag to crypto op to check hmac.
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
|
|
Change-Id: Iedd1263a971e50aceb2d579982484dd8873814dc
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
(cherry picked from commit fc83f8cc67e65c734df3c47518f724c1617e1a5c)
|
|
Refactoring and cleaning up address allocation functions &
ip table update callbacks.
Type: refactor
Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Replace vec ops with pool ops when iterating over pool of
interfaces in plugin_disable() functions.
With this change plugin disabling function and interface role
disabling functions iterate over identical sets of registered
interfaces, preventing 'interface couldn't be found' errors.
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
|
|
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: fix
debian/compat contents were set to 10, but debhelper build dependency,
which is the same thing, was set to only 9. Both are not needed,
debian/compat being deprecated, so use only the latter.
At compat level 10, dh-systemd is integrated directly into debhelper, so
build dependency not needed (And in Debian Bullseye dh-systemd
transitional package is completely removed).
See: https://manpages.debian.org/testing/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS
Signed-off-by: Nick Brown <nickbroon@gmail.com>
Change-Id: I5809b739334076d7fa8389b076a97f1648726e6e
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idab0f455b52a38efd2cf3781497d8cc7f57bfa42
|
|
than 16-8-8-8
Type: feature
the memory trade-off is:
for 8-8-8-8 tries
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:8068 hash:3499
totals: mtrie:8068 hash:3499 all:11567
for 16-8-8
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:333056 hash:3499
totals: mtrie:333056 hash:3499 all:336555
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5271a4322d786de6e47613cff9bd432762dbed2a
|
|
Type: feature
The difference being the MTRIE type they contain.
THE FIB continues to use the 16-8-8 version.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
|
|
Type: improvement
there's a time-space trade-off between the 16-8-8 and 8-8-8-8 stride.
FIB continues to use the 16-8-8. Other features are now free to make the
choice.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6691a163486ce62e75e629f6ef0c990f253df8e5
|
|
Type: improvement
the existing mtrie functions use the existing 16_8_8 mtrie. Rename them
to make that explicit. Then we can add the 8_8_8_8 types and functions
alongside.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If5ce7a282d5d3742dc65bcd0523220235d9c510d
|
|
Type: fix
When freeing an uninstantiated bihash
created with dont_add_to_all_bihash_list = 1
we get a warning. This removes the
warning & the search for the bihash on
cleanup.
Change-Id: Iac50ce7e30b97925768f7ad3cb1d30af14686e21
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
|
|
When a packet goes through interface-output, whether it should be
captured or not will be evaluated twice: in interface-output and in
interface-output-template (<interface_name>-out) node.
interface-output should only capture packets if there is an interface
filter, otherwise it should defer evaluation to
interface-output-template.
Type: fix
Change-Id: Ia720c5d184a236335e1d7d44d8c04caf87af5630
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: refactor
as opposed to wrtiing out the mtrie steps one by one each time.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
|
|
Type: fix
There's no such thing as a conflict between the FIB and adj tables. This
is code that should have been removed way back in 16.04.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4524e7921b03b89106dd1f35aa1171d0945367cf
|
|
Even when periodic RAs are disabled VPP would respond to
router solicitations. Making it impossible to have an IPv6
enabled interface with hosts connected to it without VPP
acting as a default router.
This change drops RS messages if the radv_info->send_radv is
off.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I9a68f8e12c93c1c00125b54f8fd454f48fa22caa
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
|
|
l4 match parsing should not try to consume the whole input, otherwise
it breaks cli such as:
'classify session ... match l4 dst_port 22 action set-ip4-fib-id 2'
Type: fix
Change-Id: I81a1b5779811f7df8286a371f85fafe09c947b87
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
- restore fib paths support for ip4
- initialize payload_proto to the relevant default protocol so that
'via <dev>' paths are supported
- fix 'rx all'
- fix temp path vector mem leak
Type: fix
Change-Id: I564d88dc4dce86884ff6791af69974e6d70ff7ca
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Return unsupported error if user calls one
of the configuration functions that can
run only after nat44-ed plugin is
enabled via appropriate api/cli
call.
Type: fix
Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Fixes: 0ec7dad7a00852663eb88554561347987f87bb53
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I7fab80b3c7e86ac712a34c24ea3e526b0b5bb7ad
|
|
signs were changed here when calculating the offset:
d78ba5aa01ff1415bff0b06069ce21e0a78df89c
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
|
|
The vnet_crypto_key_add should only be called from the main thread.
This patch works around this limitation by allocating one key per worker
and updating it on the fly everytime we need to do a crypto operation.
This solution is far from ideal, but quicly has a strong assumption that
it can use a key immediately after determining it, so making the key
creation asynchronous is not a possibility.
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7
Type: fix
|
|
Should also fix coverity warning.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
|
|
We need to set rmt address before sending connect, otherwise VPP
would connect to 0.0.0.0:0 and return invalid remote ip.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I85ae6931c2ba9f2f77c9ab19a2f801f50745449c
|
|
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: Ic9c5b23be4bde88880972be35525f12fa2c6dc10
|
|
add ldp support for handling __recv_chk socket calls.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I33221c465ac607bc665fcba500dd399a56b32df6
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
|
|
We only support one vls worker per process and therefore should not
share lock between processes.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I57bb536cf3bf04e8de031b07cb885f80b4fa03c9
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If32dd21842b99e176db1d4eb9f6c6a51fbff1bfe
|
|
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I49c4183a443b7b39924328900e6a6ac2e09be426
|
|
Handle case where extra data is present in buffer which is not part of
IP/ICMP headers.
Type: fix
Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76
Change-Id: Icfef811470056d38c60fc45cc302139ed7594385
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
The ipsec startup.conf config currently exists in ipsec_tun.c. This is
because currently the only ipsec{...} options are tunnel related.
This patch moves the ipsec config to a common file (ipsec.c) for future
extensibility/addition of non-tunnel related config options.
Type: refactor
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: I1569dd7948334fd2cc28523ccc6791a22dea8d32
|
|
forwarding gre payload
This commit introduces 2 fixes:
1) After GRE decapsulation sw_if_index[VLIB_TX] is set as fib index of GRE tunnel.
But since GRE tunnel can work on v4 endpoints and have v6 payload, we need to reset it.
In case we get IPv6 packet inside IPv4 GRE tunnel (or vice-versa) fib index can be (and usually is) invalid.
2) Check that ip-table and ip6-table are the same when setting interface as an unnumbered one.
Also, fix for the pipe test include setting the right unnumbered interface for the pipes
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Id13d239cfdd21e0db6b1c9725f01c40d4af4d800
|
|
This patch fixes the dpdk cryptodev raw data path dequeue problem.
The fix involves DPDK QAT PMD changes and is to be upstreamed
as a patch. The patch is also sent to DPDK mailing list.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I1a9253c8a7fbc2aa43f19f90da45e64e2840356a
|
|
Type: improvement
Change-Id: Ic07010f11ef303f5213a33b0faf24aaedb62f110
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Otherwise, threads declared with .no_data_structure_clone=1 crash on
startup.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I5dcb25d1b61330fc9eee5427b815fcfcb9bf2153
|
|
add the cert/key pair as selected by app.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I3cef5bebadd8b192a65857d5f4aa6883c2a8d372
|
|
Type: fix
Change-Id: I0ce8183ded601bdab031c9689ca361414fed165f
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I90c2a191ab34a2a7df3fb0a951e5fc78f40ccfe2
|
|
1.Not only the session in state VCL_STATE_LISTEN_NO_MQ
has no queue. Session in CLOSED also didn't.
2.Refresh vls->wrk_index in child process, or this value will
become invalid if parent exit.
3.Set vlsh->vls_wrk_index once vls_worker_alloc() is called, then
vls_get_worker_index() can be simplified.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: If4f5e134915eafd74ce38f585d65ce8836b2e553
|
|
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I4974815ecb0e3bff01af983f086ca15d77fd6fb4
|
|
In high traffic scenarios, if app crashed or hang on somewhere, app_mq
will quickly accumulate to full, after which vpp worker will try 100
times before giving up allocating slot for every msg. This will cause
vpp main thread barrier sync to fail.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I2b2bf2b272c5b3ca7e4a56af179af12bbcde149d
|
|
App namespaces can now be associated to a linux ip netns, e.g.:
app ns add id <ns_id> secret <n> sw_if_index <n> netns <netns>
If session layer's app sock api is enabled, this triggers the creation
of an abstract listening socket in the netns that has been configured.
For the example above that would be @vpp/session/<ns_id>.
Consequently, vcl, or other apps attaching to vpp, can connect to said
abstract socket from an ip netns without the need to share unix domain
socket files. In particular, for vcl it's enough to set app-socket-api
to @vpp/session/<ns_id> in the conf file.
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I26fdc626a760a3f423c5b8be4251623f6e9cd73a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8e80252b85dda9a8f5699109264dc1b913581442
|
|
* Add clib_socket_init support for abstract sockets
if name starts with an '@'
* Add clib_socket_init_netns to open socket in netns
* Add clib_netns_open
Type: feature
Change-Id: I89637ad657c702ec38ddecb5c03a1673d0dfb104
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|