summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2023-02-27wireguard: fix potential leaks of async frameGabriel Oginski1-12/+12
The current implementation can cause memory leaks of async frames and exhaust the async frames pool. Wireguard can early get async frame, even when later it turns out it is not needed. Then such frame won't be freed. This fix changes the moment of acquiring async frame from the pool, so it doesn't leak. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: If7696de6a6f5db84e0dffef60caa31d4a5e6280e
2023-02-25tcp: fix error countersFilip Tehlar4-44/+43
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I9f4944f77ecf94f16f809392f28466e33f7f779d
2023-02-24hs-test: store logsMaros Ondrejicka3-2/+79
Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I50ad5d8c2e5066d8d24f7959aeb534a2f0a6fae0
2023-02-24hs-test: modify nginx testsMaros Ondrejicka1-2/+2
This will make name of the test unique so that executing specifically this test won't execute also other tests starting with same name. Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I8013aa453c2a1c3c156e6476a93fd58bbb850b93
2023-02-24hs-test: improve test infraFilip Tehlar7-40/+141
- add support for building/running debug/release images - have one point of control (Makefile) - list all test cases Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I97949abc2fff85d7a2b3784122be159aeec72b52
2023-02-23srtp: fix build on ubuntu-22.04Dave Wallace1-1/+1
- The version of libsrtp2 (2.4.2) on ubuntu-22.04 changed the 'ekt' field in srtp_policy_t to 'deprecated_ekt'. Type: fix Change-Id: Icb9d8f3b56c8305bcdac5066a5f8e3e5d17d37cf Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-02-22hs-test: fix install/build on new ubuntu instanceDave Wallace2-4/+4
Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I9c59d98d16e387925057626ba9080210f4334c53
2023-02-21hs-test: clean-up ip address generationMaros Ondrejicka4-84/+126
Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I74c505920d1363d0ff2b3213fd831c181b70a173
2023-02-20session: track app session closesFlorin Coras2-2/+9
Make sure applications, especially builtin ones, cannot close a session multiple times. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I960a1ae89a48eb359e7e1873a59d47c298c37ef1
2023-02-20vcl: ldp support for ip_pktinfoFlorin Coras4-87/+245
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3c15f38a4a3f5e92506059277948e7fca9cd8b55
2023-02-16vcl: fix incorrect ldp worker in ldp_epoll_pwait()Liangxing Wang1-1/+5
For some apps(e.g. wrk2) upon vpp hoststack, ldp_epoll_pwait() is called. In this function, epoll fd was created on one thread, but it is now used on another thread. The vcl worker index is still invalid, so the fetched ldp worker is also invalid and can corrupt some already allocated memory. Just as the ldp_epoll_pwait_eventfd(), make sure the vcl worker is valid before getting the ldp worker in ldp_epoll_pwait(). Type: fix Signed-off-by: Liangxing Wang <liangxing.wang@arm.com> Change-Id: I2ec23a4b5d5b0879a06642ffd80f95e948af4274
2023-02-16hs-test: check for missing output in nginx testsMaros Ondrejicka4-0/+22
Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I08cd492fff4b9d50a1761a29c2b231cc8544313b
2023-02-16wireguard: move buffer when insufficient pre_data leftAlexander Skorichenko1-14/+24
Currently wg-output-tun() doesn't check if a buffer has enough space for prepending an ethernet header (wg header over ipv6 vxlan header case leaves only 8 bytes free). In such a case move buffer's content. Type: fix Change-Id: Iad18860e6b86a3d81f3d96d782de7c59556152d0 Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
2023-02-16session: ignore zero length dgramsFlorin Coras1-1/+9
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I70596ffcf90fa4cd57092584cb7a454f44208943
2023-02-14hs-test: clean-up obsolete codeMaros Ondrejicka6-88/+17
Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I52cd825f903e41c35f6c4a9db71f00dbedbb8680
2023-02-14build: add missing dependences for centos 8Tianyu Li1-0/+1
VPP build failed on Centos stream 8 when build xdp-tool and dpdk mlx driver, Add the missing tools, libraries and headers. Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: Ie705dc8f558ceb872029f9ab4f1351b514c87405
2023-02-14tests: support tmp-dir on different filesystemDmitry Valter4-4/+6
Support running tests with `--tmp-dir` on a filesystem different from /tmp. os.rename withs only within a single FS whereas shutil.move works accross different filesystems. Type: improvement Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I5371f5d75386bd2b82a75b3e6c1f2c850bc62356
2023-02-14vpp-swan: removed adding the same rule in SPDGabriel Oginski1-0/+61
The current implementation of vpp-swan plugin adds the same policy rule in SPD twice, and it is not necessary to have two the same rules in inbound-protect database. This patch fixes an issue that prevents the addition of a second identical policy rule in SPD. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: Ieef74288e5301455658e4e101433147d6d2482e9
2023-02-13rdma: always use 64 byte CQEs for MLX5Nathan Brown1-5/+23
When DPDK MLX PMDs are built, and the DPDK plugin is loaded, DPDK may set the MLX5_CQE_SIZE environment variable to 128. This causes the RDMA plugin to be unable to create completion queues. Since the RDMA plugin expects the CQEs to be 64 bytes, set the cqe_size explicitly when creating the CQ. This avoids any issues with different values for the MLX5_CQE_SIZE environment variable. Type: improvement Signed-off-by: Nathan Brown <nathan.brown@arm.com> Change-Id: Idfd078d3045a4dcb674325ef36f85a89df6fbebc
2023-02-11misc: VPP 22.10.1 Release NotesDave Wallace2-0/+13
Type: docs Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I70374ea376c895d92d5789debf4b437113e3d884 (cherry picked from commit 57302fe52f141c19b5448997774271d2eedf5cb1)
2023-02-10misc: VPP 22.06.1 Release NotesDave Wallace3-1/+13
Type: docs Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I8770a35c801126ffd2de8f58d79e6616642709a9 (cherry picked from commit 1513b381d8879d9d437bbbc9a270b4ff5f4b19ba)
2023-02-10sr: support define src ipv6 per encap policyTakeru Hayasaka7-50/+506
Can to define src ip of outer IPv6 Hdr for each encap policy. Along with that, I decided to develop it as API version V2. This is useful in the SRv6 MUP case. For example, it will be possible to handle multiple UPF destinations. Type: feature Change-Id: I44ff7b54e8868619069621ab53e194e2c7a17435 Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
2023-02-10hs-test: refactor test cases from no-topo suiteMaros Ondrejicka19-649/+207
This converts remaining tests to configation of VPP from test context. Type: test Change-Id: I386714f6b290e03d1757c2a033a25fae0340f5d6 Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
2023-02-10hs-test: refactor test cases from ns suiteMaros Ondrejicka20-524/+333
This converts more tests to configure VPP from test context. Type: test Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: Idf26b0c16f87e87c97b198412af39b99d947ced6
2023-02-10tests: use existing pip compiled req file for building the run.py venvNaveen Joy1-18/+1
pip compiled requirements file named requirements-3.txt exists in the test directory. No need to auto-generate it again Type: improvement Change-Id: Ib2b51c983af8d0e4b000e4544012b6cd94405519 Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-10tests: use iperf3 for running interface tests on the hostNaveen Joy1-1/+20
Type: improvement Change-Id: I7123591932d51ce0c5b372893454945bbd3913b2 Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-09hs-test: configure VPP from test contextMaros Ondrejicka16-417/+891
Instead of configuring VPP instances running inside of a container, now the configuration is going to be done from within the test context by using binary API and shared volume that exposes api socket. This converts just some of the test cases, rest is to follow. Type: test Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: I87e4ab15de488f0eebb01ff514596265fc2a787f
2023-02-08session: accept lcl ip updates on cl sessionsFlorin Coras1-0/+2
Allow apps/vcl to provide updated local ips for dgrams. In particular, allow sessions bound to 0/0 to send data with valid local ips. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I50a086b1c252731a32a15b6a181ad3dba0c687e0
2023-02-08build: allow skipping external-depsMohammed Hawari2-0/+22
Change-Id: I0e5090ec6978af0dc4baecc7654918cf40663f42 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: feature
2023-02-08avf dpdk: fix incorrect handling of IPv6 src address in flowTing Xu2-3/+4
In current flow creating process in native avf and dpdk-plugins, when parsing the input arguments, it does not copy IPv6 src address correctly, so that IPv6 src address will not be configured in any flow rule, and any packet with the same address will not be matched. Type: fix Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: Ic957c57e3e1488b74e6281f4ed1df7fd491af35c
2023-02-08avf: fix incorrect flag for flow directorTing Xu1-2/+1
When parsing flow action type in avf, there is an incorrect flag for flow director, which makes flow director rule created unexpectedly. Type: fix Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: Id9fed5db8ccacd5cc6c2f4833183364d763188c1
2023-02-08avf: fix checksum offload configurationTing Xu2-3/+1
Fix some configurations of avf checksum offload to get the correct udp and tcp checksum. Change Tx checksum offload capability since avf supports ipv4, tcp and udp offload all. Remove the operation to swap bit of checksum. Type: fix Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: I55a916cc9ee6bef5b2074b5b6bb5f517fc2c178d
2023-02-08avf: fix bit calculation function fls_u32Ting Xu1-1/+1
In avf the function fls_u32 is used to calculate the power of 2. Fix the expression of this function. Type: fix Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: I27160de8588a5efb3f24306597a5a240deb3ab74
2023-02-08ip6-nd: support dump/details for IPv6 RAAlexander Chernavin6-98/+549
Type: improvement With this change, add support for dumping IPv6 Router Advertisements details on a per-interface basis (or all). Also, cover that with a test. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I89fa93439d33cc36252377f27187b18b3d30a1d4
2023-02-08ipsec: fix AES CBC IV generation (CVE-2022-46397)Benoît Ganne3-29/+65
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C). Chaining IVs like is done by ipsecmb and native backends for the VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable. Encrypt a counter as part of the message, making the (predictable) counter-generated IV unpredictable. Fixes: VPP-2037 Type: fix Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-07vcl: drop lock on segment attach failureFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3bc2c7986f492b7b7dfbc84e4893202354223790
2023-02-07vcl: add ldp implementation for recvmmsgFlorin Coras1-31/+39
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7322abc3d3b0aa81399667bf02b03786fc62c958
2023-02-07vcl: better handlig of ldp apis that rely on gnu sourceFlorin Coras6-91/+139
Control use of apis that rely on _GNU_SOURCE being defined with compile time macro. Also fixes sendmmsg and recvmmsg which were not probably wrapped. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I207de23210d4b9dc960bb4289159502760c5614d
2023-02-07packetforge: fix lack of edge for ipv6 after gtppscTing Xu1-0/+5
Add one new edge for ipv6 after gtppsc so that packetforge can parse this protocol combination. Type: fix Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: I1bae1ec617c4867de2e0b3de27eda77b89e5580c
2023-02-06hs-test: add nginx perf testsFilip Tehlar2-1/+74
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ic609cf70c1d381afa78f393700359434c8bd0452
2023-02-06vppinfra: refactor clib_socket_init, add linux netns supportDamjan Marion8-347/+494
Type: improvement Change-Id: Ida2d044bccf0bc8914b4fe7d383f827400fa6a52 Signed-off-by: Damjan Marion <dmarion@me.com>
2023-02-06ipsec: fix SA names consistency in testsArthur de Kerhor5-127/+127
In some IPsec tests, the SA called scapy_sa designs the SA that encrypts Scapy packets and decrypts them in VPP, and the one called vpp_sa the SA that encrypts VPP packets and decrypts them with Scapy. However, this pattern is not consistent across all tests. Some tests use the opposite logic. Others even mix both correlating scapy_tra_spi with vpp_tra_sa_id and vice-versa. Because of that, sometimes, the SA called vpp_sa_in is used as an outbound SA and vpp_sa_out as an inbound one. This patch forces all the tests to follow the same following logic: - scapy_sa is the SA used to encrypt Scapy packets and decrypt them in VPP. It matches the VPP inbound SA. - vpp_sa is the SA used to encrypt VPP packets and decrypt them in Scapy. It matches the VPP outbound SA. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: Iadccdccbf98e834add13b5f4ad87af57e2ea3c2a
2023-02-06ipsec: fix async crypto linked keys memory leakBenoît Ganne1-1/+6
Type: fix Change-Id: I7bd2696541c8b3824837e187de096fdde19b2c44 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-03session: fix out of bounds event memcpyFlorin Coras1-3/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5300653edd2dad470985f4591959d00cad2a43b
2023-02-03nat: fix accidental o2i deletion/reuseDmitry Valter2-2/+79
Nat session is allocated before the port allocation. During port allocation candidate address+port are set to o2i 6-tuple and tested against the flow hash. If insertion fails, the port is busy and rejected. When all N attempts are unsuccessful, "out-of-ports" error is recorded and the session is to be deleted. During session deletion o2i and i2o tuples are deleted from the flow hash. In case of "out-of-ports" i2o tuple is not valid, however o2i is and it refers to **some other** session that's known to be allocated. By backing match tuple up session should be invalidated well enough not to collide with any valid one. Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: Id30be6f26ecce7a5a63135fb971bb65ce318af82
2023-02-03vpp-swan: allow SAs to be used to the route-based IPsecAtzm Watanabe1-1/+17
This patch adds a "charon.plugins.kernel-vpp.use_tunnel_mode_sa" key into strongswan.conf. If this is turned off, SAs will be installed without tunnel information and can be used to "ipsec tunnel protect". For the route-based IPsec, it will be used with turning "policies" off in swanctl.conf. Type: feature Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I58fb94bfe56627fa7002d9b95c48930a32993d2d
2023-02-03vppapigen: fix incorrect comments in jsonOndrej Fabry2-1/+4
Type: fix Signed-off-by: Ondrej Fabry <ofabry@cisco.com> Change-Id: I241cefbbce98cf6fef83f36bd87ae2c1f4b067f0
2023-02-02tls: openssl: fix SSL_read partial read scenarioOfer Heifetz1-8/+10
When application performs SSL_read from the app rx-fifo, it can pre-allocate multiple segments, but there is an issue if the OpenSSL manages to partially fill in the first segment, in this case, since data is assumed to be copied over by OpenSSL to the pre-allocated segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs zero copy by passing the pre-allocated segment to SSL_read. If the decrypted data size is smaller than the pre-allocated fifo segment buffer size, application will fetch buffers including zero in the area not filled in by SSL_read. Type: fix Signed-off-by: Ofer Heifetz <oferh@marvell.com> Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38
2023-02-02linux-cp: fix auto-sub-intStanislav Zaikin2-1/+5
lcp_itf_pair_pool could grew during sub-interface creation. Type: fix Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com> Change-Id: Ideafe392f9bb2b418ce9d6faa4f08dfe26f4a273
2023-02-02ip: fix ip ACL tracesBenoît Ganne1-6/+9
If we match a next table, we must save its index in the trace instead of the index of the 1st table. Type: fix Change-Id: Idd862242e7fc200eb3ab29b17a26131b844af2c0 Signed-off-by: Benoît Ganne <bganne@cisco.com>