summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2021-06-29ipsec: Fix setting the hi-sequence number for decryptNeale Ranns9-327/+1245
Type: fix two problems; 1 - just because anti-reply is not enabled doesn't mean the high sequence number should not be used. - fix, there needs to be some means to detect a wrapped packet, so we use a window size of 2^30. 2 - The SA object was used as a scratch pad for the high-sequence number used during decryption. That means that once the batch has been processed the high-sequence number used is lost. This means it is not possible to distinguish this case: if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl)) { ... if (post_decrypt) { if (hi_seq_used == sa->seq_hi) /* the high sequence number used to succesfully decrypt this * packet is the same as the last-sequnence number of the SA. * that means this packet did not cause a wrap. * this packet is thus out of window and should be dropped */ return 1; else /* The packet decrypted with a different high sequence number * to the SA, that means it is the wrap packet and should be * accepted */ return 0; } - fix: don't use the SA as a scratch pad, use the 'packet_data' - the same place that is used as the scratch pad for the low sequence number. other consequences: - An SA doesn't have seq and last_seq, it has only seq; the sequence numnber of the last packet tx'd or rx'd. - there's 64bits of space available on the SA's first cache line. move the AES CTR mode IV there. - test the ESN/AR combinations to catch the bugs this fixes. This doubles the amount of tests, but without AR on they only run for 2 seconds. In the AR tests, the time taken to wait for packets that won't arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of these tests from 10-15 to about 5 sceonds. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
2021-06-29tcp: add ACK flag to RST packetliuyacan1-1/+1
According to RFC 793, the ACK control bit is always sent once the connection is established. Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: Id0fe19114a0cc468dbce4c0938b345c2ac339e73
2021-06-29vcl: improvements to epoll ltFlorin Coras3-52/+85
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If585b9c48f67599c56a8c4b4a5139375bc4287f6
2021-06-29ipsec: increment SPD policy counters for bypass and discard actions in ↵Zachary Leaf1-0/+20
ipsec4_input_node ipsec_spd_policy_counters are incremented only for matched inbound PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have SPD policy counters that should be incremented on match. This fix increments the counters for inbound BYPASS and DISCARD actions. Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
2021-06-29vcl: Don't use app_socket_api to notify VPP in parent when child exitedwanghanlin1-1/+5
Type: fix Signed-off-by: wanghanlin <wanghanlin@corp.netease.com> Change-Id: Icd2fc3cc2d0a0a6060abfb262044cf9e09ab4ba2
2021-06-29vcl: Don't memset events to optimize CPU usagewanghanlin1-8/+6
In stress test case, memset may consume a lot of CPU because vls_epoll_wait is called very frequently. Type: improvement Signed-off-by: wanghanlin <wanghanlin@corp.netease.com> Change-Id: I9b4e1d6e1c4d7217cf0b2529d8efed792dea7b40
2021-06-28vcl: epoll fix postponed evt handlingFlorin Coras1-6/+33
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3d208f8ef4638e7557929f4b2bca4d640af85baa
2021-06-28ipsec: Split the SA add_del API into an separate add and delNeale Ranns3-56/+100
Type: improvement the rationale being that the del only requires the SA's ID, so it's a bit mean to require the client to fill out all the other information as well. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
2021-06-28ipsec: Enable the extended Sequence Number IPSec tests for GCMNeale Ranns1-2/+72
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie691b1c8841f5e195525bfff990f12ab918ba394
2021-06-26vrrp: prevent segfault in multicast join due to missing LL AddrJon Loeliger1-2/+5
If an IPv6 Link Layer Address is missing from an interface, treat it as a down interface. While this fails to send a VRRP multicast group join, it also prevents a seg fault. Type: fix Fixes: 39e9428b90bc74d1bb15fc17759c8ef6ad712418 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: Iebf69bb30604a96de6587655eb872aa818158a56
2021-06-25stats: reverts part of a fix on Python clientArthur de Kerhor1-12/+4
Puts return statements back inside code blocks under the lock Type: fix Change-Id: I76d426f336200035026b92bcb0ffe2b472a3142d Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2021-06-25stats: revert "add a retry mechanism in a symlink test"Beno�t Ganne1-15/+1
This reverts commit d70777aa60a87001f323f3b226d7e5cee2cd23d8. Reason for revert: wrong fix Type: fix Change-Id: Ibff1b977eae8d2cc85888165ebf83c42eb661698 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-25stats: fix race conditions in vpp-api stats clientArthur de Kerhor1-4/+12
Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Ie5c197f6ec0d41d5e405b22662701d83ad94d29e
2021-06-24session: fix session formated str output truncated in cliXiaoming Jiang2-12/+16
Type: fix Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com> Change-Id: I2c2b739a5aa246bbf53d6663efd403c3aee9dddd
2021-06-24linux-cp: stop managing adjacencies for tunnelsAlexander Chernavin1-0/+12
Type: fix Outbound packets which arrive on tun/L3 interfaces use a default adjacency for the interface & address family from the corresponding interface pair. However, there are entries in the linux-cp adj table that are created for them. Managing these entries might cause a segfault because the rewrite data might exceed the reserved space for it of 28 bytes in the linux-cp adj key (e.g. in case of GRE IPv6). With this change, stop creating adjacencies for tun/L3 interfaces in the linux-cp adj table and delegating them. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I4bcd685860053ab87c65064c182e3ed53fd4fae9
2021-06-24svm: fix asan check failed @svm_map_region on armTianyu Li1-4/+3
==283032==AddressSanitizer CHECK failed: compiler-rt/lib/asan/asan_mapping.h:366 "((AddrIsInMem(p))) != (0)" (0x0, 0x0) #0 0x49c128 in __asan::AsanCheckFailed #1 0x4ae8dc in __sanitizer::CheckFailed #2 0x495dec in __asan::ShadowSegmentEndpoint::ShadowSegmentEndpoint #3 0x495e48 in __asan_unpoison_memory_region #4 0xfffff4e851f8 in svm_map_region /home/vpp/src/svm/svm.c:611:7 #5 0xfffff4e86d9c in svm_region_init_internal /home/vpp/src/svm/svm.c:797:8 #6 0xfffff4e87ce4 in svm_region_init_args /home/vpp/src/svm/svm.c:880:3 #7 0xfffff7f30d30 in vlibmemory_init /home/vpp/src/vlibmemory/memory_api.c:974:3 #8 0xfffff4fd5368 in vlib_main /home/vpp/src/vlib/main.c:1986:16 svm_global_region_base_va 0x200000000000 is not in the aarch64 mapping range, leading check failure and vpp cannot start. aarch64 asan mapping || `[0x201000000000, 0xffffffffffff]` || HighMem || || `[0x041200000000, 0x200fffffffff]` || HighShadow || || `[0x001200000000, 0x0411ffffffff]` || ShadowGap || || `[0x001000000000, 0x0011ffffffff]` || LowShadow || || `[0x000000000000, 0x000fffffffff]` || LowMem || x86 asan mapping || `[0x10007fff8000, 0x7fffffffffff]` || HighMem || || `[0x02008fff7000, 0x10007fff7fff]` || HighShadow || || `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap || || `[0x00007fff8000, 0x00008fff6fff]` || LowShadow || || `[0x000000000000, 0x00007fff7fff]` || LowMem || Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I55ddbdcd361d66d4cfaf6459b2fa20fd8b64af37
2021-06-24vcl: fix vcl_session_write_ready when connectingliuyacan1-0/+4
Applications like curl will poll the fd after a non-blocking connect, so we need to avoid returning the wrong event. Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I7ea146fc954fda631b3d88b46bb80adfbcdf137c
2021-06-24l2: api cleanupFilip Tehlar5-1748/+25
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I7b84767e75d5f8310ec071036a5780fa4530f79f
2021-06-24linux-cp: add callbacks for pair managementMatthew Smith2-15/+41
Type: improvement Allow callbacks to be registered which will be called when an interface pair is added or deleted. Change-Id: I1c413ac2ada802021f9e56e2f878ce67e5eda2f5 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-06-23virtio: api cleanupFilip Tehlar4-363/+13
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I4f9316b16f16a48e2042aa17db596bfd181bd314
2021-06-23mss_clamp: iterate enabled direction as a vector, not poolJon Loeliger1-2/+2
Type: fix Fixes: bf55e9931ce203049385fbf55dde291ead556679 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I5410a7a5a8cdc1d41abcc42fe5b42e6e2991dc06
2021-06-23nat: ICMP handling fixesKlement Sekera4-24/+110
If ICMP comes from a router on path, source address must not be rewritten in o2i path to avoid getting wrong checksum. Fix ICMP checksum computations. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708
2021-06-23mpls: api cleanupFilip Tehlar4-688/+10
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I148022278a792b3687402b6915fe6fb513858a2a
2021-06-23span: api cleanupFilip Tehlar4-226/+16
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I7ec4bbb21a079c6f6adfb4f954054b2b07bf19c5
2021-06-22syslog: api cleanupFilip Tehlar3-47/+8
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0971f12b7b82d5134d06ed0539d41624429c992b
2021-06-22tcp: api cleanupFilip Tehlar4-93/+9
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I3c06e9cb3fabdcdce9c17e93cfedfd771295f589
2021-06-22session: avoid reordering unlisten and connect msgFlorin Coras1-6/+33
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
2021-06-22virtio: api cleanupFilip Tehlar3-606/+22
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I047310b8c9fcc51dcfb187710ff59b7895abe217
2021-06-22misc: punt: api cleanupFilip Tehlar4-93/+9
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I13dae61ddb7150c7fe9a7fd0eae73055ff3f2816
2021-06-22dpdk: enable igc devicesMatthew Smith2-27/+29
Type: improvement Set port type and supported flow actions on 2.5G Intel NICs which are managed by the igc PMD. Change-Id: Id144eaa158e24a3f10effb6b517d1c62fba0d2e8 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-06-22devices: af_packet api cleanupFilip Tehlar3-229/+8
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ic7979755494a2fd23b9fa3d74e14f6b9ea0a46d0
2021-06-22qos: api cleanupFilip Tehlar3-108/+11
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I39505763371c98b75ff7b697dacd3eeb0d41d40a
2021-06-22api: asan: use vec_set_len() so ASan can keep track of buffer lenBenoît Ganne1-6/+6
ASan poison/unpoison vectors based on the vector length, but _vec_len() bypass ASan annotations, contrary to vec_set_len(). Type: fix Change-Id: I5265a5adcddef1aa11c77e0c3827346b1a66c306 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-22vcl: validate vep handle when copying sessions on forkwanghanlin1-0/+31
When copying sessions from parent on fork, we should validate vep handle in order to EPOLL_CTL_DEL in vcl_session_cleanup correctly when child exit. Type: fix Signed-off-by: wanghanlin <wanghanlin@corp.netease.com> Change-Id: I7696ecd898460c9a296d2800e46c7140e2218ed7
2021-06-22vcl: move child wrk cleanup from sighandler to vls_epoll_waitwanghanlin1-1/+42
Main process may enter sighandler with a lock, such as lock in localtime or in mspace_free, and child wrk cleanup may try to get such locks and cause deadlock. The patch move cleanup to vls_epoll_wait to wait app's next call. Type: fix Signed-off-by: wanghanlin <wanghanlin@corp.netease.com> Change-Id: I9b208038a0f49b0ace44684189234aeac9d94730
2021-06-22devices: tapv2 api cleanupFilip Tehlar3-453/+12
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0a2c1cbbe798ddf9d08da78bf0b458a0f54fa13a
2021-06-22sr: api cleanupFilip Tehlar4-245/+12
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0bdf870e2e9b0ebc11a3ce252fbd0667a83de4e6
2021-06-22devices: api cleanupFilip Tehlar2-53/+8
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I03f51393a92bae45608d9fc9f53164f3b0add3cd
2021-06-22bonding: api cleanupFilip Tehlar3-714/+16
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I1de45c4db57444d2d2c9fb91b8a66a4f01be699b
2021-06-22nat: don't drop packet with ttl=1 if output featureKlement Sekera2-2/+28
TTL was already decremented in ip4-rewrite so it's okay if it's 1. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
2021-06-22ipsec: api cleanupFilip Tehlar4-527/+19
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0db7343e907524af5adb2f4771b45712927d5833
2021-06-22ethernet: api cleanupFilip Tehlar4-163/+8
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Iacaefbf04834f000a14f151c4b848f280ac46d63
2021-06-22policer: api cleanupFilip Tehlar4-539/+9
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I5dd30870443a22a7da65f6b5a6d3967991e2aceb
2021-06-22bfd: api cleanupFilip Tehlar3-63/+11
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I7a0a189ce635a4a74e63ac4cb133686b8b7ba53a
2021-06-22stats: add a retry mechanism in a symlink testArthur de Kerhor1-1/+15
When creating a new node, a corresponding node symlink is created when the nodes counters update. To be sure we are able to access this symlink, a retry mechanism was added. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: Ieb08d8554b4fd13d01e79062b5f820b235be9a13
2021-06-22build: vpp-ext-deps rpm version check may fail if system language is not Englishjiangxiaoming1-1/+1
Type: fix Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com> Change-Id: Ib691d8f66b0d6047d23a0bdc4f3d15e6380f31eb
2021-06-21vlib: fix coverity warningDave Barach1-0/+3
Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ib563e2c09d46cc26fb983ffde3d5fcb88166f6a5
2021-06-21vppinfra: asan: fix overflow supportBenoît Ganne3-14/+89
In some part of VPP we are accessing memory past what was allocated for efficiency when we know it is safe to do so. We need to tell ASan about it so it does not complain. The initial attempt was too simple and could not manage cases where the poisoned memory was scattered. This new attempt is more robust as we save and restore the full shadow state. Note it will still not work properly if we poison/unpoison memory while in an overflow context, but this should not be a big issue as overflow should only be temporary. Type: fix Change-Id: I636f44eb59aa8455a4d13929a3791b56619af7b4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-21udp: api cleanupFilip Tehlar3-48/+9
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0994241df94ad7536be323b9d7c48caf38cc4267
2021-06-21feature: api cleanupFilip Tehlar3-114/+6
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I76be91715953c7cbe704961d1a56c48334656e19