summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith2-0/+67
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-19acl: add API call for setting the toggle to select between linear and ↵Andrew Yourtchenko3-1/+148
bihash-based lookups In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup may be more efficient than the hash-based lookup. Expose the API to allow the control plane to choose what lookup algorithm to use. Type: improvement Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-18vhost: interrupt mode support with mqSteven Luong3-138/+209
vhost interrupt mode support with mq does not work when coalesce frame is not configured to 0. When packed-ring is configured, we were also setting the wrong flag for want-interrupt. No need to trigger an interrupt to RX infra if there is at least one queue in the same thread that is doing polling. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I8e64250f2aa6bf611a777a53e4d2c1076d83305f
2021-08-18vat2: add shared memory argumentOle Troan5-99/+226
Add prefix argument to specifiy shared memory segment. Add long arguments. Add argument to dump apis. Add help. Add template argument E.g: vat2 --template sw_interface_add_del_address { "_msgname": "sw_interface_add_del_address", "sw_if_index": 0, "is_add": false, "del_all": false, "prefix": "0.0.0.0" } Usage: vat2 [OPTION] <message-name> <JSON object> Send API message to VPP and print reply -d, --debug Print additional information -p, --prefix Specify shared memory prefix to connect to a given VPP instance -f, --file File containing a JSON object with the arguments for the message to send --dump-apis List all APIs available from connected VPP instance Type: improvement Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I2d32483a727bc16990c9a30dfa9bc1fa7b1fa85a Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin4-69/+94
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-17docs: fix missing dependency on pip-tools for docs-venvDave Wallace1-0/+2
Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iadb72fd0cb434a7ca2f6cbda7d78209f0746f0c6
2021-08-17ip: reassembly cleanupKlement Sekera4-246/+139
Remove unused parameters and fix warnings. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2d0e7b84b56817999283ecb6be606159dcb26a28
2021-08-17build: install ethernet/ethernet_types_api.hMohammed Hawari1-0/+1
ip/ip_types_api.h is already installed by the build system Change-Id: Iec43e0ad50e32473d93ea8f7281b5a6477ddc87f Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: improvement
2021-08-17build: remove dh-systemd from dependenciesAndrew Yourtchenko1-1/+0
b8e7a45d56be9f3e11b07b82fd899160e2af1bf1 has removed dh-systemd from the DEB_DEPENDS, however this causes the make pkg-deb to fail on a clean lxd or docker install of debian10 as follows: dpkg-buildpackage: info: source package vpp dpkg-buildpackage: info: source version 21.10-rc0~252-g76b19ceaf dpkg-buildpackage: info: source distribution unstable dpkg-buildpackage: info: source changed by fd.io VPP <vpp-dev@fd.io> dpkg-buildpackage: info: host architecture amd64 dpkg-source --before-build . dpkg-checkbuilddeps: error: Unmet build dependencies: dh-systemd dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting dpkg-buildpackage: warning: (Use -d flag to override.) FAILED: CMakeFiles/pkg/CMakeFiles/pkg-deb cd /root/t/t/vpp/build-root/build-vpp-native/vpp/CMakeFiles && dpkg-buildpackage -us -uc -b ninja: build stopped: subcommand failed. make[1]: *** [/root/t/t/vpp/build-data/packages/vpp.mk:46: vpp-package-deb] Error 1 Thanks to Nick Brown for the help! Type: fix Fixes: b8e7a45d56be9f3e11b07b82fd899160e2af1bf1 Change-Id: I08b3a1efcdf6e6096b4ab28263764c1d66be43ef Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-16dpdk: patch i40e PMD to disable source pruningMatthew Smith1-0/+43
Type: improvement X710/XL710 devices have source pruning enabled by default and DPDK provides no option to disable it. This prevents VRRP from working properly. Disable source pruning while setting up the main VSI. Change-Id: Iaf89f7dae8992e3bd0b9fae83878daa27a5bb931 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-14ip: Fix crash in ip address add on sub-int without exact-matchPim van Pelt4-12/+32
Type: fix Creating a sub-int without exact-match set, and subsequently adding an IPv4 or IPv6 address will crash VPP. This fix catches this situation and refuses to allow the caller to add an IPv4 or IPv6 address on an ethernet sub-int that does not have exact-match set. TESTED: Before this change, the following crashes VPP: ``` DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10 TenGigabitEthernet3/0/0.1 DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8::1/64 <crash> ``` After the change, VPP refuses to act: ``` DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10 TenGigabitEthernet3/0/0.1 DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 192.0.2.1/30 set interface ip address: sub-interface without exact-match doesn't support IP addressing DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8:1/64 set interface ip address: sub-interface without exact-match doesn't support IP addressing ``` Signed-off-by: Pim van Pelt <pim@ipng.nl> Change-Id: I42997db314225cd186ebb54013b5717ace7f7bd6
2021-08-13ip: punt redirect add nh in apiNathan Skrzypczak9-100/+243
Type: feature Change-Id: Ia970f444ba2f38b7a42ea94942c906f1b541511b Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-08-13ip: source address selectionOle Troan7-201/+310
Implement a simple source address selection algorithm for IPv4 and IPv6. IPv6 does not yet implement RFC6724 but supports link-locals. ping now chooses correct source address for link-local destination. Added ping support for link-local multicast (e.g. allnodes). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-13tests docs: upgrade python packagesDave Wallace20-409/+447
- Upgrade python package requirements for test & docs - Clean up docs generation warnings - Consolidate python requirements for docs in test requirements specs. - Upgrade pip Type: make Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-08-13wireguard: add flag to check hmac for decryptionGabriel Oginski1-0/+1
Type: fix Originally the decryption doesn't check the hmac for chacha20-poly1305. This patch fixes the problem by adding flag to crypto op to check hmac. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
2021-08-12misc: 21.06 Release NotesAndrew Yourtchenko1-5/+1273
Change-Id: Iedd1263a971e50aceb2d579982484dd8873814dc Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> (cherry picked from commit fc83f8cc67e65c734df3c47518f724c1617e1a5c)
2021-08-12nat: NAT44ED configuration refactorFilip Varga4-378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12nat: correct pool ops when disable nat44 pluginAlexander Skorichenko1-10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-12session vcl: cert key add/del with socket apiFlorin Coras6-10/+218
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
2021-08-12tls: add start_listen openssl API return value checkOfer Heifetz1-4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-12build: consistent debhelper 10 supportNick Brown3-4/+2
Type: fix debian/compat contents were set to 10, but debhelper build dependency, which is the same thing, was set to only 9. Both are not needed, debian/compat being deprecated, so use only the latter. At compat level 10, dh-systemd is integrated directly into debhelper, so build dependency not needed (And in Debian Bullseye dh-systemd transitional package is completely removed). See: https://manpages.debian.org/testing/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS Signed-off-by: Nick Brown <nickbroon@gmail.com> Change-Id: I5809b739334076d7fa8389b076a97f1648726e6e
2021-08-11svm: make more fifo segment header fields privateFlorin Coras4-45/+28
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Idab0f455b52a38efd2cf3781497d8cc7f57bfa42
2021-08-11fib: Compiile time option to use 8-8-8-8 stride tries for FIB ratherNeale Ranns3-0/+124
than 16-8-8-8 Type: feature the memory trade-off is: for 8-8-8-8 tries DBGvpp# sh ip fib mtrie mem ipv4-VRF:0 mtrie:8068 hash:3499 totals: mtrie:8068 hash:3499 all:11567 for 16-8-8 DBGvpp# sh ip fib mtrie mem ipv4-VRF:0 mtrie:333056 hash:3499 totals: mtrie:333056 hash:3499 all:336555 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5271a4322d786de6e47613cff9bd432762dbed2a
2021-08-11fib: A 16-8-8 and a 8-8-8-8 versions of an ip4_fib_tNeale Ranns14-423/+936
Type: feature The difference being the MTRIE type they contain. THE FIB continues to use the 16-8-8 version. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
2021-08-11ip: [re]introduce the 8-8-8-8 stride MTRIENeale Ranns3-64/+229
Type: improvement there's a time-space trade-off between the 16-8-8 and 8-8-8-8 stride. FIB continues to use the 16-8-8. Other features are now free to make the choice. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6691a163486ce62e75e629f6ef0c990f253df8e5
2021-08-11ip: Rename the ip4 mtrie function to be 16_8_8 specificNeale Ranns4-218/+202
Type: improvement the existing mtrie functions use the existing 16_8_8 mtrie. Rename them to make that explicit. Then we can add the 8_8_8_8 types and functions alongside. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If5ce7a282d5d3742dc65bcd0523220235d9c510d
2021-08-10vppinfra: Fix bihash del warningNathan Skrzypczak2-0/+7
Type: fix When freeing an uninstantiated bihash created with dont_add_to_all_bihash_list = 1 we get a warning. This removes the warning & the search for the bihash on cleanup. Change-Id: Iac50ce7e30b97925768f7ad3cb1d30af14686e21 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-08-10tls: picotls optimize rx pathFlorin Coras1-69/+113
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
2021-08-10tls: picotls optimize writesFlorin Coras2-113/+188
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
2021-08-10misc: do not capture tx packets twiceBenoît Ganne1-13/+30
When a packet goes through interface-output, whether it should be captured or not will be evaluated twice: in interface-output and in interface-output-template (<interface_name>-out) node. interface-output should only capture packets if there is an interface filter, otherwise it should defer evaluation to interface-output-template. Type: fix Change-Id: Ia720c5d184a236335e1d7d44d8c04caf87af5630 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-10ip: Use the IP4 lookup functionsNeale Ranns5-177/+84
Type: refactor as opposed to wrtiing out the mtrie steps one by one each time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
2021-08-10ip: Remove the 'test lookup' CLI commandNeale Ranns1-97/+0
Type: fix There's no such thing as a conflict between the FIB and adj tables. This is code that should have been removed way back in 16.04. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4524e7921b03b89106dd1f35aa1171d0945367cf
2021-08-09ip6-nd: only respond to RS if sending RA is enabledOle Troan2-2/+21
Even when periodic RAs are disabled VPP would respond to router solicitations. Making it impossible to have an IPv6 enabled interface with hosts connected to it without VPP acting as a default router. This change drops RS messages if the radv_info->send_radv is off. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9a68f8e12c93c1c00125b54f8fd454f48fa22caa Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-06tls: avoid picotls buffer allocs on rxFlorin Coras2-3/+9
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
2021-08-06tls: avoid ptls ctx free on transport closeFlorin Coras1-2/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
2021-08-05classify: fix parsing for l4 matchBenoît Ganne1-1/+1
l4 match parsing should not try to consume the whole input, otherwise it breaks cli such as: 'classify session ... match l4 dst_port 22 action set-ip4-fib-id 2' Type: fix Change-Id: I81a1b5779811f7df8286a371f85fafe09c947b87 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-05ip: fix ip punt redirect cliBenoît Ganne2-13/+12
- restore fib paths support for ip4 - initialize payload_proto to the relevant default protocol so that 'via <dev>' paths are supported - fix 'rx all' - fix temp path vector mem leak Type: fix Change-Id: I564d88dc4dce86884ff6791af69974e6d70ff7ca Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-05nat: nat44-ed disable protection for api/cliFilip Varga4-60/+67
Return unsupported error if user calls one of the configuration functions that can run only after nat44-ed plugin is enabled via appropriate api/cli call. Type: fix Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-04vppinfra: fix the array mask functionMohsin Kazmi2-2/+20
Type: fix Fixes: 0ec7dad7a00852663eb88554561347987f87bb53 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I7fab80b3c7e86ac712a34c24ea3e526b0b5bb7ad
2021-08-04memif: fix offsetArtem Glazychev1-1/+1
signs were changed here when calculating the offset: d78ba5aa01ff1415bff0b06069ce21e0a78df89c Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
2021-08-03quic: do not update crypto keys from workersAloys Augustin3-20/+59
The vnet_crypto_key_add should only be called from the main thread. This patch works around this limitation by allocating one key per worker and updating it on the fly everytime we need to do a crypto operation. This solution is far from ideal, but quicly has a strong assumption that it can use a key immediately after determining it, so making the key creation asynchronous is not a possibility. Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7 Type: fix
2021-08-03tls: picotls handle accept failuresFlorin Coras1-3/+15
Should also fix coverity warning. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
2021-08-02vcl: fix sendto for dgramsliuyacan1-4/+4
We need to set rmt address before sending connect, otherwise VPP would connect to 0.0.0.0:0 and return invalid remote ip. Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I85ae6931c2ba9f2f77c9ab19a2f801f50745449c
2021-08-02vcl: fix sleep time in ldp_pselect()liuyacan1-1/+2
Type: fix Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: Ic9c5b23be4bde88880972be35525f12fa2c6dc10
2021-07-31vcl: fix ldp for __recv_chk socket callsSivaprasad Tummala2-0/+17
add ldp support for handling __recv_chk socket calls. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I33221c465ac607bc665fcba500dd399a56b32df6
2021-07-30tls: picotls rx fixes and improvementsFlorin Coras2-149/+126
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
2021-07-29vcl: move vls pool lock to process local stateFlorin Coras1-6/+7
We only support one vls worker per process and therefore should not share lock between processes. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I57bb536cf3bf04e8de031b07cb885f80b4fa03c9
2021-07-29vcl: vls cleanup and more docsFlorin Coras1-101/+167
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If32dd21842b99e176db1d4eb9f6c6a51fbff1bfe
2021-07-29ip: add api test fileFilip Tehlar3-0/+1541
Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I49c4183a443b7b39924328900e6a6ac2e09be426
2021-07-29nat: fix ICMP checksum validationKlement Sekera2-9/+53
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>