summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2022-08-24ipsec: fix coverity 249204Andrew Yourtchenko1-1/+1
Zero-initialize the temporary struct, else coverity complains about a bunch of uninitialized fields. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I45dc42134f06917a7459d615804f978a175bec0f
2022-08-23linux-cp: handle AF_BRIDGE neighborsMatthew Smith1-2/+8
Type: improvement VPP crashes when a linux-cp tap is added to a bridge on the host system because rtnl_neigh_get_dst() returns NULL for the neighbor message that is sent by the kernel. Check for NULL before trying to use the address from a neighbor in a netlink message. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I8a683d815a09620df9c0cc76e18df39828428e2c Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-08-23lisp: address the issues raised by coverity 249165Andrew Yourtchenko1-4/+12
Add the error checks in parsing, aimed to avoid parser walking past the end of packet in case the data is garbage. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I9541b555a18baf63cb8081bcd7a4c2750f2ed012
2022-08-23rdma: fix coverity 249197Benoît Ganne1-2/+2
flags is u64, makes sure we do not overflow when shifting. Type: fix Change-Id: Ieea34187c0b568dc4d24c9415b9cff36907a5a87 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-23vppinfra: fix coverity 249217Andrew Yourtchenko1-1/+1
Zero-initialize the temporary struct. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I8d73feae427a17470c47d1551ba7078213b589fc
2022-08-23classify: fix coverity 249223Andrew Yourtchenko1-1/+1
Day1 latent integer overflow. vnet_classify_add_del defines new_hash as u32 - so replace a u64 type with u32 in split_and_rehash as well. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I51384a2db1caa4099b4d2ac25cd185bd108da037
2022-08-19nat: simplify per-protocol code by using an arrayJon Loeliger4-243/+158
rather than using obfuscated macro hacery, simplify the per-protocol data management by directly using an array of NAT protocol types. Type: refactor Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I6fe987556ac9f402f8d490da0740e2b91440304c
2022-08-19vlib: memory leak in vlib_register_errors on create and delete interfaceSteven Luong1-0/+1
format returns a vector which must be free or memory is leaked. From show memory 3716528 66716 0x7fffbfeb0db0 _vec_resize_internal + 0xe6 _vec_add + 0x164 do_percent + 0xb82 va_format + 0xb9 format + 0x156 vlib_register_errors + 0x76c setup_tx_node + 0x5c vnet_register_interface + 0xca6 vnet_eth_register_interface + 0xdd memif_create_if + 0x975 memif_create_command_fn + 0x461 vlib_cli_dispatch_sub_commands + 0xec8 (gdb) list *(vlib_register_errors + 0x76c) 0x7ffff6e8280c is in vlib_register_errors (/home/sluong/vpp/vpp/src/vlib/error.c:224). 219 220 vec_validate (nm->node_by_error, n->error_heap_index + n_errors - 1); 221 222 for (u32 i = 0; i < n_errors; i++) 223 { 224 t.format = (char *) format (0, "%v %s: %%d", n->name, cd[i].name); 225 vm->error_elog_event_types[n->error_heap_index + i] = t; 226 nm->node_by_error[n->error_heap_index + i] = n->index; 227 } Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I2983f081b7e2c1b2d18d66afe45282933efbe127
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith11-51/+261
Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
2022-08-18unittest: fix coverity 274736Andrew Yourtchenko1-0/+1
Free up the vapi context in case of failure. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4f64e8718014d714f1b82877e69d2354b5fa44fb
2022-08-18wireguard: fix error type for crypto backendBenoît Ganne1-1/+1
Crypto backend errors should not be using the same error as missing keypair. Type: fix Change-Id: I78c2b3df3f08a354463b7824349b08627f2b023c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-18wireguard: fix ipv6 handshake packetBenoît Ganne1-3/+1
IPv6 payload length should not include the size of the IPv6 header. Type: fix Change-Id: Iedcd17d0af8d72d9b5f8f9b605da7c99e151bc9d Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-18vppinfra: correct clib_bitmap_set() return commentJon Loeliger1-1/+1
Fix a copy-n-paste issue that left clib_bitmap_set()'s return type documentation incorrect. Chnage it to indicate that the function returns a new pointer for the bitmap that could be different due to a possible reallocation. Type: docs Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: Ia193c4673c0e4d1760e91cd7f80ebe1868a3c9b5
2022-08-18nat: Replace port refcounts with simple bitvectorsJon Loeliger2-17/+80
Previously, each address maintained an array of 32-bit reference counts for each of 65K possible ports for each of 4 NAT protocols. Totalling 1MB per address. Wow. A close read of the code shows that an "is used" check precedes each attempted reference count increment. That means the refcount never actually gets above 1. That in turn means algorithmically, a bit vector is sufficient. And one need not be allocated for more than the highest validated port referenced. These changes introduce a dynamically sized bit vector replacing the reference counts, for a maximum of 32K if all 4 protocols use port 65535. In fact, protocol OTHER is never used, so at most 24K will be used, and none of it will be "statically" allocated per address. Type: fix Fixes: 85bee7548bc5a360851d92807dae6d4159b68314 Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2022-08-18dns: fix coverity 249189, 249198Andrew Yourtchenko1-2/+2
Zero-initialize the temporary struct on stack. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I89ced4cca8e832827fe054e2e60986de5910360c
2022-08-18nsh: fix coverity 249169Andrew Yourtchenko1-1/+1
Zero-initialize the temporary struct on stack. Type: fix Change-Id: I651f87deeb79c6c073d5c510435fa268893a3b0e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-08-18ip-neighbor: Declarative .api counters.Neale Ranns4-56/+109
Type: improvement plus the addition of the 'thorttle' counter of IP6. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ic845247a9f3288caa755c33e79ae2eb6d2029d09
2022-08-18ip: Use .api declarative counters for ICMP.Neale Ranns6-85/+247
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3d36faa60075658fd59eb5bbe16efcb48664691b
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe3-72/+179
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-18ikev2: fix possible SEGVAtzm Watanabe1-3/+3
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51
2022-08-17svm: fix coverity 249207,249209Andrew Yourtchenko1-2/+2
Zero-initialize the temporary struct. Type: fix Change-Id: I6f7a35ace6002aa75dc986c7c7eca614c9c5c3ed Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-08-17vlib: fix coverity 274744Andrew Yourtchenko1-1/+4
Add a missing null check Type: fix Change-Id: Id1b27341480c9d62185496ae1d832360119ec198 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-08-17vlib: fix coverity 274750Andrew Yourtchenko1-1/+4
Add a missing null check. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ie6234804e2b89adc918ef9075f9defbb1fd35e44
2022-08-17memif: crash on recceiving a bad descriptorSteven Luong1-1/+1
We validate each descriptor via memif_validate_desc_data and set desc_status to non-zero for the corresponding descriptor when the descriptor is bad. However, desc_status is not propagated back to xor_status in memif_validate_desc_data which eventually sets ptd->xor_status. Not setting ptd->xor_status causes us to treat all descriptors as "simple". In that case, when we try to copy also the bad descriptors to the buffers, it results a crash since desc_data is not set to point to the correct memory in the descriptor. The fix is to set xor_status in memif_validate_desc_data such that if there is a bad descriptor in the frame, "is_simple" is set to false and we have to selectively copy only the good descriptors to the buffers. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598
2022-08-17wireguard: fix fib entry trackingAlexander Chernavin3-53/+118
Type: fix After peers roaming support addition, FIB entry tracking stopped working. For example, it can be observed when an adjacency is stacked on a FIB entry by the plugin and the FIB entry hasn't got ARP resolution yet. Once the FIB entry gets ARP resolution, the adjacency is not re-stacked as it used to. This results in endless ARP requests when a traffic is sent via the adjacency. This is broken because the plugin stopped using "midchain delegate" with peers roaming support addition. The reason is that "midchain delegate" didn't support stacking on a different FIB entry which is needed when peer's endpoint changes. Now it is supported there (added in 36892). With this fix, start using "midchane delegate" again and thus, fix FIB entry tracking. Also, cover this in tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
2022-08-17fib: support "midchain delegate" removalAlexander Chernavin2-0/+31
Type: improvement Currently, once an adjacency is stacked on a FIB entry via adj_midchain_delegate_stack(), "midchain delegate" is created for the adjacency and the FIB index is stored there. And all further calls to adj_midchain_delegate_stack() even passing another FIB index will cause the function to still use the stored one. In other words, there is currently no way to stack an adjacency on another FIB index if "midchain delegate" already exists for it. Being able to stack on another FIB index is needed for the wireguard plugin. As per the protocol, peers can roam between different external endpoints. When an authenticated packet is received and it was sent from a different endpoint than currently stored, the endpoint needs to be updated and all futher communication needs to happen with that endpoint. Thus, the corresponding to that peer adjacencies need to be stacked on the FIB entry that corresponds to the new endpoint. With this change, add adj_midchain_delegate_remove() that removes "midchain delegate". When stacking on another FIB entry is needed, existing "midchain delegate" can be removed and then, a new one created with a new FIB index via adj_midchain_delegate_stack(). Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ibc1c99b248a5ef8ef64867f39f494fab627a1741
2022-08-16tests: move "venv" to "build-root" directory from "test" directorySaima Yunus6-11/+9
Type: refactor - refactored VPP test code to remove "ignore_path" variable from "discover_tests" function and "run_test" code - configured VPP test makefile, config file, and 'run.sh' shell script to move "venv" directory from "test" dir to "build-root" dir Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com> Change-Id: Id2beecbb99f24ce13ed118a1869c5adbef247e50
2022-08-16nat: fix potential out-of-bound worker array indexJing Peng3-24/+36
In several NAT submodules, the number of available ports (0xffff - 1024) may not be divisible by the number of workers, so port_per_thread is determined by integer division, which is the floor of the quotient. Later when a worker index is needed, dividing the port with port_per_thread may yield an out-of-bound array index into the workers array. As an example, assume 2 workers are configured, then port_per_thread will be (0xffff - 1024) / 2, which is 32255. When we compute a worker index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2, but since we only have 2 workers, only 0 and 1 are valid indices. This patch fixes the problem by adding a modulo at the end of the division. Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
2022-08-14vrrp: fix SIGABRT crash by ASSERT() when deleting vrrp vr(MASTER state)luoyaozu1-0/+1
we need cancel vrrp_vr_timer when deleting vrrp vr Type: fix Signed-off-by: luoyaozu <luoyaozu@chinatelecom.cn> Change-Id: I8ea01f1943d6e3e60c4990c5be945de613bc8b53
2022-08-12docs: fix spellcheck error for Ubuntu 22.04Saima Yunus1-0/+1
Type: fix Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com> Change-Id: I975990aeead6d34f0317a37e917bd92c0c89276e
2022-08-12http_static: validate session before sendingFlorin Coras1-0/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I18b9d0d67f5fe4c1714427259df29026153d8dd1
2022-08-11build: remove cnxk support from dpdk external depsDave Wallace1-0/+5
- the cnxk code fails to link using the gcc-11 toolchain included in the ARM64 Ubuntu-22.04 distro. This is required for Ubuntu-22.04 CI jobs (both docker image building & CI job execution on ARM64) - Currently unable to replicate this failure on the dpdk repo. Type: fix Change-Id: Ice44aef9f0f721b4c88ac78f92a14bda87dc80a6 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-08-11ip: only set rx_sw_if_index when connection found to avoid following crash ↵Xiaoming Jiang1-5/+5
like tcp punt Type: fix Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com> Change-Id: I894a881cec1888b392d26fdfb385f97c31113ef1
2022-08-11mpls: Use the .api for the definition of error/info countersNeale Ranns8-64/+111
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I9d25f5459ab70d9cf8556e44cfddfd7029e5b540
2022-08-11ip: Use .api declared error countersNeale Ranns25-449/+689
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I822ead1495edb96ee62e53dc5920aa6c565e3621
2022-08-11ipsec: Use .api declared error countersNeale Ranns8-203/+348
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
2022-08-11arp: Use the new style error count declarationNeale Ranns5-136/+230
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifda8ca8d26912c750a77d2ca889e1638ca83d85a
2022-08-11linux-cp: FIB lookup for P2MP tunnel interfacesMatthew Smith1-4/+22
Type: improvement If a tun/L3 interface is paired with a multipoint tunnel interface, pass packets arriving from the host to ip[46]-lookup instead of cross-connecting them to the tunnel interface. Adjacencies are used to drive the rewrite for Multipoint tunnel interfaces, so the generic adjacency used with a P2P tunnel will not work correctly. Change-Id: I2d8be56dc5029760978c05bc4953f84c8924a412 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-08-11tunnel: Fix API encoding of tunnel flagsNeale Ranns1-2/+7
Type: fix API and internal flags do not match 1:1. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I0f4e53b2e071d1c9fffd1b97bf28b4789887b032
2022-08-10ikev2: do not accept rekey until old SA is deletedAtzm Watanabe3-23/+75
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2022-08-10bfd: Express node stats using the .api fileNeale Ranns2-59/+77
Type: improvement This method allows the assignment of a severity to the error. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Id1a414a88018390d03bd6b16bd048a98903bab5a
2022-08-10bfd: More descriptive error codes during packet receive handlingNeale Ranns3-59/+74
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8907fecde6d48f5362f0f91372d5a9a1bba6f931
2022-08-09wireguard: add peers roaming supportAlexander Chernavin8-68/+434
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-09wireguard: add handshake rate limiting supportAlexander Chernavin7-7/+346
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
2022-08-09ip-neighbor: ARP and ND stats per-interface.Neale Ranns17-61/+422
Type: feature stats of the like from: https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184
2022-08-09vnet: install reass headersMohammed Hawari1-0/+2
Change-Id: I42a138628b06a412b8fce7fb4fc500caf9057169 Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-08-09vlib: vlib_validate_buffer_enqueue_with_aux_x1Mohammed Hawari2-0/+71
This change implement a flavour of vlib_validate_buffer_enqueue_x1 with aux data support Change-Id: I2ecf7af49cf15ecd23b12d8acd57fe90546c1af7 Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-08-09interface: fix show_or_clear_hw_interfacesMohammed Hawari1-1/+2
Change-Id: I2f3163a7a158afa8e2debc6f545c3d1a2a12ac1d Type: fix Fixes: 3414977152ae6362277158dc732e6b9958a6e618 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-08-08devices: af_packet, fix tx stall by retrying failed sendtoMohammed Hawari3-6/+24
Change-Id: I6bed66f740b34673a4883eda1c7f7310c57e131b Type: fix Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-08wireguard: add dos mitigation supportAlexander Chernavin11-68/+411
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717