Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
Motivation for this addition is to add support for cipher suites
that use Diffie-Hellman Ephemeral (DHE) for key exchange.
Using ephemeral DH key exchange yields forward secrecy as the
connection can only be decrypted when the DH key is known.
Configure OpenSSL to use the default built-in DH parameters for the
SSL_CTX object.
Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Tcp may want to send acks in established, but the app
has not called accept() yet.
Type: improvement
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I43b8cd386e533ca95c8ec260a0a1f695ea140358
|
|
Type: improvement
Change-Id: I2640148b8959f9a8303520ba2815fe02f1e47928
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Running a batch file which contains many vppctl commands, occasionally,
VPP may spit out the banner for some of the commands. This happens
when VPP erroneously views the vppctl session as interactive.
A simple way to recreate the problem is to run a batch script as followed
while [ 1 ]
do
vppctl create loopback interface
vppctl delete loopback interface intfc loop0
done
We have two processes which may display the banner,
unix_cli_new_session_process and unix_cli_process. Normally,
unix_cli_process parses the input tokens and displays the banner after
it negotiates the terminal type with the vppctl app.
unix_cli_new_session_process only displays the banner just in case the
client fails to negotiate terminal type. It runs on a timer and expires
in 1 second to display the banner if by then the terminal type is still
not yet negotiated.
The problem is when the session is killed or exitted, VPP does not remove
the element that was enqueued for cli_new_session_process. The index
for the connection (cf) is recycled. The timer for the queue element
continues to run. When the timer expires for the queue element, it
finds the wrong new session due to index recycling. If the new
session has not had negotiated the terminal type, the banner is printed
erroneously to the new session from cli_new_session_process.
The fix is to clean up the queue element to stop cli_new_session_process
from processing the wrong connection when the session is killed.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ife2f1b1c95661e442f0fc6b73505e330e6641fc1
|
|
set the right data length to decode the packet properly.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I6a35fa54851496d0a958f1a64a547b7f08bb4c19
|
|
This plugin allow to keep track of buffer usage in VPP graph nodes. The
main use is to detect buffer leakages.
Type: feature
Change-Id: Iadcf4ab98207fab6e2fa375060879bc2a25b711e
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
fix vpp daq to break out-of-loop when interrupted.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I04594a0b872d16f803d7d7c3b7d9bb60e94bc707
|
|
Take advantage of the new TX infra and support manual thread placement
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id8023846a2eb59125fcf2f80f4f11eb681cf14dc
|
|
Type: improvement
Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2
plugin only uses non-NULL terminated vectors.
Type: fix
Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
xsk objects keep pointers to the rx and tx objects. If we re-allocate
the rx and tx vectors after initializing the associated xsk object, the
pointers in the xsk object will be staled.
To avoid this, we allocate the vectors to the max expected size instead
of growing them.
Type: fix
Change-Id: If30433a28c186787d66c12dbab34bf210c95b519
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Extend the srv6 sid list structure with policy type to support
different SR policy types
Type: feature
Signed-off-by: Ahmed Abdelsalam <ahabdels@cisco.com>
Change-Id: I6a8cf82b1269e1c46f3757df0047b306f613112b
|
|
fa_session_t *sess;
CLIB_PREFETCH (sess, 2 * CLIB_CACHE_LINE_BYTES, STORE);
sizeof(fa_session_t) is 128 bytes
i) on 64B cacheline size Arm machine,
above CLIB_PREFETCH () macro will be expand to
__builtin_prefetch(sess)
__builtin_prefetch(sess + 64)
__builtin_prefetch(sess + 128) << prefetch is out of range of *sess.
__builtin_prefetch(sess + 192) <<
ii) on 128B cacheline size Arm machine, CLIB_PREFETCH () expands to
__builtin_prefetch(sess)
__builtin_prefetch(sess + 128) << still out of bound
Solution:
Change to CLIB_PREFETCH (sess, sizeof(*sess), STORE);
Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Reviewed-by: Lijian Zhang <lijian.zhang@arm.com>
Change-Id: I4b3d4fc55747f3d9ad1bcf24f8834601a03ef55e
|
|
Type: fix
Signed-off-by: jxm <jiangxiaoming@outlook.com>
Change-Id: I5a6a1ce9f232d4ed0fd4707cd5aa9b46cc8a2a5a
|
|
Type: fix
while xsk fd closed by clib_file_del_by_index fisrt,
xsk_get_mmap_offsets will get wrong off in xsk_socket__delete,
so munmap wrong place.
Signed-off-by: arikachen <eaglesora@gmail.com>
Change-Id: I95464e9b4eec99814bd32d7402c0d60a0605cef5
|
|
Type: fix
Change-Id: I9d3344374738f8cf883cffb4715c76b50bb4bfce
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
|
|
Type: fix
Building an RPM with 'make pkg-rpm' fails because /usr/bin/vat2 is
installed but is not included in %files. Add it.
Change-Id: I686b291e4419d39141f0f87da963b413d11ab0f8
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Remove aggressive inlining outside of the main loop to improve build
time (from 146s to 22s).
Type: refactor
Change-Id: I3824516a85b5e8d02894e66f19d891569c1a68fb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When using cached bytes:
- do not overflow
- do not return the same bytes twice
Type: fix
Change-Id: I2a87b47a79300e56a2201b8fc3cb6cb15b592e28
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
vlib_buffer_chain_linearize() truncates partial data in chained buffers
in corner cases when current_data is negative.
Strengthen test cases to reproduce the errors and fix it.
Type: fix
Change-Id: Ida621923711c5755508224bdc3842b31003c6c0b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When mmap()-ing perf event in userspace, we must adhere to the kernel
update protocol to read consistent values.
Also, 'offset' is an offset to add to the counter value, not to apply
to the PMC index.
Type: fix
Change-Id: I59106bb3a48185ff3fcb0d2f09097269a67bb6d6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
- add format_vnet_buffer and format_vnet_buffer_no_chain to mirror
format_vlib_buffer and format_vlib_buffer_no_chain
- format_vnet_buffer used to be the "no chain" version, replace all of
its current use with the corresponding format_vnet_buffer_no_chain
- add a function to dump vnet buffer details from gdb
Type: improvement
Change-Id: I143ce845f80e7ef937ea33a557b6e3b5988c5b8f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IKEv2 is not optimized for dataplane processing and do not really
benefit from aggressive inlining. Let the compiler decide to improve
build time (from 205s to 30s).
Type: refactor
Change-Id: I5286880b35d338d669ec9382bf049d4486c04947
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Fixes: 88b2e3682be6303973fc59c3c62141d64a9e10d7
Change-Id: I4b29924246e2cdc307cf238c5cb8624f14317452
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
With endpoint dependent NAT44, When there are multiple workers we look
for a flow which matches the packet in order to figure out which worker
should handle the packet. If the packet is an ICMP error, it may be
associated with an existing flow by inspecting the L3/L4 headers that
are included in the message payload.
This was not being done for in2out packets in
nat44_ed_get_in2out_worker_index(), so some packets which were related
to an open session were not being associated with that session and were
being passed to a different thread than the one where the session was
created. Later on, when the packet was processed by the fast path in2out
node, the L3/L4 headers in the payload are inspected and the fast path
node finds the existing session. Since that session is owned by a
different thread than the one the packet is being processed by, the
in2out fast path node can potentially access the wrong session and/or
memory adjacent to the session pool. This can cause a SEGV.
Make nat44_ed_get_in2out_worker_index() look at the inner headers when
processing an ICMP error. THis is already done in
nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
bihash-based lookups
In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup
may be more efficient than the hash-based lookup. Expose the API to allow the control plane
to choose what lookup algorithm to use.
Type: improvement
Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
vhost interrupt mode support with mq does not work when coalesce frame
is not configured to 0.
When packed-ring is configured, we were also setting the wrong flag
for want-interrupt.
No need to trigger an interrupt to RX infra if there is at least one
queue in the same thread that is doing polling.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I8e64250f2aa6bf611a777a53e4d2c1076d83305f
|
|
Add prefix argument to specifiy shared memory segment.
Add long arguments.
Add argument to dump apis.
Add help.
Add template argument
E.g:
vat2 --template sw_interface_add_del_address
{
"_msgname": "sw_interface_add_del_address",
"sw_if_index": 0,
"is_add": false,
"del_all": false,
"prefix": "0.0.0.0"
}
Usage: vat2 [OPTION] <message-name> <JSON object>
Send API message to VPP and print reply
-d, --debug Print additional information
-p, --prefix Specify shared memory prefix to connect to a given VPP instance
-f, --file File containing a JSON object with the arguments for the message to send
--dump-apis List all APIs available from connected VPP instance
Type: improvement
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I2d32483a727bc16990c9a30dfa9bc1fa7b1fa85a
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
The NAT plugin stores packet counters and a counter represents a vector
indexed by interface index. When an interface is assigned a NAT role,
the counters are validated to be long enough for the given interface
index.
When a packet traverses NAT in2out and output feature is disabled, the
appropriate counters are updated by the RX interface index. In this
case, translation happens on the inside interface and its index was
ensured to be valid in all of the counters during NAT role assignment.
When a packet traverses NAT in2out and output feature is enabled, the
appropriate counters are updated by the RX interface index too. In this
case, translation happens on the outside interface and the packet could
be received on any interface, even with no NAT role assigned. If that's
the case and its index is greater than the greatest index validated in
the counters, a new counter value will be written to memory that does
not belong to the counter. As a result, a crash will occur at some
point.
With this change, use TX interface index to update the counters when
output feature is enabled. TX interface is an actual interface where
translation happens and its index is always valid in the counters.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
|
|
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Iadb72fd0cb434a7ca2f6cbda7d78209f0746f0c6
|
|
Remove unused parameters and fix warnings.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2d0e7b84b56817999283ecb6be606159dcb26a28
|
|
ip/ip_types_api.h is already installed by the build system
Change-Id: Iec43e0ad50e32473d93ea8f7281b5a6477ddc87f
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: improvement
|
|
b8e7a45d56be9f3e11b07b82fd899160e2af1bf1 has removed dh-systemd from the DEB_DEPENDS,
however this causes the make pkg-deb to fail on a clean lxd or docker install of debian10 as follows:
dpkg-buildpackage: info: source package vpp
dpkg-buildpackage: info: source version 21.10-rc0~252-g76b19ceaf
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by fd.io VPP <vpp-dev@fd.io>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build .
dpkg-checkbuilddeps: error: Unmet build dependencies: dh-systemd
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
FAILED: CMakeFiles/pkg/CMakeFiles/pkg-deb
cd /root/t/t/vpp/build-root/build-vpp-native/vpp/CMakeFiles && dpkg-buildpackage -us -uc -b
ninja: build stopped: subcommand failed.
make[1]: *** [/root/t/t/vpp/build-data/packages/vpp.mk:46: vpp-package-deb] Error 1
Thanks to Nick Brown for the help!
Type: fix
Fixes: b8e7a45d56be9f3e11b07b82fd899160e2af1bf1
Change-Id: I08b3a1efcdf6e6096b4ab28263764c1d66be43ef
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: improvement
X710/XL710 devices have source pruning enabled by default and DPDK
provides no option to disable it. This prevents VRRP from working
properly.
Disable source pruning while setting up the main VSI.
Change-Id: Iaf89f7dae8992e3bd0b9fae83878daa27a5bb931
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Creating a sub-int without exact-match set, and subsequently adding an
IPv4 or IPv6 address will crash VPP. This fix catches this situation and
refuses to allow the caller to add an IPv4 or IPv6 address on an
ethernet sub-int that does not have exact-match set.
TESTED:
Before this change, the following crashes VPP:
```
DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10
TenGigabitEthernet3/0/0.1
DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8::1/64
<crash>
```
After the change, VPP refuses to act:
```
DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10
TenGigabitEthernet3/0/0.1
DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 192.0.2.1/30
set interface ip address: sub-interface without exact-match doesn't support IP addressing
DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8:1/64
set interface ip address: sub-interface without exact-match doesn't support IP addressing
```
Signed-off-by: Pim van Pelt <pim@ipng.nl>
Change-Id: I42997db314225cd186ebb54013b5717ace7f7bd6
|
|
Type: feature
Change-Id: Ia970f444ba2f38b7a42ea94942c906f1b541511b
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Implement a simple source address selection algorithm
for IPv4 and IPv6.
IPv6 does not yet implement RFC6724 but supports link-locals.
ping now chooses correct source address for link-local destination.
Added ping support for link-local multicast (e.g. allnodes).
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
- Upgrade python package requirements for test & docs
- Clean up docs generation warnings
- Consolidate python requirements for docs in test
requirements specs.
- Upgrade pip
Type: make
Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: fix
Originally the decryption doesn't check the hmac for chacha20-poly1305.
This patch fixes the problem by adding flag to crypto op to check hmac.
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
|
|
Change-Id: Iedd1263a971e50aceb2d579982484dd8873814dc
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
(cherry picked from commit fc83f8cc67e65c734df3c47518f724c1617e1a5c)
|
|
Refactoring and cleaning up address allocation functions &
ip table update callbacks.
Type: refactor
Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Replace vec ops with pool ops when iterating over pool of
interfaces in plugin_disable() functions.
With this change plugin disabling function and interface role
disabling functions iterate over identical sets of registered
interfaces, preventing 'interface couldn't be found' errors.
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
|
|
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: fix
debian/compat contents were set to 10, but debhelper build dependency,
which is the same thing, was set to only 9. Both are not needed,
debian/compat being deprecated, so use only the latter.
At compat level 10, dh-systemd is integrated directly into debhelper, so
build dependency not needed (And in Debian Bullseye dh-systemd
transitional package is completely removed).
See: https://manpages.debian.org/testing/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS
Signed-off-by: Nick Brown <nickbroon@gmail.com>
Change-Id: I5809b739334076d7fa8389b076a97f1648726e6e
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idab0f455b52a38efd2cf3781497d8cc7f57bfa42
|
|
than 16-8-8-8
Type: feature
the memory trade-off is:
for 8-8-8-8 tries
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:8068 hash:3499
totals: mtrie:8068 hash:3499 all:11567
for 16-8-8
DBGvpp# sh ip fib mtrie mem
ipv4-VRF:0 mtrie:333056 hash:3499
totals: mtrie:333056 hash:3499 all:336555
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5271a4322d786de6e47613cff9bd432762dbed2a
|
|
Type: feature
The difference being the MTRIE type they contain.
THE FIB continues to use the 16-8-8 version.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
|
|
Type: improvement
there's a time-space trade-off between the 16-8-8 and 8-8-8-8 stride.
FIB continues to use the 16-8-8. Other features are now free to make the
choice.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6691a163486ce62e75e629f6ef0c990f253df8e5
|