summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2021-08-30tls: use default OpenSSL built-in DH parametersOfer Heifetz1-0/+8
Type: improvement Motivation for this addition is to add support for cipher suites that use Diffie-Hellman Ephemeral (DHE) for key exchange. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. Configure OpenSSL to use the default built-in DH parameters for the SSL_CTX object. Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-30tcp: Allow accepting session to send custom packetliuyacan1-1/+9
Tcp may want to send acks in established, but the app has not called accept() yet. Type: improvement Signed-off-by: liuyacan <liuyacan@corp.netease.com> Change-Id: I43b8cd386e533ca95c8ec260a0a1f695ea140358
2021-08-27vppinfra: add compress functions for u64, u16 and u8Mohsin Kazmi3-4/+352
Type: improvement Change-Id: I2640148b8959f9a8303520ba2815fe02f1e47928 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-08-27vlib: vpp banner is outputted to non-interactive vppctl sessionSteven Luong1-0/+11
Running a batch file which contains many vppctl commands, occasionally, VPP may spit out the banner for some of the commands. This happens when VPP erroneously views the vppctl session as interactive. A simple way to recreate the problem is to run a batch script as followed while [ 1 ] do vppctl create loopback interface vppctl delete loopback interface intfc loop0 done We have two processes which may display the banner, unix_cli_new_session_process and unix_cli_process. Normally, unix_cli_process parses the input tokens and displays the banner after it negotiates the terminal type with the vppctl app. unix_cli_new_session_process only displays the banner just in case the client fails to negotiate terminal type. It runs on a timer and expires in 1 second to display the banner if by then the terminal type is still not yet negotiated. The problem is when the session is killed or exitted, VPP does not remove the element that was enqueued for cli_new_session_process. The index for the connection (cf) is recycled. The timer for the queue element continues to run. When the timer expires for the queue element, it finds the wrong new session due to index recycling. If the new session has not had negotiated the terminal type, the banner is printed erroneously to the new session from cli_new_session_process. The fix is to clean up the queue element to stop cli_new_session_process from processing the wrong connection when the session is killed. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ife2f1b1c95661e442f0fc6b73505e330e6641fc1
2021-08-27snort: fix incorrect data length for snort inspectionSivaprasad Tummala1-0/+1
set the right data length to decode the packet properly. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I6a35fa54851496d0a958f1a64a547b7f08bb4c19
2021-08-27bufmon: add buffer monitoring pluginBenoît Ganne8-24/+422
This plugin allow to keep track of buffer usage in VPP graph nodes. The main use is to detect buffer leakages. Type: feature Change-Id: Iadcf4ab98207fab6e2fa375060879bc2a25b711e Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-27snort: fix snort hang issue when interruptedSivaprasad Tummala1-1/+20
fix vpp daq to break out-of-loop when interrupted. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I04594a0b872d16f803d7d7c3b7d9bb60e94bc707
2021-08-26vhost: migrate to new TX infraSteven Luong3-88/+67
Take advantage of the new TX infra and support manual thread placement Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Id8023846a2eb59125fcf2f80f4f11eb681cf14dc
2021-08-26ikev2: check for valid cipher + integrityBenoît Ganne2-7/+7
Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26ikev2: fix DNS resolution overflowBenoît Ganne1-1/+7
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2 plugin only uses non-NULL terminated vectors. Type: fix Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26af_xdp: fix stale rx/tx pointers in xsk objectsBenoît Ganne1-10/+47
xsk objects keep pointers to the rx and tx objects. If we re-allocate the rx and tx vectors after initializing the associated xsk object, the pointers in the xsk object will be staled. To avoid this, we allocate the vectors to the max expected size instead of growing them. Type: fix Change-Id: If30433a28c186787d66c12dbab34bf210c95b519 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26sr: extend the srv6 sid list structureAhmed Abdelsalam2-42/+51
Extend the srv6 sid list structure with policy type to support different SR policy types Type: feature Signed-off-by: Ahmed Abdelsalam <ahabdels@cisco.com> Change-Id: I6a8cf82b1269e1c46f3757df0047b306f613112b
2021-08-26acl: fix prefetch out of struct bound on ArmTianyu Li1-1/+1
fa_session_t *sess; CLIB_PREFETCH (sess, 2 * CLIB_CACHE_LINE_BYTES, STORE); sizeof(fa_session_t) is 128 bytes i) on 64B cacheline size Arm machine, above CLIB_PREFETCH () macro will be expand to __builtin_prefetch(sess) __builtin_prefetch(sess + 64) __builtin_prefetch(sess + 128) << prefetch is out of range of *sess. __builtin_prefetch(sess + 192) << ii) on 128B cacheline size Arm machine, CLIB_PREFETCH () expands to __builtin_prefetch(sess) __builtin_prefetch(sess + 128) << still out of bound Solution: Change to CLIB_PREFETCH (sess, sizeof(*sess), STORE); Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Reviewed-by: Lijian Zhang <lijian.zhang@arm.com> Change-Id: I4b3d4fc55747f3d9ad1bcf24f8834601a03ef55e
2021-08-25fib: fix source address get error for p2p ifjxm1-0/+24
Type: fix Signed-off-by: jxm <jiangxiaoming@outlook.com> Change-Id: I5a6a1ce9f232d4ed0fd4707cd5aa9b46cc8a2a5a
2021-08-23af_xdp: fix xsk_socket__delete left un-cleanuparikachen1-3/+3
Type: fix while xsk fd closed by clib_file_del_by_index fisrt, xsk_get_mmap_offsets will get wrong off in xsk_socket__delete, so munmap wrong place. Signed-off-by: arikachen <eaglesora@gmail.com> Change-Id: I95464e9b4eec99814bd32d7402c0d60a0605cef5
2021-08-20ip: check if interface has link-local addressStanislav Zaikin1-1/+6
Type: fix Change-Id: I9d3344374738f8cf883cffb4715c76b50bb4bfce Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2021-08-20build: include vat2 in RPM file listMatthew Smith1-0/+1
Type: fix Building an RPM with 'make pkg-rpm' fails because /usr/bin/vat2 is installed but is not included in %files. Add it. Change-Id: I686b291e4419d39141f0f87da963b413d11ab0f8 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-20ikev2: fix use-after-freeBenoît Ganne1-2/+3
Type: fix Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20rdma: decrease inliningBenoît Ganne1-26/+19
Remove aggressive inlining outside of the main loop to improve build time (from 146s to 22s). Type: refactor Change-Id: I3824516a85b5e8d02894e66f19d891569c1a68fb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20vppinfra: fix clib_random_buffer_get_data cachingBenoît Ganne1-2/+2
When using cached bytes: - do not overflow - do not return the same bytes twice Type: fix Change-Id: I2a87b47a79300e56a2201b8fc3cb6cb15b592e28 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20buffers: fix buffer linearizationBenoît Ganne2-131/+376
vlib_buffer_chain_linearize() truncates partial data in chained buffers in corner cases when current_data is negative. Strengthen test cases to reproduce the errors and fix it. Type: fix Change-Id: Ida621923711c5755508224bdc3842b31003c6c0b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20perfmon: fix perf event user page readBenoît Ganne1-45/+76
When mmap()-ing perf event in userspace, we must adhere to the kernel update protocol to read consistent values. Also, 'offset' is an offset to add to the counter value, not to apply to the PMC index. Type: fix Change-Id: I59106bb3a48185ff3fcb0d2f09097269a67bb6d6 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20vlib: add format_vnet_buffer_no_chainBenoît Ganne9-27/+40
- add format_vnet_buffer and format_vnet_buffer_no_chain to mirror format_vlib_buffer and format_vlib_buffer_no_chain - format_vnet_buffer used to be the "no chain" version, replace all of its current use with the corresponding format_vnet_buffer_no_chain - add a function to dump vnet buffer details from gdb Type: improvement Change-Id: I143ce845f80e7ef937ea33a557b6e3b5988c5b8f Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20ikev2: decrease inliningBenoît Ganne1-26/+26
IKEv2 is not optimized for dataplane processing and do not really benefit from aggressive inlining. Let the compiler decide to improve build time (from 205s to 30s). Type: refactor Change-Id: I5286880b35d338d669ec9382bf049d4486c04947 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20build: fix external plugin buildBenoît Ganne1-0/+1
Type: fix Fixes: 88b2e3682be6303973fc59c3c62141d64a9e10d7 Change-Id: I4b29924246e2cdc307cf238c5cb8624f14317452 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith2-0/+67
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-19acl: add API call for setting the toggle to select between linear and ↵Andrew Yourtchenko3-1/+148
bihash-based lookups In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup may be more efficient than the hash-based lookup. Expose the API to allow the control plane to choose what lookup algorithm to use. Type: improvement Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-18vhost: interrupt mode support with mqSteven Luong3-138/+209
vhost interrupt mode support with mq does not work when coalesce frame is not configured to 0. When packed-ring is configured, we were also setting the wrong flag for want-interrupt. No need to trigger an interrupt to RX infra if there is at least one queue in the same thread that is doing polling. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I8e64250f2aa6bf611a777a53e4d2c1076d83305f
2021-08-18vat2: add shared memory argumentOle Troan5-99/+226
Add prefix argument to specifiy shared memory segment. Add long arguments. Add argument to dump apis. Add help. Add template argument E.g: vat2 --template sw_interface_add_del_address { "_msgname": "sw_interface_add_del_address", "sw_if_index": 0, "is_add": false, "del_all": false, "prefix": "0.0.0.0" } Usage: vat2 [OPTION] <message-name> <JSON object> Send API message to VPP and print reply -d, --debug Print additional information -p, --prefix Specify shared memory prefix to connect to a given VPP instance -f, --file File containing a JSON object with the arguments for the message to send --dump-apis List all APIs available from connected VPP instance Type: improvement Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I2d32483a727bc16990c9a30dfa9bc1fa7b1fa85a Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin4-69/+94
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-17docs: fix missing dependency on pip-tools for docs-venvDave Wallace1-0/+2
Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iadb72fd0cb434a7ca2f6cbda7d78209f0746f0c6
2021-08-17ip: reassembly cleanupKlement Sekera4-246/+139
Remove unused parameters and fix warnings. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2d0e7b84b56817999283ecb6be606159dcb26a28
2021-08-17build: install ethernet/ethernet_types_api.hMohammed Hawari1-0/+1
ip/ip_types_api.h is already installed by the build system Change-Id: Iec43e0ad50e32473d93ea8f7281b5a6477ddc87f Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: improvement
2021-08-17build: remove dh-systemd from dependenciesAndrew Yourtchenko1-1/+0
b8e7a45d56be9f3e11b07b82fd899160e2af1bf1 has removed dh-systemd from the DEB_DEPENDS, however this causes the make pkg-deb to fail on a clean lxd or docker install of debian10 as follows: dpkg-buildpackage: info: source package vpp dpkg-buildpackage: info: source version 21.10-rc0~252-g76b19ceaf dpkg-buildpackage: info: source distribution unstable dpkg-buildpackage: info: source changed by fd.io VPP <vpp-dev@fd.io> dpkg-buildpackage: info: host architecture amd64 dpkg-source --before-build . dpkg-checkbuilddeps: error: Unmet build dependencies: dh-systemd dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting dpkg-buildpackage: warning: (Use -d flag to override.) FAILED: CMakeFiles/pkg/CMakeFiles/pkg-deb cd /root/t/t/vpp/build-root/build-vpp-native/vpp/CMakeFiles && dpkg-buildpackage -us -uc -b ninja: build stopped: subcommand failed. make[1]: *** [/root/t/t/vpp/build-data/packages/vpp.mk:46: vpp-package-deb] Error 1 Thanks to Nick Brown for the help! Type: fix Fixes: b8e7a45d56be9f3e11b07b82fd899160e2af1bf1 Change-Id: I08b3a1efcdf6e6096b4ab28263764c1d66be43ef Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-16dpdk: patch i40e PMD to disable source pruningMatthew Smith1-0/+43
Type: improvement X710/XL710 devices have source pruning enabled by default and DPDK provides no option to disable it. This prevents VRRP from working properly. Disable source pruning while setting up the main VSI. Change-Id: Iaf89f7dae8992e3bd0b9fae83878daa27a5bb931 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-14ip: Fix crash in ip address add on sub-int without exact-matchPim van Pelt4-12/+32
Type: fix Creating a sub-int without exact-match set, and subsequently adding an IPv4 or IPv6 address will crash VPP. This fix catches this situation and refuses to allow the caller to add an IPv4 or IPv6 address on an ethernet sub-int that does not have exact-match set. TESTED: Before this change, the following crashes VPP: ``` DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10 TenGigabitEthernet3/0/0.1 DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8::1/64 <crash> ``` After the change, VPP refuses to act: ``` DBGvpp# cre sub TenGigabitEthernet3/0/0 1 dot1q 10 TenGigabitEthernet3/0/0.1 DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 192.0.2.1/30 set interface ip address: sub-interface without exact-match doesn't support IP addressing DBGvpp# set interface ip address TenGigabitEthernet3/0/0.1 2001:db8:1/64 set interface ip address: sub-interface without exact-match doesn't support IP addressing ``` Signed-off-by: Pim van Pelt <pim@ipng.nl> Change-Id: I42997db314225cd186ebb54013b5717ace7f7bd6
2021-08-13ip: punt redirect add nh in apiNathan Skrzypczak9-100/+243
Type: feature Change-Id: Ia970f444ba2f38b7a42ea94942c906f1b541511b Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-08-13ip: source address selectionOle Troan7-201/+310
Implement a simple source address selection algorithm for IPv4 and IPv6. IPv6 does not yet implement RFC6724 but supports link-locals. ping now chooses correct source address for link-local destination. Added ping support for link-local multicast (e.g. allnodes). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-13tests docs: upgrade python packagesDave Wallace20-409/+447
- Upgrade python package requirements for test & docs - Clean up docs generation warnings - Consolidate python requirements for docs in test requirements specs. - Upgrade pip Type: make Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-08-13wireguard: add flag to check hmac for decryptionGabriel Oginski1-0/+1
Type: fix Originally the decryption doesn't check the hmac for chacha20-poly1305. This patch fixes the problem by adding flag to crypto op to check hmac. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
2021-08-12misc: 21.06 Release NotesAndrew Yourtchenko1-5/+1273
Change-Id: Iedd1263a971e50aceb2d579982484dd8873814dc Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> (cherry picked from commit fc83f8cc67e65c734df3c47518f724c1617e1a5c)
2021-08-12nat: NAT44ED configuration refactorFilip Varga4-378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12nat: correct pool ops when disable nat44 pluginAlexander Skorichenko1-10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-12session vcl: cert key add/del with socket apiFlorin Coras6-10/+218
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
2021-08-12tls: add start_listen openssl API return value checkOfer Heifetz1-4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-12build: consistent debhelper 10 supportNick Brown3-4/+2
Type: fix debian/compat contents were set to 10, but debhelper build dependency, which is the same thing, was set to only 9. Both are not needed, debian/compat being deprecated, so use only the latter. At compat level 10, dh-systemd is integrated directly into debhelper, so build dependency not needed (And in Debian Bullseye dh-systemd transitional package is completely removed). See: https://manpages.debian.org/testing/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS Signed-off-by: Nick Brown <nickbroon@gmail.com> Change-Id: I5809b739334076d7fa8389b076a97f1648726e6e
2021-08-11svm: make more fifo segment header fields privateFlorin Coras4-45/+28
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Idab0f455b52a38efd2cf3781497d8cc7f57bfa42
2021-08-11fib: Compiile time option to use 8-8-8-8 stride tries for FIB ratherNeale Ranns3-0/+124
than 16-8-8-8 Type: feature the memory trade-off is: for 8-8-8-8 tries DBGvpp# sh ip fib mtrie mem ipv4-VRF:0 mtrie:8068 hash:3499 totals: mtrie:8068 hash:3499 all:11567 for 16-8-8 DBGvpp# sh ip fib mtrie mem ipv4-VRF:0 mtrie:333056 hash:3499 totals: mtrie:333056 hash:3499 all:336555 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5271a4322d786de6e47613cff9bd432762dbed2a
2021-08-11fib: A 16-8-8 and a 8-8-8-8 versions of an ip4_fib_tNeale Ranns14-423/+936
Type: feature The difference being the MTRIE type they contain. THE FIB continues to use the 16-8-8 version. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
2021-08-11ip: [re]introduce the 8-8-8-8 stride MTRIENeale Ranns3-64/+229
Type: improvement there's a time-space trade-off between the 16-8-8 and 8-8-8-8 stride. FIB continues to use the 16-8-8. Other features are now free to make the choice. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6691a163486ce62e75e629f6ef0c990f253df8e5