Age | Commit message | Author | Files | Lines
2022-04-21 | nat: tweak rfc7857 tcp connection tracking | Ole Troan | 5 | -316/+81
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table.

E.g. an observed pattern is:

client      server
         <- FIN, ACK
ACK      ->
ACK      ->
RST, ACK ->

With the current state machine this would leave the session in established state.

These proposed changes do:
- require 3-way handshake to establish session. (current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory

Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-19 | devices: remove redundant access in af-packet input | Mohsin Kazmi | 1 | -5/+5
Type: fix current_data is set to 0 for each packet in af-packet input node. It is not required to include it to calculate the headers offset. Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I538d8c04e24c758155b3f8d6a1532472ef549459
2022-04-18 | session: add support for listen proxies | Florin Coras | 2 | -5/+27
Listener proxies are allowed to listen on IPs that are not local. Configurable only by builtin apps for now. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Idb380ee3584a088878a03d45fd85e7bb0deeb590
2022-04-18 | nat: fix deleting nat ei out interface feature | Alexander Skorichenko | 1 | -2/+2
Type: fix Set is_add function argument to 0 when deleting interface role. Change-Id: I6ca88d6511e1c88285e51b3750eb501fde2b341b Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
2022-04-18 | rpm-packaging: remove mbedtls dependency | Florin Coras | 1 | -4/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Idf325b7f1ce75e973dbea4d5836609590c85dc38
2022-04-16 | hsa: vcl test client allow non-blocking connects | Florin Coras | 3 | -45/+66
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If7dd56e76efc31ed66b865e2c7231d22ec2322b4
2022-04-15 | hsa: support configurable vcl client wrk loop | Florin Coras | 1 | -69/+128
Type: refactor Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5e49f43b18ff011ce0b7259ed58854d81f910826
2022-04-15 | stats: store heap in the directory_entry vector | Damjan Marion | 2 | -15/+2
Type: improvement Change-Id: I878803d14d1070ef5a00ed9d3f72022906d55191 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-15 | build: c compiler version warnings | Damjan Marion | 2 | -14/+37
Type: make Change-Id: I9455da47f03383df822436d1adc4c4b5e58c7cf9 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-15 | api: fix infinite loop in show api dump CLI | Andrew Yourtchenko | 1 | -1/+1
The following illustrates the problem: ./build-root/install-vpp_debug-native/vpp/bin/vpp api-trace { on } unix { cli-listen /tmp/vpp-api-cli.sock } plugins { plugin dpdk_plugin.so { disable } } sleep 5 ./build-root/install-vpp_debug-native/vpp/bin/vppctl -s /tmp/vpp-api-cli.sock show version ./build-root/install-vpp_debug-native/vpp/bin/vppctl -s /tmp/vpp-api-cli.sock show api dump file /tmp/api-table.master-api-baseline compare The last CLI hangs in an infinite loop. Fix the typo which got in during the conversion of _vec_len to read-only: .@@ -1285,7 +1285,7 @@ extract_name (u8 * s) . rv = vec_dup (s); . . while (vec_len (rv) && rv[vec_len (rv)] != '_') .- _vec_len (rv)--; .+ vec_dec_len (rv, 0); . Type: fix Fixes: 8bea589cfe0fca1a6f560e16ca66a4cf199041a2 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4f895348ae0ebaaba9da97c3a440912d38210f10
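Review bot: in the while loop of extract_name, the added line "vec_dec_len (rv, 0);" shortens the vector by zero elements, so vec_len (rv) never changes and the loop cannot exit once it is entered; the removed "_vec_len (rv)--;" shortened it by one, so the second argument should be 1. The loop condition in the context lines also reads rv[vec_len (rv)], which is one element past the last valid index; rv[vec_len (rv) - 1] would test the final character instead.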
2022-04-14 | vlib: disable cpu pinning if not configured | Benoît Ganne | 3 | -23/+24
In some environments, like when running a lot of functional tests, it can be useful to run more VPP instances than CPUs and let the Linux scheduler decide what to do. This change disables cpu pinning altogether in the single-threaded case, provided that no main-core is explicitly specified in the config. Type: improvement Change-Id: I8c2f36fdd49c00f9adaaeb4c81aefb27c3420a9b Signed-off-by: Benoît Ganne <bganne@cisco.com> Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-04-14 | gtpu: fix memory leak | Leung Lai Yung | 1 | -0/+1
Type: fix Free the old rewrite string before assigning a new rewrite string for the updated new tteid value. Signed-off-by: Leung Lai Yung <benkerbuild@gmail.com> Change-Id: I1ec19bce6afda3dfdc31c8724b32ac7b9bc84e89
2022-04-14 | build: Ignore buildinfo file | Renato Botelho do Couto | 1 | -0/+1
During deb package build, a .buildinfo file is created at build-root. Add this to .gitignore. Type: make Signed-off-by: Renato Botelho do Couto <renato@netgate.com> Change-Id: Id86c21e22aa2b9e4b559cfc0bc662de835fa1621
2022-04-14 | ipsec: perf improvement of ipsec4_input_node using flow cache | Zachary Leaf | 11 | -60/+1011
Adding flow cache support to improve inbound IPv4/IPSec Security Policy Database (SPD) lookup performance. By enabling the flow cache in startup conf, this replaces a linear O(N) SPD search, with an O(1) hash table search.

This patch is the ipsec4_input_node counterpart to https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code, theory and mechanism of action.

Details about the flow cache:

Mechanism:
1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache.
2. The flow cache is implemented using a hash table without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, the old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision, falling back to linear search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows, but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all current flow cache entries will be invalidated. As the SPD API is not mp-safe, the data plane will wait for the control plane operation to complete. Cache invalidation is via an epoch counter that is incremented on policy add/del and stored with each entry in the flow cache. If the epoch counter in the flow cache does not match the current count, the entry is considered stale, and we fall back to linear search.

The following configurable options are available through startup conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache (default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets (default 4,194,304: ~1 million flows with 25% load factor)

Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass, 94B (null encrypted packet) for different SPD policy matching indices:

SPD Policy index     : 2          10         100        1000
Throughput           : Mbps/Mbps  Mbps/Mbps  Mbps/Mbps  Mbps/Mbps
(Baseline/Optimized)
ARM TX2              : 300/290    230/290    70/290     8.5/290

Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
2022-04-13 | crypto-openssl: use getrandom syscall | Guillaume Solignac | 1 | -2/+2
The sys/random.h header, which provides the getrandom syscall wrapper, was only added in glibc 2.25. To make it compatible with older versions, we can directly call the syscall. Type: improvement Signed-off-by: Guillaume Solignac <gsoligna@cisco.com> Change-Id: I93c5f8a49c0323511a4e34273f0b3c0e24663bfd
2022-04-13 | vppinfra: fix GCC 7.3 build error with asm inline | Guillaume Solignac | 1 | -4/+4
GCC added asm inline in 8.3, so we change asm inline to asm volatile. Type: fix Fixes: d5045e68a782 ("vppinfra: introduce clib_perfmom") Signed-off-by: Guillaume Solignac <gsoligna@cisco.com> Change-Id: I9f7781ba9de66211404348ff477a17059b408a78
2022-04-13 | build: fix rpm build nasm not found | Tianyu Li | 1 | -0/+1
Type: make Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I7ac1d0472edf8d48eac21a7b580a06456bf60c30
2022-04-13 | vppinfra: fix clang-10 build error with asm inline | Tianyu Li | 1 | -1/+1
clang started to support parsing asm inline from clang-11; use asm volatile instead. Type: fix Fixes: d5045e68a782 ("vppinfra: introduce clib_perfmom") Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I00e5e19856caaed94e22f8fa6cf4f918483976a4
2022-04-12 | vppinfra: vector perf improvements | Damjan Marion | 15 | -139/+326
Type: improvement Change-Id: I37c187af80c21b8fb1ab15af112527a837e0df9e Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-12 | ip: fix arc start in ip46-local for local mfib entries | Alexander Chernavin | 3 | -27/+47
Type: fix After changes made in f840880, VRRP IPv6 cannot reply for neighbor solicitations requesting the link layer address of the configured virtual address. VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature arc for an interface on which a virtual router is configured. When neighbor solicitations arrive on that interface, ip6-local should start feature arc walk for that interface and the messages should be processed by vrrp6-nd-input. The problem is that currently, the feature arc is started for the interface obtained from the receive DPO that has interface unset (i.e. max u32) for local mfib entries. Thus, the feature arc is started not on the interface the messages were received on and vrrp6-nd-input is not traversed. With this fix, if interface obtained from the receive DPO is unset, use RX interface from the buffer to start the ip46-local feature arc. Also, enable tests of this case for both IPv4 and IPv6 address families that are currently tagged as extended and not run on every change. They configure VRRP with priority 255 and are expected to be stable. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
2022-04-12 | hsa: fix coverity warning | Florin Coras | 1 | -0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9cf21ee7ad363dd1af5ca75f07bfe38d8fe749f9
2022-04-12 | hsa: vcl test client option to close only client | Florin Coras | 2 | -2/+12
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I45c63e0a7d7179a0f27ca3f093bd3cf7458a12d3
2022-04-12 | tcp: limit persist segment size if window available | Florin Coras | 1 | -1/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie1ae401d5105aa42761d3cac5dfbe523f3995c87
2022-04-12 | tests: fix bihash unit test threads count | Jing Peng | 1 | -4/+4
In test_bihash_threads, if a test thread fails to be created, it is still counted towards the total thread count, which could lead to a never-ending test loop. This patch fixes the issue. Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: Ic0f1d4dde9c5ea672b52f0e2e49f16d42f982b77
2022-04-11 | teib: use nexthop table id | Benoît Ganne | 1 | -3/+0
Use the specified nexthop table id instead of the interface table id. Type: fix Change-Id: I61bf61d50d2716fcd9a6e35df4d60222dc4f36d5 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-04-11 | interface: fix the offloads | Mohsin Kazmi | 1 | -0/+2
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I9f3d1a8574b15f09a458baad98c815e087fd60b8
2022-04-11 | tls: fix connected notifications with no app wrk | Florin Coras | 2 | -6/+14
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I805131b4e3d0cb2fab1d3bf76db659c67522c2e8
2022-04-11 | tests: fix bihash unittest error reporting | Jing Peng | 1 | -15/+21
This patch fixes test_bihash_unittest in two ways:
1. The number of searches, namely tm->search_iter, defaults to 0, thus disabling the test. This patch changes the default to 1.
2. Test errors are reported by clib_warning() instead of being returned, thus the caller test/test_bihash.py is never aware of them. This patch returns the errors constructed by clib_error_return().
Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: I60e99a829ebe6aa2a56e7a9332cf973afa100311
2022-04-11 | devices: refactor fanout support | Mohsin Kazmi | 3 | -27/+37
Type: refactor Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I9e68ecb91f6433f68a8a87dd066f3e369f25a3c9
2022-04-10 | build: add clang-14 | Damjan Marion | 1 | -0/+1
clang-14 is the default for the upcoming Ubuntu 22.04 LTS... Type: make Change-Id: I65328d0e90a4c13d5766e51da8b90a8899b773d9 Signed-off-by: Damjan Marion <dmarion@me.com>
2022-04-08 | devices: fix the offset for af-packet | Mohsin Kazmi | 1 | -14/+7
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I12b2e53ddb797cc809a2d742d17a1a60edde385d
2022-04-08 | linux-cp: fix setting mtu on hardware interfaces | Matthew Smith | 1 | -1/+1
Type: fix Fixes: 616447c39231 In lcp_router_link_mtu(), either vnet_hw_interface_set_mtu() or vnet_sw_interface_set_mtu() is called, based on whether this appears to be a physical interface. The test to determine whether this is true was incorrect and probably never worked right, so vnet_sw_interface_set_mtu() was always being called. This causes some breakage with recent changes to code which manages interface MTUs. Fix the test so the right function is called. Change-Id: I1ecccbce37d5a1e53b2349ed40f3d0d27eb03569 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-04-08 | dpdk: add multi-txq support | Mohsin Kazmi | 4 | -13/+31
Type: improvement Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I9f061a05d947bc2867e1b962bf0522ad344bcc1a
2022-04-08 | build: opensuse: remove nasm, change to clang | Laszlo Kiraly | 3 | -7/+6
Type: make Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech> Change-Id: I3951be5be95a7fb76f54c4ce0daab0748cb8419c
2022-04-08 | stats: fix vector overrun in expend check | Dmitry Valter | 1 | -2/+2
Do not access allocated elements beyond the end of the vector. They are allocated, but not yet valid both logically (they are at best NULLs) and according to ASAN. Type: fix Change-Id: Iaf43767d6d3bd4c24c7c5a0ba9b3410bbeeb0556 Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
2022-04-08 | vppinfra: introduce clib_perfmom | Damjan Marion | 11 | -216/+530
Type: improvement Change-Id: I85a90774eb313020435c9bc2297c1bdf23d52efc Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-08 | vppinfra: clib_interrupt_get_next reading unallocated memory | Paul Atkins | 2 | -1/+82
The clib interrupt structure has a couple of fields at the start of the cacheline, and then in the next cacheline it has a bitmap, which is then followed by an atomic bitmap. The size of the bitmaps is based on the number of interrupts, and when the memory is allocated the number of interrupts needed is used to size the overall block of memory. The interrupts typically map to pool entries, so if we want to store 512 entries then we store them in indices 0..511. This would then take 8 64bit words, so each bitmap would be this size when the struct is allocated.

It is possible to walk over the end of the allocated data with certain sizes, one of which is 512. The reason this happens with 512 is that the check to see when to exit the loop is returning when offset is greater than the value needed to fit all the values. In this case 512 >> 6 = 8. If there had only been 511 entries then the size would have been 511 >> 6 = 7, and so it would have fitted in the space.

Therefore modify the check to also check that we are not looking into the memory beyond what we have allocated in the case where the number of interrupts is one of the boundary values like 512. Also add a similar check first time round the loop as it is possible we could have the same problem there too.

Add a new test file to verify the new code works. The old version of the code made this test fail when run with the address sanitizer. Without the sanitiser it tended to pass because the following memory was typically set to 0 even though it was uninitialised.

Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I2ec4afae43d296a5c30299bd7694c072ca76b9a4
2022-04-08 | vppinfra: add bright colors to format_table | Damjan Marion | 2 | -2/+20
Type: improvement Change-Id: I21de21af6dea9e39df5e912e20e56d878a40659f Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-08 | api: Do not assert of short message lengths | Neale Ranns | 1 | -1/+0
Type: improvement Short message lengths are correctly handled by the code, asserting makes unit tests that verify this behaviour (e.g. test_ip_punt_api_validation) fail/crash with a debug image. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ib3a377e5d49fde0eee252b92f0e58a8a0d0d83ec
2022-04-07 | tls http: run config fns after init ones | Florin Coras | 2 | -2/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia4d8aaafeb3629f421601edffefe9c61c3e69dba
2022-04-07 | tls: fix session pool realloc on accept | Florin Coras | 1 | -0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I68ada775810bb4a4f280962a979605b211562a52
2022-04-07 | devices: add cli support for checksum and gso disable | Mohsin Kazmi | 5 | -20/+29
Type: improvement Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I33a29cf11998736347eca5016eee112619d847c1
2022-04-06 | vppinfra: add vec_new_heap() | Damjan Marion | 2 | -5/+15
Type: improvement Change-Id: Iab3d65b6276829ad1e522e66380d1797e37579b8 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-06 | devices: add cli support to disable qdisc bypass | Mohsin Kazmi | 5 | -12/+39
Type: improvement Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: Ie5f2bdb8fb559680bab863a7c24a49360e005b58
2022-04-06 | stats: avoid linear search for empty entry | Damjan Marion | 3 | -10/+16
Type: improvement Change-Id: Ie4cdc6d8906da3d1cd18a8f1d7076283546d3003 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-06 | interface: unregister node counters on interface delete | Damjan Marion | 3 | -7/+21
Type: fix Change-Id: I2562ae5833b542c29bcd5025a9a6756e5de95a42 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-06 | vppinfra: add MAX macros for clib types | Damjan Marion | 1 | -0/+18
Type: improvement Change-Id: I1bca733d2a35733275efa46ee0a23bf572365c74 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-06 | vlib: clear frame flags on free | Stanislav Zaikin | 1 | -0/+2
Type: fix Change-Id: If4a7ac244832ef72d82c71b0277bc110b9500537 Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2022-04-06 | build: remove nasm | Damjan Marion | 6 | -52/+3
Type: make Change-Id: I5ee34e9d7156ccdc7a8310e8332347d850459495 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-05 | wireguard: prevent segfault on non-adj packets | Jon Loeliger | 2 | -0/+7
An unexpected packet that shows up on a Wireguard interface that happens not to have a forwarding peer will cause a segfault trying to index the vector of peers by adjacency. Rather than segfaulting, recognize a non-adjacent packet and drop it instead. This leaves open the question of what _should_ be happening to, say, IPv6 multicast packets. Signed-off-by: Jon Loeliger <jdl@netgate.com> Type: fix Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88 Change-Id: Ic0a29e6cf6fe812a4895ec11bedcca86c62e590b