path: root/src/plugins/map
Age | Commit message | Author | Files | Lines
2020-03-25 | map: fix hop limit expiration at br | Vladimir Ratnikov | 2 | -2/+29
Before this patch, packet was dropped in ip4-input, but ip4-map-t node dropped response due to 'security check failed'. This patch checks if hop_limit==1 and sets error and next frame and sends icmp6 response correctly. Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85
2020-03-24 | map: fix translation of icmp6 error messages | Alexander Chernavin | 1 | -1/+80
Translation of ICMPv6 error messages to ICMP error messages fails because the sender port is not set that leads to security check failure. With this commit, during ICMPv6 error messages translation, get the sender port value from the inner packet. Type: fix Change-Id: I1ee295a3685fab4837172edfb629a699f49afbee Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-15 | map: fix translation of icmp4 error messages | Alexander Chernavin | 2 | -6/+51
ICMP error messages are translated to ICMPv6 error messages with erroneous destination address in the outer IPv6 header because sender port is used instead of receiver port. Both source and destination addresses in the inner IPv6 header are translated erroneously because source and destination addresses of the inner IPv4 header are getting zeroed during the translation. With this commit, use receiver port for translation and save addresses of the inner IPv4 header before translation of the inner header. Type: fix Change-Id: I1e93d54c1bbc154b401adcbb0fb661299655d01a Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-04 | map: fix map port calculation for ICMP | Vladimir Isaev | 4 | -14/+78
type should be used to get ICMP type instead of code. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: Iabf4ae38befde18309caff8efd9e1d956a2fde82
2020-02-26 | map: handle IPv6 extension headers for TCP/UDP | Vladimir Isaev | 1 | -2/+2
Without this patch offset for TCP/UDP headers was not calculated correctly if there is one or more IPv6 extension headers. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I04d6f5e42f8f072987192d6236085afbd74a4420
2020-02-20 | map: honor pre-resolve param in map-t | Alexander Chernavin | 6 | -30/+154
With this commit, forward the translated packet directly to the specified next-hop if pre-resolve param is enabled in MAP-T. Type: fix Change-Id: Ie26080c7820318c7982599577a4af6e4d01a0574 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-02-20 | map: honor icmp6-unreachables param in map-t | Alexander Chernavin | 2 | -2/+47
With this commit, send ICMPv6 unreachable messages back if security check fails and icmp6-unreachables param enabled in MAP-T. Type: fix Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-02-04 | ip: translate fragmented icmp to fragmented icmp6 | Alexander Chernavin | 1 | -7/+32
The first translated ICMPv6 packet of a fragmented ICMP message does not have an IPv6 fragment header. All subsequent have. With this commit, add an IPv6 fragment header to the first translated ICMPv6 packet. Type: fix Change-Id: Id89409ce7273cbeed801e2e18a09d3e7c3c4e4bc Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-30 | map: Add several more MAP-T BR tests | Jon Loeliger | 1 | -8/+294
Add several more MAP-T BR tests for normal packet flow. Type: test Change-Id: Ica880dd23c923795279e9d08dca2796f2925069a Signed-off-by: Jon Loeliger <jdl@netgate.com>
2020-01-30 | map: Prevent IPv4 prefix spoofing during IPv6 -> IPv4 | Jon Loeliger | 2 | -2/+279
Prevent malicious packets with spoofed embedded IPv4 addresses by limiting the IPv6 ingress packets to known MAP-T domains. Drop spoofed packets. Add several tests that ensure spoofing isn't allowed. Type: fix Fixes: fc7344f9be Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2020-01-30 | map: handle ip4 ttl=1 packets in map-t | Alexander Chernavin | 3 | -10/+20
With this commit, ICMP Time Exceeded is sent to sender when TTL expires at MAP BR. Type: fix Change-Id: I8effe163beab32596883127b819308cc355512c3 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-29 | tests: add map-t fragmentation verifications | Alexander Chernavin | 1 | -10/+36
Type: test Change-Id: I5522e88ee178d0563c246895393e835d125f1b81 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-28 | map: ip4-map-t more RFC compliant | Vladimir Ratnikov | 1 | -8/+20
When MTU is not set, ignore_df and mtu check always returns true and packets are dropped. This patch puts MTU checks after it was compared with 0 and set to maximum if not set. Added trace node. If MTU is less than the total length value of the IPv4 packet plus 20, the translator MUST send an ICMPv4 "Fragmentation Needed" error message to the IPv4 source address. Type: fix Fixes: 87663cdf644fb7c94c0fec9460829b7e4e7c35ca Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I35b99bc2648984cdbf5b6a57ddec91c586b15bef
2020-01-27 | map: api: fix tag overflow and leak | Benoît Ganne | 2 | -4/+6
The 'tag' parameter is expected to be a NULL-terminated C-string in callees:
- make sure it is null-terminated in both API and CLI cases
- do not allocate & copy the string into a non-NULL-terminated vector in API case
- fix leak in CLI case
Type: fix Change-Id: I221a489a226240548cdeb5e3663bbfb94eee4600 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-01-10 | docs: Edit FEATURE.yaml files so they can be published | John DeNisco | 1 | -2/+2
Type: docs Signed-off-by: John DeNisco <jdenisco@cisco.com> Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
2020-01-03 | map: fix ip4-map-t DF behavior | Vladimir Ratnikov | 1 | -11/+12
ip4_is_fragment(header) or ip4_is_first_fragment(header) didn't change when packet with fragmentation needed arrives. This patch checks DF flag and MTU with packet length and if DF is set and length > MTU, packet is dropped. In case if ignore_df is set, DF flag makes no sense. Type: fix Fixes: d6d50cebde647f9a5ee7251a7fef977506f315d7 Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I720e25167c19a0b13ac5fdfb41b12c0bbdc00d09
2020-01-03 | nat: use SVR | Klement Sekera | 2 | -17/+20
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-14 | tests: changes for scapy 2.4.3 migration | snaramre | 1 | -1/+2
Type: fix Change-Id: I7e041b666dabd90df23a920a1f1d99db4c10ddfe Signed-off-by: snaramre <snaramre@cisco.com>
2019-12-07 | map: use explicit types in api | Ole Troan | 1 | -2/+3
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I8f01f9e71c788fbca989d43d5b87da9c33fba0b1
2019-12-05 | map: fix MAP-T ip6 port check | Matthew Smith | 2 | -5/+60
Type: fix Ticket: VPP-1804 Fix a regression introduced by 640edcd90. The port set ID on received IPv6 packets for MAP-T was being checked against the destination port. It should be checked against the source port. Added a new unit test to verify that a v6 packet with a good source port is translated and forwarded and a v6 packet with a bad source port is dropped. The important part of the test which will prevent similar future regressions is that the source port and destination port are not equal. The existing unit test used the same source and destination port which is why it did not fail when the regression was introduced. Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-12-04 | map: Fix a coverity MAP dead-code issue. | Jon Loeliger | 1 | -3/+0
Type: fix Change-Id: I5467bbe3b25b1ea3fb44157abe6e7bfb3f191e77 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2019-12-03 | map: Avoid null dereference in 'map show' and 'map del' | Jon Loeliger | 1 | -12/+22
If a map domain is created without a tag name, inspecting the map data will segfault looking for an unset name in the so-called "domain extras" vector. Enhance "show map domain" to show all map domains. Type: fix Change-Id: Ic55662b84eec58221816da270b2ef9e89c3a31c3 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2019-11-26 | map: Fix inverted 'map security check enable' CLI flag. | Jon Loeliger | 1 | -2/+2
Type: fix Fixes: 5a2e278a09726be627b8310e03f0522d60aafedf Change-Id: Ibdc2f0be44e382bfa4a8f3e16be8d6239d7a0ec1 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2019-11-19 | map: fix coverity issue 205684 | Andrew Yourtchenko | 1 | -2/+2
ip4_map_get_domain returns d0 = 0 in case of no domain, and sets error MAP_ERROR_NO_DOMAIN. Rearrange the clauses in the logical check that relies on dereferencing d0 such that boolean shortcutting takes care of not referencing the null pointer. Change-Id: I378adc120836ea920fc530808ac3c1f98ab8d593 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-11-19 | map: Fix TCP MSS clamping for MAP-E traffic. | Jon Loeliger | 2 | -2/+84
Original MSS clamp patch by Vladimir Ratnikov. Modified to apply only to TCP packets. Type: fix Test: Wrote new unit test to ensure MAP-E TCP MSS clamping. Change-Id: I77c69714a2e3cc3b7473aa12b645243bb595c2a2 Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Signed-off-by: Jon Loeliger <jdl@netgate.com>
2019-11-15 | tests: Remove the unrequired VPP IP address/prefix class wrappers | Neale Ranns | 1 | -1/+0
Type: refactor Change-Id: I204f3f8eebc5f5d5a377e91262f91c615fd00168 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-11 | ip: functional interface to ip fragmentation | Ole Troan | 5 | -214/+148
This provides a functional interface to IP fragmentation. Allowing external features to fragment. Supports arbitrary encap size, for e.g. MPLS or inner fragmentation of tunnels. This also removed dual loop in MAP that was fundamentally broken. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ia89ecec8ee3cbe2416edbe87630fdb714898c2a8 Signed-off-by: Ole Troan <ot@cisco.com>
2019-11-06 | build: add yaml file linting to make checkstyle | Paul Vinciguerra | 1 | -1/+2
Type: feature fts and trex rely on yaml config files. Verify that they are valid, so committers can catch errors early. Change-Id: Ide0bb276659119c59bdbbc8b8155e37562a648b8 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-11-05 | misc: Fix python scripts shebang line | Renato Botelho do Couto | 3 | -3/+3
Type: fix Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python' as a valid shebang line. It requires scripts to explicitly choose between python2 or python3. Change all to use python3 as suggested by Paul Vinciguerra. Depends-On: https://gerrit.fd.io/r/23170 Signed-off-by: Renato Botelho do Couto <renato@netgate.com> Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
2019-10-18 | map: python3 support in tests | Ole Troan | 1 | -8/+8
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Icbe9ca3dc738c6575fe382740a1cc9d29a4a74ff
2019-10-09 | map: use ip6-full-reassembly instead of own code | Klement Sekera | 6 | -978/+30
Remove map's implementation of reassembly and use common ip6-full-reassembly functionality. This makes it easier to maintain by removing duplicate code/functionality. Type: refactor Change-Id: I430e888b704e28c100a9ce075d1460cb529e4676 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-10-03 | map: fix DF[Don't fragment] ip4-map-t behaviour | Vladimir Ratnikov | 1 | -0/+11
This patch allows ip4-map-t plugin to drop packets if DF flag is set and packet size is bigger than MTU Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I0c1531a1f876d9efc8e7e2bff9804f298becdb68
2019-10-03 | map: fix indent-off | Klement Sekera | 1 | -121/+133
Replace erroneous INDENT-OFF with INDENT-ON and reformat code which is non-conforming wrt to code style. Type: style Change-Id: Ia3310371e96b248e5da143fad8fdca3b2fb6650b Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-10-01 | map: use SVR for MAP-T | Klement Sekera | 9 | -624/+69
This change is part of an effort to unify reassembly code. By removing shallow virtual reassembly functionality in MAP and using the common vnet provided shallow virtual reassembly, code size and complexity is reduced. Type: refactor Change-Id: Iec8edd039f7b967b53e17bb9bca228a8b452ac0c Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-09-26 | map: use SVR for MAP-E | Klement Sekera | 5 | -456/+172
This change is part of an effort to unify reassembly code. By removing shallow virtual reassembly functionality in MAP and using the common vnet provided shallow virtual reassembly, code size and complexity is reduced. Type: refactor Change-Id: I431f47d4db97154fecaeaecd6719cfc3b83cfc4a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-09-25 | api: split api generated files | Ole Troan | 4 | -129/+6
Split generation of API message enum and the typedefs into separate files, so that the type file can be included from elsewhere. Generate a C file for VPP that contains the API registration, this was previously done via X macros by the C pre-processor. This allows deleting lots of skeleton/copy paste code for each feature. plugins/flowprobe plugins/map examples/sample-plugin vnet/ipip used as Guinea pigs. Generate a C Test file for VAT, that does the same for VAT plugins. Also add support for a per-message CLI option, that is currently limited to VAT help text. option vat_help = "<help text>"; Type: refactor Change-Id: I245e3104bb76f7e1fb69a59ab20cc7c8dfcdd460 Signed-off-by: Ole Troan <ot@cisco.com>
2019-09-16 | api: autogenerate api trace print/endian | Ole Troan | 2 | -0/+6
In addition to the external vppapitrace tool, VPP itself supports dumping of API trace files. In two formats, "custom-dump" and "dump". "dump" gives a human friendly list, and "custom-dump" is meant to give a list of commands that can be fed to VAT. This patch only deals with "dump". Prior to this fix, auto-generation was only done for the basic types. This fix adds support for any type, including lists, and supports pretty-printing of enums, strings, IP addresses, MAC addresses and so on.

Usage: api trace dump <api-trace-file>

For example

Change-Id: I4e485680e6dcfce7489299ae6cf31d835071ac40

---------- trace 48 -----------
vl_api_sw_interface_set_flags_t:
  _vl_msg_id: 75
  client_index: 0
  context: 10
  sw_if_index: 1
  flags: IF_STATUS_API_FLAG_ADMIN_UP
---------- trace 49 -----------
vl_api_sw_interface_add_del_address_t:
  _vl_msg_id: 88
  client_index: 0
  context: 11
  sw_if_index: 1
  is_add: 1
  del_all: 0
  prefix: 172.16.1.1/24
---------- trace 51 -----------
vl_api_cli_inband_t:
  _vl_msg_id: 819
  client_index: 0
  context: 13
  cmd: packet-generator capture pg0 pcap /tmp/vpp-unittest-TestMAP-YhcmDX/pg0_out.pcap disable
---------- trace 58 -----------
vl_api_ip_neighbor_add_del_t:
  _vl_msg_id: 199
  client_index: 0
  context: 20
  is_add: 1
  neighbor:
    sw_if_index: 2
    flags: IP_API_NEIGHBOR_FLAG_NONE
    mac_address: 0202.0000.ff02
    ip_address: fd01:2::2

Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I5556d06008de2762e7c2d35a8b0963ae670b3db1
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
2019-09-12 | map: fix non-null-terminated C-string | Benoît Ganne | 1 | -3/+4
Type: fix Change-Id: Ia3a4693acd5eab234f60b37436c5b642b00bda46 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-09-03 | api: enforce vla is last and fixed string type | Ole Troan | 2 | -9/+8
Enforce that variable length fields are the last element of API messages. Add a 'fixed' version of string type, since dealing with multiple variable length strings turned out too painful for the C language bindings. The string type is now:
{
  string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64]
  string name[];   // Variable length string with embedded len field (vl_api_string_t)
};
The latter notation could be made available to other types as well. e.g.
{
  vl_api_address_t addresses[];
}
instead of
{
  u32 n_addr;
  vl_api_address_t addresses[n_addr];
};
Type: fix Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b Signed-off-by: Ole Troan <ot@cisco.com>
2019-08-22 | tests: move plugin tests to src/plugins/*/test | Dave Wallace | 1 | -0/+437
- Relocate plugin tests for 'make test' into src/plugins/*/test so that plugin test cases are co-located with the plugin source code. Type: refactor Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I503e6a43528e14981799b735fa65674155713f67 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-08-19 | vppapigen map: raise ValueError when fieldname is python keyword | Paul Vinciguerra | 2 | -6/+6
When working on the lb api, one of the field names was chosen as 'as' (application server). Since 'as' is a python keyword, the field was renamed to _1 in vpp_papi. This changeset instead fails early with a descriptive message, hopefully saving others time troubleshooting the issue. ValueError: Fieldname 'as' is a python keyword and is not accessible via the python API. Type: feature Change-Id: Ib048d97de0e392645540092e356cf8989848c947 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-07-31 | vppinfra: refactor test_and_set spinlocks to use clib_spinlock_t | jaszha03 | 2 | -12/+9
Spinlock performance improved when implemented with compare_and_exchange instead of test_and_set. All instances of test_and_set locks were refactored to use clib_spinlock_t when possible. Some locks e.g. ssvm synchronize between processes rather than threads, so they cannot directly use clib_spinlock_t. Type: refactor Change-Id: Ia16b5d4cd49209b2b57b8df6c94615c28b11bb60 Signed-off-by: Jason Zhang <jason.zhang2@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com> Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
2019-07-30 | vppinfra: refactor use of CLIB_MEMORY_BARRIER () | jaszha03 | 1 | -2/+2
All instances of test_and_set locks used the following sequence to release the locks:
  CLIB_MEMORY_BARRIER ();
  p->lock = 0; // p is a generic struct with a TAS lock
Use clib_atomic_release to generate more efficient assembly code. Type: refactor Change-Id: Idca3a38b1cf43578108bdd1afe83b6ebc17a4c68 Signed-off-by: Jason Zhang <jason.zhang2@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com> Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
2019-07-30 | vppinfra: conformed spinlocks to use CLIB_PAUSE | jaszha03 | 1 | -2/+3
Modified test-and-set spin locks to call CLIB_PAUSE () when spinning for code consistency. Decreases the memory bandwidth consumed. Type: fix Change-Id: I1cca4f87f44f23f257c7a35466cd2e7767072f51 Signed-off-by: Jason Zhang <jason.zhang2@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com> Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
2019-07-23 | vlib: address vlib_error_t scaling issue | Dave Barach | 1 | -1/+1
Encoding the vpp node index into the vlib_error_t as a 10-bit quantity limits us to 1K graph nodes. Unfortunately, a few nodes need 6 bit per-node error codes. Only a very few nodes have so many counters. It turns out that there are about 2K total error counters in the system, which is (approximately) the maximum error heap index. The current (index,code) encoding limits the number of interfaces to around 250, since each interface has two associated graph nodes and we have about 500 "normal, interior" graph nodes. This patch adds an error-index to node-index map, so we can store error heap indices directly in the vlib_buffer_t. Type: refactor Change-Id: I28101cad3d8750819e27b8785fc0cf71ff54f79a Signed-off-by: Dave Barach <dave@barachs.net>
2019-07-19 | fib: FIB Entry tracking | Neale Ranns | 1 | -13/+4
Instead of all clients directly RR sourcing the entry they are tracking, use a dedicated 'tracker' object. This tracker object is an entry delegate and a child of the entry. The clients are then children of the tracker. The benefit of this approach is that each time a new client tracks the entry it doesn't RR source it. When an entry is sourced all its children are updated. Thus, new clients tracking an entry is O(n^2). With the tracker as indirection, the entry is sourced only once. Type: feature Change-Id: I5b80bdda6c02057152e5f721e580e786cd840a3b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-08 | map gbp papi: match endianness of f64 | Paul Vinciguerra | 1 | -5/+3
clib_net_to_host_f64, clib_host_to_net_f64 are now implemented as '=', https://gerrit.fd.io/r/#/c/20406/ set papi to match.
- all f64 api references are now wrapped with clib_net_to_host_f64 or clib_host_to_net_f64. IEEE f64 endianness is not defined. If clib_net_to_host_f64 and clib_host_to_net_f64 are later defined in VPP as big-endian, it is a single character change in the papi vpp_serializer. Note: This breaks the api in a manner that would not be detected by the flag day initiative. The scope is small. This only impacts map.api, which applied the u64 transformation, while the gbp api uses '='. The implementation of "=" raises issues for the papi socket implementation if used between systems of differing endianness. See Vratko's comments.
- Added get_f64_endian_value() to api to allow client to verify endianness of f64's.
Type: fix Depends-on: https://gerrit.fd.io/r/#/c/20484/ Change-Id: I00fc64a6557ba0190398df211aa0ea5c7eb101df Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-06-26 | api: refactor format_vl_api_prefix_t return keys | Paul Vinciguerra | 1 | -6/+6
format_vl_api_prefix_t returns a dict with keys 'address' and 'address_length', but other format_vl_api_prefix functions return a dict with 'prefix', and 'len'. Refactor all format_vl_api_prefix_t to return consistent keys 'address' and 'len'. Type: refactor Change-Id: I5f9558fc2da8742a303266e011102f5b2db80aad Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-06-26 | api: Remove the inlines file and replace with library functions | Neale Ranns | 1 | -1/+0
using inlines exposes the users to the internal data types used by VPP, namely vec.h. This file does not compile with a C++ compiler. Type: feature Change-Id: I1544fdd9eae998309f865df61df78571bdb96903 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18 | api: string type to convert to vector | Ole Troan | 3 | -23/+18
Previous use of strndup() required user to remember to call free(). Now return a vector pointing directly to the API message string. Of course user must remember to copy the string out if lifetime is longer than API message lifetime. Change-Id: Ib5e2b3d52d258e1a42ea9ea9a9e04abbe360e2bf Type: fix Signed-off-by: Ole Troan <ot@cisco.com>