Age | Commit message (Collapse) | Author | Files | Lines |
|
Before this patch, packet was dropped in ip4-input,
but ip4-map-t node dropped response due to
'security check failed'
This patch checkes if hop_limit==1 and sets error
and next frame and sends icmp6 response correctly
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85
|
|
Translation of ICMPv6 error messages to ICMP error messages fails
because the sender port is not set that leads to securtiy check
failure.
With this commit, during ICMPv6 error messages translation, get the
sender port value from the inner packet.
Type: fix
Change-Id: I1ee295a3685fab4837172edfb629a699f49afbee
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
ICMP error messages are translated to ICMPv6 error messages with
erroneous destination address in the outer IPv6 header because sender
port is used instead of receiver port.
Both source and destination addresses in the inner IPv6 header are
translated erroneously because source and destination addresses of the
inner IPv4 header are getting zeroed during the translation.
With this commit, use receiver port for translation and save addresses
of the inner IPv4 header before translation of the inner header.
Type: fix
Change-Id: I1e93d54c1bbc154b401adcbb0fb661299655d01a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
type should be used to get ICMP type instead of code.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Iabf4ae38befde18309caff8efd9e1d956a2fde82
|
|
Without this patch offset for TCP/UDP headers was not calculated
correctly if there is one or more IPv6 extension headers.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I04d6f5e42f8f072987192d6236085afbd74a4420
|
|
With this commit, forward the translated packet directly to the
specified next-hop if pre-resolve param is enabled in MAP-T.
Type: fix
Change-Id: Ie26080c7820318c7982599577a4af6e4d01a0574
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
With this commit, send ICMPv6 unreachable messages back if security
check fails and icmp6-unreachables param enabled in MAP-T.
Type: fix
Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
The first translated ICMPv6 packet of a fragmented ICMP message does
not have a IPv6 fragment header. All subsequent have.
With this commit, add a IPv6 fragment header to the first translated
ICMPv6 packet.
Type: fix
Change-Id: Id89409ce7273cbeed801e2e18a09d3e7c3c4e4bc
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Add several more MAP-T BR tests for normal packet flow.
Type: test
Change-Id: Ica880dd23c923795279e9d08dca2796f2925069a
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Prevent malicious packets with spoofed embedded IPv4 addresses
by limiting the IPv6 ingress packets to known MAP-T domains.
Drop spoofed packets.
Add several tests that ensure spoofing isn't allowed.
Type: fix
Fixes: fc7344f9be
Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
With this commit, ICMP Time Exceeded is sent to sender when TTL
expires at MAP BR.
Type: fix
Change-Id: I8effe163beab32596883127b819308cc355512c3
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: test
Change-Id: I5522e88ee178d0563c246895393e835d125f1b81
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
When MTU is not set, ignore_df and mtu check
always returns true and packets are dropped.
This patch puts MTU checks after it was
compared with 0 and set to maximum if not set.
Added trace node.
If MTU is less than the total length value of
the IPv4 packet plus 20, the translator MUST
send an ICMPv4 "Fragmentation Needed" error message
to the IPv4 source address
Type: fix
Fixes: 87663cdf644fb7c94c0fec9460829b7e4e7c35ca
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I35b99bc2648984cdbf5b6a57ddec91c586b15bef
|
|
The 'tag' parameter is expected to be a NULL-terminated C-string in
callees:
- make sure it is null-terminated in both API and CLI cases
- do not allocate & copy the string into a non-NULL-terminated vector
in API case
- fix leak in CLI case
Type: fix
Change-Id: I221a489a226240548cdeb5e3663bbfb94eee4600
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: docs
Signed-off-by: John DeNisco <jdenisco@cisco.com>
Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
|
|
ip4_is_fragment(header)
or ip4_is_first_fragment(header) didn't changed
when packet with fragmentation needed arrives.
This patch checks DF flag and MTU with packet
length and if DF is set and length > MTU, packet
is dropped. In case if ignore_df is set, DF flag
makes no sense.
Type: fix
Fixes: d6d50cebde647f9a5ee7251a7fef977506f315d7
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I720e25167c19a0b13ac5fdfb41b12c0bbdc00d09
|
|
Remove NAT's implementation of shallow virtual reassembly with
corresponding CLIs, APIs & tests. Replace with standalone shallow
virtual reassembly provided by ipX-sv-reass* nodes.
Type: refactor
Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Change-Id: I7e041b666dabd90df23a920a1f1d99db4c10ddfe
Signed-off-by: snaramre <snaramre@cisco.com>
|
|
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I8f01f9e71c788fbca989d43d5b87da9c33fba0b1
|
|
Type: fix
Ticket: VPP-1804
Fix a regression introduced by 640edcd90.
The port set ID on received IPv6 packets for MAP-T was being
checked against the destination port. It should be checked
against the source port.
Added a new unit test to verify that a v6 packet with a good
source port is translated and forwarded and a v6 packet with
a bad source port is dropped. The important part of the test
which will prevent similar future regressions is that the
source port and destination port are not equal. The existing
unit test used the same source and destination port which is
why it did not fail when the regression was introduced.
Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Change-Id: I5467bbe3b25b1ea3fb44157abe6e7bfb3f191e77
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
If a map domain is created without a tag name, inspecting
the map data will segfault looking for an unset name in
the so-called "domain extras" vector.
Enhance "show map domain" to show all map domains.
Type: fix
Change-Id: Ic55662b84eec58221816da270b2ef9e89c3a31c3
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Type: fix
Fixes: 5a2e278a09726be627b8310e03f0522d60aafedf
Change-Id: Ibdc2f0be44e382bfa4a8f3e16be8d6239d7a0ec1
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
ip4_map_get_domain returns d0 = 0 in case of no domain,
and sets error MAP_ERROR_NO_DOMAIN. Rearrange the clauses
in the logical check that relies on dereferencing d0
such that boolean shortcutting takes care of not
referencing the null pointer.
Change-Id: I378adc120836ea920fc530808ac3c1f98ab8d593
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Original MSS clamp patch by Vladimir Ratnikov.
Modified to apply only to TCP packets.
Type: fix
Test: Wrote new unit test to ensure MAP-E TCP MSS clamping.
Change-Id: I77c69714a2e3cc3b7473aa12b645243bb595c2a2
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Type: refactor
Change-Id: I204f3f8eebc5f5d5a377e91262f91c615fd00168
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This provides a functional interface to IP fragmentation.
Allowing external features to fragment. Supports
arbitrary encap size, for e.g. MPLS or inner fragmentation
of tunnels.
This also removed dual loop in MAP that was fundamentally broken.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ia89ecec8ee3cbe2416edbe87630fdb714898c2a8
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
fts and trex rely on yaml config files. Verify
that they are valid, so comitters can catch
errors early.
Change-Id: Ide0bb276659119c59bdbbc8b8155e37562a648b8
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: fix
Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python'
as a valid shebang line. It requires scripts to explicitly chose
between python2 or python3.
Change all to use python3 as suggested by Paul Vinciguerra.
Depends-On: https://gerrit.fd.io/r/23170
Signed-off-by: Renato Botelho do Couto <renato@netgate.com>
Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
|
|
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Icbe9ca3dc738c6575fe382740a1cc9d29a4a74ff
|
|
Remove map's implementation of reassembly and use common
ip6-full-reassembly functionality. This makes it easier to maintain by
removing duplicate code/functionality.
Type: refactor
Change-Id: I430e888b704e28c100a9ce075d1460cb529e4676
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This patch allows ip4-map-t plugin to drop
packets if DF flag is set and packet size
is bigger than MTU
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I0c1531a1f876d9efc8e7e2bff9804f298becdb68
|
|
Replace erroneous INDENT-OFF with INDENT-ON and reformat code which is
non-conforming wrt to code style.
Type: style
Change-Id: Ia3310371e96b248e5da143fad8fdca3b2fb6650b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This change is part of an effort to unify reassembly code. By removing
shallow virtual reassembly functionality in MAP and using the common
vnet provided shallow virtual reassembly, code size and complexity
is reduced.
Type: refactor
Change-Id: Iec8edd039f7b967b53e17bb9bca228a8b452ac0c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This change is part of an effort to unify reassembly code. By removing
shallow virtual reassembly functionality in MAP and using the common
vnet provided shallow virtual reassembly, code size and complexity is
reduced.
Type: refactor
Change-Id: I431f47d4db97154fecaeaecd6719cfc3b83cfc4a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Split generation of API message enum and the typedefs into
separate files, so that the type file can be included from
elsewhere.
Generate a C file for VPP that contains the API registration,
this was previously done via X macros by the C pre-
processor.
This allows deleting lots of skeleton/copy paste code
for each feature.
plugins/flowprobe
plugins/map
examples/sample-plugin
vnet/ipip
used as Guinea pigs.
Generate a C Test file for VAT, that does the same for VAT plugins.
Also add support for a per-message CLI option, that is currently
limited to VAT help text. option vat_help = "<help text>";
Type: refactor
Change-Id: I245e3104bb76f7e1fb69a59ab20cc7c8dfcdd460
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
In addition to the external vppapitrace tool, VPP itself supports dumping of API trace files.
In two formats, "custom-dump" and "dump". "dump" gives a human friendly list,
and "custom-dump" is meant to give a list of commands that can be fed to VAT.
This patch only deals with "dump".
Prior to this fix, auto-generation was only done for the basic types.
This fix adds support for any type, including lists, and supports pretty-printing
of enums, strings, IP addresses, MAC addresses and so on.
Usage: api trace dump <api-trace-file>
For example
Change-Id: I4e485680e6dcfce7489299ae6cf31d835071ac40
---------- trace 48 -----------
vl_api_sw_interface_set_flags_t:
_vl_msg_id: 75
client_index: 0
context: 10
sw_if_index: 1
flags: IF_STATUS_API_FLAG_ADMIN_UP
---------- trace 49 -----------
vl_api_sw_interface_add_del_address_t:
_vl_msg_id: 88
client_index: 0
context: 11
sw_if_index: 1
is_add: 1
del_all: 0
prefix: 172.16.1.1/24
---------- trace 51 -----------
vl_api_cli_inband_t:
_vl_msg_id: 819
client_index: 0
context: 13
cmd: packet-generator capture pg0 pcap /tmp/vpp-unittest-TestMAP-YhcmDX/pg0_out.pcap disable
---------- trace 58 -----------
vl_api_ip_neighbor_add_del_t:
_vl_msg_id: 199
client_index: 0
context: 20
is_add: 1
neighbor:
sw_if_index: 2
flags: IP_API_NEIGHBOR_FLAG_NONE
mac_address: 0202.0000.ff02
ip_address: fd01:2::2
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I5556d06008de2762e7c2d35a8b0963ae670b3db1
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Change-Id: Ia3a4693acd5eab234f60b37436c5b642b00bda46
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Enforce that variable length fields are the last element of API messages.
Add a 'fixed' version of string type, since dealing with
multiple variable length strings turned out too painful
for the C language bindings.
The string type is now:
{
string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64]
string name[]; // Variable length string with embedded len field (vl_api_string_t)
};
The latter notation could be made available to other types as well.
e.g.
{
vl_api_address_t addresses[];
}
instead of
{
u32 n_addr;
vl_api_address_t addresses[n_addr];
};
Type: fix
Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
- Relocate plugin tests for 'make test' into
src/plugins/*/test so that plugin test cases
are co-located with the plugin source code.
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I503e6a43528e14981799b735fa65674155713f67
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
When working on the lb api, one of the field names was chosen as 'as'
(application server). Since 'as' is a python keyword, the field was
renamed to _1 in vpp_papi.
This changeset instead fails early with a descriptive message,
hopefully saving others time troubleshooting the issue.
ValueError: Fieldname 'as' is a python keyword and
is not accessible via the python API.
Type: feature
Change-Id: Ib048d97de0e392645540092e356cf8989848c947
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Spinlock performance improved when implemented with compare_and_exchange
instead of test_and_set. All instances of test_and_set locks were refactored
to use clib_spinlock_t when possible. Some locks e.g. ssvm synchronize
between processes rather than threads, so they cannot directly use
clib_spinlock_t.
Type: refactor
Change-Id: Ia16b5d4cd49209b2b57b8df6c94615c28b11bb60
Signed-off-by: Jason Zhang <jason.zhang2@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
|
|
All instances of test_and_set locks used the following sequence
to release the locks:
CLIB_MEMORY_BARRIER ();
p->lock = 0; // p is a generic struct with a TAS lock
Use clib_atomic_release to generate more efficient assembly code.
Type: refactor
Change-Id: Idca3a38b1cf43578108bdd1afe83b6ebc17a4c68
Signed-off-by: Jason Zhang <jason.zhang2@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
|
|
Modified test-and-set spin locks to call CLIB_PAUSE () when spinning
for code consistency. Decreases the memory bandwidth consumed.
Type: fix
Change-Id: I1cca4f87f44f23f257c7a35466cd2e7767072f51
Signed-off-by: Jason Zhang <jason.zhang2@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Reviewed-by: Lijian Zhang <Lijian.Zhang@arm.com>
|
|
Encoding the vpp node index into the vlib_error_t as a 10-bit quantity
limits us to 1K graph nodes. Unfortunately, a few nodes need 6 bit
per-node error codes. Only a very few nodes have so many counters.
It turns out that there are about 2K total error counters in the system,
which is (approximately) the maximum error heap index.
The current (index,code) encoding limits the number of interfaces to
around 250, since each interface has two associated graph nodes and we
have about 500 "normal, interior" graph node
This patch adds an error-index to node-index map, so we can store
error heap indices directly in the vlib_buffer_t.
Type: refactor
Change-Id: I28101cad3d8750819e27b8785fc0cf71ff54f79a
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Instead of all clients directly RR sourcing the entry they are tracking,
use a deidcated 'tracker' object. This tracker object is a entry
delegate and a child of the entry. The clients are then children of the
tracker.
The benefit of this aproach is that each time a new client tracks the
entry it doesn't RR source it. When an entry is sourced all its children
are updated. Thus, new clients tracking an entry is O(n^2). With the
tracker as indirection, the entry is sourced only once.
Type: feature
Change-Id: I5b80bdda6c02057152e5f721e580e786cd840a3b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
clib_net_to_host_f64, clib_host_to_net_f64 are now implemented as '=',
https://gerrit.fd.io/r/#/c/20406/ set papi to match.
- all f64 api references are now wrapped with
clib_net_to_host_f64 or clib_host_to_net_f64.
IEEE f64 endianess is not defined. If clib_net_to_host_f64 and
clib_host_to_net_f64 are later defined in VPP as big-endian, it is
a single character change in the papi vpp_serializer.
Note: This breaks the api in a manner that would not be detected by
the flag day initiative. The scope is small. This only impacts map.api,
which applied the u64 transformation, while the gbp api uses '='.
The implementation of "=" raises issues for the papi socket implementation
if used between systems of differing endianess. See Vratko's comments.
- Added get_f64_endian_value() to api to allow client to verify endianess of f64's.
Type: fix
Depends-on: https://gerrit.fd.io/r/#/c/20484/
Change-Id: I00fc64a6557ba0190398df211aa0ea5c7eb101df
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
format_vl_api_prefix_t returns a dict with keys 'address' and 'address_length',
but other format_vl_api_prefix functions return a dict with 'prefix', and 'len'.
Refactor all format_vl_api_prefix_t to return consistent keys 'address' and 'len'.
Type: refactor
Change-Id: I5f9558fc2da8742a303266e011102f5b2db80aad
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
using inlines exposes the users to the internal data types used by VPP, namely vec.h. This file does not compile with a C++ compiler.
Type: feature
Change-Id: I1544fdd9eae998309f865df61df78571bdb96903
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Previous use of strndup() required user to remember to call free().
Now return a vector pointing directly to the API message string.
Of course user must remember to copy the string out if lifetime
is longer than API message lifetime.
Change-Id: Ib5e2b3d52d258e1a42ea9ea9a9e04abbe360e2bf
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
|