path: root/src/plugins/vrrp
Age | Commit message | Author | Files | Lines
2021-09-08 | vrrp: fix source address on advertisements | Matthew Smith | 1 | -2/+13
Type: fix
Advertisements are dropped by anti spoofing check in some situations.
When a VR has "accept mode" enabled, we must add the virtual IP addresses to the interface when the VR transitions to master state. When this happens, fib_sas4_get() starts selecting the newly added virtual IP address as the source address for packets sent on the interface, so advertisements are sent with that source address. When the virtual IP address is being used as a NAT pool address on a peer in the backup state, the peer sees the address as a local address and drops incoming advertisements with that source address.
RFC 5798 section 5.1.1.1 says advertisements should use the primary IPv4 address of the interface they are being sent on as the source IP address. Since the virtual IP address is only temporarily added while the VR is in the master state, the virtual IP address should probably not be considered the primary address of the interface.
The definition of Primary IP Address in section 1.6 says that selecting the first address is a valid selection algorithm. Do that instead of calling fib_sas4_get().
Change-Id: Id92f0e3237c7fd491dd8d695bb27307d494f8573
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-06-26 | vrrp: prevent segfault in multicast join due to missing LL Addr | Jon Loeliger | 1 | -2/+5
If an IPv6 Link Layer Address is missing from an interface, treat it as a down interface. While this fails to send a VRRP multicast group join, it also prevents a seg fault.
Type: fix
Fixes: 39e9428b90bc74d1bb15fc17759c8ef6ad712418
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Iebf69bb30604a96de6587655eb872aa818158a56
2021-05-13 | tests: move test source to vpp/test | Dave Wallace | 1 | -1293/+0
- Generate copyright year and version instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
2021-05-01 | vlib: refactor trajectory trace debug feature | Benoît Ganne | 1 | -3/+0
trajectory trace has been broken for a while because we used to save the buffer trajectory in a vector pointed to in opaque2. This does not work well when opaque2 is copied (eg. because of a clone) as 2 buffers end up sharing the same vector. This dedicates a full cacheline in the buffer metadata instead when trajectory is compiled in. No dynamic allocation, no sharing, no tears.
Type: refactor
Change-Id: I6a028ca1b48d38f393a36979e5e452c2dd48ad3f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-04-27 | vrrp: increase stack size of process node | Matthew Smith | 1 | -2/+2
Type: fix
The process node which wakes up when a timer expires and transitions a backup node to master state may call a function to add a MAC address to an interface. This works fine for some devices, but with DPDK 20.11 on i40e interfaces, the i40e PMD functions which enact the change cause the stack to be exhausted. Increase the stack size for the node.
Change-Id: I824603e162f4f6d680486706210986572f0d9845
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-04-15 | vrrp: refactor test | Paul Vinciguerra | 1 | -36/+38
Move scapy packet generation code out of vpp object and into the test case.
Type: test
Change-Id: Ib4de7409eefb79fc59f9815bed3befe5ecde483c
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-12-14 | misc: move to new pool_foreach macros | Damjan Marion | 3 | -21/+20
Type: refactor
Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772
Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-08 | fib: Source Address Selection | Neale Ranns | 2 | -6/+5
Type: feature
Use the FIB to provide SAS (in so far as it is today)
- Use the glean adjacency as the record of the connected prefixes
  = there's a glean per-{interface, protocol, connected-prefix}
- Keep the glean up to date with whatever the receive host prefix is (since it can change)
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
Change-Id: I0f3dd1edb1f3fc965af1c7c586709028eb9cdeac
2020-10-24 | vrrp: asynchronous events on VR state change | Matthew Smith | 5 | -22/+128
Type: feature
Add API message for an API client to subscribe/unsubscribe to receive an event when a VRRP VR changes state. Add code to build and send the events.
Change-Id: Ie92cadd4850d4352c1aaa79c4b0a7daa0f3b04e7
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-10-07 | misc: Purge unused pg includes | Neale Ranns | 1 | -1/+0
Type: style
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-09-21 | vrrp: set up multicast for both address families | Matthew Smith | 1 | -2/+14
Type: fix
When a VR is added, multicast accept routes are added which allow inbound packets sent to the VRRP group address on the interface of the VR so advertisements from peers can be received. If this is the first VR added, also add a local forward route for the VRRP group address so the packets will be processed by the VRRP input nodes.
When deciding whether to add/delete the local forward route, the total number of VRs configured was being checked. If there are no VRs configured initially and a VR is added for IPv4, this check would correctly see that this was the first VR and add an IPv4 route. If an IPv6 VR was configured subsequently, this check would find that a VR was already configured and incorrectly decide that no route needed to be added and IPv6 VRRP advertisements from peers would be dropped as a result. The opposite would occur if you first added an IPv6 VR followed by adding an IPv4 VR - whichever address family was added first would work correctly and the other one would not work.
Since a route is needed for each address family, check on the per address family count of VRs when deciding whether to add/delete the local forward route instead of checking on the global count of VRs.
Change-Id: I851a7ef8a4f9e4e370d08b0832284a13387eb083
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-09-04 | vrrp: improve RFC compliance for ARP/ND | Matthew Smith | 2 | -38/+48
Type: fix
The ARP/ND feature nodes reply to requests for a VR virtual IP address when a VR is in the master state. If the VR is in the backup state, the request is passed to the next node on the feature arc. This can cause an incorrect response to be sent. If some other feature (e.g. NAT) causes a virtual IP address to be configured as a "local" address on the system, a later node on the feature arc may respond to an ARP/ND request with the real MAC address of the interface.
RFC 5798 says that a router must respond to ARP/ND requests for VR virtual IP addresses with the VR virtual MAC address. And it says a router must not respond to ARP/ND requests for VR virtual IP addresses when the VR is in the backup state.
Ensure that ARP/ND requests for VR virtual IP addresses are dropped when in the backup state rather than allowing them to continue on the feature arc where another node may end up responding. In order to do this, enable/disable the feature nodes when leaving or entering the init state instead of the master state.
Change-Id: I416f83e125cbf91deb90c3b6eb00ba3207de24ad
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-08-07 | vrrp: change init of vrrp key in VR lookup | Matthew Smith | 1 | -5/+7
Type: fix
A struct that is used as a hash key was being initialized in its declaration. On CentOS 8 this caused some hash lookups to fail. This seems to be caused by uninitialized padding. Use clib_memset() to initialize the key with 0's to avoid the issue.
Change-Id: I00555c201a1ab34133971313ba14f20f4e867a30
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-07-02 | vrrp: fix feature declaration for v6 accept-mode | Matthew Smith | 1 | -1/+1
Type: fix
The v6 accept mode input feature was being declared with the node added to ip4-multicast instead of ip6-multicast. Add to the correct arc.
Change-Id: I08f6e5e7dde84a37687fa0af750a7a16fe537ea6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-06-27 | vrrp: backup processes priority 255 advertisement | Matthew Smith | 2 | -1/+381
Type: fix
When accept mode is enabled, a backup VR will configure the VR virtual addresses locally and respond to packets sent to those addresses. This did not work when the primary VR is the address owner and sends advertisements using the virtual address as the source address. It also did not work when NAT was configured on the interface with the virtual address as the NAT pool address. In both cases, advertisements from other VRs would arrive and be dropped because they appeared to be spoofed - the source address would be an address that is configured as an interface address on the instance receiving it.
When accept mode is enabled for a VR and the VR enters the master state, add an input feature on ip[46]-multicast for the interface which looks for VRRP advertisements, figures out whether they are for a VR which is configured with accept mode and is in the master state and kicks them straight to the VRRP nodes to avoid dropping them.
Change-Id: I240ba1ee0b3fd6d693de729698c1181dc71bb08b
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-04-06 | misc: fix python sonarcloud BLOCKER level issues | Paul Vinciguerra | 1 | -4/+5
Fix of the top 11 python issues flagged as BLOCKER.
Ticket: VPP-1856
Type: fix
Change-Id: Icf4691e62f4a69d6ee196b6d6e2ab52d961b5c76
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-03 | ip: remove vl_api_address_family_t byte order swap | Jakub Grajciar | 1 | -4/+4
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I8074db3623ee4b37ac70ce8ea0d1912b97e5c059
2020-03-12 | vrrp: unit tests do not run by default | Matthew Smith | 1 | -1/+3
Type: fix
Fixes: 39e9428b90
VRRP unit tests fail sometimes for changes which have not touched any code related to VRRP. There were some timing-related changes recently which probably made the VRRP tests, which rely on a VR changing state within a certain amount of time, start failing.
Set the VRRP tests to only run with the extended tests rather than running by default. This is temporary so VRRP will not cause spurious build failures while a proper solution is figured out.
Change-Id: I5826ea39b944dfb9b0ca4bdfa2ebbe86d269f935
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-02-28 | vrrp: fix api-related coverity warnings | Dave Barach | 2 | -1/+11
Type: fix
Ticket: VPP-1837
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I13c0e4771defaebccc976a6f6703493de29434dd
2020-02-21 | vrrp: fix coverity errors | Matthew Smith | 2 | -1/+12
Type: fix
Fixes: 39e9428b90
Fix warnings about potential problems with an implicit type cast and a null pointer dereference.
Change-Id: I8c8d220e79ba45b62ba783cfe53cb49eef175fc8
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-02-18 | vrrp: do not define _details as autoreply | Vratko Polak | 1 | -4/+3
Without this, _details_reply messages also end up defined; which is not intended, as there are no _details_t_handler functions.
Type: fix
Fixes: 39e9428b90bc74d1bb15fc17759c8ef6ad712418
Change-Id: Id052b00b00623ca92e5ddce4cc5e1bdfbb1031db
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-02-14 | vrrp dns: fix coverity warnings | Dave Barach | 2 | -1/+8
Type: fix
Ticket: VPP-1837
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I0d164147173b452fee7e720e01e6a9991f43b64a
2020-02-13 | vrrp: add plugin providing vrrp support | Matthew Smith | 17 | -0/+6872
Type: feature
Add a new plugin to support HA using VRRPv3 (RFC 5798).
Change-Id: Iaa2c37e6172f8f41e9165f178f44d481f6e247b9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>