aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2022-10-24docs: update cnat docs to current vpp versionMiguel Borges de Freitas1-5/+13
The documentation for the cnat plugin is highly outdated specially on the snat section. Type: docs Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com> Change-Id: I30b0c6295d3c812b636374753af3c37f29b0cc53 (cherry picked from commit 938bff8084d6f79b368fabd4a60b49117cad11be)
2022-10-20crypto-sw-scheduler: fix queue iteratorVladimir Ratnikov1-0/+10
When there are several workers, iterator can and will skip head iterator and it will last until BARRIER_SYNC_TIMEOUT won't expire and will cause SIGABRT with `worker thread deadlock` Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Id4def4d5894e077ae27592367b141ecd822e86af Signed-off-by: Matthew Smith <mgsmith@netgate.com> (cherry picked from commit 65bff88c3671ec6ee561e70f17c60ea9784a39dd)
2022-10-17vlib: Counter free needs to NULL the allocated counter vectorNeale Ranns1-0/+6
otherwise the next time the counter is validated this is dangling. Type: fix Fixes: 58fd481d73 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifa8d5ff27175cf6dfb30cbf023fa3251fe5c780e (cherry picked from commit 80c0ae24378f249b3be9a02774d844c13143cd99)
2022-10-05rdma: unhackish build of rdma-coreMohammed Hawari2-11/+5
Change-Id: I2040b560b2a00f8bd176ae6ad46035678a2b249e Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> (cherry picked from commit 45e4e9444d961351178ee108b20525a9c929902d)
2022-09-20nat: adding docs for nat44-ed sub pluginFilip Varga1-0/+729
Type: docs Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056 Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-09-19cnat: coverity fixNathan Skrzypczak1-0/+4
Type: fix Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2022-09-19abf: add API parameter n_paths range checksJon Loeliger3-43/+56
Also check for non-zero rpath length in CLI cmd. While there, no need to use "else" after a return. Also while there, notice and fix numerous input_line buffer leaks and fix them. Type: fix Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8
2022-09-19linux-cp: fix some CLI error messagesMatthew Smith1-79/+71
Type: fix If unrecognized input was provided to the commands which add or delete a pair, the error message was being created incorrectly and only displayed something like "unknown input `'". Provide the correct argument to format_unformat_error so that the actual unrecognized input is printed. There also was no error or useful information printed if only the base command were provided without any additional arguments. This should print a warning about what required data was missing. Reorganize code to handle this and to make sure that memory gets freed appropriately. Change-Id: If454714f50cf41b3b56cfadfbf017f1d160e13a4 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-09-18lisp: fix coverity 277315Andrew Yourtchenko1-0/+5
Handle the case of the mapping not being found by GID. Type: fix Change-Id: Ibce3b9e8419c0dddca97b4d0d5a71f25dfd529d8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-09-15prom: fix coverity 277312, 277317Andrew Yourtchenko1-0/+2
If one attempts to add a pattern with zero length, first time it will succeed, and the second time it will cause an invalid memcmp call. Solution: do not allow to add zero-length patterns. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ic08e021486153be605a4b12a2fe4422307bf68d2
2022-09-15nat: fix nat44-ed port range with multiple workersVladislav Grishenko4-8/+15
The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisable by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to existing worker and dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-09vlib: don't leak node frames on reforkDmitry Valter1-2/+1
Free node frames in worker mains on refork. Otherwise these frames are never returned to free pool and it causes massive memory leaks if performed under traffic load Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
2022-09-09nat: fix nat44-ed-in2out fast path next nodeJing Peng1-1/+1
When a session is found expired, the next node of in2out fast path should be in2out slow path instead of out2in slow path. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: If1dd920502089c25b33bea5434823b0496a44499
2022-09-08wireguard: eliminate some calls to main threadMatthew Smith1-4/+10
Type: improvement Roaming functionality allows the peer address to change. The main thread was being called to update a peer's address if necessary after processing a received packet. Check in the worker whether this is necessary before incurring the overhead of the RPC to the main thread. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I02184b92dc658e0f57dd39993a3b2f9944187b45
2022-09-08avf: check for VLAN_TOGGLE capabilityMohammed Hawari1-0/+6
The ability to modify the vlan setting must be checked prior to using VIRTCHNL_OP_DISABLE_VLAN_STRIPPING_V2 both for inner and outer vlan stripping Change-Id: Iffe306c34b81a6077ad6ba5deb3f5b61b5475897 Type: fix Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-09-07dpdk-cryptodev: reduce request to enable asyncGabriel Oginski1-1/+0
Originally initialization cryptodev device(s) calls double request to enabled async mode and increased ref count twice for async mode. Due to this cannot be change any assigned async handlers to other async crypto engine. The fixes reduce double request to enable async mode in initialization cryptodev device(s) and VPP can be change assigned async handlers to other crypto engine after disabled all async feature, for example: ipsec, wireguard. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: If22e682c3c10de781d05c2e09b5420f75be151c3
2022-09-06vrrp: fix cli functions according to short_helpluoyaozu1-0/+6
test output before fix: DBGvpp# vrrp proto start sw_if_index 1 vr_id 1 vrrp proto: unknown input `sw_if_index 1 vr_id 1' DBGvpp# vrrp vr track-if add sw_if_index 1 vr_id 1 track-index 1 priority 30 vrrp vr track-if: Please specify an interface Type: fix Signed-off-by: luoyaozu <luoyaozu@foxmail.com> Change-Id: Ib8ba67e920b23008d9246318ec8f8f17bf0bea95
2022-08-31nat: fix coverity 249194Andrew Yourtchenko1-1/+1
Zero-initialize a variable. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Iccf2eb4bf26755d6cd93fc70df3c5481d69ce7eb
2022-08-31nat: fix coverity 249178Andrew Yourtchenko1-1/+1
Zero-initialize the variable Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4ee127ac3e2a3beffa11bbc96db1f3254b3f7c5d
2022-08-31pppoe: fix coverity 218437, 218401Andrew Yourtchenko1-0/+3
Initialize the session index in case of error to ~0, so is defined in case trace needs to copy it. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Iddf6df42c09d2abc11e5821944eb4f41692e6e3e
2022-08-30dma_intel: fix the wrong unformat typeHaiyue Wang1-1/+1
The unformat type for "%d" should be u32 or int, otherwise the 'did' in high stack address will be overflow to zero by the 'qid' which is in the low stack address. Like input "dev wq3.2" will return "did=0, qid=2". Type: fix Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> Change-Id: I0fe1d5b03e2c47e0a7925193e2c2f1ccc31d3e90
2022-08-30memif: Process bad descriptors correctly in memif_process_descSteven Luong1-10/+35
When there is a bad descriptor, it may in the beginning, in the middle, or at the end of the batch if the batch has more than 3 descriptors. When processing a bad descriptor is encountered in the batch, we need to rollback n_buffers in memif_process_desc(), or the statement in the same function memif_add_copy_op (ptd, mb0 + src_off, bytes_to_copy, dst_off, n_buffers - 1); is wrong because it picks up the wrong buffer_vec_index of the bad descriptor while parsing a good descriptor immediately following the bad descriptor. n_buffers was incremented in the beginning of while (n_left) loop. The other problem is we should count the number of bad packets and reduce ptd->n_packets to get the correct number of packets for subsequent processing in device_input. The last fix is to check if n_buffers == 0 in device_input and skip doing any descriptor copy. This case can happen when all the descriptors are bad in the batch. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I28ed1d87236b045657006755747b5750a9a733be
2022-08-29nat: fix coverity 249202Benoît Ganne1-2/+2
In case of a bad packet, the bihash kv is not initialized before being copied in the trace. Make sure it is initialized to 0. Type: fix Change-Id: I22fcfe99f3586d0fa128493059547a56557b8fb5 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-26linux-cp: fix coverity 216937Andrew Yourtchenko1-1/+1
Initialize the host_sw_if_index to ~0 so in the error cases the variable is set to something predictable. Type: fix Change-Id: Ic55e4f0cbfa286e85dfb54b89b5321af18a439a1 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-08-26nsh: fix coverity 249201Andrew Yourtchenko1-1/+1
Zero-initialize the temporary struct, else a->map.adj_index is being used unset. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ia02636ea1e911250d6aa5e413de48e1e09863880
2022-08-25vlib: introduce DMA infrastructureMarvin Liu6-0/+890
This patch introduces DMA infrastructure into vlib. This is well known that large amount of memory movements will drain core resource. Nowadays more and more hardware accelerators were designed out for freeing core from this burden. Meanwhile some restrictions still remained when utilizing hardware accelerators, e.g. cross numa throughput will have a significant drop compared to same node. Normally the number of hardware accelerator instances will less than cores number, not to mention that applications number will even beyond the number of cores. Some hardware may support share virtual address with cores, while others are not. Here we introduce new DMA infrastructure which can fulfill the requirements of vpp applications like session and memif and in the meantime dealing with hardware limitations. Here is some design backgrounds: Backend is the abstract of resource which allocated from DMA device and can do some basic operations like configuration, DMA copy and result query. Config is the abstract of application DMA requirement. Application need to request an unique config index from DMA infrastructure. This unique config index is associated with backend resource. Two options cpu fallback and barrier before last can be specified in config. DMA transfer will be performed by CPU when backend is busy if cpu fallback option is enabled. DMA transfer callback will be in order if barrier before last option is enabled. We constructs all the stuffs that DMA transfer request needed into DMA batch. It contains the pattern of DMA descriptors and function pointers for submission and callback. One DMA transfer request need multiple times batch update and one time batch submission. DMA backends will assigned to config's workers threads equally. Lock will be used for thread-safety if same backends assigned to multiple threads. Backend node will check all the pending requests in worker thread and do callback with the pointer of DMA batch if transfer completed. Application can utilize cookie in DMA batch for selves usage. DMA architecture: +----------+ +----------+ +----------+ +----------+ | Config1 | | Config2 | | Config1 | | Config2 | +----------+ +----------+ +----------+ +----------+ || || || || +-------------------------+ +-------------------------+ | DMA polling thread A | | DMA polling thread B | +-------------------------+ +-------------------------+ || || +----------+ +----------+ | Backend1 | | Backend2 | +----------+ +----------+ Type: feature Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: I1725e0c26687985aac29618c9abe4f5e0de08ebf
2022-08-25wireguard: fix ipv6 payload_length computationAloys Augustin1-4/+3
The ipv6 header length should not be counted in the ipv6 payload length. This is similar to https://gerrit.fd.io/r/c/vpp/+/36945. Type: fix Change-Id: I22de0ff828175829102a85288513ee3f55709108 Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2022-08-23linux-cp: handle AF_BRIDGE neighborsMatthew Smith1-2/+8
Type: improvement VPP crashes when a linux-cp tap is added to a bridge on the host system because rtnl_neigh_get_dst() returns NULL for the neighbor message that is sent by the kernel. Check for NULL before trying to use the address from a neighbor in a netlink message. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I8a683d815a09620df9c0cc76e18df39828428e2c Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-08-23lisp: address the issues raised by coverity 249165Andrew Yourtchenko1-4/+12
Add the error checks in parsing, aimed to avoid parser walking past the end of packet in case the data is garbage. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I9541b555a18baf63cb8081bcd7a4c2750f2ed012
2022-08-23rdma: fix coverity 249197Benoît Ganne1-2/+2
flags is u64, makes sure we do not overflow when shifting. Type: fix Change-Id: Ieea34187c0b568dc4d24c9415b9cff36907a5a87 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-19nat: simplify per-protocol code by using an arrayJon Loeliger4-243/+158
rather than using obfuscated macro hacery, simplify the per-protocol data management by directly using an array of NAT protocol types. Type: refactor Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I6fe987556ac9f402f8d490da0740e2b91440304c
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith2-2/+6
Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
2022-08-18unittest: fix coverity 274736Andrew Yourtchenko1-0/+1
Free up the vapi context in case of failure. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4f64e8718014d714f1b82877e69d2354b5fa44fb
2022-08-18wireguard: fix error type for crypto backendBenoît Ganne1-1/+1
Crypto backend errors should not be using the same error as missing keypair. Type: fix Change-Id: I78c2b3df3f08a354463b7824349b08627f2b023c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-18wireguard: fix ipv6 handshake packetBenoît Ganne1-3/+1
IPv6 payload length should not include the size of the IPv6 header. Type: fix Change-Id: Iedcd17d0af8d72d9b5f8f9b605da7c99e151bc9d Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-18nat: Replace port refcounts with simple bitvectorsJon Loeliger2-17/+80
Previously, each address maintained an array of 32-bit reference counts for each of 65K possible ports for each of 4 NAT protocols. Totalling 1MB per address. Wow. A close read of the code shows that an "is used" check precedes each attempted reference count increment. That means the refcount never actually gets above 1. That in turn means algorithmically, a bit vector is sufficient. And one need not be allocated for more than the highest validated port referenced. These changes introduce a dynamically sized bit vector replacing the reference counts, for a maximum of 32K if all 4 protocols use port 65535. In fact, protocol OTHER is never used, so at most 24K will be used, and none of it will be "statically" allocated per address. Type: fix Fixes: 85bee7548bc5a360851d92807dae6d4159b68314 Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2022-08-18dns: fix coverity 249189, 249198Andrew Yourtchenko1-2/+2
Zero-initialize the temporary struct on stack. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I89ced4cca8e832827fe054e2e60986de5910360c
2022-08-18nsh: fix coverity 249169Andrew Yourtchenko1-1/+1
Zero-initialize the temporary struct on stack. Type: fix Change-Id: I651f87deeb79c6c073d5c510435fa268893a3b0e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe2-63/+126
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-18ikev2: fix possible SEGVAtzm Watanabe1-3/+3
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51
2022-08-17memif: crash on recceiving a bad descriptorSteven Luong1-1/+1
We validate each descriptor via memif_validate_desc_data and set desc_status to non-zero for the corresponding descriptor when the descriptor is bad. However, desc_status is not propagated back to xor_status in memif_validate_desc_data which eventually sets ptd->xor_status. Not setting ptd->xor_status causes us to treat all descriptors as "simple". In that case, when we try to copy also the bad descriptors to the buffers, it results a crash since desc_data is not set to point to the correct memory in the descriptor. The fix is to set xor_status in memif_validate_desc_data such that if there is a bad descriptor in the frame, "is_simple" is set to false and we have to selectively copy only the good descriptors to the buffers. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598
2022-08-17wireguard: fix fib entry trackingAlexander Chernavin2-53/+35
Type: fix After peers roaming support addition, FIB entry tracking stopped working. For example, it can be observed when an adjacency is stacked on a FIB entry by the plugin and the FIB entry hasn't got ARP resolution yet. Once the FIB entry gets ARP resolution, the adjacency is not re-stacked as it used to. This results in endless ARP requests when a traffic is sent via the adjacency. This is broken because the plugin stopped using "midchain delegate" with peers roaming support addition. The reason is that "midchain delegate" didn't support stacking on a different FIB entry which is needed when peer's endpoint changes. Now it is supported there (added in 36892). With this fix, start using "midchane delegate" again and thus, fix FIB entry tracking. Also, cover this in tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
2022-08-16nat: fix potential out-of-bound worker array indexJing Peng3-24/+36
In several NAT submodules, the number of available ports (0xffff - 1024) may not be divisible by the number of workers, so port_per_thread is determined by integer division, which is the floor of the quotient. Later when a worker index is needed, dividing the port with port_per_thread may yield an out-of-bound array index into the workers array. As an example, assume 2 workers are configured, then port_per_thread will be (0xffff - 1024) / 2, which is 32255. When we compute a worker index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2, but since we only have 2 workers, only 0 and 1 are valid indices. This patch fixes the problem by adding a modulo at the end of the division. Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
2022-08-14vrrp: fix SIGABRT crash by ASSERT() when deleting vrrp vr(MASTER state)luoyaozu1-0/+1
we need cancel vrrp_vr_timer when deleting vrrp vr Type: fix Signed-off-by: luoyaozu <luoyaozu@chinatelecom.cn> Change-Id: I8ea01f1943d6e3e60c4990c5be945de613bc8b53
2022-08-12http_static: validate session before sendingFlorin Coras1-0/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I18b9d0d67f5fe4c1714427259df29026153d8dd1
2022-08-11linux-cp: FIB lookup for P2MP tunnel interfacesMatthew Smith1-4/+22
Type: improvement If a tun/L3 interface is paired with a multipoint tunnel interface, pass packets arriving from the host to ip[46]-lookup instead of cross-connecting them to the tunnel interface. Adjacencies are used to drive the rewrite for Multipoint tunnel interfaces, so the generic adjacency used with a P2P tunnel will not work correctly. Change-Id: I2d8be56dc5029760978c05bc4953f84c8924a412 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-08-10ikev2: do not accept rekey until old SA is deletedAtzm Watanabe2-14/+36
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2022-08-09wireguard: add peers roaming supportAlexander Chernavin7-49/+187
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-09wireguard: add handshake rate limiting supportAlexander Chernavin6-7/+178
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
2022-08-09ip-neighbor: ARP and ND stats per-interface.Neale Ranns1-2/+6
Type: feature stats of the like from: https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184