Type: improvement
Currently, NAT44-ED user session details are returned for both active
and timed out NAT sessions. It may confuse users that expect to see only
active sessions in the response and make them think that timeouts for
NAT sessions do not work.
With this change, introduce an indicator of timing out for NAT sessions
returned in NAT44-ED user session details.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
|
|
lip->lip_host_name is a non-NULL terminated vector.
Type: fix
Change-Id: Ic154ad7f57f0b507204e55f78995cc0e89132e57
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Linux Control Plane interface creation logic is currently only able to
create untagged interfaces, and dot1q VLAN sub-interfaces. This change
makes it possible to create dot1ad VLAN sub-ints, and Q-in-AD as well
as Q-in-Q sub-interfaces as well.
It makes the plugin a bit more robust by catching a few common errors,
such as creating an lcp on a sub-interface without its parent having
one, and creating an lcp on a sub-interface that is not exact-match.
This change has a bunch of smaller improvements as well. I documented
my work in this post:
https://ipng.ch/s/articles/2021/08/12/vpp-1.html
It shows that after the change is merged, all VPP interface types now
create and operate cleanly as LCP interfaces as well.
Type: improvement
Signed-off-by: Pim van Pelt <pim@ipng.nl>
Change-Id: I322669f7316d44c227090b83d6a574fb9c00e76a
|
|
Type: fix
Signed-off-by: Pim van Pelt <pim@ipng.nl>
Change-Id: I390282ecc63600728cf11413510c0169178e305c
|
|
Type: fix
Advertisements are dropped by anti spoofing check in some situations.
When a VR has "accept mode" enabled, we must add the virtual IP addresses
to the interface when the VR transitions to master state. When this
happens, fib_sas4_get() starts selecting the newly added virtual IP
address as the source address for packets sent on the interface, so
advertisements are sent with that source address.
When the virtual IP address is being used as a NAT pool address on a peer
in the backup state, the peer sees the address as a local address and
drops incoming advertisements with that source address.
RFC 5798 section 5.1.1.1 says advertisements should use the primary
IPv4 address of the interface they are being sent on as the source
IP address. Since the virtual IP address is only temporarily added
while the VR is in the master state, the virtual IP address should
probably not be considered the primary address of the interface. The
definition of Primary IP Address in section 1.6 says that selecting
the first address is a valid selection algorithm. Do that instead of
calling fib_sas4_get().
Change-Id: Id92f0e3237c7fd491dd8d695bb27307d494f8573
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This patch sorts 'show perfmon bundle' output in alphabetical order.
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: I26b379b5d6766b9f87f9a3a5013ea92b207fb5d4
|
|
Added memory bandwidth boundedness bundle, closely related to cache-hierarchy.
This bundle works on ICX only, due to an ICX specific counter.
Type: improvement
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: Id385bd5f4e645ac020774e311c623afb64b79b1e
|
|
Adding support for Linux papi TMAM on Intel Snowridge. Adds the ability to
indicate that a bundle should be thread or node bundle type based on available
cpu features (rdpmc support).
Type: feature
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: Ib871b2644fdb2410fbb580e0d21c3a8e2be13aba
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
|
|
Coverity does not seem happy about exotic control
flows in switch/case statements
Change-Id: Ie006190058f811aacf85125ebc58330d9c53510f
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: fix
Fixes: 0b42ac565b970c186a9ad734f980b440f56fb25b
|
|
Change-Id: Ifa09dcdfd567ac3c2afab4bd3bd468260f766e1d
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: improvement
|
|
Type: docs
Signed-off-by: Ahmed Abdelsalam <ahabdels@cisco.com>
Change-Id: I0cbc1b21f156425e067e9ce90769a62983ca5d01
|
|
Fixed FIB entry per interface, pool and
static mapping registrations in NAT control plane.
Improved FIB configuration handling in NAT -
added functions to generalize handling of FIB & NAT,
cleaned up interface callback functions. Changed "is_"
macros to inline functions for easier debugging.
Type: improvement
Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
When an RX thread handles more than one RX queue and has a mix of
queues in interrupt mode and polling mode, the RX input routine is
naturally in polling mode. In that case, there is no need to set RX
interrupt pending when descriptor is available in the queue for
interrupt mode.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Iedbe57941eca3152c0e8ab9096cc81f315e0a915
|
|
Type: feature
This patch adds IPsec ESP SPI as RSS key for better IPsec
inbound processing scaling. With this feature enabled,
the NIC will use the packets' SPI index as the RSS key
to distribute them to different queues.
The dpdk-input is also updated to support this feature.
Sample CLI command to enable IPsec ESP SPI as RSS key:
test flow add src-ip any dst-ip any rss types esp
test flow enable eth0 index 0
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I8b7d01cfc065e9099fad33042ce76898e16ddbf0
|
|
Type: improvement
Motivation for this addition is to add support for cipher suites
that use Diffie-Hellman Ephemeral (DHE) for key exchange.
Using ephemeral DH key exchange yields forward secrecy as the
connection can only be decrypted when the DH key is known.
Configure OpenSSL to use the default built-in DH parameters for the
SSL_CTX object.
Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
set the right data length to decode the packet properly.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I6a35fa54851496d0a958f1a64a547b7f08bb4c19
|
|
This plugin allows keeping track of buffer usage in VPP graph nodes. The
main use is to detect buffer leakages.
Type: feature
Change-Id: Iadcf4ab98207fab6e2fa375060879bc2a25b711e
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
fix vpp daq to break out-of-loop when interrupted.
Type: fix
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: I04594a0b872d16f803d7d7c3b7d9bb60e94bc707
|
|
Type: improvement
Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2
plugin only uses non-NULL terminated vectors.
Type: fix
Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
xsk objects keep pointers to the rx and tx objects. If we re-allocate
the rx and tx vectors after initializing the associated xsk object, the
pointers in the xsk object will be stale.
To avoid this, we allocate the vectors to the max expected size instead
of growing them.
Type: fix
Change-Id: If30433a28c186787d66c12dbab34bf210c95b519
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
fa_session_t *sess;
CLIB_PREFETCH (sess, 2 * CLIB_CACHE_LINE_BYTES, STORE);
sizeof(fa_session_t) is 128 bytes
i) on 64B cacheline size Arm machine,
the above CLIB_PREFETCH () macro will be expanded to
__builtin_prefetch(sess)
__builtin_prefetch(sess + 64)
__builtin_prefetch(sess + 128) << prefetch is out of range of *sess.
__builtin_prefetch(sess + 192) <<
ii) on 128B cacheline size Arm machine, CLIB_PREFETCH () expands to
__builtin_prefetch(sess)
__builtin_prefetch(sess + 128) << still out of bound
Solution:
Change to CLIB_PREFETCH (sess, sizeof(*sess), STORE);
Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Reviewed-by: Lijian Zhang <lijian.zhang@arm.com>
Change-Id: I4b3d4fc55747f3d9ad1bcf24f8834601a03ef55e
|
|
Type: fix
while xsk fd closed by clib_file_del_by_index first,
xsk_get_mmap_offsets will get wrong off in xsk_socket__delete,
so munmap wrong place.
Signed-off-by: arikachen <eaglesora@gmail.com>
Change-Id: I95464e9b4eec99814bd32d7402c0d60a0605cef5
|
|
Type: fix
Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Remove aggressive inlining outside of the main loop to improve build
time (from 146s to 22s).
Type: refactor
Change-Id: I3824516a85b5e8d02894e66f19d891569c1a68fb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
vlib_buffer_chain_linearize() truncates partial data in chained buffers
in corner cases when current_data is negative.
Strengthen test cases to reproduce the errors and fix it.
Type: fix
Change-Id: Ida621923711c5755508224bdc3842b31003c6c0b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When mmap()-ing perf event in userspace, we must adhere to the kernel
update protocol to read consistent values.
Also, 'offset' is an offset to add to the counter value, not to apply
to the PMC index.
Type: fix
Change-Id: I59106bb3a48185ff3fcb0d2f09097269a67bb6d6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
- add format_vnet_buffer and format_vnet_buffer_no_chain to mirror
format_vlib_buffer and format_vlib_buffer_no_chain
- format_vnet_buffer used to be the "no chain" version, replace all of
its current use with the corresponding format_vnet_buffer_no_chain
- add a function to dump vnet buffer details from gdb
Type: improvement
Change-Id: I143ce845f80e7ef937ea33a557b6e3b5988c5b8f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IKEv2 is not optimized for dataplane processing and does not really
benefit from aggressive inlining. Let the compiler decide to improve
build time (from 205s to 30s).
Type: refactor
Change-Id: I5286880b35d338d669ec9382bf049d4486c04947
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
With endpoint dependent NAT44, when there are multiple workers we look
for a flow which matches the packet in order to figure out which worker
should handle the packet. If the packet is an ICMP error, it may be
associated with an existing flow by inspecting the L3/L4 headers that
are included in the message payload.
This was not being done for in2out packets in
nat44_ed_get_in2out_worker_index(), so some packets which were related
to an open session were not being associated with that session and were
being passed to a different thread than the one where the session was
created. Later on, when the packet was processed by the fast path in2out
node, the L3/L4 headers in the payload are inspected and the fast path
node finds the existing session. Since that session is owned by a
different thread than the one the packet is being processed by, the
in2out fast path node can potentially access the wrong session and/or
memory adjacent to the session pool. This can cause a SEGV.
Make nat44_ed_get_in2out_worker_index() look at the inner headers when
processing an ICMP error. This is already done in
nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
bihash-based lookups
In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup
may be more efficient than the hash-based lookup. Expose the API to allow the control plane
to choose what lookup algorithm to use.
Type: improvement
Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: fix
The NAT plugin stores packet counters and a counter represents a vector
indexed by interface index. When an interface is assigned a NAT role,
the counters are validated to be long enough for the given interface
index.
When a packet traverses NAT in2out and output feature is disabled, the
appropriate counters are updated by the RX interface index. In this
case, translation happens on the inside interface and its index was
ensured to be valid in all of the counters during NAT role assignment.
When a packet traverses NAT in2out and output feature is enabled, the
appropriate counters are updated by the RX interface index too. In this
case, translation happens on the outside interface and the packet could
be received on any interface, even with no NAT role assigned. If that's
the case and its index is greater than the greatest index validated in
the counters, a new counter value will be written to memory that does
not belong to the counter. As a result, a crash will occur at some
point.
With this change, use TX interface index to update the counters when
output feature is enabled. TX interface is an actual interface where
translation happens and its index is always valid in the counters.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
|
|
Implement a simple source address selection algorithm
for IPv4 and IPv6.
IPv6 does not yet implement RFC6724 but supports link-locals.
ping now chooses correct source address for link-local destination.
Added ping support for link-local multicast (e.g. allnodes).
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Originally the decryption doesn't check the hmac for chacha20-poly1305.
This patch fixes the problem by adding flag to crypto op to check hmac.
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
|
|
Refactoring and cleaning up address allocation functions &
ip table update callbacks.
Type: refactor
Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Replace vec ops with pool ops when iterating over pool of
interfaces in plugin_disable() functions.
With this change plugin disabling function and interface role
disabling functions iterate over identical sets of registered
interfaces, preventing 'interface couldn't be found' errors.
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
|
|
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: feature
The difference being the MTRIE type they contain.
The FIB continues to use the 16-8-8 version.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
|
|
Type: refactor
as opposed to writing out the mtrie steps one by one each time.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
|
|
Return unsupported error if user calls one
of the configuration functions that can
run only after nat44-ed plugin is
enabled via appropriate api/cli
call.
Type: fix
Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
signs were changed here when calculating the offset:
d78ba5aa01ff1415bff0b06069ce21e0a78df89c
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
|
|
The vnet_crypto_key_add should only be called from the main thread.
This patch works around this limitation by allocating one key per worker
and updating it on the fly every time we need to do a crypto operation.
This solution is far from ideal, but quicly has a strong assumption that
it can use a key immediately after determining it, so making the key
creation asynchronous is not a possibility.
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7
Type: fix
|
|
Should also fix coverity warning.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
|
|
Handle case where extra data is present in buffer which is not part of
IP/ICMP headers.
Type: fix
Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76
Change-Id: Icfef811470056d38c60fc45cc302139ed7594385
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|