aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2021-09-09nat: nat44-ed add session timing out indicator in apiAlexander Chernavin2-1/+150
Type: improvement Currently, NAT44-ED users sessions details are returned for both active and timed out NAT sessions. It may confuse users that expect to see only active sessions in the response and make them think that timeouts for NAT sessions do not work. With this change, introduce an indicator of timing out for NAT sessions returned in NAT44-ED user session details. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
2021-09-09linux-cp: fix non-NULL terminated stringBenoît Ganne1-1/+1
lip->lip_host_name is a non-NULL terminated vector. Type: fix Change-Id: Ic154ad7f57f0b507204e55f78995cc0e89132e57 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-09linux-cp: Complete interface creation logicPim van Pelt6-86/+268
Linux Control Plane interface creation logic is currently only able to create untagged interfaces, and dot1q VLAN sub-interfaces. This change makes it possible to create dot1ad VLAN sub-ints, and Q-in-AD as well as Q-in-Q sub-interfaces as well. It makes the plugin a bit more robust by catching a few common errors, such as creating an lcp on a sub-interface without its parent having one, and creating an lcp on a sub-interface that is not exact-match. This change has a bunch of smaller improvemnets as well. I documented my work in this post: https://ipng.ch/s/articles/2021/08/12/vpp-1.html It shows that after the change is merged, all VPP interface types now create and operate cleanly as LCP interfaces as well. Type: improvement Signed-off-by: Pim van Pelt <pim@ipng.nl> Change-Id: I322669f7316d44c227090b83d6a574fb9c00e76a
2021-09-08linux-cp: fix crash on failed vlib_buffer_copyPim van Pelt1-12/+24
Type: fix Signed-off-by: Pim van Pelt <pim@ipng.nl> Change-Id: I390282ecc63600728cf11413510c0169178e305c
2021-09-08vrrp: fix source address on advertisementsMatthew Smith1-2/+13
Type: fix Advertisements are dropped by anti spoofing check in some situations. When a VR has "accept mode" enabled, we must add the virtual IP addresses to the interface when the VR transitions to master state. When this happens, fib_sas4_get() starts selecting the newly added virtual IP address as the source address for packets sent on the interface, so advertisements are sent with that source address. When the virtual IP address is being used as a NAT pool address on a peer in the backup state, the peer sees the address as a local address and drops incoming advertisements with that source address. RFC 5798 section 5.1.1.1 says advertisements should use the primary IPv4 address of the interface they are being sent on as the source IP address. Since the virtual IP address is only temporarily added while the VR is in the master state, the virtual IP address should probably not be considered the primary address of the interface. The definition of Primary IP Address in section 1.6 says that selecting the first address is a valid selection algorithm. Do that instead of calling fib_sas4_get(). Change-Id: Id92f0e3237c7fd491dd8d695bb27307d494f8573 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-09-08perfmon: sort 'show perfmon bundle' outputZachary Leaf1-0/+11
This patch sorts 'show perfmon bundle' output in alphabetical order. Type: improvement Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: I26b379b5d6766b9f87f9a3a5013ea92b207fb5d4
2021-09-08perfmon: add membw-bound bundleRay Kinsella4-1/+80
Added memory bandwidth boundedness bundle, closely related to cache-hierarchy. This bundle works on ICX only, due to an ICX specific counter. Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: Id385bd5f4e645ac020774e311c623afb64b79b1e
2021-09-08perfmon: adding support for papi TMAMRay Kinsella4-54/+113
Adding support for Linux papi TMAM on Intel Snowridge. Adds the ability to indicate that a bundle should be thread or node bundle type based on available cpu features (rdpmc support). Type: feature Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: Ib871b2644fdb2410fbb580e0d21c3a8e2be13aba
2021-09-08nat: remove unusued parameters and use correct parameter typesKlement Sekera2-20/+15
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
2021-09-08dpdk: fix coverityMohammed Hawari1-0/+2
Coverity does not seem happy about exotic control flows in switch/case statements Change-Id: Ie006190058f811aacf85125ebc58330d9c53510f Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: fix Fixes: 0b42ac565b970c186a9ad734f980b440f56fb25b
2021-09-07dpdk: lro supportMohammed Hawari5-19/+110
Change-Id: Ifa09dcdfd567ac3c2afab4bd3bd468260f766e1d Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: improvement
2021-09-03sr: fixing typo in srv6 End.AS Proxy documentationAhmed Abdelsalam1-2/+2
Type: docs Signed-off-by: Ahmed Abdelsalam <ahabdels@cisco.com> Change-Id: I0cbc1b21f156425e067e9ce90769a62983ca5d01
2021-09-02nat: NAT44 ED improvements and fixesFilip Varga8-392/+353
Fixed FIB entry per interface, pool and static mapping registrations in NAT control plane. Improved FIB configuration handling in NAT - added functions to generalize handling of FIB & NAT, cleaned up interface callback functions. Changed "is_" macros to inline functions for easier debugging. Type: improvement Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-31vmxnet3: set RX interrupt pending only when neededSteven Luong3-6/+59
When an RX thread handles more than one RX queue and has a mix of queues in interrupt mode and polling mode, the RX input routine is naturally in polling mode. In that case, there is no need to set RX interrupt pending when descriptor is available in the queue for interrupt mode. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Iedbe57941eca3152c0e8ab9096cc81f315e0a915
2021-08-31flow: add esp spi rss typePiotr Bronowski2-26/+35
Type: feature This patch adds IPsec ESP SPI as RSS key for better IPsec inbound processing scaling. With this feature enabled, The NIC will use the packets' SPI index as the RSS key to distribute them to different queues. The dpdk-input is also updated to support this feature. Sample CLI command to enable Ipsec ESP SPI as RSS key: test flow add src-ip any dst-ip any rss types esp test flow enable eth0 index 0 Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I8b7d01cfc065e9099fad33042ce76898e16ddbf0
2021-08-30tls: use default OpenSSL built-in DH parametersOfer Heifetz1-0/+8
Type: improvement Motivation for this addition is to add support for cipher suites that use Diffie-Hellman Ephemeral (DHE) for key exchange. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. Configure OpenSSL to use the default built-in DH parameters for the SSL_CTX object. Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-27snort: fix incorrect data length for snort inspectionSivaprasad Tummala1-0/+1
set the right data length to decode the packet properly. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I6a35fa54851496d0a958f1a64a547b7f08bb4c19
2021-08-27bufmon: add buffer monitoring pluginBenoît Ganne4-0/+362
This plugin allow to keep track of buffer usage in VPP graph nodes. The main use is to detect buffer leakages. Type: feature Change-Id: Iadcf4ab98207fab6e2fa375060879bc2a25b711e Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-27snort: fix snort hang issue when interruptedSivaprasad Tummala1-1/+20
fix vpp daq to break out-of-loop when interrupted. Type: fix Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: I04594a0b872d16f803d7d7c3b7d9bb60e94bc707
2021-08-26ikev2: check for valid cipher + integrityBenoît Ganne1-6/+6
Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26ikev2: fix DNS resolution overflowBenoît Ganne1-1/+7
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2 plugin only uses non-NULL terminated vectors. Type: fix Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26af_xdp: fix stale rx/tx pointers in xsk objectsBenoît Ganne1-10/+47
xsk objects keep pointers to the rx and tx objects. If we re-allocate the rx and tx vectors after initializing the associated xsk object, the pointers in the xsk object will be staled. To avoid this, we allocate the vectors to the max expected size instead of growing them. Type: fix Change-Id: If30433a28c186787d66c12dbab34bf210c95b519 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26acl: fix prefetch out of struct bound on ArmTianyu Li1-1/+1
fa_session_t *sess; CLIB_PREFETCH (sess, 2 * CLIB_CACHE_LINE_BYTES, STORE); sizeof(fa_session_t) is 128 bytes i) on 64B cacheline size Arm machine, above CLIB_PREFETCH () macro will be expand to __builtin_prefetch(sess) __builtin_prefetch(sess + 64) __builtin_prefetch(sess + 128) << prefetch is out of range of *sess. __builtin_prefetch(sess + 192) << ii) on 128B cacheline size Arm machine, CLIB_PREFETCH () expands to __builtin_prefetch(sess) __builtin_prefetch(sess + 128) << still out of bound Solution: Change to CLIB_PREFETCH (sess, sizeof(*sess), STORE); Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Reviewed-by: Lijian Zhang <lijian.zhang@arm.com> Change-Id: I4b3d4fc55747f3d9ad1bcf24f8834601a03ef55e
2021-08-23af_xdp: fix xsk_socket__delete left un-cleanuparikachen1-3/+3
Type: fix while xsk fd closed by clib_file_del_by_index fisrt, xsk_get_mmap_offsets will get wrong off in xsk_socket__delete, so munmap wrong place. Signed-off-by: arikachen <eaglesora@gmail.com> Change-Id: I95464e9b4eec99814bd32d7402c0d60a0605cef5
2021-08-20ikev2: fix use-after-freeBenoît Ganne1-2/+3
Type: fix Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20rdma: decrease inliningBenoît Ganne1-26/+19
Remove aggressive inlining outside of the main loop to improve build time (from 146s to 22s). Type: refactor Change-Id: I3824516a85b5e8d02894e66f19d891569c1a68fb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20buffers: fix buffer linearizationBenoît Ganne1-36/+272
vlib_buffer_chain_linearize() truncates partial data in chained buffers in corner cases when current_data is negative. Strengthen test cases to reproduce the errors and fix it. Type: fix Change-Id: Ida621923711c5755508224bdc3842b31003c6c0b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20perfmon: fix perf event user page readBenoît Ganne1-45/+76
When mmap()-ing perf event in userspace, we must adhere to the kernel update protocol to read consistent values. Also, 'offset' is an offset to add to the counter value, not to apply to the PMC index. Type: fix Change-Id: I59106bb3a48185ff3fcb0d2f09097269a67bb6d6 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20vlib: add format_vnet_buffer_no_chainBenoît Ganne2-7/+5
- add format_vnet_buffer and format_vnet_buffer_no_chain to mirror format_vlib_buffer and format_vlib_buffer_no_chain - format_vnet_buffer used to be the "no chain" version, replace all of its current use with the corresponding format_vnet_buffer_no_chain - add a function to dump vnet buffer details from gdb Type: improvement Change-Id: I143ce845f80e7ef937ea33a557b6e3b5988c5b8f Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20ikev2: decrease inliningBenoît Ganne1-26/+26
IKEv2 is not optimized for dataplane processing and do not really benefit from aggressive inlining. Let the compiler decide to improve build time (from 205s to 30s). Type: refactor Change-Id: I5286880b35d338d669ec9382bf049d4486c04947 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith1-0/+22
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-19acl: add API call for setting the toggle to select between linear and ↵Andrew Yourtchenko3-1/+148
bihash-based lookups In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup may be more efficient than the hash-based lookup. Expose the API to allow the control plane to choose what lookup algorithm to use. Type: improvement Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin3-68/+93
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-13ip: source address selectionOle Troan2-167/+49
Implement a simple source address selection algorithm for IPv4 and IPv6. IPv6 does not yet implement RFC6724 but supports link-locals. ping now chooses correct source address for link-local destination. Added ping support for link-local multicast (e.g. allnodes). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-13wireguard: add flag to check hmac for decryptionGabriel Oginski1-0/+1
Type: fix Originally the decryption doesn't check the hmac for chacha20-poly1305. This patch fixes the problem by adding flag to crypto op to check hmac. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
2021-08-12nat: NAT44ED configuration refactorFilip Varga4-378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12nat: correct pool ops when disable nat44 pluginAlexander Skorichenko1-10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-12tls: add start_listen openssl API return value checkOfer Heifetz1-4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-11fib: A 16-8-8 and a 8-8-8-8 versions of an ip4_fib_tNeale Ranns1-6/+4
Type: feature The difference being the MTRIE type they contain. THE FIB continues to use the 16-8-8 version. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
2021-08-10tls: picotls optimize rx pathFlorin Coras1-69/+113
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
2021-08-10tls: picotls optimize writesFlorin Coras2-113/+188
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
2021-08-10ip: Use the IP4 lookup functionsNeale Ranns1-52/+23
Type: refactor as opposed to wrtiing out the mtrie steps one by one each time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
2021-08-06tls: avoid picotls buffer allocs on rxFlorin Coras2-3/+9
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
2021-08-06tls: avoid ptls ctx free on transport closeFlorin Coras1-2/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
2021-08-05nat: nat44-ed disable protection for api/cliFilip Varga4-60/+67
Return unsupported error if user calls one of the configuration functions that can run only after nat44-ed plugin is enabled via appropriate api/cli call. Type: fix Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-04memif: fix offsetArtem Glazychev1-1/+1
signs were changed here when calculating the offset: d78ba5aa01ff1415bff0b06069ce21e0a78df89c Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
2021-08-03quic: do not update crypto keys from workersAloys Augustin3-20/+59
The vnet_crypto_key_add should only be called from the main thread. This patch works around this limitation by allocating one key per worker and updating it on the fly everytime we need to do a crypto operation. This solution is far from ideal, but quicly has a strong assumption that it can use a key immediately after determining it, so making the key creation asynchronous is not a possibility. Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7 Type: fix
2021-08-03tls: picotls handle accept failuresFlorin Coras1-3/+15
Should also fix coverity warning. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
2021-07-30tls: picotls rx fixes and improvementsFlorin Coras2-149/+126
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
2021-07-29nat: fix ICMP checksum validationKlement Sekera1-9/+9
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>