Age | Commit message (Collapse) | Author | Files | Lines |
|
When a packet with an unknown proto arrives
on an inside interface and there are no existing sessions
for the source address, a segv occurs.
snat_in2out_unknown_proto() finds the head of the sessions
dlist, fetches the address of the next element using
head->next, and then dereferences the next element. On the
first packet received from a source address, head->next is
~0, so this results in a segv.
Check that the session list is not empty before trying to
traverse it.
Also removed unnecessary lookup against tsm->user_hash.
Prior call to nat_user_get_or_create() already performed
that lookup and added a user if one didn't exist.
Change-Id: If73e79aa2f8e3962ab7b876ecf55aea40d7a5472
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: If33854f9c32736edf571fb66cdfa759db1c9de25
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: I2794384557c6272fe217269b14a9db09eda19220
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Icd42abf4e35db550df496592cffce655f1987d68
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Be gentle with people who run VPP in the noisy envirement where
not-for-us IGMP messages are flying around...
Change-Id: I07e74e29bc12ecdcc83faead9182d861c7ea1add
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: If174d189de40e6f9ffae99997bba93a2519d9fda
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I379150a88f2d53d6281be41e8bad6fc4f4e88a71
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
recompile each time
Change-Id: I97ef0ef5f694062e5867e11d434e3b521a57f649
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I69fee1dcf07a4d2eed69a59f0a36e63e3741ed4e
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Fixes:
- the parsing of the packet falsely assume an ethernet header at offset 0
- it causes a frame leak
Change-Id: Ib9ac9535173ed216de613baaa06d0e1dea3640ca
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I927c9358915e03187cf7d3098c00b85b5ea2f92d
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Improve igmp membership report performance, introduce group and source specific timers.
(side effect compatible with Group-specific query).
Change-Id: Ie3dd2c0dabe5f7138c2f8029e6bbbbfcb5e4904f
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
[VPP-1251]
Problem:
When the bond subinterface is removed, it was observed that we lost the lacp
partner. Show hardware shows rx counter goes up, but show interface does not
for the slave interfaces.
Cause:
We reset the interface promiscuous mode when the bond subinterface is deleted.
This causes dpdk not to accept any packet. Leave the interface in promiscuous
mode fixes the problem.
Other fixes:
There are few places we use hw_if_index as if they are sw_if_index. But they
don't necessarily have the same value. As soon as a subinterface is created,
they start to diverge. The fix is to use the correct API for the hw_if_index
and sw_if_index.
Change-Id: I1e6b8bca0a4aae396d217a141271cbf968500c91
Signed-off-by: Steven <sluong@cisco.com>
(cherry picked from commit 42c6599bf3057a7e8f4f00f5b6a9dd72af48d283)
|
|
Change-Id: I228728bacfca6056dc409a96de1bffb9cadcd3e6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
We should be sending LACP PDU every second if the partner has LACP_TIMEOUT flag
set which means it will time us out in 3 seconds.
Add interface name for lacp trace
Change-Id: If7d816c062d03e80cc0dd7d10dba0b76ace0664a
Signed-off-by: Steven <sluong@cisco.com>
|
|
When enabled then Twice-NAT is applied only when
source IP equals destination IP after DNAT
Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
- use of vlib_log for non-dataplane logging
- redirect of dpdk logs trough unix pipe into vlib_log
- "show dpdk physmem" cli
Change-Id: I5da70f9c130273072a8cc80d169df31fc216b2c2
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
https://gerrit.fd.io/r/#/c/7701/ accidentally removed 3 lines of code in
dpdk/device/init.c which were added by https://gerrit.fd.io/r/#/c/7826/
case VNET_DPDK_PMD_VHOST_ETHER:
xd->port_type = VNET_DPDK_PORT_TYPE_VHOST_ETHER;
break;
Those lines were needed to recognize vhost-user interface which is created
via vdev command in dpdk and display VhostEthernet. Without them,
UnknownEthernet is displayed.
Change-Id: I6d7ee6aecc6a415fbb7308595d515649475bcd5f
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I3792c524323ce9e300648abe85454cff5d19aba7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I0d10f13a56420b119fdfad97dcc135b245c269e1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
A poor man's flow switching or policy based rounting.
An ACL is used to match packets and is associated with a [set of] forwarding paths
that determine how to forward matched packets - collectively this association is a
'policy'.
Policies are then 'attached', in a priority order, to an interface when thaey are
encountered as an input feature. If a packet matches no policies it is forwarded
normally in the IP FIB.
This commit is used to test the "ACL-as-a-service" functionality,
which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes.
Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
It is a relatively rarely used low level command for code that didn't change,
but due to infra changes it did not survive. Having it working may be very
useful for corner-case debugging. So, fix it for working with
the acl-as-a-service infra.
Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
|
|
Change-Id: I071d4cfcf6ea9763dd4842a3594c486a8e400e8c
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
interface)"
This reverts commit 70083ee74c3141bbefb185525315f1b34497dcaa.
Reverting as this patch is causing following crash:
0: /home/damarion/cisco/vpp3/build-data/../src/vnet/devices/devices.h:131 (vnet_get_device_input_thread_index) assertion `queue_id < vec_len (hw->input_node_thread_index_by_queue)' fails
Aborted
Change-Id: Ie2a365032110b1f67be7a9d832885b9899813d39
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
only in lookup context 0
In process of extracting the matching out of the ACL plugin internals,
a couple of pieces setting the miscellaneout fields in the 5tuple structure
did not make it, so they are initialized to zeroes. Move the assignments
to the right place to make both traffic acls and acl-as-a-service working.
Change-Id: I66a7540a13b05113b599f0541999a18fad60385d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit d3b96ef0d75889f09dc51efb89e5123cdbe7ffe8)
|
|
Change-Id: Id5a2a90d81cc9cb87cb6fb89ac2f4ca3cbcb51e2
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: I98bd454a761a1032738a21edeb0fe847e801f901
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
update the GBP plugin to implement the full NAT feature set of opflex agent
Change-Id: Ic06a039c889445ed0b9087fa1f292634192b0f8d
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
When in deterministic mode disable nondeterministic CLI/API.
When not in deterministic mode disable deterministic CLI/API.
Change-Id: Ibf485c14612297e51d3815a6fde541542c8fe7ab
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
When NAT44 forwarding is disabled, if a DHCP server-to-
client packet arrives on an outside interface, it is
handled correctly by setting the next node to the next
feature on the ip4-unicast feature arc, where it can be
processed.
When NAT44 forwarding is enabled, if a DHCP server-to-
client packet arrives, it is not handled any differently
than other packets and ends up going to ip4-lookup
which results in the packet being dropped.
Move the check for DHCP server-to-client packets outside
of the block that is executed if forwarding is disabled so
DHCP replies will be processed in either case.
Change-Id: Ia795cce3fd459f3252c2c17d53bb88ceaeaafca4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
The users of ACL lookup contexts might not check the data they supply,
so do it on their behalf in this function, and return an error if
an ACL does not exist or if they attempt to apply the same ACL twice.
Change-Id: I89d871e60f267ce643f88574c83baf9cd0a2d7b3
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit e5cbccf35f4d230afafa633abbc88e64ef33d758)
|
|
using the inline functions
The acl_main struct, which is defined in the acl_plugin, is not visible when
the ACL plugin inline code is being compiled within the context of other plugins.
Fix that by using the global pointer variable, which exists in both the ACL plugin
context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
|
|
Change-Id: If536ae142dc0109b587d92981d337bc6f15e070a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
lb session with the same user maybe deleted.
Change-Id: Ie58579cf4f8babb594f3c44aa185720134c58c3d
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
|
|
Change-Id: I6400b77de388c01e85209e5dc5f11ccafb79a459
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: Iaadfbc75832e37ae52511b25448da14116214fc1
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Change-Id: I32f68e2ee8f5d32962acdefb0193583f71d342b3
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I71660eb327124179ff200763c4743cc81dc6e1c6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Id775efb2e85d850e510d00f1b48bb711a3342397
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I92ca28d3007f7ea43cd3e8b20659e400dfa6c75c
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: Ibcffee7d20dbb79720199bcd82d2353f39d5544f
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Change-Id: I65306fb1f8e39221dd1d8c00737a7fb1c0129ba8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ia99490180683e8649784f7d9d18c509c3ca78438
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I32b30210c2f1aec10a1b614d04f427662326a3d2
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ifb4d23059b7989c32a52eaf0c25c275b35e83010
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
dpdk-input was dropping packets with bad ip-checksum on l2 interfaces
Change-Id: Ife5b52766bb71e878b1da6e94ae7b8a1e59fc478
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|