Age | Commit message (Collapse) | Author | Files | Lines |
|
until it is needed
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init
causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size
from the startup config.
Defer this registration until just before it is needed - i.e. when applying an ACL to
an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: If168a9c54baaa516ecbe78de2141f11c17aa2f53
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
When a user session is allocated/reused, only increase
one of the session counters for that user if the counters
are below the per-user limit.
THis addresses a SEGV that arises after the following
sequence of events:
- an outside interface IP address is put in a pool
- a user exceeds the number of per-user translations by
an amount greater than the number of per-user translations
(nsessions + nstaticsessions > 100 + 100)
- the outside interface IP address is deleted and then added
again (observed when using DHCP client, likely happens if
address changed via CLI, API also)
- the user sends more packets that should be translated
When nsessions is > the per-user limit,
nat_session_alloc_or_recycle() reclaims the oldest existing
user session. When an outside address is deleted, the
corresponding user sessions are deleted. If the counters were
far above the per-user limit, the deletions wouldn't result
in the counters dropping back below the limit. So no session
could be reclaimed -> SEGV.
Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
- allow to optionally specify the specific MACIP ACL index:
'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of
interface(s) where it is applied.
Also, add some executions of this debug commands
to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The functions which get called by other plugins need to set the acl plugin heap,
such that the other plugins do not have to think about it.
Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ic2eddc803f9ba8215e37388a686004830211cf6f
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: Iacb32e6e855f7b77108154d956ef27ee141bbde0
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f.
Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
other plugins
This code implements the functionality required for other plugins wishing
to perform ACL lookups in the contexts of their choice, rather than only
in the context of the interface in/out.
The lookups are the stateless ACLs - there is no concept of "direction"
within the context, hence no concept of "connection" either.
The plugins need to include the
The file acl_lookup_context.md has more info.
Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ia0f659b810f2c79b1a6c98ce566a86ce413c7448
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Do not translate packet which go out via nat44-in2out-output and was tranlated
in nat44-out2in before. On way back forward packet to nat44-in2out node.
Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
In version 1 of the protocol sender was always ring producer and
receiver was consumer. In version 2 slave is always producer,
and in case of master-to-slave rings, slave is responsible for
populating ring with empty buffers.
As this is major change, we need to bump version number.
In addition, descriptor size is reduced to 16 bytes.
This change allows zero-copy-slave operation (to be privided in the separate
patch).
Change-Id: I02115d232f455ffc05c0bd247f7d03f47252cfaf
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
- Show interface on which given MACIP ACL is applied
- index is added for show acl-plugin macip acl:
ex) show acl-plugin macip acl [index N]
Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Add bonding driver to support creation of bond interface which composes of
multiple slave interfaces. The slave interfaces could be physical interfaces,
or just any virtual interfaces. For example, memif interfaces.
The syntax to create a bond interface is
create bond mode <lacp | xor | acitve-backup | broadcast | round-robin>
To enslave an interface to the bond interface,
enslave interface TenGigabitEthernet6/0/0 to BondEthernet0
Please see src/plugins/lacp/lacp_doc.md for more examples and additional
options.
LACP is a control plane protocol which manages and monitors the status of
the slave interfaces. The protocol is part of 802.3ad standard. This patch
implements LACPv1. LACPv2 is not supported.
To enable LACP on the bond interface, specify "mode lacp" when the bond
interface is created. The syntax to enslave a slave interface is the same as
other bonding modes.
Change-Id: I06581d3b87635972f9f0e1ec50b67560fc13e26c
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: If9d7b266c4b49d4e7810ebc7d18fa154532d0322
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
pair (VPP-1199)
Change-Id: Iad8c626e83bbc58d5c85b6736f5a3dd5bc9ceafb
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
ARP packets need to be allowed for dot1q interface when MACIP is enabled.
Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
- host mode:
igmp_listen - API to signal that the host has joined an (S,G)
- route mode:
igmp_enable - API to enable the reception of host IGMP messages
igmp_event - API to report the host join/leave from an (S,G)
Change-Id: Id180ec27dee617d33ab3088f5dcf6125d3aa9c8f
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Change-Id: Ie5a50def4ec1e4a3b3404a8b6ab9ec248bc16744
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I6c215858d2c9c620787632b570950b15274c0df2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- buffer_main is no longer part of vlib_main_t
- pool of free lists is still part of vlib_main_t
- mheap is not used anymore for buffer allocation
- simple bitmap bassed buffer alloc scheme is introduced
Change-Id: I3e1e6d00e2c8122293ed0a741245eb841315a1ff
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
DPDK API forbids calling rte_eth_xstats_get on a port
which has not been setup up yet.
Citing the DPDK docs (reformated):
"
The functions exported by the application Ethernet API to setup a device
designated by its port identifier must be invoked in the following order:
rte_eth_dev_configure()
rte_eth_tx_queue_setup()
rte_eth_rx_queue_setup()
rte_eth_dev_start()
Then, the network application can invoke, in any order, the functions
exported by the Ethernet API to get the MAC address of a given device,
to get the speed and the status of a device physical link, to
receive/transmit [burst of] packets, and so on.
"
original can be found here:
http://dpdk.org/doc/api/rte__ethdev_8h.html#a36ba70a5a6fce2c2c1f774828ba78f8d
Change-Id: I91854b8b0dd12dd028b4b36665cca49f16eac24c
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: I166301c9e2388bae5f70ec0179d663a2703e27f5
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: I72439df585e56b3cbb7051f056fc35cddf0c864b
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Change-Id: Icb858414145db0e5fef495e155903b3b935e50ba
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I1552e1418b704fdf1f1fa2c0174313b9b82a37a3
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Packet trace initiated by dpdk-input node would occasionally
not fully function if next node is ip4-input.
Change packet trace saving order in the quad-loop so "sho trace"
will display trace in packet receive order.
Fold calling of vlib_trace_buffer() into dpdk_add_trace().
Change-Id: I9d7a9bf3b9391f95590e66150b26b0b15912d803
Signed-off-by: John Lo <loj@cisco.com>
|
|
Add a binary API and debug cli to enable/disable cdp. cdp is disabled
by default.
Change-Id: I307c7e38dfda38e36ff3325f65de7036c34d89b1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Linux kernel and DPDK recognize the following Ethernet speeds:
10M, 100M, 1G, 2.5G, 5G, 10G, 20G, 25G, 40G, 50G, 56G and 100G.
Add consistent Ethernet speeds to VPP.
Change-Id: I4cfcf378fb34425c1206db5aa2f6bdcc66e0a6ab
Signed-off-by: Lee Roberts <lee.roberts@hpe.com>
|
|
Change-Id: I806cbf8c6c49643fe6c317bcceab93c1b9d441ab
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
frag packet can't get reass.
adding bihash,it can rewrite new hash value.
so need to delete hash after compare hash value.
Change-Id: I83b5c47890110e9a598b78cfbe8fcd27bbe291bb
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
|
|
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
- add infra for pluggable tls "engines"
- makes mbedtls specific code a plugin
Change-Id: I2c5b099e2b69d2be0038e3ef02b208ff907727e7
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
The gerrit 10434 which added the support for whitelist model on ethertypes,
did not include the support to dump the current state.
This patch fills that gap.
Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
(VPP-1192)
following is not possible:
set interface nat44 out GigabitEthernet0/3/0 output-feature
set interface nat44 out GigabitEthernet0/3/0
Change-Id: I1592cc18390881fda66f98316700886b8f5295f0
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I0ff13962ab6855663b9aec31c95e4a88cc809ff0
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Though dst-IP address would be change in LB plugin with L3DSR method,
layer-4 checksum would not be recomputed after this change.
Related changes:
- L3DSR: https://gerrit.fd.io/r/#/c/10203/
Change-Id: I98de7b8d80186ac77608a68050208c08d90b7c3b
Signed-off-by: Yusuke Tatsumi <ytatsumi@yahoo-corp.jp>
|
|
in2out and out2in protocol are not same
Change-Id: I4ce680ad1f088cb079e1f2aeb15ca59225fca0d1
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
|
|
Change-Id: I8a4a7a85e86acbfe411e6dfa22e3976d7d4c903b
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
|
|
dlopen linkage allow more transparent use for Mellanox nics.
Mellanox shared library librte_pmd_mlx5/4_glue.so* placed in LD_LIBRARY_PATH
At run time Mellanox code will be loaded only when Mellanox nics explicty used.
i.e if VPP is used with other vendor Mellanox code is not loaded.
Change-Id: Ib05bdbfc4cbb6e447c67186c98361f9c5b447140
Signed-off-by: Amir Zeidner <amirzei@mellanox.com>
|
|
Change-Id: I99cf3e7cc991aa7d32385a155c707a6516516117
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
If forwarding is enabled, inbound packets on an outside
interface should not be dropped and instead pass on to
the FIB lookup. This works for TCP and UDP but not other
IP protocols. Enable it for unknown protocols.
Change-Id: I1da84b5633a36b3e5e64079754db2fcc50f29819
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ib94e9e9e9fcdad9cdb0e3402b3de7d78bd644abe
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
forwarding mode:
session initiaded from service host - translate
session initiaded from remote host - do not translate
Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ic30fbcb2630f39e45345d7215babf5d7ed4b33a0
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: I94f6c35bf751d25ca7fe7c67054e676a3ad2241b
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
The VAT calls to MEMIF_SOCKET_FILENAME_ADD_DEL erroneously
cleared the message memory after the M() macro call and
thus lost their message id. Don't do that.
While in the neighborhood, prevent a string copy from
referencing data that doesn't belong to the filename string.
Change-Id: Ib4309608ed617ef4f193880ecf4a0b35fda65e51
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: I1d3ede2b043e1fd4abc54f540bb1d3ac9863016e
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The expression to determine whether to delete a session
from the disposal list only evaluates true if some,
but not all, of the sessions in the list were freed.
When all sessions in the list are freed, it evaluates
false and the sessions are left in the list to be freed
again later, which can result in a session pool element
that was reallocated to a different SA being freed,
breaking crypto for the newer SA.
Add an 'else' that handles the case where all sessions
were freed.
Change-Id: I3ae54d5b3bfc3658bf406caa50646924baaae589
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|