Age | Commit message (Collapse) | Author | Files | Lines |
|
When echo client fails to connect to remote, it should quit.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I787423bdc61a58eea48bab7bd8b73137626c02b4
|
|
Type: refactor
1) Removed deprecated API.
- These specific APIs do not have repleacement
because features that they controled
aren't part of current NAT44-ED
implementation anymore.
2) Removed unused typedef of port allocation funciton.
- Missed left over removed.
Change-Id: Ib3f763449065eda7cdcb2c6565a9cae51baf23d6
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
_clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fffb3a7e1b5 "%s:%d (%s) assertion `%s' fails") at src/vppinfra/error.c:143
mbedtls_ctx_get (ctx_index=0) at src/plugins/tlsmbedtls/tls_mbedtls.c:114
tls_ctx_get (ctx_handle=536870912) at src/vnet/tls/tls.c:310
tls_app_session_cleanup (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/tls/tls.c:624
app_worker_cleanup_notify (app_wrk=0x7fffbef95f80, s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/application_worker.c:445
session_cleanup_notify (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/session.c:262
session_free_w_fifos (s=0x7fffbf102040) at src/vnet/session/session.c:268
session_delete (s=0x7fffbf102040) at src/vnet/session/session.c:287
session_transport_delete_notify (tc=0x7fffbdf63c40) at src/vnet/session/session.c:1159
tcp_handle_cleanups (wrk=0x7fffbef46d40, now=133.30033046694487) at src/vnet/tcp/tcp.c:1298
tcp_update_time (now=133.30033046694487, thread_index=2 '\002') at src/vnet/tcp/tcp.c:1309
session_update_time_subscribers (smm=0x7ffff7f75ce0 <session_main>, now=133.30033046694487, thread_index=2) at src/vnet/session/session_node.c:1817
session_queue_node_fn (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1934
dispatch_node (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4722227957546624) at src/vlib/main.c:960
Putting a breakpoint in gdb, I found out ctx was free in mbedtls_app_close.
Looking at app_close function in picotls and openssl, I don't see they
free ctx and they don't crash when processing cleanup. I am inclined to
think that mbedtls_ctx_free should not be called in mbedtls_app_close
at src/plugins/tlsmbedtls/tls_mbedtls.c:92
at src/plugins/tlsmbedtls/tls_mbedtls.c:559
at src/vnet/tls/tls.c:360
thread_index=2) at src/vnet/tls/tls.c:762
conn_index=536870912, thread_index=2 '\002')
at src/vnet/session/transport.c:332
at src/vnet/session/session.c:1608
elt=0x7fffbdfef3dc)
at src/vnet/session/session_node.c:1672
node=0x7fffbe0b1340, frame=0x0)
at src/vnet/session/session_node.c:1966
node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT,
dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0,
last_time_stamp=4721919444027682)
at src/vlib/main.c:960
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ic5c13e659aee618c8accee42af9f40931b62f467
|
|
Type: fix
Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech>
Change-Id: I03cbd05d6d887d2ce8e7b7d20522e04012c5fe7a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia03c3fe0ca669b319dec8decd503254d0a95e58b
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
|
|
Fix initialization of the table u32 var which is leading to the incorrect
unformat of interface map type
Type: fix
Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com>
Change-Id: I1e56acd0e4c735df755e85b172bb6623bf47a57b
|
|
CQE flags located in bits 16-31 at offset 0x1c should be defined as
actual numbers instead of indexes. Besides, L3 header type for IPv4 is
10(2 in decimal) and for IPv6 is 01(1 in decimal) according to CQE entry
fields description of page 120 in Mellanox Programmer Reference Manual.
(https://network.nvidia.com/files/doc-2020/ethernet-adapters-programming-manual.pdf)
Fixing this issue will lead to correct CQE flags printing for rdma-input
node when buffer trace is enabled.
Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I9b578ca5cbd8cd93a577aa83131e31c79f60430e
|
|
- cqe_flags pointer should be incremented accordingly otherwise only the
first element in cqe_flags will be updated
- flag l3_ok should be set for match variable when verifying if packets
are IPv4 packets with flag l3_ok set
- mask/match variables should be converted to network byte order to
match the endianness of cqe_flags
- vector processing of checking cqe flags will set return value to
0xFFFF by mistake if packet numbers are not multiple of 16(VEC256) or
8(VEC128)
Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I9fec09e449fdffbb0ace8e5a6ccfeb6869b5cac1
|
|
The documentation for the cnat plugin is highly outdated specially on
the snat section.
Type: docs
Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com>
Change-Id: I30b0c6295d3c812b636374753af3c37f29b0cc53
|
|
Type: feature
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I2fd1e321983ac5caa03aac8705dfc596985c35f7
|
|
When there are several workers, iterator can and will skip
head iterator and it will last until BARRIER_SYNC_TIMEOUT won't
expire and will cause SIGABRT with `worker thread deadlock`
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: Id4def4d5894e077ae27592367b141ecd822e86af
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Backward compatibility was broken when updating ipsecmb version to 1.3.
Type: improvement
Signed-off-by: marcel.d.cornu@intel.com
Change-Id: I87a76859ec5e2ef6be0bc2af0960fa2494ce4297
|
|
This patch adds SCTP support in the CNat translation primitives.
It also exposes a clib_crc32c_with_init function allowing to set
the init value to start the crc32 with instead of 0.
Type: feature
Change-Id: I86add4cfcac08f2a5a34d1e1841122fafd349fe7
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
- Use the latest IPsec Multi-Buffer library release v1.3
- Use ipsec-mb burst API for HMAC-SHAx algorithms
- Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms
The new burst API available in ipsecmb v1.3 brings significant
performance improvements for certain algorithms compared to the job API.
Type: feature
Signed-off-by: marcel.d.cornu@intel.com
Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
|
|
otherwise the next time the counter is validated this is dangling.
Type: fix
Fixes: 58fd481d73
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifa8d5ff27175cf6dfb30cbf023fa3251fe5c780e
|
|
CLI lcp default clear or lcp default netns hangs in an infinite while loop.
Type: fix
Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: I699338abc045c84361707260adbb5b574a383170
|
|
Type: improvement
Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
existing details report the last_heard as the seconds since VPP
started, this is not very useful, so report additionaly
time_since_last_heard in seconds between VPP time and
last_heard.
Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738
Type: improvement
Signed-off-by: Dave Cornejo <dcornejo@netgate.com>
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
|
|
Fix vpp crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel
with 0.0.0.0 dst ip in debug build. The ASSERT should be move
out of fib_prefix_from_ip46_addr, which may be called when
create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip.
How to reproduce:
1. build debug vpp and run vpp
2. create vxlan t src 192.168.0.2 dst 0.0.0.0 vni 1 instance 1
create vxlan-gpe tunnel local 192.168.0.2 remote 0.0.0.0 vni 1
create geneve tunnel local 192.168.0.2 remote 0.0.0.0 vni 1
create gtpu tunnel src 192.168.0.2 dst 0.0.0.0 teid 1
Type: fix
Change-Id: I19972f6af588f4ff7fd17de1b16b9301e43d596f
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
|
|
this patch adds a mode to urpf in order to perform the lookup in a specified vrf instead of the interface vrf
Type: feature
Change-Id: Ieb91de6ccdfbf32b6939364f3bebeecd2d57af19
Signed-off-by: hedi bouattour <hedibouattour2010@gmail.com>
|
|
Type: fix
The handler for abf_itf_attach_add_del was always returning 0. Set rv to
the return value of call to abf_itf_attach() or abf_itf_detach().
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb888bb148e6e03fc2776e2384b3a6e26148a429
|
|
Change-Id: I2040b560b2a00f8bd176ae6ad46035678a2b249e
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Encode entropy value in UDP source port when requested per RFC 7510.
CLI already has "src-port-is-entropy", use zero UDP source port in API
to avoid breaking changes, since zero port is not something to be used
in wild.
Also, mark UDP encapsualtion API as mp-safe as already done for CLI.
Type: feature
Change-Id: Ieb61ee11e058179ed566ff1f251a3391eb169d52
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
Type: refactor
Change-Id: I7b7ca9ec62cb70243c5b7e87968eab1338d67ec8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
default RLIMIT_MEMLOCK is 64. if we use multi af_xdp interfaces or
load complex bpf program, libbpf will return permission error.
root cause is default 64 is not large enough. So we change it before
load bpf program.
Type: fix
Change-Id: Ia6aed19c9256c498cf1155586a54a32b3f444105
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Type: fix
Currently, when a wg interface is administratively disabled initially or
during operation, handshake packets continue to be sent. Data packets
stop being sent because routes pointing to the wg interface will not be
used. But data keys remain.
With this fix, when a wg interface is administratively disabled during
peer creation, avoid connection initialization to the peer. Data keys
and timers should be empty at this point. When a wg interface is
disabled during operation, disable all peers (i.e. stop all timers,
clear data keys, etc.). Thus, state should be identical in both cases.
When a wg interface is administratively enabled, enable all peers (i.e.
get ready to exchange data packets and initiate a connection). Also,
cover these scenarios with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
|
|
Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c
Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
with it
PS. openSSL 3.x.x
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If715a80228548b4e588cee222968d9da9024c438
|
|
Type: fix
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
Change-Id: Ia447420f692f1487d343886845d648d766e43c27
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Type: fix
As per the protocol:
A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms,
if a response has not been received...
Currently, if retransmit handshake timer is started, it will trigger
after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake
initiation via wg_send_handshake() given that no responses have been
received. wg_send_handshake() will verify that time stored in
REKEY_TIMEOUT has passed since last handshake initiation sending and if
has, will send a handshake initiation. Time when a handshake initiation
was last sent is stored in last_sent_handshake.
The problem is that last_sent_handshake is not only updated in
wg_send_handshake() when sending handshake initiations but also in
wg_send_handshake_response() when sending handshake responses. When
retransmit handshake timer triggers and a handshake response has been
sent recently, a handshake initiation will not be sent because for
wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT
has not passed yet. Also, the timer will not be restarted.
wg_send_handshake_response() must not update last_sent_handshake,
because this time is used only when sending handshake intitiations. And
the protocol does not say that handshake initiation retransmission and
handshake response sending (i.e. replying to authenticated handshake
initiations) must coordinate.
With this fix, stop updating last_sent_handshake in
wg_send_handshake_response().
Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds
and did not receive any handshake initiations. Then they fail.
Also, long-running tests that send wrong packets and do not expect
anything in reply may now receive handshake intiations, consider them as
replies to the wrond packets, and fail. Those are updated to filter out
handshake initiations in such verifications. Moreover, after sending
wrong packets, error counters are already inspected there to confirm
packet processing was unsuccessful.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
|
|
Type: improvement
Change-Id: I7f7050c19453a69a7fb6c5e62f8f57db847d9144
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: docs
Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: fix
Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Also check for non-zero rpath length in CLI cmd.
While there, no need to use "else" after a return.
Also while there, notice and fix numerous input_line
buffer leaks and fix them.
Type: fix
Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8
|
|
Type: fix
If unrecognized input was provided to the commands which add or delete a
pair, the error message was being created incorrectly and only displayed
something like "unknown input `'". Provide the correct argument to
format_unformat_error so that the actual unrecognized input is printed.
There also was no error or useful information printed if only the base
command were provided without any additional arguments. This should
print a warning about what required data was missing. Reorganize code to
handle this and to make sure that memory gets freed appropriately.
Change-Id: If454714f50cf41b3b56cfadfbf017f1d160e13a4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Handle the case of the mapping not being found by GID.
Type: fix
Change-Id: Ibce3b9e8419c0dddca97b4d0d5a71f25dfd529d8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
If one attempts to add a pattern with zero length, first time
it will succeed, and the second time it will cause an invalid memcmp call.
Solution: do not allow to add zero-length patterns.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ic08e021486153be605a4b12a2fe4422307bf68d2
|
|
The number of available dynamic ports is set to (0xffff - 1024) =
64511, which is not divisable by the pow2 number of workers - the
only integer divisors are 31 and 2081.
So, total dynamic port range of all workers will be less than it:
1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536
2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535
4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533
8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529
...
As seen, with multiple workers there are unused trailing ports for every
nat pool address and that is the reason of out-of-bound index in the
worker array on out2in path due (port - 1024) / port_per_thread math.
This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets
to unused ports will go to existing worker and dropped there.
Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6:
6. Port Number Ranges
o the System Ports, also known as the Well Known Ports, from 0-1023
(assigned by IANA)
o the User Ports, also known as the Registered Ports, from 1024-
49151 (assigned by IANA)
o the Dynamic Ports, also known as the Private or Ephemeral Ports,
from 49152-65535 (never assigned)
According that let's allocate dynamic ports from 1024 and have full port
range with a wide range of the workers number - 64 integer divisors in
total, including pow2 ones:
1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536
2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536
3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536
4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536
5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534
6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536
7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536
8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536
...
Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required
when the numbers of workers is not the integer divisor of 64512.
Type: fix
Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a
Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
Free node frames in worker mains on refork. Otherwise these frames are
never returned to free pool and it causes massive memory leaks if
performed under traffic load
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
|
|
When a session is found expired, the next node of in2out fast path
should be in2out slow path instead of out2in slow path.
Type: fix
Signed-off-by: Jing Peng <jing@meter.com>
Change-Id: If1dd920502089c25b33bea5434823b0496a44499
|
|
Type: improvement
Roaming functionality allows the peer address to change. The main thread
was being called to update a peer's address if necessary after
processing a received packet. Check in the worker whether this is
necessary before incurring the overhead of the RPC to the main thread.
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I02184b92dc658e0f57dd39993a3b2f9944187b45
|
|
The ability to modify the vlan setting must be checked prior to using
VIRTCHNL_OP_DISABLE_VLAN_STRIPPING_V2 both for inner and outer vlan
stripping
Change-Id: Iffe306c34b81a6077ad6ba5deb3f5b61b5475897
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Originally initialization cryptodev device(s) calls double request
to enabled async mode and increased ref count twice for async mode.
Due to this cannot be change any assigned async handlers to other
async crypto engine.
The fixes reduce double request to enable async mode in initialization
cryptodev device(s) and VPP can be change assigned async handlers
to other crypto engine after disabled all async feature, for example:
ipsec, wireguard.
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: If22e682c3c10de781d05c2e09b5420f75be151c3
|
|
test output before fix:
DBGvpp# vrrp proto start sw_if_index 1 vr_id 1
vrrp proto: unknown input `sw_if_index 1 vr_id 1'
DBGvpp# vrrp vr track-if add sw_if_index 1 vr_id 1 track-index 1
priority 30
vrrp vr track-if: Please specify an interface
Type: fix
Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: Ib8ba67e920b23008d9246318ec8f8f17bf0bea95
|
|
Zero-initialize a variable.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Iccf2eb4bf26755d6cd93fc70df3c5481d69ce7eb
|
|
Zero-initialize the variable
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I4ee127ac3e2a3beffa11bbc96db1f3254b3f7c5d
|
|
Initialize the session index in case of error to ~0,
so is defined in case trace needs to copy it.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Iddf6df42c09d2abc11e5821944eb4f41692e6e3e
|
|
The unformat type for "%d" should be u32 or int, otherwise the 'did' in
high stack address will be overflow to zero by the 'qid' which is in the
low stack address.
Like input "dev wq3.2" will return "did=0, qid=2".
Type: fix
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Change-Id: I0fe1d5b03e2c47e0a7925193e2c2f1ccc31d3e90
|
|
When there is a bad descriptor, it may in the beginning, in the middle,
or at the end of the batch if the batch has more than 3 descriptors.
When processing a bad descriptor is encountered in the batch, we need to
rollback n_buffers in memif_process_desc(), or the statement in the same
function
memif_add_copy_op (ptd, mb0 + src_off, bytes_to_copy,
dst_off, n_buffers - 1);
is wrong because it picks up the wrong buffer_vec_index of the bad
descriptor while parsing a good descriptor immediately following the
bad descriptor. n_buffers was incremented in the beginning of
while (n_left) loop.
The other problem is we should count the number of bad packets and
reduce ptd->n_packets to get the correct number of packets for subsequent
processing in device_input.
The last fix is to check if n_buffers == 0 in device_input and skip
doing any descriptor copy. This case can happen when all the descriptors
are bad in the batch.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I28ed1d87236b045657006755747b5750a9a733be
|
|
In case of a bad packet, the bihash kv is not initialized before being
copied in the trace. Make sure it is initialized to 0.
Type: fix
Change-Id: I22fcfe99f3586d0fa128493059547a56557b8fb5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|