summaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2018-02-25Fix bug in dpdk_crypto_session_disposal()Matthew Smith1-0/+2
The expression to determine whether to delete a session from the disposal list only evaluates true if some, but not all, of the sessions in the list were freed. When all sessions in the list are freed, it evaluates false and the sessions are left in the list to be freed again later, which can result in a session pool element that was reallocated to a different SA being freed, breaking crypto for the newer SA. Add an 'else' that handles the case where all sessions were freed. Change-Id: I3ae54d5b3bfc3658bf406caa50646924baaae589 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-24Fix crypto session deletion crashMatthew Smith1-6/+9
When using a DPDK cryptodev with IPsec, deleting a session often results in a SEGV. A bad pointer is being passed to rte_cryptodev_sym_session_free(). Put the correct value on the crypto disposal list and add a check to determine whether the call to free the session is going to result in a crash before doing it. Change-Id: I8a6b0a594585ebcfa56b555ede7ef7d67e5e2b33 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-23Disable scatter-gather for ENAMatthew Smith1-0/+1
ENA doesn't support scatter-gather. The PMD started failing rte_eth_dev_rx_queue_config() in DPDK 18.02 if the flag to enable it is set. Turn the flag off in dpdk_lib_init(). Change-Id: Ifdd9f188c89b46efe82412c75fb935a92436da1c Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-19dpdk: Fix MTU calc for NICs that support mtu<9216Nitin Saxena1-34/+66
Problem: rte_eth_dev_set_mtu() returns with failure from ThunderX NICVF DPDK PMD driver which supports MTU less than ETHERNET_MAX_PACKET_BYTES. rte_eth_dev_set_mtu() being called twice from dpdk_lib_init(): one via dpdk_device_setup() and second in dpdk_lib_init() itself. Currently dpdk_lib_init() passes vnet_hardware_interface->max_packet_bytes as an argument to rte_eth_dev_set_mtu() without consulting dev_info.max_rx_pktlen. NICs like i4oe, ixgbe can support MTU much greater than 9216 hence its not a problem for those NICS. Fix: This patch calculates dpdk_device->port_conf.rxmode.max_rx_pkt_len, vnet_hardware_interface->max_packet_bytes and MTU by consulting dev_info.max_rx_pktlen. Change-Id: If04bbfae49ee971dac0063ff1835e4a9c3087865 Signed-off-by: Nitin Saxena <nitin.saxena@cavium.com>
2018-02-16memif: VPP-1172: Ensure memif_create reply contains sw_if_indexJon Loeliger1-1/+6
Change-Id: If5cd2e913770adac4e7320f54584da63012f925d Signed-off-by: Jon Loeliger <jdl@netgate.com>
2018-02-15dpdk: add support for DPDK 18.02, deprecate 17.08Damjan Marion4-24/+0
17.11 is still default. Change-Id: I524d232579db8a59c717c5d760398b6b7f811d03 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-02-14VOM: build with plugins disabledNeale Ranns1-1/+1
Change-Id: I1384d16deb3fa38b988dd2fc98f436124e381536 Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2018-02-14NAT44 out2in DHCP client next nodeMatthew Smith1-8/+24
Call vnet_feature_next() for DHCP replies instead of using default ip4-lookup. This allows DHCP replies to reach an outside interface if it's configured as a DHCP client. Change-Id: Icce1cd68b21256fcd6b1fad6792c06578b0e4e36 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-14NAT44: run NAT nodes after ACL (VPP-1160)Matus Fabian1-15/+15
NAT input features run after acl-plugin-in-ip4-fa NAT output features run after acl-plugin-out-ip4-fa Change-Id: I1e4487a0d6fdb99a90b8db640d9ad0e0eb7347a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-12dpdk:fix trace to follow feature arcEyal Bari3-87/+66
Change-Id: Icd2184dec16d30cdcc689ca37c834b5df2f0a1a3 Signed-off-by: Eyal Bari <ebari@cisco.com>
2018-02-09acl-plugin: Stale classify table after deleting macip ACLSteve Shin1-0/+22
Classify table for output node should be cleaned up after deleting macip ACL. Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-02-09GBP pluginNeale Ranns8-0/+1366
Group Base Policy (GBP) defines: - endpoints: typically a VM or container that is connected to the virtual switch/router (i.e. to VPP) - endpoint-group: (EPG) a collection of endpoints - policy: rules determining which traffic can pass between EPGs a.k.a a 'contract' Here, policy is implemented via an ACL. EPG classification for transit packets is determined by: - source EPG: from the packet's input interface - destination EPG: from the packet's destination IP address. Change-Id: I7b983844826b5fc3d49e21353ebda9df9b224e25 Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2018-02-09memif: fix crash caused by zero pkt len in memif and clear dirty cache while ↵Chun Li5-12/+102
interface reconnect. Change-Id: Ifc7eb2494a22c334d8899422545fca1a4bba4d05 Signed-off-by: Chun Li <chunl2@cisco.com>
2018-02-08add CLIB_HAVE_VEC128 with NEON intrinsics (VPP-1127)Gabriel Ganne1-1/+1
Enable CLIB_HAVE_VEC128 if both aarch64 and __ARM_NEON ie. armv8 only, not armv7 Add more neon compare intrinsics wrappers. I only add simple intrinsics wrappers. More complex ones can be added later as they are needed, with performance tests on the corresponding feature to back them up. Remove wrongly added 128bits definitions defined on both armv7 and armv8 without concern for NEON instructions presence. Notable correspondinf code activations: * MHEAP_FLAG_SMALL_OBJECT_CACHE in mheap.c * ip4 fib mtrie leaves access * enable ixge plugin compilation for aarch64 (conf still disables it by default) Change-Id: I99953823627bdff6f222d232c78aa7b655aaf77a Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2018-02-08acl-plugin: add whitelisted ethertype mode (VPP-1163)Andrew Yourtchenko5-5/+308
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: VPP-1088: add support for egress filter in macip ACLsAndrew Yourtchenko2-16/+244
This is the second patch, using the new functionality from the change 10002 in order to implement the egress filtering on the MACIP ACLs. This adds an action "2" which means "add also egress filtering rules for this MACIP ACL. The reason for having the two choices is that the egress filtering really takes care of a fairly corner case scenario, and I am not convinced that always adding the performance cost of the egress lookup check is worth it. Also, of course, not breaking the existing implementations is a nice plus, too. Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: an elog-based tracing implementation for troubleshooting the ↵Andrew Yourtchenko4-32/+153
conn cleaner threads interactions This replaces some of the early-stage commented-out printf()s with an elog-based debug collector. It is aimed to be "better than nothing" initial implementation to be available in the field. It will be refined/updated based on use. This initial code is focused on the main/worker threads interactions, hence uses just the worker tracks. This code adds a developer debug CLI "set acl-plugin session table event-trace 1", which allows to gather the events pertaining to connection cleaning. The CLI is deliberately not part of the online help, as the express declaration that the semantics/trace levels, etc. are subject to change without notice. Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07acl-plugin: multicore: send the interrupts to thread0 tooAndrew Yourtchenko1-1/+1
The thread0 in some configurations can handle the traffic. Some of the previous fixes accomodated for that, but the interrupt sending for connection clearing was not adapted to that, resulting in a deadlock during clearing of all connections... Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07classifier-based ACL: refactor + add output ACLAndrew Yourtchenko1-1/+1
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound classifier-based ACL would be needed. There was an existing incomplete code for outbound ACLs, it looked almost exact copy of input ACLs, minus the various enhancements, trying to sync that code seemed error-prone and cumbersome to maintain in the longer run. This change refactors the input+output ACLs processing into a unified routine (thus any changes will have effect on both), and also adds the API to set the output interface ACL, with the same format and semantics as the existing input one (except working on output ACL of course). WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields in the vnet_buffer_opaque_t, since the code is using l2_classify.* The net_buffer (p0)->ip.save_rewrite_length is rescued into l2_classify.pad.l2_len, and used to rewind the header in case of drop, so that ipX_drop prints something sensible. Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07Refactor vlib_buffer flagsDamjan Marion5-21/+12
Change-Id: I853386aebfe488ebb10328435b81b6e3403c5dd0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-02-06vlib: epoll on worker threadsDamjan Marion2-0/+11
This patch teaches worer threads to sleep and to be waken up by kernel if there is activity on file desctiptors assigned to that thread. It also adds counters to epoll file descriptors and new debug cli 'show unix file'. Change-Id: Iaf67869f4aa88ff5b0a08982e1c08474013107c4 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-02-06Reflexive ACL support on ICMPSteve Shin1-25/+113
Normally session keys are generated by mirroring the packets sent. ICMP message type should be used and inverted for the stateful ACL. Supported ICMP messages with this patch: - ICMPv4: Echo/Timestamp/Information/Address Mask requests - ICMPv6: Echo request/Node Information Queury The invmap & valid_new tables can be modified to make any other ICMP messages to be reflexive ACL. Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9 Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-02-05NAT64: Run nat64-expire-worker-walk only when NAT64 is configured (VPP-1162)Matus Fabian2-4/+48
Change-Id: Ic5e8d74bf5ac84cce5661de44778c89541c67636 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-02Add L3DSR feature in LB pluginHongjun Ni8-88/+246
L3DSR is used to overcome Layer 2 limitations of Direct Server Return Load Balancing. It maps VIP to DSCP bits, and reuse TOS bits to transfer it to server, and then server will get VIP from DSCP-to-VIP mapping. Please refer to https://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk45.nanog51-Schaumann.pdf Change-Id: I403ffeadfb04ed0265086eb2dc41f2e17f8f34cb Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
2018-02-01FIB: Consolidate several copies of fib_ip_proto() into one.Jon Loeliger1-6/+0
Rather than having multiple copies of the same function scattered around, promote the function into the FIB PROTOCOL definitions in fib_types.h. Change-Id: I11c4d85931167d3a5f3dc1278afecc8845b23cd7 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2018-02-01dpdk:fix typo in prefetch sequenceEyal Bari1-2/+2
Change-Id: I7110436626352d45ffe0ca71fb88dea2c77ab639 Signed-off-by: Eyal Bari <ebari@cisco.com>
2018-02-01srv6-ad: fixing coverity issuesFrancois Clad1-8/+32
Change-Id: Ica6d8dd773bb3b478f1c7e40d59dfbdd4b588b85 Signed-off-by: Francois Clad <fclad@cisco.com>
2018-02-01srv6-as: fixing coverity issuesFrancois Clad1-8/+32
Change-Id: I911e09aadd3df1123634fd97098920f107f9a2fc Signed-off-by: Francois Clad <fclad@cisco.com>
2018-01-31vlib: allocating buffers on thread-x and freeing them on thread-y causesSteven1-12/+6
a crash on debug image (VPP-1151) In debug image, there is extra code to validate the buffer when it is freed. It uses the hash table to lookup the buffer index with spinlock to prevent contention. However, there is one spinlock for each worker thread. So allocating the buffer on thread-x and freeing the same buffer on thread-y causes the validation to fail on thread-y. The fix is to have only one spinlock, stored in vlib_global_main. Change-Id: Ic383846cefe84a3e262255afcf82276742f0f62e Signed-off-by: Steven <sluong@cisco.com> (cherry picked from commit a7effa1b072463f12305a474f082aeaffb7ada4b)
2018-01-31Improved tracing for the IP[46] not-enabled case.Neale Ranns1-2/+4
now we get 00:00:03:665501: pg-input ... 00:00:03:665681: ethernet-input ... 00:00:03:665691: ip6-input UDP: 2001::1 -> ffef::1 tos 0x00, flow label 0x0, hop limit 64, payload length 108 UDP: 1234 -> 1234 length 108, checksum 0x7b25 00:00:03:665695: ip6-not-enabled UDP: 2001::1 -> ffef::1 tos 0x00, flow label 0x0, hop limit 64, payload length 108 UDP: 1234 -> 1234 length 108, checksum 0x7b25 00:00:03:665706: error-drop ethernet-input: no error Same goes for IPv4 Change-Id: Ia360df39b43281d3a0aa1b686f04b73cfa37c546 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-01-31NAT66 1:1 mapping (VPP-1108)Matus Fabian9-2/+1378
Support the 1:1 translation of source address for IPv6 Change-Id: I934d18e5ec508bf7422d796ee5f172b79c048011 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: in2out output feature skip translation for already translated packets ↵Matus Fabian2-15/+74
(VPP-1156) Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: Delete dynamic sessions matching new 1:1NAT (VPP-1158)Matus Fabian1-8/+52
Change-Id: Ib99b597502b8335e57ecfa122b12e2e5aa45ee1a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: nat44_static_mapping_details protocol=0 if addr_only=0 (VPP-1158)Matus Fabian2-13/+19
Change-Id: I1e3cfc751e7657464fc850dc56ddf763df45f62e Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-30NAT: add missing CLI and API documentation (VPP-1142)Matus Fabian2-0/+105
Change-Id: I4e93595665b8d0e373c4df27311c27a51222961c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-30NAT: replace format_vnet_sw_interface_name with format_vnet_sw_if_index_name ↵Matus Fabian3-39/+33
(VPP-1149) Avoid crash when interface was deleted. Change-Id: I2ac3031c13ca5ad3360495e1c4cb90b0002be5ff Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-30Allow the provider of a midchain adjacency to pass context data that is ↵Neale Ranns1-5/+12
returned in the fixup function Change-Id: I458e6e03b03e27775df33a2fd302743126d6ac44 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-01-29memif: Add new API calls to manage memif socket names.Jon Loeliger7-102/+647
New API calls and corresponding CLI commands allow the user to manage the socket filenames for memif connections using: vppctl# create memif id <u32> filename <socket-filename> vppctl# delete memif id <u32> and then referencing it later in a memif interface: vppctl# create memif <u32> socket-id <id> mode <mode> <master|slave> ... Corresponding VAT cli entries have also been added. The default memif socket file at id 0 are still always present. The existing memif create/delete CLI commands have been slightly altered into the new syntax: vppctl# create interface memif ... vppctl# delete interface memif ... Change-Id: If2bdc7eac3d81e1d9011a5869747e52fc5e11639 Signed-off-by: Jon Loeliger <jdl@netgate.com> Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-01-29SRv6 dynamic proxy pluginFrancois Clad6-0/+1005
Change-Id: Ie460005510b8a70d00de31b6651e762cc3a63229 Signed-off-by: Francois Clad <fclad@cisco.com>
2018-01-26NAT44: fix ICMP error translation for endpoint dependent sessions (VPP-1150)Matus Fabian2-4/+150
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-25NAT44: add opaque string tag to static mapping APIs (VPP-1147)Matus Fabian5-16/+62
Change-Id: I620e2081285ca8ac5c2da8efc12fe6f540ea4fd1 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-25srv6-as: fixing versionFrancois Clad1-1/+2
Change-Id: I0ce60729e82536d9a97823bc6701e62bf364ea6c Signed-off-by: Francois Clad <fclad@cisco.com>
2018-01-25NAT: nat.c refactor (split out CLI) (VPP-1140)Matus Fabian4-1547/+1824
Moved CLI from nat.c to nat44_cli.c Split "show nat44" to: show nat44 addresses show nat44 interfaces show nat44 static mappings show nat44 interface address show nat44 sessions detail show nat44 deterministic mappings show nat44 deterministic timeouts show nat44 deterministic sessions show nat workers Change-Id: I2d1be8941dd0e4a9e037f4a4d2cd192389beb8ed Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-25SRv6 masquerading proxy pluginFrancois Clad6-0/+788
Change-Id: Ia65cf2c7b7fdf84c64e60af4cc815251022c53a9 Signed-off-by: Francois Clad <fclad@cisco.com>
2018-01-24Improve tunnel interface creation performanceJohn Lo1-14/+5
Modify interface creation to allow creation of tunnel interfaces without dedicated per tunnel output and tx nodes which are not used for most tunnel types. Also changed interface-output node function vnet_per_buffer_interface_output() so it does not rely on hw_if_index as the next node index which is not flexible nor efficient for large scale tunnel interfaces. The improvenemts are done for VXLAN, VXLAN-GPE, GENEVE and GTPU tunnels. GRE tunnel is still using per tunnel output nodes which will be changed in a separate patch with other GRE enhencements. Change-Id: I4123c01c0d2ead814417a867adb8c8a407e4df55 Signed-off-by: John Lo <loj@cisco.com>
2018-01-24NAT44: asymmetrical static mapping and one-armed NAT (VPP-1138)Matus Fabian1-1/+10
One-armed NAT should work for asymmetrical static mappings without adding external address to the NAT44 pool. Change-Id: Ie886b75b55c3b552d1029a50bd967625fde80f09 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-24docs: Clean up TOCDave Wallace1-1/+1
Change-Id: I5415c002a431d84372f56d4a77dc2aabd6ef55f7 Signed-off-by: Dave Wallace <dwallacelf@gmail.com> (cherry picked from commit 1eb970d16028e9a987c1dd2bfe217d1313262b81)
2018-01-23VPPAPIGEN: vppapigen replacement in Python PLY.Ole Troan18-18/+19
This is a version of the VPP API generator in Python PLY. It supports the existing language, and has a plugin architecture for generators. Currently C and JSON are supported. Changes: - vl_api_version to option version = "major.minor.patch" - enum support - Added error checking and reporting - import support (removed the C pre-processor) - services (tying request/reply together) Version: option version = "1.0.0"; Enum: enum colours { RED, BLUE = 50, }; define foo { vl_api_colours_t colours; }; Services: service { rpc foo returns foo_reply; rpc foo_dump returns stream foo_details; rpc want_stats returns want_stats_reply events ip4_counters, ip6_counters; }; Future planned features: - unions - bool, text - array support (including length) - proto3 output plugin - Refactor C/C++ generator as a plugin - Refactor Java generator as a plugin Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf Signed-off-by: Ole Troan <ot@cisco.com>
2018-01-23NAT44: Fix interface feature removal.Milan Lenco1-3/+14
Change-Id: Ie7cd809f30decc36cb8e1f4d8acc4b41f17cd390 Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
2018-01-22NAT44: asymmetrical static mapping rule (VPP-1135)Matus Fabian4-24/+40
add option to NAT44 static mapping API/CLI to make rule asymmetrical (rule match only out2in direction) Change-Id: If262a3ff375a24d3059f0de1f1ac387a4fe09475 Signed-off-by: Matus Fabian <matfabia@cisco.com>