summaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2022-11-11srtp: use safe pool reallocsFlorin Coras1-2/+5
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I15fea1f90640ea54cafe3ea929e871ec6e86fc67
2022-11-10linux-cp: fix lcp_itf_pair_create()'s memory leakluoyaozu1-0/+3
need free args.error if args.rv < 0 Type: fix Signed-off-by: luoyaozu <luoyaozu@foxmail.com> Change-Id: I8ceebfc36f51798d8d1a8e4c41bec33d74344396
2022-11-10http: support client connectFilip Tehlar5-53/+979
Type: feature Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0738c0aefb41ab6c0ff717cfccd1df75ddb481fa
2022-11-10nat: updating my maintainer email addressFilip Varga1-1/+1
Type: fix Signed-off-by: Filip Varga <filipvarga89@gmail.com> Change-Id: I1f5069df2dc743ecd1269e947dd375cb1b84970f
2022-11-09sr: fix added for configuring vlan sub interface as iif interface in ↵ChinmayaAgarwal1-8/+0
End.AD.Flow localsid Type: fix Signed-off-by: ChinmayaAgarwal <chinmaya.agarwal@hsc.com> Change-Id: Ifad23978b98c5e05d86f6254bfb65baa0b380436
2022-11-09acl: verify that src and dst have sane and same address familyAndrew Yourtchenko1-1/+5
API refactoring moved the address-family tag from rule level down to prefix level. This necessarily warrants the check that they are the same. Also, add a check that the address family is sane. Change-Id: Ia63b688cc9e7c9e9cc773e89708d9e9f99185fb7 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-11-07prom: fix stats vector leakFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I620447c9aa8606a125063cdd724bfe74f8a870f6
2022-11-07nat: fix per-vrf session bookkeepingJing Peng3-34/+26
Each NAT44 ED session has a per_vrf_sessions_index referencing an element in the thread-local vector per_vrf_sessions_vec. However this index can be possibly invalidated by vec_del1() in per_vrf_sessions_cleanup(), before a session is registered. Such a stale index can cause an assertion failure in function per_vrf_sessions_is_expired() when we use it to locate the per_vrf_sessions object. A possible sequence to reproduce is: 1. Create two NAT44 ED sessions s1, s2 so that two per_vrf_sessions are created: index 0: between VRF pair 10 and 11 (expired=0, ses_count=1) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s1->per_vrf_sessions_index == 0 s2->per_vrf_sessions_index == 1 2. Delete the first session via CLI, now the two per_vrf_sessions become: index 0: between VRF pair 10 and 11 (expired=0, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 3. Delete the VRF 11: index 0: between VRF pair 10 and 11 (expired=1, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 4. Create a new session s3 between VRF pair 20 and 21 so that the first per_vrf_sessions will be deleted: index 0: between VRF pair 20 and 21 (expired=0, ses_count=2) For the sessions we have: s2->per_vrf_sessions_index == 1 s3->per_vrf_sessions_index == 0 Here, note that the actual index of per_vrf_session is changed due to vec_del1(). The new session is added after the cleanup so it gets the correct index. But the index held by the existing session is not updated. 5. Trigger the fast path of the session s2. To achieve this, session s2 could be created in step 1 by ping -i20 -Iiface_in_vrf_10 1.1.1.1 and steps 2-4 should then be performed within the 20-second interval. This patch fixes this by changing per_vrf_sessions_vec to a pool so that indicies are kept intact. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: I4c08f9bfd50134bcb5f08e50ad61af2bddbcb645
2022-11-07nat: fix byte order error.Huawei LI1-6/+4
fix byte order error about the struct snat_address_t's member net. for example configurations: set interface ip table loop1 1 set interface ip addr loop1 10.10.10.2/24 nat44 add address 10.10.10.2 tenant-vrf 1 the snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}", but now it's "as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing transition of byte order about the member net of snat_address_t. (gdb) p/x *snat_main->addresses $3 = {addr = {data = {0xa, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a0a, as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a, 0x20a}, as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2}, as_u16 = {0xa00, 0x20a}, as_u32 = 0x20a0a00}, sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18} (gdb) Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: I4f25f0639ae90a7f2e8715b44f825571283d994d
2022-11-05hsa: echo client crash when it fails to connect to remoteSteven Luong1-1/+1
When echo client fails to connect to remote, it should quit. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I787423bdc61a58eea48bab7bd8b73137626c02b4
2022-11-04nat: cleanup of deprecated featuresFilip Varga3-296/+0
Type: refactor 1) Removed deprecated API. - These specific APIs do not have repleacement because features that they controled aren't part of current NAT44-ED implementation anymore. 2) Removed unused typedef of port allocation funciton. - Missed left over removed. Change-Id: Ib3f763449065eda7cdcb2c6565a9cae51baf23d6 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2022-11-03tls: crash in mbedtls due to ctx is already freeSteven Luong1-1/+0
_clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fffb3a7e1b5 "%s:%d (%s) assertion `%s' fails") at src/vppinfra/error.c:143 mbedtls_ctx_get (ctx_index=0) at src/plugins/tlsmbedtls/tls_mbedtls.c:114 tls_ctx_get (ctx_handle=536870912) at src/vnet/tls/tls.c:310 tls_app_session_cleanup (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/tls/tls.c:624 app_worker_cleanup_notify (app_wrk=0x7fffbef95f80, s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/application_worker.c:445 session_cleanup_notify (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/session.c:262 session_free_w_fifos (s=0x7fffbf102040) at src/vnet/session/session.c:268 session_delete (s=0x7fffbf102040) at src/vnet/session/session.c:287 session_transport_delete_notify (tc=0x7fffbdf63c40) at src/vnet/session/session.c:1159 tcp_handle_cleanups (wrk=0x7fffbef46d40, now=133.30033046694487) at src/vnet/tcp/tcp.c:1298 tcp_update_time (now=133.30033046694487, thread_index=2 '\002') at src/vnet/tcp/tcp.c:1309 session_update_time_subscribers (smm=0x7ffff7f75ce0 <session_main>, now=133.30033046694487, thread_index=2) at src/vnet/session/session_node.c:1817 session_queue_node_fn (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1934 dispatch_node (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4722227957546624) at src/vlib/main.c:960 Putting a breakpoint in gdb, I found out ctx was free in mbedtls_app_close. Looking at app_close function in picotls and openssl, I don't see they free ctx and they don't crash when processing cleanup. I am inclined to think that mbedtls_ctx_free should not be called in mbedtls_app_close at src/plugins/tlsmbedtls/tls_mbedtls.c:92 at src/plugins/tlsmbedtls/tls_mbedtls.c:559 at src/vnet/tls/tls.c:360 thread_index=2) at src/vnet/tls/tls.c:762 conn_index=536870912, thread_index=2 '\002') at src/vnet/session/transport.c:332 at src/vnet/session/session.c:1608 elt=0x7fffbdfef3dc) at src/vnet/session/session_node.c:1672 node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1966 node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4721919444027682) at src/vlib/main.c:960 Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ic5c13e659aee618c8accee42af9f40931b62f467
2022-11-03misc: fix failing TestNs/TestHttpTps test in hstfMaros Ondrejicka1-1/+6
Type: fix Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: I03cbd05d6d887d2ce8e7b7d20522e04012c5fe7a
2022-10-31quic: use safe pool reallocFlorin Coras1-1/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia03c3fe0ca669b319dec8decd503254d0a95e58b
2022-10-31tls: use safe pool reallocsFlorin Coras3-5/+7
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
2022-10-28cnat: Fix unformat_cnat_snat_interface_map_typeMiguel Borges de Freitas1-1/+1
Fix initialization of the table u32 var which is leading to the incorrect unformat of interface map type Type: fix Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com> Change-Id: I1e56acd0e4c735df755e85b172bb6623bf47a57b
2022-10-25rdma: set correct CQE flagsJieqiang Wang1-6/+6
CQE flags located in bits 16-31 at offset 0x1c should be defined as actual numbers instead of indexes. Besides, L3 header type for IPv4 is 10(2 in decimal) and for IPv6 is 01(1 in decimal) according to CQE entry fields description of page 120 in Mellanox Programmer Reference Manual. (https://network.nvidia.com/files/doc-2020/ethernet-adapters-programming-manual.pdf) Fixing this issue will lead to correct CQE flags printing for rdma-input node when buffer trace is enabled. Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I9b578ca5cbd8cd93a577aa83131e31c79f60430e
2022-10-25rdma: fix ipv4 checksum check in rdma-input nodeJieqiang Wang1-23/+40
- cqe_flags pointer should be incremented accordingly otherwise only the first element in cqe_flags will be updated - flag l3_ok should be set for match variable when verifying if packets are IPv4 packets with flag l3_ok set - mask/match variables should be converted to network byte order to match the endianness of cqe_flags - vector processing of checking cqe flags will set return value to 0xFFFF by mistake if packet numbers are not multiple of 16(VEC256) or 8(VEC128) Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I9fec09e449fdffbb0ace8e5a6ccfeb6869b5cac1
2022-10-24docs: update cnat docs to current vpp versionMiguel Borges de Freitas1-5/+13
The documentation for the cnat plugin is highly outdated specially on the snat section. Type: docs Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com> Change-Id: I30b0c6295d3c812b636374753af3c37f29b0cc53
2022-10-24dpdk: add Intel QAT 200xx series supportVladimir Ratnikov1-1/+2
Type: feature Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I2fd1e321983ac5caa03aac8705dfc596985c35f7
2022-10-20crypto-sw-scheduler: fix queue iteratorVladimir Ratnikov1-0/+10
When there are several workers, iterator can and will skip head iterator and it will last until BARRIER_SYNC_TIMEOUT won't expire and will cause SIGABRT with `worker thread deadlock` Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Id4def4d5894e077ae27592367b141ecd822e86af Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-10-19crypto-ipsecmb: support previous ipsecmb versionsMarcel Cornu1-11/+125
Backward compatibility was broken when updating ipsecmb version to 1.3. Type: improvement Signed-off-by: marcel.d.cornu@intel.com Change-Id: I87a76859ec5e2ef6be0bc2af0960fa2494ce4297
2022-10-17cnat: Add sctp supportNathan Skrzypczak2-0/+52
This patch adds SCTP support in the CNat translation primitives. It also exposes a clib_crc32c_with_init function allowing to set the init value to start the crc32 with instead of 0. Type: feature Change-Id: I86add4cfcac08f2a5a34d1e1841122fafd349fe7 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2022-10-17crypto-ipsecmb: bump ipsecmb library to v1.3Marcel Cornu1-64/+79
- Use the latest IPsec Multi-Buffer library release v1.3 - Use ipsec-mb burst API for HMAC-SHAx algorithms - Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms The new burst API available in ipsecmb v1.3 brings significant performance improvements for certain algorithms compared to the job API. Type: feature Signed-off-by: marcel.d.cornu@intel.com Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
2022-10-17vlib: Counter free needs to NULL the allocated counter vectorNeale Ranns1-0/+6
otherwise the next time the counter is validated this is dangling. Type: fix Fixes: 58fd481d73 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifa8d5ff27175cf6dfb30cbf023fa3251fe5c780e
2022-10-15linux-cp: fix infinite loop in CLI lcp defaultluoyaozu1-3/+12
CLI lcp default clear or lcp default netns hangs in an infinite while loop. Type: fix Signed-off-by: luoyaozu <luoyaozu@foxmail.com> Change-Id: I699338abc045c84361707260adbb5b574a383170
2022-10-12misc: fix issues reported by clang-15Damjan Marion13-48/+23
Type: improvement Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a Signed-off-by: Damjan Marion <dmarion@me.com>
2022-10-11nat: report time between current vpp time and last_heardDave Cornejo4-0/+274
existing details report the last_heard as the seconds since VPP started, this is not very useful, so report additionaly time_since_last_heard in seconds between VPP time and last_heard. Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738 Type: improvement Signed-off-by: Dave Cornejo <dcornejo@netgate.com> Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
2022-10-11fib: fix crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel.Huawei LI2-6/+4
Fix vpp crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip in debug build. The ASSERT should be move out of fib_prefix_from_ip46_addr, which may be called when create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip. How to reproduce: 1. build debug vpp and run vpp 2. create vxlan t src 192.168.0.2 dst 0.0.0.0 vni 1 instance 1 create vxlan-gpe tunnel local 192.168.0.2 remote 0.0.0.0 vni 1 create geneve tunnel local 192.168.0.2 remote 0.0.0.0 vni 1 create gtpu tunnel src 192.168.0.2 dst 0.0.0.0 teid 1 Type: fix Change-Id: I19972f6af588f4ff7fd17de1b16b9301e43d596f Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
2022-10-07urpf: add mode for specific fib index lookuphedi bouattour5-38/+175
this patch adds a mode to urpf in order to perform the lookup in a specified vrf instead of the interface vrf Type: feature Change-Id: Ieb91de6ccdfbf32b6939364f3bebeecd2d57af19 Signed-off-by: hedi bouattour <hedibouattour2010@gmail.com>
2022-10-07abf: return status of attachment add/delMatthew Smith1-7/+5
Type: fix The handler for abf_itf_attach_add_del was always returning 0. Set rv to the return value of call to abf_itf_attach() or abf_itf_detach(). Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb888bb148e6e03fc2776e2384b3a6e26148a429
2022-10-04rdma: unhackish build of rdma-coreMohammed Hawari2-11/+5
Change-Id: I2040b560b2a00f8bd176ae6ad46035678a2b249e Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-09-30udp: add udp encap source port entropy supportVladislav Grishenko1-1/+2
Encode entropy value in UDP source port when requested per RFC 7510. CLI already has "src-port-is-entropy", use zero UDP source port in API to avoid breaking changes, since zero port is not something to be used in wild. Also, mark UDP encapsualtion API as mp-safe as already done for CLI. Type: feature Change-Id: Ieb61ee11e058179ed566ff1f251a3391eb169d52 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-29api: deprecate vl_msg_api_set_handlersDamjan Marion2-11/+24
Type: refactor Change-Id: I7b7ca9ec62cb70243c5b7e87968eab1338d67ec8 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-09-28af_xdp: change RLIMIT_MEMLOCK before load bpf programChen Yahui1-0/+7
default RLIMIT_MEMLOCK is 64. if we use multi af_xdp interfaces or load complex bpf program, libbpf will return permission error. root cause is default 64 is not large enough. So we change it before load bpf program. Type: fix Change-Id: Ia6aed19c9256c498cf1155586a54a32b3f444105 Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
2022-09-27wireguard: stop sending handshakes when wg intf is downAlexander Chernavin1-3/+66
Type: fix Currently, when a wg interface is administratively disabled initially or during operation, handshake packets continue to be sent. Data packets stop being sent because routes pointing to the wg interface will not be used. But data keys remain. With this fix, when a wg interface is administratively disabled during peer creation, avoid connection initialization to the peer. Data keys and timers should be empty at this point. When a wg interface is disabled during operation, disable all peers (i.e. stop all timers, clear data keys, etc.). Thus, state should be identical in both cases. When a wg interface is administratively enabled, enable all peers (i.e. get ready to exchange data packets and initiate a connection). Also, cover these scenarios with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
2022-09-27crypto-openssl: use no padding for encrypt/decryptVladimir Ratnikov1-6/+1
Internaly, vpp uses it's own padding, so all the data is padded using blocksize in /src/vnet/ipsec/ipsec.c Openssl should add it's own padding, but the data is already padded. So on decrypt stage when padding should be removed, it can't be done. And it produces error `bad decrypt` Previous versions of openSSL decrypted data almost at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex and produced the same error, but data was already decrypted. Now it's not, so some algorithms could have some problems with it PS. openSSL 3.x.x Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If715a80228548b4e588cee222968d9da9024c438
2022-09-27af_xdp: compile error undeclared identifier 'SOL_XDP'Chen Yahui1-0/+3
Type: fix Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com> Change-Id: Ia447420f692f1487d343886845d648d766e43c27 Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
2022-09-27wireguard: fix re-handshake timer when response sentAlexander Chernavin1-1/+0
Type: fix As per the protocol: A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms, if a response has not been received... Currently, if retransmit handshake timer is started, it will trigger after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake initiation via wg_send_handshake() given that no responses have been received. wg_send_handshake() will verify that time stored in REKEY_TIMEOUT has passed since last handshake initiation sending and if has, will send a handshake initiation. Time when a handshake initiation was last sent is stored in last_sent_handshake. The problem is that last_sent_handshake is not only updated in wg_send_handshake() when sending handshake initiations but also in wg_send_handshake_response() when sending handshake responses. When retransmit handshake timer triggers and a handshake response has been sent recently, a handshake initiation will not be sent because for wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT has not passed yet. Also, the timer will not be restarted. wg_send_handshake_response() must not update last_sent_handshake, because this time is used only when sending handshake intitiations. And the protocol does not say that handshake initiation retransmission and handshake response sending (i.e. replying to authenticated handshake initiations) must coordinate. With this fix, stop updating last_sent_handshake in wg_send_handshake_response(). Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds and did not receive any handshake initiations. Then they fail. Also, long-running tests that send wrong packets and do not expect anything in reply may now receive handshake intiations, consider them as replies to the wrond packets, and fail. Those are updated to filter out handshake initiations in such verifications. Moreover, after sending wrong packets, error counters are already inspected there to confirm packet processing was unsuccessful. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
2022-09-26api: replace print functions wth formatDamjan Marion22-109/+70
Type: improvement Change-Id: I7f7050c19453a69a7fb6c5e62f8f57db847d9144 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-09-20nat: adding docs for nat44-ed sub pluginFilip Varga1-0/+729
Type: docs Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056 Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-09-19cnat: coverity fixNathan Skrzypczak1-0/+4
Type: fix Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2022-09-19abf: add API parameter n_paths range checksJon Loeliger3-43/+56
Also check for non-zero rpath length in CLI cmd. While there, no need to use "else" after a return. Also while there, notice and fix numerous input_line buffer leaks and fix them. Type: fix Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8
2022-09-19linux-cp: fix some CLI error messagesMatthew Smith1-79/+71
Type: fix If unrecognized input was provided to the commands which add or delete a pair, the error message was being created incorrectly and only displayed something like "unknown input `'". Provide the correct argument to format_unformat_error so that the actual unrecognized input is printed. There also was no error or useful information printed if only the base command were provided without any additional arguments. This should print a warning about what required data was missing. Reorganize code to handle this and to make sure that memory gets freed appropriately. Change-Id: If454714f50cf41b3b56cfadfbf017f1d160e13a4 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-09-18lisp: fix coverity 277315Andrew Yourtchenko1-0/+5
Handle the case of the mapping not being found by GID. Type: fix Change-Id: Ibce3b9e8419c0dddca97b4d0d5a71f25dfd529d8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-09-15prom: fix coverity 277312, 277317Andrew Yourtchenko1-0/+2
If one attempts to add a pattern with zero length, first time it will succeed, and the second time it will cause an invalid memcmp call. Solution: do not allow to add zero-length patterns. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ic08e021486153be605a4b12a2fe4422307bf68d2
2022-09-15nat: fix nat44-ed port range with multiple workersVladislav Grishenko4-8/+15
The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisable by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to existing worker and dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-09vlib: don't leak node frames on reforkDmitry Valter1-2/+1
Free node frames in worker mains on refork. Otherwise these frames are never returned to free pool and it causes massive memory leaks if performed under traffic load Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
2022-09-09nat: fix nat44-ed-in2out fast path next nodeJing Peng1-1/+1
When a session is found expired, the next node of in2out fast path should be in2out slow path instead of out2in slow path. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: If1dd920502089c25b33bea5434823b0496a44499
2022-09-08wireguard: eliminate some calls to main threadMatthew Smith1-4/+10
Type: improvement Roaming functionality allows the peer address to change. The main thread was being called to update a peer's address if necessary after processing a received packet. Check in the worker whether this is necessary before incurring the overhead of the RPC to the main thread. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I02184b92dc658e0f57dd39993a3b2f9944187b45