summaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2022-12-02avf: support generic flowTing Xu8-52/+638
Support generic flow in native avf. Enable necessary RSS hash function for generic flow. Extend some structures and functions from for FDIR only to for both RSS and FDIR flows. Modify virtual channel message to align with ice kernel driver. Add functions to parse generic flow patterns. The parsing results will be delivered to the kernel driver and create corresponding flow rules. Type: feature Signed-off-by: Ting Xu <ting.xu@intel.com> Change-Id: I82ce102a21993f1bae8a8bf23e491d5e1c261f61
2022-12-01wireguard: add atomic mutexGabriel Oginski3-2/+19
The initiate handshake process can be called a numbers times for each peers, then the main VPP thread called by Wireguard starting to allocate memory. This behaviour can lead to out of memory when VPP has a lot of Wireguard tunnels concurrently. This fix add mutex to send only once handshake initiate at time for each peers. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I13b4b2d47021753926d42a38ccadb36a411c5b79
2022-11-30hsa: session rpc for echo client cli notificationsFlorin Coras1-7/+12
Also, use connected udp for builtin echo apps Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie24d7e97f4f27b67df9ceff3c268954485255c2d
2022-11-29wireguard: compute checksum for outer ipv6 headerArtem Glazychev2-2/+41
Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I477e92712e441c91789afdf9be389d967acfa799
2022-11-29rdma: fix for-loop initialization in scalar pathJieqiang Wang1-20/+35
When n_rx_packets is less then 16(VEC256) or 8(VEC128), code execution will fall into scalar path of processing packets. But with a wrong initialization value for n_left set to zero, i in the for-loop will equal to n_rx_packets. This leads to the bypass of required ip4 checksum validation and byte count endianness conversion in scalar path. Besides, refactor the code using while instead of for-loop to keep consistency with VPP code style. Type: fix Fixes: bf93670c515d ("rdma: fix ipv4 checksum check in rdma-input node") Signed-off-by: Lijian Zhang <lijian.zhang@arm.com> Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: Ib4e8cb5202735f8b060c99caddf26035657551e1
2022-11-23linux-cp: fix FIB_ENTRY_FLAG_ATTACHEDAlexander Skorichenko1-0/+10
Type: fix     Fib entries for attached routes when sourced from FIB_SOURCE_API or FIB_SOURCE_CLI get the FIB_ENTRY_FLAG_ATTACHED flag raised on the source. Such a route added from linux-cp doesn't get this flag.     Fix this flag for linux-cp sources by passing it to the fib entry's update/create function in lcp_router_route_add(). Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I24278ef86886cfee8a14acb250fb6992a754cc3c
2022-11-22acl: fix set acl-plugin cli unformat free.Huawei LI1-1/+2
Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: Icb5450f4bd0eaef7684eb7e3816d1d6051e889d7
2022-11-18tls: memory leak due to missing call to vnet_crypto_key_delSteven Luong1-1/+6
We add the crypto key to the vnet crypto library via vnet_crypto_key_add. However, when the session is disconnected, we don't call vnet_crypto_key_del and the memory is leaked in vnet_crypto library as well as in pico tls key store. It seems dispose crypto is the appropriate place to add vnet_crypto_key_del. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: If6d1266baf686fefe5bb81330ce60b35c8ff574e
2022-11-18ipsec: Failure at the start of the batch should not invalidate the rest of ↵Neale Ranns1-14/+24
the batch Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icd1e43a5764496784c355c93066273435f16dd35
2022-11-14crypto-ipsecmb: fix plugin crash in VirtualBoxMaros Ondrejicka1-1/+1
Plugin checks just for AVX2 instruction set, while the v1.3 of IPsec Multi-Buffer library checks for both AVX2 and BMI2 sets during init. VirtualBox VM doesn't provide BMI2 by default to guest operating system. Result is that VPP plugin decides to use AVX2 initialization and library then doesn't do it. Since flush_job remains empty, the self-check fails and with that the whole VPP crashes on start-up. Type: fix Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: I6b661f2b9bbe6dd03b499c55c38a9b814e6d718a
2022-11-11http: use safe pool reallocFlorin Coras1-1/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I572017433a1ba0f8576522f02138928e303e10ab
2022-11-11srtp: use safe pool reallocsFlorin Coras1-2/+5
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I15fea1f90640ea54cafe3ea929e871ec6e86fc67
2022-11-10linux-cp: fix lcp_itf_pair_create()'s memory leakluoyaozu1-0/+3
need free args.error if args.rv < 0 Type: fix Signed-off-by: luoyaozu <luoyaozu@foxmail.com> Change-Id: I8ceebfc36f51798d8d1a8e4c41bec33d74344396
2022-11-10http: support client connectFilip Tehlar5-53/+979
Type: feature Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I0738c0aefb41ab6c0ff717cfccd1df75ddb481fa
2022-11-10nat: updating my maintainer email addressFilip Varga1-1/+1
Type: fix Signed-off-by: Filip Varga <filipvarga89@gmail.com> Change-Id: I1f5069df2dc743ecd1269e947dd375cb1b84970f
2022-11-09sr: fix added for configuring vlan sub interface as iif interface in ↵ChinmayaAgarwal1-8/+0
End.AD.Flow localsid Type: fix Signed-off-by: ChinmayaAgarwal <chinmaya.agarwal@hsc.com> Change-Id: Ifad23978b98c5e05d86f6254bfb65baa0b380436
2022-11-09acl: verify that src and dst have sane and same address familyAndrew Yourtchenko1-1/+5
API refactoring moved the address-family tag from rule level down to prefix level. This necessarily warrants the check that they are the same. Also, add a check that the address family is sane. Change-Id: Ia63b688cc9e7c9e9cc773e89708d9e9f99185fb7 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-11-07prom: fix stats vector leakFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I620447c9aa8606a125063cdd724bfe74f8a870f6
2022-11-07nat: fix per-vrf session bookkeepingJing Peng3-34/+26
Each NAT44 ED session has a per_vrf_sessions_index referencing an element in the thread-local vector per_vrf_sessions_vec. However this index can be possibly invalidated by vec_del1() in per_vrf_sessions_cleanup(), before a session is registered. Such a stale index can cause an assertion failure in function per_vrf_sessions_is_expired() when we use it to locate the per_vrf_sessions object. A possible sequence to reproduce is: 1. Create two NAT44 ED sessions s1, s2 so that two per_vrf_sessions are created: index 0: between VRF pair 10 and 11 (expired=0, ses_count=1) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s1->per_vrf_sessions_index == 0 s2->per_vrf_sessions_index == 1 2. Delete the first session via CLI, now the two per_vrf_sessions become: index 0: between VRF pair 10 and 11 (expired=0, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 3. Delete the VRF 11: index 0: between VRF pair 10 and 11 (expired=1, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 4. Create a new session s3 between VRF pair 20 and 21 so that the first per_vrf_sessions will be deleted: index 0: between VRF pair 20 and 21 (expired=0, ses_count=2) For the sessions we have: s2->per_vrf_sessions_index == 1 s3->per_vrf_sessions_index == 0 Here, note that the actual index of per_vrf_session is changed due to vec_del1(). The new session is added after the cleanup so it gets the correct index. But the index held by the existing session is not updated. 5. Trigger the fast path of the session s2. To achieve this, session s2 could be created in step 1 by ping -i20 -Iiface_in_vrf_10 1.1.1.1 and steps 2-4 should then be performed within the 20-second interval. This patch fixes this by changing per_vrf_sessions_vec to a pool so that indicies are kept intact. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: I4c08f9bfd50134bcb5f08e50ad61af2bddbcb645
2022-11-07nat: fix byte order error.Huawei LI1-6/+4
fix byte order error about the struct snat_address_t's member net. for example configurations: set interface ip table loop1 1 set interface ip addr loop1 10.10.10.2/24 nat44 add address 10.10.10.2 tenant-vrf 1 the snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}", but now it's "as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing transition of byte order about the member net of snat_address_t. (gdb) p/x *snat_main->addresses $3 = {addr = {data = {0xa, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a0a, as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a, 0x20a}, as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2}, as_u16 = {0xa00, 0x20a}, as_u32 = 0x20a0a00}, sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18} (gdb) Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: I4f25f0639ae90a7f2e8715b44f825571283d994d
2022-11-05hsa: echo client crash when it fails to connect to remoteSteven Luong1-1/+1
When echo client fails to connect to remote, it should quit. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I787423bdc61a58eea48bab7bd8b73137626c02b4
2022-11-04nat: cleanup of deprecated featuresFilip Varga3-296/+0
Type: refactor 1) Removed deprecated API. - These specific APIs do not have repleacement because features that they controled aren't part of current NAT44-ED implementation anymore. 2) Removed unused typedef of port allocation funciton. - Missed left over removed. Change-Id: Ib3f763449065eda7cdcb2c6565a9cae51baf23d6 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2022-11-03tls: crash in mbedtls due to ctx is already freeSteven Luong1-1/+0
_clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fffb3a7e1b5 "%s:%d (%s) assertion `%s' fails") at src/vppinfra/error.c:143 mbedtls_ctx_get (ctx_index=0) at src/plugins/tlsmbedtls/tls_mbedtls.c:114 tls_ctx_get (ctx_handle=536870912) at src/vnet/tls/tls.c:310 tls_app_session_cleanup (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/tls/tls.c:624 app_worker_cleanup_notify (app_wrk=0x7fffbef95f80, s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/application_worker.c:445 session_cleanup_notify (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/session.c:262 session_free_w_fifos (s=0x7fffbf102040) at src/vnet/session/session.c:268 session_delete (s=0x7fffbf102040) at src/vnet/session/session.c:287 session_transport_delete_notify (tc=0x7fffbdf63c40) at src/vnet/session/session.c:1159 tcp_handle_cleanups (wrk=0x7fffbef46d40, now=133.30033046694487) at src/vnet/tcp/tcp.c:1298 tcp_update_time (now=133.30033046694487, thread_index=2 '\002') at src/vnet/tcp/tcp.c:1309 session_update_time_subscribers (smm=0x7ffff7f75ce0 <session_main>, now=133.30033046694487, thread_index=2) at src/vnet/session/session_node.c:1817 session_queue_node_fn (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1934 dispatch_node (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4722227957546624) at src/vlib/main.c:960 Putting a breakpoint in gdb, I found out ctx was free in mbedtls_app_close. Looking at app_close function in picotls and openssl, I don't see they free ctx and they don't crash when processing cleanup. I am inclined to think that mbedtls_ctx_free should not be called in mbedtls_app_close at src/plugins/tlsmbedtls/tls_mbedtls.c:92 at src/plugins/tlsmbedtls/tls_mbedtls.c:559 at src/vnet/tls/tls.c:360 thread_index=2) at src/vnet/tls/tls.c:762 conn_index=536870912, thread_index=2 '\002') at src/vnet/session/transport.c:332 at src/vnet/session/session.c:1608 elt=0x7fffbdfef3dc) at src/vnet/session/session_node.c:1672 node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1966 node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4721919444027682) at src/vlib/main.c:960 Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ic5c13e659aee618c8accee42af9f40931b62f467
2022-11-03misc: fix failing TestNs/TestHttpTps test in hstfMaros Ondrejicka1-1/+6
Type: fix Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: I03cbd05d6d887d2ce8e7b7d20522e04012c5fe7a
2022-10-31quic: use safe pool reallocFlorin Coras1-1/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia03c3fe0ca669b319dec8decd503254d0a95e58b
2022-10-31tls: use safe pool reallocsFlorin Coras3-5/+7
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
2022-10-28cnat: Fix unformat_cnat_snat_interface_map_typeMiguel Borges de Freitas1-1/+1
Fix initialization of the table u32 var which is leading to the incorrect unformat of interface map type Type: fix Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com> Change-Id: I1e56acd0e4c735df755e85b172bb6623bf47a57b
2022-10-25rdma: set correct CQE flagsJieqiang Wang1-6/+6
CQE flags located in bits 16-31 at offset 0x1c should be defined as actual numbers instead of indexes. Besides, L3 header type for IPv4 is 10(2 in decimal) and for IPv6 is 01(1 in decimal) according to CQE entry fields description of page 120 in Mellanox Programmer Reference Manual. (https://network.nvidia.com/files/doc-2020/ethernet-adapters-programming-manual.pdf) Fixing this issue will lead to correct CQE flags printing for rdma-input node when buffer trace is enabled. Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I9b578ca5cbd8cd93a577aa83131e31c79f60430e
2022-10-25rdma: fix ipv4 checksum check in rdma-input nodeJieqiang Wang1-23/+40
- cqe_flags pointer should be incremented accordingly otherwise only the first element in cqe_flags will be updated - flag l3_ok should be set for match variable when verifying if packets are IPv4 packets with flag l3_ok set - mask/match variables should be converted to network byte order to match the endianness of cqe_flags - vector processing of checking cqe flags will set return value to 0xFFFF by mistake if packet numbers are not multiple of 16(VEC256) or 8(VEC128) Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I9fec09e449fdffbb0ace8e5a6ccfeb6869b5cac1
2022-10-24docs: update cnat docs to current vpp versionMiguel Borges de Freitas1-5/+13
The documentation for the cnat plugin is highly outdated specially on the snat section. Type: docs Signed-off-by: Miguel Borges de Freitas <miguel-r-freitas@alticelabs.com> Change-Id: I30b0c6295d3c812b636374753af3c37f29b0cc53
2022-10-24dpdk: add Intel QAT 200xx series supportVladimir Ratnikov1-1/+2
Type: feature Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I2fd1e321983ac5caa03aac8705dfc596985c35f7
2022-10-20crypto-sw-scheduler: fix queue iteratorVladimir Ratnikov1-0/+10
When there are several workers, iterator can and will skip head iterator and it will last until BARRIER_SYNC_TIMEOUT won't expire and will cause SIGABRT with `worker thread deadlock` Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Id4def4d5894e077ae27592367b141ecd822e86af Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-10-19crypto-ipsecmb: support previous ipsecmb versionsMarcel Cornu1-11/+125
Backward compatibility was broken when updating ipsecmb version to 1.3. Type: improvement Signed-off-by: marcel.d.cornu@intel.com Change-Id: I87a76859ec5e2ef6be0bc2af0960fa2494ce4297
2022-10-17cnat: Add sctp supportNathan Skrzypczak2-0/+52
This patch adds SCTP support in the CNat translation primitives. It also exposes a clib_crc32c_with_init function allowing to set the init value to start the crc32 with instead of 0. Type: feature Change-Id: I86add4cfcac08f2a5a34d1e1841122fafd349fe7 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2022-10-17crypto-ipsecmb: bump ipsecmb library to v1.3Marcel Cornu1-64/+79
- Use the latest IPsec Multi-Buffer library release v1.3 - Use ipsec-mb burst API for HMAC-SHAx algorithms - Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms The new burst API available in ipsecmb v1.3 brings significant performance improvements for certain algorithms compared to the job API. Type: feature Signed-off-by: marcel.d.cornu@intel.com Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
2022-10-17vlib: Counter free needs to NULL the allocated counter vectorNeale Ranns1-0/+6
otherwise the next time the counter is validated this is dangling. Type: fix Fixes: 58fd481d73 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifa8d5ff27175cf6dfb30cbf023fa3251fe5c780e
2022-10-15linux-cp: fix infinite loop in CLI lcp defaultluoyaozu1-3/+12
CLI lcp default clear or lcp default netns hangs in an infinite while loop. Type: fix Signed-off-by: luoyaozu <luoyaozu@foxmail.com> Change-Id: I699338abc045c84361707260adbb5b574a383170
2022-10-12misc: fix issues reported by clang-15Damjan Marion13-48/+23
Type: improvement Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a Signed-off-by: Damjan Marion <dmarion@me.com>
2022-10-11nat: report time between current vpp time and last_heardDave Cornejo4-0/+274
existing details report the last_heard as the seconds since VPP started, this is not very useful, so report additionaly time_since_last_heard in seconds between VPP time and last_heard. Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738 Type: improvement Signed-off-by: Dave Cornejo <dcornejo@netgate.com> Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
2022-10-11fib: fix crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel.Huawei LI2-6/+4
Fix vpp crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip in debug build. The ASSERT should be move out of fib_prefix_from_ip46_addr, which may be called when create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip. How to reproduce: 1. build debug vpp and run vpp 2. create vxlan t src 192.168.0.2 dst 0.0.0.0 vni 1 instance 1 create vxlan-gpe tunnel local 192.168.0.2 remote 0.0.0.0 vni 1 create geneve tunnel local 192.168.0.2 remote 0.0.0.0 vni 1 create gtpu tunnel src 192.168.0.2 dst 0.0.0.0 teid 1 Type: fix Change-Id: I19972f6af588f4ff7fd17de1b16b9301e43d596f Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
2022-10-07urpf: add mode for specific fib index lookuphedi bouattour5-38/+175
this patch adds a mode to urpf in order to perform the lookup in a specified vrf instead of the interface vrf Type: feature Change-Id: Ieb91de6ccdfbf32b6939364f3bebeecd2d57af19 Signed-off-by: hedi bouattour <hedibouattour2010@gmail.com>
2022-10-07abf: return status of attachment add/delMatthew Smith1-7/+5
Type: fix The handler for abf_itf_attach_add_del was always returning 0. Set rv to the return value of call to abf_itf_attach() or abf_itf_detach(). Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb888bb148e6e03fc2776e2384b3a6e26148a429
2022-10-04rdma: unhackish build of rdma-coreMohammed Hawari2-11/+5
Change-Id: I2040b560b2a00f8bd176ae6ad46035678a2b249e Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2022-09-30udp: add udp encap source port entropy supportVladislav Grishenko1-1/+2
Encode entropy value in UDP source port when requested per RFC 7510. CLI already has "src-port-is-entropy", use zero UDP source port in API to avoid breaking changes, since zero port is not something to be used in wild. Also, mark UDP encapsualtion API as mp-safe as already done for CLI. Type: feature Change-Id: Ieb61ee11e058179ed566ff1f251a3391eb169d52 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-29api: deprecate vl_msg_api_set_handlersDamjan Marion2-11/+24
Type: refactor Change-Id: I7b7ca9ec62cb70243c5b7e87968eab1338d67ec8 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-09-28af_xdp: change RLIMIT_MEMLOCK before load bpf programChen Yahui1-0/+7
default RLIMIT_MEMLOCK is 64. if we use multi af_xdp interfaces or load complex bpf program, libbpf will return permission error. root cause is default 64 is not large enough. So we change it before load bpf program. Type: fix Change-Id: Ia6aed19c9256c498cf1155586a54a32b3f444105 Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
2022-09-27wireguard: stop sending handshakes when wg intf is downAlexander Chernavin1-3/+66
Type: fix Currently, when a wg interface is administratively disabled initially or during operation, handshake packets continue to be sent. Data packets stop being sent because routes pointing to the wg interface will not be used. But data keys remain. With this fix, when a wg interface is administratively disabled during peer creation, avoid connection initialization to the peer. Data keys and timers should be empty at this point. When a wg interface is disabled during operation, disable all peers (i.e. stop all timers, clear data keys, etc.). Thus, state should be identical in both cases. When a wg interface is administratively enabled, enable all peers (i.e. get ready to exchange data packets and initiate a connection). Also, cover these scenarios with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
2022-09-27crypto-openssl: use no padding for encrypt/decryptVladimir Ratnikov1-6/+1
Internaly, vpp uses it's own padding, so all the data is padded using blocksize in /src/vnet/ipsec/ipsec.c Openssl should add it's own padding, but the data is already padded. So on decrypt stage when padding should be removed, it can't be done. And it produces error `bad decrypt` Previous versions of openSSL decrypted data almost at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex and produced the same error, but data was already decrypted. Now it's not, so some algorithms could have some problems with it PS. openSSL 3.x.x Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If715a80228548b4e588cee222968d9da9024c438
2022-09-27af_xdp: compile error undeclared identifier 'SOL_XDP'Chen Yahui1-0/+3
Type: fix Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com> Change-Id: Ia447420f692f1487d343886845d648d766e43c27 Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
2022-09-27wireguard: fix re-handshake timer when response sentAlexander Chernavin1-1/+0
Type: fix As per the protocol: A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms, if a response has not been received... Currently, if retransmit handshake timer is started, it will trigger after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake initiation via wg_send_handshake() given that no responses have been received. wg_send_handshake() will verify that time stored in REKEY_TIMEOUT has passed since last handshake initiation sending and if has, will send a handshake initiation. Time when a handshake initiation was last sent is stored in last_sent_handshake. The problem is that last_sent_handshake is not only updated in wg_send_handshake() when sending handshake initiations but also in wg_send_handshake_response() when sending handshake responses. When retransmit handshake timer triggers and a handshake response has been sent recently, a handshake initiation will not be sent because for wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT has not passed yet. Also, the timer will not be restarted. wg_send_handshake_response() must not update last_sent_handshake, because this time is used only when sending handshake intitiations. And the protocol does not say that handshake initiation retransmission and handshake response sending (i.e. replying to authenticated handshake initiations) must coordinate. With this fix, stop updating last_sent_handshake in wg_send_handshake_response(). Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds and did not receive any handshake initiations. Then they fail. Also, long-running tests that send wrong packets and do not expect anything in reply may now receive handshake intiations, consider them as replies to the wrond packets, and fail. Those are updated to filter out handshake initiations in such verifications. Moreover, after sending wrong packets, error counters are already inspected there to confirm packet processing was unsuccessful. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6