summaryrefslogtreecommitdiffstats
path: root/src/plugins
AgeCommit message (Collapse)AuthorFilesLines
2021-03-01nat: pick outside addr based on local addrKlement Sekera6-107/+215
Use outside addresses more evenly by using local address to pick from pool of addresses. This ensures stability from POV of remote host - an internal host always gets translated using the same outside address, so it doesn't appear to be "hopping". Also, this avoids all hosts being translated using the first address, which helps avoid needless recaptchas and the like. Exact assignment depends on internal ordering of addresses - local address is used to pick an offset into internal vector. If that address cannot be used, a linear search is performed as a fallback mechanism to find a possible translation. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I7ccb1da1dda5537f5d30d2f4cb48024f4b51c1a4
2021-02-26cnat: coverity fixNathan Skrzypczak1-2/+4
Type: fix Change-Id: I9d562abc8d8f59cfe73ddd4c03a25085f6ad1f84 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-02-26nat: optimize flow matching in ED NATKlement Sekera5-81/+87
This saves 6 clocks in nat44-ed-in2out node. (112->106 per packet) Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I48e757e7f4b6b0d250a432a4659fe6955fc52a07
2021-02-26nat: NAT44ED fail if using old plugin optionFilip Varga4-450/+498
Fail if obsolete flag is used. Type: fix Change-Id: Id7000de9c82fa2c22692104b2fc1d463e5961f39 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns5-14/+9
Type: refactor this allows the ipsec_sa_get funtion to be moved from ipsec.h to ipsec_sa.h where it belongs. Also use ipsec_sa_get throughout the code base. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
2021-02-26cnat: add input feature nodeNathan Skrzypczak6-0/+507
This allows to configure nat on a per-interface basis. Special care must be taken to ensure the configuration remains consistent. Type: feature Change-Id: I352b2dce182e09d30813ce958333bb1ff37d9b4e Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-02-26cnat: Add maglev supportNathan Skrzypczak9-25/+253
* Backend choice in translations is controlled by lb_type switch allowing to enable Maglev. * Size of pool is set with cnat { maglev-len 1009 } Type: feature Change-Id: I956e19d70bc9f3b997b4f8042831164e4b559d17 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-02-26cnat: fixes & prepare maglevNathan Skrzypczak16-366/+390
Notable changes: - ip[46]-cnat-snat is renamed to cnat-snat-ip[46] - indent fixes - common trace primitives - bihash is now 40_56 with alias Type: refactor Change-Id: I0a82cfe3b40efd96473e51061d7135ffe412ddfc Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-02-25sr: Fix the coverity issue on srv6-mobile pluginTetsuya Murakami1-2/+2
Type: fix Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com> Change-Id: I55e6d7dd193f83f70d27e27fe2e383939d677ef1
2021-02-25ikev2: Use the IPSec functions for UDP port managementNeale Ranns2-46/+2
Type: refactor IKEv2 registers the IPSec node as the port handler, so it can use the IPSec functions to do that. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
2021-02-25linux-cp: fix vector-used-a-C-string overflowBenoît Ganne2-4/+3
lip_host_name is a non-NULL terminated vector, not a NULL-terminated C-string. Type: fix Change-Id: Ie5da59bc5680be72251904467d77b18263c882f8 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga44-5781/+10760
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-24wireguard: coverity fixArtem Glazychev1-11/+12
explicit null dereferenced Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: Id1e4b0e048dbd0a68063c63374172ab6d3653aff
2021-02-24docs: move pnat doc link into dev doc sectionDave Wallace1-1/+1
- "PNAT: 1:1 match and rewrite programmable NAT" link was hanging out on the top level of the doc tree. Move it to VPP->Developer Documentation. Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iadb7d3463567a2414eece68db0a3743237ab26f9
2021-02-23hsa: fifo detach cleanupFlorin Coras2-0/+27
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I907b2e560d6ecd748aa7c6d775c4f7122a39b4cb
2021-02-19dpdk: fix cryptodev offset updateFan Zhang1-11/+8
Type: fix This patch fixes the missed crypto and integ offset update for every packet. Previously the offset is updated only when the key is changed. This is ok for encryption but not always true for decryption. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: Iccd0011f4ae488746ce487a14b94ddd24fb0c07c
2021-02-19ikev2: start counting msgid from 0Filip Tehlar1-2/+2
This fixes an issue when initiator is expecting request with intitial msgid being 0 but 1 is received instead which results in retransmission (instead of normally processing the new request). Type: fix Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-18tests: re-enable NAT44ED tests for multiworkerAndrew Yourtchenko1-1/+0
Re-enable the test for 2-worker config test Change-Id: Ie108c5d244c6704ffa152177ca77f6b6055fe38e Type: test Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-18tests: policer test check unformat return valuesBrian Russell1-4/+6
Keep coverity happy by checking the return value of unformat calls. Type: test Signed-off-by: Brian Russell <brian@graphiant.com> Change-Id: Iccd0296da527d079f79cc7bd8b57af1b524299bd
2021-02-17linux-cp: fix coverity defectMatthew Smith1-0/+6
Type: fix If no host interface name is passed to the CLI command which creates an interface pair, NULL gets passed to lcp_itf_pair_create() and a seg fault occurs. Check whether a host interface name was provided and fail gracefully if none was given. Change-Id: I82886f4c2ee710e206c751c34a74399112e9062c Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-16hsa: coverity fixFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I30fde452fdeeb9877f3e3fecb0dd723f10f61019
2021-02-16ikev2: fix coverity warningsFilip Tehlar2-100/+117
Type: fix Change-Id: Ia22b1189b82e885eb380f638ea6d05923a858f01 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-15lisp: coverity fixesFlorin Coras1-6/+0
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2a55a2fe0c483359c3b42ebe93cd0e8e279131d1
2021-02-15vlib: refactor checksum offload supportMohsin Kazmi6-38/+39
Type: refactor This patch refactors the offload flags in vlib_buffer_t. There are two main reasons behind this refactoring. First, offload flags are insufficient to represent outer and inner headers offloads. Second, room for these flags in first cacheline of vlib_buffer_t is also limited. This patch introduces a generic offload flag in first cacheline. And detailed offload flags in 2nd cacheline of the structure for performance optimization. Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-02-15ip: Path MTUNeale Ranns1-4/+26
Type: feature Support setting the MTU for a peer on an interface. The minimum value of the path and interface MTU is used at forwarding time. the path MTU is specified for a given peer, by address and table-ID. In the forwarding plane the MTU is enfored either: 1 - if the peer is attached, then the MTU is set on the peer's adjacency 2 - if the peer is not attached, it is remote, then a DPO is added to the peer's FIB entry to perform the necessary fragmentation. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8b9ea6a07868b50e97e2561f18d9335407dea7ae
2021-02-15policer: improve policer structBrian Russell1-1/+1
Ensure policer struct is cache aligned and fits in one cache line. Give it a simpler name to reflect its job as the representation of a policer. Type: improvement Signed-off-by: Brian Russell <brian@graphiant.com> Change-Id: If1ae4931c818b86eee20306e503f4e5d6b84bd0d
2021-02-15quic: Coverity fixNathan Skrzypczak1-1/+1
Type: fix Change-Id: I744cedb9c1b57945af5e83057e4759964fd2e104 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-02-15ikev2: fix rekey against strongSwanFilip Tehlar2-52/+94
When strongSwan rekeys it sends create child sa request first and then delete request for the old child sa (or vice versa depending on configuration) as opposed to sending just a single create child sa with rekey notify message. Type: fix Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-15rdma: rdma_log__ argument dev is a pointerVratko Polak1-5/+8
Also apply style edits as proprosed by checkstyle. Ticket: VPP-1971 Type: fix Change-Id: I4332a4e32220f3076b4a373da01cc0022cde32f5 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2021-02-13nat: pnat only use save_rewrite_length on output pathOle Troan1-3/+2
Don't expect save_rewrite_length to be set correctly on RX path. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ieee40d119213f617c3d836181e5879f084b74548 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-12dpdk: use whole vmbus address as hash key for devconfVladimir Ratnikov2-21/+22
u32[0] is not enough unique for some platforms like azure where several devices(not only network) can have almost the same addresses and this can cause collisions. Change hash to mhash type for vmbus devices with key of whole 16 bytes of vmbus address. Type: improvement Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Ic6c6a657ae29f45beddd0c69d8e785e702349460
2021-02-11tests: tag the tests that do not work with multi-worker configurationAndrew Yourtchenko12-0/+42
If the multi-worker default VPP configuration is triggered by setting VPP_WORKER_CONFIG="workers 2", some of the tests fail for various reasons. It's a substantial number, so this change marks all of the testsets that have this issue, such that they can be addressed later independently. Type: test Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-11wireguard: testing alternative timer dispatchMohammed Hawari3-3/+10
Change-Id: I645bb0a31b333a6160c74987dddb3fb50ff154d8 Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2021-02-10tests: add policer test helperBrian Russell2-0/+72
Add a helper CLI to exercise a policer pre-configured by the test harness. The test harness will check the stats afterwards. Type: test Signed-off-by: Brian Russell <brian@graphiant.com> Change-Id: I913dda4a9f8179c1c6b3061a68164bf1e698a392
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns2-29/+43
support Type: feature attmpet 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-10nat: fix EI hairpinning thread safetyKlement Sekera6-64/+810
Avoid doing inter-thread reads without locks by doing a handoff before destination address rewrite. Destination address is read from a session which is possibly owned by a different thread. By splitting the work in two parts with a handoff in the middle, we can do both in a thread safe way. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1c50d188393a610f5564fa230c75771a8065f273
2021-02-09tls: dtls initial implementationFlorin Coras8-22/+470
Type: feature Basic dtls transport protocol implementation that relies on openssl wire protocol implementation. Retries/timeouts not yet supported. To test using vcl test apps, first ensure all arp entries are properly resolved and subsequently: server: vcl_server -p dtls 1234 client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
2021-02-09crypto: fix bad-hmac in sw scheduler if async modeAlexander Chernavin1-0/+1
When IPsec async mode is enabled, packets don't pass through the tunnel if ciphers other than AES GCM are used for child SAs. An error that arises is "bad-hmac" in the "crypto-dispatch" node. On the encryption stage, the VNET_CRYPTO_OP_FLAG_HMAC_CHECK flag is set for the integrity crypto operation when it's not supposed to. It seems that the flag remains from the previous operation. With this change, zero flags of crypto operations in the SW scheduler during operation filling. Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iabac253474e95cb01f9ec0933f3c4860f8a5289c
2021-02-09gbp: fix typo in macroPaul Vinciguerra2-7/+7
Type: fix Change-Id: I1f8245e8cccacb5bbb511aef39e31d0a76bba95f Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2021-02-09nat: bump default max translations to 63KKlement Sekera1-1/+1
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibea7ec844d1d910e8a3235e11154b1ecea8302ac
2021-02-09nat: deny adding intf addr if static-mapping-onlyAlexander Chernavin1-0/+8
If static-mapping-only is enabled, NAT pool cannot be configured, only static mappings. There're two ways to add addresses to the NAT pool: by address range, or by first found address from an interface. NAT44_ADD_DEL_ADDRESS_RANGE already tests if dynamic mappings are available but NAT44_ADD_DEL_INTERFACE_ADDR doesn't. If static-mapping-only is enabled, adding addresses by range is rejected but by interface not. With this change, if static-mapping-only is enabled, do not allow to add addresses to the NAT pool both ways. Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ifc055ea9a71a5e579388833a2990aef21bf7ed29
2021-02-09nat: fix coverity errorsOle Troan3-7/+6
Including a general missing free in fromjson autogenerated code. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9ab2b0193135e2fb3d62d51b3c114df56969e341 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-09nat: improve type safety and remove unused paramKlement Sekera3-96/+76
Type: improvement Change-Id: I456f9b14e6a4eb46c9c49f6e09acccae530e4ebc Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith2-43/+29
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns2-29/+43
support Type: feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-02-08tests: allow for externally supplied VPP workers config for testsAndrew Yourtchenko1-0/+2
Allow to supply the external VPP worker config for tests which do not specify the workers config explicitly, and use the tags infra to flag those that need attention in this configuration. This commit shows one example use of such a tag, there will be a separate commit with the rest of the places needing it, since that change is rather mechanical. Thus, the assumption is that the test should by default be agnostic of the VPP configuration, unless it explicitly specifies so. Type: test Change-Id: I3c0077e4e22a75cb9561fb98d3b783b93486b2be Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-08ping: fix aborting on keypressIvan Shvedunov1-2/+3
Type: fix Currently ping stops on events like SOCKET_READ_EVENT, which makes it hard to use over e.g. govpp as it aborts immediately most of the time. With this patch, ping only stops upon real CLI read / quit events. Signed-off-by: Ivan Shvedunov <ivan4th@gmail.com> Change-Id: Id7a8d0b0fdeb7bbc7b85240e398d27bd5199345b
2021-02-08misc: support api generated dependency for multiarch sourceOle Troan2-0/+5
Fix dependency issues where multi-arch file is using API generated file. Type: improvement Change-Id: I5d4af7a630529bc138c35841723e38938f36d963 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-07flowprobe: set collector port for data from settingjan_cavojsky1-2/+2
Type: fix Ticket: VPP-1859 Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Change-Id: Iaa5045001621ec99dc8579e8e989adf81dc60525
2021-02-05session svm: non blocking mqFlorin Coras2-16/+5
Avoid synchronizing producers and the consumer. Instead, only use mutex or spinlock (if eventfds are configured) to synchronize producers. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie2aafbdc2e07fced5d5e46ee2df6b30a186faa2f