Age | Commit message (Collapse) | Author | Files | Lines |
|
Use outside addresses more evenly by using local address to pick from
pool of addresses. This ensures stability from POV of remote host -
an internal host always gets translated using the same outside address,
so it doesn't appear to be "hopping". Also, this avoids all hosts
being translated using the first address, which helps avoid needless
recaptchas and the like.
Exact assignment depends on internal ordering of addresses - local address
is used to pick an offset into internal vector. If that address cannot be
used, a linear search is performed as a fallback mechanism to find a possible
translation.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I7ccb1da1dda5537f5d30d2f4cb48024f4b51c1a4
|
|
Type: fix
Change-Id: I9d562abc8d8f59cfe73ddd4c03a25085f6ad1f84
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
This saves 6 clocks in nat44-ed-in2out node. (112->106 per packet)
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I48e757e7f4b6b0d250a432a4659fe6955fc52a07
|
|
Fail if obsolete flag is used.
Type: fix
Change-Id: Id7000de9c82fa2c22692104b2fc1d463e5961f39
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: refactor
this allows the ipsec_sa_get funtion to be moved from ipsec.h to
ipsec_sa.h where it belongs.
Also use ipsec_sa_get throughout the code base.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
|
|
This allows to configure nat on a per-interface basis. Special care must
be taken to ensure the configuration remains consistent.
Type: feature
Change-Id: I352b2dce182e09d30813ce958333bb1ff37d9b4e
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
* Backend choice in translations is controlled
by lb_type switch allowing to enable Maglev.
* Size of pool is set with cnat { maglev-len 1009 }
Type: feature
Change-Id: I956e19d70bc9f3b997b4f8042831164e4b559d17
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Notable changes:
- ip[46]-cnat-snat is renamed to cnat-snat-ip[46]
- indent fixes
- common trace primitives
- bihash is now 40_56 with alias
Type: refactor
Change-Id: I0a82cfe3b40efd96473e51061d7135ffe412ddfc
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
Change-Id: I55e6d7dd193f83f70d27e27fe2e383939d677ef1
|
|
Type: refactor
IKEv2 registers the IPSec node as the port handler, so it can use the
IPSec functions to do that.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
|
|
lip_host_name is a non-NULL terminated vector, not a NULL-terminated
C-string.
Type: fix
Change-Id: Ie5da59bc5680be72251904467d77b18263c882f8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
This patch achieves complete separation of
endpoint-dependent and endpoint-independent IPv4 NAT
features. Some common stuff is also moved to NAT
library.
Type: refactor
Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
explicit null dereferenced
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Id1e4b0e048dbd0a68063c63374172ab6d3653aff
|
|
- "PNAT: 1:1 match and rewrite programmable NAT" link
was hanging out on the top level of the doc tree.
Move it to VPP->Developer Documentation.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Iadb7d3463567a2414eece68db0a3743237ab26f9
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I907b2e560d6ecd748aa7c6d775c4f7122a39b4cb
|
|
Type: fix
This patch fixes the missed crypto and integ offset update for
every packet. Previously the offset is updated only when the
key is changed. This is ok for encryption but not always true
for decryption.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: Iccd0011f4ae488746ce487a14b94ddd24fb0c07c
|
|
This fixes an issue when initiator is expecting request with intitial
msgid being 0 but 1 is received instead which results in retransmission
(instead of normally processing the new request).
Type: fix
Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Re-enable the test for 2-worker config test
Change-Id: Ie108c5d244c6704ffa152177ca77f6b6055fe38e
Type: test
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Keep coverity happy by checking the return value of unformat calls.
Type: test
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: Iccd0296da527d079f79cc7bd8b57af1b524299bd
|
|
Type: fix
If no host interface name is passed to the CLI command which creates
an interface pair, NULL gets passed to lcp_itf_pair_create() and a
seg fault occurs. Check whether a host interface name was provided
and fail gracefully if none was given.
Change-Id: I82886f4c2ee710e206c751c34a74399112e9062c
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I30fde452fdeeb9877f3e3fecb0dd723f10f61019
|
|
Type: fix
Change-Id: Ia22b1189b82e885eb380f638ea6d05923a858f01
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2a55a2fe0c483359c3b42ebe93cd0e8e279131d1
|
|
Type: refactor
This patch refactors the offload flags in vlib_buffer_t.
There are two main reasons behind this refactoring.
First, offload flags are insufficient to represent outer
and inner headers offloads. Second, room for these flags
in first cacheline of vlib_buffer_t is also limited.
This patch introduces a generic offload flag in first
cacheline. And detailed offload flags in 2nd cacheline
of the structure for performance optimization.
Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: feature
Support setting the MTU for a peer on an interface. The minimum value of
the path and interface MTU is used at forwarding time.
the path MTU is specified for a given peer, by address and table-ID.
In the forwarding plane the MTU is enfored either:
1 - if the peer is attached, then the MTU is set on the peer's
adjacency
2 - if the peer is not attached, it is remote, then a DPO is added to
the peer's FIB entry to perform the necessary fragmentation.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8b9ea6a07868b50e97e2561f18d9335407dea7ae
|
|
Ensure policer struct is cache aligned and fits in one cache line.
Give it a simpler name to reflect its job as the representation of
a policer.
Type: improvement
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: If1ae4931c818b86eee20306e503f4e5d6b84bd0d
|
|
Type: fix
Change-Id: I744cedb9c1b57945af5e83057e4759964fd2e104
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
When strongSwan rekeys it sends create child sa request first and then
delete request for the old child sa (or vice versa depending on
configuration) as opposed to sending just a single create child sa with
rekey notify message.
Type: fix
Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Also apply style edits as proprosed by checkstyle.
Ticket: VPP-1971
Type: fix
Change-Id: I4332a4e32220f3076b4a373da01cc0022cde32f5
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Don't expect save_rewrite_length to be set correctly on RX path.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ieee40d119213f617c3d836181e5879f084b74548
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
u32[0] is not enough unique for some platforms like azure
where several devices(not only network) can have almost
the same addresses and this can cause collisions.
Change hash to mhash type for vmbus devices with key
of whole 16 bytes of vmbus address.
Type: improvement
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: Ic6c6a657ae29f45beddd0c69d8e785e702349460
|
|
If the multi-worker default VPP configuration is triggered by
setting VPP_WORKER_CONFIG="workers 2", some of the tests fail
for various reasons.
It's a substantial number, so this change marks all of the
testsets that have this issue, such that they can be addressed
later independently.
Type: test
Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I645bb0a31b333a6160c74987dddb3fb50ff154d8
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Add a helper CLI to exercise a policer pre-configured by the test
harness. The test harness will check the stats afterwards.
Type: test
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: I913dda4a9f8179c1c6b3061a68164bf1e698a392
|
|
support
Type: feature
attmpet 2. this includes changes in ah_encrypt that don't use
uninitialised memory when doing tunnel mode fixups.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
|
|
Avoid doing inter-thread reads without locks by doing a handoff before
destination address rewrite. Destination address is read from a session
which is possibly owned by a different thread. By splitting the work in
two parts with a handoff in the middle, we can do both in a thread safe
way.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I1c50d188393a610f5564fa230c75771a8065f273
|
|
Type: feature
Basic dtls transport protocol implementation that relies on openssl
wire protocol implementation. Retries/timeouts not yet supported.
To test using vcl test apps, first ensure all arp entries are properly
resolved and subsequently:
server: vcl_server -p dtls 1234
client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
|
|
When IPsec async mode is enabled, packets don't pass through the tunnel
if ciphers other than AES GCM are used for child SAs. An error that
arises is "bad-hmac" in the "crypto-dispatch" node.
On the encryption stage, the VNET_CRYPTO_OP_FLAG_HMAC_CHECK flag is set
for the integrity crypto operation when it's not supposed to. It seems
that the flag remains from the previous operation.
With this change, zero flags of crypto operations in the SW scheduler
during operation filling.
Type: fix
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iabac253474e95cb01f9ec0933f3c4860f8a5289c
|
|
Type: fix
Change-Id: I1f8245e8cccacb5bbb511aef39e31d0a76bba95f
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ibea7ec844d1d910e8a3235e11154b1ecea8302ac
|
|
If static-mapping-only is enabled, NAT pool cannot be configured, only
static mappings. There're two ways to add addresses to the NAT pool:
by address range, or by first found address from an interface.
NAT44_ADD_DEL_ADDRESS_RANGE already tests if dynamic mappings are
available but NAT44_ADD_DEL_INTERFACE_ADDR doesn't. If
static-mapping-only is enabled, adding addresses by range is rejected
but by interface not.
With this change, if static-mapping-only is enabled, do not allow to
add addresses to the NAT pool both ways.
Type: fix
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ifc055ea9a71a5e579388833a2990aef21bf7ed29
|
|
Including a general missing free in fromjson autogenerated code.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I9ab2b0193135e2fb3d62d51b3c114df56969e341
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: improvement
Change-Id: I456f9b14e6a4eb46c9c49f6e09acccae530e4ebc
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
support
Type: feature
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
|
|
Allow to supply the external VPP worker config for tests which
do not specify the workers config explicitly, and use
the tags infra to flag those that need attention in this configuration.
This commit shows one example use of such a tag, there will be
a separate commit with the rest of the places needing it,
since that change is rather mechanical.
Thus, the assumption is that the test should by default be agnostic
of the VPP configuration, unless it explicitly specifies so.
Type: test
Change-Id: I3c0077e4e22a75cb9561fb98d3b783b93486b2be
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: fix
Currently ping stops on events like SOCKET_READ_EVENT,
which makes it hard to use over e.g. govpp as it aborts
immediately most of the time. With this patch, ping only
stops upon real CLI read / quit events.
Signed-off-by: Ivan Shvedunov <ivan4th@gmail.com>
Change-Id: Id7a8d0b0fdeb7bbc7b85240e398d27bd5199345b
|
|
Fix dependency issues where multi-arch file is using API generated file.
Type: improvement
Change-Id: I5d4af7a630529bc138c35841723e38938f36d963
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Ticket: VPP-1859
Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech>
Change-Id: Iaa5045001621ec99dc8579e8e989adf81dc60525
|
|
Avoid synchronizing producers and the consumer. Instead, only use mutex
or spinlock (if eventfds are configured) to synchronize producers.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie2aafbdc2e07fced5d5e46ee2df6b30a186faa2f
|