path: root/src/plugins
Age | Commit message | Author | Files | Lines
2021-08-19 | nat: handle ED in2out ICMP errors with workers | Matthew Smith | 1 | -0/+22
Type: fix With endpoint dependent NAT44, when there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. This is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-19 | acl: add API call for setting the toggle to select between linear and bihash-based lookups | Andrew Yourtchenko | 3 | -1/+148
In some cases (ACL of a few lines long with a lot of different subnet masks), linear lookup may be more efficient than the hash-based lookup. Expose the API to allow the control plane to choose what lookup algorithm to use. Type: improvement Change-Id: I540dd1b4ce63c5106a556d550f911f3a578b33e0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-08-17 | nat: fix counters increment for output feature | Alexander Chernavin | 3 | -68/+93
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-13 | ip: source address selection | Ole Troan | 2 | -167/+49
Implement a simple source address selection algorithm for IPv4 and IPv6. IPv6 does not yet implement RFC6724 but supports link-locals. ping now chooses correct source address for link-local destination. Added ping support for link-local multicast (e.g. allnodes). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1a3382c1f7d4ace0386c2c19e4e47b045b73a3ed Signed-off-by: Ole Troan <ot@cisco.com>
2021-08-13 | wireguard: add flag to check hmac for decryption | Gabriel Oginski | 1 | -0/+1
Type: fix Originally the decryption doesn't check the hmac for chacha20-poly1305. This patch fixes the problem by adding flag to crypto op to check hmac. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
2021-08-12 | nat: NAT44ED configuration refactor | Filip Varga | 4 | -378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12 | nat: correct pool ops when disable nat44 plugin | Alexander Skorichenko | 1 | -10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-12 | tls: add start_listen openssl API return value check | Ofer Heifetz | 1 | -4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-11 | fib: A 16-8-8 and a 8-8-8-8 versions of an ip4_fib_t | Neale Ranns | 1 | -6/+4
Type: feature The difference being the MTRIE type they contain. The FIB continues to use the 16-8-8 version. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I5a54d4e6e6cc639f18a3fb65ef2925507a7ef1de
2021-08-10 | tls: picotls optimize rx path | Florin Coras | 1 | -69/+113
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0dfa8d60739bc781c37e0d8fced8280b9af93367
2021-08-10 | tls: picotls optimize writes | Florin Coras | 2 | -113/+188
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I76a1cd516849cfe5bc87ed2b3707c6f2257126d2
2021-08-10 | ip: Use the IP4 lookup functions | Neale Ranns | 1 | -52/+23
Type: refactor as opposed to writing out the mtrie steps one by one each time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I1248861350f9189f9a67ac6e68940813af279e03
2021-08-06 | tls: avoid picotls buffer allocs on rx | Florin Coras | 2 | -3/+9
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6cf0c141ab4a4f5a46feb6119fa142148366f0a6
2021-08-06 | tls: avoid ptls ctx free on transport close | Florin Coras | 1 | -2/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0537fa590b11abddf05550e42c7258549729f8a7
2021-08-05 | nat: nat44-ed disable protection for api/cli | Filip Varga | 4 | -60/+67
Return unsupported error if user calls one of the configuration functions that can run only after nat44-ed plugin is enabled via appropriate api/cli call. Type: fix Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-04 | memif: fix offset | Artem Glazychev | 1 | -1/+1
signs were changed here when calculating the offset: d78ba5aa01ff1415bff0b06069ce21e0a78df89c Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I62b7a409caaf478e40efbdd6000922dcc7e92860
2021-08-03 | quic: do not update crypto keys from workers | Aloys Augustin | 3 | -20/+59
The vnet_crypto_key_add should only be called from the main thread. This patch works around this limitation by allocating one key per worker and updating it on the fly every time we need to do a crypto operation. This solution is far from ideal, but quicly has a strong assumption that it can use a key immediately after determining it, so making the key creation asynchronous is not a possibility. Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: I19fc5814195156003c36a73bb616738ba9d828f7 Type: fix
2021-08-03 | tls: picotls handle accept failures | Florin Coras | 1 | -3/+15
Should also fix coverity warning. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I068b837377b329a22ace5b2235c6dd9f067ead77
2021-07-30 | tls: picotls rx fixes and improvements | Florin Coras | 2 | -149/+126
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9ea41b8b271e9123e676acdc581ef429072fe843
2021-07-29 | nat: fix ICMP checksum validation | Klement Sekera | 1 | -9/+9
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-27 | vppinfra: introduce CLIB_CACHE_PREFETCH_BYTES | Damjan Marion | 1 | -2/+0
Type: improvement Change-Id: Ic07010f11ef303f5213a33b0faf24aaedb62f110 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-07-22 | vppinfra: add abstract socket & netns fns | Nathan Skrzypczak | 1 | -23/+10
* Add clib_socket_init support for abstract sockets if name starts with an '@'
* Add clib_socket_init_netns to open socket in netns
* Add clib_netns_open
Type: feature Change-Id: I89637ad657c702ec38ddecb5c03a1673d0dfb104 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-07-22 | nat: nat44-ed configuration refactor & cleanup | Filip Varga | 9 | -896/+1195
Refactoring static mapping configuration functions based on feature type. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I007d9b0e9717ced613fbcef2b11b6853f479be1e
2021-07-21 | hsa: separate ctrl and test session accept vcl server | Florin Coras | 1 | -1/+43
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id6bcf6511c904c8625c0845cd9758539f35e6b50
2021-07-19 | nat: harden ICMP handling | Klement Sekera | 4 | -49/+110
Verify that headers are not truncated and that checksums are valid. Correct checksum computation in translation code. Type: fix Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-16 | dpdk: improve tx offload formatting | Mohsin Kazmi | 1 | -16/+32
Type: improvement Change-Id: I06eaf39b1e441045c3402cbf40339054ad26ade9 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-07-16 | snort: snort3 plugin and DAQ | Damjan Marion | 8 | -0/+2326
Zero copy interface which exposes VPP buffers to snort instance(s). Includes VPP DAQ which is compiled only if libdaq 3 API headers are available. Type: feature Change-Id: I96611b43f94fbae091e7391589e0454ae66de88b Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-07-15 | dpdk: enable RX interrupts for the virtio driver | Robert Shearman | 1 | -0/+8
Type: improvement Request use of RX interrupts for virtio if the system will support it, which is done by applying the same check as in the virtio driver, namely whether multiple interrupts are supported. This allows the use of RX adaptive/interrupt mode instead of just polling, which is useful in virtualised environments where functionality may be more important than performance and so using polling mode is wasteful. Signed-off-by: Robert Shearman <robertshearman@gmail.com> Change-Id: I29527b6f04b0b1d0c9f9424751b2bd252ed10505
2021-07-15 | acl: Fix the CLI to accept IPv6 prefixes | Neale Ranns | 1 | -16/+5
Type: fix
DBGvpp# set acl-plugin acl src 1::1/128 dst 2::/64
DBGvpp# sh acl-plugin acl
acl-index 0 count 1 tag {cli}
0: ipv4 permit src 1.1.1.1/32 dst 1.1.1.2/32 proto 0 sport 0-65535 dport 0-65535
acl-index 1 count 1 tag {cli}
0: ipv6 permit src 1::1/128 dst 2::/64 proto 0 sport 0-65535 dport 0-65535
Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ibb8e20dd4ec2792f423a61eefe7398175e45a577
2021-07-15 | linux-cp: clear all db entries when deleting a pair | Sergio Gonzalez Monroy | 1 | -1/+2
Type: fix Change-Id: I5677cbb183b10c974a3a2e569d1a7a525a7eb45d Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2021-07-15 | misc: replace CLIB_PREFETCH with clib_prefetch_{load,store} | Damjan Marion | 30 | -121/+110
Type: refactor Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-07-15 | nat: nat44-ed sm fix | Filip Varga | 1 | -15/+13
Fixing nat44-ed identity map in2out communication. TCP packets would get dropped because of the order of testing TCP state. Type: fix Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-14 | nat: refactoring NAT44ED cfg functions | Filip Varga | 4 | -344/+500
Refactored & fixed NAT44ED configuration functions used for handling interfaces and nodes. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
2021-07-13 | misc: remove vnet_all_api_h and vnet_msg_enum | Filip Tehlar | 1 | -1/+0
These files are no longer needed Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I34f8e0b7e17d9e8c06dcd6c5ffe51aa273cdec07
2021-07-13 | mss_clamp: coverity test fix | Miklos Tirpak | 1 | -3/+6
Silence the coverity test with setting the interface index in a variable before the boundary check. Type: fix Change-Id: I9bd6db08bfef93142581dada0b6a7d78b7de91e7 Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
2021-07-13 | misc: fix init order to avoid startup warnings | Bin Zhou (bzhou2) | 2 | -8/+8
Put plugin init order inside plugin instead of in vnet Type: improvement Signed-off-by: Bin Zhou (bzhou2) <bzhou2@cisco.com> Change-Id: Icbacdb3f1cb4ac9d74e3f78458e8bc333793b4d6
2021-07-13 | dpdk: add base-virtaddr config option | Robert Shearman | 1 | -1/+4
Type: improvement Allow the use of the base-virtaddr config option to be passed through to DPDK. This is useful to allow use of devices with an IOMMU in nested VMs without resorting to PA IOVA mode. Signed-off-by: Robert Shearman <robertshearman@gmail.com> Change-Id: I32b6513377e6d20bf155e12c45f902d51ea982c4
2021-07-12 | papi: remove shared memory transport | Ole Troan | 2 | -2/+0
This patch removes the papi transport shared memory plugin. It also removes any dependency on CFFI. Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ia81701c0dc506871e511495d837e41420e1fdf72 Signed-off-by: Ole Troan <ot@cisco.com>
2021-07-12 | session: api cleanup | Filip Tehlar | 3 | -29/+39
Use autogenerated code. Does not change API definitions. Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Iacc58d27ac51c8a1c571087f98297e046b3477c2
2021-07-06 | l3xc: reset dpo on delete | Benoît Ganne | 1 | -0/+1
When removing a l3xc path we must release the corresponding dpo. Type: fix Change-Id: Ib6309797cb11374264c786e064f262ad13c6f0a1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-07-02 | crypto: fix sw async crypto with chained buffers | Benoît Ganne | 1 | -31/+30
When a buffer in the chain comes with a negative current_data offset, the conversion to sgl will skip it because of resetting offset to 0. Moreover, crypto_start_offset is relative to the 1st buffer data pointer so we should not check it against subsequent buffers anyway. Type: fix Change-Id: Id177a90bfda242a5372c7e8836cf6668e98c780e Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-07-01 | vmxnet3: support manual thread assignment to tx queue | Steven Luong | 3 | -18/+26
Thread assignment to tx queue has always been automatic and there was no way to modify it. With this patch, it is now possible to use the cli "set interface tx-queue" to change the thread assignment to tx queue for vmxnet3 interface, thanks to the new tx infra. Type: feature Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I1544e3557f70251d4bd423cc3d9f28ee1d44db4a
2021-06-30 | memif: fix tx desc length for chained buffers in copy mode | Benoît Ganne | 1 | -0/+1
When enqueuing chained buffer, we must update the descriptor length for each fragment descriptor in addition to the last. Type: fix Change-Id: I9bc95fe557a049eeea4abd41c695153632d52a52 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-30 | rdma: fix chained buffer tx path in dv mode | Benoît Ganne | 1 | -24/+20
When switching to the direct verb chain buffer tx path, we must account for all remaining packets, including the packets that would wrap around. Previously we were using the 'n' counter but ignoring the 'n_wrap' counter: if some packets would have wrapped around in the default path, it would be ignored by the chained buffer tx path. Compute the correct number of remaining packets based on the old and current txq tail instead. Also simplify the chained tx function parameters. Type: fix Change-Id: If12b41a8f143fda80290342e2904792f7501c559 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-30 | memif: fix chain buffer length in zero-copy mode | Benoît Ganne | 1 | -0/+1
The total_length_not_including_first_buffer field must be reset before being updated otherwise it will quickly grow as stale values are reused. Type: fix Change-Id: Ic48c0822660998b0dfc0b5fdeadae6071b2d03f7 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-26 | vrrp: prevent segfault in multicast join due to missing LL Addr | Jon Loeliger | 1 | -2/+5
If an IPv6 Link Layer Address is missing from an interface, treat it as a down interface. While this fails to send a VRRP multicast group join, it also prevents a seg fault. Type: fix Fixes: 39e9428b90bc74d1bb15fc17759c8ef6ad712418 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: Iebf69bb30604a96de6587655eb872aa818158a56
2021-06-24 | linux-cp: stop managing adjacencies for tunnels | Alexander Chernavin | 1 | -0/+12
Type: fix Outbound packets which arrive on tun/L3 interfaces use a default adjacency for the interface & address family from the corresponding interface pair. However, there are entries in the linux-cp adj table that are created for them. Managing these entries might cause a segfault because the rewrite data might exceed the reserved space for it of 28 bytes in the linux-cp adj key (e.g. in case of GRE IPv6). With this change, stop creating adjacencies for tun/L3 interfaces in the linux-cp adj table and delegating them. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I4bcd685860053ab87c65064c182e3ed53fd4fae9
2021-06-24 | linux-cp: add callbacks for pair management | Matthew Smith | 2 | -15/+41
Type: improvement Allow callbacks to be registered which will be called when an interface pair is added or deleted. Change-Id: I1c413ac2ada802021f9e56e2f878ce67e5eda2f5 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-06-23 | mss_clamp: iterate enabled direction as a vector, not pool | Jon Loeliger | 1 | -2/+2
Type: fix Fixes: bf55e9931ce203049385fbf55dde291ead556679 Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I5410a7a5a8cdc1d41abcc42fe5b42e6e2991dc06
2021-06-23 | nat: ICMP handling fixes | Klement Sekera | 4 | -24/+110
If ICMP comes from a router on path, source address must not be rewritten in o2i path to avoid getting wrong checksum. Fix ICMP checksum computations. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708