Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This is the second patch, using the new functionality from the change 10002
in order to implement the egress filtering on the MACIP ACLs.
This adds an action "2" which means "add also egress filtering rules for this
MACIP ACL.
The reason for having the two choices is that the egress filtering really takes
care of a fairly corner case scenario, and I am not convinced that
always adding the performance cost of the egress lookup check is worth it.
Also, of course, not breaking the existing implementations is a nice plus,
too.
Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
conn cleaner threads interactions
This replaces some of the early-stage commented-out printf()s with
an elog-based debug collector.
It is aimed to be "better than nothing" initial implementation to be available
in the field. It will be refined/updated based on use. This initial code
is focused on the main/worker threads interactions, hence uses just
the worker tracks.
This code adds a developer debug CLI "set acl-plugin session table event-trace 1",
which allows to gather the events pertaining to connection cleaning.
The CLI is deliberately not part of the online help, as the express
declaration that the semantics/trace levels, etc. are subject to change
without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The thread0 in some configurations can handle the traffic.
Some of the previous fixes accomodated for that, but
the interrupt sending for connection clearing
was not adapted to that, resulting in a deadlock
during clearing of all connections...
Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound
classifier-based ACL would be needed. There was an existing incomplete
code for outbound ACLs, it looked almost exact copy of input ACLs, minus
the various enhancements, trying to sync that code seemed error-prone
and cumbersome to maintain in the longer run.
This change refactors the input+output ACLs processing into a unified
routine (thus any changes will have effect on both), and also adds
the API to set the output interface ACL, with the same format
and semantics as the existing input one (except working on output
ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields
in the vnet_buffer_opaque_t, since the code is using l2_classify.*
The net_buffer (p0)->ip.save_rewrite_length is rescued into
l2_classify.pad.l2_len, and used to rewind the header in case of
drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I853386aebfe488ebb10328435b81b6e3403c5dd0
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This patch teaches worer threads to sleep and to be waken up by
kernel if there is activity on file desctiptors assigned to that thread.
It also adds counters to epoll file descriptors and new
debug cli 'show unix file'.
Change-Id: Iaf67869f4aa88ff5b0a08982e1c08474013107c4
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Normally session keys are generated by mirroring the packets sent.
ICMP message type should be used and inverted for the stateful ACL.
Supported ICMP messages with this patch:
- ICMPv4: Echo/Timestamp/Information/Address Mask requests
- ICMPv6: Echo request/Node Information Queury
The invmap & valid_new tables can be modified to make any other
ICMP messages to be reflexive ACL.
Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Change-Id: Ic5e8d74bf5ac84cce5661de44778c89541c67636
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
L3DSR is used to overcome Layer 2 limitations
of Direct Server Return Load Balancing.
It maps VIP to DSCP bits, and reuse TOS bits to transfer it
to server, and then server will get VIP from DSCP-to-VIP mapping.
Please refer to https://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk45.nanog51-Schaumann.pdf
Change-Id: I403ffeadfb04ed0265086eb2dc41f2e17f8f34cb
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
Rather than having multiple copies of the same function
scattered around, promote the function into the FIB
PROTOCOL definitions in fib_types.h.
Change-Id: I11c4d85931167d3a5f3dc1278afecc8845b23cd7
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: I7110436626352d45ffe0ca71fb88dea2c77ab639
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: Ica6d8dd773bb3b478f1c7e40d59dfbdd4b588b85
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Change-Id: I911e09aadd3df1123634fd97098920f107f9a2fc
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
a crash on debug image (VPP-1151)
In debug image, there is extra code to validate the buffer when it is
freed. It uses the hash table to lookup the buffer index with spinlock
to prevent contention. However, there is one spinlock for each worker
thread. So allocating the buffer on thread-x and freeing the same buffer
on thread-y causes the validation to fail on thread-y. The fix is to
have only one spinlock, stored in vlib_global_main.
Change-Id: Ic383846cefe84a3e262255afcf82276742f0f62e
Signed-off-by: Steven <sluong@cisco.com>
(cherry picked from commit a7effa1b072463f12305a474f082aeaffb7ada4b)
|
|
now we get
00:00:03:665501: pg-input
...
00:00:03:665681: ethernet-input
...
00:00:03:665691: ip6-input
UDP: 2001::1 -> ffef::1
tos 0x00, flow label 0x0, hop limit 64, payload length 108
UDP: 1234 -> 1234
length 108, checksum 0x7b25
00:00:03:665695: ip6-not-enabled
UDP: 2001::1 -> ffef::1
tos 0x00, flow label 0x0, hop limit 64, payload length 108
UDP: 1234 -> 1234
length 108, checksum 0x7b25
00:00:03:665706: error-drop
ethernet-input: no error
Same goes for IPv4
Change-Id: Ia360df39b43281d3a0aa1b686f04b73cfa37c546
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Support the 1:1 translation of source address for IPv6
Change-Id: I934d18e5ec508bf7422d796ee5f172b79c048011
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
(VPP-1156)
Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ib99b597502b8335e57ecfa122b12e2e5aa45ee1a
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I1e3cfc751e7657464fc850dc56ddf763df45f62e
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I4e93595665b8d0e373c4df27311c27a51222961c
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
(VPP-1149)
Avoid crash when interface was deleted.
Change-Id: I2ac3031c13ca5ad3360495e1c4cb90b0002be5ff
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
returned in the fixup function
Change-Id: I458e6e03b03e27775df33a2fd302743126d6ac44
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
New API calls and corresponding CLI commands allow the user
to manage the socket filenames for memif connections using:
vppctl# create memif id <u32> filename <socket-filename>
vppctl# delete memif id <u32>
and then referencing it later in a memif interface:
vppctl# create memif <u32> socket-id <id> mode <mode> <master|slave> ...
Corresponding VAT cli entries have also been added.
The default memif socket file at id 0 are still always present.
The existing memif create/delete CLI commands have been slightly
altered into the new syntax:
vppctl# create interface memif ...
vppctl# delete interface memif ...
Change-Id: If2bdc7eac3d81e1d9011a5869747e52fc5e11639
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ie460005510b8a70d00de31b6651e762cc3a63229
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I620e2081285ca8ac5c2da8efc12fe6f540ea4fd1
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I0ce60729e82536d9a97823bc6701e62bf364ea6c
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Moved CLI from nat.c to nat44_cli.c
Split "show nat44" to:
show nat44 addresses
show nat44 interfaces
show nat44 static mappings
show nat44 interface address
show nat44 sessions detail
show nat44 deterministic mappings
show nat44 deterministic timeouts
show nat44 deterministic sessions
show nat workers
Change-Id: I2d1be8941dd0e4a9e037f4a4d2cd192389beb8ed
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ia65cf2c7b7fdf84c64e60af4cc815251022c53a9
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Modify interface creation to allow creation of tunnel interfaces
without dedicated per tunnel output and tx nodes which are not
used for most tunnel types. Also changed interface-output node
function vnet_per_buffer_interface_output() so it does not rely
on hw_if_index as the next node index which is not flexible nor
efficient for large scale tunnel interfaces.
The improvenemts are done for VXLAN, VXLAN-GPE, GENEVE and GTPU
tunnels. GRE tunnel is still using per tunnel output nodes which
will be changed in a separate patch with other GRE enhencements.
Change-Id: I4123c01c0d2ead814417a867adb8c8a407e4df55
Signed-off-by: John Lo <loj@cisco.com>
|
|
One-armed NAT should work for asymmetrical static mappings without adding external address to the NAT44 pool.
Change-Id: Ie886b75b55c3b552d1029a50bd967625fde80f09
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I5415c002a431d84372f56d4a77dc2aabd6ef55f7
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
(cherry picked from commit 1eb970d16028e9a987c1dd2bfe217d1313262b81)
|
|
This is a version of the VPP API generator in Python PLY. It supports
the existing language, and has a plugin architecture for generators.
Currently C and JSON are supported.
Changes:
- vl_api_version to option version = "major.minor.patch"
- enum support
- Added error checking and reporting
- import support (removed the C pre-processor)
- services (tying request/reply together)
Version:
option version = "1.0.0";
Enum:
enum colours {
RED,
BLUE = 50,
};
define foo {
vl_api_colours_t colours;
};
Services:
service {
rpc foo returns foo_reply;
rpc foo_dump returns stream foo_details;
rpc want_stats returns want_stats_reply
events ip4_counters, ip6_counters;
};
Future planned features:
- unions
- bool, text
- array support (including length)
- proto3 output plugin
- Refactor C/C++ generator as a plugin
- Refactor Java generator as a plugin
Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: Ie7cd809f30decc36cb8e1f4d8acc4b41f17cd390
Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
|
|
add option to NAT44 static mapping API/CLI to make rule asymmetrical (rule match only out2in direction)
Change-Id: If262a3ff375a24d3059f0de1f1ac387a4fe09475
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ia0654461d9fa36503323a8375997719c873d23b9
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
Change-Id: I6ae99c00e76058654f2c5e71377e9fd1bd13b47b
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
(cherry picked from commit c287cd550b91be7a93bae76d0086db87f575e3d3)
|
|
Change-Id: I6eef2ca258ff5b4aa9b21b98543d814633e295af
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: Ifba0a4a297b6c01d75b86bc211a32740af5e48ed
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
One worker thread may be processing the packets
for session owned by another worker thread.
During session access the validity of the pool
index is checked - however, the free bitmap pointer
might change just at that moment, potentially resulting
in a crash.
Thus, use the pool_init_fixed() when initializing the per-worker pools,
so that the free bitmaps are as well staying in their place.
Change-Id: I5796e6b62fdc1efd4299124a388b84a7c0dc19cd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Error messages:
ERROR:VAPI CPP GEN:Cannot find reply to message `udp_ping_add_del_req'
ERROR:VAPI CPP GEN:Cannot find reply to message `udp_ping_export_req'
ERROR:VAPI C GEN:Cannot find reply to message `udp_ping_add_del_req'
ERROR:VAPI C GEN:Cannot find reply to message `udp_ping_export_req'
Api was *_req/*_resp, but when explicitely declared, the reply should
then have been *_req_reply.
Both api response are empty, so I propose to remove them, and use
autoreply
API changes:
rename udp_ping_add_del_req -> udp_ping_add_del
rename udp_ping_export_req -> udp_ping_export
delete udp_ping_add_del_reply (empty response)
delete udp_ping_export_reply (empty response)
vl_api_version 1.0.0 ->2.0.0
Change-Id: Id3456c8101a7689fbc56dc2d9076625c2b3af0ad
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Depends in musdk 17.10 [1], tested on MACCHIATObin [2] board.
currently only coves PP2.
musdk must be compiled with:
./configure --enable-bpool-dma=64
[1] https://github.com/MarvellEmbeddedProcessors/musdk-marvell
[2] http://macchiatobin.net
Change-Id: I0247a6b860b0a067c54190eae0bd3fe08de234ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Improve "show xxx tunnel" output functions format_xxx_tunnel() for
GRE, VXLAN, VXLAN-GPE, GENEVE and GTPU tunnels to make their output
more consistent and provide better information.
Improved the output of "show int addr" to make its info more
consistent with tunnels and provide fib-index info.
Change-Id: Icd4b5b85a5bec417f8ee19afea336c770ad3b4c5
Signed-off-by: John Lo <loj@cisco.com>
|
|
This does not update api client code. In other words, if the client
assumes the transport is shmem based, this patch does not change that.
Furthermore, code that checks queue size, for tail dropping, is not
updated.
Done for the following apis:
Plugins
- acl
- gtpu
- memif
- nat
- pppoe
VNET
- bfd
- bier
- tapv2
- vhost user
- dhcp
- flow
- geneve
- ip
- punt
- ipsec/ipsec-gre
- l2
- l2tp
- lisp-cp/one-cp
- lisp-gpe
- map
- mpls
- policer
- session
- span
- udp
- tap
- vxlan/vxlan-gpe
- interface
VPP
- api/api.c
OAM
- oam_api.c
Stats
- stats.c
Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
If I remember correctly, I added the interface name filter catalog to
avoid cluttering up the vat interface table with [unused] packet
generator interfaces. Since we no longer create pg interfaces we're
not planning to use, the filter catalog does more harm than
good. Every new interface name prefix would have had to be added to
the list, and folks wouldn't likely know they should do that...
Change-Id: I4067f8ba70ad13c8dc5ebaf21a23759a2cf2675e
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I3ce014da7b514aa766a90cacddd76cd2247406a8
Signed-off-by: Billy McFall <bmcfall@redhat.com>
(cherry picked from commit bbdfeaebf25525a55d9a87ba4c0f789c176cc7bf)
|
|
Add option to NAT44 load balancing static mapping API/CLI to make rule asymmetrical (rule match only in out2in direction).
Change-Id: I325ecef5591e4bf44ce4469a24d44fe56c3bb2e9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ifcca60da3f77c0a4959f98b3365c846badbdc2d0
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: If9e9e4fc348d20396713d9017100dda63a107edb
Signed-off-by: Florin Coras <fcoras@cisco.com>
|