path: root/src/vnet/dns/dns.c
Age         Commit message  [Author, files changed, lines removed/added]

2019-03-28  Typos. A bunch of typos I've been collecting.  [Paul Vinciguerra, 1 file, -3/+3]
    Change-Id: I53ab8d17914e6563110354e4052109ac02bf8f3b
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>

2019-03-12  VPP-1585: fix dns test cli  [Filip Tehlar, 1 file, -1/+3]
    Change-Id: Iac105e09bb88434fe55365fc1546d769f034e0e2
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>

2019-01-19  buffers: remove free-list information from buffer metadata  [Damjan Marion, 1 file, -1/+0]
    Change-Id: I6048c6a51efa826ac333f7d15919cb87dd766d74
    Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-10-23  dns, dhcp: on-demand udp port registration  [Dave Barach, 1 file, -11/+18]
    Change-Id: I8bf411adc6c5f4caa349d161174b544d2de3ad1d
    Signed-off-by: Dave Barach <dave@barachs.net>

2018-10-23  c11 safe string handling support  [Dave Barach, 1 file, -11/+11]
    Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
    Signed-off-by: Dave Barach <dave@barachs.net>

2018-02-07  Refactor vlib_buffer flags  [Damjan Marion, 1 file, -1/+1]
    Change-Id: I853386aebfe488ebb10328435b81b6e3403c5dd0
    Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-01-11  Handle a mix of CNAME, A/AAAA records  [Dave Barach, 1 file, -10/+30]
    Poster-child: 8.8.8.8 resolving mag.ncep.noaa.gov

    Change-Id: I600cd0274b9017e9c91817511d3d3366f0bd02b9
    Signed-off-by: Dave Barach <dave@barachs.net>

2018-01-10  Functional improvements, bug fixes  [Dave Barach, 1 file, -24/+80]
    At least when testing against "known good" DNS servers: it turns out that
    sending 2x requests - one for an A-record and another for a AAAA-record -
    seems to work better than sending a single DNS_TYPE_ALL request.

    Fix c-string vs. u8 vector mistakes. Fix server failover.

    Change-Id: I26554f0a9c1744376f21372506ebec8658e351e2
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-11-27  vlib: make vlib_buffer_alloc inline function  [Damjan Marion, 1 file, -1/+1]
    Currently, every alloc involves a callback function call. With this change
    the callback function is called only if there are no empty buffers on the
    free list.

    Change-Id: I2238c19ece7ce182c49ba0f2485add52f335f3b6
    Signed-off-by: Damjan Marion <damarion@cisco.com>

2017-11-16  Deal with double name-pointer chases  [Dave Barach, 1 file, -48/+167]
    Change-Id: I153b07b4348133535b16b6bf55527d19a6b927c6
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-11-05  ip4 network request processing  [Dave Barach, 1 file, -34/+306]
    Change-Id: I6eb0681cc2595f81ac3bf5ffa3e9b2adfff04a36
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-10-20  Add reverse DNS (ip to name) resolution  [Dave Barach, 1 file, -17/+225]
    Change-Id: Ic531d820b1846ff7363e5c396ac0b1176e87b401
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-10-17  VPP-1032: fix coverity warnings  [Dave Barach, 1 file, -3/+12]
    Change-Id: Ic3a0c51e5408921051deaf2e50372d9654574b27
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-10-16  DNS name resolver improvements  [Dave Barach, 1 file, -26/+205]
    - Cache intermediate CNAME records
    - Bug fixes

    Change-Id: I06dcb558212fc5e9434281493c872577cf9b83e1
    Signed-off-by: Dave Barach <dave@barachs.net>

2017-10-13  VPP-1027: DNS name resolver  [Dave Barach, 1 file, -0/+2114]
    This patch is a plausible first-cut, suitable for initial testing by vcl
    (host stack client library).

    Main features:
    - recursive name resolution
    - multiple ip4/ip6 name servers
    - cache size limit enforcement - currently limited to 65K
    - ttl / aging
    - static mapping support
    - show / clear / debug CLI commands

    Binary APIs provided for the following:
    - add/delete name servers
    - enable/disable the name cache
    - resolve a name

    To Do list:
    - Respond to ip4/ip6 client DNS requests (vs. binary API requests)
    - Perf / scale tuning
    - map pending transaction ids to pool indices, so the cache can (greatly)
      exceed 65K entries
    - Security improvements
      - Use unpredictable dns transaction IDs, related to previous item
      - Make sure that response-packet src ip addresses match the server
    - Add binary APIs
      - deliver raw response data to clients
      - control recursive name resolution
    - Documentation

    Change-Id: I48c373d5c05d7108ccd814d4055caf8c75ca10b7
    Signed-off-by: Dave Barach <dave@barachs.net>
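The first-cut commit message above lists two security to-do items for the resolver: unpredictable DNS transaction IDs and checking that a response's source address matches the server that was queried. The following is an added example, not code from the VPP project, of how a resolver's pending-query table can enforce both, plus the check that the response's question section echoes the query that was sent. The `PendingQueries` class, the `make_response` helper and the server address and names are constructed for illustration; the on-the-wire layout follows the standard DNS header and question format.

```python
import secrets
import struct

DNS_TYPE_A = 1
DNS_TYPE_AAAA = 28
DNS_CLASS_IN = 1
QR_BIT = 0x8000


def encode_name(name):
    """Encode a dotted name such as mag.ncep.noaa.gov as wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_question_name(payload, offset):
    """Decode an uncompressed name; returns (lower-cased name, offset after it)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:  # a question we sent never carries a compression pointer
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def make_response(query, flags=0x8180):
    """Constructed reply: the query echoed back with QR set and no answer records."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


class PendingQueries:
    """Hypothetical pending-query table: one entry per in-flight transaction id."""

    def __init__(self):
        self._pending = {}  # txid -> (server address, qname, qtype)

    def new_query(self, server, qname, qtype):
        """Register a query under a CSPRNG-drawn 16-bit id that is not already in use."""
        while True:
            txid = secrets.randbelow(1 << 16)
            if txid not in self._pending:
                break
        self._pending[txid] = (server, qname.rstrip(".").lower(), qtype)
        return txid

    @staticmethod
    def build_query(txid, qname, qtype):
        """Standard query with RD set, one question and no other sections."""
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)

    def accept_response(self, src_addr, payload):
        """Return (accepted, reason); the pending entry is consumed only on success."""
        if len(payload) < 12:
            return False, "short header"
        txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
        if not flags & QR_BIT:
            return False, "QR bit not set"
        entry = self._pending.get(txid)
        if entry is None:
            return False, "unknown transaction id"
        server, qname, qtype = entry
        if src_addr != server:
            return False, "source address does not match queried server"
        if qdcount != 1:
            return False, "unexpected question count"
        try:
            name, off = decode_question_name(payload, 12)
            rtype, rclass = struct.unpack("!HH", payload[off:off + 4])
        except (ValueError, struct.error, UnicodeDecodeError):
            return False, "malformed question section"
        if (name, rtype, rclass) != (qname, qtype, DNS_CLASS_IN):
            return False, "question section does not echo our query"
        del self._pending[txid]
        return True, "ok"
```

The id is drawn from the full 16-bit space with `secrets` rather than a counter, the entry is looked up before the source check so that a reply from the wrong address for a real id is reported as such, and a pending entry is deleted on acceptance so a second copy of the same reply is rejected.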
import socket
import unittest

from util import ppp
from framework import VppTestRunner
from template_ipsec import IPSecIPv4Fwd

"""
When an IPSec SPD is configured on an interface, any inbound packets
not matching inbound policies, or outbound packets not matching outbound
policies, must be dropped by default as per RFC4301.

This test uses simple IPv4 forwarding on interfaces with IPSec enabled
to check if packets with no matching rules are dropped by default.

The basic setup is a single SPD bound to two interfaces, pg0 and pg1.

                    ┌────┐        ┌────┐
                    │SPD1│        │SPD1│
                    ├────┤ ─────> ├────┤
                    │PG0 │        │PG1 │
                    └────┘        └────┘

First, both inbound and outbound BYPASS policies are configured allowing
traffic to pass from pg0 -> pg1.

Packets are captured and verified at pg1.

Then either the inbound or outbound policies are removed and we verify
packets are dropped as expected.

"""


class IPSecInboundDefaultDrop(IPSecIPv4Fwd):
    """IPSec: inbound packets drop by default with no matching rule"""

    def test_ipsec_inbound_default_drop(self):
        # configure two interfaces and bind the same SPD to both
        self.create_interfaces(2)
        self.spd_create_and_intf_add(1, self.pg_interfaces)
        pkt_count = 5

        # catch-all inbound BYPASS policy, all interfaces
        inbound_policy = self.spd_add_rem_policy(
            1,
            None,
            None,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
            policy_type="bypass",
            all_ips=True,
        )

        # outbound BYPASS policy allowing traffic from pg0->pg1
        outbound_policy = self.spd_add_rem_policy(
            1,
            self.pg0,
            self.pg1,
            socket.IPPROTO_UDP,
            is_out=1,
            priority=10,
            policy_type="bypass",
        )

        # create a packet stream pg0->pg1 + add to pg0
        packets0 = self.create_stream(self.pg0, self.pg1, pkt_count)
        self.pg0.add_stream(packets0)

        # with inbound BYPASS rule at pg0, we expect to see forwarded
        # packets on pg1
        self.pg_interfaces[1].enable_capture()
        self.pg_start()
        cap1 = self.pg1.get_capture()
        for packet in cap1:
            try:
                self.logger.debug(ppp("SPD - Got packet:", packet))
            except Exception:
                self.logger.error(ppp("Unexpected or invalid packet:", packet))
                raise
        self.logger.debug("SPD: Num packets: %s", len(cap1.res))
        # verify captures on pg1
        self.verify_capture(self.pg0, self.pg1, cap1)
        # verify policies matched correct number of times
        self.verify_policy_match(pkt_count, inbound_policy)
        self.verify_policy_match(pkt_count, outbound_policy)

        # remove inbound catch-all BYPASS rule, traffic should now be dropped
        self.spd_add_rem_policy(  # inbound, all interfaces
            1,
            None,
            None,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
            policy_type="bypass",
            all_ips=True,
            remove=True,
        )

        # create another packet stream pg0->pg1 + add to pg0
        packets1 = self.create_stream(self.pg0, self.pg1, pkt_count)
        self.pg0.add_stream(packets1)
        self.pg_interfaces[1].enable_capture()
        self.pg_start()
        # confirm traffic has now been dropped
        self.pg1.assert_nothing_captured(
            remark="inbound pkts with no matching rules NOT dropped by default"
        )
        # both policies should not have matched any further packets
        # since we've dropped at input stage
        self.verify_policy_match(pkt_count, outbound_policy)
        self.verify_policy_match(pkt_count, inbound_policy)


class IPSecOutboundDefaultDrop(IPSecIPv4Fwd):
    """IPSec: outbound packets drop by default with no matching rule"""

    def test_ipsec_outbound_default_drop(self):
        # configure two interfaces and bind the same SPD to both
        self.create_interfaces(2)
        self.spd_create_and_intf_add(1, self.pg_interfaces)
        pkt_count = 5

        # catch-all inbound BYPASS policy, all interfaces
        inbound_policy = self.spd_add_rem_policy(
            1,
            None,
            None,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
            policy_type="bypass",
            all_ips=True,
        )

        # outbound BYPASS policy allowing traffic from pg0->pg1
        outbound_policy = self.spd_add_rem_policy(
            1,
            self.pg0,
            self.pg1,
            socket.IPPROTO_UDP,
            is_out=1,
            priority=10,
            policy_type="bypass",
        )

        # create a packet stream pg0->pg1 + add to pg0
        packets0 = self.create_stream(self.pg0, self.pg1, pkt_count)
        self.pg0.add_stream(packets0)

        # with outbound BYPASS rule allowing pg0->pg1, we expect to see
        # forwarded packets on pg1
        self.pg_interfaces[1].enable_capture()
        self.pg_start()
        cap1 = self.pg1.get_capture()
        for packet in cap1:
            try:
                self.logger.debug(ppp("SPD - Got packet:", packet))
            except Exception:
                self.logger.error(ppp("Unexpected or invalid packet:", packet))
                raise
        self.logger.debug("SPD: Num packets: %s", len(cap1.res))
        # verify captures on pg1
        self.verify_capture(self.pg0, self.pg1, cap1)
        # verify policies matched correct number of times
        self.verify_policy_match(pkt_count, inbound_policy)
        self.verify_policy_match(pkt_count, outbound_policy)

        # remove outbound rule
        self.spd_add_rem_policy(
            1,
            self.pg0,
            self.pg1,
            socket.IPPROTO_UDP,
            is_out=1,
            priority=10,
            policy_type="bypass",
            remove=True,
        )

        # create another packet stream pg0->pg1 + add to pg0
        packets1 = self.create_stream(self.pg0, self.pg1, pkt_count)
        self.pg0.add_stream(packets1)
        self.pg_interfaces[1].enable_capture()
        self.pg_start()
        # confirm traffic was dropped and not forwarded
        self.pg1.assert_nothing_captured(
            remark="outbound pkts with no matching rules NOT dropped " "by default"
        )
        # inbound rule should have matched twice the # of pkts now
        self.verify_policy_match(pkt_count * 2, inbound_policy)
        # as dropped at outbound, outbound policy is the same
        self.verify_policy_match(pkt_count, outbound_policy)


if __name__ == "__main__":
    unittest.main(testRunner=VppTestRunner)
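The module docstring above states the RFC 4301 rule the two test cases exercise: a packet that matches no SPD policy for a direction is dropped, inbound at ingress and outbound at egress. The following is an added reference model of that lookup, not VPP code and not part of the test file. The `Spd` and `Policy` classes, the policy names and the 192.168.x.x addresses standing in for hosts behind pg0 and pg1 are constructed for illustration; `inbound_case` and `outbound_case` replay the two test scenarios and return what the tests assert on, the per-packet verdicts and the per-policy match counts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added model (not VPP code): an SPD whose lookups fall back to drop when
# nothing matches, as RFC 4301 requires in both directions.

UDP = 17
ANY = ipaddress.ip_network("0.0.0.0/0")
PG0_HOST = "192.168.1.1"  # constructed: a host behind pg0
PG1_HOST = "192.168.2.1"  # constructed: a host behind pg1


@dataclass(frozen=True)
class Policy:
    is_out: bool                 # False: consulted at ingress, True: at egress
    priority: int                # higher value wins among matching policies
    action: str                  # "bypass" or "discard" ("protect" not modelled)
    src: ipaddress.IPv4Network   # traffic selectors
    dst: ipaddress.IPv4Network
    proto: int


class Spd:
    def __init__(self):
        self._policies = {}  # name -> Policy
        self.matches = {}    # name -> packets that matched (kept after removal)

    def add(self, name, policy):
        self._policies[name] = policy
        self.matches.setdefault(name, 0)

    def remove(self, name):
        del self._policies[name]

    def lookup(self, is_out, src, dst, proto) -> Optional[str]:
        """Name of the highest-priority policy matching this direction, or None."""
        best = None
        for name, p in self._policies.items():
            if p.is_out != is_out or p.proto != proto:
                continue
            if src not in p.src or dst not in p.dst:
                continue
            if best is None or p.priority > self._policies[best].priority:
                best = name
        return best

    def process(self, src, dst, proto):
        """Inbound check at ingress, then outbound check at egress; no match means drop."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for is_out, stage in ((False, "inbound"), (True, "outbound")):
            hit = self.lookup(is_out, src, dst, proto)
            if hit is None:
                return f"dropped:{stage}:no-policy"
            self.matches[hit] += 1
            if self._policies[hit].action == "discard":
                return f"dropped:{stage}:discard"
        return "forwarded"


def fresh_spd():
    """Starting state of both tests: catch-all inbound bypass, pg0->pg1 outbound bypass."""
    spd = Spd()
    spd.add("inbound_any", Policy(False, 10, "bypass", ANY, ANY, UDP))
    spd.add("outbound_pg0_pg1", Policy(True, 10, "bypass",
                                       ipaddress.ip_network("192.168.1.0/24"),
                                       ipaddress.ip_network("192.168.2.0/24"), UDP))
    return spd


def send(spd, n):
    """Push n UDP packets from the pg0 host to the pg1 host; returns the verdicts."""
    return [spd.process(PG0_HOST, PG1_HOST, UDP) for _ in range(n)]


def inbound_case(n=5):
    """IPSecInboundDefaultDrop: remove the inbound catch-all, expect drops at ingress."""
    spd = fresh_spd()
    before = send(spd, n)
    spd.remove("inbound_any")
    return before, send(spd, n), dict(spd.matches)


def outbound_case(n=5):
    """IPSecOutboundDefaultDrop: remove the outbound rule, expect drops at egress."""
    spd = fresh_spd()
    before = send(spd, n)
    spd.remove("outbound_pg0_pg1")
    return before, send(spd, n), dict(spd.matches)
```

The two cases differ in where the counters stop: with the inbound policy gone nothing reaches the outbound lookup, so both counts stay at the first batch, while with the outbound policy gone the inbound policy still matches the second batch and doubles its count, which is exactly what the two `verify_policy_match` checks above assert.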