summaryrefslogtreecommitdiffstats
path: root/src/vnet/ip/ip4_error.h
AgeCommit message (Collapse)AuthorFilesLines
2019-05-20reassembly: prevent long chain attackKlement Sekera1-0/+2
limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-02-25buffer chain linearizationKlement Sekera1-1/+0
Rewrite vlib_buffer_chain_linearize function so that it works as intended. Linearize buffer chains coming out of reassembly to work around some dpdk-tx issues. Note that this is not a complete workaround as a sufficiently large packet will still cause the resulting chain to be too long. Drop features from reassembly code which relies on knowing which and how many buffers were freed during linearization, buffer counts and tracing capabilities for these cases. Change-Id: Ic65de53ecb5c78cd96b178033f6a576ab4060ed1 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-20reassembly: replace asserts with error countersKlement Sekera1-1/+2
Change-Id: Iaa39aea990bc04147f6a049215e990a567d30106 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-13VPP-1522: harden reassembly codeKlement Sekera1-1/+2
Change-Id: Ib5a20bff7d8a340ecf50bcd4a023d6bf36382ba3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-07-09IGMP improvementsNeale Ranns1-1/+1
- Enable/Disable an interface for IGMP - improve logging - refactor common code - no orphaned timers - IGMP state changes in main thread only - Large groups split over multiple state-change reports - SSM range configuration API. - more tests Change-Id: If5674f1044e7e97274a711f47807c9ba689d7b9a Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-02-07classifier-based ACL: refactor + add output ACLAndrew Yourtchenko1-0/+3
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound classifier-based ACL would be needed. There was an existing incomplete code for outbound ACLs, it looked almost exact copy of input ACLs, minus the various enhancements, trying to sync that code seemed error-prone and cumbersome to maintain in the longer run. This change refactors the input+output ACLs processing into a unified routine (thus any changes will have effect on both), and also adds the API to set the output interface ACL, with the same format and semantics as the existing input one (except working on output ACL of course). WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields in the vnet_buffer_opaque_t, since the code is using l2_classify.* The net_buffer (p0)->ip.save_rewrite_length is rescued into l2_classify.pad.l2_len, and used to rewind the header in case of drop, so that ipX_drop prints something sensible. Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-01IPv4/6 reassemblyKlement Sekera1-2/+7
Change-Id: Ic5dcadd13c88b8a5e7896dab82404509c081614a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-01-24Improve the error reporting for a IP multicast RPF miss.Neale Ranns1-1/+4
now we get: 00:00:04:288925: pg-input ... 00:00:04:289345: ethernet-input ... 00:00:04:289524: ip6-input ... 00:00:04:289553: ip6-mfib-forward-lookup ... 00:00:04:289584: ip6-mfib-forward-rpf entry 14 itf 2 flags Forward, 00:00:04:289754: ip6-drop UDP: 2002::1 -> ff01:2::255 tos 0x00, flow label 0x0, hop limit 64, payload length 21 UDP: 1234 -> 1234 length 21, checksum 0x90d1 00:00:04:289802: error-drop ip4-input: Multicast RPF check failed 08:36:44,517 Count Node Reason 182 ip4-input Multicast RPF check failed 8 ip6-icmp-input neighbor advertisements sent 8 ip6-icmp-input router advertisements sent 8 arp-input ARP replies sent Change-Id: I1b29cda4ec77a88db45bfb25c7473cd64bbf501a Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-13IP bi-direction multicast - same cable check on egressNeale Ranns1-0/+1
Change-Id: I655382f7f74181dd7c795a2b22f151f76b50e793 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-10punt and drop features:Neale Ranns1-2/+2
- new IPv4 and IPv6 feature arcs on the punt and drop nodes - new features: - redirect punted traffic to an interface and nexthop - police punted traffic. Change-Id: I53be8bf4e06545add8a3619e462de5ffedd0a95c Signed-off-by: Neale Ranns <nranns@cisco.com>
2016-12-28Reorganize source tree to use single autotools instanceDamjan Marion1-0/+95
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23 Signed-off-by: Damjan Marion <damarion@cisco.com>