Age | Commit message (Collapse) | Author | Files | Lines |
|
While setting an ACL, a user can specify the adjacency to follow after
the input ACL node. Thus, we may skip a lookup and enter directly a
local node (ex: ip4_local). To prevent the local source check from
failing, we need to specify the fib index. And, we have to do it just
before exiting the input ACL node because the l2_classify object
is overlapping with the fib_index in the vnet_buffer_opaque_t struct.
We could have added a padding to avoid this overlap but there is no
place for that in the structure.
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
|
|
Type: fix
- IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
|
|
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages.
The rate limiting is done based on src,dst IP address of the received packet.
the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
|
|
ip6_ext_hdr_chain_t->eh is IP6_EXT_HDR_MAX elements.
Type: fix
Change-Id: I28b8d610d8f5c0c520c8391c37b86e837655ab12
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: refactor
check for pool expansion in the DPO allocation, just in case.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6ba7dd66313630d3f24a51700ab4486ba43d856b
|
|
Type: refactor
To be consistent with the location of the IPv4 responder
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3a5c3ecc10755317591d7ff57b74770c2798e77
|
|
Type: refactor
IP4 does not depend on TCP (it's the other way around).
This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
|
|
IGMP packets with Router Alert option are delivered to ip4-local
without going through ip4-lookup. Make sure fib_index is initialized
properly.
Type: fix
Change-Id: Iab090a33c4c759b6d7f68c28a0b3f4da7a9de864
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
This also changes the behavior of the nat44-ei hairpinning feature.
Rather then enabling the feature on every nat interface, it is enabled
only on local0.
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
|
|
Add API to disable full reassembly of "forus" packets. Mark packets
passing through ip[4|6]-local nodes with a new buffer flag and check for
that flag in reassembly.
Enable IP6 "forus" full reassembly by default to be consistent with
existing IP4 setting.
Type: improvement
Change-Id: I7067792fcd4304182654237968e4c4d9293c6143
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Replace unconditional usage of
buffer->total_length_not_including_first_buffer with a logic checking
whether that length is set to a valid value.
Type: fix
Fixes: 17478e4eb81d384f171ca27c9110a051cd434f16
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I161d0957d62cc23826edd821aa5560bcfc5c1a33
|
|
Initialize ip6 memory owner thread index in reassembly context to avoid
unnecessary handovers.
Type: fix
Fixes: 630ab5846bceddf8d663e9f488a2dc0378949827
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2996caf1f82a0649c97d481b74dce24a96dce326
|
|
*** CID 243670: Memory - illegal accesses (OVERRUN)
/src/vnet/ip/ip6_packet.h: 713 in ip6_ext_header_walk()
CID 243670: Memory - illegal accesses (OVERRUN)
Overrunning array "res->eh" of 4 4-byte elements at
element index 5 (byte offset 23) using index "i" (which evaluates to 5).
Type: fix
Fixes: 03092c1
Change-Id: I27e0435cf10534f3b41e11bf7a5629b5428b0651
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
fib_table->ft_locks
name string for parsing the ip table add|del name <tag> command
path list for ip4_specials in mfib
mfib->fib_entry_by_dst_address[0..32]
mfib entry path_ext, msrc->mfes_exts
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ia1e0cac577a73608ee1e4b1664b60a66322e81ce
|
|
Type: improvement
Change-Id: Ib39478a2e6991d721c4ba3ea61c97bfb07238016
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
There could be a race condition where two fragments of one chain end up
at the same time on different workers, one overwriting others hash
entry. Add a check for that and restart processing on the unlucky worker
who ends up being second from hash table POV. This will then result in a
proper handover to worker now owning this reassembly.
Type: fix
Fixes: de34c35fc73226943538149fae9dbc5cfbdc6e75
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9eb29c5cb1ffe3b5eb1d5a638e17ab7ba2628d28
|
|
When a message is received, verify that it's sufficiently large to
accomodate any VLAs within message. To do that, we need a way to
calculate message size including any VLAs. This patch adds such
funcionality to vppapigen and necessary C code to use those to validate
message size on receipt. Drop messages which are malformed.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2903aa21dee84be6822b064795ba314de46c18f4
|
|
Zero length fragments are invalid and should be dropped. This patch adds
that.
Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
If a fragment arrives with fragment offset = 0 and M = 0, it means that
this is actually a complete packet and per RFC 8200, it should be
treated independently from other fragments. This patch does that.
Fragmentation header is stripped and fragment is forwarded irregardles
of other existing reassemblies in case of full reassembly and treated
the same way as regular packet in shallow virtual reassembly.
Type: improvement
Change-Id: If3322d5e3160cd755b8465a642702a9166d46cc2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Refactor and improve boundary checking on IPv6 extension header handling.
Limit parsing of IPv6 extension headers to a maximum of 4 headers and a
depth of 256 bytes.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ide40aaa2b482ceef7e92f02fa0caeadb3b8f7556
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
When registering a new FIB node type, no name was required on the API, and so no name was printed.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8a99cf29c194637a550061b0a5e9782ffe8b31dd
|
|
Fixing the mutliarch versions of vxlan, geneve and friends. Ensures that
main struct is correctly sized for all multiarch permutations.
Type: fix
Fixes: 290526e3c
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I7c4c435763a5dcb0c3b429cd4f361d373d480c03
|
|
On interface delete we were not removing
the lock taken by a previous ip_table_bind()
call thus preventing the VRFs to be removed.
Type: fix
Change-Id: I11abbb51a09b45cd3390b23d5d601d029c5ea485
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
make the ip_prefix_cmp take const paramenters.
plus some other miscellaneous functions.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ib69bacfb09483a8a8f8b89900c92d3d55c354ac6
|
|
The node ip6_not_enabled should be marked as sibling of
ip6-drop as both are start nodes of the ip6-drop arc.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I212c25444a81b11d8085ba7930ddb67b47502d5c
|
|
Type: feature
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I817b1503ada1ae53c1134a85263f9b801d74e88a
|
|
Type: improvement
Change-Id: Id5810b7f4a6d6e4ce16b73c235b50db5d475ebf7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Encounter a crash for the line
shrx edi,eax,edi
in ip_csum_fold. The target cpu is ivy bridge which does not support
shrx instruction.
Type: fix
Fixes: e6709ff37dc0f3a58ed5ad98aace73fe801f1e9d
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Icc922d3b2ebfcfa721f63946a213b6c492874a9a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I43f6bfa028ee37227f27a2fe0303662bf2631b10
|
|
Type: refactor
Change-Id: Ia8e8834b635025d07e1028b1d5779b21c4e05e58
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Refactor code so that code is inlined in one place instead of in
multiple to speed up compilation.
Type: refactor
Change-Id: I41357b89715b66ebdc8c0d5ccd69347a254fc266
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Check if L4 headers are truncated and if so, set a flag for (future)
consumers instead of reading/writing garbage data.
Type: fix
Fixes: de34c35fc73226943538149fae9dbc5cfbdc6e75
Change-Id: I0b656ec103a11c356b98a6f36cad98536a78d1dc
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Remove unnecessary NULL check of t0, which causes coverity to scream. t0
is always initilised to *something* by doing pool_elt_at_index().
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I7cf21767c43a24923e490ad40622743c17142fe2
|
|
Change-Id: I102f84d6d72a7f17e62fb8c16a1d4a3234753476
Type: fix
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
New code seems to be 1.5 clocks faster.
old:
mov eax,edi
shr rdi,0x20
add rdi,rax
movzx edx,di
shr rdi,0x10
add rdx,rdi
movzx eax,dx
shr rdx,0x10
add rax,rdx
mov rdx,rax
shr rdx,0x10
add eax,edx
new:
mov rax,rdi
shr rax,0x20
add eax,edi
mov edi,0x10
shrx edi,eax,edi
adc ax,di
adc ax,0x0
Type: improvement
Change-Id: I3c565812c67ff4c3db197a9d4137a6c131b5b66c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
When an mfib entry was created with both paths and entry_flags then
the entry flags were being ignored. If there are no paths then the
flags were passed into mfib_table_entry_update, but in the case where
the entry didn't exist and there were paths and flags, the entry was
created within mfib_table_entry_paths_update() which used a default
of MFIB_ENTRY_FLAG_NONE.
Pass the flags through into the mfib_table_entry_paths_update fn. All
existing callers other than the create case will now pass in
MFIB_ENTRY_FLAG_NONE.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I256375ba2fa863a62a88474ce1ea6bf2accdd456
|
|
Type: improvement
This adds a new ip[46]-receive node, sibling
of ip[46]-local. Its goal is to set
vnet_buffer (b)->ip.rx_sw_if_index to the
sw_if_index of the local interface.
In dependant nodes further down the line (e.g.
hoststack) we then set sw_if_idx[rx] to this
value. So that we know which local interface
did receive the packet.
The TCP issue this fixes is that :
On accepts, we were setting tc->sw_if_index
to the source sw_if_index. We should use
the dest sw_if_index, so that packets
coming back on this connection have the
right source sw_if_index. And also setting
it in the tx-ed packet.
Change-Id: I569ed673e15c21e71f365c3ad45439b05bd14a9f
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
When VPP generates an ICMP echo reply in response to an incoming
echo request to a local address, set VNET_BUFFER_F_LOCALLY_ORIGINATED
on the buffer. It will prevent ip6-rewrite from decrementing the hop
limit.
Outbound IPv4 echo replies also get this flag set.
Change-Id: Iaa229294eb158edb58cf1bf1b7a90da281321406
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Using VPP CLI "ip route add" to add static IPv6 entries outputs wrong
results. Fix this error by correctly calculating IPv6 addresses with
different increased ranges and grouping ip4/ip6 prefix calculation
functionality into two functions.
Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Reviewed-by: Lijian Zhang <lijian.zhang@arm.com>
Reviewed-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: If954876301ca2095f9331799a086f75db936f246
|
|
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ib07029204ecf12bf2adb5a39afa54bc98fb81f34
|
|
Type: fix
the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting.
The traces previously showed some bogus reason:
00:04:27:325550: ip6-mfib-forward-rpf
entry 10 itf -1 flags
00:04:27:325551: ip6-drop
fib:0 adj:10 flow:0
UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2
tos 0x00, flow label 0x651ed, hop limit 1, payload length 64
UDP: 546 -> 547
length 64, checksum 0xec9a
00:04:27:325551: error-drop
rx:GigabitEthernet6/0/0
00:04:27:325553: drop
ip6-input: drops due to concurrent reassemblies limit
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
|
|
This patches fixes an issue that could cause
fib locks to underflow: if an API user deletes
a fib and quickly recreates it, the fib may not
have been actually deleted. As a result, the
lock would not be incremented on the create call
leading to the fib potentially disappearing
afterwards - or to the lock to underflow when
the fib is deleted again.
In order to keep the existing API semantics,
we use the locks with API and CLI source as flags.
This means we need to use a different counter
for the interface-related locks.
This also prevents an issue where an interface being
bound to a vrf via API and released via CLI could
mess up the lock counter.
Finally, this will help with cleaning up the
interface-related locks on interface deletion
in a later patch.
Type: fix
Change-Id: I93030a7660646d6dd179ddf27fe4e708aa11b90e
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
The path mtu node uses errors defined by ip fragmentation.
Type: fix
Change-Id: I1f173955919a4f555ab0309cd8201ec342a0ae92
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
previous - b31fbc47f5fcf8234c757558d7b0285348774086
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I7ea2d693d3ad5bf41ece066b3511fbfa156c1e4b
|
|
Type: improvement
Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
This feature allows one to add classifier-based ACLs on packets punted
from the ip infra, eg. to only whitelist specific sender(s).
Type: feature
Change-Id: Idab37b188583efbca980038875fc3e540cb2e880
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: I583c30e9b63c0b0b6cd5fef0b2cb9ed7ec9856e2
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Linux uses pseudo header checksum when checksum of l4 is offloaded.
This patch adds similar support in virtual interfaces.
Change-Id: I6a94d1104e59356f95057e7c122e3be9cd8659a3
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Move control ping and change dependencies from vpe.api_types to
memclnt.api_types
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9f8bc442e28738c48d64d1f6794082c8c4f5725b
|
|
This prevents going through the same sequence every time the api is
called.
Type: fix
Change-Id: I3ca3587ab5d1c060e2913ca88501b8dbcdd9c196
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|