Age | Commit message (Collapse) | Author | Files | Lines |
|
1) stats are accessed via the stat segment which is more condusive to
monitoring
2) stats are accurate in the presence of multiple threads. There's no
guarantee that an SA is access from only one worker.
Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
1. unformat_ip46_address must have ip-type specified
2. cannot unformat ip46_address_t with unformat_ip4_address
Change-Id: I5f1eecfe71a808302428afb39f910ebf0c7cef71
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- return the stats_index of each SPD in the create API call
- no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly
- only one pool of SPD entries (rhter than one per-SPD) to support this
- no packets/bytes in the dump API. Polling the stats segment is much more efficient
(if the SA lifetime is based on packet/bytes)
- emit the policy index in the packet trace and CLI commands.
Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
use-esp use-anti-replay
Change-Id: I977b65eee926adaded0cb923e14feb0ee90fc32c
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
this means we test the dumps - to some extent
Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This patch adds a configuration parameter to IPSec tunnels, enabling
custom FIB selection for encapsulated packets.
Although this option could also be used for policy-based IPSec,
this change only enables it for virtual-tunnel-interface mode.
Note that this patch does change the API default behavior regarding
TX fib selection for encapsulated packets.
Previous behavior was to use the same FIB after and before encap.
The new default behavior consists in using the FIB 0 as default.
Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
strncpy stops copying when a byte set to 0 is read.
The fix is to use mempcy instead.
This patch also adds spd id to ipsec input trace.
Change-Id: Ibed071d3607fa76c3f6ee065f94128f1aca9b2e2
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I843d094b6bbd1cefba82d6026174be005e66d510
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I1f7c634328f25b33580a215af2daeb498cd3b181
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
When creating an IPsec tunnel interface, allow a numeric
identifier to be set for use in the interface's name in
place of the dev instance. Default to using the dev instance
if no value is explicitly set.
When an IPsec tunnel is deleted, the interface is deleted
now instead of being kept in a pool of available hw
interfaces. Otherwise there was the possibility of
conflicting tx node names between deleted tunnels and
newly created ones.
Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939
Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
|
|
In the CLI parsing, below is a common pattern:
/* Get a line of input. */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
{
if (unformat (line_input, "x"))
x = 1;
:
else
return clib_error_return (0, "unknown input `%U'",
format_unformat_error, line_input);
}
unformat_free (line_input);
The 'else' returns if an unknown string is encountered. There a memory
leak because the 'unformat_free(line_input)' is not called. There is a
large number of instances of this pattern.
Replaced the previous pattern with:
/* Get a line of input. */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
{
if (unformat (line_input, "x"))
x = 1;
:
else
{
error = clib_error_return (0, "unknown input `%U'",
format_unformat_error, line_input);
goto done:
}
}
/* ...Remaining code... */
done:
unformat_free (line_input);
return error;
}
In multiple files, 'unformat_free (line_input);' was never called, so
there was a memory leak whether an invalid string was entered or not.
Also, there were multiple instance where:
error = clib_error_return (0, "unknown input `%U'",
format_unformat_error, line_input);
used 'input' as the last parameter instead of 'line_input'. The result
is that output did not contain the substring in error, instead just an
empty string. Fixed all of those as well.
There are a lot of file, and very mind numbing work, so tried to keep
it to a pattern to avoid mistakes.
Change-Id: I8902f0c32a47dd7fb3bb3471a89818571702f1d2
Signed-off-by: Billy McFall <bmcfall@redhat.com>
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Build Cryptodev IPsec support by default when DPDK is enabled but only build
hardware Cryptodev PMDs.
To enable Cryptodev support, a new startup.conf option for dpdk has been
introduced 'enable-cryptodev'.
During VPP init, if Cryptodev support is not enabled or not enough cryptodev
resources are available then default to OpenSSL ipsec implementation.
Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23
Signed-off-by: Damjan Marion <damarion@cisco.com>
|