| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Originally after remove the policy entry in spd, macro "vec_del1"
can change localization of the last entry in vector and finally the
entry list has not been sorted.
This patch fixes this issue by change executed macro "vec_delete"
instead of "vec_del1".
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I396591cbbe17646e1d243aedb4cdc272ed4d5e25
(cherry picked from commit aacd3ed6d5c9c32b646795583a634ca5925603d2)
|
|
User can define first_seg_size and add-segment-size in the tls
configuration section, but current code does not take this configuration
into account and sets a default value to first_seg_size and add_seg_size
respectively.
This commit checks if configuration was set and only if not uses the
default values.
Type: fix
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Change-Id: I0077f7d54fe7773dd92522476f882c924fda22df
|
|
When computing the inner packet checksum, the code wrongly
assumes that the IP version of the inner packet is the
same of the outer one. On the contrary, it is perfectly
possible to encapsulate v6 packets into v4 and viceversa,
so we need to check the IP format of the inner header before
calling vnet_calc_checksums_inline.
Ticket: VPP-2020
Type: fix
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: Ia4515563c164f6dd5096832c831a48cb0a29b3ad
Signed-off-by: Mauro Sardara <msardara@cisco.com>
(cherry picked from commit 9539647b895c456ca53892a9259e3127c6b92d35)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib2e1d847607c9c7d928b174b87e5c21d53153ebe
(cherry picked from commit e8d67719fde74eee34d2a36f0d00343de4bbac7d)
|
|
- HICN project's hicn_plugin requires vnet header files
fib/fib_entry_track.h and udp/udp_encap.h to be
included in build-root/install-vpp*-*/vpp/include/vnet
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Iabd3f8fe0aee8d727758fc6ef202e859d68d63a3
(cherry picked from commit 40cfc1560ee6fa11e4d6c74e9730541a8a45b68a)
|
|
mpls fib DB size was 2^20 instead of intended 2^21.
Therefore large mpls labels caused DB to overflow and write
to other tables or some random objects. Or crash with ASAN.
Sometimes.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I6db65680037a266fe47e8213464a0c16de63c06c
(cherry picked from commit cf2595dfc0b446dd9bd5311d972cfb53b5567df8)
|
|
This is required after distinguishing between max_frame_size and MTU
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Ie642bee4e30ca76903bb8be5eeb6914c2c09bf35
(cherry picked from commit 66593a6a63fe30ed4b8bed96844244d78274e8f2)
|
|
Revert "vxlan: crash on configuring vxlan tunnel on l3 mode"
This reverts commit b8de7d43e4955bb4025cd0e0e7390279841b6d7d.
Reason for revert: VPP-2014
Type: fix
Fixes: b8de7d43e4955bb4025cd0e0e7390279841b6d7d
Change-Id: Ic4d10f28985ee10e0550a1bbfd465ada915e4aa6
Signed-off-by: Ed Warnicke <hagbard@gmail.com>
|
|
When the ipfix address was changed to be an ip_address instead of
an ip4_address the output when creating an exporter via the cli
should have been modified to take the address of the v4 part of
the addr.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I141456cd9092c861a4c4aefba4035dbde23efcd6
(cherry picked from commit bf9918a7e0c6bf116b90780cbc2c111ca7995399)
|
|
Originally wireguard doesn't support async mode for encryption packets.
This patch add async mode for encryption in wireguard and also adds
support chacha20-poly1305 algorithm in cryptodev for async handler.
In addition it contains new command line to activate async mode for wireguard:
set wireguard async mode on|off
and also add new command to check active mode for wireguard:
show wireguard mode
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I141d48b42ee8dbff0112b8542ab5205268089da6
(cherry picked from commit 492d7790ff26c569bee81617c662363652891140)
|
|
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I8ea0193ebb2a721a0582451ffd64c4063ac6d233
|
|
Type: fix
During the interface creation time, (by default) admin-up
flag is locally set for tap and virtio interfaces.
While, in VPP the state of these interfaces are still
admin-down. User needs to explicitly call
'set interface state <interface-name> up' to admin-up the
newly created tap or virtio interface(s) in VPP. So, this
behavior is inconsistent.
This patch fixes the issue to have consistent behavior
for given interface between local and global administration
state.
Change-Id: Ifd8904a09fbdbe7b386874ac3231dc0527064518
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
Change-Id: I3659de6599f402c92e3855e3bf0e5e3388f2bea0
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output.
This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this:
...
00:00:01:111710: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111829: local0-output
ipsec0
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 5858585858585858585858585858585858585858585858585858585858585858
00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0
00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664
00:00:01:112017: error-drop
rx:pg1
00:00:01:112034: drop
local0-output: interface is down
although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop.
This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed.
The resulting drop is:
...
00:00:01:111504: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111533: ip4-drop
ICMP: 172.16.2.2 -> 1.1.1.1
tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN
fragment id 0x0001
ICMP echo_request checksum 0xecf4 id 0
00:00:01:111620: error-drop
rx:pg1
00:00:01:111640: drop
null-node: blackholed packets
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
|
|
- per hw-interface-class handlers
- ethernet set_mtu callback
- driver can now refuse MTU change
Type: improvement
Change-Id: I3d37c9129930ebec7bb70caf4263025413873048
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Decouples vnet return values from API return codes.
New vnet_error() creates vnet_error_t whicgh contains both vnet function
return value and return string.
vnet_api_error() converts vlib_error_t constructed with vnet_error() to
API return value.
Type: improvement
Change-Id: I17042954d48c010150fc1dfc5fce9330e8149e87
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: I7fa113e924640f9d798c1eb6ae64b9c0a9e2104c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1025cccd784f80b557847f69c3ea1ada5c9de60d
|
|
*** CID 243670: Memory - illegal accesses (OVERRUN)
/src/vnet/ip/ip6_packet.h: 713 in ip6_ext_header_walk()
CID 243670: Memory - illegal accesses (OVERRUN)
Overrunning array "res->eh" of 4 4-byte elements at
element index 5 (byte offset 23) using index "i" (which evaluates to 5).
Type: fix
Fixes: 03092c1
Change-Id: I27e0435cf10534f3b41e11bf7a5629b5428b0651
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This fix adds check that will omit loop iteration
in case dequeue handler is zero.
Type: fix
Signed-off-by: Dastin Wilski <dastin.wilski@gmail.com>
Change-Id: I7526e3fe7d8c8da9662b4e9204efd5e2d8be1908
|
|
Part 1 -- notes in https://ipng.ch/s/articles/2021/08/13/vpp-2.html
Add the ability for VPP to copy out (sync) its state from the dataplane
to Linux Interface Pairs, when they exist. Gated by a configuration
flag (linux-cp { lcp-sync }), and by a CLI option to toggle on/off,
synchronize the following events:
- Interface state changes
- Interface MTU changes
- Interface IPv4/IPv6 address add/deletion
In VPP, subints can have any link state and MTU, orthogonal to their
phy. In Linux, setting admin-down on a phy forces its children to be
down as well. Also, in Linux, MTU of children must not exceed that of
the phy. Add a state synchronizer which walks over phy+subints to
ensure Linux and VPP end up in the same consistent state.
Part 2 -- notes in https://ipng.ch/s/articles/2021/08/15/vpp-3.html
Add the ability for VPP to autocreate sub-interfaces of existing Linux
Interface pairs. Gated by a configuration flag
(linux-cp { lcp-auto-subint }), and by a CLI option to toggle on/off,
synchronize the following event:
- Sub-interface creation (dot1q, dot1ad, QinQ and QinAD)
A few other changes:
- Add two functions into netlink.[ch] to delete ip4 and ip6 addresses.
- Remove a spurious logline (printing MTU) in netlink.c.
- Resolve a TODO around vnet_sw_interface_supports_addressing()
Type: improvement
Signed-off-by: Pim van Pelt <pim@ipng.nl>
Change-Id: I34fc070e80af4013be58d7a8cbf64296cc760e4e
Signed-off-by: Pim van Pelt <pim@ipng.nl>
|
|
Type: fix
| src/vppinfra/vector/toeplitz.c:69:9: error: ‘kv’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
| src/vppinfra/memcpy_x86_64.h:45:17: error: ‘*((void *)&key+16)’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
| *(u8x16u *) d = *(u8x16u *) s;
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
| src/vnet/gre/interface.c:356:20: note: ‘*((void *)&key+16)’ was declared here
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I71614da2821ebda5200a0cb9437a7aad0c42fbb2
|
|
Reported by coverity
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib1db0d120321b061f4c2c20117acdfb6e7dc0626
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia32536a76aa3f92f80ee2cd027a9a010c19b861a
|
|
Type: improvement
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ie595e69af8657b0ee18a84ac71c5d433108d9ef8
|
|
So after bucket reset session can send max burst of bytes.
Also, reset pacer bucket to 0 not min burst
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Iced8948c407e6647e6eb4caff5c62c06d45ce0bf
|
|
This ensures the scheduler always tracks sessions that are descheduled,
i.e., do not have events in the old io events list. When app retries to
send, clear descheduled flag and potentially the pacer.
Consequently, transports no longer need to reset the pacer when
sessions are rescheduled after a long app tx pause.
This also fixes a tcp bug whereby the pacer was reset too often when
snd_una was equal to snd_nxt as there was no way to distinguish betwen
app tx breaks and congestion.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id3cc6c98cd76299e15030e504380dcf3c04c5189
|
|
Make sure comparison is done between two i64 values.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ief5706f2bd9415587994a5b665d5e380b8e14f68
|
|
fib_table->ft_locks
name string for parsing the ip table add|del name <tag> command
path list for ip4_specials in mfib
mfib->fib_entry_by_dst_address[0..32]
mfib entry path_ext, msrc->mfes_exts
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ia1e0cac577a73608ee1e4b1664b60a66322e81ce
|
|
Use what was provided instead of tc->bytes_acked
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0ed736d2ee247e231fccdf4a969fcf6bc15b7978
|
|
When parsing bad "create bond" command, we should call unformat_free
prior to return
Type: fix
Fixes: 9cd2d7a5a4fafadb65d772c48109d55d1e19d425
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I8f20a0e7f29de670e09633880d0aa50a51444e11
|
|
Prep for supporting multiple callbacks, optional args, etc.
Type: improvement
Change-Id: I96244c098712e8213374678623f12527b0e7f387
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I196ee5f4630cec637245493f370b5f83a939fe44
|
|
If running without sacks, if snd_una does not cover snd_congestion fast
recovery can be missed but the two heuristics from RFC6582 should avoid
that.
Also snd_congestion was used as a means of inferring if the connection
recently exited congestion while setting the persist timer but that does
not always work correctly if not congested.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I94d4ac738cdd4f7f23f62e97dd63059de1cd4af9
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1abff943f3fe3ff0219126b5b8beded4ad859758
|
|
If app was idle update start time of current congestion avoidance phase
unless tcp connection was not idle.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idf6a03a9ef96c409462de9f9cb19df609f730afe
|
|
Stay in fast recovery only if it's already on.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idcdbbacfed3e5f3c991fa293c532be1c671f5217
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5838e4c370d0c02a21b5eadb4af3baae781df097
|
|
Should estimated cwnd better with loss
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idd75d40dbab212ac0a5d533009c5540b1a58f4c4
|
|
tc->rto * TCP_TO_TIMER_TICK can return garbage if not cast to u32 and
that confuses clib_max
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
signed-off-by: Vipul Agrawal <Vipul.Agrawal@enea.com>
Change-Id: Ief4d29b9625e2ef2e75e0c7e3d731ab147465f6d
|
|
This adds a create_tap_v3 api that has a num_tx_queues
parameter allowing to create more than num_workers queues,
following on multi TX support
Type: feature
Change-Id: Idce433147e8dd165f842241d6c76e041e1b1c9b8
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Make it shorter to type, easier to debug, make adding callbacks in
future simpler.
Type: improvement
Change-Id: I6cdd6375e36da23bd452a7c7273ff42789e94433
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Previously multiple sw crypto scheduler queues per core design
caused unaverage frame processing rate for each async op ID –
the lower the op ID is the highly likely they are processed first.
For example, when a RX core is feeding both encryption and
decryption jobs of the same crypto algorithm to the queues at a
high rate, in the mean time the crypto cores have no enough
cycles to process all: the jobs in the decryption queue are less
likely being processed, causing packet drop.
To improve the situation this patch makes every core only owning
a two queues, one for encrypt operations and one for decrypt.
The queue is changed either after checking each core
or after founding a frame to process.
All crypto jobs with different algorithm are pushed to
thoses queues and are treated evenly.
In addition, the crypto async infra now uses unified dequeue handler,
one per engine. Only the active engine will be registered its
dequeue handler in crypto main.
Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Jakub Wysocki <jakubx.wysocki@intel.com>
Change-Id: I517ee8e31633980de5e0dd4b05e1d5db5dea760e
|
|
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8734c72cf15533d6614fbeb53b95c824dbd251a9
|
|
Type: refactor
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I92496501360ee073795206bde87f4731a5ce074c
|
|
the receive dpo added by tcp src-address cli do not have a valid sw_if_index ,
ip4_local_check_src() and tcp_input_lookup_buffer() will set ~0 to vnet_buffer(b)->sw_if_index[VLIB_RX],
which will cause crash in tcp46_reset_inline,
Type: fix
Signed-off-by: Mercury <mercury124185@gmail.com>
Change-Id: Ie01c31f3575e14187c6380ebcfff96fcb6098cde
|
|
Type: improvement
Change-Id: Ib39478a2e6991d721c4ba3ea61c97bfb07238016
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
fix ipv4 key uninitialized in local_endpoints_table,
which will cause transport_endpoint_cleanup() failed
to lookup the endpoint and can not delete it,
as for ipv6, clib_memcpy_fast() will change all bytes of lcl_addr
and there maybe no need to initalize,
Type: fix
Signed-off-by: Mercury <mercury124185@gmail.com>
Change-Id: I56676493a393b1d64eaa438224e256094ca75d2f
|
|
Simplifies allocation of fifos as fifo segment and segment manager
indices can be set at alloc time.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibd357b3ff0279d8deefcdcb17010b4068007ccb7
|
Benoît Ganne
Gabriel Oginski
Ofer Heifetz
Mauro Sardara
Florin Coras
Dave Wallace
Dmitry Valter
Artem Glazychev
Ed Warnicke
Paul Atkins
Dave Barach
Mohsin Kazmi
Damjan Marion
Neale Ranns
Ole Troan
Dastin Wilski
Pim van Pelt
Steven Luong
Nathan Skrzypczak
Jakub Wysocki
Mercury