| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: fix
Fixes: c4c205b091934d96a173f4c0d75ef7e888298ac7
Change-Id: I110729601a9f19451297883b781ec56e2b31465b
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
(cherry picked from commit 4332082093c267818899476d563c73298a491014)
|
|
In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).
The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.
This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.
Check whether each packet should be dropped instead of only checking
when a new SA is encountered.
Update unit tests:
- Add a test for no algs on tunnel interface which enables
asynchronous crypto.
- Send more than one packet in the tests for no algs.
Type: fix
Fixes: dac9e566cd16fc375fff14280b37cb5135584fc6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf
(cherry picked from commit ff71939c30ae81241808da1843e82cf2dfa92344)
|
|
Type: improvement
The vnet buffer metadata for full IP reassembly and shallow virtual
reassembly overlaps. If you have full reassembly and virtual reassembly
enabled on the same interface and virtual reassembly happens to process
packets first, full reassembly will stomp on the metadata populated by
virtual reassembly.
Virtual reassembly gets enabled implicitly when NAT feature nodes
are enabled. Those NAT feature nodes rely on the virtual reassembly
metadata being populated correctly in order to find L4 proto & ports.
When NAT and IP full reassembly are both enabled on an interface, NAT
can drop fragmented packets because the virtual reassembly metadata
can be overwritten by full reassembly.
Ensure that full reassembly runs before virtual reassembly. Add a
runs_before dependency to ensure that ip4-full-reassembly-feature
runs before ip4-sv-reassembly-feature.
There was a duplicate VNET_FEATURE_INIT() for
ip4-full-reassembly-feature. It seems to have been intended for enabling
ip4-full-reassembly-custom as a feature node, but its contents are
identical to the earlier VNET_FEATURE_INIT() for
ip4-full-reassembly-feature. Removed the duplicate.
Change-Id: Ie600b854d4ceb90a7cb736810140d410b8f72447
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
(cherry picked from commit 205ed8f8845a8ea36f38ed29df158a5a07c2e2c3)
|
|
Make sure ctx is initialized before ho is marked as done.
Type: fix
Change-Id: If0525a9890a56e289e2ab006c669a9d64dc6505d
Signed-off-by: Florin Coras <fcoras@cisco.com>
(cherry picked from commit 0ded4890beaa3aa1f36c61ff6125d19582b25391)
|
|
Type: fix
Change-Id: I8cfaa62abd38d5356263b0ffd428638d1a027617
Signed-off-by: Florin Coras <fcoras@cisco.com>
(cherry picked from commit 3efcbaf3b1119b4312ae1f3a1c59dea2d746bec4)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I40345d635b8067dcffbbdd39d0a5b0c0934a6d54
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0a0d0b8721f5a15da47c7ac0e58cd50e159b2f54
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3d44ff851da00573343e15712284af3b9c3912e3
|
|
Avoid situations when notifications are delayed for long enough for
transports to start closing/cleaning up.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id35b0099adb5242108154a5e19d5ee15e6ca0058
|
|
debug+asan build will fail on initialisation when loglevel==debug
Type: fix
Fixes: 1cd0e5dd533f4209dde453eaa43215e52cd42985
Change-Id: I2005ebf9b95ec3b753c4e6d29337be460c77ffed
Signed-off-by: Georgy Borodin <bor1-go@yandex-team.ru>
|
|
Type: fix
Change-Id: Icdc9d1c8b7b29827ce17920dae64a365bb8a4e40
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: fix
Change-Id: I9c48b163f174b824df1a76e75c272dc985386bf2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
One less pointer chase when accepting sessions.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I20dbb21d15d4a703f76e3b12f04a6f5b5d2a3cd8
|
|
Adds support for connectionless listener port reuse. Until now, cl
listeners had fifos allocated to them and therefore only one app worker
could ever listen, i.e., a session cannot have multiple fifos.
To circumvent the limitation, this separates the fifos from the listener
by allocating new cl sessions for each app worker that reuses the app
listener. Flows are hashed to app worker cl sessions but, for now, this
is not a consistent/fixed hash.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic6533cd47f2765903669f88c288bd592fb17a19e
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia98556e7ae61547cf153c78ec085cd4248bee74a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0bb6aba26f1cd974d6bb3b5fe6234aacfee0d30c
|
|
Incase the ack for the fin is lost twice or want to dup ack
packets with incorrect ack/seq # at different times and
session state is already closed, this fifo event is set for
the first ack that went out and prevents queuing of further events.
Type: fix
Change-Id: I102019fca26918a51e055a751db7209011bd43ad
Signed-off-by: emmanuel <emmanuelscaria11@gmail.com>
|
|
Change-Id: Ia9fa6fab6288b4d0876022e72bf4f49bd00a19d2
Type: improvement
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This patch allows the formatting of deleted Load-balancer
objects. This is needed in the case a trace references a DPO
that went away in the interim.
Type: improvement
Change-Id: I6d67519b8d62f69aafde3c8fe3065bc85a7adbde
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
In the API there is a difference between enum and enumflags.
The latter one allowing multiple set entitires, while enum
only allows one.
Type: fix
Change-Id: I5db88c15c85fc6c7130b7b35febcd1ea02ef8f76
Signed-off-by: Ole Troan <otroan@employees.org>
|
|
Type: improvement
Change-Id: Iebf9ee8275a92e962679e3d0d22d33ed0bd8b3ab
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0e58bb970d371818217390d451cf26925b04970f
|
|
Change-Id: I7ac5693ca547fe7249e7b6297bade70a6052b169
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
If ho cleans up on first worker before owner of established session
receives connected notification, the ho session is prematurely cleaned
up.
Wait for established ctx to be allocated before freeing ho.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Icf707e5d8c62a288a49d078460d2ada3b5c41b0e
|
|
Type: feature
Change-Id: I7b29c71d3d053af9a53931aa333484bf43a424ca
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: BenoƮt Ganne <bganne@cisco.com>
|
|
Type: improvement
Change-Id: I7972f595444eacdb020f3fa2a60331c40766fc0b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This patch prevents the sw interfaces format
function to fail when the interface was deleted.
It also prints the swifindex alongside the 'DELETED'
keyword.
Printing deleted swifindex should not happen, but it is still
helpful to have these safeguards for troubleshooting in the case
invariants get corrupted (e.g. fib entry refcounts, ...)
Type: improvement
Change-Id: I66711049db2eebe0ad17e37c3a260ac81d1e5134
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
The hit_count does not implement the corresponding processing logic, and here the missing is fixed
Type: fix
Fixes: missing
Change-Id: I04a8e11d6b48c2a15c371cbeb2467fa89a9d82bb
Signed-off-by: yanlong <dyl_wlc@163.com>
|
|
Type: improvement
Change-Id: I2acab04ddb6a46a637ed17c683fb37ed7bce3df6
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Coverity report.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3ce06634b30688d2a9581b50d462092daa8b4cac
|
|
Type: fix
Change-Id: I982ef624226807d7c263e3ff83c108f7d31f61f1
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
|
|
Checkstyle also forces the new indentation.
Type: fix
Fixes: ddf6cec37027547ff7cc61e15bb8080664d41514
Change-Id: Ife96928d6ca30ba94e1c423d557d6ed9d68eca2b
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
With socket api, applications should not expect reply after worker del
msg. VCL in particular closes the socket after it enqueues the message.
Found by ASAN.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1be02a0cde6b96a96edb709f3fe30bbc01ff2d24
|
|
We might have less than 1 mss when attempting write but more after
write, as application could be actively enqueuing more data. Relax
assert.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I54a83c4460f8e022a88758f0ebd7828df711dbb9
|
|
Type: fix
Fixes: 38c6191
Change-Id: I7760947986dc56236f2494fb1c8c238321489ef6
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
During recovery, send unsent data even if less than mss available as
application is not guaranteed to provide more.
This should speed up recovery when all data in flight was lost.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7a3c73a0d04d93d51a5910d85450c173c3ad8e93
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2925134cfcfa36c14b3b69efa892b9b96fce2e6f
|
|
fix asan failure when params number is less then 3:
functions that are set as format_half_open pointer values have
different number of arguments
Type: fix
Fixes: de9a849a18514f0b09bb5f57a73f6a57ee425c76
Change-Id: I6b6e1adf4ffc0c1ec847613f00fe269af640d42b
Signed-off-by: Georgy Borodin <bor1-go@yandex-team.ru>
|
|
Properly set type
path->fp_type = FIB_PATH_TYPE_SPECIAL
for paths with (path->fp_cfg_flags & FIB_PATH_CFG_FLAG_DROP)
Type: fix
Change-Id: Id61dbcda781d872b878e6a6410c05b840795ed46
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
|
|
When a periodic BFD packet cannot be sent because the interface is
disabled, the allocated buffer needs to be freed. This currently will
occur for IPv4 sessions. However, buffers will leak for IPv6 sessions as
in this case, bfd_transport_control_frame() and bfd_transport_udp6()
will not indicate failure.
With this fix, stop always returning success in bfd_transport_udp6() and
start returning the actual return value.
Type: fix
Change-Id: I5fa4d9206e32cccae3053ef24966d80e2022fc81
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: improvement
Change-Id: Ia8d7cd6ff9b1449d986d514d9556cbf803deb670
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: improvement
Change-Id: I9ecbf705d460a1744f36c7005b08097dc58d9522
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Fixes: 69768d9
Change-Id: Iafd3a55634583f2799a81c477ccbf5e53b6f29d0
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Make sure ct client segment handles do not collide if multi worker
application establishes cut-through sessions to only one server segment
manager.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I905379f9ed73c64d57a826a3e97d53dab3a87517
|
|
The previous change made CSIT virtio tests fail,
but those tests are not part of trending.
Ticket: VPP-2088
Type: fix
Fixes: a181eaa59bb2ff2784376918e95bbf92e5340db1
Change-Id: If0439a030c051894e07007da9cf0a2e4dc1434c3
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I96bff47206ef64ea7369ae92e1b9ff1f74dfd71b
|
|
Apps may drain fifos prior to handling of accept notification, e.g.,
vcl session relying on epoll lt mode.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7d105d35a6bf33c419f4f137a5132e6a5d294fe7
|
|
Type: fix
In esp_encrypt_inline(), an index and pointer to the last processed SA
are stored. If the next packet uses the same SA, we defer on updating
counters until a different SA is encountered.
The pointer was being retrieved, then the SA was checked to see if the
packet should be dropped due to no crypto/integ algs, then the index was
updated. If the check failed, we would skip further processing and now
the pointer refers to a different SA than the index. When you have a
batch of packets that are encrypted using an SA followed by a packet
which is dropped for no algs and then more packets to be encrypted using
the original SA, the packets that arrive after the one that was dropped
end up being processed using a pointer that refers to the wrong SA data.
This can result in a segv.
Update the current_sa_index at the same time that the sa0 pointer is
updated.
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I65f1511a37475b4f737f5e1b51749c0a30e88806
|
|
Type: improvement
Change-Id: I74fb01061b4949d68ec39d0b7d08e6df8dc44b98
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: I26124a50d8e05d6f01a2e6dbc4bc8183fb5a09c4
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
Vratko Polak
Matthew Smith
Florin Coras
Georgy Borodin
emmanuel
Damjan Marion
Nathan Skrzypczak
Ole Troan
Mohammed Hawari
Arthur de Kerhor
yanlong
Dengfeng Liu
Alexander Skorichenko
Alexander Chernavin