summaryrefslogtreecommitdiffstats
path: root/src/vnet
AgeCommit message (Collapse)AuthorFilesLines
2022-03-08ipsec: input: drop by default for non-matching pktsZachary Leaf1-0/+14
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule. For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480 It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped. [1]: https://datatracker.ietf.org/doc/html/rfc4301 Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
2022-03-08ip: set fib_index before exiting input ACL nodeArthur de Kerhor1-40/+75
While setting an ACL, a user can specify the adjacency to follow after the input ACL node. Thus, we may skip a lookup and enter directly a local node (ex: ip4_local). To prevent the local source check from failing, we need to specify the fib index. And, we have to do it just before exiting the input ACL node because the l2_classify object is overlapping with the fib_index in the vnet_buffer_opaque_t struct. We could have added a padding to avoid this overlap but there is no place for that in the structure. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
2022-03-07ip: Fixes for IPv6 and MPLS fragmentationNeale Ranns2-52/+76
Type: fix - IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer - IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places - IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local - IPv6oMPLS should send back TooBig ICMP6 for non locally generated Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
2022-03-04ip: rate-limit the sending of ICMP error messagesNeale Ranns2-2/+58
Type: improvement For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages. The rate limiting is done based on src,dst IP address of the received packet. the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
2022-03-04ip: fix overflow in ip6_ext_header_walkBenoît Ganne1-1/+1
ip6_ext_hdr_chain_t->eh is IP6_EXT_HDR_MAX elements. Type: fix Change-Id: I28b8d610d8f5c0c520c8391c37b86e837655ab12 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-04pg: fixing the cliMohsin Kazmi1-2/+0
Type: fix This patch removes the assert and it is unnecessary. Because given variable is used for branch testing. Change-Id: I64f57f909fcba205216296e86c1cde2a5dadbb45 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2022-03-04pg: add support for ip mode through cliMohsin Kazmi1-2/+8
Type: improvement Change-Id: I5dda196ab8f1b634fcac46acd5c57a6dd726759c Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2022-03-04ipfix-export: fix the warning message for uninitialized variableMohsin Kazmi1-2/+2
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I2b8b6a3b5a6df71e84ce2f15ef7117f390121c2f
2022-03-04classify: skip l2 header in CLIArthur de Kerhor1-14/+50
Add the possibility to create masks and matches without l2 header in the CLI when creating tables and entries. This is useful for tables working on l3 and l4 only. Type: improvement Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: I7da9e47d810c0b4a0938e2cb3bc31aa69ace3649
2022-03-04mpls: Fix the fragmentation in mpls-output.Neale Ranns1-84/+80
Type: fix the MTU needs to be adjusted to account for the label stack, since the size of fragments produced is stack+mtu. these changes are to the use of the stack variable 'mtu' most of the patch results from appeasing checkstyle. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8d0e10cf52ca4dd8ecdc224ed6c54a13e4768fdd
2022-03-04tunnel: Fix the format of tunnel flagsNeale Ranns1-10/+17
Type: fix it only display the first flag set Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I45cddbac0d4eed8bda10bf5e0f7c9db0faf183c5
2022-03-03vnet: use system time for pcap traceBenoît Ganne1-0/+1
Use system wall-clock time for packets timestamps instead of the time since VPP started for pcap traces. Type: improvement Change-Id: I716165912efe8db3a8861d5c10597dc7629d2293 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-03session: improve tx tracingFlorin Coras1-10/+10
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4fd7ae435514eb986543302c7e3e69e04acba8cf
2022-03-03ip: Path MTU DPO allocation function is publicNeale Ranns2-7/+23
Type: refactor check for pool expansion in the DPO allocation, just in case. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6ba7dd66313630d3f24a51700ab4486ba43d856b
2022-03-02tap: fix tun set mtuBenoît Ganne1-1/+1
Type: fix Fixes: 1cd0e5dd533f4209dde453eaa43215e52cd42985 Change-Id: I64318585fb3b12369b78735c681f3b747c67b53b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-01virtio: refactor codeMohsin Kazmi19-355/+351
Type: refactor Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I3788cc857023fafcc8eb6d6ff4524425026a75d8
2022-02-28tls: handle read write ssl errorsFlorin Coras2-0/+11
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5eed7dac4951f0510a4b4b092f66f44d0d3cacd
2022-02-28tls: Receive only when the app_session is availableSaravanan Murugesan1-0/+5
Type: fix Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com> Change-Id: Icfd5e3c0bb034684c7bc43be46927294536ba08a
2022-02-24session: fix session layer socket readFilip Tehlar1-2/+27
This fixes an issue caused by session layer reading expected part of data (cert + key) before the client actually sends it. Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I6ddddb08f9576211b302e814d7c2b040383e5fb7
2022-02-23build: export missing header files required by hicn_pluginDave Wallace1-0/+2
- HICN project's hicn_plugin requires vnet header files fib/fib_entry_track.h and udp/udp_encap.h to be included in build-root/install-vpp*-*/vpp/include/vnet Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iabd3f8fe0aee8d727758fc6ef202e859d68d63a3
2022-02-22vxlan: crash on assigning IP address to interfaceEd Warnicke2-8/+6
Revert "vxlan: crash on configuring vxlan tunnel on l3 mode" This reverts commit b8de7d43e4955bb4025cd0e0e7390279841b6d7d. Reason for revert: VPP-2014 Type: fix Fixes: b8de7d43e4955bb4025cd0e0e7390279841b6d7d Change-Id: Ic4d10f28985ee10e0550a1bbfd465ada915e4aa6 Signed-off-by: Ed Warnicke <hagbard@gmail.com>
2022-02-22fib: fix adj_get crashRajith P R1-1/+1
adj_get() crashed in worker thread. The index is valid but was freed. 0x00007fba5fb07921 in __GI_abort () at abort.c:79 0x00007fba528de7c3 in os_panic () at /development/libvpp/src/vpp/vnet/main.c:618 0x00007fba506f2a19 in debugger () at /development/libvpp/src/vppinfra/error.c:84 0x00007fba506f2797 in _clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fba521cecd9 "%s:%d (%s) assertion `%s' fails") at /development/libvpp/src/vppinfra/error.c:143 0x00007fba51d88254 in adj_get (adj_index=79) at /development/libvpp/src/vnet/adj/adj.h:472 0x00007fba51d87642 in icmp6_neighbor_solicitation_or_advertisement (vm=0x7fb9f19a0580, node=0x7fb9bb820340, frame=0x7fb9b718bc40, is_solicitation=0) at /development/libvpp/src/vnet/ip6-nd/ip6_nd.c:134 0x00007fba51d8f479 in icmp6_neighbor_advertisement (vm=0x7fb9f19a0580, node=0x7fb9bb820340, frame=0x7fb9b718bc40) at /development/libvpp/src/vnet/ip6-nd/ip6_nd.c:348 Type: fix Signed-off-by: Rajith P R <rajith@rtbrick.com> Change-Id: Ibe29854137ee9680f7947450eb7e256b8c0ade31
2022-02-22fib: fix mpls db label overflowDmitry Valter1-1/+1
mpls fib DB size was 2^20 instead of intended 2^21. Therefore large mpls labels caused DB to overflow and write to other tables or some random objects. Or crash with ASAN. Sometimes. Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I6db65680037a266fe47e8213464a0c16de63c06c
2022-02-18fib: Use the VLIB logger for adjacency debuggingNeale Ranns2-13/+13
Type: improvement remove the [un]lock logs, they are not useful. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I903d3088b8ed9831f931208aeb6b6862a945550c
2022-02-18vnet: add set_max_frame_size callbacks for several interfacesArtem Glazychev2-0/+18
This is required after distinguishing between max_frame_size and MTU Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: Ie642bee4e30ca76903bb8be5eeb6914c2c09bf35
2022-02-18ipsec: fix vector after remove entry in spdGabriel Oginski1-1/+1
Originally after remove the policy entry in spd, macro "vec_del1" can change localization of the last entry in vector and finally the entry list has not been sorted. This patch fixes this issue by change executed macro "vec_delete" instead of "vec_del1". Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I396591cbbe17646e1d243aedb4cdc272ed4d5e25
2022-02-17tls http srtp: fix session index for listenersFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5e6d0e8c686ea93674d6201c38b3a4d1c4786a5
2022-02-17ip: Move the IPv6 echo responder into the ping pluginNeale Ranns1-187/+0
Type: refactor To be consistent with the location of the IPv4 responder Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3a5c3ecc10755317591d7ff57b74770c2798e77
2022-02-17ipsec: Improve the handling of NAT-T keepalive messagesNeale Ranns1-8/+21
Type: improvement Ethernet frames on the wire are a minimum of 64 bytes, so use the length in the UDP header to determine if the ESP payload is one bytes of the special SPI, rather than the buffer's size (which will include the ethernet header's padding). In the case of drop advance the packet back to the IP header so the ipx-drop node sees a sane packet. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ic3b75487919f0c77507d6f725bd11202bc5afee8
2022-02-16fib: Use the same adjacency that BFD is usingNeale Ranns3-30/+31
Type: improvement When the adj subsystem is notified of a BFD session, it attempts to find the appropriate adjacency from the session's key. This could lead to a mismatch between the adj used by BFD and that of FIB. The BFD session stores the adj it is using, so FIB uses that instead. Since adj is now using the same adj as BFD, it does not need to maintain its own locks. In BFD it is necessary to initialise the adj index used in INVALID and ensure it is not unlock before listeners are notified of the session delete. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I9630867b10bb18969475299a0c754942a8df0f44
2022-02-16bfd: On a point to point link use the all zeros address for the peer.Neale Ranns1-8/+12
Type: fix The adjacency used is then the same one as that used by routes in the FIB and so the BFD protection/fast-failover works for thise route, since they are children of the BFD protected adjacency. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I72e10b3074697cba8a002a4c1acf690983985157
2022-02-16ipfix-export: pass ipv4 addr to format fn for showPaul Atkins1-3/+4
When the ipfix address was changed to be an ip_address instead of an ip4_address the output when creating an exporter via the cli should have been modified to take the address of the v4 part of the addr. Type: fix Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: I141456cd9092c861a4c4aefba4035dbde23efcd6
2022-02-16crypto: Fix for the crash in cryptomgovind1-0/+4
Fix for the crash when both crypto_native_plugin and DPDK QAT are enabled in startup conf. Type: fix Signed-off-by: mgovind <govindarajan.mohandoss@arm.com> Change-Id: Ib020ed7130a99080a093c70c06d47bcacd6d23b1
2022-02-15tcp: Do not include the tcp_packet.h file in the ip4_packet.hNeale Ranns12-97/+106
Type: refactor IP4 does not depend on TCP (it's the other way around). This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
2022-02-14bfd: add per session countersKlement Sekera4-28/+128
Add udp total session counts - as stat segment entries: /bfd/udp4/sessions /bfd/udp6/sessions and per session packet/byte counters: /bfd/rx-session-counters /bfd/rx-session-echo-counters /bfd/tx-session-counters /bfd/tx-session-echo-counters These counters are per-thread and per-session id. Adjust tests to verify proper function. Type: refactor Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Ie597928022b6ac74c2220019b9e8e1714295f170
2022-02-14bfd: refactor code to fix misc warningsKlement Sekera3-131/+110
This change fixes multiple unused parameter warnings, narrowing conversion warnings and identical switch statement warnings. Type: refactor Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I4140e939c409ce06cc5aaaf5e1b042681f7ca448
2022-02-14fib: fix incorrect display of mpls fib_indexRajith P R1-1/+1
Type: fix Signed-off-by: Rajith P R <rajith@rtbrick.com> Change-Id: I8c9c85081c27bfe7ee71b5b620a2a761e027789c
2022-02-10session: use transport endpoint cfg for listenFlorin Coras7-10/+10
Makes it similar to connects. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I38c328670054e1a9ba4dc4ea8fe7519a5a09e8be
2022-02-10vlib: vlib frame bitmapsDamjan Marion1-5/+3
Special bitmaps with VLIB_FRAME_SIZE bits. Type: improvement Change-Id: I48747e422e519e7b5e930fa720397459d3adbb8e Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-02-10tests: Fix the FIB UTNeale Ranns1-2/+1
Type: test The FIB UT fails in debug mode because there is no string associated woth its fib_node_type_t. Change the tests to register their own type, which will give it a name. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I36e546718faa7241c088494cbae10939aca51d5a
2022-02-10session: avoid debug half-open session pool contentionFlorin Coras1-0/+11
Half-opens are only allocated from main with worker barrier but can be cleaned up, i.e., session_half_open_free, from main without a barrier. In debug images, the free_bitmap can grow while workers peek the sessions pool, e.g., session_half_open_migrate_notify, and as a result crash while validating the session. To avoid, proactively grow bitmap in debug images. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2410793f933fb638651fe8dc08ba78e9bee0bd77
2022-02-09fib: ip6 and mpls fib_table memory leaks on fib_table->ft_locksSteven Luong3-2/+5
ip6 and mpls fib_table->ft_locks memory leaked when the table is deleted. name tag is leaked for mpls table parsing. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ife68c0ddc3a6f9437a149b308310f042799c2116
2022-02-09bfd: Add an update API that has create new or modify existing semanticsNeale Ranns4-22/+120
Type: improvement helps keep the agents stateless Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3588f13c081e24f5a8083b490eb02856361e4ccb
2022-02-07igmp: make sure fib_index is set before delivering to ip4-localBenoît Ganne1-0/+2
IGMP packets with Router Alert option are delivered to ip4-local without going through ip4-lookup. Make sure fib_index is initialized properly. Type: fix Change-Id: Iab090a33c4c759b6d7f68c28a0b3f4da7a9de864 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-02-05session: track bytes dequeued in snd paramsFlorin Coras3-4/+6
Also reset send params flags before calling transports to avoid explicit resets in all transports. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I1da7b3fab009728e7fee4199425ced933fa8a122
2022-02-03ip nat: use ip rx sw_if_index in ip-local arc startFlorin Coras2-9/+8
This also changes the behavior of the nat44-ei hairpinning feature. Rather then enabling the feature on every nat interface, it is enabled only on local0. Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
2022-02-02bfd: restore the data within the packet after hash verificationAndrew Yourtchenko1-0/+5
The BFD delayed auth change test was failing intermittently within CI. Debugging has shown it depends on the initial random seed, e.g. the below will consistently fail: RND_SEED=1643734669.7126195 TEST='bfd.BFDAuthOnOffTestCase.test_auth_change_key_delayed' Same thing will happen with: RND_SEED=1643736595.1363552 RND_SEED=1643722239.8224792 The analysis of the behavior shown that the function that is doing the hash verification, modifies the content of the packet for the purposes of hash computation. In case of the auth rollover, this function may be called twice - resulting in the second comparison to be made with a bogus packet data, thus failing the check and the test. The above values of random seed are the ones where the test makes it to the point of this double comparison. The solution is to restore the data within the packet after the check from the array where we have copied it into before modifying the packet. Change-Id: Ibb09beb4b1230032db04527bbf38fa335651866b Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-02-01gso: remove the assert if packet is geneve or gre encapedMohsin Kazmi1-4/+0
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I3265d4a3843b07c2e0050e297f1e014fc5b31cf7
2022-02-01virtio: coverity woes -- divide by zeroSteven Luong1-0/+7
Coverity complains the expression, j % vif->num_txq, may encounter divide by zero. While there is little chance that vif->num_txq is zero, it is easy to prevent divide by zero if vif->num_txq is ever zero. Type: fix Fixes: I337ec63d0868f665329d68eadf1744e080b73a0d Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I2e91f296737ce266ab70fffc1f442cc600724fa2
2022-01-31ip: reassembly - add a way to disable for forusKlement Sekera11-34/+305
Add API to disable full reassembly of "forus" packets. Mark packets passing through ip[4|6]-local nodes with a new buffer flag and check for that flag in reassembly. Enable IP6 "forus" full reassembly by default to be consistent with existing IP4 setting. Type: improvement Change-Id: I7067792fcd4304182654237968e4c4d9293c6143 Signed-off-by: Klement Sekera <ksekera@cisco.com>