| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: feature
Change-Id: Ica3e60836c0f26518ba2c238a8c03ce3648ea69b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
|
|
While setting an ACL, a user can specify the adjacency to follow after
the input ACL node. Thus, we may skip a lookup and enter directly a
local node (ex: ip4_local). To prevent the local source check from
failing, we need to specify the fib index. And, we have to do it just
before exiting the input ACL node because the l2_classify object
is overlapping with the fib_index in the vnet_buffer_opaque_t struct.
We could have added a padding to avoid this overlap but there is no
place for that in the structure.
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
|
|
Type: fix
- IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
|
|
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages.
The rate limiting is done based on src,dst IP address of the received packet.
the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
|
|
ip6_ext_hdr_chain_t->eh is IP6_EXT_HDR_MAX elements.
Type: fix
Change-Id: I28b8d610d8f5c0c520c8391c37b86e837655ab12
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
This patch removes the assert and it is unnecessary.
Because given variable is used for branch testing.
Change-Id: I64f57f909fcba205216296e86c1cde2a5dadbb45
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
Change-Id: I5dda196ab8f1b634fcac46acd5c57a6dd726759c
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I2b8b6a3b5a6df71e84ce2f15ef7117f390121c2f
|
|
Add the possibility to create masks and matches without l2 header in the
CLI when creating tables and entries. This is useful for tables working
on l3 and l4 only.
Type: improvement
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I7da9e47d810c0b4a0938e2cb3bc31aa69ace3649
|
|
Type: fix
the MTU needs to be adjusted to account for the label stack, since the size of fragments produced is stack+mtu.
these changes are to the use of the stack variable 'mtu'
most of the patch results from appeasing checkstyle.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8d0e10cf52ca4dd8ecdc224ed6c54a13e4768fdd
|
|
Type: fix
it only display the first flag set
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I45cddbac0d4eed8bda10bf5e0f7c9db0faf183c5
|
|
Use system wall-clock time for packets timestamps instead of the time
since VPP started for pcap traces.
Type: improvement
Change-Id: I716165912efe8db3a8861d5c10597dc7629d2293
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4fd7ae435514eb986543302c7e3e69e04acba8cf
|
|
Type: refactor
check for pool expansion in the DPO allocation, just in case.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6ba7dd66313630d3f24a51700ab4486ba43d856b
|
|
Type: fix
Fixes: 1cd0e5dd533f4209dde453eaa43215e52cd42985
Change-Id: I64318585fb3b12369b78735c681f3b747c67b53b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: refactor
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I3788cc857023fafcc8eb6d6ff4524425026a75d8
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5eed7dac4951f0510a4b4b092f66f44d0d3cacd
|
|
Type: fix
Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com>
Change-Id: Icfd5e3c0bb034684c7bc43be46927294536ba08a
|
|
This fixes an issue caused by session layer reading expected part of
data (cert + key) before the client actually sends it.
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I6ddddb08f9576211b302e814d7c2b040383e5fb7
|
|
- HICN project's hicn_plugin requires vnet header files
fib/fib_entry_track.h and udp/udp_encap.h to be
included in build-root/install-vpp*-*/vpp/include/vnet
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Iabd3f8fe0aee8d727758fc6ef202e859d68d63a3
|
|
Revert "vxlan: crash on configuring vxlan tunnel on l3 mode"
This reverts commit b8de7d43e4955bb4025cd0e0e7390279841b6d7d.
Reason for revert: VPP-2014
Type: fix
Fixes: b8de7d43e4955bb4025cd0e0e7390279841b6d7d
Change-Id: Ic4d10f28985ee10e0550a1bbfd465ada915e4aa6
Signed-off-by: Ed Warnicke <hagbard@gmail.com>
|
|
adj_get() crashed in worker thread. The index is valid but was freed.
0x00007fba5fb07921 in __GI_abort () at abort.c:79
0x00007fba528de7c3 in os_panic () at /development/libvpp/src/vpp/vnet/main.c:618
0x00007fba506f2a19 in debugger () at /development/libvpp/src/vppinfra/error.c:84
0x00007fba506f2797 in _clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fba521cecd9 "%s:%d (%s) assertion `%s' fails") at /development/libvpp/src/vppinfra/error.c:143
0x00007fba51d88254 in adj_get (adj_index=79) at /development/libvpp/src/vnet/adj/adj.h:472
0x00007fba51d87642 in icmp6_neighbor_solicitation_or_advertisement (vm=0x7fb9f19a0580, node=0x7fb9bb820340, frame=0x7fb9b718bc40, is_solicitation=0) at /development/libvpp/src/vnet/ip6-nd/ip6_nd.c:134
0x00007fba51d8f479 in icmp6_neighbor_advertisement (vm=0x7fb9f19a0580, node=0x7fb9bb820340, frame=0x7fb9b718bc40) at /development/libvpp/src/vnet/ip6-nd/ip6_nd.c:348
Type: fix
Signed-off-by: Rajith P R <rajith@rtbrick.com>
Change-Id: Ibe29854137ee9680f7947450eb7e256b8c0ade31
|
|
mpls fib DB size was 2^20 instead of intended 2^21.
Therefore large mpls labels caused DB to overflow and write
to other tables or some random objects. Or crash with ASAN.
Sometimes.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I6db65680037a266fe47e8213464a0c16de63c06c
|
|
Type: improvement
remove the [un]lock logs, they are not useful.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I903d3088b8ed9831f931208aeb6b6862a945550c
|
|
This is required after distinguishing between max_frame_size and MTU
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Ie642bee4e30ca76903bb8be5eeb6914c2c09bf35
|
|
Originally after remove the policy entry in spd, macro "vec_del1"
can change localization of the last entry in vector and finally the
entry list has not been sorted.
This patch fixes this issue by change executed macro "vec_delete"
instead of "vec_del1".
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I396591cbbe17646e1d243aedb4cdc272ed4d5e25
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5e6d0e8c686ea93674d6201c38b3a4d1c4786a5
|
|
Type: refactor
To be consistent with the location of the IPv4 responder
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3a5c3ecc10755317591d7ff57b74770c2798e77
|
|
Type: improvement
Ethernet frames on the wire are a minimum of 64 bytes, so use the length in the UDP header to determine if the ESP payload is one bytes of the special SPI, rather than the buffer's size (which will include the ethernet header's padding).
In the case of drop advance the packet back to the IP header so the ipx-drop node sees a sane packet.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic3b75487919f0c77507d6f725bd11202bc5afee8
|
|
Type: improvement
When the adj subsystem is notified of a BFD session, it attempts to find the appropriate adjacency from the session's key.
This could lead to a mismatch between the adj used by BFD and that of FIB. The BFD session stores the adj it is using, so FIB uses that instead.
Since adj is now using the same adj as BFD, it does not need to maintain its own locks.
In BFD it is necessary to initialise the adj index used in INVALID and ensure it is not unlock before listeners are notified of the session delete.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I9630867b10bb18969475299a0c754942a8df0f44
|
|
Type: fix
The adjacency used is then the same one as that used by routes in the FIB and so the BFD protection/fast-failover works for thise route, since they are children of the BFD protected adjacency.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I72e10b3074697cba8a002a4c1acf690983985157
|
|
When the ipfix address was changed to be an ip_address instead of
an ip4_address the output when creating an exporter via the cli
should have been modified to take the address of the v4 part of
the addr.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I141456cd9092c861a4c4aefba4035dbde23efcd6
|
|
Fix for the crash when both crypto_native_plugin and DPDK QAT
are enabled in startup conf.
Type: fix
Signed-off-by: mgovind <govindarajan.mohandoss@arm.com>
Change-Id: Ib020ed7130a99080a093c70c06d47bcacd6d23b1
|
|
Type: refactor
IP4 does not depend on TCP (it's the other way around).
This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
|
|
Add udp total session counts - as stat segment entries:
/bfd/udp4/sessions
/bfd/udp6/sessions
and per session packet/byte counters:
/bfd/rx-session-counters
/bfd/rx-session-echo-counters
/bfd/tx-session-counters
/bfd/tx-session-echo-counters
These counters are per-thread and per-session id.
Adjust tests to verify proper function.
Type: refactor
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ie597928022b6ac74c2220019b9e8e1714295f170
|
|
This change fixes multiple unused parameter warnings, narrowing
conversion warnings and identical switch statement warnings.
Type: refactor
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I4140e939c409ce06cc5aaaf5e1b042681f7ca448
|
|
Type: fix
Signed-off-by: Rajith P R <rajith@rtbrick.com>
Change-Id: I8c9c85081c27bfe7ee71b5b620a2a761e027789c
|
|
Makes it similar to connects.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I38c328670054e1a9ba4dc4ea8fe7519a5a09e8be
|
|
Special bitmaps with VLIB_FRAME_SIZE bits.
Type: improvement
Change-Id: I48747e422e519e7b5e930fa720397459d3adbb8e
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: test
The FIB UT fails in debug mode because there is no string associated woth its fib_node_type_t.
Change the tests to register their own type, which will give it a name.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I36e546718faa7241c088494cbae10939aca51d5a
|
|
Half-opens are only allocated from main with worker barrier but can be
cleaned up, i.e., session_half_open_free, from main without a barrier.
In debug images, the free_bitmap can grow while workers peek the
sessions pool, e.g., session_half_open_migrate_notify, and as a result
crash while validating the session. To avoid, proactively grow bitmap in
debug images.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2410793f933fb638651fe8dc08ba78e9bee0bd77
|
|
ip6 and mpls fib_table->ft_locks memory leaked when the table is
deleted.
name tag is leaked for mpls table parsing.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ife68c0ddc3a6f9437a149b308310f042799c2116
|
|
Type: improvement
helps keep the agents stateless
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3588f13c081e24f5a8083b490eb02856361e4ccb
|
|
IGMP packets with Router Alert option are delivered to ip4-local
without going through ip4-lookup. Make sure fib_index is initialized
properly.
Type: fix
Change-Id: Iab090a33c4c759b6d7f68c28a0b3f4da7a9de864
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Also reset send params flags before calling transports to avoid explicit
resets in all transports.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1da7b3fab009728e7fee4199425ced933fa8a122
|
|
This also changes the behavior of the nat44-ei hairpinning feature.
Rather then enabling the feature on every nat interface, it is enabled
only on local0.
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
|
|
The BFD delayed auth change test was failing intermittently within CI.
Debugging has shown it depends on the initial random seed, e.g. the below
will consistently fail:
RND_SEED=1643734669.7126195 TEST='bfd.BFDAuthOnOffTestCase.test_auth_change_key_delayed'
Same thing will happen with:
RND_SEED=1643736595.1363552
RND_SEED=1643722239.8224792
The analysis of the behavior shown that the function that is doing the hash verification,
modifies the content of the packet for the purposes of hash computation.
In case of the auth rollover, this function may be called twice - resulting in the second
comparison to be made with a bogus packet data, thus failing the check and the test.
The above values of random seed are the ones where the test makes it
to the point of this double comparison.
The solution is to restore the data within the packet after the check from the array
where we have copied it into before modifying the packet.
Change-Id: Ibb09beb4b1230032db04527bbf38fa335651866b
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I3265d4a3843b07c2e0050e297f1e014fc5b31cf7
|
|
Coverity complains the expression, j % vif->num_txq, may encounter
divide by zero. While there is little chance that vif->num_txq is
zero, it is easy to prevent divide by zero if vif->num_txq is ever
zero.
Type: fix
Fixes: I337ec63d0868f665329d68eadf1744e080b73a0d
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I2e91f296737ce266ab70fffc1f442cc600724fa2
|
Benoît Ganne
Zachary Leaf
Arthur de Kerhor
Neale Ranns
Mohsin Kazmi
Florin Coras
Saravanan Murugesan
Filip Tehlar
Dave Wallace
Ed Warnicke
Rajith P R
Dmitry Valter
Artem Glazychev
Gabriel Oginski
Paul Atkins
mgovind
Klement Sekera
Damjan Marion
Steven Luong
Andrew Yourtchenko