path: root/src/vnet
Age | Commit message | Author | Files | Lines
2017-02-17 | BFD: put session admin-up/admin-down | Klement Sekera | 1 | -12/+12
Change-Id: I7d8889dce8495607106593ad83320c9af0f2fa07 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-17 | Implemented IKEv2 initiator features: | Radu Nicolau | 13 | -186/+2180
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKE SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
    ikev2 profile set <id> responder <interface> <addr>
    ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
    ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
    ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
    ikev2 initiate sa-init <profile id>
to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
    ikev2 profile set <id> responder <interface> <addr>
    ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
    ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
    ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
    ikev2 initiate sa-init <profile id>
    ikev2 initiate del-child-sa <child sa ispi>
    ikev2 initiate del-sa <sa ispi>
    ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
    ikev2 profile add pr1
    ikev2 profile set pr1 auth shared-key-mic string Vpp123
    ikev2 profile set pr1 id local fqdn vpp.home.responder
    ikev2 profile set pr1 id remote fqdn vpp.home.initiator
    ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
    ikev2 profile add pr1
    ikev2 profile set pr1 auth shared-key-mic string Vpp123
    ikev2 profile set pr1 id local fqdn vpp.home.initiator
    ikev2 profile set pr1 id remote fqdn vpp.home.responder
    ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
    ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
    ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
    ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-02-17 | ipsec: changed ipsec-input-ip6 node to be a sibling of ipsec-input-ip4, fixes a problem that occurs with cryptodev ipv6 input. | Radu Nicolau | 1 | -6/+1
Change-Id: I1f0c0db45b2aabc243dd785c8d5d5ef990cac903 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-02-17 | l2 input: avoid per-packet trace checks in the fast path | Dave Barach | 4 | -25/+54
Change-Id: Ib0c8572773499d8dd4d81b3a565c24412ccc3510 Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-17 | dpdk: quad loop and prefetch in fill_free_list | Damjan Marion | 1 | -15/+71
Change-Id: I19ec3b769b6512f7408044751393d9faf10d01d5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-16 | Add NSH load-balance and drop DPO | Florin Coras | 5 | -15/+148
Also adds missing gpe nsh address type functions. Change-Id: I3353a23c0518da9ce3b221ddf8c5bd0364930154 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-16 | Fix NSH-LISP interface addition | Florin Coras | 1 | -15/+16
Change-Id: I3925d2ebb2d26c676fc61f118d25bdf7fd522f26 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-16 | Fix crash on deleting previously activated IPv6 interface - VPP-636 | Wojciech Dec | 1 | -0/+4
RADV Pool index was not getting updated Change-Id: I2d2f14c56f51034d39049d1c7e13c248180a865f Signed-off-by: Wojciech Dec <wdec@cisco.com>
2017-02-16 | LISP: minor enhancements | Filip Tehlar | 1 | -13/+13
* use RLOC for IP version detection
* don't check whether RLOC is local when deleting
Change-Id: Icdb84025dd5511eb5348b654bf7b373def15406c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-15 | LISP: fix deleting src/dst entry from GID dictionary | Filip Tehlar | 2 | -5/+24
Change-Id: Ic674cc953b45ddd4811e07821e1a0af28b5f6214 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-15 | BFD: loop back echo packets | Klement Sekera | 4 | -38/+247
Change-Id: I772b63ac25ebfccaff9ab9d8d0b1445e85f21df7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-15 | Fix bug in definition of tcp_header_t | Juraj Sloboda | 1 | -1/+4
Change-Id: Ic814b805ef77913ffe86f82c009602c75258acfb Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-02-14 | VPP-279: Document changes for vnet/vnet/devices | Billy McFall | 2 | -52/+210
Add doxygen documentation for pcap tx trace CLI command. In the process of adding the documentation, made the following changes to the way the command worked:
* If there is an error with any of the attributes, the whole command fails. The existing behavior was to apply attribute by attribute, then bail if there was an issue, with partial apply.
* Move the 'on' processing to the end. The existing behavior was to process the 'on' as it was encountered on the commandline. That meant that any attributes after the 'on' in the commandline were saved and displayed, but not really being used in the packet trace.
* Enhanced the 'status' to show all the configured attributes.
NOTE: The packet capture has some weird behavior with regards to how many packets are written to file and if the file is appended or overwritten. VPP-634 written to document the issue.
Change-Id: Iab241228b125385052de242865afd9515fa2524f Signed-off-by: Billy McFall <bmcfall@redhat.com>
2017-02-14 | BFD: respect remote demand mode | Klement Sekera | 1 | -9/+46
Change-Id: I5063d31f5305c848043afb32fcacff6e61aed79f Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-14 | BFD: set per session UDP source port per RFC | Klement Sekera | 4 | -16/+43
Change-Id: Id294dbbd6499ae8221cc8143e1027adc08866ae6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-14 | Fix coverity issues: ioam | Shwetha Bhandari | 1 | -5/+6
Change-Id: I0963760a7da95612d5cab19596919b369a4d0f8e Signed-off-by: Shwetha Bhandari <shwethab@cisco.com>
2017-02-14 | Fix is_server flag in vhost dump (VPP-562) | Marek Gradzki | 1 | -0/+1
Change-Id: I5b308eb39ae770d58d1498d7fafa49b236b3f534 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
2017-02-14 | vhost-user: fix crash when descriptor points to unknown region | Damjan Marion | 1 | -1/+2
This happens only when compiled for older microarchitectures, where BSF instruction is used instead of TZCNT. BSF provides undefined result if operand is 0. Change-Id: I7a13350786a533428168595097ef01a560fde53b Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-13 | Out-of-tree Build Error fix | AkshayaNadahalli | 2 | -22/+20
File vnet/fib/fib_urpf_list.h was included in vnet/fib/ip6_fib.h but was exported to be installed in /usr/include/vnet. So out-of-tree builds relying on an installed package were failing. Fix is to include fib_urpf_list.h in source file rather than including it in header file. Change-Id: Iae39c1d9417dbd31ee67fa1bd2d1915d5e813c73 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-13 | Augment IP_DETAILS, IP_ADDRESS_DETAILS with a few context fields. | Jon Loeliger | 2 | -5/+15
When handling the IP_DETAILS and IP_ADDRESS_DETAILS replies, it is almost certainly going to require having both the is_ipv6 and sw_if_index context to handle them properly. Placing these values in an essentially global location as the current VAT does isn't thread-safe. Furthermore, rather than forcing every API user to hoop-jump to establish these context values, simply provide them in their DETAILS reply messages. Change-Id: I6a9e0cb16ecdbf87fca8fc5c7663e98d3a53c26c Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-13 | Basic support for LISP-GPE encapsulated NSH packets | Florin Coras | 27 | -22/+942
Change-Id: I97fedb0f70dd18ed9bbe985407cc5fe714e8a2e2 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-13 | VPP-632 : InBand OAM Analyser | AkshayaNadahalli | 5 | -41/+29
Refer to jira ticket for more details. Change-Id: I6facb9ef8553a21464f9a2e612706f152badbb68 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-09 | Improve MFIB doxygen help | Neale Ranns | 4 | -4/+12
Change-Id: Ie490b7fd5238cbad23f0199161cc14324fd9c554 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-02-08 | BFD: minor fixes | Klement Sekera | 2 | -5/+3
Change-Id: I1c93f96a752eb2ffd1117a656552131cde1fa489 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-08 | BFD: modify session parameters | Klement Sekera | 9 | -114/+414
Change-Id: I666e5c0cc71a3693640960c93cdd1907f84fbe23 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-08 | Fix source address reachability check for ip6 local packets | AkshayaNadahalli | 2 | -7/+26
Currently ip6 local check fails with error - source lookup miss if route to source of packet is over a dpo object such as load balance - recursive route, tunnel adj - GRE, SR etc. So unless packet source is of a directly connected neighbor or has route with both interface and nexthop specified, it will be dropped. Fix is to check urpf list and if at least one link exists in the list, then allow packets to be processed, else drop. Change-Id: Id426311bb63bab506754a79409c602fdb6d0f190 Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
2017-02-07 | LISP: reject remote mappings that have as locators local IPs | Filip Tehlar | 2 | -1/+29
Change-Id: Ifaf46554e45557ebf82009d9c46a9e905a46f884 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-06 | vlib: remove aligned/unaligned buffers scheme | Damjan Marion | 2 | -136/+18
Change-Id: I4433eaed3f4e201edc329c4842cbbf74beb19a9a Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-04 | dpdk: move to uio_pci_generic | Damjan Marion | 1 | -1/+1
Change-Id: I3d8b7947ae6d721e9b514a59a7d2de49aed419b5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-03 | pg: add trace information for pg tx node | Damjan Marion | 3 | -9/+46
Change-Id: I31730d58c34331f25f5b02cd065be94251f1302c Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-03 | vhost-user: fix missing speculative enqueue unwind | Steven | 1 | -0/+4
Running trex in a VM with a bad config, trex sent a bogus pack from the VM to the Virtual interface. It caused a crash. Change-Id: I64d0197b444265553ab4c24f21e6a962e89cb587 Signed-off-by: Steven <sluong@cisco.com>
2017-02-03 | Fix CLI help message for set ip address | Matej Klotton | 1 | -1/+1
Change-Id: Ie39bb26a9aea88cf2768ec537adcdd8df1de3be0 Signed-off-by: Matej Klotton <mklotton@cisco.com>
2017-02-03 | Next node frame over-flow after replication | Neale Ranns | 1 | -2/+16
Change-Id: I25077dd0739787de4f7512e5a70a62e8c34c28e4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-02-03 | Plugin infrastructure improvements | Damjan Marion | 1 | -8/+1
This patch replaces requirement for vlib_plugin_register function in the plugin so file and introduces new macro:
    VLIB_PLUGIN_REGISTER () = {
      .version = "version string",
      .version_required = "required version",
      .default_disabled = 1,
      .early_init = "early_init_function_name",
    };
Plugin will not be loaded if .default_disabled is set to 1 unless explicitly enabled in startup.conf. If .version_required is set, plugin will not be loaded if there is version mismatch between plugin and vpp. This can be bypassed by setting "skip-version-check" for specific plugin. If .early_init string is present, plugin loader will try to resolve this specific symbol in the plugin namespace and make a function call.
Following startup.conf configuration is added:
    plugins {
      path /path/to/plugin/directory
      plugin ila_plugin.so { enable skip-version-check }
      plugin acl_plugin.so { disable }
    }
Change-Id: I706c691dd34d94ffe9e02b59831af8859a95f061 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-02 | Fix SR multicast post mfib commit | Neale Ranns | 11 | -649/+450
1 - use the SR policy to construct the replicate DPO. Each bucket therein is a SR tunnel.
2 - install a special mfib entry that links via this replicate
3 - forwarding is now mfib-lookup -> replicate -> sr_rewrite (per-tunnel) no need for a separate sr_replicate node.
4 - Stack the sr tunnel on the forwarding DPO of the first-hop FIB entry. no need for a second lookup post SR encap.
5 - fix some path-list lock leaks in the MFIB entry.
Change-Id: I20de96ea4c4be4fae252625bde159d9c435c8315 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-02-02 | BFD: SHA1 authentication | Klement Sekera | 9 | -258/+1459
Add authentication support to BFD feature. Out of three existing authentication types, implement SHA1 (sole RFC requirement). Simple password is insecure and MD5 is discouraged by the RFC, so ignore those. Add/change APIs to allow configuring BFD authentication keys and their usage with BFD sessions. Change-Id: Ifb0fb5b19c2e72196d84c1cde919bd4c074ea415 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-02 | BFD: improve finding of ipv4/ipv6 headers | Klement Sekera | 1 | -48/+62
Avoid coverity warning and improve safety by declaring a helper structure and working with it when searching for ip headers. Make sure the content following IPv6 header is actually UDP before parsing it. Bail out if unexpected IPv6 header found ... Change-Id: I1c6b9fd42d6fdae226f12c91c53c07a932b29522 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-02-02 | dpdk: fix crypto coverity warning | Sergio Gonzalez Monroy | 1 | -1/+2
Change-Id: I165b64fdc12dd2936df1958348e93b709ce0e784 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-02-02 | SNAT: changed source for outbound address FIB entry (VPP-613) | Matus Fabian | 1 | -5/+2
Use FIB_SOURCE_PLUGIN_HI and modify ARP input to use non-source variants for flags and resolving interface get. Change-Id: I3bab76f36e0b1ee86e430a416099f1654e02740a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-02-02 | LISP: enhance binary part of some APIs | Filip Tehlar | 2 | -44/+35
Remote mapping and locator set binary APIs use zero length arrays defined as 'u8 array[0]' in .api file. This patch will change such cases to form 'type_t array[count];' in order to enhance maintainability. Change-Id: I98d0252b441020609c550d48186ed0d8338a3f2d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-02-02 | VXLAN: further unify ip4/ip6 ctl plane handling | Eyal Bari | 2 | -83/+55
fix wrong udp error codes in decap ip6 handling Change-Id: Ibf791a995128d38b31725c1ee67ec9d1c9dffca2 Signed-off-by: Eyal Bari <ebari@cisco.com>
2017-01-31 | BFD: reformat code to match vpp code style | Klement Sekera | 1 | -158/+186
Change-Id: I40deb8b40f5d3a96d2c0dcb400f489cd05a64348 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-01-31 | VXLAN: small changes for brevity | Eyal Bari | 1 | -49/+16
Change-Id: I9cfff0196845c6f1161848aa49442aa4df81b20e Signed-off-by: Eyal Bari <ebari@cisco.com>
2017-01-31 | MFIB Coverity warnings. The lock macro is functionally equivalent but more expressive (and might appease coverity) | Neale Ranns | 2 | -25/+40
Change-Id: Ie3c9b2896a487a0302903bfbdd6348f6f091c67d Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-01-31 | Add vxlan-bypass feature to IP6 forwarding path | John Lo | 6 | -182/+468
Add vxlan-bypass feature which can be enabled on the IP6 underlay interface which receives VXLAN packets to accelerate VXLAN decap processing. The CLI to enable/disable it is:
    set interface ip6 vxlan-bypass <interface> [del]
The vxlan-bypass feature is already supported on the IP4 underlay interface. The CLI to enable/disable it is:
    set interface ip vxlan-bypass <interface> [del]
Move vxlan-bypass API/CLI support code from decap.c to vxlan.c.
Also fixed two issues in the VXLAN decap path in the vxlan-input node:
1. Add verification of VXLAN packet FIB index with the encap-vrf-id of the VXLAN tunnel.
2. Fix checking of VXLANoIPv6 packet mcast DIP against that of the IP6 mcast VXLAN tunnel.
Change-Id: I2bad4074a468c48fbb8bb5ac64f6437190756ed2 Signed-off-by: John Lo <loj@cisco.com>
2017-01-30 | VPP-621: ping: ICMP echo data size must be bounded by VLIB_BUFFER_DATA_SIZE minus headers. | Andrew Yourtchenko | 2 | -29/+46
Before the commit 878c6098 the VLIB_BUFFER_DATA_SIZE was different depending on whether building "vpp" or "vpp_lite", resulting in an overrun in vpp_lite build. Avoid the hardcoded value and make the upper bound for ICMP echo data size dependent on the buffer size. Change-Id: Id6c4d7fc73766a95af2610eb237881b5fe9ce9aa Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-01-30 | Fixed set int state up for ipsec interfaces | Radu Nicolau | 1 | -2/+2
Change-Id: I2330cb7c2ba0f5eaeb4e7a4c3de4f22283d3923d Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-01-30 | Fix LISP Coverity warnings | Florin Coras | 2 | -6/+16
Change-Id: Iaca2ff453872e638ee83b11fc16472e44deb9a7e Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-01-30 | LISP: add dump calls for GPE entries API | Filip Tehlar | 5 | -2/+249
Change-Id: Ie7f51643fd3522a0fa8df8d0309305481c211f5f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-01-28 | sh not show in the mfib flags commands | Neale Ranns | 1 | -2/+2
Change-Id: If10b878cb05d695eaed9416202fd19bed2e0b793 Signed-off-by: Neale Ranns <nranns@cisco.com>