summaryrefslogtreecommitdiffstats
path: root/src/vnet
AgeCommit message (Collapse)AuthorFilesLines
2017-10-14Add API call to set keys on IPsec tunnel intfMatthew Smith2-0/+75
There was already a CLI command and a libvnet function to set the keys on an existing IPsec tunnel interface. Expose this via the API. Change-Id: I226a9616f680fc022f04447177a2e8232690657f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-14Source Lookup progammable via APINeale Ranns9-12/+85
Change-Id: I5d5d4f22b6369d504455a644f73076d772fbcfb4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-14vhost: crash under heavy traffic condition due to memory corruption (VPP-1016)Steven1-2/+33
With heavy traffic, tx code path may crash due to memory corruption Thread 5 "vpp_wk_2" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff3995c700 (LWP 2505)] 0x00007ffff73675e8 in vhost_user_if_input (vm=0x7fffb5f5bf9c, vum=0x7ffff7882a40 <vhost_user_main>, vui=0x7fffb65570c4, qid=0, node=0x7fffb6577dac, mode=VNET_HW_INTERFACE_RX_MODE_POLLING) at /home/sluong/vpp-master/vpp/build-data/../src/vnet/devices/virtio/vhost-user.c:1610 1610 bi_current = (vum->cpus[thread_index].rx_buffers) [vum->cpus[thread_index].rx_buffers_len]; (gdb) p vum->cpus[thread_index].rx_buffers_len $2 = 793212607 (gdb) Apparently, some code accidentally wrote the bad value in rx_buffers_len. rx_buffers_len should never be greater than 1024 since that is how many buffers we request each time. After debugging many hours, I discovered that the memory corruption happens in the tx code path right here on line 2176. { vhost_copy_t *cpy = &vum->cpus[thread_index].copy[copy_len]; copy_len++; cpy->len = bytes_left; cpy->len = (cpy->len > buffer_len) ? buffer_len : cpy->len; cpy->dst = buffer_map_addr; cpy->src = (uword) vlib_buffer_get_current (current_b0) + current_b0->current_length - bytes_left; (gdb) p cpy $3 = (vhost_copy_t *) 0x7fffb554077c (gdb) p copy_len $4 = 1025 (gdb) p &vum->cpus[3].rx_buffers_len $8 = (u32 *) 0x7fffb5540784 copy_len is picking up the index entry 1024 before it was incremented. copy array has only 1024 members (0 - 1023 are valid). The assignment here in cpy surely causes memory corruption. It is only discovered later when the memory location that it corrupted is used. The condition for the crash is to transmit jumbo frames under heavy volume. Since ring size is 1024, with one packet taking up one index for frame size (less 2048), it does not cause overflow. With jumbo frames, it requires multiple indices for one packet, it can cause the overflow under heavy traffic. The fix is to do copy out when we have 1000 entries in the array to avoid overflow. Change-Id: Iefbc739b8e80470f1cf13123113f8331ffcd0eb2 Signed-off-by: Steven <sluong@cisco.com>
2017-10-13Enforce FIB table creation before useNeale Ranns5-78/+11
last i the serise of the use of the FIB table create/delete API. VPP now forces the tables to have been explicitly creted before they are used. Change-Id: Ifde3b1bbb76697a01ab71bce4f5264e6d1725467 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-13VPP-1027: DNS name resolverDave Barach10-2/+2958
This patch is a plausible first-cut, suitable for initial testing by vcl (host stack client library). Main features; - recursive name resolution - multiple ip4/ip6 name servers - cache size limit enforcement - currently limited to 65K - ttl / aging - static mapping support - show / clear / debug CLI commands Binary APIs provided for the following: - add/delete name servers - enable/disable the name cache - resolve a name To Do list: - Respond to ip4/ip6 client DNS requests (vs. binary API requests) - Perf / scale tuning - map pending transaction ids to pool indices, so the cache can (greatly) exceed 65K entries - Security improvements - Use unpredictable dns transaction IDs, related to previous item - Make sure that response-packet src ip addresses match the server - Add binary APIs - deliver raw response data to clients - control recursive name resolution - Documentation Change-Id: I48c373d5c05d7108ccd814d4055caf8c75ca10b7 Signed-off-by: Dave Barach <dave@barachs.net>
2017-10-12dpdk/ipsec: coverity fixesSergio Gonzalez Monroy1-9/+20
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-12LLDP: Add Management Address TLVSteve Shin6-25/+207
- Management Address TLV is added as per IEEE Std 802.1AB-2009. - Support of management ipv4/ipv6 addresses and OID. Change-Id: I57c14741774390809ce5a829cc087947424432c7 Signed-off-by: Steve Shin <jonshin@cisco.com>
2017-10-12tcp: do not format sb if not established (VPP-1018)Florin Coras1-2/+3
Change-Id: I011dda118f37cb31a37dda270027612d0af57ca0 Signed-off-by: Florin Coras <fcoras@cisco.com> (cherry picked from commit 87f141172212b7568f519653ab32ebd1b5d34344)
2017-10-11Revert "VPP-1001 - update AF Packet Driver to for modern kernels"Damjan Marion4-119/+10
Issues observed with specific kernel versions, e.g. stock Ubuntu 16.04 kernel. This reverts commit 3eab064e3fadaf2a6a128f167ad04ca0319b4e17. Change-Id: I24241f3b580df749fc686af3a319011ca035fb5e Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-10-10session: add support for application namespacingFlorin Coras37-785/+2844
Applications are now provided the option to select the namespace they are to be attached to and the scope of their attachement. Application namespaces are meant to: 1) constrain the scope of communication through the network by association with source interfaces and/or fib tables that provide the source ips to be used and limit the scope of routing 2) provide a namespace local scope to session layer communication, as opposed to the global scope provided by 1). That is, sessions can be established without assistance from transport and network layers. Albeit, zero/local-host ip addresses must still be provided in session establishment messages due to existing application idiosyncrasies. This mode of communication uses shared-memory fifos (cut-through sessions) exclusively. If applications request no namespace, they are assigned to the default one, which at its turn uses the default fib. Applications can request access to both local and global scopes for a namespace. If no scope is specified, session layer defaults to the global one. When a sw_if_index is provided for a namespace, zero-ip (INADDR_ANY) binds are converted to binds to the requested interface. Change-Id: Ia0f660bbf7eec7f89673f75b4821fc7c3d58e3d1 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-10-10punt and drop features:Neale Ranns14-209/+1595
- new IPv4 and IPv6 feature arcs on the punt and drop nodes - new features: - redirect punted traffic to an interface and nexthop - police punted traffic. Change-Id: I53be8bf4e06545add8a3619e462de5ffedd0a95c Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-09IP neighbour move incorrectly placed jump labelNeale Ranns1-2/+2
Change-Id: I19fdf13a4848306ee3841d822b832cba96c5bce5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-09vppapigen: support per-file (major,minor,patch) version stampsDave Barach29-4/+63
Add one of these statements to foo.api: vl_api_version 1.2.3 to generate a version tuple stanza in foo.api.h: /****** Version tuple *****/ vl_api_version_tuple(foo, 1, 2, 3) Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-09NAT: hairpinning rework (VPP-1003)Matus Fabian2-2/+11
Change-Id: I7c6911cd6ac366fe62675fd0ff8b0246a25ea1db Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-09fix buffer allocation for sparse jumbo frames in vhostPierre Pfister1-1/+3
A bug was reported where a jumbo packet would stay in vhost queue forever or until a large enough number of other packets arrived in the queue too. This is due to a bug in vhost input node buffer allocation. The fix is to make sure that vhost always allocates at least enough buffers for one single big packet. '40' is used to account for 65kB frames. Change-Id: I1d293028854165083e30cd798fab9d4140230b78 Signed-off-by: Pierre Pfister <ppfister@cisco.com> (cherry picked from commit 67700d41169ac37d21c400949a316750eabad969)
2017-10-06tuntap: Introduce per thread structure to suport multi-threadsSteven2-65/+99
https://gerrit.fd.io/r/#/c/8551/ decoupled the global variable, namely tm->iovecs from TX and RX. However, to support multi-threads, we have to eliminate the use of this global variable with per thread variable. I notice that rx_buffers must also be per thread variable. So, we introduce per thread struct to contain rx_buffers and iovecs. Each thread will find the per thread struct with thread_index. Change-Id: I61abf2fdace8d722525a382ac72f0d04a173b9ce Signed-off-by: Steven <sluong@cisco.com>
2017-10-06Initial GENEVE TUNNEL implementation and tests.Marco Varlese12-2/+3802
Notes on this first implementation: * First version of the implementation does NOT support GENEVE OPTIONS HEADER: it isn't well understood what the purpose of the OPTIONS will be and/or what content would be placed in the variable option data; Once the IETF work will evolve and further information will be available it could be possible to modify the frame rewrite to contemplate the actual GENEVE OPTIONS. Change-Id: Iddfe6f408cc45bb0800f00ce6a3e302e48a4ed52 Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy5-44/+100
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-05Distributed Virtual Router SupportNeale Ranns12-108/+543
A distributed virtual router works by attmpeting to switch a packet, but on failing to find a local consumer (i.e. the packet is destined to a locally attached host) then the packet is sent unmodified 'upstream' to where the rest of the 'distributed' router is present. When L3 switching a packet this means the L2 header must not be modifed. This patch adds a 'l2-bridge' object to the L3 FIB which re-injects packets from the L3 path back into the L2 path - use with extreme caution. Change-Id: I069724eb45956647d7980cbe40a80a788ee6ee82 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-04[aarch64] Fixes CLI crashes on dpaa2 platform.Christophe Fontaine53-92/+92
- always use 'va_args' as pointer in all format_* functions - u32 for all 'indent' params as it's declaration was inconsistent Change-Id: Ic5799309a6b104c9b50fec309cba789c8da99e79 Signed-off-by: Christophe Fontaine <christophe.fontaine@enea.com>
2017-10-04Set MAC address needs the HW interface indexNeale Ranns2-2/+6
Change-Id: I7b175d57b85e626aab00221b6dac0498aebcbeae Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-04Dump of deag/lookup routes has is_drop=1 (VPP-995)Neale Ranns1-0/+2
Change-Id: I58772a83e22885a9ea8a7a981d2bcb4b31a050d2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-10-04VPP-1001 - update AF Packet Driver to for modern kernelsAnton Ivanov4-10/+119
1. Add VNET headers support for checksumming - required to operate correctly on any recent Linux 2. Bypass QDISC on transmit - improves performance by ~ 5%. Enabled only if the macro is detected - apparently not present on archaic distributions. This still does not solve all issues with TSO - it can be fixed only by going to tpacket v3 and dynamic rx ring as well as significant changes in the TX (sendmmsg?). Change-Id: Iea14ade12586c0a8da49e6dd1012108a08bc85b3 Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
2017-10-04Add API support to dump IPsec SAsMatthew Smith2-0/+175
Add an API request message type to dump IPsec SAs. Either all IPsec SAs can be dumped or it can be limited to a single SA ID (numeric ID set at creation time - not an index). Add a handler for incoming messages with the new request type. Add an API response message type containing the data for an IPsec SA. Add VAT support for new message type. Change-Id: Id7828d000efc637dee7f988a87d3f707a8b466b7 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-03Update L2FIB entry timestamp only if BD aging enabled (VPP-1002)John Lo3-3/+6
Change L2 learning path so it update stale timestamp in MAC entry only if aging is enabled on the BD for the MAC entry. Change-Id: I7babe986ceef3c030d8ef9185076c42b405f7b0f Signed-off-by: John Lo <loj@cisco.com>
2017-10-03tcp: updates to connection closing procedure (VPP-996)Florin Coras4-17/+63
- add separate TIME_WAIT time constant - fix output node for TIME_WAIT acks - ensure snd_nxt is snd_una_max after retransmitting fin - debugging improvements Change-Id: Ic947153346979853f2526824b229126e47aead86 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-10-03Repair vlib API socket serverDave Barach10-25/+58
- Teach vpp_api_test to send/receive API messages over sockets - Add memfd-based shared memory - Add api messages to create memfd-based shared memory segments - vpp_api_test supports both socket and shared memory segment connections - vpp_api_test pivot from socket to shared memory API messaging - add socket client support to libvlibclient.so - dead client reaper sends ping messages, container-friendly - dead client reaper falls back to kill (<pid>, 0) live checking if e.g. a python app goes silent for tens of seconds - handle ping messages in python client support code - teach show api ring about pairwise shared-memory segments - fix ip probing of already resolved destinations (VPP-998) We'll need this work to implement proper host-stack client isolation Change-Id: Ic23b65f75c854d0393d9a2e9d6b122a9551be769 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-10-03Propagate duplicate IF addr add/del error up to API.Jon Loeliger3-8/+30
Identify and complain when the same IP prefix is assigned to two different SW interfaces: vpp# set int ip address TenGigabitEthernet6/0/0 1.2.3.4/32 vpp# set int ip address TenGigabitEthernet6/0/1 1.2.3.4/32 set interface ip address: Prefix 1.2.3.4/32 already found on interface TenGigabitEthernet6/0/0 Change-Id: I1aee1b6a7ddd00d3109a53d8e1b6ce97bf45e372 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-10-02L2-FIB:add mac learn events testEyal Bari1-56/+49
fixes an issue where events were not sent if BD doesn't enable mac aging Change-Id: Iddc53cb5c45e560633e6c5cff2731dccfc70ad5b Signed-off-by: Eyal Bari <ebari@cisco.com>
2017-09-28cdp/lldp: punt for no bufferSteven2-0/+6
When making a call to vlib_packet_template_get_packet(), it is possible to get back a NULL if the system runs out of buffer. This can happen when there is buffer leaks. But don't crash just because we run out of buffers, just punt. Change-Id: Ie90ea41f3dda6e583d48959cbd18ff124158d7f8 Signed-off-by: Steven <sluong@cisco.com>
2017-09-28tun/tap: Bad packets sent to kernel via tun/tap interfaceSteven2-22/+29
It was observed that under heavy traffic, VPP accidentally sent traffic with the wrong source and destination to the tun/tap interface. Traffic appears to be sent to the wrong direction. This problem is only seen when worker thread is configured. When worker thread is used, TX and RX may reside in different core. Yet both TX and RX threads are sharing the same global variable, namely iovecs without any mutex or memory barrier protection. This creates a race condition when heavy traffic is blasted to VPP, like 1000 pps. We could create a mutex or memory barrier to ensure atomic memory access. But why bother? It is a lot cheaper to just decouple the iovecs such that TX and RX have their own iovecs. Change-Id: I86a5a19bd8de54d54f32e1f0845bae6a81bbf686 Signed-off-by: Steven <sluong@cisco.com>
2017-09-27LISP: add API handlers for set/get transport protocolFilip Tehlar3-0/+62
Change-Id: Ib675164c475edcdbe3013df7b847adf5e050c53f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-09-27VLAN support on host(af-packet) interface.Akshaya N1-3/+26
On host interface if a VLAN tagged packet is received, linux kernel removes the VLAN header from packet byte stream and adds metadata in tpacket2_hdr. This patch explicitely checks for the presense of VLAN metadata and adds it in VPP packet. Change-Id: I0ba35c1e98dbc008ce18d032f22f2717d610c1aa Signed-off-by: Akshaya N <akshaya@rtbrick.com>
2017-09-27Various fixes for issues found by Coverity (VPP-972)Chris Luke2-1/+12
174267: Revisit this string termination issue 174816: Add check for NULL when trace is enabled 177211: Add notation that mutex is not required here 177117: Added check for log2_page_size == 0 and returns an error if so 163697,163698: Added missing sw_if_index validation Change-Id: I5a76fcf6505c785bfb3269e353360031c6a0fd0f Signed-off-by: Chris Luke <chrisy@flirble.org>
2017-09-26tcp: update snd_nxt after congestion recoveryFlorin Coras2-9/+7
Change-Id: I2cf4c4850b9c3c093a7dce0cec89b9f710f69393 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-26Add thread-safe event signaller, use RPC where requiredDave Barach1-2/+2
Update ping code to use the new function Change-Id: Ieb753b23f8402cbe5667c22747896784c8ece937 Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Dave Barach <dave@barachs.net>
2017-09-25tcp: do not sample rtt for retransmitted segmentsFlorin Coras3-81/+100
Change-Id: I365c31607332a944ef498369881332b515894ed7 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-25Fix sending GARP/NA on Bonded Interface Active/Backup Link Up/DownJohn Lo2-45/+2
For bonded interface in Active/Backup mode (mode 1), we need to send a GARP/NA packet, if IP address is present, on slave link state change to up or down to help with route convergence. The callback from DPDK happens in a separate thread so we need to make sure RPC call is used to signal the send_garp_na process in the main thread. Also need to fix DPDK polling so the slave links are not polled. Change-Id: If5fd8ea2d28c54dd28726ac403ad366386ce9651 Signed-off-by: John Lo <loj@cisco.com>
2017-09-22vhost-user: fix link-up statusYoann Desmouceaux1-1/+1
When changing the admin state of a vhost-user interface, do not put it in link-up mode if the interface is not actually ready. Change-Id: Idbc631a7126efa79d199909f9e7656d21bd412ca Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
2017-09-22IP-MAC,ND:wildcard events,fix sending multiple eventsEyal Bari4-25/+70
wildcard ND events publisher was sending the last event mutiple times Change-Id: I6c30f2de03fa825e79df9005a3cfaaf68ff7ea2f Signed-off-by: Eyal Bari <ebari@cisco.com>
2017-09-20session: store tep port in net orderFlorin Coras4-14/+14
Change-Id: Ie3a99f09f44ec081d9b88a213bdb8d987fb462de Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-20LISP: add debug cli for neighbor discoveryFilip Tehlar4-6/+71
Change-Id: Ib5d335d6130617d6135615c6c8fa8deaac971331 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-09-20TCP: fix "tcp src-address" command with IPv6Yoann Desmouceaux1-1/+1
When given a single IPv6 address, the "tcp src-address" command incorrectly infers the end of the range by copying sizeof(ip4_address_t) bytes from the given address. Change-Id: I100d5c6674d3a3980b8c018588988bdd32ff7269 Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
2017-09-20tcp: add option to punt trafficPierre Pfister5-30/+99
Until now, if the stack didn't find a connection for a packet, it sent back a reset. With the punt option enabled, packets are now enqueued to error-punt where they can be handed off to the host os. Change-Id: I12dea8694b8bd24c92b0d601412928aa7b8046cb Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2017-09-20Fix DHCP client so it works for worker threadsJohn Lo1-2/+14
Fix dhcp_client_for_us() function to utilize rpc_call_main_thread to call vlib_process_signal_event() to ensure proper handling irrespective of it being called in main thread or worker thread. Added ASSERT to vlib_process_sinal.. path to make sure it is called in main thread. Change-Id: I4109cc049d8e4225d896ce492ce201011dc9c911 Signed-off-by: John Lo <loj@cisco.com>
2017-09-20Add ip6-local feature arcPierre Pfister4-8/+101
ip4-local feature arc existed but not ip6-local one. This patch also adds node name to the 'show ip local' command and fixes a minor include issue in vnet/ip/ip4.h file. Change-Id: I9bb8a7159917d58f89afcce974680de20d946a70 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2017-09-19session/tcp: improve preallocated segment handlingFlorin Coras10-123/+190
- add preallocated segment flag - don't remove pre-allocated segments except if application detaches - when preallocating fifos in multiple segments, completely fill a segment before moving to the next - detach server application from segment-managers when deleting app - batch syn/syn-ack/fin (re)transmissions - loosen up close-wait and time-wait times Change-Id: I412f53ce601cc83b3acc26aeffd7fa2d52d73b03 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-19Treat label=0 as an invalid next-hop-via-labelNeale Ranns1-1/+7
Change-Id: I831226111d26f5c8a795e0773e23fddcddfb1613 Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-09-19LISP: support for neighbor discoveryFilip Tehlar8-110/+384
Change-Id: I0f1a051dd3b5786dc7c457bc6fc7ce4fcd0f530c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2017-09-19Set RX sw_if_index on decrypted routed IPsec buffersMatthew Smith2-0/+3
For routed IPsec, set the RX sw_if_index on inbound packets to the index of the IPsec interface. When a packet is decrypted into a new buffer, bring along the RX sw_if_index of the encrypted packet to the new buffer. Change-Id: I093e9d37def2082c8d2f1deb96b1c5b97126e023 Signed-off-by: Matthew Smith <mgsmith@netgate.com>