summaryrefslogtreecommitdiffstats
path: root/src/vnet
AgeCommit message (Collapse)AuthorFilesLines
2023-03-23ipsec: make pre-shared keys harder to misuseBenoît Ganne8-137/+122
Using pre-shared keys is usually a bad idea, one should use eg. IKEv2 instead, but one does not always have the choice. For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C) whereas for AES-CTR or AES-GCM, the IV should never be reused with the same key material (see NIST SP800-38a Appendix B and NIST SP800-38d section 8). If one uses pre-shared keys and VPP is restarted, the IV counter restarts at 0 and the same IVs are generated with the same pre-shared keys materials. To fix those issues we follow the recommendation from NIST SP800-38a and NIST SP800-38d: - we use a PRNG (not cryptographically secured) to generate IVs to avoid generating the same IV sequence between VPP restarts. The PRNG is chosen so that there is a low chance of generating the same sequence - for AES-CBC, the generated IV is encrypted as part of the message. This makes the (predictable) PRNG-generated IV unpredictable as it is encrypted with the secret key - for AES-CTR and GCM, we use the IV as-is as predictable IVs are fine Most of the changes in this patch are caused by the need to shoehorn an additional state of 2 u64 for the PRNG in the 1st cacheline of the SA object. Type: improvement Change-Id: I2af89c21ae4b2c4c33dd21aeffcfb79c13c9d84c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-03-23ipsec: add per-SA error countersArthur de Kerhor11-115/+337
Error counters are added on a per-node basis. In Ipsec, it is useful to also track the errors that occured per SA. Type: feature Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2023-03-23vnet: throttling configuration improvementMaxime Peim6-18/+14
To allow a more flexible throttling configuration, the number of bits used in the throttling bitmap can be chosen. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I7bfe391dd64729011b03f3e5b89408dfc340e036
2023-03-22session: add session statsFilip Tehlar5-13/+99
Type: feature Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I02d9bb5292b32ffb1b2f05daccd8a7d5dba05125
2023-03-20ipsec: set fast path 5tuple ip addresses based on sa traffic selector valuesPiotr Bronowski1-4/+35
Previously, even if sa defined traffic selectors esp packet src and dst have been used for fast path inbound spd matching. This patch provides a fix for that issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
2023-03-18vppinfra: fix corner-cases in bihash lookupDave Barach1-1/+1
In a case where one pounds on a single kvp in a KVP_AT_BUCKET_LEVEL table, the code would sporadically return a transitional value (junk) from a half-deleted kvp. At most, 64-bits worth of the kvp will be written atomically, so using memset(...) to smear 0xFF's across a kvp to free it left a lot to be desired. Performance impact: very mild positive, thanks to FC for doing a multi-thread host stack perf/scale test. Added an ASSERT to catch attempts to add a (key,value) pair which contains the magic "free kvp" value. Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I6a1aa8a2c30bc70bec4b696ce7b17c2839927065
2023-03-16session: support active opens with same source portFlorin Coras2-3/+14
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2b426e9e988c32d261f36367087f358d8cc25e2f
2023-03-14session vcl: refactor builtin tx event for main txFlorin Coras7-30/+33
Rename unused SESSION_IO_EVT_BUILTIN_TX to SESSION_IO_EVT_TX_MAIN and leverage it for non-connected udp tx. Non-connected udp sessions are listeners and are therefore allocated on main thread. Consequently, whenever session queue node is not polling main, tx events generated by external applications might be missed or processed with some delay. To solve this, request that apps use SESSION_IO_EVT_TX_MAIN tx events as opposed to SESSION_IO_EVT_TX and send that to first worker as opposed to main. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5df5ac3dc80c0f192b2eefb1d465e9deefe8786b
2023-03-14session: pre-alloc required dma batchesMarvin Liu2-0/+3
Specify the number of max_batches when applying for dma config. Skip this round when no batch available from vlib_dma_batch_new. Type: improvement Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: Ic6e0acf81ba4fc3ed33aea6ac6990ef841021c59
2023-03-14session: format transport connection flagsFlorin Coras2-18/+59
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id87c41c472898d4f66b0771f18f822d1069bbfd0
2023-03-14session: cleanup lcl endpt freelist before all allocFlorin Coras1-4/+5
Make sure endpoint freelist is drained before alloc of fixed local source port is tried. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I302deee5609a463af8135185af71722ac8c55a27
2023-03-14memif: don't leak error strings in API handlersDamjan Marion1-0/+8
Type: fix Fixes: ab4d917 Change-Id: I226044f64e1577033798fd203a2e981c894830d6 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-13udp: Use udp_output_get_connection instead of udp_connection_getSteven Luong1-12/+11
udp_output_get_connection handles correctly if the connection is a listener whereas udp_connection_get does not which may lead to a crash. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I40b57287a8686820d29872cae2cfd6ae27a57c26
2023-03-08session: Use session->thread_index to correctly retrieve the sessionSteven Luong1-1/+3
For non-connected udp, when retrieving the subscriber session to send the notification, it uses the current worker thread index whereas the subscriber session is actually on the main thread. Using the worker thread may cause a crash since the corresponding session may not be valid in the worker thread context and even if it is valid, it is the wrong session. This scenario is seen when the application forks and adds subscribers to the worker thread session. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I236ee9d9ff9f3b2f7f9f8e782d70d1080aa1b627
2023-03-07udp: crash in format_udp_connectionSteven Luong1-1/+1
format_udp_connection takes 2 arguments from the caller. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ie618a809936a01c094982f9a8c81309826e0b087
2023-03-06tcp: allow syns in closed stateFlorin Coras1-2/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If223096cf912c1748ae417b40585a9bea5d9d9a9
2023-03-06interface: more cleaning after set flags is failed in vnet_create_sw_interfacevarasteh1-0/+1
There's a chance that vnet_sw_interface_set_flags_helper() has successfully called some sw interface add callback functions before returning the error. So the sw interface del callbacks should also be called Type: fix Signed-off-by: varasteh <mahdy.varasteh@gmail.com> Change-Id: I2cd7dc6d5b3a5ebfd2c4d1a6be5390083dee6401 Signed-off-by: varasteh <mahdy.varasteh@gmail.com>
2023-03-06interface: add the missing tag keyword in the cli helperMohsin Kazmi1-1/+2
Type: style Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I6399ad2b0b30f94c6c51db1afc39f5e875dfaa67
2023-03-06crypto: remove VNET_CRYPTO_OP_FLAG_INIT_IV flagBenoît Ganne1-3/+2
IV requirements vary wildly with the selected mode of operation. For example, for AES-CBC the IV must be unpredictable whereas for AES counter mode (CTR or GCM), it can be predictable but reusing an IV with the same key material is catastrophic. Because of that, it is hard to generate IV in a generic way, and it is better left to the crypto user (eg. IPsec). Type: improvement Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-03-06flow dpdk: introduce IP in IP support for flowXinyao Cai2-9/+156
This patch introduces IP in IP packet support for flow cli and dpdk plugin. Specifically, the following IP in IP packet types are supported: MAC-IPv4-IPv4-TCP/UDP/None, MAC-IPv4-IPv6-TCP/UDP/None, MAC-IPv6-IPv4-TCP/UDP/None, MAC-IPv6-IPv6-TCP/UDP/None, IP in IP flow rules can be created by using the following new keywords in vppctl: in-src-ip, in-dst-ip : to provide information for inner IPv4 header in-ip6-src-ip, in-ip6-dst-ip: to provide information for inner IPv6 header in-proto : to specify inner transport layer protocol type (TCP or UDP) in-src-port, in-dst-port : to provide information for inner TCP/UDP header An example to create flow rule for MAC-IPv6-IPv6-TCP: test flow add index 0 ip6-src-ip any ip6-dst-ip any in-ip6-src-ip any in-ip6-dst-ip any in-proto tcp in-src-port 1234 in-dst-port any rss function default Another example to create flow rule for MAC-IPv6-IPv6: test flow add index 0 ip6-src-ip any in-ip6-src-ip any rss function default Type: feature Signed-off-by: Xinyao Cai <xinyao.cai@intel.com> Change-Id: I6a1ca36d47eb65b9cb5a4b8d874b2a7f017c35cd
2023-03-06crypto: make it easier to diagnose keys use-after-freeBenoît Ganne1-2/+2
Type: improvement Change-Id: Ib98eba146e24e659acf3b9a228b81fcd641f4c67 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-03-06interface: fix 4 or more interfaces equality comparison bug with xor ↵lijinhui1-5/+4
operation using (a^a)^(b^b) Type: fix Signed-off-by: lijinhui <lijh_7@chinatelecom.cn> Change-Id: I80783eed2b819a9e6fd4cee973821c9d97c285a6
2023-03-01docs: fixed to use unified "pcap trace" commandNobuhiro MIKI2-4/+4
Type: docs Fixes: 33909777c637 ("misc: unify pcap rx / tx / drop trace") Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp> Change-Id: I049616cfad300658e62e5026c0655ee6f07a2421
2023-03-01udp: fix optimistic assert for UDP RXMohammed Hawari2-1/+6
Change-Id: I431c4a6f409b129e4290dba2e1acadea460ac797 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: improvement
2023-02-28session: consolidate port alloc logicFlorin Coras4-52/+36
Move port allocation logic from transports into generic transport layer. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I55a21f185d00f5e118c36bcc4a6ffba2cbda885e
2023-02-28tcp: add dispatch errors to countersFlorin Coras1-9/+10
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I27112947071a757065162f0e50f69983d258525d
2023-02-25tcp: fix error countersFilip Tehlar4-44/+43
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I9f4944f77ecf94f16f809392f28466e33f7f779d
2023-02-20session: track app session closesFlorin Coras2-2/+9
Make sure applications, especially builtin ones, cannot close a session multiple times. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I960a1ae89a48eb359e7e1873a59d47c298c37ef1
2023-02-16session: ignore zero length dgramsFlorin Coras1-1/+9
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I70596ffcf90fa4cd57092584cb7a454f44208943
2023-02-10sr: support define src ipv6 per encap policyTakeru Hayasaka5-48/+313
Can to define src ip of outer IPv6 Hdr for each encap policy. Along with that, I decided to develop it as API version V2. This is useful in the SRv6 MUP case. For example, it will be possible to handle multiple UPF destinations. Type: feature Change-Id: I44ff7b54e8868619069621ab53e194e2c7a17435 Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
2023-02-08session: accept lcl ip updates on cl sessionsFlorin Coras1-0/+2
Allow apps/vcl to provide updated local ips for dgrams. In particular, allow sessions bound to 0/0 to send data with valid local ips. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I50a086b1c252731a32a15b6a181ad3dba0c687e0
2023-02-08ip6-nd: support dump/details for IPv6 RAAlexander Chernavin5-98/+470
Type: improvement With this change, add support for dumping IPv6 Router Advertisements details on a per-interface basis (or all). Also, cover that with a test. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I89fa93439d33cc36252377f27187b18b3d30a1d4
2023-02-08ipsec: fix AES CBC IV generation (CVE-2022-46397)Benoît Ganne3-29/+65
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C). Chaining IVs like is done by ipsecmb and native backends for the VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable. Encrypt a counter as part of the message, making the (predictable) counter-generated IV unpredictable. Fixes: VPP-2037 Type: fix Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-06ipsec: fix async crypto linked keys memory leakBenoît Ganne1-1/+6
Type: fix Change-Id: I7bd2696541c8b3824837e187de096fdde19b2c44 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-03session: fix out of bounds event memcpyFlorin Coras1-3/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5300653edd2dad470985f4591959d00cad2a43b
2023-02-02ip: fix ip ACL tracesBenoît Ganne1-6/+9
If we match a next table, we must save its index in the trace instead of the index of the 1st table. Type: fix Change-Id: Idd862242e7fc200eb3ab29b17a26131b844af2c0 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-02policer: API policer selection by indexMaxime Peim8-257/+801
Policer API calls were only by policer name. It is now possible to select a policer by its index. Some functionalities are also added to allow updating a policer configuration and to refill its token buckets. Some dead codes are being removed, and small fixes made. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I4cc8fda0fc7c635a4110da3e757356b150f9b606
2023-02-02fib: keep AddressSanitizer happyBenoît Ganne1-3/+2
adj_delegate_remove() makes 'ad' invalid, invalidate it only after its use. Type: fix Change-Id: I6908d3dd2962ebd3fdf37e946cb19dae727bda09 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-01memif: improve error reportingDamjan Marion1-0/+2
Type: improvement Change-Id: I12b120d988347cced3df82810e86dc2fd5cfca80 Signed-off-by: Damjan Marion <dmarion@me.com>
2023-01-25api: pcap capture api updateMaxime Peim5-4/+115
Allow enabling and disabling pcap capture via the API. A little bug is fixed along the way in vl_api_classify_pcap_set_table_t_handler. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I096129c82aecdc82bee5dbfb5e19c76a51d80aab
2023-01-23vppapigen: enable codegen for stream message typesStanislav Zaikin1-18/+14
Enable codegen for C type from 'rpc A returns B stream C' notation Type: improvement Change-Id: I05cfce71c385d414d7b177a080009628bc8c8fad Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2023-01-19vxlan: convert vxlan to a pluginSteven Luong11-4194/+0
per https://jira.fd.io/browse/VPP-2058 Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ica0828de218d25ada2d0d1491e373c3b78179ac1
2023-01-19ip: add the missing offload checkMohsin Kazmi1-2/+2
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I64283648985c98e81f315da32a451cef6e60f933
2023-01-16ipsec: fix transpose local ip range position with remote ip range in fast ↵Piotr Bronowski2-13/+13
path implementation In fast path implementation of spd policy lookup opposite convention to the original implementation has been applied and local ip range has been interchanged with the remote ip range. This fix addresses this issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
2023-01-11virtio: add option to bind interface to uio driverBenoît Ganne3-2/+32
Type: improvement Change-Id: I30e66370c927afeb62ba3a2b3334bdc2a31d4561 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-01-11sr: remove stale runs_afterNathan Skrzypczak1-1/+0
This patch removes a .runs_after = VNET_FEATURES ("ip6-lookup"), On the 'pt' node, as 'ip6-lookup' does not belong to the 'ip6-output' arc. Type: fix Change-Id: Ie34aaf7351593f08c61e3b02aaf9f72a4de1a437 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2023-01-10sr: fix compilation errorsGuillaume Solignac2-7/+9
Uses VPP's clib_host_to_net functions, and initializes a potentially uninitialized variable. Type: fix Signed-off-by: Guillaume Solignac <gsoligna@cisco.com> Change-Id: Ie6b035c698f57ff39aeb955b35db8ec40f383b7a
2023-01-10udp: avoid listener cleanups with active opensFlorin Coras2-0/+15
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ibff9f32e4fcaf0344207d8e43f3547180cbd4eef
2023-01-10session: avoid trying to send incomplete dgramFlorin Coras1-2/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ibebe9e4ab7331c3ae66c9502e910368acaba51ec
2023-01-10udp: initialize gso_size on dgram enqueueFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I1b5a35b9d53cc56d4d8050de70f40b95e92f1011