Age | Commit message (Collapse) | Author | Files | Lines |
|
The ipsec startup.conf config currently exists in ipsec_tun.c. This is
because currently the only ipsec{...} options are tunnel related.
This patch moves the ipsec config to a common file (ipsec.c) for future
extensibility/addition of non-tunnel related config options.
Type: refactor
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: I1569dd7948334fd2cc28523ccc6791a22dea8d32
|
|
forwarding gre payload
This commit introduces 2 fixes:
1) After GRE decapsulation sw_if_index[VLIB_TX] is set as fib index of GRE tunnel.
But since GRE tunnel can work on v4 endpoints and have v6 payload, we need to reset it.
In case we get IPv6 packet inside IPv4 GRE tunnel (or vice-versa) fib index can be (and usually is) invalid.
2) Check that ip-table and ip6-table are the same when setting interface as an unnumbered one.
Also, fix for the pipe test include setting the right unnumbered interface for the pipes
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Id13d239cfdd21e0db6b1c9725f01c40d4af4d800
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I90c2a191ab34a2a7df3fb0a951e5fc78f40ccfe2
|
|
In high traffic scenarios, if app crashed or hang on somewhere, app_mq
will quickly accumulate to full, after which vpp worker will try 100
times before giving up allocating slot for every msg. This will cause
vpp main thread barrier sync to fail.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I2b2bf2b272c5b3ca7e4a56af179af12bbcde149d
|
|
App namespaces can now be associated to a linux ip netns, e.g.:
app ns add id <ns_id> secret <n> sw_if_index <n> netns <netns>
If session layer's app sock api is enabled, this triggers the creation
of an abstract listening socket in the netns that has been configured.
For the example above that would be @vpp/session/<ns_id>.
Consequently, vcl, or other apps attaching to vpp, can connect to said
abstract socket from an ip netns without the need to share unix domain
socket files. In particular, for vcl it's enough to set app-socket-api
to @vpp/session/<ns_id> in the conf file.
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I26fdc626a760a3f423c5b8be4251623f6e9cd73a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8e80252b85dda9a8f5699109264dc1b913581442
|
|
* Add clib_socket_init support for abstract sockets
if name starts with an '@'
* Add clib_socket_init_netns to open socket in netns
* Add clib_netns_open
Type: feature
Change-Id: I89637ad657c702ec38ddecb5c03a1673d0dfb104
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6d9473a7b5ab0fbd460e80df36368dd43c5e4fee
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9301fbbcd611033b4b6ad5313edbc66840f5bb3a
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Iecb171c9451c0fa9a7c6ae4b3e9ab7774a4fe585
|
|
Type: improvement
Change-Id: Iaad50b2044702c46eff287708dfcb24e61022104
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: refactor
Refactor neighbour advertisement code into inline function
to be used solely in feature nodes.
Change-Id: I1e84c54f9807b4e3d90c37526c78a7afcb0ba087
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
The function ip4_neighbor_advertise may be called with NULL addr. In
that case, it looks up addr from fib by calling fib_sas4_get which
returns true or false to indicate whether there is an ip address
associated with the interface or not. But the caller to fib_sas4_get
does not check the return code and blindly assumes there is always an
ip address associated with the interface. As a result, it ends up
sending GARP to the bogus ip address if there is no ip address
associated with the interface.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I7aa0270766c3943ed8ca8f8a092cae34567fd30e
|
|
Type: refactor
Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Change-Id: I776bf797e07bb3cfd0510a4c09d8182edfa193bd
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: I5f4517c65c37c5d73fcd608dc29dfb1d25d4cd8d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: I8337f81fdcd196fcb0e61f8129fec322e9a1e8f1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: I2dd9a18497992ac7e2686c14f5d17eccccda0cda
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
These file are no longer needed
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I34f8e0b7e17d9e8c06dcd6c5ffe51aa273cdec07
|
|
correctly.
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4bc2eb394a8f9d01c5a12de2ce963c22209d5439
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ief06b1509d31b55efc8d1436b6ff9e01c6037a32
|
|
Put plugin init order inside plugin instead of in vnet
Type: improvement
Signed-off-by: Bin Zhou (bzhou2) <bzhou2@cisco.com>
Change-Id: Icbacdb3f1cb4ac9d74e3f78458e8bc333793b4d6
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Iacc58d27ac51c8a1c571087f98297e046b3477c2
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If0712f01bdd6f2fc892bcbe4e2cee28affd02520
|
|
Using the cli "set interface tx-queue", it is not possible to assign
tx queue to the last worker thread.
The reason is that vdm->first_worker_thread_index is 1. Adding that
to clib_bitmap_last_set (bitmap) exceeds vdm->last_worker_thread_index
when the CLI specifies the last worker thread.
Also make the threads argument optional to enable user to unbind a queue
from any thread.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I796259c20f571289c8f5a97b9418caf452d0ab3d
|
|
Type: fix
For a TAP device the MTU is set via the ethernet_register for TUN we
need to do it explicitly (like we do for other tunnel types).
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie6a13c795acb35b53f8d99b05c70c3e73a7b428e
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I05be39671a9ed0688d4e006f0f9354aa6560a41b
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4b3427b966f9ff1ba8895fed7db662d56650f3f5
|
|
Type: docs
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ica576e13953a3c720a7c093af649d1dd380cc2c0
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I189bfcca2d5fa1f37d05a72c92d04bf260343043
|
|
.. as it is going to be removed.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Id3a4a4ea1e1b7361d43735bfa5470c28fc65209f
|
|
Type: improvement
local0 exists just to burn sw_if_index=0 so we catch common API errors.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2901bb7d36d4c512e6698134a807bf9516ee05db
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I4b6d881571c158b7a69a78b9680732d090c4f8b5
|
|
Type: improvement
There's no need for the user to set the TUNNEL_V6 flag, it can be
derived from the tunnel's address type.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I073073dc970b8a3f2b2645bc697fc00db1adbb47
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I56c4682aef59ed0e69073f9001341c425e65bd48
|
|
Type: fix
two problems;
1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
- fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
...
if (post_decrypt)
{
if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
* packet is the same as the last-sequnence number of the SA.
* that means this packet did not cause a wrap.
* this packet is thus out of window and should be dropped */
return 1;
else
/* The packet decrypted with a different high sequence number
* to the SA, that means it is the wrap packet and should be
* accepted */
return 0;
}
- fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.
other consequences:
- An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
- there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
- test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
|
|
According to RFC 793, the ACK control bit is always sent once
the connection is established.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: Id0fe19114a0cc468dbce4c0938b345c2ac339e73
|
|
ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.
This fix increments the counters for inbound BYPASS and DISCARD actions.
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
|
|
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a
bit mean to require the client to fill out all the other information as
well.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
|
|
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I2c2b739a5aa246bbf53d6663efd403c3aee9dddd
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7b84767e75d5f8310ec071036a5780fa4530f79f
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I4f9316b16f16a48e2042aa17db596bfd181bd314
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I148022278a792b3687402b6915fe6fb513858a2a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7ec4bbb21a079c6f6adfb4f954054b2b07bf19c5
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0971f12b7b82d5134d06ed0539d41624429c992b
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3c06e9cb3fabdcdce9c17e93cfedfd771295f589
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I047310b8c9fcc51dcfb187710ff59b7895abe217
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I13dae61ddb7150c7fe9a7fd0eae73055ff3f2816
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ic7979755494a2fd23b9fa3d74e14f6b9ea0a46d0
|