| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
The flow_report_process_send() function always allocates a frame.
However, when no template_send is needed, template_bi is ~0.
When this happens, no vectors are placed in the frame. When
the frame is then "put", a check for n_vectors == 0 prevents
the frame from actually being placed back on the free list.
Fix that by using a direct call to vlib_frame_free() when
there are no frame vctors.
Type: fix
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I936b5cea4cb3c358247c3d2e1a77d034a322ea76
(cherry picked from commit eaa83c0439c13b76525224267c23d0cf52a6668b)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0963bae4b56b08c0a9ab4ee1f2738013217e1fb7
(cherry picked from commit fc20c8e50f2784ad62b97bdb0094605d2b86f596)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Idc0fdebfea29c241d8a36128241ccec03eace5fd
(cherry picked from commit cf5c774b594d4b403e817886c8d41efd927f06b4)
|
|
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I646ac946d0b07929dfdd1966a4f4a3b697768040
(cherry picked from commit af21b2e6994893e97ad0fef52ca154c69a4a09cb)
|
|
- update wordlist and fix typos so that 'make docs-spell' passes
- sort spelling_wordlist.txt
- update docs maintainers list
Type: docs
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I38ac7850c604c323427d2bb6877ea98bd10bcc38
(cherry picked from commit dac97e2c627ca3a911dac7fd8eb268bde23f853f)
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I4679acbe4fd4400d57c0a79b0a6c74c8f1639703
|
|
Add generic flow type and rss action type to vapi. It is to support
creating generic flow rule via vapi.
Type: feature
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Ifeaa007679487e02bd2903dc591d80a1caba33bc
|
|
Type: fix
pool_is_free_index() check is performed only for the first element
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: Icadc715a9b54761ec69805a134a69a262137536d
|
|
Type: fix
Custom node functionality is missing in v6, so bringing in similar to v4 functionality into ip6 as well
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: I28b0be2fc55a00bfc0b456b1caaa1dcf5641a44e
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ie63c360f2e42e9e5799f5c536453823ea95ed3b8
|
|
single struct to hold all api handler, flags, etc.
Provide functions to toggle flags instead of writing directly to
internal data.
Type: refactor
Change-Id: I4730d7290e57489de8eda34a72211527e015b721
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Pace the main thread activity for reassembly timeouts, to avoid barrier syncs
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: If8c62a05c7d28bfa6ac530c2cd5124834b4e8a70
|
|
Type: fix
Adding stats from debugging point of view
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: I3118d3fd5d630fad80a42ab960e30459789123cf
|
|
Type: fix
as number of reass contexts increasing based on workers, increasing the number of nbuckets for bihash
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: I83d061a709ecb8845ce745b18d03fdefc795787f
|
|
Type: fix
There were several places where mbps were converted to kbps for
link_speed, but often drivers of devices set link speed to unknown
(0xFFFFFFFF) on initialization, so there was multiplication of
link_speed equal 0xFFFFFFFF(UINT32_MAX) by 1000, this provides
overflow of unsigned int, and as result link_speed was equal
4295 Gbps, but actually link_speed is unknown.
Signed-off-by: Anton Nikolaev <anikolaev@netgate.com>
Change-Id: Ib462ed6ed685654af4687041e115bfb74e640f13
|
|
Type: fix
Change-Id: I69f7e23b23e8cfcfe57ba019862470e0eb4b06db
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
Change-Id: I82e7c0acc547794bcc7c42f4b8881a8251bf7a9b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Fixed at infra level.
Type: improvement
Change-Id: I43cf16870c1d2e12189073f7786d62375c46e2c2
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This fixes long standing annoyance that CLIs with optional args cannot
be executed from file, as they cannot distinguish between valid optional
args and next line in the file.
Multiline statements can be provided simply by using backslash before \n.
Also comments are supported - everything after # is ignored up to the
end of the line.
Example:
# multiline cli using backslash
show version \
verbose # end of line comment
packet-generator new { \
name x \
limit 5 \
# comment inside cmultiline cli \
size 128-128 \
interface local0 \
node null-node \
data { \
incrementing 30 \
} \
}
Type: fix
Change-Id: Ia6d588169bae14e6e3f18effe94820d05ace1dbf
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
*Buffer leaks and corruptions during internal errors, either overriding
or missing to add the buffer to the list
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
Change-Id: I6c2406cff53a741e800e2d05593696f3e9fd6ff5
|
|
Type: docs
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I23008cde47d8b7a531346eab02902e2ced18742a
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I952ba7e042779855e29628d048da7edec1caaafd
|
|
We allocate vring_spinlock for all vrings in the vui, not just the ones
being used. So when we free the vui, we have to free vring_spinlock for
all vrings, not just the one being used.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I3951fda71ce6e11474b04302116ea9e08b404758
|
|
Type: fix
A simple "create host-interface name xxx" is enough to trigger the bug:
The interface is not found, and we goto error with apif=NULL
Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
Change-Id: I2f894176d39b3d15efab054dc7340e7a0600a2e8
|
|
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: Id19a52df4f237cf5d85d305fdc279ab7df2d6f4b
|
|
Type: improvement
Change-Id: Ibc1b5059ed51c34334340534e9eb68121f556bce
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
|
|
It looks like in a distant past we were using a vnet_rewrite but this
no longer the case.
Type: fix
Change-Id: Ib8d336aec7d5abd7749f543739f531144e76e551
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Iee6784c37a835b49d962ae6f87c279cbe65dde15
|
|
Type: fix
set use_custom_mac for args in create_vhost_user_if_v2 API
Add testcase for custom mac-address
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
Change-Id: Iac64d818e0f1e6d36187fe769ee33d202aaafd05
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
|
|
Type: feature
Change-Id: I940b6c9d206e407f3e17d66c97233cd658984e61
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Add vapi_connect_from_vpp() and vapi_disconnect_from_vpp()
calls to allow API clients from within VPP process.
Add a new memclnt_create version that gives the user a
knob to enable or disable dead client scans (keepalive).
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Id0b7bb89308db3a3aed2d3fcbedf4e1282dcd03f
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I67f5a2c8902dd14c09472c25599b3b1b493a6948
|
|
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: I792467b73449074e59c4232b1f82d134c399624c
|
|
Enable the flow action for RSS queue group. Packets can be distributed
among queues in group based on specific fields. Queues must be continous
in the group. This feature is to support 5G enhancement requirement.
Type: feature
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: I74fdc617659bcb61f00b3b1934c95ab1c73bb8f3
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I02aec410eaa7ccb999159b6967414fbaf4e76a3f
|
|
Type: improvement
Change-Id: Ibdadeb4e685f45a93f45504a84709391489abb6a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I79bfe91e81983b619c61a32285d8e038c2654147
|
|
Make sure producer drops lock when it waits for empty ring slot.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id77d54ee8c01bed20c9eaf5ad372ed4b1e9fa712
|
|
Type: fix
current_data is set to 0 for each packet in af-packet input node.
It is not required to include it to calculate the headers offset.
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I538d8c04e24c758155b3f8d6a1532472ef549459
|
|
Listener proxies are allowed to listen on IPs that are not local.
Configurable only by builtin apps for now.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Idb380ee3584a088878a03d45fd85e7bb0deeb590
|
|
Adding flow cache support to improve inbound IPv4/IPSec Security Policy
Database (SPD) lookup performance. By enabling the flow cache in startup
conf, this replaces a linear O(N) SPD search, with an O(1) hash table
search.
This patch is the ipsec4_input_node counterpart to
https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code,
theory and mechanism of action.
Details about the flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using a hash table without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, the old entry
will be overwritten by the new entry. Worst case is when all the
256 packets in a batch result in collision, falling back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows,
but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all
current flow cache entries will be invalidated. As the SPD API is
not mp-safe, the data plane will wait for the control plane
operation to complete.
Cache invalidation is via an epoch counter that is incremented on
policy add/del and stored with each entry in the flow cache. If the
epoch counter in the flow cache does not match the current count,
the entry is considered stale, and we fall back to linear search.
The following configurable options are available through startup
conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache
(default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets
(default 4,194,304: ~1 million flows with 25% load factor)
Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass,
94B (null encrypted packet) for different SPD policy matching indices:
SPD Policy index : 2 10 100 1000
Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps
(Baseline/Optimized)
ARM TX2 : 300/290 230/290 70/290 8.5/290
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
|
|
Type: fix
After changes made in f840880, VRRP IPv6 cannot reply for neighbor
solicitations requesting the link layer address of the configured
virtual address.
VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature
arc for an interface on which a virtual router is configured. When
neighbor solicitations arrive on that interface, ip6-local should start
feature arc walk for that interface and the messages should be processed
by vrrp6-nd-input. The problem is that currently, the feature arc is
started for the interface obtained from the receive DPO that has
interface unset (i.e. max u32) for local mfib entries. Thus, the feature
arc is started not on the interface the messages were received on and
vrrp6-nd-input is not traversed.
With this fix, if interface obtained from the receive DPO is unset, use
RX interface from the buffer to start the ip46-local feature arc.
Also, enable tests of this case for both IPv4 and IPv6 address families
that are currently tagged as extended and not run on every change. They
configure VRRP with priority 255 and are expected to be stable.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie1ae401d5105aa42761d3cac5dfbe523f3995c87
|
|
Use the specified nexthop table id instead of the interface table id.
Type: fix
Change-Id: I61bf61d50d2716fcd9a6e35df4d60222dc4f36d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I9f3d1a8574b15f09a458baad98c815e087fd60b8
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I805131b4e3d0cb2fab1d3bf76db659c67522c2e8
|
|
Type: refactor
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I9e68ecb91f6433f68a8a87dd066f3e369f25a3c9
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I12b2e53ddb797cc809a2d742d17a1a60edde385d
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia4d8aaafeb3629f421601edffefe9c61c3e69dba
|
Benoît Ganne
Jon Loeliger
Florin Coras
Filip Tehlar
Dave Wallace
Mohsin Kazmi
Ting Xu
Vijayabhaskar Katamreddy
Damjan Marion
Anton Nikolaev
Nathan Skrzypczak
Klement Sekera
Steven Luong
Gabriel Ganne
Xiaoming Jiang
Stanislav Zaikin
Fahad Naeem
Ole Troan
Zachary Leaf
Alexander Chernavin