Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
two problems;
1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
- fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
...
if (post_decrypt)
{
if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
* packet is the same as the last-sequnence number of the SA.
* that means this packet did not cause a wrap.
* this packet is thus out of window and should be dropped */
return 1;
else
/* The packet decrypted with a different high sequence number
* to the SA, that means it is the wrap packet and should be
* accepted */
return 0;
}
- fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.
other consequences:
- An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
- there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
- test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
|
|
According to RFC 793, the ACK control bit is always sent once
the connection is established.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: Id0fe19114a0cc468dbce4c0938b345c2ac339e73
|
|
ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.
This fix increments the counters for inbound BYPASS and DISCARD actions.
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
|
|
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a
bit mean to require the client to fill out all the other information as
well.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
|
|
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I2c2b739a5aa246bbf53d6663efd403c3aee9dddd
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7b84767e75d5f8310ec071036a5780fa4530f79f
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I4f9316b16f16a48e2042aa17db596bfd181bd314
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I148022278a792b3687402b6915fe6fb513858a2a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7ec4bbb21a079c6f6adfb4f954054b2b07bf19c5
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0971f12b7b82d5134d06ed0539d41624429c992b
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3c06e9cb3fabdcdce9c17e93cfedfd771295f589
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I047310b8c9fcc51dcfb187710ff59b7895abe217
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I13dae61ddb7150c7fe9a7fd0eae73055ff3f2816
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ic7979755494a2fd23b9fa3d74e14f6b9ea0a46d0
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I39505763371c98b75ff7b697dacd3eeb0d41d40a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0a2c1cbbe798ddf9d08da78bf0b458a0f54fa13a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0bdf870e2e9b0ebc11a3ce252fbd0667a83de4e6
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I03f51393a92bae45608d9fc9f53164f3b0add3cd
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I1de45c4db57444d2d2c9fb91b8a66a4f01be699b
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0db7343e907524af5adb2f4771b45712927d5833
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Iacaefbf04834f000a14f151c4b848f280ac46d63
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I5dd30870443a22a7da65f6b5a6d3967991e2aceb
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7a0a189ce635a4a74e63ac4cb133686b8b7ba53a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0994241df94ad7536be323b9d7c48caf38cc4267
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I76be91715953c7cbe704961d1a56c48334656e19
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Idf0c24c9c8f8f3c267285c6a231c9c1a364a902a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Change-Id: I864979ce490651bf1f5fed107620e9bc4ca4bf93
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Use autogenerated code
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I02f53486723f7ac7e9026ff092b63e86dff13232
|
|
Use autogenerated code
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Id373c7828d77cca0121baf9c7635cfe2c5f938d7
|
|
use autogenerated code
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I163eefa86f3248260481181818d70fa1b6eaa220
|
|
Use autogenerated code.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Id7d4d23e4fe707f7049828fec44df7ff0419d23c
|
|
use autogenerated code
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I86459d918ac46bed523e847db9f9c7179147d022
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id91c3be57d49745cb3db6c768a8d5d14133f899e
|
|
Type: fix
Signed-off-by: jxm <jiangxiaoming@outlook.com>
Change-Id: I6fb2620e7076e1e38a2ab85a70febe614b079e67
|
|
Allocate per app pair segments with space for more than one fifo.
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib96fe12b899cb14ff20c0be607814011e2c3fc6a
|
|
Type: improvement
Signed-off-by: jxm <jiangxiaoming@outlook.com>
Change-Id: I80a51e841f9727b68d1de713b6b6d51675ef53c5
|
|
mfib interface flags are parsed before the interface name. For some
specific names, this creates a bug when adding routes.
ex: ip route add 10.0.2.0/24 via FortyGigabitEthernetd8/0/0
The 'F' at the beginnig of the interface name is parsed as the
"Forward" flag. Because of that, the interface name parsed is
"ortyGigabitEthernetd8/0/0" which results in a parsing error.
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: Ib76c2f86416455841f910f7b466b467001072b70
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I28b98154bbff36e8391a09a2b30302dda4349946
|
|
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Ib4957bfc03b0dfc90fd28689d5b32cc3d82e7b74
|
|
Length check must also take current_data into account.
Type: fix
Change-Id: I7a1b1752868892d40f59490d05452ef24565cca6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
In the current implement, tcp would start or up an one tick
retransmit timer for that connection if vlib_buffer_alloc()
return 0. Now the tick is 0.1ms, this means that if VPP is
in a buffer shortage state, there would be a large number of
burst timer expirations.
This commit limits the minimum interval of the retransmission
timer to 100ms.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: Ia11d693fe46119c5dc16b24ca93c30c31109057a
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iec69d8624b15766ed65e7d09777819d2242dee17
|
|
Type: feature
this allows VPP to simulate linux tun devices.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3adf38b49a254804370f78edd5d275d192fd00a6
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ied2608e7a28c59c908803ca676abbe93072fadb8
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I338e61654a62ed6308ecd8bb15e1a8b13cd859b9
|
|
TCP and (D)TLS clean up half-opens on main without a lock/barrier so
cleanup initiated from first worker, e.g., cut-throughs, can corrupt the
session pool.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2e5162831c0e201b22454f17fe55bfac44b85fa9
|
|
Type: fix
This prevents reordering when a push flag is received.
GRO appends the segment with the push flag to the existing
flow and flushes it immediately.
Change-Id: I61b36209b3381f340594a9cb3ed816d43b02bdff
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
VRRP prefix length is 5 bytes, doesn't make sense
to compare with 6 bytes mac address
Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I70a9c9ca769f34a81cd568f9e6b9a3538e6ec710
|
|
The path pool can expand during in fib_path_attached_next_hop_get_adj()
when calling adj_nbr_add_or_lock(). If dpo points to a path->fp_dpo, its
reference becomes stale.
Use a temporary copy instead.
Type: fix
Change-Id: Ie966cb5f3f7b416425964dca12f1f586bfc2010c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|