| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
When applying ACEs, in the new hash-based scheme, for each ACE
the lookup in the hash table is done, and either that ACE is added
to the end of the existing list if there is a match,
or a new list is created if there is no match.
Usually ACEs do not overlap, so this operation is fast, however,
the fragment-permit entries in case of a large number of ACLs
create a huge list which needs to be traversed for every other
ACE being added, slowing down the process dramatically.
The solution is to add an explicit flag to denote the first
element of the chain, and use the "prev" index of that
element to point to the tail element. The "next" field
of the last element is still ~0 and if we touch that
one, we do the linear search to find the first one,
but that is a relatively infrequent operation.
Change-Id: I352a3becd7854cf39aae65f0950afad7d18a70aa
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
show interface rx-placement somtimes displays the wrong interface names.
This happens when there exists subinterfaces in VPP.
The problem is due to the function show_interface_rx_placement_fn is calling
format_vnet_sw_if_index_name with hw_if_index instead of sw_if_index.
VPP has the concept of sw_if_index and hw_if_index. Each serves a different
purpose. When there is no subinterfaces, both hw_if_index and sw_if_index
may happen to have the same value.But don't count on it. When the API calls
for sw_if_index, we must pass the sw_if_index although the hw_if_index has
the same type which the compiler does not catch. Passing hw_if_index for an
API which requires sw_if_index may have an unpredictable result such as
described in the VPP-894 and sometimes it may even crash if the particular
index does not exist.
Change-Id: I76c4834f79b88a1c20684fcba64f14b2da142d77
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I8cd90820624987dbef848935e2de86fa66a86c17
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
after deleting a sub interface with IP4/IP6 address vpp crash
Change-Id: Ie768ca845b9e2394f61e2a8e9722a80a788746e7
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
(cherry picked from commit 9f5a2b6310ce5c8e59c32ca6f27d8a187b0e4346)
|
|
traffic (VPP-892)
When stacking DPOs the VLIB graph is also updated to add the edge between the nodes, if this edge does not yet exist. This addition should be done with the workers stopped.
Change-Id: I327e4d7d26f0b23eb280f17e4619ff2093ff7940
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
fixed instability in l2bd_multi_instnce test - sometimes failing with extra
packets captured
it appears l2-learn was not updating hit entries but rather a copy of them.
if the ager did not have a chance to run before the test was running the
learning cycle - entries were not updated with the packet's seq num - causing
packets to flood when hitting the stale seq_num in l2-fwd - hence the extra
packets
fixed handling of filter entries
revert workaround for instability in test
Change-Id: I16d918e6310a5bf40bad5b7335b2140c2867cb71
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: Ib7824bfc08cb3c8f20258379e1a1f2c159c4f687
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: I6b19634ecb03860a7624d9408e09b52e95f47aef
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
(cherry picked from commit 04ffd0ad83b2d87edb669a9d76eee85f5c589564)
|
|
Change-Id: Ib8c72f8e08e89357b64f2f69ab70d60d3a7ec506
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- multiarch on svm fifo
- avoid ip lookup on tx
Change-Id: Iab0d85204a710979417bca1d692cc47877131203
Signed-off-by: Florin Coras <fcoras@cisco.com>
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
Change-Id: I064d22277a0334c63f3d5072b1584b93e327b331
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
interface
Multiple subsequent calls to vnet_feature_enable_disable() to enable the feature
cause the feature to be inserted into the processing graph multiple times in a row.
This might be argued to be a bug in that function, but enabling already enabled feature
is suboptimal anyway, so avoid that. The existing tests already catch this issue whenever
the ASSERT() part of this patch was added.
Change-Id: Ia2c06f7dc87bbe05795c2c7b7d19ea06270ce150
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
added CLI command documentation
added NAT64 user documentation page
Change-Id: I3df400013800fe16351e02db7762ee3f92b195ff
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I77412aa8c17b45b1533604e7bfe8fe052ed0f80a
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
If interface is down and queues are not configured then we are not able
to change rx-mode. This change introducess default mode which is stored
per interface and applied if driver wants.
Change-Id: I70149c21c1530eafc148d5e4aa03fbee53dec62f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
custom-dump and in VAT (VPP-885)
Add the missing function to convert the entire array of rules in the respective _endian functions,
rather than just the first rule.
Change-Id: Ic057f27ff7ec20150595efca1a48b74e5850f52b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
It is useful to have the CLI to clear the existing sessions.
There was a work-in-progress CLI but it did not work properly.
Fix it and split into a separate "clear acl-plugin sessions",
and add a unit test into the extended connection-oriented tests.
Change-Id: I55889165ebcee139841fdac88747390903a05394
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
ethernet header
When extracting the 5-tuple, use the ethernet_buffer_header_size() so we can correctly
handle the case of subinterfaces, etc.
Change-Id: Ied73fde98d6b313e9eeab2aff4f22daa50a6cbbf
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Remove the unnecessary variable assignment which coverity detected.
Change-Id: I66ac20a8495400ac59192ddb72f16c95f6b4d03c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
A typo resulted in a value being overwritten and flagged as unused, fix the typo.
Change-Id: I512ba94321afb80d12c71ebbb0eec42d9fa6f299
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: If397b49861468eed29b964fa64b186f80eb0eceb
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iff550fd65f6e559b9fdfbbd53ef92d287c18166c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Also allow group write as default for CLI socket connections.
Change-Id: I6af1f277f70581358cd9241bf0f5cb0752fe250f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Icf9bd4abda058fb380f1a25d5fe3917ffb38b1c4
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
source is connected
Change-Id: I39fb0ec44cc322eaa12c0ff0700fc405d3982bfc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
The code path which sets the sw_if_index aimed to restrict the output
did not set the flag to trigger that output.
Change-Id: I0a1a3977fdddbce9a276960df43fed745d099ca0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
n_input == 0
The logic to print the line " output " is wrong for the case of n_input == 0,
and the applied ACLs are printed as if they were applied on input.
One may still figure out the truth by looking at the n_input value above,
but it is confusing.
Change-Id: I7b4a4d548e569994678dd1e139eb829456548b88
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ic2f2dc234199a5f882846880cbacff20fc8d477b
Signed-off-by: Igor Mikhailov (imichail) <imichail@cisco.com>
|
|
definition
Change-Id: I488d7c2b864c0e3661c8abf0363e4b97984d4974
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I15813167e7c8529f229143de4a8f64f0fb530951
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: If35171005e409f77bed4cc16eccb66a85aae5dfb
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
l2_classify memeber table_index was overlaid over l2.l2fib_seq_num
which over written when table_index gets initialized in l2_input_classify
solved by overlaying both table_index and opaque_index as only one is used
seperated l2fib seq num from l2_input configs
for better handling of theoretical ABA issue where an entry for a deleted
interface is considered valid by the ager because a different interface with
same sw_if_index and seq_num was created before the ager got a chance to delete
Change-Id: I7b0eeded971627406f1c80834d7e02c0ebe62136
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Disable CLI/API commands instead of error message on startup.
Change-Id: I313ed6e2ea009f573afb5e08b0e85ed1f9091dc3
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
In IP mode memif interface is L3 point-to-point interfaces and
we don't pass l2 header. There is no l2 header rewrite operation and
received packets are sent straight to ip4-input / ip6-input nodes.
Change-Id: I4177f3fce3004da7ecf14d235006ae053fcf3f09
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- limit minimum rto per connection
- cleanup sack scoreboard
- switched svm fifo out-of-order data handling from absolute offsets to
relative offsets.
- improve cwnd handling when using sacks
- add cc event debug stats
- improved uri tcp test client/server: bugfixes and added half-duplex mode
- expanded builtin client/server
- updated uri socket client/server code to work in half-duplex
- ensure session node unsets fifo event for empty fifo
- fix session detach
Change-Id: Ia446972340e32a65e0694ee2844355167d0c170d
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Ic81c6098d615fdb6a874e532921efd833fed872c
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Add a bihash-based ACL lookup mechanism and make it a new default.
This changes the time required to lookup a 5-tuple match
from O(total_N_entries) to O(total_N_mask_types), where
"mask type" is an overall mask on the 5-tuple required
to represent an ACE.
For testing/comparison there is a temporary debug CLI
"set acl-plugin use-hash-acl-matching {0|1}", which,
when set to 0, makes the plugin use the "old" linear lookup,
and when set to 1, makes it use the hash-based lookup.
Based on the discussions on vpp-dev mailing list,
prevent assigning the ACL index to an interface,
when the ACL with that index is not defined,
also prevent deleting an ACL if that ACL is applied.
Also, for the easier debugging of the state, there are
new debug CLI commands to see the ACL plugin state at
several layers:
"show acl-plugin acl [index N]" - show a high-level
ACL representation, used for the linear lookup and
as a base for building the hashtable-based lookup.
Also shows if a given ACL is applied somewhere.
"show acl-plugin interface [sw_if_index N]" - show
which interfaces have which ACL(s) applied.
"show acl-plugin tables" - a lower-level debug command
used to see the state of all of the related data structures
at once. There are specifiers possible, which make
for a more focused and maybe augmented output:
"show acl-plugin tables acl [index N]"
show the "bitmask-ready" representations of the ACLs,
we well as the mask types and their associated indices.
"show acl-plutin tables mask"
show the derived mask types and their indices only.
"show acl-plugin tables applied [sw_if_index N]"
show the table of all of the ACEs applied for a given
sw_if_index or all interfaces.
"show acl-plugin tables hash [verbose N]"
show the 48x8 bihash used for the ACL lookup.
Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I83a6c277fa211ac2c2ca2d603650c992886af0a7
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Id160346ebf533ee5f55bd735803624a75ed997b9
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Add optional keywords to show memif to allow display a particular
interface and option to display the descriptor tables. The new syntax for
the show memif command is now
show memif [<interface>] [descriptors]
Change-Id: I20696bbea1142bdc152b6e351c6ece24b1cf5500
Signed-off-by: Steven <sluong@cisco.com>
|
|
Current memif interface supports frame size up to 2048. This patch is to
enhance memif to support jumbo frames.
On tx (writing buffers to the ring), keep reading the next buffer in vlib
when the flag VLIB_BUFFER_NEXT_PRESENT and merge it to the same ring entry.
Use descriptor chaining if the buffer is not big enough.
On rx (reading buffers from the ring), if the packet is greater than 2048,
create multiple vlib buffers, chained with the VLIB_BUFFER_NEXT_PRESENT.
Testing:
Because the ping command provided by VPP does not support jumbo frames,
I have to use linux ping. Here is the set up that I use for testing.
VM1 --- vhost ---- VPP1 --- memif --- VPP2 --- vhost --- VM2
Create vhost-user interfaces between VM1 and VPP1 and between VPP2 and VM2
VM configuration:
Set the interface mtu on the VM, e.g 9216 to support jumbo frames.
create static route and static arp on VM1 to VM2 and vice versa.
Use iperf3 or ping -s 8000 from VM1 to VM2 or vice versa.
Sample run
sluong@ubuntu:~$ ping 131.1.1.1 -c1 -s 8000
ping 131.1.1.1 -c1 -s 8000
PING 131.1.1.1 (131.1.1.1) 8000(8028) bytes of data.
8008 bytes from 131.1.1.1: icmp_seq=1 ttl=62 time=0.835 ms
--- 131.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.835/0.835/0.835/0.000 ms
sluong@ubuntu:~$
DBGvpp# sh interface memif0
Name Idx State Counter Count
memif0 1 up rx packets 1
rx bytes 8042
tx packets 1
tx bytes 8042
ip4 1
DBGvpp#
Change-Id: I469bece3d45a790dceaee1d6a8e976bd018feee2
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I9999474c1a4b744f5d5880ee99a0293c576f2819
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: I25ccf8260dbe7e1550aee3904a688fc135ce1f03
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I2b78dad740b67fc05b0e2cf9c180809bc0962cd5
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Iab2aa5fd92b9e95049f55fce4177e236a482723c
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Id1139533c41cabef48394b5d79750608e0b74179
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
A bihash-per-interface is convenient, but turns out tricky difficult from
the maintenance standpoint with the large number of interfaces.
This patch makes the sessions reside in a single hash table for all the interfaces,
adding the lower 16 bit of sw_if_index as part of the key into the previously
unused space.
There is a tradeoff, that a session with an identical 5-tuple and the same
sw_if_index modulo 65536 will match on either of the interfaces.
The probability of that is deemed sufficiently small to not worry about it.
In case it still happens before the heat death of the universe,
there is a clib_warning and the colliding packet will be dropped,
at which point we will need to bump the hash key size by another u64,
but rather not pay the cost of doing that right now.
Change-Id: I2747839cfcceda73e597cbcafbe1e377fb8f1889
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I034efb9fc3ebb846c0aef07b18c1f110b8cbf3e3
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
The previous iteration of the code used the L2 classifier tables for session storage,
as a result, the table allocations were pretty big. The new ACL plugin
datapath uses the tables just as a redirection mechanism, without adding any
entries. Thus, the tables can be much smaller.
Change-Id: Ieec4a5abf0abda6e513ab4e675f912f14d47e671
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Best guess, tested carefully, should do no harm. Clang doesn't
complain either way; it's not certain that this patch will make the
coverity warnings in tw_timer_template.c disappear.
Change-Id: I75aa0cfd8970751e823a1165df2a755e947c4cf9
Signed-off-by: Dave Barach <dave@barachs.net>
|
Andrew Yourtchenko
Steven
Dave Barach
Pavel Kotucek
Neale Ranns
Eyal Bari
Ole Troan
Hongjun Ni
Florin Coras
Matus Fabian
Damjan Marion
Igor Mikhailov (imichail)
Filip Tehlar
Dave Wallace