Age | Commit message (Collapse) | Author | Files | Lines |
|
This patch adds SCTP support in the CNat translation primitives.
It also exposes a clib_crc32c_with_init function allowing to set
the init value to start the crc32 with instead of 0.
Type: feature
Change-Id: I86add4cfcac08f2a5a34d1e1841122fafd349fe7
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
- Use the latest IPsec Multi-Buffer library release v1.3
- Use ipsec-mb burst API for HMAC-SHAx algorithms
- Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms
The new burst API available in ipsecmb v1.3 brings significant
performance improvements for certain algorithms compared to the job API.
Type: feature
Signed-off-by: marcel.d.cornu@intel.com
Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
|
|
otherwise the next time the counter is validated this is dangling.
Type: fix
Fixes: 58fd481d73
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifa8d5ff27175cf6dfb30cbf023fa3251fe5c780e
|
|
Delete redundant help information in ip neighbor's
cli. There is no code implementation about fib-id and
proxy in the cli's subsequent process.
Type: fix
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
Change-Id: I1e276aad030409e3f2f62fee489ea95d316e67b5
|
|
CLI lcp default clear or lcp default netns hangs in an infinite while loop.
Type: fix
Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: I699338abc045c84361707260adbb5b574a383170
|
|
Coverity complains dead codes in 2 places due to a recent commit as
pointed out in Fixes. The dead codes are
if (seed < L2_BD_ID_MAX % 2)
is_seed_low = 1;
and
if (is_seed_low)
seed += (2 * (i % 2) - 1) * i;
seed can never be less than (L2_BD_ID_MAX % 2).
Consequently, is_seed_low is always 0.
There is also other problem. The inner loop is iterating only once.
The fix is to greatly simplify the code to generate a random bd_id.
Type: fix
Fixes: Ieb6919f958f437fc603d5e1f48cab01de780951d
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I318773b9a59950920e051548ef14e36054ebd5e6
|
|
Session debug code does not compile anymore due to vlib_mains global
variable disappearing over time. Replace it with vlib_get_main_by_index
call.
Add a cmake variable and pass it from make command line to enable
session debug. Notice transport debug is required for session debug.
make rebuild VPP_EXTRA_CMAKE_ARGS=-DVPP_TCP_DEBUG_ALWAYS=ON VPP_EXTRA_CMAKE_ARGS+=-DVPP_SESSION_DEBUG=ON
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ic2e887c6b10b77cbabd56934f4931fcfa04a6751
|
|
Type: improvement
Change-Id: Ibf683c9ba8a2751e0b40920f6735cfe0a35a6e6d
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
Type: improvement
Change-Id: I4a75583ce718ba6466cd09ca8373fd43988ef62a
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
Type: improvement
Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
https://jira.fd.io/browse/VPP-2034
Type: fix
Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech>
Change-Id: Ieb6919f958f437fc603d5e1f48cab01de780951d
|
|
When checking for CLIB_SANITIZE_ADDR to enable specific behavior for
AddressSanitizer, we must have vppinfra/clib.h included as it is defined
there.
Type: fix
Change-Id: I9060c3c29c1289d28596c215a1d1709b2ea7c84e
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
existing details report the last_heard as the seconds since VPP
started, this is not very useful, so report additionaly
time_since_last_heard in seconds between VPP time and
last_heard.
Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738
Type: improvement
Signed-off-by: Dave Cornejo <dcornejo@netgate.com>
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
|
|
Fix vpp crash when create vxlan/vxlan-gpe/geneve/gtpu tunnel
with 0.0.0.0 dst ip in debug build. The ASSERT should be move
out of fib_prefix_from_ip46_addr, which may be called when
create vxlan/vxlan-gpe/geneve/gtpu tunnel with 0.0.0.0 dst ip.
How to reproduce:
1. build debug vpp and run vpp
2. create vxlan t src 192.168.0.2 dst 0.0.0.0 vni 1 instance 1
create vxlan-gpe tunnel local 192.168.0.2 remote 0.0.0.0 vni 1
create geneve tunnel local 192.168.0.2 remote 0.0.0.0 vni 1
create gtpu tunnel src 192.168.0.2 dst 0.0.0.0 teid 1
Type: fix
Change-Id: I19972f6af588f4ff7fd17de1b16b9301e43d596f
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
|
|
Some files include tcp_debug.h without including <vpp/vnet/config.h>
As a result, those files do not get VPP_TCP_DEBUG_ALWAYS option
set. The fix is to include <vpp/vnet/config.h> in tcp_debug.h
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I0c141147f1e8d1b49c5a1440fac1e97cbd96aaa7
|
|
Add cmake option to enable TCP_DEBUG_ALWAYS.
make rebuild VPP_EXTRA_CMAKE_ARGS=-DVPP_TCP_DEBUG_ALWAYS=ON
make rebuild VPP_EXTRA_CMAKE_ARGS=-DVPP_TCP_DEBUG_ALWAYS=OFF
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I911a8d615f76516ae0a988bc6135c3b0d8fcb3df
|
|
this patch adds a mode to urpf in order to perform the lookup in a specified vrf instead of the interface vrf
Type: feature
Change-Id: Ieb91de6ccdfbf32b6939364f3bebeecd2d57af19
Signed-off-by: hedi bouattour <hedibouattour2010@gmail.com>
|
|
Type: improvement
Change-Id: Ie035bebf64226691cffc84484e4bf7310287d1b7
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
Type: fix
The handler for abf_itf_attach_add_del was always returning 0. Set rv to
the return value of call to abf_itf_attach() or abf_itf_detach().
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb888bb148e6e03fc2776e2384b3a6e26148a429
|
|
Type: feature
Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech>
Change-Id: I98bc108360f9d04a33126865ce49d2702cbe9cdf
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I9d5004f8764b1833e5ca825bc52345e23770c6bc
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I07b694323e0f6745dec2b846785026b152d78af6
|
|
adj_delegate_adj_created() is incorrectly called when an existing
adj is found and returned. This can lead to crashes in some cases
in the pmtu delegate:
(gdb) bt
0 0x00007f2aa8fc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
1 0x00007f2aa8fb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
2 0x0000564361b5403a in os_exit (code=code@entry=1) at ./src/vpp/vnet/main.c:437
3 0x00007f2aa9271a3e in unix_signal_handler (signum=11, si=<optimized out>, uc=<optimized out>) at ./src/vlib/unix/main.c:188
4 <signal handler called>
5 0x00007f2aa9970d5a in fib_table_get_table_id_for_sw_if_index (proto=FIB_PROTOCOL_IP4, sw_if_index=<optimized out>) at ./src/vnet/fib/fib_table.c:1156
6 0x00007f2aa964aebf in ip_pmtu_adj_delegate_adj_created (ai=8) at ./src/vnet/ip/ip_path_mtu.c:197
7 0x00007f2aa9993ee5 in adj_delegate_adj_created (ai=ai@entry=8) at ./src/vnet/adj/adj_delegate.c:166
8 0x00007f2aa998dbde in adj_mcast_add_or_lock (proto=proto@entry=FIB_PROTOCOL_IP6, link_type=link_type@entry=VNET_LINK_IP6, sw_if_index=sw_if_index@entry=7) at ./src/vnet/adj/adj_mcast.c:95
9 0x00007f2aa95c7b3e in ip6_link_enable (sw_if_index=7, link_local_addr=link_local_addr@entry=0x0) at ./src/vnet/ip/ip6_link.c:217
10 0x00007f2aa9621587 in vl_api_sw_interface_ip_enable_disable_t_handler (mp=0x7f2a4fa5ad10) at ./src/vnet/ip/ip_api.c:108
11 0x00007f2aaa3b7e44 in msg_handler_internal (free_it=0, do_it=1, trace_it=<optimized out>, msg_len=<optimized out>, the_msg=0x7f2a4fa5ad10, am=0x7f2aaa3cc020 <api_global_main>) at ./src/vlibapi/api_shared.c:593
12 vl_msg_api_handler_no_free (the_msg=0x7f2a4fa5ad10, msg_len=<optimized out>) at ./src/vlibapi/api_shared.c:810
13 0x00007f2aaa3a1702 in vl_socket_process_api_msg (rp=<optimized out>, input_v=<optimized out>) at ./src/vlibmemory/socket_api.c:208
14 0x00007f2aaa3a95d8 in vl_api_clnt_process (vm=<optimized out>, node=<optimized out>, f=<optimized out>) at ./src/vlibmemory/memclnt_api.c:429
15 0x00007f2aa9226f37 in vlib_process_bootstrap (_a=<optimized out>) at ./src/vlib/main.c:1235
16 0x00007f2aa91824a8 in clib_calljmp () at /builds/graphiant/graphnos/vpp/debian/output/source_dir/src/vppinfra/longjmp.S:123
17 0x00007f2a47cf5d60 in ?? ()
18 0x00007f2aa922853f in vlib_process_startup (f=0x0, p=0x7f2a494dc000, vm=0x7f2a489ed680) at ./src/vlib/main.c:1260
19 dispatch_process (vm=0x7f2a489ed680, p=0x7f2a494dc000, last_time_stamp=<optimized out>, f=0x0) at ./src/vlib/main.c:1316
20 0x0000000000000000 in ?? ()
(gdb)
Type: fix
Change-Id: I2d3c041e0be8284471771c7882c89f743baab0e5
Signed-off-by: Peter Morrow <pdmorrow@gmail.com>
|
|
Change-Id: Id8d6ab96a710cdd207068cf19a6363bbcd584de4
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Change-Id: Ia5ec7fc0c71e6a0ad1b43df24bb6b88e616d260d
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Change-Id: I2040b560b2a00f8bd176ae6ad46035678a2b249e
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
It looks like tcp_time_now has been deprecated for a while and the
replacement is tcp_time_now_us
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ifaed2632baa49d489d4e03f2623d8cc9a6f36e64
|
|
Type: improvement
Signed-off-by: ChinmayaAgarwal <chinmaya.agarwal@hsc.com>
Change-Id: I27d5981a77d4166a92db9ecf73d9b0eed962ec19
|
|
Need to fill frp_addr for local path, it's used by dpo-receive.
If not, address output can be invalid:
$ sudo vppctl sh ip6-ll fe80::dcad:ff:fe00:3/128
IP6-link-local:loop3, fib_index:2, locks:[IPv6-nd:1, ]
fe80::dcad:ff:fe00:3/128 fib:2 index:55 locks:2
IPv6-nd refs:1 entry-flags:connected,import,local, src-flags:added,contributing,active,
path-list:[72] locks:2 flags:shared,local, uPRF-list:58 len:0 itfs:[]
path:[82] pl-index:72 ip6 weight=1 pref=0 receive: oper-flags:resolved, cfg-flags:local,glean,
[@0]: dpo-receive: 8000:100:fe80::dcad:ff on loop3
forwarding: unicast-ip6-chain
[@0]: dpo-load-balance: [proto:ip6 index:57 buckets:1 uRPF:58 to:[0:0]]
[0] [@2]: dpo-receive: 8000:100:fe80::dcad:ff on loop3
Type: fix
Change-Id: Ib9874c5eac74af789e721098d512a1058cb8e404
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
Encode entropy value in UDP source port when requested per RFC 7510.
CLI already has "src-port-is-entropy", use zero UDP source port in API
to avoid breaking changes, since zero port is not something to be used
in wild.
Also, mark UDP encapsualtion API as mp-safe as already done for CLI.
Type: feature
Change-Id: Ieb61ee11e058179ed566ff1f251a3391eb169d52
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I2901628d23f9b81edb32d0ced3877e5799a6cec7
|
|
Type: refactor
Change-Id: I7b7ca9ec62cb70243c5b7e87968eab1338d67ec8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
default RLIMIT_MEMLOCK is 64. if we use multi af_xdp interfaces or
load complex bpf program, libbpf will return permission error.
root cause is default 64 is not large enough. So we change it before
load bpf program.
Type: fix
Change-Id: Ia6aed19c9256c498cf1155586a54a32b3f444105
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Type: fix
Currently, when a wg interface is administratively disabled initially or
during operation, handshake packets continue to be sent. Data packets
stop being sent because routes pointing to the wg interface will not be
used. But data keys remain.
With this fix, when a wg interface is administratively disabled during
peer creation, avoid connection initialization to the peer. Data keys
and timers should be empty at this point. When a wg interface is
disabled during operation, disable all peers (i.e. stop all timers,
clear data keys, etc.). Thus, state should be identical in both cases.
When a wg interface is administratively enabled, enable all peers (i.e.
get ready to exchange data packets and initiate a connection). Also,
cover these scenarios with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
|
|
Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c
Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
with it
PS. openSSL 3.x.x
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If715a80228548b4e588cee222968d9da9024c438
|
|
Type: fix
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
Change-Id: Ia447420f692f1487d343886845d648d766e43c27
Signed-off-by: Chen Yahui <goodluckwillcomesoon@gmail.com>
|
|
Validate version and IHL regardless of present options.
Originally VPP would accept seriously damaged headers in case IHL != 5.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Ifd59622efa63dfad7f6e4858dec40ccac3274574
|
|
Type: fix
As per the protocol:
A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms,
if a response has not been received...
Currently, if retransmit handshake timer is started, it will trigger
after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake
initiation via wg_send_handshake() given that no responses have been
received. wg_send_handshake() will verify that time stored in
REKEY_TIMEOUT has passed since last handshake initiation sending and if
has, will send a handshake initiation. Time when a handshake initiation
was last sent is stored in last_sent_handshake.
The problem is that last_sent_handshake is not only updated in
wg_send_handshake() when sending handshake initiations but also in
wg_send_handshake_response() when sending handshake responses. When
retransmit handshake timer triggers and a handshake response has been
sent recently, a handshake initiation will not be sent because for
wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT
has not passed yet. Also, the timer will not be restarted.
wg_send_handshake_response() must not update last_sent_handshake,
because this time is used only when sending handshake intitiations. And
the protocol does not say that handshake initiation retransmission and
handshake response sending (i.e. replying to authenticated handshake
initiations) must coordinate.
With this fix, stop updating last_sent_handshake in
wg_send_handshake_response().
Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds
and did not receive any handshake initiations. Then they fail.
Also, long-running tests that send wrong packets and do not expect
anything in reply may now receive handshake intiations, consider them as
replies to the wrond packets, and fail. Those are updated to filter out
handshake initiations in such verifications. Moreover, after sending
wrong packets, error counters are already inspected there to confirm
packet processing was unsuccessful.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
|
|
The previous patch[37164] was a bit flawed.
Type: fix
Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
Change-Id: Ia9d8b9c7853e8f4b960ce7de26d0384243deb667
|
|
Type: improvement
Change-Id: I7f7050c19453a69a7fb6c5e62f8f57db847d9144
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: I6edbff9a02fcb3c592ccfe8f47ddb3f848be1b6d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Outgoing packets can be now traced via:
trace add bfd-process <count>
Type: improvement
Change-Id: Ia19af6054289b18f55e518dbea251a2bee9b9457
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
This patch introduces fast path matching for inbound traffic ipv6.
Fast path uses bihash tables in order to find matching policy.
Adding and removing policies in fast path is much faster than in current
implementation. It is still new feature and further work needs
and can be done in order to improve the perfromance.
Type: feature
Change-Id: Iaef6638033666ad6eb028ffe0c8a4f4374451753
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
|
|
Type: docs
Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
This adds the ability to specify we want an IPv4 route via an IPv6 adj
and vice-versa.
Type: improvement
Change-Id: I5f7f1ab89fc60244d31c26155bbd9b0db690257c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When manually adding neighbor entries for proxy-arp, those will be
fib-adj entries. Check for proxy-arp instead of dropping immediately.
Type: improvement
Change-Id: Id311159f2966c99719dc2a67d4d2bc92bf366029
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When ESTABLISHED TCP connection is terminated by an RST packet,
EPOLLHUP + EPOLLRDHUP would be updeliever by VCL. If not using
VPP, app would receive EPOLLHUP + EPOLLERR + EPOLLIN(if requested) +
EPOLLRDHUP(if requested).
libevent will interpret the two cases as different EV combinations.
Below is the code snippet for libevent v2.12:
if (what & EPOLLERR) {
ev = EV_READ | EV_WRITE;
} else if ((what & EPOLLHUP) && !(what & EPOLLRDHUP)) {
ev = EV_READ | EV_WRITE;
} else {
if (what & EPOLLIN)
ev |= EV_READ;
if (what & EPOLLOUT)
ev |= EV_WRITE;
if (what & EPOLLRDHUP)
ev |= EV_CLOSED;
}
Type: fix
Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
Change-Id: Ice3d2861183b6ea499f66b727bbe175eeae5cb05
|
|
Type: fix
Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
It's known there're one or more 32-bit increments in the ip
header. So just check ip router alert option length with minimal
performance impact, and don't care of the total options length.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I46dd06516f793846b931a1dc8612f2735f8d24d3
|
|
Also check for non-zero rpath length in CLI cmd.
While there, no need to use "else" after a return.
Also while there, notice and fix numerous input_line
buffer leaks and fix them.
Type: fix
Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8
|