Age | Commit message | Author | Files | Lines |
|
Crypto algorithms have different requirements on key length. As we do
not support key stretching (eg. PBKDF2), user must provide the exact
key length used by the algorithm.
Failing that means low-level crypto functions might read garbage (eg.
aes128_key_expand() will read 16-bytes, regardless of the key provided
by the user).
Change-Id: I347a1ea7a59720a1ed07ceaad8b00a31f78458c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Change-Id: I9894a0c613b0486112623920d49371ceec9e6111
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: Ibf5c283217a985e43a562f1969573eeb26ee6017
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
string name [limit = 64];
Meta-data to do argument validation.
Change-Id: I1f3e0f09b2d5285224399413d25206f77bd3f4b1
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
These were introduced with the switch to unbound tail/head size, so they
only affect master. Added unit tests to avoid future surprises.
Change-Id: I83b6c9efbe31d8092ba59b8e2ed46f4da97f35db
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
With this commit, VTR attributes are shown not only for subinterfaces
but for all interfaces.
Change-Id: I498185d905c0bf48431cddb916165f8e9c841b1f
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
- nonce construction out of salt and iv is ipsec specific so it should be
handled in ipsec code
- fixes GCM unit tests
- GCM IV is constructed out of simple counter, per RFC4106 section 3.1
Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
In endpoint dependent mode, when a session at the head of a user
LRU is reused, if the IP protocol for that session was unknown (any
other than tcp, udp, or icmp), the attempt to delete the session
mapping from the in2out bihash was not using the same key that was
used when the mapping was added. This would cause the deletion of
the mapping to fail. If packets arrive later which match the original
session, the search for the session key would succeed when it should
have failed and the session, which is now associated with a different
pair of endpoints, may end up being updated when it should not be.
Update the key generation when reallocating an existing session to
do the right thing if the session is for an unknown protocol.
Also update format_nat_session() for unknown protocols so that
'vppctl show nat44 session detail' will display the protocol
correctly. In endpoint dependent mode, the IP protocol is stored in
the port field on a session if the protocol is unknown. The value
is stored in host byte order, but the format function was swapping
the bytes before writing the protocol.
Change-Id: I9e8daadd4569cb2610532dab4e4f41d1567cf3d1
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When you create two identical NAT44 static mappings using interface
name as external address and only local or ext port is different,
VALUE_EXIST will be raised but when-resolved static mapping will
remain.
vpp# nat44 add static mapping tcp local 10.128.0.129 443 external GigabitEthernet0/8/0 8443
vpp# nat44 add static mapping tcp local 10.128.0.129 80 external GigabitEthernet0/8/0 8443
nat44 add static mapping: Mapping already exist.
vpp# show nat44 static mappings
NAT44 static mappings:
tcp local 10.128.0.129:443 external 2.2.2.2:8443 vrf 0
tcp local 10.128.0.129:443 external GigabitEthernet0/8/0:8443 vrf -1
tcp local 10.128.0.129:80 external GigabitEthernet0/8/0:8443 vrf -1
With this commit, when-resolved static mapping is not created if the
translation only differs in local or ext port.
Change-Id: Ifc960b9dc1371caa2a8d3206a80a0ffd10d293e4
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Change-Id: Ie96706b4d8bcb32d2d5f065bc765f95f4e9369e7
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
"break;" will never be run after "return;"
Change-Id: I4fdfd10406fdf61897078746d28fa1ee32fb0081
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
... at least for use cases we are interested in
Change-Id: I1156ff354635e8f990ce2664ebc8dcd3786ddca5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Both firefox and chrome seem happy to browse a hugo-generated site
Change-Id: Id216ad9c781643df42ac4fbce598eb2afa600f4d
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Idc3763c38f5aa638d4f290f4d4730577601d78b8
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Change-Id: I73f76c25754f6fb14a49ae47b6404f3cbabbeeb5
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I984f347fb465c0c405cef668d8690457e81788e2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
This reverts commit 7f2d57b69ea031cc6110b3a1f4c1ef1c35b67181.
Change-Id: I23c3b4d2dab6e13cc8fbbf0ac9d0cfd8af3241c1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: If8b2c8942db17a853883360885def47ce50e7ddd
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I58e713661a38cecbfdebd4609292d9d12e880cd2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Id7fcaf8590f9f2dcccdebea0ad31c7ecd1cbc8af
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I51e0d4a9ec62514a85bbe4c5f56a48d60ab6f4e4
Signed-off-by: John Lo <loj@cisco.com>
|
|
This allows QUIC & TLS specific logic to be implemented, and meaningful
IP/port to be returned when connection is overridden.
Change-Id: Id79c59fe4d7b16d36f0e96ad3e281c4026b5fe65
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
vlib_get_buffers can save at least 1.2 clocks/pkt for ip4_lookup_inline
on Haswell.
Change-Id: I730fc346cec4d2eb5ca364308e45268bda4d5f89
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
Change-Id: Ia092a93a7ac0cbf9338f9d4a5db8b94b23549a13
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Main thread: don't bother with the barrier sync hold-down timer if
none of the worker threads are busy.
Worker threads: avoid epoll_pwait (10ms timeout) when the
control-plane has been active in the last half-second.
Change-Id: I82008d09968c65e2a4af0ebb7887389992e60603
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Iab07697ef482529e62c11433cffa1f8f894e5bb7
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Change-Id: Ib4a64f17831e2419f1d6140a6d24649c096bdfa5
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
Change-Id: I65e7188c6893acca67455ff37f2dfbd0bedd5c09
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I79fc55f36a9b83957f84619bdf8cef08acc8ec24
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: If23a04623a7138c9f6c98ee9ecfa587396618a60
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Ic4e882b784e5773198e55bd97b1bbd3d6dda888a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I50a6bcc127e4b44becc4b694bdd3018ac9bfab5c
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Make full use of well optimized function vlib_get_buffers
for ethernet_input_inline.
Change-Id: Iee7df570b87fa95c0902895686a62386d730f9a1
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
Change-Id: I6151e57643ebed42f51b795980db2c52084295ab
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Change-Id: I638facf6e2128334c3d1a5a8494f378505831e1b
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I2492400a67b39a3adbc24ab7cf1ba17a409e95a8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: Icf0cff122dfbd260a2865b6c83531f4a8c726132
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Handle the case where buffer overflows.
Then SOCK_SEQPACKET assumption that multiple API messages
are not returned by recv() is broken. Use SOCK_STREAM for
API exchanges instead.
Add support for running tests over sockets.
make test SOCKET=1
Change-Id: Ibe5fd69b1bf617de4c7ba6cce0a7c2b3f97a2821
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: Ifeaf93c98e4af92da9409fa5a2114b577e8c0937
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This reverts commit bed1421b9f1b3643d93384084972337b596aec73.
/vpp/master3/src/plugins/nat/nat_api.c: In function ‘send_nat_worker_details’:
/vpp/master3/src/vppinfra/clib.h:62:33: error: division ‘sizeof (u8 * {aka unsigned char *}) / sizeof (u8 {aka unsigned char})’ does not compute the number of array elements [-Werror=sizeof-pointer-div]
#define ARRAY_LEN(x) (sizeof (x)/sizeof (x[0]))
^
/vpp/master3/src/plugins/nat/nat_api.c:205:43: note: in expansion of macro ‘ARRAY_LEN’
rmp = vl_msg_api_alloc (sizeof (*rmp) + ARRAY_LEN (w->name) - 1);
^~~~~~~~~
Change-Id: Ie82672c145fb2f6580827f95e535435307bc7a23
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This is a temporary measure, to allow CSIT usage
of VAT command sw_interface_dump without arguments.
Change-Id: Ic40adfcc89d92179e213afc497e4e71bbc0dad83
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Change-Id: I519d7efc8ee3c86381d96be2e2a46017cd948895
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: Ic75df36e06a77730ff8764f96d3cf53c4e59923b
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Remove the duplicated code and unnecessary operations.
Change-Id: I78005848d29d3156165627926a79015d590d61a6
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
The memory areas storing vlib_buffer_t and ip4|6_and_esp_header_t
are not prefetched. The patch helps dpdk_esp_encrypt to reduce 18
clocks/pkt from 149 to 131 on Haswell when running IPsec in tunnel
mode.
Change-Id: I4f4e9e2b3982a4b7810cab8ed828a5e4631f8f8c
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
The graph node running IPsec encap in tunnel mode can be saved
from 65.8 to 57.3 clocks/pkt on Haswell platform.
The graph node can be saved 10 clocks/pkt on DVN as well in the
same case.
Change-Id: I4804879c4d489465ee56a8f8317596b7e79b9331
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
The macro for x86 platform is wrong, and the patch fixes it.
Change-Id: I4f0ed254b177d6863fbe9113308c6a8b4478e0b2
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|