Age | Commit message (Collapse) | Author | Files | Lines |
|
Just like commit 252647482b24bb3474e8f13bc86100718176832f
did for Wireguard interface keys, prevent stack smashing
the peer keys.
Integer math on 32 bytes of base64 data might yield 33 bytes
of data in some poorly formed user input of private key values.
Rather than smashing the stack (detected) and aborting, simply
allow for the possible yet irrelevant 33-rd byte of data.
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I9f77b3faaaa01d3123b356c958db60c87238db9c
|
|
- Add peer_index, table_id, and keep-alive.
- Fix some lingering cut-n-paste issues in the API file.
Type: improvement
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I6fc0729ba0268bbcda0248f680979c44e68b6b0c
|
|
This adds two new exported functions
for the clib_bihash
* clib_bihash_add_with_overwrite_cb allowing
to pass a callback to be called on overwriting
a key with bucket lock held.
* clib_bihash_add_del_with_hash doing an add_del
with a precomputed hash.
Type: feature
Change-Id: I1590c933fa7cf21e6a8ada89b3456a60c4988244
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: If24a43b7f79e05092306562c192de03994dec550
|
|
More generic vector heap code coming in another patch...
Type: refactor
Change-Id: I2327128fb3aba9d5d330f46a35afec32e1e3942e
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This is not to be used lightly.
The idea is to forces pool reallocs to be done only on main thread with
a barrier to make sure pools are always reallocated without
peekers/readers. If rpcs are delayed and the pool runs out of elements,
workers will block waiting for barrier and force the realloc.
Consumers of this api should be session layer and transports.
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I533272a29534338935a3fcf7027c0e7af2ca948c
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I88a747cac70cb88755f50c7b337207f4ba256530
|
|
Type: refactor
Change-Id: I3625eacf9e04542ca8778df5d46075a8654642c7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
vec_free() does the work
Type: refactor
Change-Id: I8a97607c3b2f58d116863642b32b55525dc15d88
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: Iaa1e43c87c5725ab33ea8489bff2a7bda18b9c79
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Immediate benefit is ability to use hugepage backed memory.
Type: improvement
Change-Id: Ibcae961aa09ea92d3e931a40bedbc6346a4b2039
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
When dNAT-ing to a VIP, it can happen
that the return session conflicts with
another forward session than the one
we own.
This patchs adds a rsession_flags
CNAT_SESSION_RETRY_SNAT that makes cnat_session_create
search for a free src port to use for the
resulting return session.
It also makes forward & return session
share their fate in the session scanner.
Type: fix
Change-Id: Id0edf59abf8e5bc0c0d8941ba289c4563c77dee0
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
Calling vnet_hw_if_register_tx_queue should
be done with the worker barrier held, as
virtio-pre-input might be grabbing a queue
while a memif connect event is triggered.
Change-Id: Ie1272cdfd2477faf7a4e10f30778279872f04916
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
There is no need to verify the checksum for packets that have the IP
checksum offload flag set. This uses the same logic as
ip4_ttl_and_checksum_check.
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Change-Id: I177b07212a992362a4c965c074dcecf1e504c593
|
|
Checking for existence of source address on interface prevents creating
session before assigning address to said interface. Removing this check
allows more flexibility when configuring BFD feature.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ia57960e29b5dbdb758a7a64193c28f21482f229e
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib3d1ac6c82bc0c00e445b15d4102e4fd755f8e2d
|
|
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ic8cc12788d9062f30faa992afaecc0c64078c4d7
|
|
Type: improvement
Change-Id: I17778e89674da0e8204713302e2293377bdabcbc
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
On the forst vector alloc values are stored into header.
Later, when vector grows values from header are used istead of provided
ones.
In the debug image code will assert if same values are not provided.
Type: improvement
Change-Id: I8fdcfa495e9c1df0f6392c90f634e8c74b73b328
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: Ibd29a717eaf12d795b3bceb31835d6fc655268b1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: Id705dab895602a60b053296b560ca3db5b0cd344
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Add missing translation of ICMP inner IP layer.
Change responsible test so that it actually tests something.
Type: fix
Fixes: 4881cb4c6f
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
|
|
For some unknown reason sometimes calling exec() ends up on weak
exec() defined in src/vat/api_format.c which return -1 instead of using
one few lines above.
Another proof that use of weak symbols is bad idea.
Luckily this can be easily workarounded.
Type: fix
Change-Id: Ic84e8525bff75c1b8186c233cd524aac4d95c8b5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib2e1d847607c9c7d928b174b87e5c21d53153ebe
|
|
Update persist timer if data sent during snd_wnd < snd_mss was acked.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5c75ff8ddc0e49750b2088237d32afa4eda99e7f
|
|
In order to support the requirement of RSS and packet steering of new
protocols, such as GTPU PDU-type and QFI, for 5G UPF, a generic pattern
is introduced in vnet flow. The generic flow pattern is based on DDP
(Dynamic Device Personalization) function and Parser Library module in
DPDK. Using generic flow pattern, we do not need to create new packet
and field type and offset in API parser for every new protocols. We can
create flows for any protocol immediately as long as supported by DDP.
The generic flow can be used to support 5G related protocols in
different scenarios.
The input of this generic pattern are two binary strings for spec and
mask. Spec is the binary presentation of the target packet type, and
mask is used to mark the target fields.
In this patch DPDK plugins is enabled for POC. Next step we will enable
generic flow in native IAVF, which is the main target.
Here is an example. If we want to create a flow for GTPU QFI,
spec is:
00000000000100000000000208004500003C00000000001100000101010102020202000
008680028000034FF001C00000000000000850100010045000014000000000000000001
01010102020202
mask is:
00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000007F0000000000000000000000000000
00000000000000
A naming API POC is created via VAPI to help create the rule with
the target packet format similar to Scapy. It is based on a function
module called PacketForge. In this way, the user no need to create
binary string spec and mask by themselves.
Type: feature
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Id3444f95c158bdcdfeeee19d795cd9ecbeeec07c
|
|
Type: improvement
Change-Id: I531115f32c484e4c4794173d24e15f3b5b8f547b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The index i was incremented in the wrong place, and the check on the
presence of a next buffer in the chain was actually done for the
next desc_status rather than the current one.
Type: fix
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: I74a64a34fea497900b7969cd96e1aeeb570a1bba
|
|
Rename vec_capacity to vec_mem_size as it returned the size of the
underlying memory allocation not the number of bytes that can be used
for vector elements.
Add new vec_max_elts macro that returns number of elements that can fit
into generic vector.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2e53a2bfa6e56a89af62d6ddc073ead58b8c49bb
|
|
Change-Id: I09d2da73eff42c52ba1373acc99ff28f283a6725
Type: improvement
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
With DPDK plugin, VPP does the DMA page map in IOMMU, only when
DPDK supported ethernet devices are present. As a result, Mellanox NIC
and QAT combo doesn't work. As part of this fix, DPDK supported
crypto device check is added to do the DMA page map.
Type: fix
Signed-off-by: mgovind <govindarajan.mohandoss@arm.com>
Change-Id: I02de4588c5b021e0c9c62612137f28ed8784bea6
|
|
Type: improvement
Change-Id: I85dd3d34bcb175dd68dda34a58cd454848a0fc2b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Fixes a minor issue that causes printing an error message when there is no error.
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I59f5c6af7c5aeae3e812b4cf0c75a47894bb8bbd
|
|
Type: fix
Change-Id: I298d2a5067f7949002e6c010f892553f1eb9f477
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
This patch improves the per dpdk-input loop number of packets
received from the port. The change mimics how packets rx happened
before VPP 22.02/DPDK 21.11: instead of trying to rx huge number
of packets (256) in one go, rx more times with up to 32 packets
max each time.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I804dce6d9121ab21b02e53dd0328dc52ac49d80f
|
|
Thanks to Ben McKeegan <ben@netservers.co.uk> for the report.
Type: fix
Change-Id: I8170dda572c326b6b1823fd330dbd5e961fdad74
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
The tlsmbedtls plugin should only be built if mbedtls libraries are
present.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I24364177d24ea744f24f808f492be08adff3690b
|
|
This fixes a crash caused by client closing socket before adding worker.
During detach vpp tries to delete worker based on invalid worker index.
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3242bcbb116ef5fd1d4c449f5bcf907e4e2f8f30
|
|
Type: refactor
Change-Id: Ieb7a595e40d801af5349c83b128fa92c7698a346
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: I2eb5543aa470094d4c5ad420a2fcc9873b7808e1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Recent "dpdk: refactor device setup" have broken vlans programming for IXGBE_VF.
Type: fix
Signed-off-by: Dzmitry Sautsa <dzmitry.sautsa@nokia.com>
Change-Id: Idacda33a473f6b10dbe002d9926661a19d0f3f97
|
|
Type: refactor
Change-Id: If180816303909b92c9aa4ff9fd70dc7938a6cfbe
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: refactor
Change-Id: I0a40e22e1439e13ffdbcbd6fd7cad40c8178418c
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3425350f5e874df79716bd726900540629793beb
|
|
Type: fix
The l2unfragmentable size is not included in the calculation of 'max', the maximum amount of data that can be added to a fragment, therefore the fragments created are too big.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id1e949ad98203b6f8ea2f55322ef6fa3d507e2a6
|
|
Type: refactor
Change-Id: Ifd533a095d979dc55bfbe5fac7e0b7510a4d900c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Deadly combination is clib_{set,long}jmp + lazy linking + tail call compiler
optimization. On the first call to clib_setjmp, dynamic linker executes loader
code which then calls clib_setjmp, so stored stack position contains dynamic
loader data. Tail call optimization simply jumps back to the calling
code when clib_longjump is called and that results in wrong return
address used from the stack.
Change-Id: Ia7d8dbd5b2c425cdd0449374aa07ab6b684a330e
Type: fix
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: feature
Change-Id: Ica3e60836c0f26518ba2c238a8c03ce3648ea69b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
|
|
While setting an ACL, a user can specify the adjacency to follow after
the input ACL node. Thus, we may skip a lookup and enter directly a
local node (ex: ip4_local). To prevent the local source check from
failing, we need to specify the fib index. And, we have to do it just
before exiting the input ACL node because the l2_classify object
is overlapping with the fib_index in the vnet_buffer_opaque_t struct.
We could have added a padding to avoid this overlap but there is no
place for that in the structure.
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
|