Age | Commit message (Collapse) | Author | Files | Lines |
|
Classify table for output node should be cleaned up
after deleting macip ACL.
Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Group Base Policy (GBP) defines:
- endpoints: typically a VM or container that is connected to the
virtual switch/router (i.e. to VPP)
- endpoint-group: (EPG) a collection of endpoints
- policy: rules determining which traffic can pass between EPGs a.k.a
a 'contract'
Here, policy is implemented via an ACL.
EPG classification for transit packets is determined by:
- source EPG: from the packet's input interface
- destination EPG: from the packet's destination IP address.
Change-Id: I7b983844826b5fc3d49e21353ebda9df9b224e25
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: Ib9eb65d2ba166f5883a8ce8d37298c696113f2be
Signed-off-by: Chun Li <chunl2@cisco.com>
|
|
interface reconnect.
Change-Id: Ifc7eb2494a22c334d8899422545fca1a4bba4d05
Signed-off-by: Chun Li <chunl2@cisco.com>
|
|
L2 ACL
There was no test coverage for the L2 ACL (other than indirect by
means of ACL plugin tests), so the enabling of the outbound ACL
got fumbled throughout the revisions of the refactoring.
Fix both issues - the error and the lack of test coverage for L2 ACL.
Change-Id: Ib7f42780ef84b4a4f70bd88d7319aeeda866cf06
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ib04a8787038fb536470a04d99fdc165102edfb5a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
In the case that vhostuser server accepted more than one client connection,
'vui->clib_file_index' will be overwritten directly without release the possible
existed resource, so file descriptor leak occurs
Change-Id: I89d08133dae31a12a815df2631334dbf0aefeb1e
Signed-off-by: Haiyang Tan <haiyang.tan.dev@gmail.com>
|
|
Enable CLIB_HAVE_VEC128 if both aarch64 and __ARM_NEON
ie. armv8 only, not armv7
Add more neon compare intrinsics wrappers.
I only add simple intrinsics wrappers. More complex ones can be added
later as they are needed, with performance tests on the corresponding
feature to back them up.
Remove wrongly added 128bits definitions defined on both armv7 and armv8
without concern for NEON instructions presence.
Notable correspondinf code activations:
* MHEAP_FLAG_SMALL_OBJECT_CACHE in mheap.c
* ip4 fib mtrie leaves access
* enable ixge plugin compilation for aarch64
(conf still disables it by default)
Change-Id: I99953823627bdff6f222d232c78aa7b655aaf77a
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This patch addresses some bugs discovered with the shutdown phase which
were causing the actual chunks not to leave the output_node.
While fixing the issue some minor refactoring was also performed to
align the internal functions to a 'common' design.
Change-Id: Ieac4f6e78cffad2e6982536f8e9f190a66f328f7
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Change-Id: I6d91c8051de786fb8781cd0750ea9c350036b306
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Reference-count the number of entries in each bucket. If the reference
count goes to zero, free the backing store.
Add long-term churn-testing to test_bihash_template.c, thanks to
Andrew Yourtchenko for the initial implementation.
Change-Id: I4fbd9229cacfaba8027a85cbf87b74afdead6e39
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
This is the second patch, using the new functionality from the change 10002
in order to implement the egress filtering on the MACIP ACLs.
This adds an action "2" which means "add also egress filtering rules for this
MACIP ACL.
The reason for having the two choices is that the egress filtering really takes
care of a fairly corner case scenario, and I am not convinced that
always adding the performance cost of the egress lookup check is worth it.
Also, of course, not breaking the existing implementations is a nice plus,
too.
Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
conn cleaner threads interactions
This replaces some of the early-stage commented-out printf()s with
an elog-based debug collector.
It is aimed to be "better than nothing" initial implementation to be available
in the field. It will be refined/updated based on use. This initial code
is focused on the main/worker threads interactions, hence uses just
the worker tracks.
This code adds a developer debug CLI "set acl-plugin session table event-trace 1",
which allows to gather the events pertaining to connection cleaning.
The CLI is deliberately not part of the online help, as the express
declaration that the semantics/trace levels, etc. are subject to change
without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Needed to allow other code paths to reuse them.
Change-Id: I9e469527c6b2e9a6fec7af5f17d8b400a2e85826
Signed-off-by: Vijayabhaskar Katamreddy <vkatamre@cisco.com>
|
|
Change-Id: I0b8ebe2c47fdd1e23a91723a7b454a0c1c8b996e
Signed-off-by: Keith Burns (alagalah) <alagalah@gmail.com>
|
|
If one is not selected by the user, the next available id
will be allocated, thus maintaining backward compatibility.
Change-Id: I4691ed0638b8072f9cfa9f20b9fe4f981e708800
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
The thread0 in some configurations can handle the traffic.
Some of the previous fixes accomodated for that, but
the interrupt sending for connection clearing
was not adapted to that, resulting in a deadlock
during clearing of all connections...
Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
(VPP-1085)
The NEON implementation searches particular address in
VHOST_MEMORY_MAX_NREGIONS regions. Searching two regions at a
time.
Change-Id: Icc3c6746bc98e3a1fa71424e51b64f62efbfdc74
Signed-off-by: Nitin Saxena <nitin.saxena@cavium.com>
|
|
In multi-worker cases, af-packet tx was subject to a pretty
serious race condition as the device lock was obtained
after some queue values were read from queue.
Result could go from packet loss to queue inconsistency, leading
to tx being stuck for 'some time'.
The fix is really simple. Finding the problem was not...
Change-Id: Ib18967b7459a8609428a56de934c577cea87b165
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound
classifier-based ACL would be needed. There was an existing incomplete
code for outbound ACLs, it looked almost exact copy of input ACLs, minus
the various enhancements, trying to sync that code seemed error-prone
and cumbersome to maintain in the longer run.
This change refactors the input+output ACLs processing into a unified
routine (thus any changes will have effect on both), and also adds
the API to set the output interface ACL, with the same format
and semantics as the existing input one (except working on output
ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields
in the vnet_buffer_opaque_t, since the code is using l2_classify.*
The net_buffer (p0)->ip.save_rewrite_length is rescued into
l2_classify.pad.l2_len, and used to rewind the header in case of
drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I853386aebfe488ebb10328435b81b6e3403c5dd0
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Iba7c398a398e24b96eb536bbcefa841bd153a205
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
error: passing an object that undergoes default argument promotion to
'va_start' has undefined behavior [-Werror,-Wvarargs]
Change-Id: Id342beea916ec73e29e399087532caecfa19055f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I1771a1cca2a4bc394677b2a18f14c47f0633fa77
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This patch teaches worer threads to sleep and to be waken up by
kernel if there is activity on file desctiptors assigned to that thread.
It also adds counters to epoll file descriptors and new
debug cli 'show unix file'.
Change-Id: Iaf67869f4aa88ff5b0a08982e1c08474013107c4
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This patch address the need to send/receive heartbeats between peers.
At the same time, the number of unacked heartbeats is tracked and when
the peer requests to send DATA to the remote-peer the value of unacked
heartbeats needs to be checked against the maximum value allowed for
retransmissions. If the unacked heartbeats value is higher then the
remote-peer is considered unreachable and the connetion needs to be
shutdown.
Change-Id: I2b1a21c26775e734dbe82486f40982ed5702dc63
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Change-Id: I2421197b76be58099e5f8ed5554410adff202109
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I7834e676c23a697a12a6e06111c68450ba787fc9
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
When the number of threads results being more than 1, the spinlock
structure requires to be initialized otherwise subsequent calls to
the "lock" API (clib_spinlock_lock_if_init) would result in a void
operation.
Change-Id: Ia268c4687252e41962bb3f1217f0a849d8c40385
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Normally session keys are generated by mirroring the packets sent.
ICMP message type should be used and inverted for the stateful ACL.
Supported ICMP messages with this patch:
- ICMPv4: Echo/Timestamp/Information/Address Mask requests
- ICMPv6: Echo request/Node Information Queury
The invmap & valid_new tables can be modified to make any other
ICMP messages to be reflexive ACL.
Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
For some files such as hugepages files, ftruncate() fails with the error
"Invalid argument" if the 'length' parameter is not on a page boundary.
Change-Id: I42a9cde98707da15e3c5d1653046e2277fc7a424
Signed-off-by: Igor Mikhailov (imichail) <imichail@cisco.com>
|
|
- use valloc as a 'central' segment baseva manager
- use per segment manager segment pools and use rwlocks to guard them
- add session test that exercises segment creation
- embed segment manager properties into application since they're shared
- fix rw locks
Change-Id: I761164c147275d9e8a926f1eda395e090d231f9a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Ic5e8d74bf5ac84cce5661de44778c89541c67636
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Add an ASSERT to vlib_process_signal_event_helper to catch future
instances of passing node_index = 0 to vlib_process_signal_event().
Change-Id: Iec896fc7c3917feb2fd3198cea42851ba88e64e5
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
This patch addresses the need to calculate the RTO / RTT and RTTVAR
according to the rules depicted by the RFC4960 at section 6.3.1
Change-Id: I1d346f3c67610070b3f602f32c7738d58b99ffed
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
1. Replace the magic number '-1' with MAP_FAILED
2. On x86 platform, QEMU uses vhostuser required the memory back-end is file based,
the file could be tmpfs(4K page size) or hugetlbfs(2M or 1G page size)
Change-Id: If1818cb6833728d641f68e4d4a3bc645e70f2ee6
Signed-off-by: Haiyang Tan <haiyang.tan.dev@gmail.com>
|
|
Change-Id: Ide577f036d9d8dcedd99cdb4666a0eaf8a19b92e
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I2548ebd37e16bed50b5c8046b728415a341413e3
Signed-off-by: Keith Burns (alagalah) <alagalah@gmail.com>
|
|
Change-Id: Idddb60bbc7fcc701d39212f6422a6b2f6dc75221
Signed-off-by: Florin Coras <fcoras@cisco.com>
(cherry picked from commit cba3675fabe618194bf80a9de0e9c53b89a541ca)
|
|
Change-Id: I5b7117f3568e3ba979baa15521b2cfc180abb682
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Clients cannot know at svm region detach time if the shm backing files
have been recreated (e.g., if vpp restarts) and therefore should not try
to unlink them. Otherwise, terminating clients attached to previous
instantiations of a re-allocated region end up making the new instance
un-mappable by removing its backing file.
Change-Id: Idcd0cab776e63fd75b821bc9f0fac58217b9ccbe
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: Id96dc5d86719546268b50a9999a06387d2d9075c
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
L3DSR is used to overcome Layer 2 limitations
of Direct Server Return Load Balancing.
It maps VIP to DSCP bits, and reuse TOS bits to transfer it
to server, and then server will get VIP from DSCP-to-VIP mapping.
Please refer to https://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk45.nanog51-Schaumann.pdf
Change-Id: I403ffeadfb04ed0265086eb2dc41f2e17f8f34cb
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
This patch addresses the need to handle out-of-order data chunks
received by a peer. To do that effectively, we had to add the handling
of data chunks flags (E/B/U bit) to understand whether the stream is
fragmenting user-message data and in that case if a fragment is the
FIRST/MIDDLE/LAST one of a transmission.
The same patch also addresses the security requirement to have a HMAC
calculated and incorporated in the INIT_ACK and COOKIE_ECHO chunks. The
algorithm used is the HMAC-SHA1.
Change-Id: Ib6a9a80492e2aafe5c8480d6e02da895efe9f90b
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Change-Id: Ic5dcadd13c88b8a5e7896dab82404509c081614a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Prior to this commit, the VXLAN "create" API assumed
the vrf_id belonged to only the IPv4 FIB tables space.
With this commit, the FIB table is found in either the
IPv4 or IPv6 table as determined by the is_ipv6 flag.
This follows the same pattern that was already being
done in the CLI code for the VXLAN "create" command.
Change-Id: I35d5e37db24efa858e4696dc2c004fa64bb4a4a8
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Rather than having multiple copies of the same function
scattered around, promote the function into the FIB
PROTOCOL definitions in fib_types.h.
Change-Id: I11c4d85931167d3a5f3dc1278afecc8845b23cd7
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Fixed a typo in tcp_push_header(). The typo only kicks in when the macro
VLIB_BUFFER_TRACE_TRAJECTORY is enabled.
Change-Id: I62832a4932ec5b14e3063d5eac113780851aae59
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I7110436626352d45ffe0ca71fb88dea2c77ab639
Signed-off-by: Eyal Bari <ebari@cisco.com>
|