Age | Commit message (Collapse) | Author | Files | Lines |
|
When NAT44 forwarding is disabled, if a DHCP server-to-
client packet arrives on an outside interface, it is
handled correctly by setting the next node to the next
feature on the ip4-unicast feature arc, where it can be
processed.
When NAT44 forwarding is enabled, if a DHCP server-to-
client packet arrives, it is not handled any differently
than other packets and ends up going to ip4-lookup
which results in the packet being dropped.
Move the check for DHCP server-to-client packets outside
of the block that is executed if forwarding is disabled so
DHCP replies will be processed in either case.
Change-Id: Ia795cce3fd459f3252c2c17d53bb88ceaeaafca4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Prior to this fix vppapigen would just do a crc32 on the Python representation
of the file as a set of dictionaries. That of course was not a good idea.
Change-Id: Ie454736ffec02fa4679ab27e684b1d6c6406a0f1
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: Icfb99a09726c01e96ff14967afbafa4116e02eff
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
Change-Id: I686254b332a4527cb0cad3c5c0a17ea4c9f40e1d
Signed-off-by: Andrey "Zed" Zaikin <zed.0xff@gmail.com>
|
|
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
The users of ACL lookup contexts might not check the data they supply,
so do it on their behalf in this function, and return an error if
an ACL does not exist or if they attempt to apply the same ACL twice.
Change-Id: I89d871e60f267ce643f88574c83baf9cd0a2d7b3
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit e5cbccf35f4d230afafa633abbc88e64ef33d758)
|
|
using the inline functions
The acl_main struct, which is defined in the acl_plugin, is not visible when
the ACL plugin inline code is being compiled within the context of other plugins.
Fix that by using the global pointer variable, which exists in both the ACL plugin
context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
|
|
Change-Id: If536ae142dc0109b587d92981d337bc6f15e070a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
lb session with the same user maybe deleted.
Change-Id: Ie58579cf4f8babb594f3c44aa185720134c58c3d
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
|
|
Change-Id: I6400b77de388c01e85209e5dc5f11ccafb79a459
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: Iaadfbc75832e37ae52511b25448da14116214fc1
Signed-off-by: Francois Clad <fclad@cisco.com>
|
|
With no IPv4 output features on an IPsec tunnel inferface,
when packets are forwarded to that interface, they reach
the ipsec-if-output node via the output_node_index on the
hw interface and they are handled correctly.
When an IPv4 output feature (e.g. output ACL, outbound
NAT) is enabled on an IPsec tunnel interface, outbound
IPsec stops working for that interface. The last node in
the ip4-output feature arc is interface-output. From there
a packet is sent to ipsec<N>-output, and then ipsec<N>-tx.
The tx function for an IPsec tunnel interface that is
called by ipsec<N>-tx is a dummy that doesn't do anything
except write a warning message.
Enable a feature on the interface-output feature arc for
an IPsec tunnel interface so the ipsec-if-output node is
reached from the interface-output node.
Change-Id: Ia9c73d3932f5930ec7ce0791a0375b1d37148b01
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
We need to keep original linked list so destructire can remove entries.
Change-Id: I5ff5ca0e1a417d88707255207725bba46433c943
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I50ff0cacf88182f8e0be19840c50f4954de586e2
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I32f68e2ee8f5d32962acdefb0193583f71d342b3
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I71660eb327124179ff200763c4743cc81dc6e1c6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
dpdk plugin self-disables if there are no hugepages available
Change-Id: Ib286e1a370deeb21248e6e961573ef9c68759b4c
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I0efd03bdb84bc9ff2334d398bfdb82486228114a
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I2b1d1035f810cb58356626cf081d46eb289265b4
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
If l2-fwd node does not find an L2FIB entry for DMAC of packet,
use input feature bitmap to find next node instead of always
sending packet to l2-flood node to perform unknow unicast flood.
It provides possibilty of using other feature to forward unknow
unicast packet instead of flooding the BD.
Change-Id: I56b277050537678c92bd548d96d87cadc8d2e287
Signed-off-by: John Lo <loj@cisco.com>
|
|
Adopt nova naming convention for vhost-user interfaces.
Change-Id: If70f0828106bf594eb11d4f0ed2898a35ec0af15
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I78a4176f98c2b4630a57ac5ddb7faf58ba0c4ee1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Id775efb2e85d850e510d00f1b48bb711a3342397
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I3700fc1d140e30da783e41762670618f0298c7db
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I92ca28d3007f7ea43cd3e8b20659e400dfa6c75c
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: I81d870ab9fc0b1f0e1b777d56ca7870ff99c7c2c
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Change-Id: Ibcffee7d20dbb79720199bcd82d2353f39d5544f
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Change-Id: I65306fb1f8e39221dd1d8c00737a7fb1c0129ba8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Use device-input and interface-output feautre arcs to collect unicast, multicast
and broadcast states for RX and TX resp. Since these feature arcs are present only
for 'physical' interfaces (i.e. not su-interfaces) counter collection is supported
only on parent interface types.
Change-Id: I915c235e336b0fc3a3c3de918f95dd674e4e0e4e
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: Ia99490180683e8649784f7d9d18c509c3ca78438
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I32b30210c2f1aec10a1b614d04f427662326a3d2
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ifb4d23059b7989c32a52eaf0c25c275b35e83010
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
dpdk-input was dropping packets with bad ip-checksum on l2 interfaces
Change-Id: Ife5b52766bb71e878b1da6e94ae7b8a1e59fc478
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
This change fixes a bug which would corrupt features infra by making
feature infra resistant to double-removal. It also fixes 'out of memory'
issue by properly initializing the bihash tables.
Change-Id: I78ac03139234a9a0e0b48e7bdfac1c38a0069e82
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I148cb40c8bea55dabe54fa6a662d46862e571640
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
virtio_free_rx_buffers uses the wrong slot in the vring to get
the buffer index. It uses desc_next. It should be last_used_idx
which is the slot number for the first valid descriptor.
Change-Id: I6b62b794f06869fbffffce45430b8b2e37b1266c
Signed-off-by: Steven <sluong@cisco.com>
|
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Id2884a4c2208b4382fce56019b11e4b7fdc4275b
Signed-off-by: Maciek Konstantynowicz <mkonstan@cisco.com>
|
|
Coverity has started whining about uint32_t missing in this .h
Change-Id: I57992121c0593d6a0ada35917802d0300cf91259
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Do fast-rate if we are not yet synchronized with the partner.
Stop sending LACP updates as a flash in the worker thread. Just expire the
timer and let the lacp_process handle sending LACP PDU.
Change-Id: I8b36fe74e752e7f45bd4a8d70512c0341cc197a1
Signed-off-by: Steven <sluong@cisco.com>
|
|
For the debug image, if the interface is removed and the trace was
collected prior to the interface delete, show trace may cause a crash.
This is because vnet_get_sw_interface_name and vnet_get_sup_hw_interface
are not safe if the interface is deleted.
The fix is to use format_vnet_sw_if_index_name if all we need is to
get the interface name in the trace to display. It would show "DELETED"
which is better than a crash.
Change-Id: I912402d3e71592ece9f49d36c8a6b7af97f3b69e
Signed-off-by: Steven <sluong@cisco.com>
|
|
xd->flags is set incorrectly when a slave link is down in bonded interface mode.
This can result in VPP crash when data traffic flows to the interface.
Change-Id: Ideb9f5231db1211e8452c52fde646d681310c951
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Minor bug fixes
CID 183000: double close
CID 180996: dead code
CID 180995: NULL deref
CID 181957: NULL deref
CID 182676: NULL deref
CID 182675: NULL deref
Change-Id: Id35e391c95fafb8cd771984ee8a1a6e597056d37
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Use sw_if_index[VLIB_TX] if set as fib index when doing the urpf check.
Change-Id: I5ec3e7f7a54c6782704d91e9a5614fd0f7f9e3de
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
only one counter update per frame (was updated per iteration)
only access ethertype for casts (was always accessing ethertype)
Change-Id: I3a3c3219ec63e975cf5bd8cf2d93103932a4aaa3
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: I373cc252df3621d44879b8eca70aed17d7752a2a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Causes subtle misbehavior elsewhere
Change-Id: I3a0ade26e8e03b8c5dc8e722f6a01fb99ec7a1e0
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I5695d51dd4f6daff472877fe1cce3ddcb924b187
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
rename "enslave interface <slave> to <BondEthernetx>" to
"bond add <BondEthernetx> <slave>
"detach interface <slave>" to
"bond del <slave>"
Change-Id: I1bf8f017517b1f8a823127c7efedd3766e45cd5b
Signed-off-by: Steven <sluong@cisco.com>
|
|
Following TCP fixes from Florin (11430), this patch follows the same
approach to indicate a fib (not just using the default one).
Change-Id: Ib883aa0e9a1c6157acfea69c44426ba07d6c932a
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|