Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
If an SA protecting an IPv6 tunnel interface has UDP encapsulation
enabled, the code in esp_encrypt_inline() inserts a UDP header but does
not set the next protocol or the UDP payload length, so the peer that
receives the packet drops it. Set the next protocol field and the UDP
payload length correctly.
The port(s) for UDP encapsulation of IPsec was not registered for IPv6.
Add this registration for IPv6 SAs when UDP encapsulation is enabled.
Add punt handling for IPv6 IKE on NAT-T port.
Add registration of linux-cp for the new punt reason.
Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
|
|
Free up the vapi context in case of failure.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I4f64e8718014d714f1b82877e69d2354b5fa44fb
|
|
Crypto backend errors should not be using the same error as missing
keypair.
Type: fix
Change-Id: I78c2b3df3f08a354463b7824349b08627f2b023c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IPv6 payload length should not include the size of the IPv6 header.
Type: fix
Change-Id: Iedcd17d0af8d72d9b5f8f9b605da7c99e151bc9d
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Fix a copy-n-paste issue that left clib_bitmap_set()'s return
type documentation incorrect. Chnage it to indicate that
the function returns a new pointer for the bitmap that could
be different due to a possible reallocation.
Type: docs
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Ia193c4673c0e4d1760e91cd7f80ebe1868a3c9b5
|
|
Previously, each address maintained an array of 32-bit
reference counts for each of 65K possible ports for each
of 4 NAT protocols. Totalling 1MB per address. Wow.
A close read of the code shows that an "is used" check
precedes each attempted reference count increment.
That means the refcount never actually gets above 1.
That in turn means algorithmically, a bit vector is
sufficient. And one need not be allocated for more
than the highest validated port referenced.
These changes introduce a dynamically sized bit vector
replacing the reference counts, for a maximum of 32K
if all 4 protocols use port 65535. In fact, protocol
OTHER is never used, so at most 24K will be used, and
none of it will be "statically" allocated per address.
Type: fix
Fixes: 85bee7548bc5a360851d92807dae6d4159b68314
Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Zero-initialize the temporary struct on stack.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I89ced4cca8e832827fe054e2e60986de5910360c
|
|
Zero-initialize the temporary struct on stack.
Type: fix
Change-Id: I651f87deeb79c6c073d5c510435fa268893a3b0e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: improvement
plus the addition of the 'thorttle' counter of IP6.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic845247a9f3288caa755c33e79ae2eb6d2029d09
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3d36faa60075658fd59eb5bbe16efcb48664691b
|
|
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload
to enable stronger guarantees of forward secrecy.
When the KEi payload is included in the CREATE_CHILD_SA request,
responder should reply with the KEr payload and complete the key
exchange, in accordance with the RFC.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51
|
|
Zero-initialize the temporary struct.
Type: fix
Change-Id: I6f7a35ace6002aa75dc986c7c7eca614c9c5c3ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a missing null check
Type: fix
Change-Id: Id1b27341480c9d62185496ae1d832360119ec198
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a missing null check.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ie6234804e2b89adc918ef9075f9defbb1fd35e44
|
|
We validate each descriptor via memif_validate_desc_data and set
desc_status to non-zero for the corresponding descriptor when
the descriptor is bad. However, desc_status is not propagated back to
xor_status in memif_validate_desc_data which eventually sets
ptd->xor_status.
Not setting ptd->xor_status causes us to treat all descriptors as
"simple". In that case, when we try to copy also the bad descriptors to
the buffers, it results a crash since desc_data is not set to point
to the correct memory in the descriptor.
The fix is to set xor_status in memif_validate_desc_data such that if
there is a bad descriptor in the frame, "is_simple" is set to false and
we have to selectively copy only the good descriptors to the buffers.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598
|
|
Type: fix
After peers roaming support addition, FIB entry tracking stopped
working. For example, it can be observed when an adjacency is stacked on
a FIB entry by the plugin and the FIB entry hasn't got ARP resolution
yet. Once the FIB entry gets ARP resolution, the adjacency is not
re-stacked as it used to. This results in endless ARP requests when a
traffic is sent via the adjacency.
This is broken because the plugin stopped using "midchain delegate" with
peers roaming support addition. The reason is that "midchain delegate"
didn't support stacking on a different FIB entry which is needed when
peer's endpoint changes. Now it is supported there (added in 36892).
With this fix, start using "midchane delegate" again and thus, fix FIB
entry tracking. Also, cover this in tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
|
|
Type: improvement
Currently, once an adjacency is stacked on a FIB entry via
adj_midchain_delegate_stack(), "midchain delegate" is created for the
adjacency and the FIB index is stored there. And all further calls to
adj_midchain_delegate_stack() even passing another FIB index will cause
the function to still use the stored one. In other words, there is
currently no way to stack an adjacency on another FIB index if "midchain
delegate" already exists for it.
Being able to stack on another FIB index is needed for the wireguard
plugin. As per the protocol, peers can roam between different external
endpoints. When an authenticated packet is received and it was sent from
a different endpoint than currently stored, the endpoint needs to be
updated and all futher communication needs to happen with that endpoint.
Thus, the corresponding to that peer adjacencies need to be stacked on
the FIB entry that corresponds to the new endpoint.
With this change, add adj_midchain_delegate_remove() that removes
"midchain delegate". When stacking on another FIB entry is needed,
existing "midchain delegate" can be removed and then, a new one created
with a new FIB index via adj_midchain_delegate_stack().
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ibc1c99b248a5ef8ef64867f39f494fab627a1741
|
|
In several NAT submodules, the number of available ports (0xffff - 1024)
may not be divisible by the number of workers, so port_per_thread is
determined by integer division, which is the floor of the quotient.
Later when a worker index is needed, dividing the port with port_per_thread
may yield an out-of-bound array index into the workers array.
As an example, assume 2 workers are configured, then port_per_thread
will be (0xffff - 1024) / 2, which is 32255. When we compute a worker
index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2,
but since we only have 2 workers, only 0 and 1 are valid indices.
This patch fixes the problem by adding a modulo at the end of the division.
Type: fix
Signed-off-by: Jing Peng <pj.hades@gmail.com>
Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
|
|
we need cancel vrrp_vr_timer when deleting vrrp vr
Type: fix
Signed-off-by: luoyaozu <luoyaozu@chinatelecom.cn>
Change-Id: I8ea01f1943d6e3e60c4990c5be945de613bc8b53
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I18b9d0d67f5fe4c1714427259df29026153d8dd1
|
|
like tcp punt
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I894a881cec1888b392d26fdfb385f97c31113ef1
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I9d25f5459ab70d9cf8556e44cfddfd7029e5b540
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I822ead1495edb96ee62e53dc5920aa6c565e3621
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifda8ca8d26912c750a77d2ca889e1638ca83d85a
|
|
Type: improvement
If a tun/L3 interface is paired with a multipoint tunnel interface,
pass packets arriving from the host to ip[46]-lookup instead of
cross-connecting them to the tunnel interface. Adjacencies are used
to drive the rewrite for Multipoint tunnel interfaces, so the generic
adjacency used with a P2P tunnel will not work correctly.
Change-Id: I2d8be56dc5029760978c05bc4953f84c8924a412
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
API and internal flags do not match 1:1.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I0f4e53b2e071d1c9fffd1b97bf28b4789887b032
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
|
|
Type: improvement
This method allows the assignment of a severity to the error.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id1a414a88018390d03bd6b16bd048a98903bab5a
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8907fecde6d48f5362f0f91372d5a9a1bba6f931
|
|
Type: feature
With this change, peers are able to roam between different external
endpoints. Successfully authenticated handshake or data packet that is
received from a new endpoint will cause the peer's endpoint to be
updated accordingly.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
|
|
Type: feature
With this change, if being under load a handshake message with both
valid mac1 and mac2 is received, the peer will be rate limited. Cover
this with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
|
|
Type: feature
stats of the like from:
https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184
|
|
Change-Id: I42a138628b06a412b8fce7fb4fc500caf9057169
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
This change implement a flavour of vlib_validate_buffer_enqueue_x1 with
aux data support
Change-Id: I2ecf7af49cf15ecd23b12d8acd57fe90546c1af7
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Change-Id: I2f3163a7a158afa8e2debc6f545c3d1a2a12ac1d
Type: fix
Fixes: 3414977152ae6362277158dc732e6b9958a6e618
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Change-Id: I6bed66f740b34673a4883eda1c7f7310c57e131b
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is
received, but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
|
|
In set_hw_interface_change_rx_mode(), when vnet_hw_if_set_rx_queue_mode()
returns an error it actually returns success. This has been changed to
return a clib_error_return() value.
Type: fix
Change-Id: Iba39c875d9e15463cb6492d8a966234560a1f522
Signed-off-by: Wayne Morrison <wmorrison@netgate.com>
|
|
Type: improvement
This patches makes the make json-api-files
run in parallel in the same python runtime.
Default number of workers is 8, and run time
goes from ~20s to ~2s on average.
Change-Id: Id8cff013889db2671f6b6b4af9a019460c656f81
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
Change-Id: I0abbe925d6b9d3dd7196cd8beaf4f471beb45bd6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
May cause pointers point to unexpected non-zero addresses if not
validate vec
Type: fix
Change-Id: Ie4d3343d6734125b98e0dc962e33e0c7514da829
Signed-off-by: GaoChX <chiso.gao@gmail.com>
|
|
Type: feature
Currently, if a handshake message is sent and a cookie message is
received in reply, the cookie message will be ignored. Thus, further
handshake messages will not have valid mac2 and handshake will not be
able to be completed.
With this change, process received cookie messages to be able to
calculate mac2 for further handshake messages sent. Cover this with
tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
|
|
This patch fixes followig coverity issues:
CID 274739 Out-of-bounds read
CID 274746 Out-of-bounds access
CID 274748 Out-of-bounds read
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I9bb6741f100a9414a5a15278ffa49b31ccd7994f
|
|
Fix parse problem with per-prefix settings (e.g. valid-lifetime)
in ip6 ra.
Type: fix
Signed-off-by: me@hrntknr.net
Change-Id: I2a00bf5b9621ebc16211227d70e376fc2f61bae1
|
|
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I39e3e007da2b99321bebf3e1c1ebb1d87547f532
|
|
Type: fix
Receive router solicitation in pop vlan interface, it will cause copy mac address to wrong buffer current_data and can not reply the solicitation right
Signed-off-by: liangrq <liangrq@efly.cc>
Change-Id: Ic40a5a47a52c8187aaf6c6854df761529e6f24d9
|
|
format_base10 reads 64b but is fed 32b values at the callsite; change
to u64 consistently. The function has only one call site in
interface/monitor.c which has a few additional bugs (spurious
character, and ambiguous 'bits' versus 'bytes' in the output).
Type: improvement
Signed-off-by: Pim van Pelt <pim@ipng.nl>
Change-Id: I360f0d439cc13c09bd3f53db8184bd12ad4bc2e9
|