Age | Commit message (Collapse) | Author | Files | Lines |
|
The stateful ICMP/ICMPv6 handling got broken.
Fix that and introduce testcases to catch in the future.
Change-Id: Ie602e72d6ac613d64ab0bf6693b6d75afb1a9552
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I21ad6b04c19c8735d057174b1f260a59f2812241
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This reverts commit c8efa29b6f9a91381897b54f1147daf922ed7164.
Change-Id: I1d5c5773d5f86a63073e255336bd9de628e26179
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This reverts commit d5c60b96a3fd93916fc4af5c8d6d25625c28242e.
Change-Id: I3632b9c3f76c615aee897f28f76d094e7031e689
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: I2e092774f81503e04b53cc6c6b5d357fe3fc52ab
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I1fcc742699a60ef99ce97b35f7b964ee6ad29ddf
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
During the testing of 94f9a6de3f706243d138e05b63fef1d5c8174f6c
I realized there was no test coverage for the cases where
the ACLs are added then modified while having beein applied.
This change adds some simple shuffling to l2l3 ACL test set,
whereby after each of the ACLs being applied, a few extra ACLs
are applied at the front and the back of the list, and are changed
several times, the base for the changes being the set of all the
ACEs that are being applied previously.
After these few shuffles, the routine restores the applied ACLs
and proceeds to the test as usual.
Change-Id: Ieda2aa5b7963746d62484e54719309de9c1ee752
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I1d3818027b8a1fcb1ec12016e3476b5c22a2d5a5
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a bihash-based ACL lookup mechanism and make it a new default.
This changes the time required to lookup a 5-tuple match
from O(total_N_entries) to O(total_N_mask_types), where
"mask type" is an overall mask on the 5-tuple required
to represent an ACE.
For testing/comparison there is a temporary debug CLI
"set acl-plugin use-hash-acl-matching {0|1}", which,
when set to 0, makes the plugin use the "old" linear lookup,
and when set to 1, makes it use the hash-based lookup.
Based on the discussions on vpp-dev mailing list,
prevent assigning the ACL index to an interface,
when the ACL with that index is not defined,
also prevent deleting an ACL if that ACL is applied.
Also, for the easier debugging of the state, there are
new debug CLI commands to see the ACL plugin state at
several layers:
"show acl-plugin acl [index N]" - show a high-level
ACL representation, used for the linear lookup and
as a base for building the hashtable-based lookup.
Also shows if a given ACL is applied somewhere.
"show acl-plugin interface [sw_if_index N]" - show
which interfaces have which ACL(s) applied.
"show acl-plugin tables" - a lower-level debug command
used to see the state of all of the related data structures
at once. There are specifiers possible, which make
for a more focused and maybe augmented output:
"show acl-plugin tables acl [index N]"
show the "bitmask-ready" representations of the ACLs,
we well as the mask types and their associated indices.
"show acl-plutin tables mask"
show the derived mask types and their indices only.
"show acl-plugin tables applied [sw_if_index N]"
show the table of all of the ACEs applied for a given
sw_if_index or all interfaces.
"show acl-plugin tables hash [verbose N]"
show the 48x8 bihash used for the ACL lookup.
Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
(VPP-682)
This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows to change the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the begining a bogus rule
which would deny the L4 traffic.
Also, add a knob which allows to potentially turn this behavior off
in case of a dire need (and revert to dropping all non-initial fragments),
via a debug CLI.
Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
|
|
L3 path support, L2+L3 unified processing node, skip IPv6 EH support.
Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|