aboutsummaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2023-02-10sr: support define src ipv6 per encap policyTakeru Hayasaka2-2/+193
Can to define src ip of outer IPv6 Hdr for each encap policy. Along with that, I decided to develop it as API version V2. This is useful in the SRv6 MUP case. For example, it will be possible to handle multiple UPF destinations. Type: feature Change-Id: I44ff7b54e8868619069621ab53e194e2c7a17435 Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
2023-02-10tests: use existing pip compiled req file for building the run.py venvNaveen Joy1-18/+1
pip compiled requirements file named requirements-3.txt exists in the test directory. No need to auto-generate it again Type: improvement Change-Id: Ib2b51c983af8d0e4b000e4544012b6cd94405519 Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-10tests: use iperf3 for running interface tests on the hostNaveen Joy1-1/+20
Type: improvement Change-Id: I7123591932d51ce0c5b372893454945bbd3913b2 Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-08ip6-nd: support dump/details for IPv6 RAAlexander Chernavin1-0/+79
Type: improvement With this change, add support for dumping IPv6 Router Advertisements details on a per-interface basis (or all). Also, cover that with a test. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I89fa93439d33cc36252377f27187b18b3d30a1d4
2023-02-06ipsec: fix SA names consistency in testsArthur de Kerhor5-127/+127
In some IPsec tests, the SA called scapy_sa designs the SA that encrypts Scapy packets and decrypts them in VPP, and the one called vpp_sa the SA that encrypts VPP packets and decrypts them with Scapy. However, this pattern is not consistent across all tests. Some tests use the opposite logic. Others even mix both correlating scapy_tra_spi with vpp_tra_sa_id and vice-versa. Because of that, sometimes, the SA called vpp_sa_in is used as an outbound SA and vpp_sa_out as an inbound one. This patch forces all the tests to follow the same following logic: - scapy_sa is the SA used to encrypt Scapy packets and decrypt them in VPP. It matches the VPP inbound SA. - vpp_sa is the SA used to encrypt VPP packets and decrypt them in Scapy. It matches the VPP outbound SA. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: Iadccdccbf98e834add13b5f4ad87af57e2ea3c2a
2023-02-03nat: fix accidental o2i deletion/reuseDmitry Valter1-2/+73
Nat session is allocated before the port allocation. During port allocation candidate address+port are set to o2i 6-tuple and tested against the flow hash. If insertion fails, the port is busy and rejected. When all N attempts are unsuccessful, "out-of-ports" error is recorded and the session is to be deleted. During session deletion o2i and i2o tuples are deleted from the flow hash. In case of "out-of-ports" i2o tuple is not valid, however o2i is and it refers to **some other** session that's known to be allocated. By backing match tuple up session should be invalidated well enough not to collide with any valid one. Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: Id30be6f26ecce7a5a63135fb971bb65ce318af82
2023-02-02policer: API policer selection by indexMaxime Peim2-22/+116
Policer API calls were only by policer name. It is now possible to select a policer by its index. Some functionalities are also added to allow updating a policer configuration and to refill its token buckets. Some dead codes are being removed, and small fixes made. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I4cc8fda0fc7c635a4110da3e757356b150f9b606
2023-02-01wireguard: update ESTABLISHED flagArtem Glazychev1-1/+29
We cannot confidently say that if we have received and processed the handshake_initiation message, then the connection has been established. Because we also send a response. The fact that the connection is established can only be considered if a keepalive packet was received. Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I61731916071990f28cdebcd1d0e4d302fa1dee15
2023-01-31tests: refactor quic tests to use app-socket-apiDave Wallace1-25/+40
- clean up nomenclature & use f-strings where applicable Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I561b7808cfc3fbfa463f7698732d19759d9ddcd4
2023-01-26wireguard: sending the first handshakeArtem Glazychev1-0/+33
After creating a peer, we send a handshake request. But it's not quite right to call wg_send_keepalive() directly. According to documentation, handshake initiation is sent after (REKEY_TIMEOUT + jitter) ms. Since it's the first one - we don't need to take REKEY_TIMEOUT into account, but we still have jitter. It also makes no sense to immediately send keepalives, because the connection is not created yet. Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I61707e4be79be65abc3396b5f1dbd48ecbf7ba60
2023-01-25api: pcap capture api updateMaxime Peim1-1/+73
Allow enabling and disabling pcap capture via the API. A little bug is fixed along the way in vl_api_classify_pcap_set_table_t_handler. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I096129c82aecdc82bee5dbfb5e19c76a51d80aab
2023-01-18lb: add source ip based sticky load balancingNobuhiro MIKI1-2/+42
This patch adds source ip based sticky session, which is already implemented in many hardware LBs and software LBs. Note that sticky sessions may be reset if the hash is recalculated as ASs are added or deleted. Since this feature is unrelated to the other existing options, the lb_add_del_vip API version has been upgraded to v2 and a new option "src_ip_sticky" has been added. Type: feature Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp> Change-Id: I3eb3680a28defbc701f28c873933ec2fb54544ab
2023-01-18tests: improve packet checksum functionsKlement Sekera1-6/+21
Fool-proof assert_checksum_valid so that one does not verify checksum on wrong layer (because of how scapy internally works). Make assert_packet_checksums_valid start checksum checking at inner layers and outwards to make it more obvious where the error is. With old behaviour, if one received an ICMP packet carrying a truncated TCP packet, an error would be raised for ICMP checksum, as that one would be the first to be wrong after recalculating all packet checksums, while the real issue is TCP header being truncated and thus unsuitable for use with this function. Type: improvement Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I39a2b50ec5610f969cfde9796416ee3a50ae0ba3
2023-01-16ipsec: fix transpose local ip range position with remote ip range in fast ↵Piotr Bronowski1-32/+35
path implementation In fast path implementation of spd policy lookup opposite convention to the original implementation has been applied and local ip range has been interchanged with the remote ip range. This fix addresses this issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
2023-01-12abf: exclude networks with deny rulesJosh Dorsey1-0/+126
Type: improvement Signed-off-by: Josh Dorsey <jdorsey@netgate.com> Change-Id: Iee43ca9278922fc7396764b88cff1a87bcb28349
2022-12-21quic: fix quic plugin with openssl 3.xDave Wallace1-2/+1
- load openssl legacy providers during quic init when building with openssl 3.0 or greater - re-enable quic 'make test' testcases on ubuntu-22.04 Type: fix Change-Id: Icfd429b6bc1bddf9f9937baa44cc47cd535ac5f2 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-12-16ipsec: new api for sa ips and ports updatesArthur de Kerhor3-6/+61
Useful to update the tunnel paramaters and udp ports (NAT-T) of an SA without having to rekey. Could be done by deleting and re-adding the SA but it would not preserve the anti-replay window if there is one. Use case: a nat update/reboot between the 2 endpoints of the tunnel. Type: feature Change-Id: Icf5c0aac218603e8aa9a008ed6f614e4a6db59a0 Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2022-12-15nat: disable nat44-ed/ei features on interface deletionVladislav Grishenko2-2/+100
After deleting a sw interface with nat44 features, the next created sw interface will get the same sw_index reused and therefore will erroneously have the same nat features enabled. Type: fix Change-Id: I1d84f842ab7ab2a757668ae1a111efe67e1e924d Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-12-13tests: tapv2, tunv2 and af_packet interface tests for vppNaveen Joy7-135/+1191
Tests gso/gro-coalesce features on tapv2, tunv2 and af_packet interfaces to ensure that packet transmission is enabled correctly for various MTU sizes and interface combinations in bridged and routed topologies for IPv4 and IPv6. Interface tests are dynamically generated at run time from the config file vm_test_config.py. Type: test Change-Id: I5f9d8cc80d20b4e34011fc8a87e35659bd9613bc Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-12-07tests: multiple apidir locationsOle Troan3-2/+15
To support testing of external plugins, add support to the test framework and PAPI for specifying a list of locations to look for api.json files. Type: improvement Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I128a306e3c091dc8ef994801b1470b82d2f4595d Signed-off-by: Ole Troan <ot@cisco.com>
2022-11-29wireguard: compute checksum for outer ipv6 headerArtem Glazychev1-9/+86
Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I477e92712e441c91789afdf9be389d967acfa799
2022-11-21tests: add VCL Thru Host Stack TLS in interrupt modeFilip Tehlar1-0/+22
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I7d5a9e9fedfc85bd7fad88f8eae1e46476ec0b7b
2022-11-18ipsec: Failure at the start of the batch should not invalidate the rest of ↵Neale Ranns1-0/+28
the batch Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icd1e43a5764496784c355c93066273435f16dd35
2022-11-09tests: initial asf framework refactoring for 'make test'Pratikshya Prasai45-47/+1907
Type: refactor Change-Id: I41455b759a5d302ad5c4247c13634c471e7d49a8 Signed-off-by: Pratikshya Prasai <pratikshyaprasai2112@gmail.com> Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-10-31tests: session in interrupt modeFilip Tehlar1-0/+9
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I2deba97a8dfff907f0e2452e9347d6a68474ce92
2022-10-20tests: enable extended test runs in run.pyNaveen Joy1-0/+14
Change-Id: I5f712614910dc69f04c43efd8958ef8e87906b9e Type: test Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-10-11l2: Add bridge_domain_add_del_v2 to l2 apiLaszlo Kiraly12-48/+90
https://jira.fd.io/browse/VPP-2034 Type: fix Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech> Change-Id: Ieb6919f958f437fc603d5e1f48cab01de780951d
2022-10-11tests: don't use tmp as the default log dir with run.pyNaveen Joy1-2/+4
The log file directory is configurable with run.py using the --log-dir argument. This patch removes the use of /tmp as the default dir for storing all test logs. The default log dir is now set to show the year, month and day of the test run. This provides a more meaningful aggregation of test logs for effective troubleshooting. The default log dir is set to <CWD>/test-run-YYYY-MM-DD. Type: improvement Change-Id: I6c9002e961f6e06fc953ca42d86febf4f218e566 Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-10-07tests: disable broken wireguard tests on vpp_debug imageDave Wallace2-1/+13
Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I3a53d57e42f4c1f5ba0de6d2b181c7f2ad083a3a
2022-09-30fib: fix dpo-receive address in ip6-ll fibsVladislav Grishenko1-1/+3
Need to fill frp_addr for local path, it's used by dpo-receive. If not, address output can be invalid: $ sudo vppctl sh ip6-ll fe80::dcad:ff:fe00:3/128 IP6-link-local:loop3, fib_index:2, locks:[IPv6-nd:1, ] fe80::dcad:ff:fe00:3/128 fib:2 index:55 locks:2 IPv6-nd refs:1 entry-flags:connected,import,local, src-flags:added,contributing,active, path-list:[72] locks:2 flags:shared,local, uPRF-list:58 len:0 itfs:[] path:[82] pl-index:72 ip6 weight=1 pref=0 receive: oper-flags:resolved, cfg-flags:local,glean, [@0]: dpo-receive: 8000:100:fe80::dcad:ff on loop3 forwarding: unicast-ip6-chain [@0]: dpo-load-balance: [proto:ip6 index:57 buckets:1 uRPF:58 to:[0:0]] [0] [@2]: dpo-receive: 8000:100:fe80::dcad:ff on loop3 Type: fix Change-Id: Ib9874c5eac74af789e721098d512a1058cb8e404 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-30udp: add udp encap source port entropy supportVladislav Grishenko1-4/+199
Encode entropy value in UDP source port when requested per RFC 7510. CLI already has "src-port-is-entropy", use zero UDP source port in API to avoid breaking changes, since zero port is not something to be used in wild. Also, mark UDP encapsualtion API as mp-safe as already done for CLI. Type: feature Change-Id: Ieb61ee11e058179ed566ff1f251a3391eb169d52 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-28tests: stabilize wireguard ratelimiting testAlexander Chernavin1-29/+13
Type: test "test_wg_handshake_ratelimiting_multi_peer" has been unstable recently because the test strongly relies on execution speed. Currently, the test triggers ratelimiting for peer 1 and sends handshake initiations from peer 1 and 2 mixed up. After that, the test expects that all handshake initiations for peer 1 are ratelimited and a handshake response for peer 2 is received. Ratelimiting is based on the token bucket algorithm. The more time passes between triggering ratelimiting for peer 1 and sending a mixture of handshake initiations from peer 1 and 2, the more tokens will be added into the bucket for peer 1. Depending on delays between these steps, the number of tokens might be enough to process handshake initiations from peer 1 while they are expected to be rejected due to ratelimiting. With this change, these two steps are combined into one and the logic modified. The test triggers ratelimiting for both peer 1 and 2. Packets that trigger ratelimiting and that are to be rejected are sent in one batch that is going to reduce delays between packet processing. Also, verify that number of rejected handshake messages is in expected range instead of verifying the exact number as it still may slightly vary. Also, this should finish making the wireguard tests stable on Ubuntu 22.04 and Debian 11. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3407d15abe1356dde23a241ac3650e84401c9802
2022-09-27tests: enable ipsec-esp 'make test' testcases on ubuntu-22.04Dave Wallace2-59/+1
Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I016fd169813e369208089df122477152aaf9ffc2
2022-09-27wireguard: stop sending handshakes when wg intf is downAlexander Chernavin1-1/+133
Type: fix Currently, when a wg interface is administratively disabled initially or during operation, handshake packets continue to be sent. Data packets stop being sent because routes pointing to the wg interface will not be used. But data keys remain. With this fix, when a wg interface is administratively disabled during peer creation, avoid connection initialization to the peer. Data keys and timers should be empty at this point. When a wg interface is disabled during operation, disable all peers (i.e. stop all timers, clear data keys, etc.). Thus, state should be identical in both cases. When a wg interface is administratively enabled, enable all peers (i.e. get ready to exchange data packets and initiate a connection). Also, cover these scenarios with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
2022-09-27wireguard: fix re-handshake timer when response sentAlexander Chernavin1-22/+48
Type: fix As per the protocol: A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms, if a response has not been received... Currently, if retransmit handshake timer is started, it will trigger after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake initiation via wg_send_handshake() given that no responses have been received. wg_send_handshake() will verify that time stored in REKEY_TIMEOUT has passed since last handshake initiation sending and if has, will send a handshake initiation. Time when a handshake initiation was last sent is stored in last_sent_handshake. The problem is that last_sent_handshake is not only updated in wg_send_handshake() when sending handshake initiations but also in wg_send_handshake_response() when sending handshake responses. When retransmit handshake timer triggers and a handshake response has been sent recently, a handshake initiation will not be sent because for wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT has not passed yet. Also, the timer will not be restarted. wg_send_handshake_response() must not update last_sent_handshake, because this time is used only when sending handshake intitiations. And the protocol does not say that handshake initiation retransmission and handshake response sending (i.e. replying to authenticated handshake initiations) must coordinate. With this fix, stop updating last_sent_handshake in wg_send_handshake_response(). Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds and did not receive any handshake initiations. Then they fail. Also, long-running tests that send wrong packets and do not expect anything in reply may now receive handshake intiations, consider them as replies to the wrond packets, and fail. Those are updated to filter out handshake initiations in such verifications. Moreover, after sending wrong packets, error counters are already inspected there to confirm packet processing was unsuccessful. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
2022-09-27tests: disable failing tests on ubuntu-22.04 debian-11Dave Wallace11-8/+116
Type: test Change-Id: I7b2314a731c83b3dcd69c999edb8ebed53839724 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-09-23bfd: add tracing support to bfd-processKlement Sekera1-0/+2
Outgoing packets can be now traced via: trace add bfd-process <count> Type: improvement Change-Id: Ia19af6054289b18f55e518dbea251a2bee9b9457 Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-09-21ipsec: introduce fast path ipv6 inbound matchingPiotr Bronowski1-40/+77
This patch introduces fast path matching for inbound traffic ipv6. Fast path uses bihash tables in order to find matching policy. Adding and removing policies in fast path is much faster than in current implementation. It is still new feature and further work needs and can be done in order to improve the perfromance. Type: feature Change-Id: Iaef6638033666ad6eb028ffe0c8a4f4374451753 Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
2022-09-20tests: run tests against a running VPPNaveen Joy4-12/+291
Usage: test/run.py -r -t {test_filter} Instead of starting a new instance of VPP, when the -r argument is provided, test is run against a running VPP instance. Optionally, one can also set the VPP socket directory using the -d argument. The default location for socket files is /var/run/user/${uid}/vpp and /var/run/vpp if VPP is started as root. Type: improvement Change-Id: I05e57a067fcb90fb49973f8159fc17925b741f1a Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-09-19tests: skip tests failing on ubuntu 22.04Dave Wallace4-2/+87
Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I218059de5d05680d661f302293475b6c2a7bf81d
2022-09-19igmp: validate ip router alert option lengthVladislav Grishenko1-15/+45
It's known there're one or more 32-bit increments in the ip header. So just check ip router alert option length with minimal performance impact, and don't care of the total options length. Type: fix Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru> Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I46dd06516f793846b931a1dc8612f2735f8d24d3
2022-09-19arp: update error reason when checking for proxy-arpBenoît Ganne1-1/+5
When we follow arp feature arc for proxy-arp, we should still update the error reason in case proxy-arp cannot handle the arp request and drops it. Type: improvement Change-Id: I046df017ca2056cfc12af0f0a968b401058bcd6d Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-09-15nat: fix nat44-ed port range with multiple workersVladislav Grishenko1-1/+192
The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisable by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to existing worker and dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-12ipsec: introduce fast path ipv4 inbound matchingPiotr Bronowski1-0/+844
This patch introduces fast path matching for inbound traffic ipv4. Fast path uses bihash tables in order to find matching policy. Adding and removing policies in fast path is much faster than in current implementation. It is still new feature and further work needs and can be done in order to improve perfromance. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ifbd5bfecc21b76ddf8363f5dc089d77595196675
2022-09-09vlib: don't leak node frames on reforkDmitry Valter1-0/+103
Free node frames in worker mains on refork. Otherwise these frames are never returned to free pool and it causes massive memory leaks if performed under traffic load Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith2-0/+160
Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe1-9/+53
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-17wireguard: fix fib entry trackingAlexander Chernavin1-0/+83
Type: fix After peers roaming support addition, FIB entry tracking stopped working. For example, it can be observed when an adjacency is stacked on a FIB entry by the plugin and the FIB entry hasn't got ARP resolution yet. Once the FIB entry gets ARP resolution, the adjacency is not re-stacked as it used to. This results in endless ARP requests when a traffic is sent via the adjacency. This is broken because the plugin stopped using "midchain delegate" with peers roaming support addition. The reason is that "midchain delegate" didn't support stacking on a different FIB entry which is needed when peer's endpoint changes. Now it is supported there (added in 36892). With this fix, start using "midchane delegate" again and thus, fix FIB entry tracking. Also, cover this in tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
2022-08-16tests: move "venv" to "build-root" directory from "test" directorySaima Yunus5-10/+8
Type: refactor - refactored VPP test code to remove "ignore_path" variable from "discover_tests" function and "run_test" code - configured VPP test makefile, config file, and 'run.sh' shell script to move "venv" directory from "test" dir to "build-root" dir Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com> Change-Id: Id2beecbb99f24ce13ed118a1869c5adbef247e50
2022-08-11ip: Use .api declared error countersNeale Ranns5-25/+11
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I822ead1495edb96ee62e53dc5920aa6c565e3621