aboutsummaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2020-07-21ipsec: Dedicated IPSec interface typeNeale Ranns3-4/+343
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
2020-07-16gre: fix outer ip6 lengthAloys Augustin1-0/+9
This updates the computation of the outer ip6 header payload_length field in order to take into account the GRE header length. Change-Id: Ie9f982521aeaef7279a9e329a33272d6fae0a428 Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2020-06-24tests: fix deps pinning / patchingAloys Augustin1-5/+3
This ensures we don't recompute the requirements-{2,3}.txt on each make test run, and skips patching scapy if it is already patched instead of failing. Change-Id: I3da57182ae49f3dd04db139d96734a5d145fedff Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2020-06-20tests: improve lcov stats for memory_api.cDave Barach1-1/+19
Cover vl_mem_api_dead_client_scan(...), which is not so simple. Spin up vpp_api_test using pexpect.spawn, make it bootstrap a private memory segment, kill vpp_api_test, and wait for the dead client scanner to run a few times so that it declares the client dead. The test only runs if GCOV_TESTS=yes is set in the environment. Type: test Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I3c712fa011df2e23761a2e73c1aba0c7e50123a6
2020-06-16gso: fix the udp checksum in testMohsin Kazmi1-2/+2
Type: fix Change-Id: I7005e4763e73f3679c40f94bdab26d439cd23188 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-06-10vapi: memset allocated messages to zeroKlement Sekera2-20/+0
This avoids using dirty data from shared memory by client. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I96eecf655bf344ec29609cedbd8dc891b572e207
2020-06-08vxlan: Fixed checksum caclculation offsetVladimir Isaev5-6/+41
VXLAN uses csum_offload for IPv6 packets. But without gso node we have csum calculated only for inner packet. This patch adds support for outer header csum calculation. Checksum for inner packet should be calculated before interface-output node (for example in vxlan node). Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: Ica68429ede4426293769207cd83c791ebe72fe56
2020-05-29bonding: Revert adjust link stateMatthew Smith1-58/+1
This reverts commit 9121c415a91904be50071ec55143d9c89b2f1b91. Reason for revert: causes deadlock with multiple worker threads Type: fix Change-Id: Icf3d6d343d99d887abacbaa03acbf04d4628514e Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-05-29gso: add checksum and payload size testingMohsin Kazmi1-49/+148
Type: test Change-Id: I9e4f7cf44d465712aa26e5dd6a0ff38588964a39 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-05-27bonding: adjust link state based on active slavesMatthew Smith1-1/+58
Type: improvement Bond link state is being maintained inconsistently. It is initially set to up. If the bond interface admin state is set to down, the link state is set to down. If the bond interface admin state is set to up, the link state is only set to up if there are active slave interfaces at that point. If slaves become active at some later time, it does not get updated. Its next chance to be updated is the next time the bond interface is set to admin up. To address this, do not set the link state to up after creating a bond. Adjust the link state as slave interfaces are attached or detached based on whether the bond is getting its first active slave or losing its last one. Unit test added to verify correct maintenance of link state. Change-Id: I31f17321f7f0e727e1ab1e01713423af6566dad9 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-05-25tests: update pip and pip-toolsAloys Augustin4-216/+387
This fixes an issue where the pinned requirements file can be modified when running the tests. Change-Id: Ic89d1844d1fd8d00f62211a9b051a26ac34ee316 Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2020-05-24ipsec: fixed chaining ops after add footer and icvPiotrX Kleski1-0/+1
In case there is no free space in first buffer for ICV and footer, additional buffer will be added, but esp_encrypt will stay in single buffer mode. The issue happens for the following payload sizes: - TCP packets with payload 1992 - ICMP packets with payload 2004 This fix moves the single/chained buffer ops selection to after esp_add_footer_and_icv call. Type: fix Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
2020-05-15ikev2: add support for NAT traversalFilip Tehlar1-4/+1
Type: feature * initiator behind NAT supported * tested with static NAT mappings * works only with pre-configured tunnels The pre-configured tunnel has to be defined as follows: initiator (i) side: src=ip(i) dst=ip(r) responder (r) side: src=ip(r) dst=ip(nat) Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-14nat: "users" dump for ED-NATKlement Sekera1-1/+1
Since the removal of "users" concept in ED-NAT nat44_user_dump API returns empty array. This brings back previous behaviour at a considerable runtime cost until a better API is introduced. Type: improvement Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-05-14ip: fix interface ip address del sw_if_index checkyedg2-0/+36
Type: fix Signed-off-by: Ye donggang <yedg@wangsu.com> Change-Id: Ia9f72ff2be455ecd4ff3d16e884c5a50f9df69fe
2020-05-13feature: Config end nodes are user specificNeale Ranns1-0/+12
Type: fix it is possible for a user to change the end node of a feature arc, but this change should only apply to that 'instnace' of the arc, not all arcs. for example, if a tunnel has its ipx-output end node changed to adj-midchain-tx, this shouldn't affect all ipx-output arcs. obviously... Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I41daea7ba6907963e42140307d065c8bcfdcb585
2020-05-13ipsec: Support 4o6 and 6o4 for SPD tunnel mode SAsNeale Ranns1-1/+75
Type: feature the es4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
2020-05-05tests: clean up loggingPaul Vinciguerra2-30/+25
Tests currently expect the logger to be poked from run_tests.py. The tests should run without any magic values. This change sets a default null logger and removes the hasattr checks for the logger. For reference, see: https://docs.python-guide.org/writing/logging/ Type: test Change-Id: I98f953d73d12d00e74b59c94a0fb8c7a625b9c44 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-05ipsec: User can choose the UDP source portNeale Ranns5-97/+252
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-05gso: fix the make test for ipipMohsin Kazmi1-2/+15
Type: test This commit fixes the make test for GSO/IPIP which are added in following commit id: 84f91fa9c54f82c54b58ea3bf6e9ba22ff735d3a Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I66a57fe195e626b432ff0acba3a5bdf242a7a46e
2020-05-05api: ip: add IP_ROUTE_LOOKUP APIChristian Hopps2-0/+148
Add an IP_ROUTE_LOOKUP function that does either an exact match or longest prefix match in a given fib table for a given prefix returning the match if present. Add API test. Type: improvement Signed-off-by: Christian Hopps <chopps@labn.net> Change-ID: I67ec5a61079f4acf1349a9c646185f91f5f11806
2020-05-05gso: add support for IP-IPMohsin Kazmi1-6/+199
Type: feature Change-Id: I37752af8496e0042a1da91124f3d94216b39ff11 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-2/+3
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-05-04misc: binary api fuzz test fixesDave Barach2-2/+9
Add a hook to src/vlibapi/api_shared.c to fuzz (screw up) binary API messages, e.g. by xoring random data into them before processing. We specifically exempt client connection messages, and inband debug CLI messages. We step over msg_id, client index, client context, and sw_if_index. Otherwise, "make test" vectors fail too rapidly to learn anything. The goal is to reduce the number of crashes caused to zero. We're fairly close with this patch. Add vl_msg_api_max_length(void *mp), which returns the maximum plausible length for a binary API message. Use it to hardern vl_api_from_api_to_new_vec(...) which takes an additional argument - message pointer - so it can verify that astr->length is sane. If it's not sane, return a u8 *vector of the form "insane astr->length nnnn\0". Verify array lengths in vl_api_dhcp6_send_client_message_t_handler(...) and vl_api_dhcp6_pd_send_client_message_t_handler(...). Add a fairly effective binary API fuzz hook to the unittest plugin, and modify the "make test" framework.py to pass "api-fuzz { on|off }" to enable API fuzzing: "make API_FUZZ=on TEST=xxx test-debug" or similar Type: improvement Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I0157267652a163c01553d5267620f719cc6c3bde
2020-05-03tests: vpp_interface remove deprecated packed propertiesPaul Vinciguerra12-102/+67
The api no longer requires packed ip addresses. Type: test Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-03tests: improve vpp_papi_provider exception outputPaul Vinciguerra1-4/+12
saves time debugging tests by replacing 'API call' with the actual function signature: vpp_papi_provider.UnexpectedApiReturnValueError: API call failed, expected 0 return value instead of -2 in vxlan_add_del_tunnel_reply(_0=247, context=5052, retval=-2, sw_if_index=4294967295) vpp_papi_provider.UnexpectedApiReturnValueError: vxlan_add_del_tunnel(is_add=0, src_address=172.16.1.1, dst_address=239.1.1.209, vni=209, sw_if_index=26, mcast_sw_if_index=1, encap_vrf_id=None, instance=None, decap_next_index=None) failed, expected 0 return value instead of -2 in vxlan_add_del_tunnel_reply(_0=247, context=5052, retval=-2, sw_if_index=4294967295) Type: test Change-Id: Ie3b6a5fdb4e1d427d60c51f7a7bf815af0bb3de6 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-01tap: implement sw_interface_tap_v2_dump filtering by sw_if_indexPaul Vinciguerra2-9/+19
Type: feature Change-Id: I6f607f383dc77a71e8712124f7613b38b4ac065a Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-30ip-neighbor: Add flush APINeale Ranns1-6/+156
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I96509c274895b917c3e220204d7959d9270de30d
2020-04-30build: rework x86 CPU variantsDamjan Marion1-15/+40
Type: improvement Change-Id: Ief243f88e654e578ef9b8060fcf535b364aececb Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-04-28vppinfra: improve test coverageDave Barach2-0/+46
Bonus corner-case bugfix in bitmap.h, found during the exercise. Issue dates from 2001 or thereabouts. Please review this specific change carefully. lcov_post: filter system include directories and generated files in build-root Type: improvement Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Iaa0b63e9dc571dfe3d992197ac49ba4d93403c61
2020-04-28tests: fix update_path_flags for multicast in vpp_ip_routePaul Vinciguerra1-2/+2
add support for the case where the first path doesn't match the searched interface. Type: test Change-Id: I29bd724cfe275ec5489d32c37ef2af12d6d1102a Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-28tests: implement ipaddress convenience methodsPaul Vinciguerra5-85/+40
Add vpp specific properties to ip addresses for use in the api. .vapi_af -- returns [ADDRESS_IP4, ADDRESS_IP6] .vapi_af_name -- returns the string ['ip4', 'ip6'] Update tests to demonstrate usage. Type: feature Change-Id: I43447a1522769d99f89debdc714c51700068d771 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-28lisp: API cleanupJakub Grajciar3-204/+94
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: Ib7f73a0b6de188982a09040f7739dc46be3cb1de Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-04-28vlib: startup multi-arch variant configurationRay Kinsella3-0/+126
Support for startup node multi-arch variant selection through startup.conf. This is to facilitate unit, functional testing and benchmarking of non-default multi-arch variant node code path. Also added parameters to make test, to specific using multi-arch variants in unit testing. Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I94fd332bb629683b7a7dd770ee9f615a9a424060
2020-04-28tests: move defaults from defaultmapping to .api filesPaul Vinciguerra1-16/+1
facilitates use of papi beyond the tests. Type: improvement Change-Id: I3d502d9130b81a7fb65ee69bb06fe55802b28a27 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-27virtio: support virtio 1.1 packed ring in vhostSteven Luong1-2/+4
virtio 1.1 defines a number of new features. Packed ring is among the most notable and important one. It combines used, available, and descripptor rings into one. This patch provides experimental support for packed ring. To avoid regression, when packed ring is configured for the interface, it is branched to a separate RX and TX driver. Non packed ring should continue to perform as it was before. Packed ring is tested using qemu4.2 and ubuntu focal fossa (kernel 5.4.0-12) on the guess VM which supports packed ring. To configure VPP with packed ring, just add the optional keyword "packed" when creating the vhost interface. To bring up the guest VM with packed ring, add "packed=on" in the qemu launch command. To facilitate troubleshooting, also added "verbose" option in show vhost desc CLI to include displaying the indirect descriptors. Known qemu reconnect issue - If VPP is restarted, guest VMs also need to be restarted. The problem is kernel virtio-net-pci keeps track of the previous available and used indices. For virtio 1.0, these indices are in shared memory and qemu can easily copy them to pass to the backend for reconnect. For virio 1.1, these indices are no longer in shared memory. Qemu needs a new mechanism to retrieve them and it is not currently implemented. So when the protocol reconnects, qemu does not have the correct available and used indices to pass to the backend. As a result, after the reconnect, virtio-net-pci is reading the TX ring from the wrong position in the ring, not the same position which the backend is writing. Similar problem exists also in the RX. Type: feature Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I5afc50b0bafab5a1de7a6dd10f399db3fafd144c
2020-04-27vlib: pcap rx/tx/dispatch trace testDave Barach1-0/+89
Mainly intended to improve code coverage, but since the test only runs for 0.3 seconds we might as well run it all the time. Type: test Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Icfd0f4dbcdbf76abbaa12e16cee1136413c8ae2e
2020-04-24tests: test vnet_calc_checksums_inline(...)Dave Barach1-0/+74
Use a hand-crafted packet generator script to inject packets with deliberately broken ip4 and udp checksums - and the appropriate checksum offload flags - into src/vnet/interface_output.c vnet_interface_output_node_inline(...), and make sure that the resulting checksums are correct. Use the packet tracer to catch one of the packets. Parse through the packet trace, and make sure that the checksums have been correctly computed. Type: test Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ic08b4b64d7ef27061558a3abf0b79917ead254b5
2020-04-24ip: Setting the Link-Local address from the API enables IPv6 on theNeale Ranns2-3/+116
interface Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0b7c189006e30a357cd6be4f3c9c61fded4157cb
2020-04-23ip: Replace Sematics for Interface IP addressesNeale Ranns3-9/+373
Type: feature - replace functions for prefixes attached to interfaces - add ip_interface.[ch] to consoldate the functions Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I9c0c39c09dbf80ea1aadefee02c9bd16f094b6ad
2020-04-23ip-neighbor: Replace feature for the ip-neighbor data-baseNeale Ranns1-0/+117
Type: feature DB replace is implemented with a mark and sweep algorithm (just the the FIB) Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I54ab06e11552219e2a18e1b4a87d531321cf3829
2020-04-22gso: add vxlan tunnel supportMohsin Kazmi1-50/+250
Type: feature Change-Id: I85f6ec77187a4983c66c5e22fd39fbb2cef82902 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-04-10geneve: Fix the byte swapping for the VNINeale Ranns6-11/+18
Type: fix - swipe away the vomit indent left last time. - add tests for VNIs > 16bit Change-Id: I2d1f591bfb9d7a18996c38969365a509168d4193 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-07tests: pin sphinx and sphinx-rtd-themeAloys Augustin3-99/+102
Add these two packages to requirements.txt so that their version and the version of their dependencies are pinned to limit the risk of unexpected breakage. Change-Id: If330404f2e840af3d2628f997ce406cd14e7e128 Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2020-04-07sr: Support uSID function.Tetsuya Murakami1-0/+323
1. Add uSID function in VNET SRv6 2. Add test case for uSID Type: feature Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com> Change-Id: I354fc687192ed713ceb81fccc9f7b69b6777f6f6 Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
2020-04-06vcl session: enforce full dgram reads/writesFlorin Coras1-0/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4a3861e31ca42faf0b59f8f09393fb10413bf3af
2020-04-06docs: pin down sphinx to avoid crash with Sphinx 3.0.0Andrew Yourtchenko2-1/+121
The vpp-make-test-docs-verify jobs started to fail. The last successful run of it shows: reating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_gbp_tunnel.rst. Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_tunnel.rst. Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vrf.rst. Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/modules.rst. sphinx-build -b html -d /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/.sphinx-cache /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api -c /w/workspace/vpp-make-test-docs-verify-master/test/doc /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/html Running Sphinx v2.4.4 making output directory... done building [mo]: targets for 0 po files that are out of date building [html]: targets for 161 source files that are out of date updating environment: [new config] 161 added, 0 changed, 0 removed reading sources... [ 0%] bfd reading sources... [ 1%] debug reading sources... [ 1%] debug_internal reading sources... [ 2%] discover_tests The failing jobs show: Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_tunnel.rst. Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vrf.rst. Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/modules.rst. sphinx-build -b html -d /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/.sphinx-cache /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api -c /w/workspace/vpp-make-test-docs-verify-master/test/doc /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/html Running Sphinx v3.0.0 making output directory... done building [mo]: targets for 0 po files that are out of date building [html]: targets for 161 source files that are out of date updating environment: [new config] 161 added, 0 changed, 0 removed reading sources... [ 0%] bfd Exception occurred: File "/usr/lib/python3.6/inspect.py", line 516, in unwrap raise ValueError('wrapper loop when unwrapping {!r}'.format(f)) ValueError: wrapper loop when unwrapping scapy.fields.BitEnumField The full traceback has been saved in /tmp/sphinx-err-n84dadfq.log, if you want to report the issue to the developers. Please also report this if it was a user error, so that a better error message can be provided next time. A bug report can be filed in the tracker at <https://github.com/sphinx-doc/sphinx/issues>. Thanks! Makefile:39: recipe for target 'html' failed make[2]: *** [html] Error 2 make[2]: Leaving directory '/w/workspace/vpp-make-test-docs-verify-master/test/doc' Makefile:274: recipe for target '/w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc' failed Type: fix Change-Id: Id98c0f94104e455ea819aacec62f605e53db13ce Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-04-06misc: fix python sonarcloud BLOCKER level issuesPaul Vinciguerra3-2/+4
Fix of the top 11 python issues flagged as BLOCKER. Ticket: VPP-1856 Type: fix Change-Id: Icf4691e62f4a69d6ee196b6d6e2ab52d961b5c76 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-31ipsec: fix chained ESPFilip Tehlar1-1/+2
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31ipsec: fix udp-encap in transport modeAlexander Chernavin1-2/+51
Now UDP enacapsulation doesn't work in transport mode with crypto algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens because the inserted UDP header overlaps with the old IP header and gets filled before the information from the old IP header can be copied to a new IP header. The result is a broken packet: 00:03:39:620863: esp4-encrypt-tun esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0 crypto aes-gcm-128 integrity none udp-encap-enabled 00:03:39:620867: adj-midchain-tx ... 00:03:39:620868: ip4-rewrite ... 00:03:39:620869: GigabitEthernet0/8/0-output GigabitEthernet0/8/0 IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 00:03:39:620870: GigabitEthernet0/8/0-tx GigabitEthernet0/8/0 tx queue 0 ... IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 With this commit, fill UDP header after copying the IP headers in transport mode. Type: fix Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>