Age | Commit message (Collapse) | Author | Files | Lines |
|
Adding flow cache support to improve inbound IPv4/IPSec Security Policy
Database (SPD) lookup performance. By enabling the flow cache in startup
conf, this replaces a linear O(N) SPD search, with an O(1) hash table
search.
This patch is the ipsec4_input_node counterpart to
https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code,
theory and mechanism of action.
Details about the flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using a hash table without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, the old entry
will be overwritten by the new entry. Worst case is when all the
256 packets in a batch result in collision, falling back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows,
but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all
current flow cache entries will be invalidated. As the SPD API is
not mp-safe, the data plane will wait for the control plane
operation to complete.
Cache invalidation is via an epoch counter that is incremented on
policy add/del and stored with each entry in the flow cache. If the
epoch counter in the flow cache does not match the current count,
the entry is considered stale, and we fall back to linear search.
The following configurable options are available through startup
conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache
(default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets
(default 4,194,304: ~1 million flows with 25% load factor)
Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass,
94B (null encrypted packet) for different SPD policy matching indices:
SPD Policy index : 2 10 100 1000
Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps
(Baseline/Optimized)
ARM TX2 : 300/290 230/290 70/290 8.5/290
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
|
|
Type: fix
After changes made in f840880, VRRP IPv6 cannot reply for neighbor
solicitations requesting the link layer address of the configured
virtual address.
VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature
arc for an interface on which a virtual router is configured. When
neighbor solicitations arrive on that interface, ip6-local should start
feature arc walk for that interface and the messages should be processed
by vrrp6-nd-input. The problem is that currently, the feature arc is
started for the interface obtained from the receive DPO that has
interface unset (i.e. max u32) for local mfib entries. Thus, the feature
arc is started not on the interface the messages were received on and
vrrp6-nd-input is not traversed.
With this fix, if interface obtained from the receive DPO is unset, use
RX interface from the buffer to start the ip46-local feature arc.
Also, enable tests of this case for both IPv4 and IPv6 address families
that are currently tagged as extended and not run on every change. They
configure VRRP with priority 255 and are expected to be stable.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
|
|
Add simple counter statistics to VRRP, based on a subset of those
defined in RFC8347.
Add an update API that allows in-place modification of an existing
instance. The method returns a vrrp_index which can be used both for
retrieving statistics and to modify non-key parameters. Also add a
delete method which will take that vrrp_index as parameter.
Type: improvement
Signed-off-by: Emanuele Di Pascale <lele84@gmail.com>
Change-Id: I2cd11467b4dbd9dfdb5aa748783144b4883dba57
|
|
Set deprecated option on unsupported API calls.
Cleaned up API calls with deprecated option. Removed
in progress option from long term used API calls.
Removed obsolete/unused nodes, functions, variables.
Fixed set frame queue nelts function. Calling API
would incorrectly not fail even though frame queue nelts
can only be set before first call nat44_plugin_enable.
Moved all formatting functions to _format.c file.
Type: refactor
Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
When computing the inner packet checksum, the code wrongly
assumes that the IP version of the inner packet is the
same of the outer one. On the contrary, it is perfectly
possible to encapsulate v6 packets into v4 and viceversa,
so we need to check the IP format of the inner header before
calling vnet_calc_checksums_inline.
Ticket: VPP-2020
Type: fix
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: Ia4515563c164f6dd5096832c831a48cb0a29b3ad
Signed-off-by: Mauro Sardara <msardara@cisco.com>
|
|
Prevent crashing on nonexistent VPP binary path class member when creating
testsuite core message.
Type: fix
Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Ib9b3dc8c69317e6561e5404bbdcbf672e417cbcd
|
|
Type: fix
otherwise if two packets arrive with the same source address but from different VRFs, then they are treated as the same and they use the same LB and thus share the same fate. but the lookup, when done, results in two different LBs, and hence the fate can be different.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id6e16f7c577a561d9ddd7066339fa4385361d07f
|
|
Type: improvement
Currently, RA message sending is enabled by default - both periodic and
in response to RS message. However, RFC 4861 section 6.2.1 says the
following:
Note that AdvSendAdvertisements MUST be FALSE by default so that a
node will not accidentally start acting as a router unless it is
explicitly configured by system management to send Router
Advertisements.
With this change, RA message sending is disabled by default and
"test_ip6.TestIPv6.test_rs" updated appropriately.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I2a8865199cb665c59268504aefe2976e5ee96dc2
|
|
Type: fix
The reported MTU should include the MPLS label overhead
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3df6d2e0b13f49701e187a766a157498dcaafbc0
|
|
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I56a585a8a1f588e682552913cfbdd4551e057ead
|
|
Make make test-start-vpp-in-gdb work again.
Fix incorrect temp directory when using DEBUG=attach.
Type: fix
Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec
Change-Id: Ie98b637acbbe0221606ccdc7b54f63885e5951a4
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
The random seed is not an integer, so the current code does not allow reproducing a test run by running e.g.
RND_SEED=1647595144.0940742 make test
Solution: make the random seed a positive float.
Also, add the missing positiveness check to the positive_integer function.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I858bab0a9b828b99c20a2252aeecb9e2dda4ee21
|
|
Add missing translation of ICMP inner IP layer.
Change responsible test so that it actually tests something.
Type: fix
Fixes: 4881cb4c6f
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
|
|
Several test cases re-use the same test class name,
which leads to test error when do parrallel test with TEST_JOBS=16,
change the test class names to unique values.
Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: Iefc01d40a25ebd60533baf3a2dc98a537437e8e9
|
|
Type: fix
The l2unfragmentable size is not included in the calculation of 'max', the maximum amount of data that can be added to a fragment, therefore the fragments created are too big.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id1e949ad98203b6f8ea2f55322ef6fa3d507e2a6
|
|
The same test for v22.02 was already merged: https://gerrit.fd.io/r/c/vpp/+/35390
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I214f6fb5b63d97ca4afe3b10fd2d3e3410b5a6e4
|
|
Type: feature
Change-Id: Ica3e60836c0f26518ba2c238a8c03ce3648ea69b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
|
|
Type: fix
- IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
|
|
Type: fix
if original packet was to the link local, then the
fib index in the buffer is that of the LL table, we can't use that
to foward the response if the new destination
is global, so reset to the fib index of the link.
In other case, the fib index we need has been written
to the buffer already.
Add a test for IPv6 ping in an MPLS-VPN where int inout interface is
not the the same VRF as the response should be sent.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I18a232d90ddd3ef051a52476c5d861c87060e76f
|
|
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages.
The rate limiting is done based on src,dst IP address of the received packet.
the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
|
|
Raise a new UnexpectedPacketErrror, when a packet is captured
unexpectedly. This pretty-prints a terse description of said packet.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ibac19fc5bbd82a150fec3c90940a37af6344fd4f
|
|
Add support for inline packet counter verification to send_and_* functions.
Diff dictionary is a dictionary of dictionaries of interesting stats:
diff_dictionary =
{
"err" : { '/error/counter1' : 4, },
sw_if_index1 : { '/stat/segment/counter1' : 5,
'/stat/segment/counter2' : 6,
},
sw_if_index2 : { '/stat/segment/counter1' : 7,
},
}
It describes a per sw-if-index diffset, where each key is stat segment
path and value is the expected change for that counter for sw-if-index.
Special case string "err" is used for error counters.
This then allows more precise packet counter verification by first
defining a "zero" dictionary, e.g. for ED NAT:
cls.no_diff = StatsDiff({
pg.sw_if_index: {
'/nat44-ed/in2out/fastpath/tcp': 0,
'/nat44-ed/in2out/fastpath/udp': 0,
'/nat44-ed/in2out/fastpath/icmp': 0,
'/nat44-ed/in2out/fastpath/drops': 0,
'/nat44-ed/in2out/slowpath/tcp': 0,
'/nat44-ed/in2out/slowpath/udp': 0,
'/nat44-ed/in2out/slowpath/icmp': 0,
'/nat44-ed/in2out/slowpath/drops': 0,
'/nat44-ed/in2out/fastpath/tcp': 0,
'/nat44-ed/in2out/fastpath/udp': 0,
'/nat44-ed/in2out/fastpath/icmp': 0,
'/nat44-ed/in2out/fastpath/drops': 0,
'/nat44-ed/in2out/slowpath/tcp': 0,
'/nat44-ed/in2out/slowpath/udp': 0,
'/nat44-ed/in2out/slowpath/icmp': 0,
'/nat44-ed/in2out/slowpath/drops': 0,
}
for pg in cls.pg_interfaces
})
and then to specify only changed counters directly when calling
one of send_and_* functions:
self.send_and_assert_no_replies(
self.pg0, pkts, msg="i2o pkts",
stats_diff=self.no_diff | {
"err": {
'/err/nat44-ed-in2out-slowpath/out of ports': len(pkts),
},
self.pg0.sw_if_index: {
'/nat44-ed/in2out/slowpath/drops': len(pkts),
},
}
)
operator | is overloaded by StatsDiff class to perform a deep merge operation,
so in above case, dictionaries for "err" and self.pg0.sw_if_index do not
overwrite whole sub-dictionaries, rather the contents are merged,
assuring that all the remaining counters are verified to be zero.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I2b87f7bd58a7d4b34ee72344e2f871b2f372e2d9
|
|
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I5e0fd1019372df0cd403725b8cac52363af13718
|
|
Some tests might want to keep vpp config in between test functions.
Add a flag to allow that.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I90243cd667dce922b43b381f3d52f4ac0f6bf3a7
|
|
Type: test
there were multiple instances of send_and_expect_load_balancing
and a send_and_expect_one_itf which has the same functionality as send_and_expect_one.
Put one implementation of both in framework.py (where the other send_and_X functions reside).
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7f629d440220bee29368067f475059322e1134f7
|
|
Implement command line argument parsing instead of passing arguments via
environment variables. Add script for running tests without having to
invoke make. Deprecate running tests via make.
Type: improvement
Change-Id: I2e3054a61a2ae25d460e9be00be7d7705fbf943e
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: improvement
Ethernet frames on the wire are a minimum of 64 bytes, so use the length in the UDP header to determine if the ESP payload is one bytes of the special SPI, rather than the buffer's size (which will include the ethernet header's padding).
In the case of drop advance the packet back to the IP header so the ipx-drop node sees a sane packet.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic3b75487919f0c77507d6f725bd11202bc5afee8
|
|
Add udp total session counts - as stat segment entries:
/bfd/udp4/sessions
/bfd/udp6/sessions
and per session packet/byte counters:
/bfd/rx-session-counters
/bfd/rx-session-echo-counters
/bfd/tx-session-counters
/bfd/tx-session-echo-counters
These counters are per-thread and per-session id.
Adjust tests to verify proper function.
Type: refactor
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ie597928022b6ac74c2220019b9e8e1714295f170
|
|
Type: improvement
helps keep the agents stateless
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3588f13c081e24f5a8083b490eb02856361e4ccb
|
|
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3b6e56b319aab3ffd2cc82d31e646bd42901275b
|
|
Debian 11 has some packages that have changed, and need adjustment.
Also - its default compiler is gcc 10, which, contrary to either gcc 8
or gcc 11 prints a bunch of warnings, which fails compilation.
And there is no gcc 11 package.
Therefore, use clang for this build.
Additionally, python 3.9 has exposed this issue:
https://bugs.python.org/issue42580
Therefore, make a local patch to scapy to tackle it.
Type: feature
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I7b9c0f852ab97fe3c1feca3f22020ac0970ba3e2
|
|
- pip == 22.0.3
- pip-tools == 6.5.0
- setuptools == 60.7.1 (now pinned in test/Makefile)
- upgrade packages in requirements-3.txt
- install iperf3 for 'make test TEST=vcl'
Type: test
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I1bd85f10fb4f6ba87b9bc1267905e5f1b8eb16de
|
|
Type: fix
Fixes: 72e31bc2d9
Fixes: db02380
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92a62bb1cb799e8fdc3ec4110ae3428825254f8a
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Mark broken test suites using @tag_fixme_asan.The main issue
is that some tests do not pass with ASan. These will need to
be fixed, but it takes time and in the meantime, new issues are
introduced that trip up ASan. When this tag is set and Asan
is enabled, failing ASan tests are skipped, so incremental
fixes can pass the CI
Type: improvement
Change-Id: I02602eb74234c25a4c701279e14704b81d4c5b71
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I6d23ff14380b0154f617b3ab7cd1acd5aa45106a
|
|
Removing obsolete unused nat44-ei nodes and functions.
Type: refactor
Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Use 'python3' for all python calls in virtualenv. Using $(PYTHON_INTERP)
(set to $(PYTHON)) is incorrect when $(PYTHON) contains absolute path
(e.g. '/usr/bin/pypy3') as it uses interpreter outside of virtualenv.
Type: fix
Change-Id: I19878360cfc1ab6a591e09a079b0b69c1a1a58cf
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Add API to disable full reassembly of "forus" packets. Mark packets
passing through ip[4|6]-local nodes with a new buffer flag and check for
that flag in reassembly.
Enable IP6 "forus" full reassembly by default to be consistent with
existing IP4 setting.
Type: improvement
Change-Id: I7067792fcd4304182654237968e4c4d9293c6143
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Make VPP_BUILD_DIR hold the correct value and adjust paths where
necessary.
Type: refactor
Change-Id: I5bc60666c04919956bf26badaf1ee1f1b188ef65
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Allow entering a test name on stack trace window with STEP=y option
instead of a number. This allows to run a whole suite and skip all tests
until a particular test is hit.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I23e45f8022b82545365b8921390e0e106e02b39c
|
|
- cleanup data structures, functions and cli
- remove option to return static html. For similar results, use
http static server
- rename to http_cli.c as it better describes what the app does
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I502e7566fba4376c68fbe41de9e45079a159e864
|
|
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs
are no longer required/tracked. This is more friendly to peers and
accounts for lost packets and retransmits.
This change also means that all traffic is translated and forwarded
while in transitory timeout, which helps delivering e.g. retransmitted
FINs, FINACKs and other messages.
Also support reopening a session in transitory timeout after seeing both
FINs by seeing both SYNs again. This helps quick connection
reestablishment if the peers want to.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
|
|
Type: improvement
When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output.
This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this:
...
00:00:01:111710: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111829: local0-output
ipsec0
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 5858585858585858585858585858585858585858585858585858585858585858
00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0
00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664
00:00:01:112017: error-drop
rx:pg1
00:00:01:112034: drop
local0-output: interface is down
although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop.
This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed.
The resulting drop is:
...
00:00:01:111504: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111533: ip4-drop
ICMP: 172.16.2.2 -> 1.1.1.1
tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN
fragment id 0x0001
ICMP echo_request checksum 0xecf4 id 0
00:00:01:111620: error-drop
rx:pg1
00:00:01:111640: drop
null-node: blackholed packets
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
|
|
GTP4/6.D behavior is updated as shown below.
1. When receiving GTP-U message or IPv6 linklocal destination in inner IP, GTP packet is tnralated to SRv6.
2. When receiving T-PDU packet, OuterIP/UDP/GTP headers are stripped off and Inner IP is encapsulated into SRv6 based on L3VPN SRv6 manner.
Type: feature
Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
Change-Id: I6092c98ea80236d54017f84c5b35cca0b645f034
Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
|
|
We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).
This allows to test IPSec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (ex: 4545)
Type: improvement
Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
|
|
Type: fix
Presently a local label associated with an attached or connected prefix will link to the glean. This is a problem since it will never use the adj-fibs that are installed for that attached prefix. Instead link the local label to a lookup in the table in which the attached link is bound.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iad49fb6168b9ba47216a9a52bd262363b49c3c43
|
|
Coverity complained that there is boundary checking in
add_del_punt_redirect_v2 handler. This test proves that such boundary
checking is not necessary as it is handled in the common path.
Type: test
Change-Id: Ibec054c01d4eb057accdc9d5732aba6fe6de51cc
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Zero length fragments are invalid and should be dropped. This patch adds
that.
Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
If a fragment arrives with fragment offset = 0 and M = 0, it means that
this is actually a complete packet and per RFC 8200, it should be
treated independently from other fragments. This patch does that.
Fragmentation header is stripped and fragment is forwarded irregardles
of other existing reassemblies in case of full reassembly and treated
the same way as regular packet in shallow virtual reassembly.
Type: improvement
Change-Id: If3322d5e3160cd755b8465a642702a9166d46cc2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|