Age | Commit message (Collapse) | Author | Files | Lines |
|
Change GRE tunnel to use the interface type where the same encap
node is used as output node for all GRE tunnels, instead of having
dedicated output and tx node for each tunnel. This allows for more
efficient tunnel creation and deletion at scale tested at 1000's
of GRE tunnels.
Add support for ERSPAN encap as another tunnel type, in addition
to the existing L3 and TEB types. The GRE ERSPAN encap supported
is type 2 thus GRE encap need to include sequence number and GRE-
ERSPAN tunnel can be created with user secified ERSPAN session ID.
The GRE tunnel lookup hash key is updated to inclue tunnel type
and session ID, in addition to SIP/DIP and FIB index.
Thus, GRE-ERSPAN tunnel can be created, with the appropriate
session ID, to be used as output interface for SPAN config to
send mirrored packets.
Change interface naming so that all GRE tunnels, irrespective of
tunnel type, uses "greN" where N is the instance number. Removed
interface reuse on tunnel creation and deletion to enable unfied
tunnel interface name.
Add support of user specified instance on GRE tunnel creation.
Thus, N in the "greN" interface name can optionally be specified
by user via CLI/API.
Optimize GRE tunnel encap DPO stacking to bypass load-balance DPO
node since packet output on GRE tunnel always belong to the same
flow after 5-tupple hash.
Change-Id: Ifa83915744a1a88045c998604777cc3583f4da52
Signed-off-by: John Lo <loj@cisco.com>
|
|
Memfd backed shared memory segments can only be negotiated over sockets.
For such scenarios, the existing redirect mechanism that establishes
cut-through sessions does not work anymore as the two peer application
do not share such a socket.
This patch adds support for local sessions, as opposed to sessions
backed by a transport connection, in a way that is almost transparent to
the two applications by reusing the existing binary api messages.
Moreover, all segment allocations are now entirely done through the
segment manager valloc, so segment overlaps due to independent
allocations previously required for redirects are completely avoided.
The one notable characteristic of local sessions (cut-through from app
perspective) notification messages is that they carry pointers to two
event queues, one for each app peer, instead of one. For
transport-backed sessions one of the queues can be inferred but for
local session they cannot.
Change-Id: Ia443fb63e2d9d8e43490275062a708f039038175
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- Reduce log size by using "api trace custom-dump" instead
of "api trace dump".
- Fix custom-dump output of cli_inband_t api message to include
cli command being executed.
New output:
DBGvpp# api trace custom-dump /tmp/test
vl_api_memclnt_delete_t:
index: 2
handle: 0x301d8e10
SCRIPT: memclnt_create name vpp_api_test
SCRIPT: sw_interface_dump all
SCRIPT: control_ping
SCRIPT: exec show run
Old output:
DBGvpp# api trace dump /tmp/test
---------- trace 0 -----------
vl_api_memclnt_delete_t:
index: 33554432
handle: 0x108e1d3000000000
---------- trace 1 -----------
vl_api_memclnt_create_t:
name: vpp_api_test
input_queue: 0x808e1d3000000000
context: 0
ctx_quota: 0
---------- trace 2 -----------
vl_api_sw_interface_dump_t:
_vl_msg_id: 61
client_index: 33554432
context: 0
name_filter_valid: 0
---------- trace 3 -----------
vl_api_control_ping_t:
_vl_msg_id: 712
client_index: 33554432
context: 0
---------- trace 4 -----------
vl_api_cli_inband_t:
_vl_msg_id: 715
client_index: 33554432
context: 0
length: 9
Change-Id: If740c861649a3a59b8cc7a777c23c3cf94b8ff87
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Change-Id: I2b572ebd4b7bb26381f127912a4cc0825c04fc34
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
- setting MTU on an interface updates the L3 max bytes too
- value cached in the adjacency is also updated
- MTU exceeded generates ICMP to sender
Change-Id: I343ec71d8e903b529594c4bd0543f04bc7f370b3
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Group Base Policy (GBP) defines:
- endpoints: typically a VM or container that is connected to the
virtual switch/router (i.e. to VPP)
- endpoint-group: (EPG) a collection of endpoints
- policy: rules determining which traffic can pass between EPGs a.k.a
a 'contract'
Here, policy is implemented via an ACL.
EPG classification for transit packets is determined by:
- source EPG: from the packet's input interface
- destination EPG: from the packet's destination IP address.
Change-Id: I7b983844826b5fc3d49e21353ebda9df9b224e25
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
L2 ACL
There was no test coverage for the L2 ACL (other than indirect by
means of ACL plugin tests), so the enabling of the outbound ACL
got fumbled throughout the revisions of the refactoring.
Fix both issues - the error and the lack of test coverage for L2 ACL.
Change-Id: Ib7f42780ef84b4a4f70bd88d7319aeeda866cf06
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Reduce the number of tunnels created/destroyed to reduce the load of the tests
without changing the code covered.
These are functional tests, not performance tests.
This reduced the test time down to 10s from 4 minutes on my machine.
Change-Id: Ifcaddc0b0628a21392c5cb247196f56bc28a53a2
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
conn cleaner threads interactions
This replaces some of the early-stage commented-out printf()s with
an elog-based debug collector.
It is aimed to be "better than nothing" initial implementation to be available
in the field. It will be refined/updated based on use. This initial code
is focused on the main/worker threads interactions, hence uses just
the worker tracks.
This code adds a developer debug CLI "set acl-plugin session table event-trace 1",
which allows to gather the events pertaining to connection cleaning.
The CLI is deliberately not part of the online help, as the express
declaration that the semantics/trace levels, etc. are subject to change
without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
If one is not selected by the user, the next available id
will be allocated, thus maintaining backward compatibility.
Change-Id: I4691ed0638b8072f9cfa9f20b9fe4f981e708800
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound
classifier-based ACL would be needed. There was an existing incomplete
code for outbound ACLs, it looked almost exact copy of input ACLs, minus
the various enhancements, trying to sync that code seemed error-prone
and cumbersome to maintain in the longer run.
This change refactors the input+output ACLs processing into a unified
routine (thus any changes will have effect on both), and also adds
the API to set the output interface ACL, with the same format
and semantics as the existing input one (except working on output
ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields
in the vnet_buffer_opaque_t, since the code is using l2_classify.*
The net_buffer (p0)->ip.save_rewrite_length is rescued into
l2_classify.pad.l2_len, and used to rewind the header in case of
drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Do not set UDS related system parameters if DOCKER_TEST is set to "True"
as docker environment doesn't contain the necessary /proc/... entries.
Change-Id: Id85e4512c7bba6b3feb6e6fd1fbe1e05aa10a341
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I2421197b76be58099e5f8ed5554410adff202109
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
- use valloc as a 'central' segment baseva manager
- use per segment manager segment pools and use rwlocks to guard them
- add session test that exercises segment creation
- embed segment manager properties into application since they're shared
- fix rw locks
Change-Id: I761164c147275d9e8a926f1eda395e090d231f9a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
This fixes a constant setting of random seed forgotten from testing.
Change-Id: Ie3c4db8bb2b4b73ba33de1ffc02cb563391fd31c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
L3DSR is used to overcome Layer 2 limitations
of Direct Server Return Load Balancing.
It maps VIP to DSCP bits, and reuse TOS bits to transfer it
to server, and then server will get VIP from DSCP-to-VIP mapping.
Please refer to https://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk45.nanog51-Schaumann.pdf
Change-Id: I403ffeadfb04ed0265086eb2dc41f2e17f8f34cb
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
Change-Id: Ic5dcadd13c88b8a5e7896dab82404509c081614a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Support the 1:1 translation of source address for IPv6
Change-Id: I934d18e5ec508bf7422d796ee5f172b79c048011
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
(VPP-1156)
Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ib99b597502b8335e57ecfa122b12e2e5aa45ee1a
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I1e3cfc751e7657464fc850dc56ddf763df45f62e
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
This consolidates builtin apps under session-apps folder. It also
removes duplicate builtin echo server/client implementations.
Change-Id: I75ed879399c5aa9b75b1eb38b33aedf69dd8df3f
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I620e2081285ca8ac5c2da8efc12fe6f540ea4fd1
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Moved CLI from nat.c to nat44_cli.c
Split "show nat44" to:
show nat44 addresses
show nat44 interfaces
show nat44 static mappings
show nat44 interface address
show nat44 sessions detail
show nat44 deterministic mappings
show nat44 deterministic timeouts
show nat44 deterministic sessions
show nat workers
Change-Id: I2d1be8941dd0e4a9e037f4a4d2cd192389beb8ed
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Verify that /dev/shm size is >= 512M, which should be enough for `make
test' needs. If the verification fails, try to enlarge it automatically.
This helps avoid docker vpp/make test crashes (seen as SIGBUS).
Change-Id: I4e23d59ff8bf8befc320fa229fb6c9bfeb809a8f
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
== CONTENT ==
* SCTP chunks definition as per RFC4960;
* Helper functions to set/get values to/from the corresponding chunks;
* Hooks to the session/application layers;
* Complete state-machine handling;
* Implementation for unexpected chunk received in a certain
state (state-machine error handling)
* Support for 1-single connection;
* Sample application to test receive/transmit data-path;
* Test to validate SCTP stack;
Change-Id: I1b55c455ab400be9513f4e094dadfc3181d2ebc9
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
now we get:
00:00:04:288925: pg-input
...
00:00:04:289345: ethernet-input
...
00:00:04:289524: ip6-input
...
00:00:04:289553: ip6-mfib-forward-lookup
...
00:00:04:289584: ip6-mfib-forward-rpf
entry 14 itf 2 flags Forward,
00:00:04:289754: ip6-drop
UDP: 2002::1 -> ff01:2::255
tos 0x00, flow label 0x0, hop limit 64, payload length 21
UDP: 1234 -> 1234
length 21, checksum 0x90d1
00:00:04:289802: error-drop
ip4-input: Multicast RPF check failed
08:36:44,517 Count Node Reason
182 ip4-input Multicast RPF check failed
8 ip6-icmp-input neighbor advertisements sent
8 ip6-icmp-input router advertisements sent
8 arp-input ARP replies sent
Change-Id: I1b29cda4ec77a88db45bfb25c7473cd64bbf501a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
One-armed NAT should work for asymmetrical static mappings without adding external address to the NAT44 pool.
Change-Id: Ie886b75b55c3b552d1029a50bd967625fde80f09
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
DISCOVER message sent.
According to RFC2131:
In the case of a client using DHCP for initial configuration (before
the client's TCP/IP software has been completely configured), DHCP
requires creative use of the client's TCP/IP software and liberal
interpretation of RFC 1122. The TCP/IP software SHOULD accept and
forward to the IP layer any IP packets delivered to the client's
hardware address before the IP address is configured; DHCP servers
and BOOTP relay agents may not be able to deliver DHCP messages to
clients that cannot accept hardware unicast datagrams before the
TCP/IP software is configured.
To work around some clients that cannot accept IP unicast datagrams
before the TCP/IP software is configured as discussed in the previous
paragraph, DHCP uses the 'flags' field [21]. The leftmost bit is
defined as the BROADCAST (B) flag. The semantics of this flag are
discussed in section 4.1 of this document. The remaining bits of the
flags field are reserved for future use. They MUST be set to zero by
clients and ignored by servers and relay agents. Figure 2 gives the
format of the 'flags' field.
this changes means VPP conforms to the:
"SHOULD accept and forward to the IP layer any IP packets delivered
to the client's hardware address before the IP address is configured"
with the caveat that VPP allows DHCP packets destined to the stanard client
DHCP port to be delivered. With this enhancement the control-plane is now
able to choose the setting of the broadcast flag.
Change-Id: Ia4eb2c9bb1e30c29f9192facc645e9533641955a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
On reviece side svm queue only permits blocking and
non-blocking calls. This patch adds timed wait blocking
functionality which returns either on signal/event or
on given time out.
It also preserves the original behavior, so it will not
hurt client applications which are using svm queue.
Change-Id: Ic10632170330a80afb8bc781d4ccddfe4da2c69a
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
add option to NAT44 static mapping API/CLI to make rule asymmetrical (rule match only out2in direction)
Change-Id: If262a3ff375a24d3059f0de1f1ac387a4fe09475
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
- Refactor LDP to be stateless.
- Use upper bit of fd to identify
tag as VCL session.
- Clean up debug output.
- Add VCOM config env vars for
app name and sid bit.
- Add VCL get/set attributes
- Add VCL poll implementation.
Change-Id: I4603ae88254c460a024fdb79fe91c6d1ef9bc7b9
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Add option to NAT44 load balancing static mapping API/CLI to make rule asymmetrical (rule match only in out2in direction).
Change-Id: I325ecef5591e4bf44ce4469a24d44fe56c3bb2e9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ifcca60da3f77c0a4959f98b3365c846badbdc2d0
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
- rename l2_bridged to is_dvr. Including on the ip.api
this was new in the 18.01 release so no compatability issues.
- steal the free space in vnet_buffer_opaque_t for use with flags.
- run the ipX-output feature arc from the DVR DPO
Change-Id: I040e5976d1dbe076fcdda3a40a7804f56337ce3f
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Iddd754d00ace3d042336e5c2c40431566275051a
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
Change-Id: I7fa7d0ebf73dab8264a2e5ddbd412600d78ead05
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ib90dc5613c9fdac0344b3bd7f163e2f7163c64d8
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I66ae618edaa12c2b4e4afe276da689673b02c9cd
Signed-off-by: zhaoqingling <zhao.qingling@zte.com.cn>
|
|
Change-Id: I24e7a26972bbbfcea100292b212b29ae7a349335
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: Iab0baabf2f27bc7ad7fbf2d2789a493752b07d8a
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
L2 Emulation is a feautre that is applied to L2 ports to 'extract'
IP packets from the L2 path and inject them into the L3 path (i.e.
into the appropriate ip[4|6]_input node).
L3 routes in the table_id for that interface should then be configured
as DVR routes, therefore the forwarded packet has the L2 header
preserved and togehter the L3 routed system behaves like an L2 bridge.
Change-Id: I8effd7e2f4c67ee277b73c7bc79aa3e5a3e34d03
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
* NAT46: fix test cleanup, missing del keyword
* NAT66: fix kube-proxy vip, is ipv6
* add some missing kp_put_writer_lock
* wipe flowtable after each unit test
* Add new cli api: "test kube-proxy flowtable flush" to flushes everything
* Call this new cli function after the end of each kube-proxy unit test.
* same as commit b3d1b203579226ca5136b9d6a2744577d07cfcc6 for the lb plugin
Change-Id: I4146f44841328ec96eb66729e3bae3d40f33e4aa
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Add API function which enables forwarding of packets not matching
existing translation or static mapping instead of dropping them.
When forwarding is enabled matching packets will be translated
while non-matching packets will be forwarded without translation.
Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Translation of both source and destination addresses and ports for 1:1 NAT
session initiated from outside network (ExternalIP K8 use case).
Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
This plugin provides kube-proxy data plane on user space,
which is used to replace linux kernal's kube-proxy based on iptables.
The idea is largely inspired from VPP LB plugin.
Currently, kube-proxy plugin supports three service types:
1) Cluster IP plus Port: support any protocols, including TCP, UDP.
2) Node IP plus Node Port: currently only support UDP.
3) External Load Balancer.
Please refer to kp_plugin_doc.md for details.
Change-Id: I36690e417dd26ad5ec1bd77c7ea4b8100416cac6
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
Change-Id: I0e20100c9e2ca4e951f605a79d48c04ff47864cb
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
- GRE tunnels with the same src,dst addresses are not the same tunnel
- Two data-plane improvements:
- the cached key was never updated and so useless
- no need to dereference the tunnel's HW interface to get the sw_if_index
Change-Id: I2f2ea6e08c759a810b753cec22c497e921a2ca01
Signed-off-by: Neale Ranns <nranns@cisco.com>
|