| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: make
Change-Id: Ifb3e52af93d24fcc2f2e6a0c408e16902a2fe553
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- use user instance number in interface name
Restore the behavior of previous versions where the IPsec tunnel
interface name contained the value of the user-provided instance number.
For example, a command similar to
create ipsec tunnel local-ip . . . instance 5
would result in the creation of interface "ipsec5".
- ipsec: delete tunnel protection when asked
The "ipsec tunnel protect" command will parse a "del" argument but does
not undo the tunnel protection, leaving the SAs hanging around with
reference counts that were incremented by a previous invocation of the
command. Allow the tunnel protection to be deleted and also update the
help text to indicate that deletion is an option.
- test: ipsec: add test for ipsec interface instance
Also cleanup (unconfig) after TestIpsecItf4 NULL algo test.
Type: fix
Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type")
Signed-off-by: Eric Kinzie <ekinzie@labn.net>
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I9eff41407b0f172f2b567e6a4ea1c48be8df883a
|
|
Type: test
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Id07e8981a903f11f50fb494a93d01815382025e4
|
|
Type: improvement
on the dedicated IPSec interface, the SA describes the peer, so it is
not possible to forward to a peer for which there is no SA. Therefore if
an SA is added with NULL auth and integ then this explicitly states that
this is what the peer desires.
on the contrary on the IP-IP/GRE interface, in the absence of protection
and an SA, then the traffic is sent in the clear. So adding NULL
auth/crypto iSA is a means to describe that the peer should not be sent
traffic.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ic6c76b65e2dcc08916373153944507a297c962c0
|
|
The Python VPP Stats module also used the VPP heap.
Fix so it now explicitly allocates a heap.
Fixes: f68fccfe7e188fec2c9f91da38ca9acf6f67d811
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I0bd4ae64d6c89cdf634d8d9a91c23ab38017c5cc
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Ticket: VPP-1918
Type: improvement
Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: refactor
Change-Id: I54df533a8f863c4e49742903cf2457f18b4fc506
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: I613bf4d6517591351b212bfe6c8d93abf235f5dc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: Ifb36eeb146b87e9e305881429d32d6879e955e1e
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- VPP on opensuse has not been supported
for several releases.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I2b5316ad5c20a843b8936f4ceb473f932a5338d9
|
|
Type: fix
Change-Id: I6fdc4e952097e92ac3aa53e0be3ef99e0d801b28
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
The main information about plugin you can see in README.md
vpp# wireguard ?
wireguard create wireguard create listen-port <port> private-key <key> src <IP> [generate-key]
wireguard delete wireguard delete <interface>
wireguard peer add wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval]
wireguard peer remove wireguard peer remove <index>
Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Jim Thompson <jim@netgate.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.
CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2
- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.
Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.
test: ipsec: Add unit-test to test for RFC correct padding/alignment
test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well
- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:
https://github.com/secdev/scapy/issues/2322
Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
|
|
Type: fix
Change-Id: Ic6e2b7e05b50945a8e2222019c2942a6ee52e465
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
gso option is available for the debug CLI version of bond create.
This patch is to create a new API to have the corresponding option in
the binary API. The old binary API bond_create is marked deprecated.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0
|
|
Node variant names have changed to skx and icl.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I5be832aa59e4e440df53869077d801c011e3defa
|
|
Some of the tests are time-sensitive, and at present require a non-trivial
modification in order to run at high concurrency.
Without these modifications, they intermittently fail, and require
the test retries.
Rather than setting them to the extended tests and forgetting
about them, put them into a "solo" set, which gets run in a
single-threaded mode after the rest of the tests are done.
Mark a few of the tests that showed errors during TEST_JOBS=48
as forced-solo.
Also, give a better diagnostic if the testcase misses a docstring
needed to represent it in the diagnostic outputs.
Type: fix
Change-Id: I33fe62eb17edc1885bd2c3523892051d52da6546
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: feature
Change-Id: Ia19d3611e596d9ec47509889b34e8fe793a0ccc3
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ibad744788e200ce012ad88ff59c2c34920742454
|
|
Type: test
Change-Id: I490c1b1a2fa49badda038e6be014c77b9bee6c56
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Before this patch it was not allowed to replace
a dynamic ARP entry with a static one with the
same mac-address.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I6cfc0e510ffdf141c61874288f11a60395182374
|
|
For bond interface, we set hardware link state to up initially when
admin state is set to up. Thereafter, if we toggle the admin state to
down and up, we require at least one active member in the bond prior
to bringing up the hardware state which is inconsistent. The fix is to
remove the unnecessary condition.
This is a rework of the original proposed patch which is more complex
and could be tricky to get it right
https://gerrit.fd.io/r/c/vpp/+/27141
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I65f4fee55299b5b4d5645f6e05e1be15b46b73cd
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ia77ce41a8f1a032c5e027c4bb47347752cfda0a9
|
|
- Replace textual string slave with member except APIs.
- For APIs, mark the existing APIs as deprecated and introduce new APIs
- While introducing sw_bond_interface_dump, add the optional filter by
sw_if_index and enhance the testcases to make use of it.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ib6626c514e45350308aeeda0decb70f3aba2f63e
|
|
create geneve tunnel local 10.10.10.10 remote 10.10.10.9 vni 48 decap-next node ethernet-input l3-mode
set interface ip address geneve_tunnel0 11.11.11.12/24
Type: feature
Change-Id: I579ce879553d72a2e8048e33d0c0122674996b81
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
|
|
This updates the computation of the outer ip6 header payload_length
field in order to take into account the GRE header length.
Change-Id: Ie9f982521aeaef7279a9e329a33272d6fae0a428
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
This ensures we don't recompute the requirements-{2,3}.txt on each make
test run, and skips patching scapy if it is already patched instead of
failing.
Change-Id: I3da57182ae49f3dd04db139d96734a5d145fedff
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
Cover vl_mem_api_dead_client_scan(...), which is not so simple. Spin
up vpp_api_test using pexpect.spawn, make it bootstrap a private
memory segment, kill vpp_api_test, and wait for the dead client
scanner to run a few times so that it declares the client dead.
The test only runs if GCOV_TESTS=yes is set in the environment.
Type: test
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I3c712fa011df2e23761a2e73c1aba0c7e50123a6
|
|
Type: fix
Change-Id: I7005e4763e73f3679c40f94bdab26d439cd23188
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
This avoids using dirty data from shared memory by client.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I96eecf655bf344ec29609cedbd8dc891b572e207
|
|
VXLAN uses csum_offload for IPv6 packets.
But without gso node we have csum calculated only for inner
packet.
This patch adds support for outer header csum calculation.
Checksum for inner packet should be calculated before
interface-output node (for example in vxlan node).
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Ica68429ede4426293769207cd83c791ebe72fe56
|
|
This reverts commit 9121c415a91904be50071ec55143d9c89b2f1b91.
Reason for revert: causes deadlock with multiple worker threads
Type: fix
Change-Id: Icf3d6d343d99d887abacbaa03acbf04d4628514e
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: test
Change-Id: I9e4f7cf44d465712aa26e5dd6a0ff38588964a39
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
Bond link state is being maintained inconsistently. It is initially set to
up. If the bond interface admin state is set to down, the link state is
set to down. If the bond interface admin state is set to up, the link
state is only set to up if there are active slave interfaces at that point.
If slaves become active at some later time, it does not get updated. Its
next chance to be updated is the next time the bond interface is set to
admin up.
To address this, do not set the link state to up after creating a bond.
Adjust the link state as slave interfaces are attached or detached
based on whether the bond is getting its first active slave or losing
its last one.
Unit test added to verify correct maintenance of link state.
Change-Id: I31f17321f7f0e727e1ab1e01713423af6566dad9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This fixes an issue where the pinned requirements file can be modified
when running the tests.
Change-Id: Ic89d1844d1fd8d00f62211a9b051a26ac34ee316
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
In case there is no free space in first buffer for ICV and footer,
additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
- TCP packets with payload 1992
- ICMP packets with payload 2004
This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
|
|
Type: feature
* initiator behind NAT supported
* tested with static NAT mappings
* works only with pre-configured tunnels
The pre-configured tunnel has to be defined as follows:
initiator (i) side: src=ip(i) dst=ip(r)
responder (r) side: src=ip(r) dst=ip(nat)
Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Since the removal of "users" concept in ED-NAT nat44_user_dump API
returns empty array. This brings back previous behaviour at
a considerable runtime cost until a better API is introduced.
Type: improvement
Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Signed-off-by: Ye donggang <yedg@wangsu.com>
Change-Id: Ia9f72ff2be455ecd4ff3d16e884c5a50f9df69fe
|
|
Type: fix
it is possible for a user to change the end node of a feature arc, but
this change should only apply to that 'instnace' of the arc, not all
arcs. for example, if a tunnel has its ipx-output end node changed to
adj-midchain-tx, this shouldn't affect all ipx-output arcs. obviously...
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I41daea7ba6907963e42140307d065c8bcfdcb585
|
|
Type: feature
the es4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
|
|
Tests currently expect the logger to be poked from run_tests.py.
The tests should run without any magic values. This change sets a default
null logger and removes the hasattr checks for the logger.
For reference, see: https://docs.python-guide.org/writing/logging/
Type: test
Change-Id: I98f953d73d12d00e74b59c94a0fb8c7a625b9c44
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: feature
thus allowing NAT traversal,
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: test
This commit fixes the make test for GSO/IPIP which are added in
following commit id: 84f91fa9c54f82c54b58ea3bf6e9ba22ff735d3a
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I66a57fe195e626b432ff0acba3a5bdf242a7a46e
|
|
Add an IP_ROUTE_LOOKUP function that does either an exact match or
longest prefix match in a given fib table for a given prefix
returning the match if present.
Add API test.
Type: improvement
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-ID: I67ec5a61079f4acf1349a9c646185f91f5f11806
|
|
Type: feature
Change-Id: I37752af8496e0042a1da91124f3d94216b39ff11
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
- inline some common encap fixup functions into the midchain
rewrite node so we don't incur the cost of the virtual function call
- change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header
- add adj-midchain-tx to multiarch sources
- don't run adj-midchain-tx as a feature, instead put this node as the
adj's next and at the end of the feature arc.
- cache the feature arc config index (to save the cache miss going to fetch it)
- don't check if features are enabled when taking the arc (since we know they are)
the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc)
for IPSec:
- don't run esp_encrypt as a feature, instead when required insert this
node into the adj's next and into the end of the feature arc. this
implies that encrypt is always 'the last feature' run, which is
symmetric with decrypt always being the first.
- esp_encrpyt for tunnels has adj-midchain-tx as next node
Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
Damjan Marion
Eric Kinzie
Neale Ranns
Ole Troan
Filip Tehlar
Dave Wallace
Artem Glazychev
Christian Hopps
Nathan Skrzypczak
Steven Luong
Ray Kinsella
Andrew Yourtchenko
Mohsin Kazmi
Dave Barach
Benoît Ganne
Vladimir Isaev
Klement Sekera
Aloys Augustin
Matthew Smith
PiotrX Kleski
yedg
Paul Vinciguerra