|
In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).
The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.
This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.
Check whether each packet should be dropped instead of only checking
when a new SA is encountered.
Update unit tests:
- Add a test for no algs on tunnel interface which enables
asynchronous crypto.
- Send more than one packet in the tests for no algs.
Type: fix
Fixes: dac9e566cd16fc375fff14280b37cb5135584fc6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf
|
|
Split virtual interface tests in VPP into smaller and modular
tests for testing various interface types and features.
Type: test
Change-Id: Ic38af88379f75eee3090679d411edbdc8fd5d2e5
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
Type: improvement
Change-Id: Ide4b45da99e3a67376281f6438997f3148be08e5
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
|
|
RFC 7296 describes the way to rekey IKE SAs: to rekey an IKE SA,
establish a new equivalent IKE SA with the peer to whom the old
IKE SA is shared using a CREATE_CHILD_SA within the existing IKE
SA. An IKE SA so created inherits all of the original IKE SA's
Child SAs, and the new IKE SA is used for all control messages
needed to maintain those Child SAs.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icdf43b67c38bf183913a28a08a85236ba16343af
|
|
The error node is set to ip6_input in the inline function
associated with ip6_rewrite. Thus, error counters defined
for node ip6 rewrite are never used.
Type: fix
Change-Id: Id6bef633928b0fff9069498c2e39e9f5bea2cf9b
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
|
|
VPP requires GNU Make to build, on GNU systems (such as Debian), GNU
Make is installed as 'make', typically with a symlink from 'gmake'.
On other systems (such as FreeBSD), 'make' is a BSD Make derivative
and GNU Make is installed as 'gmake'.
Use $(MAKE) variable for make calls from within Makefiles. This
variable is set to the path of the calling make program, i.e.,
/usr/local/bin/gmake on a bsd system.
This is the recommended way to call make from Makefiles in the GNU Make
documentation.
Type: improvement
Change-Id: Id9162a34a0f8358f22090718087918dae31c0fce
Signed-off-by: Tom Jones <thj@freebsd.org>
|
|
VPP requires bash for all shell scripts. Align shebang lines in build
and test scripts to look up the location of bash rather than hard coding
'/bin/bash'.
Look up the location of bash for makefiles.
Type: improvement
Change-Id: I23b705d81d60389fa8af61c680cf0abd74f0ea24
Signed-off-by: Tom Jones <thj@freebsd.org>
|
|
When sanity test is not done, API files are not loaded until the
first test case is run. Hence, it is not possible to use enums, etc.
outside of a test class.
Preloading API files before running any tests prevents this
issue.
Type: fix
Change-Id: I8730150374e6c5f8d6933ec037811372ac2a8da0
Signed-off-by: Maxime Peim <mpeim@cisco.com>
|
|
Add an urpf_interface_dump() API call, with optional sw_if_index.
If either a mode or a table is specified in any given interface
address family and direction, return it in a list, otherwise omit
it.
TESTED:
create loopback interface instance 0
create loopback interface instance 1
create loopback interface instance 2
create loopback interface instance 3
ip6 table add 8298
set urpf ip4 rx loose loop1
set urpf ip6 tx off loop2 table 8298
API call urpf_interface_dump(sw_if_index=~1) returns:
[
urpf_interface_details(_0=658, context=2, sw_if_index=2, is_rx=True, mode=<vl_api_urpf_mode_t.URPF_API_MODE_LOOSE: 1>, af=<vl_api_address_family_t.ADDRESS_IP4: 0>, table_id=0),
urpf_interface_details(_0=658, context=2, sw_if_index=3, is_rx=False, mode=<vl_api_urpf_mode_t.URPF_API_MODE_OFF: 0>, af=<vl_api_address_family_t.ADDRESS_IP6: 1>, table_id=8298)
]
Type: improvement
Change-Id: I1ded5c445dc07dab73ea41b817b5827b72ca79d4
Signed-off-by: pim@ipng.nl
|
|
Type: test
Change-Id: Idd608511ed350a8e13afff393e558e20d52627a0
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: I711dfe65ad542a45acd484f0b4e3e6ade9576f66
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
This merge request adds the feature to manipulate localsids and policies for SRv6 mobile via API.
Type: feature
Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
Change-Id: Ibb46bf71ae1d9d4591ce2c8ccf66f520887dad70
|
|
Type: test
Change-Id: I026d9298fe1372d03f61b6ad57c82628bab4c831
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: feature
Change-Id: I7b29c71d3d053af9a53931aa333484bf43a424ca
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Fetch 'pg-input' node index instead
of using a hardcoded value
Change-Id: I1ca27ddb54806530b546085d83e83b880acc4573
Signed-off-by: hsandid <halsandi@cisco.com>
|
|
Type: test
Change-Id: Ie054924eb5e5b2b146db8d2b63511c8b0400f045
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Pass a correct form of node variant config in tests
Type: fix
Signed-off-by: d-valter@yandex-team.ru
Change-Id: I8cdc240b18a1664e57a5814d6cd644891c99f515
Fixes: 8800f732f868bf54da8adba05e38bd2477895ca5
|
|
Type: test
Change-Id: Id621a806b853688ced7c6a38e1a9e5f298d2b97e
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: I504c079126bd8b33c5e217a1b9086788a8c778e5
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: test
Change-Id: I387611cfc361e664eb1e78ae669ba4e3901c4fe6
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: I270798ed68f04bd3974dd39c44e85dad5fa02de0
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Currently, when IPFIX records generation is enabled for an interface in
the TX direction, some rewritten traffic is being sent from that
interface, and the Ethernet header's location has changed due to
rewriting, generated TX flows will contain fields with wrong and zero
values. For example, that can be observed when traffic is rewritten from
a subinterface to a hardware interface (i.e. when tags are removed). A
TX flow generated in this case will have wrong L2 fields because of an
incorrectly located Ethernet header. And zero L3/L4 fields because the
Ethernet type will match neither IP4 nor IP6.
The same code is executed to generate flows for both input and output
features. And the same mechanism is applied to identify the Ethernet
header in the buffer's data. However, such general code usually works
with the buffer's data conditionally based on the direction. For most
input features, the buffer's current_data will likely point to the IP
header. For most output features, the buffer's current_data will likely
point to the Ethernet header.
With this fix:
- Keep relying on ethernet_buffer_get_header() to locate the Ethernet
header for input features. And start using vlib_buffer_get_current()
to locate the Ethernet header for output features. The function will
account for the Ethernet header's position change in the buffer's
data if there is rewriting.
- After fixing Ethernet header determination in the buffer's data,
L3/L4 fields will contain non-zero but still incorrect data. That is
because IP header determination needs to be fixed too. It currently
relies on the fact that the Ethernet header is always located at the
beginning of the buffer's data and that l2_hdr_sz can be used as an
IP header offset. However, this may not be the case after rewriting.
So start calculating the actual offset of the IP header in the
buffer's data.
- Add a unit test to cover the case.
Type: fix
Change-Id: Icf3f9e6518912d06dff0d5aa48e103b3dc94edb7
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: test
Change-Id: I1910f3ef79e9018aee032daca0f1932eccb7b9f9
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
- test_http_static.py: If namespace creation fails, try to delete the namespace and create it again
- vpp_qemu_utils.py: Added "isinstance()" to "delete_namespace()" to match "create_namespace()"
Type: test
Change-Id: I88ff7a36f5d52816fee16283efba6af025496491
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: Ief0c0e13a2c19a03b48219d9a0d85256fb0c9dbe
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: I77f119ac982170627484d792dc456753c9847af8
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
As a result of recent fixes, all currently stored flows of an interface
are deleted when the feature is being disabled for the interface. This
includes stopping the timer and freeing the flow entries for further
reuse. The problem is that meta information is not cleared in the flow
entries being deleted. For example, packet delta count will keep its
value. The next flow that gets one of these pool entries will already
have a non-zero packet count. So the counting of packets will start from
a non-zero value. And incorrect packet delta count will be exported for
that flow.
With this fix, clear meta information too when clearing interface state.
Also, update the corresponding test to cover this case.
Type: fix
Change-Id: I9a73b3958adfd1676e66b0ed50f1478920671cca
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Allow setting default values explicitly in positive_int_or_default and
positive_float_or_default.
It allows setting default 0 test retries explicitly despite it
being not positive.
Type: improvement
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: Id23a9fdae0ef174eea8992c1f9fc2530aade6194
|
|
- Make framework.py classes a subset of asfframework.py classes
- Remove all packet related code from asfframework.py
- Add test class and test case set up debug output to log
- Repatriate packet tests from asf to test directory
- Remove non-packet related code from framework.py and
inherit them from asfframework.py classes
- Clean up unused import variables
- Re-enable BFD tests on Ubuntu 22.04 and fix
intermittent test failures in echo_looped_back
testcases (where # control packets verified but
not guaranteed to be received during test)
- Re-enable Wireguard tests on Ubuntu 22.04 and fix
intermittent test failures in handshake ratelimiting
testcases and event testcase
- Run Wireguard testcase suites solo
- Improve debug output in log.txt
- Increase VCL/LDP post sleep timeout to allow iperf server
to finish cleanly.
- Fix pcap history files to be sorted by suite and testcase
and ensure order/timestamp is correct based on creation
in the testcase.
- Decode pcap files for each suite and testcase for all
errors or if configured via commandline option / env var
- Improve vpp corefile detection to allow complete corefile
generation
- Disable vm vpp interfaces testcases on debian11
- Clean up failed unittest dir when retrying failed testcases
and unify testname directory and failed linknames into
framework functions
Type: test
Change-Id: I0764f79ea5bb639d278bf635ed2408d4d5220e1e
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: test
Change-Id: I1883b50f67890aefb28ca0ca7447f4e73c574d26
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
- Use of well known UDP port numbers causes random
failure of mdata and bufmon tests
Type: test
Change-Id: I21a01c54e5f166aea101d3caace85b53f3f7285d
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: test
Change-Id: I5fddb293f1b56853613ca2823dbb6d3d887d9929
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
traffics
In this patch, IPsec related test files have been modified to send UDP-encapsulated
ESP packets, and validate against Inbound and Outbound policies that are configured
with Bypass, Discard and Protect action.
Type: test
Change-Id: I4b8da18270fd177868223bfe1389dc9c50e86cc5
Signed-off-by: vinay Tripathi <vinayx.tripathi@intel.com>
|
|
Type: test
Change-Id: I5a2d1b2c92f2bb7c45a7b5e025584d9417487840
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Coverage increased from 21% to 80%
Type: test
Change-Id: Ic8ecc620cef738d7dbe4c259f58a373ac155a588
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: improvement
Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window sizes. It is done through a clib_bitmap.
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
|
|
Currently, TCP flags of a flow entry don't get reset once the flow is
exported (unlike other meta information about a flow - packet delta
count and octet delta count). So TCP flags are accumulated as long as
the flow is active. When the flow expires, it is exported the last time,
and its pool entry is freed for further reuse. The next flow that gets
this pool entry will already have non-zero TCP flags. If it's a TCP
flow, the flags will keep being accumulated. This might look fine when
exported. If it's a non-TCP flow, that will definitely look erroneous.
With this fix, reset TCP flags once the flow is exported. Also, cover
the reuse case with tests.
Type: fix
Change-Id: I5f8560afffcfe107909117d3d063e8a69793437e
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: test
Change-Id: I8665492c2f7755901a428aacdb27e98329ff557a
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Coverage increased from 35% to 94%
Type: test
Change-Id: I9a54a58bf53b29a771a93ce03998e95fbcd518eb
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Coverage increased from 54% to 92%
Type: test
Change-Id: Ibb26f2b8989c5bb2826190c961bffe2c21c3f9a2
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: improvement
If an interface address is added, the glean adjacency for its covering
prefix is updated with that address. In the case of multiple addresses
within the same prefix being added, the most recently added one will end
up being used as the sender protocol address for ARP requests.
Similar behavior occurs when an interface address is deleted. The glean
adjacency is updated to some appropriate entry under its covering
prefix. If there were multiple interface addresses configured, we may
update the address on the adjacency even though the address currently in
use is not the one being deleted.
Add a new value PROVIDES_GLEAN to fib_entry_src_flag_t. The flag
identifies whether a source interface entry is being used as the address
for the glean adjacency for the covering prefix.
Update logic so that the glean is only updated on adding an interface
address if there is not already a sibling entry in use which has the
flag set. Also, only update the glean on deleting an interface address
if the address being deleted has the flag set.
Also update unit test which validates expected behavior in the case
where multiple addresses within a prefix are configured on an interface.
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I7d918b8dd703735b20ec76e0a60af6d7e571b766
|
|
Type: test
Change-Id: I30dfaed684e1f808089bb8eb301486434425ccd7
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Type: test
Change-Id: I96ec8b4347210672bc587407ab2fd0f0305ea486
Signed-off-by: adrianvillin <avillin@cisco.com>
|
|
Currently, when L2 and L4 recording is enabled on the L2 datapath, the
L2 template will contain L4 fields and L2 flows will be exported with
those fields always set to zero.
With this fix, when L4 recording is enabled, add L4 fields to templates
other than the L2 template (i.e. to the IP4, IP6, L2_IP4, and L2_IP6
templates). And export L2 flows without L4 fields. Also, cover that case
in the tests.
Type: fix
Change-Id: Id5ed8b99af5634fb9d5c6e695203344782fdac01
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Using the source address selection algorithm to determine the best source
of an NS for address resolution risks incompatible behavior.
It may choose a source address that is off-link to the other host.
Which may drop it.
A safer approach is to always use the link-local address as the SA.
It's recommended to pick a source that an application will later use,
as VPP is mostly a router, that rarely applies. And regardless we have
no mechanism to signal from an application that triggered address resolution
what source address it intends to use.
Type: fix
Change-Id: I3c5de66e41505f3682767706ef1195a20e4f0e54
Signed-off-by: Ole Troan <otroan@employees.org>
|
|
When IPFIX flow record generation is enabled on an interface and the
active timer is set, flows will be saved and then exported according to
the active and passive timers. If the feature is then disabled on the
interface, the flow entries currently saved will remain in the state
tables. They will gradually expire and be exported. The problem is that
the template for them has already been removed. And they will be sent
with zero template ID which will make them unreadable.
A similar problem will occur if feature settings are "changed" on the
interface - i.e. disable the feature and re-enable it with different
settings (e.g. set a different datapath). The remaining flows that
correspond to the previous feature settings will be eventually sent
either with zero template ID or with template ID that corresponds to the
current feature settings on the interface (and look like garbage data).
With this fix, flush the current buffers before template removal and
clear the remaining flows of the interface during feature disabling.
Type: fix
Change-Id: I1e57db06adfdd3a02fed1a6a89b5418f85a35e16
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
This prevents ipfix flood with the repeating events and allows
to enable nat64 max_session and max_bibs events. Also fix wrong
endian for det44 and nat64 ipfix tests, now should be fine with
extended tests enabled.
Max session per user event @ nat44-ei requires more precise rate
limiter per user address, probably with sparse vec, not handled.
Type: improvement
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ib20cc1ee3f81e7acc88a415fe83b4e2deae2a836
|
|
Support rewriting the inner packet for ICMP6 error messages.
Type: feature
Change-Id: I7e11f53626037075a23310f1cb7e673b0cb52843
Signed-off-by: Ole Troan <otroan@employees.org>
|
|
When MAC address changes for an interface, address change callbacks are
executed for it. In turn adjacencies register a callback for MAC address
changes to be able to update their rewrite strings accordingly.
Subinterfaces inherit MAC address from the parent interface. When MAC
address of the parent interface changes, it also implies MAC address
change for its subinterfaces. The problem is that this is currently not
considered when address change callbacks are executed. After MAC address
change on the parent interface, packets sent from subinterfaces might
have wrong source MAC address as the result of stale adjacencies. For
example, ARP messages might be sent with the wrong (previous) MAC
address and address resolution will fail.
With this fix, when address change callbacks are executed for an
interface, they will be also executed for its subinterfaces. And
adjacencies will be able to update accordingly.
Type: fix
Change-Id: I87349698c10b9c3a31a28c0287e6dc711d9413a2
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Currently, L2 flows are exported using L2_IP6 template if L3 or L4
recording is enabled on L2 datapath. That occurs because during feature
enable, L2 template is added and its ID is not saved immediately. Then
L2_IP4 and L2_IP6 templates are added overwriting "template_id" each
time. And in the end, the current value of "template_id" is saved for L2
template. The problem is that "template_id" at that point contains the
ID of L2_IP6 template.
With this fix, save the template ID immediately after adding a template
for all variants (datapaths). Also, cover the case with a test.
Type: fix
Change-Id: Id27288043b3b8f0e89e77f45ae9a01fa7439e20e
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|