summaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2021-11-22ipfix-export: add mutliple ipfix_exporters testsPaul Atkins1-0/+192
Now that we support multiple exporters add some basic tests to verify that we can create/delete multiple exporters and that the streaming commands work. Type: test Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: I577f38440790080bfdcf87a8a6828da6cb6f1707
2021-11-19fib: Don't use [midchain] adjacencies to change an interface's feature arcNeale Ranns1-3/+29
Type: fix Using the adjacency to modify the interface's feature arc doesn't work, since there are potentially more than one adj per-interface. Instead have the interface, when it is created, register what the end node of the feature arc is. This end node is then also used as the interface's tx node (i.e. it is used as the adjacency's next-node). rename adj-midhcain-tx as 'tunnel-output', that's a bit more intuitive. There's also a fix in config string handling to: 1- prevent false sharing of strings when the end node of the arc is different. 2- call registered listeners when the end node is changed For IPSec the consequences are that one cannot provide per-adjacency behaviour using different end-nodes - this was previously done for the no-SA and an SA with no protection. These cases are no handled in the esp-encrypt node. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If3a83d03a3000f28820d9a9cb4101d244803d084
2021-11-15fib: re-evaluate the import/export state of a prefix.Neale Ranns1-0/+135
Type: fix re-evaluate the import/export state of a prefix when the interface it is attached to rebinds to a different table. Only attached routes have import/export requirements, so we can back walk from the glean adjacency when the interface rebinds tables. There are two cases to consider. 1. the rebind may change the prefix from/to import 2. the import VRF may change Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I25b6af43b3b2d8f701dfbe7a08710dc56b3f5778
2021-11-10nat: api autoendian fixFilip Varga2-16/+12
Fixed bad use of macros for autoendian API calls and updated tests for the new API. Removed sw_if_index check macro because of ntol conversion. Changed REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions. Type: fix Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-09tests: Remove the error output from the linux-cp testsNeale Ranns1-6/+3
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ib9899327897f36219c113fedb25366cd1be463a0
2021-11-09tests: fix missing dataclasses module in python 3.6Dave Wallace1-0/+1
Type: fix Fixes: b8165b96f Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Ic82a0404073a26e3d160b01c9038cde11eedf3ec
2021-11-09memif: memif linkstate can't become upDaniel Béreš1-0/+40
Admin down implies Link down but nothing came with admin up. Ticket: VPP-1959 Type: fix Change-Id: I43725329ae7918659c73d703280c25de5f0b1d14 Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
2021-11-06tests docs: fix jsonschema dependencyDave Wallace2-2/+2
- docs requires jsonschema which is only supported on python 3.7 or newer. This causes 'make test' to fail on Ubuntu 18.04 Type: fix Fixes: 9ad39c026 Change-Id: I0935c569ac102ea1dba6112f458e6ee10330e474 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-11-06unittest: remove clib_count_equal_* testsDamjan Marion1-1/+1
Due to multiarch nature of that code, those tests doesn't bring much value. New tests will be addes as part of refactor. Type: refactor Change-Id: I41056dc99d08cd6ca38f9e00e8cf6a465c90edb7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-11-05unittest: gcc-11 errors for clib_strcpy, clib_strstr, clib_strcat, and ↵Steven Luong1-3/+3
clib_strncat There are 3 versions of the string functions. For example, for strcpy, they are 1. strcpy(dst, src) -- the legacy unsafe version 2. strcpy_s(dst, dmax, src) -- C11 safeC version which has an addition argument named dmax. 3. clib_strcpy(dst,src) -- clib version to enable legacy code that uses strcpy to make use of strcpy_s without adding the additional argument, dmax, which is required by the C11 safeC version. The implementation for the clib version is to artificially provide dmax to strcpy_s. In this case, it uses 4096 which assumes that if the legacy code works without blowing up, it is likely to work with the clib version without problem. gcc-11 is getting smarter by checking if dmax is within the object's boundary. When the object is declared as static array, it will flag a warning/error if dmax is out of bound for the object since the real size of dst can be determined at compile time. There is no way to find the real size of dst if the object is dynamically allocated at compile time. For this reason, we simply can't provide support for the clib version of the function anymore. If any code is using the clib version, the choice is to migrate to the safeC version. Type: fix Fixes: b0598497afde60146fe8480331c9f96e7a79475a Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I99fa59c878331f995b734588cca3906a1d4782f5
2021-11-03tests: Apply the 'return self' pattern for the L2 objectsNeale Ranns1-0/+5
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3286fbf09d18719546ba80e9cb81c7e58f87a603
2021-11-02tests: update python packagesDave Wallace3-110/+134
- Also fix docs requirements and venv cleanup required for docker executor building Type: test Change-Id: I839423224d95c45af42f459217887f4201cbb11a Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-11-02build: remove unnecessary executable bitsRay Kinsella15-0/+0
Run 'find src -executable -type f', remove unnecessary executable bits from the source tree. Type: refactor Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I070e22c8fb2ef8712bc3ea620727ee5ab3d9a9fb
2021-10-22fib: Don't back walk from a path-list when a child fist attaches.Neale Ranns1-1/+11
Type: fix If the walk is triggered when the child is added, then that child is visited in the walk. However, since it is just attahcing to the path-list it may not, or indeed cannot, have all the context it needs to successfully handle the walk. In the case of MPLS tunnel, it does not have the path extensions ready, and cannot since the path extensions need to resolve on the path-list. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I027af8cf2f522d2f6e37931bea60c767f0cb667d
2021-10-21cnat: improve testsNathan Skrzypczak1-737/+562
Type: improvement This is an attempt to make the cnat tests more readable by hiding the scapy packet generation under a common context concept. This in order to add tests covering a wider range of scenarios. As of now, only VIP, snat & DHCP being covered Change-Id: Ia84868984506bbb652fe974e9a6f54f7a3cc0bd9 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-20nat: enable skipped nat44-ed multi worker testsFilip Varga1-57/+0
Type: test Change-Id: I185725c0f94084d08c8514642a84a04da62398e1 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-20nat: nat44-ei configuration improvementsFilip Varga1-16/+1
nat44-ed core configuration improvements & fixes [0-5] adjusted for nat44-ei plugin. Improvements: * repeating code converted to functions * simplified functions used for pool address, static mapping and interface configuration. Clean up: * remove obsolete code and logic persisted after plugin separation from old SNAT plugin. Fixes: * [0] return correct API behavior changed in [5] Type: improvement [0] https://gerrit.fd.io/r/c/vpp/+/33622 [1] https://gerrit.fd.io/r/c/vpp/+/33431 [2] https://gerrit.fd.io/r/c/vpp/+/33337 [3] https://gerrit.fd.io/r/c/vpp/+/33249 [4] https://gerrit.fd.io/r/c/vpp/+/32796 [5] https://gerrit.fd.io/r/c/vpp/+/32951 Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
2021-10-14nat: static mappings in flow hashKlement Sekera4-10/+238
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
2021-10-13docs: better docs, mv doxygen to sphinxNathan Skrzypczak8-922/+116
This patch refactors the VPP sphinx docs in order to make it easier to consume for external readers as well as VPP developers. It also makes sphinx the single source of documentation, which simplifies maintenance and operation. Most important updates are: - reformat the existing documentation as rst - split RELEASE.md and move it into separate rst files - remove section 'events' - remove section 'archive' - remove section 'related projects' - remove section 'feature by release' - remove section 'Various links' - make (Configuration reference, CLI docs, developer docs) top level items in the list - move 'Use Cases' as part of 'About VPP' - move 'Troubleshooting' as part of 'Getting Started' - move test framework docs into 'Developer Documentation' - add a 'Contributing' section for gerrit, docs and other contributer related infos - deprecate doxygen and test-docs targets - redirect the "make doxygen" target to "make docs" Type: refactor Change-Id: I552a5645d5b7964d547f99b1336e2ac24e7c209f Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-10-12fib: fix the drop counter for ipv6 RPF failuresNeale Ranns1-0/+6
Type: fix the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting. The traces previously showed some bogus reason: 00:04:27:325550: ip6-mfib-forward-rpf entry 10 itf -1 flags 00:04:27:325551: ip6-drop fib:0 adj:10 flow:0 UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2 tos 0x00, flow label 0x651ed, hop limit 1, payload length 64 UDP: 546 -> 547 length 64, checksum 0xec9a 00:04:27:325551: error-drop rx:GigabitEthernet6/0/0 00:04:27:325553: drop ip6-input: drops due to concurrent reassemblies limit Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
2021-10-12ipsec: Performance improvement of ipsec4_output_node using flow cacheGovindarajan Mohandoss2-0/+794
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup performance. Details about flow cache: Mechanism: 1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache. 2. The flow cache is implemented using bihash without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision and fall back to linear search. Average and best case will be O(1). 3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows. This can be made as a configurable option as a next step. 4. Whenever a SPD rule is added/deleted by the control plane, the flow cache entries will be completely deleted (reset) in the control plane. The assumption here is that SPD rule add/del is not a frequent operation from control plane. Flow cache reset is done, by putting the data plane in fall back mode, to bypass flow cache and do linear search till the SPD rule add/delete operation is complete. Once the rule is successfully added/deleted, the data plane will be allowed to make use of the flow cache. The flow cache will be reset only after flushing out the inflight packets from all the worker cores using vlib_worker_wait_one_loop(). Details about bihash usage: 1. A new bihash template (16_8) is added to support IPv4 5 tuple. BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set to 1 in the new template. It means only one KVP is supported per bucket. 2. Collision handling is avoided by calling BV (clib_bihash_add_or_overwrite_stale) function. Through the stale callback function pointer, the KVP entry will be overwritten during collision. 3. Flow cache reset is done using BV (clib_bihash_foreach_key_value_pair) function. Through the callback function pointer, the KVP value is reset to ~0ULL. MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt, 64B for different SPD policy matching indices: SPD Policy index : 1 10 100 1000 Throughput : MPPS/MPPS MPPS/MPPS MPPS/MPPS KPPS/MPPS (Baseline/Optimized) ARM Neoverse N1 : 5.2/4.84 4.55/4.84 2.11/4.84 329.5/4.84 ARM TX2 : 2.81/2.6 2.51/2.6 1.27/2.6 176.62/2.6 INTEL SKX : 4.93/4.48 4.29/4.46 2.05/4.48 336.79/4.47 Next Steps: Following can be made as a configurable option through startup conf at IPSec level: 1. Enable/Disable Flow cache. 2. Bihash configuration like number of buckets and memory size. 3. Dual/Quad loop unroll can be applied around bihash to further improve the performance. 4. The same flow cache logic can be applied for IPv6 as well as in IPSec inbound direction. A deeper and wider flow cache using bihash_40_8 can replace existing bihash_16_8, to make it common for both IPv4 and IPv6 in both outbound and inbound directions. Following changes are made based on the review comments: 1. ON/OFF flow cache through startup conf. Default: OFF 2. Flow cache stale entry detection using epoch counter. 3. Avoid host order endianness conversion during flow cache lookup. 4. Move IPSec startup conf to a common file. 5. Added SPD flow cache unit test case 6. Replaced bihash with vectors to implement flow cache. 7. ipsec_add_del_policy API is not mpsafe. Cleaned up inflight packets check in control plane. Type: improvement Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com> Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Tested-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006
2021-10-12Revert "nat: static mappings in flow hash"Ole Troan4-240/+11
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12nat: static mappings in flow hashKlement Sekera4-11/+240
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-10-11ip: fix fib and mfib locksNathan Skrzypczak1-0/+27
This patches fixes an issue that could cause fib locks to underflow: if an API user deletes a fib and quickly recreates it, the fib may not have been actually deleted. As a result, the lock would not be incremented on the create call leading to the fib potentially disappearing afterwards - or to the lock to underflow when the fib is deleted again. In order to keep the existing API semantics, we use the locks with API and CLI source as flags. This means we need to use a different counter for the interface-related locks. This also prevents an issue where an interface being bound to a vrf via API and released via CLI could mess up the lock counter. Finally, this will help with cleaning up the interface-related locks on interface deletion in a later patch. Type: fix Change-Id: I93030a7660646d6dd179ddf27fe4e708aa11b90e Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com> Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-10-08vxlan-gpe: add udp-port configuration supportArtem Glazychev3-112/+235
similar behavior as here: 839dcc0fb7313638d9b8f52a9db81350dddfe461 Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I1b0a8f8f3dab48839e27df7065cf5f786cf0b5e9
2021-10-07udp: fix severity error infoFilip Tehlar2-3/+3
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I415d68b39ecac546b531f6eb98bca51e7eb6f7f7
2021-10-07ikev2: do not require optional IDr on IKE AUTHBenoît Ganne1-12/+31
IDr is optional in IKE AUTH from the initiator. In that case, the responder is free to use any matching profile and fills the corresponding IDr in the response. The initiator is then free to accept or reject it. Type: improvement Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-06wireguard: add events for peerArtem Glazychev1-8/+136
we can receive events from peer about its state: -WIREGUARD_PEER_STATUS_DEAD -WIREGUARD_PEER_ESTABLISHED Type: improvement Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06wireguard: add ipv6 supportArtem Glazychev1-51/+448
Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-06docs: vnet comment nitfixesNathan Skrzypczak1-1/+1
Type: improvement Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06ip: add classifier-based ACLs support on ip puntBenoît Ganne2-2/+78
This feature allows one to add classifier-based ACLs on packets punted from the ip infra, eg. to only whitelist specific sender(s). Type: feature Change-Id: Idab37b188583efbca980038875fc3e540cb2e880 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-05build: don't hardcode triplet, allow specifying custom lib dirDamjan Marion2-21/+23
Type: fix Change-Id: I33f364fda88914f88f9b976cb83e6d3ff466f0bb Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
2021-10-04wireguard: use the same udp-port for multi-tunnelArtem Glazychev1-0/+104
now we can reuse udp-port for many wireguard interfaces Type: improvement Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-04ip: fix punt for ipv6Benoît Ganne1-0/+144
Type: fix Change-Id: I583c30e9b63c0b0b6cd5fef0b2cb9ed7ec9856e2 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-30wireguard: move adjacency processing from wireguard_peer to wireguard_interfaceArtem Glazychev1-14/+36
now we should add routes manually Type: improvement Change-Id: I877511a18854efdfad02939267d38a216b2ccec3 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-09-29ipsec: Record the number of packets lost from an SANeale Ranns3-0/+101
Type: feature Gaps in the sequence numbers received on an SA indicate packets that were lost. Gaps are identified using the anti-replay window that records the sequences seen. Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
2021-09-28api: API trace improvementsFilip Tehlar1-0/+63
Type: improvement * add support for JSON format in API trace * add ability to replay JSON API trace in both VPP and VAT2 * use CRC for backward compatibility check during JSON API replay * fix API trace CLI (and remove duplicits) * remove custom dump * remove vppapitrace.py * update docs accordingly Change-Id: I5294f68bebe6cbe738630f457f3a87720e06486b Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Ole Troan <ot@cisco.com>
2021-09-27ikev2: support variable-length noncesBenoît Ganne1-1/+3
IKEv2 nonces can be 16 to 256 bytes. Type: fix Change-Id: Ib332028594355c9e5b462bddb7e4dffbcdc9a927 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-27classify: Large and nested classifer unit testsRay Kinsella3-20/+352
Type: test Large and nested unit tests to test AVX-512 optimized versions of the classify hash and match algorithims. Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: Ie423fee5e0fd1cb4bdf3bec8e0230a5f7cfc75fc
2021-09-27gso: do not gro on small packetsAloys Augustin1-0/+102
This has two benefits: fix an issue where small packets can be padded to 64 bytes by the ethernet layer, and we included these bytes in the tcp stream; and also if we receive a small packet, it signals that this tcp stream is likely more latency-sensitive than throughput- sensitive, and skipping gro buffering should be beneficial. Type: fix Change-Id: I165b97673d8cdce95ebf0a66c362ae9f9e6f3f34 Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-09-22ip: add ip_table_allocate to apiAloys Augustin2-47/+183
Set tableID = ~0 for auto selection unused ID https://jira.fd.io/browse/VPP-1993 Type: improvement Change-Id: I4eec2cc1d18fc025196cb6ac4c9a4b374388eb56 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-09-16ip6-nd: add ip6-nd proxyMohsin Kazmi1-0/+188
Type: feature Change-Id: I91f72f5802db195d1a15424d67c1b6e518168f9f Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-09-13ip-neighbor: Handle local MAC address change for incomplete adjacenciesNeale Ranns1-1/+23
Type: fix When the local MAC address of an interface changes the rewrite strings of all adjacency types need to be updated - this patch fixes the missing case of incomplete adjacencies. I moved the update of all adj types into the adj module, since if the complete adjs were done by the ip-neighbour module and incomplete ones by adj module, that would mean two walks of the adj DB, as it is not possible to walk only a specific type. UT is updated to include the missing case. Signed-off-by: Neale Ranns <neale@graphiant.com> Signed-off-by: Ivan Shvedunov <ivan4th@gmail.com> Change-Id: I36af94976c645bdd0d4d3bc0093b24d7d077e9d7
2021-09-09flowprobe: simplify test logicKlement Sekera1-55/+18
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9a3923ec1ff1371e870bc57ade4035de07bfbbcb
2021-09-08tests: fix DEBUG=attach multiple worker configKlement Sekera1-0/+3
Type: fix Change-Id: Ie7920c0c699904de0f68ddb749725887b569f295 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-08-31vcl: switch part of the tests to sock apiFlorin Coras1-13/+47
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I427af3be604783d36080c284ed32fb1df525bf54
2021-08-26ikev2: check for valid cipher + integrityBenoît Ganne1-1/+1
Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith1-0/+45
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin1-1/+1
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-13tests docs: upgrade python packagesDave Wallace16-354/+439
- Upgrade python package requirements for test & docs - Clean up docs generation warnings - Consolidate python requirements for docs in test requirements specs. - Upgrade pip Type: make Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b Signed-off-by: Dave Wallace <dwallacelf@gmail.com>