summaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2022-09-21ipsec: introduce fast path ipv6 inbound matchingPiotr Bronowski1-40/+77
This patch introduces fast path matching for inbound traffic ipv6. Fast path uses bihash tables in order to find matching policy. Adding and removing policies in fast path is much faster than in current implementation. It is still new feature and further work needs and can be done in order to improve the perfromance. Type: feature Change-Id: Iaef6638033666ad6eb028ffe0c8a4f4374451753 Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
2022-09-20tests: run tests against a running VPPNaveen Joy4-12/+291
Usage: test/run.py -r -t {test_filter} Instead of starting a new instance of VPP, when the -r argument is provided, test is run against a running VPP instance. Optionally, one can also set the VPP socket directory using the -d argument. The default location for socket files is /var/run/user/${uid}/vpp and /var/run/vpp if VPP is started as root. Type: improvement Change-Id: I05e57a067fcb90fb49973f8159fc17925b741f1a Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-09-19tests: skip tests failing on ubuntu 22.04Dave Wallace4-2/+87
Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I218059de5d05680d661f302293475b6c2a7bf81d
2022-09-19igmp: validate ip router alert option lengthVladislav Grishenko1-15/+45
It's known there're one or more 32-bit increments in the ip header. So just check ip router alert option length with minimal performance impact, and don't care of the total options length. Type: fix Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru> Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I46dd06516f793846b931a1dc8612f2735f8d24d3
2022-09-19arp: update error reason when checking for proxy-arpBenoît Ganne1-1/+5
When we follow arp feature arc for proxy-arp, we should still update the error reason in case proxy-arp cannot handle the arp request and drops it. Type: improvement Change-Id: I046df017ca2056cfc12af0f0a968b401058bcd6d Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-09-15nat: fix nat44-ed port range with multiple workersVladislav Grishenko1-1/+192
The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisable by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to existing worker and dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-12ipsec: introduce fast path ipv4 inbound matchingPiotr Bronowski1-0/+844
This patch introduces fast path matching for inbound traffic ipv4. Fast path uses bihash tables in order to find matching policy. Adding and removing policies in fast path is much faster than in current implementation. It is still new feature and further work needs and can be done in order to improve perfromance. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ifbd5bfecc21b76ddf8363f5dc089d77595196675
2022-09-09vlib: don't leak node frames on reforkDmitry Valter1-0/+103
Free node frames in worker mains on refork. Otherwise these frames are never returned to free pool and it causes massive memory leaks if performed under traffic load Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith2-0/+160
Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe1-9/+53
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-17wireguard: fix fib entry trackingAlexander Chernavin1-0/+83
Type: fix After peers roaming support addition, FIB entry tracking stopped working. For example, it can be observed when an adjacency is stacked on a FIB entry by the plugin and the FIB entry hasn't got ARP resolution yet. Once the FIB entry gets ARP resolution, the adjacency is not re-stacked as it used to. This results in endless ARP requests when a traffic is sent via the adjacency. This is broken because the plugin stopped using "midchain delegate" with peers roaming support addition. The reason is that "midchain delegate" didn't support stacking on a different FIB entry which is needed when peer's endpoint changes. Now it is supported there (added in 36892). With this fix, start using "midchane delegate" again and thus, fix FIB entry tracking. Also, cover this in tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
2022-08-16tests: move "venv" to "build-root" directory from "test" directorySaima Yunus5-10/+8
Type: refactor - refactored VPP test code to remove "ignore_path" variable from "discover_tests" function and "run_test" code - configured VPP test makefile, config file, and 'run.sh' shell script to move "venv" directory from "test" dir to "build-root" dir Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com> Change-Id: Id2beecbb99f24ce13ed118a1869c5adbef247e50
2022-08-11ip: Use .api declared error countersNeale Ranns5-25/+11
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I822ead1495edb96ee62e53dc5920aa6c565e3621
2022-08-11ipsec: Use .api declared error countersNeale Ranns2-24/+12
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
2022-08-11arp: Use the new style error count declarationNeale Ranns1-3/+1
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifda8ca8d26912c750a77d2ca889e1638ca83d85a
2022-08-10ikev2: do not accept rekey until old SA is deletedAtzm Watanabe1-9/+39
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2022-08-09wireguard: add peers roaming supportAlexander Chernavin1-19/+247
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-09wireguard: add handshake rate limiting supportAlexander Chernavin1-0/+168
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
2022-08-09ip-neighbor: ARP and ND stats per-interface.Neale Ranns2-0/+88
Type: feature stats of the like from: https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184
2022-08-08wireguard: add dos mitigation supportAlexander Chernavin1-4/+187
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
2022-08-08ikev2: fix rekeying with multiple notify payloadsAtzm Watanabe1-1/+8
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
2022-08-05tests: fix node variant selectionBenoît Ganne1-1/+1
Type: fix Fixes: 4830e4f78fb8e46b23a1a0711cd06969a77d8d95 Change-Id: Iddc73dbda633acd72bd82e52f8ae83c17e3940f6 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-04tests: run a test inside a QEMU VMNaveen Joy6-0/+809
Use the script test/run.py to run a test named test_vm_tap inside a QEMU VM. The run script builds out a virtual env, launches a light weight QEMU VM, mounts host directories, starts VPP inside the VM and runs the test. The test named test_vm_tap, creates two tap v2 interfaces in separate Linux namespaces and using iPerf, streams traffic between the VM and VPP. All data files are stored in the directory named /tmp/vpp-vm-tests. To clean up, use the make test-wipe command. Usage: test/run.py --vm --debug --test test_vm_tap Type: improvement Change-Id: I4425dbef52acee1e5b8af5acaa169b89a2c0f171 Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-08-03wireguard: add processing of received cookie messagesAlexander Chernavin3-5/+199
Type: feature Currently, if a handshake message is sent and a cookie message is received in reply, the cookie message will be ignored. Thus, further handshake messages will not have valid mac2 and handshake will not be able to be completed. With this change, process received cookie messages to be able to calculate mac2 for further handshake messages sent. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
2022-07-15tests: add fast path ipv6 python tests for outbound policy matchingPiotr Bronowski2-6/+857
This patch introduces set of python tests for fast path ipv6, based on ipv4 tests. Some missing parts of ipsec framework has been added in order to test ipv6 implementation. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Icc13322787d76485c08106bad2cb071947ad9846
2022-06-29ipsec: add fast path python testsFan Zhang2-0/+782
This patch introduces set of python tests for fast path, based on flow cache tests. There was a bug in calculating of policy mask when adding to fast path, which has been fixed. Memory size for bihash tables for both ip4 and ip6 outbound fast path policies has been increased. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ibeee904ae7179f5dafbd45bb44282436f0b80821
2022-06-28session quic: allow custom config of rx mqs seg sizeFlorin Coras1-1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Idc0fdebfea29c241d8a36128241ccec03eace5fd
2022-06-28ipsec: change wildcard value for any protocol of spd policyPiotr Bronowski5-21/+21
Currently 0 has been used as the wildcard representing ANY type of protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used which is guaranteed by IANA to be reserved and not used as a protocol id. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
2022-06-10vcl: fix iperf3 server crash issue when it runs over vpp host stack.Liangxing Wang1-0/+11
Issue: Let iperf3 server run via ldp and vcl on top of vpp's host stack. If iperf3 client connects this iperf3 server with tcp MSS setting option, iperf3 server will always crash. Root cause: When MSS option is specified by iperf3 client, iperf3 server will recreate the listening socket firstly, then call setsockopt() to set MSS immediately. Iperf3 code can be referred here: https://github.com/esnet/iperf/blob/58332f8154e2140e40a6e0ea060a418138291718/src/iperf_tcp.c#L186. However, in vcl layer vpp_evt_q of this recreated session is not allocated yet. So iperf3 server crashes with vpp_evt_q null pointer access. Fix: Add session vpp_evt_q null pointer check in vcl_session_transport_attr(). Add a vcl test case for this MSS option scenario. Type: fix Signed-off-by: Liangxing Wang <liangxing.wang@arm.com> Change-Id: I2863bd0cffbe6e60108ab333f97c00530c006ba7
2022-06-05wireguard: fix crash by not sending arp via wg interfaceAlexander Chernavin1-8/+54
Type: fix Currently, neighbor adjacencies on a wg interface are converted into a midchain only if one of the peers has a matching allowed prefix configured. If create a route that goes through a wg interface but the next-hop address does not match any allowed prefixes, an ARP/ND request will try to be sent via the wg interface to resolve the next-hop address when matching traffic occurs. And sending an ARP request will cause VPP to crash while copying hardware address of the wg interface which is NULL. Sending an ND message will not cause VPP to crash but the error logged will be unclear (no source address). With this fix, convert all neighbor adjacencies on a wg interface into a midchain and update tests to cover the case. If there is no matching allowed prefix configured, traffic going such routes will be dropped because of "Peer error". No changes if there is matching allowed prefix configured. Also, fix getting peer by adjacency index. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd
2022-05-24tests: fix ipsec sdp cases with parrallel jobTianyu Li2-10/+10
Serveral IPSec SPD cases re-use the same test class name, leads to test error when do parrallel test with TEST_JOBS=16, change the test class names to unique values. Type: fix Fixes: 7cd35f5d688d9e3bddf66602655274dae944b086 Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: Ia5768654ddb6274531222761cc82b226d97325a9
2022-05-24tests: fix default failed dir settingKlement Sekera2-8/+7
When running tests via run.sh, default setting of None would cause failed directory symlink to appear in vpp workspace with an ugly name. This patch places the symlink in temporary directory. Type: fix Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Ic1715eba7ac1f82f71855e2aeb9b659d27bbb3af
2022-05-16flowprobe: add api messages to obtain current stateAlexander Chernavin1-1/+92
Type: improvement With this change: - add dump/details messages to obtain interfaces for which IPFIX flow record generation is enabled; - add get message to obtain parameters; - add a new message to set parameters with validation present and to correspond with get/set naming; - add tests for get/set parameters and dump/details interfaces. Change-Id: I09f6ec990171ac8bcb9d2f5c92629803b8ab6c28 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2022-05-13tests: fix pnat tests formattingAlexander Chernavin1-51/+53
Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I944dc8418e7ab541ae96141c15e04abb33635ac4
2022-05-13flowprobe: add support for reporting on inbound packetsAlexander Chernavin1-36/+148
Type: feature Currently, the plugin supports only IPFIX flow record generation for outbound packets. With this change: - add a new API message for enabling the feature on an interface that accepts direction (rx, tx, both); - update existing debug command for feature enabling to accept direction; - update existing debug command for showing currently enabled feature on interfaces to display direction; - update templates to include a direction field; - generate flow records on the specified direction and data path; - report direction in flow data; - update tests to use the new API; - add tests for inbound flows. Change-Id: I121fd904b38408641036ebeea848df7a4e5e0b30 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2022-05-12pnat: add support to wildcard IP Protocol field if not specifiedFahad Naeem1-0/+99
- add pnat_binding_add_v2 which explicitly requires match mask to set to PNAT_PROTO if we want to match on IP Protocol - fix pnat_binding_add backward compatibility i.e. no need to set match mast to PNAT_PROTO Type: improvement Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com> Change-Id: I5a23244be55b7d4c10552c555881527a4b2f325f
2022-05-11tests: fix checkstyle-pythonKlement Sekera1-1/+1
Add --check to black to pass back error value and fail checkstyle if a reformat would occur. Type: fix Fixes: d9b0c6fbf7aa5bd9af84264105b39c82028a4a29 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I9a1fbe224929fc461ff833a589f73ca06e7cc9d6
2022-05-10tests: replace pycodestyle with blackKlement Sekera195-27443/+36387
Drop pycodestyle for code style checking in favor of black. Black is much faster, stable PEP8 compliant code style checker offering also automatic formatting. It aims to be very stable and produce smallest diffs. It's used by many small and big projects. Running checkstyle with black takes a few seconds with a terse output. Thus, test-checkstyle-diff is no longer necessary. Expand scope of checkstyle to all python files in the repo, replacing test-checkstyle with checkstyle-python. Also, fixstyle-python is now available for automatic style formatting. Note: python virtualenv has been consolidated in test/Makefile, test/requirements*.txt which will eventually be moved to a central location. This is required to simply the automated generation of docker executor images in the CI. Type: improvement Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-05-05policer: output interface policerStanislav Zaikin3-22/+55
Type: improvement Change-Id: Ibc1b5059ed51c34334340534e9eb68121f556bce Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2022-05-05udp: remove buggy assert in udp encapBenoît Ganne1-2/+38
It looks like in a distant past we were using a vnet_rewrite but this no longer the case. Type: fix Change-Id: Ib8d336aec7d5abd7749f543739f531144e76e551 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-05-04vhost: use_custom_mac set in create_vhost_user_if_v2Fahad Naeem1-0/+28
Type: fix set use_custom_mac for args in create_vhost_user_if_v2 API Add testcase for custom mac-address Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com> Change-Id: Iac64d818e0f1e6d36187fe769ee33d202aaafd05 Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
2022-05-03tests: handle removed interfaceKlement Sekera3-22/+29
Catch exception if sw_if_index is invalid when querying interface binding config. If the interface is not there, it's surely not bound to any table ... Type: improvement Change-Id: I1f3e04a631653feb5c2350662b6a041adccefa1f Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-05-02vapi: support api clients within vpp processOle Troan1-0/+20
Add vapi_connect_from_vpp() and vapi_disconnect_from_vpp() calls to allow API clients from within VPP process. Add a new memclnt_create version that gives the user a knob to enable or disable dead client scans (keepalive). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Id0b7bb89308db3a3aed2d3fcbedf4e1282dcd03f Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-29tests: fix handling failed test caseKlement Sekera1-1/+2
Add missing parameter where required. Type: fix Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I8cd7c31848836e3233cb79d1dd21884167db4354
2022-04-29tests: fix assert_nothing_capturedKlement Sekera4-33/+33
Type: fix Fixes: 26cd0242c95025e0d644db3a80dfe8dee83b6d7a Change-Id: I9a88221af65f170dc6b1f0dc0992df401e489fa2 Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-04-21nat: tweak rfc7857 tcp connection trackingOle Troan1-24/+20
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table. E.g. a oberserved pattern is: client server <- FIN, ACK ACK -> ACK -> RST, ACK -> With the current state machine this would leave the session in established state. These proposed changes do: - require 3-way handshake to establish session. (current requires only to see SYNs from both sides) - RST will move session to transitory without recovery if data is sent after - Only a single FIN is needed to move to transitory Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-14ipsec: perf improvement of ipsec4_input_node using flow cacheZachary Leaf3-6/+700
Adding flow cache support to improve inbound IPv4/IPSec Security Policy Database (SPD) lookup performance. By enabling the flow cache in startup conf, this replaces a linear O(N) SPD search, with an O(1) hash table search. This patch is the ipsec4_input_node counterpart to https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code, theory and mechanism of action. Details about the flow cache: Mechanism: 1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache. 2. The flow cache is implemented using a hash table without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, the old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision, falling back to linear search. Average and best case will be O(1). 3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows, but is configurable by a startup.conf option. 4. Whenever a SPD rule is added/deleted by the control plane, all current flow cache entries will be invalidated. As the SPD API is not mp-safe, the data plane will wait for the control plane operation to complete. Cache invalidation is via an epoch counter that is incremented on policy add/del and stored with each entry in the flow cache. If the epoch counter in the flow cache does not match the current count, the entry is considered stale, and we fall back to linear search. The following configurable options are available through startup conf under the ipsec{} entry: 1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache (default off) 2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets (default 4,194,304: ~1 million flows with 25% load factor) Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass, 94B (null encrypted packet) for different SPD policy matching indices: SPD Policy index : 2 10 100 1000 Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps (Baseline/Optimized) ARM TX2 : 300/290 230/290 70/290 8.5/290 Type: improvement Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com> Tested-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
2022-04-12ip: fix arc start in ip46-local for local mfib entriesAlexander Chernavin1-2/+22
Type: fix After changes made in f840880, VRRP IPv6 cannot reply for neighbor solicitations requesting the link layer address of the configured virtual address. VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature arc for an interface on which a virtual router is configured. When neighbor solicitations arrive on that interface, ip6-local should start feature arc walk for that interface and the messages should be processed by vrrp6-nd-input. The problem is that currently, the feature arc is started for the interface obtained from the receive DPO that has interface unset (i.e. max u32) for local mfib entries. Thus, the feature arc is started not on the interface the messages were received on and vrrp6-nd-input is not traversed. With this fix, if interface obtained from the receive DPO is unset, use RX interface from the buffer to start the ip46-local feature arc. Also, enable tests of this case for both IPv4 and IPv6 address families that are currently tagged as extended and not run on every change. They configure VRRP with priority 255 and are expected to be stable. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
2022-04-01vrrp: add stats support and update APIEmanuele Di Pascale1-0/+120
Add simple counter statistics to VRRP, based on a subset of those defined in RFC8347. Add an update API that allows in-place modification of an existing instance. The method returns a vrrp_index which can be used both for retrieving statistics and to modify non-key parameters. Also add a delete method which will take that vrrp_index as parameter. Type: improvement Signed-off-by: Emanuele Di Pascale <lele84@gmail.com> Change-Id: I2cd11467b4dbd9dfdb5aa748783144b4883dba57
2022-04-01nat: nat44-ed cleanup & fixesFilip Varga3-23/+19
Set deprecated option on unsupported API calls. Cleaned up API calls with deprecated option. Removed in progress option from long term used API calls. Removed obsolete/unused nodes, functions, variables. Fixed set frame queue nelts function. Calling API would incorrectly not fail even though frame queue nelts can only be set before first call nat44_plugin_enable. Moved all formatting functions to _format.c file. Type: refactor Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4 Signed-off-by: Filip Varga <fivarga@cisco.com>