path: root/test
Age | Commit message | Author | Files | Lines
2022-08-10 | ikev2: do not accept rekey until old SA is deleted | Atzm Watanabe | 1 | -9/+39
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2022-08-09 | wireguard: add peers roaming support | Alexander Chernavin | 1 | -19/+247
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-09 | wireguard: add handshake rate limiting support | Alexander Chernavin | 1 | -0/+168
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
2022-08-09 | ip-neighbor: ARP and ND stats per-interface. | Neale Ranns | 2 | -0/+88
Type: feature stats of the like from: https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184
2022-08-08 | wireguard: add dos mitigation support | Alexander Chernavin | 1 | -4/+187
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
2022-08-08 | ikev2: fix rekeying with multiple notify payloads | Atzm Watanabe | 1 | -1/+8
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
2022-08-05 | tests: fix node variant selection | Benoît Ganne | 1 | -1/+1
Type: fix Fixes: 4830e4f78fb8e46b23a1a0711cd06969a77d8d95 Change-Id: Iddc73dbda633acd72bd82e52f8ae83c17e3940f6 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-04 | tests: run a test inside a QEMU VM | Naveen Joy | 6 | -0/+809
Use the script test/run.py to run a test named test_vm_tap inside a QEMU VM. The run script builds out a virtual env, launches a lightweight QEMU VM, mounts host directories, starts VPP inside the VM and runs the test. The test named test_vm_tap creates two tap v2 interfaces in separate Linux namespaces and using iPerf, streams traffic between the VM and VPP. All data files are stored in the directory named /tmp/vpp-vm-tests. To clean up, use the make test-wipe command. Usage: test/run.py --vm --debug --test test_vm_tap Type: improvement Change-Id: I4425dbef52acee1e5b8af5acaa169b89a2c0f171 Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-08-03 | wireguard: add processing of received cookie messages | Alexander Chernavin | 3 | -5/+199
Type: feature Currently, if a handshake message is sent and a cookie message is received in reply, the cookie message will be ignored. Thus, further handshake messages will not have valid mac2 and handshake will not be able to be completed. With this change, process received cookie messages to be able to calculate mac2 for further handshake messages sent. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
2022-07-15 | tests: add fast path ipv6 python tests for outbound policy matching | Piotr Bronowski | 2 | -6/+857
This patch introduces a set of python tests for fast path ipv6, based on ipv4 tests. Some missing parts of ipsec framework have been added in order to test ipv6 implementation. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Icc13322787d76485c08106bad2cb071947ad9846
2022-06-29 | ipsec: add fast path python tests | Fan Zhang | 2 | -0/+782
This patch introduces a set of python tests for fast path, based on flow cache tests. There was a bug in calculating of policy mask when adding to fast path, which has been fixed. Memory size for bihash tables for both ip4 and ip6 outbound fast path policies has been increased. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ibeee904ae7179f5dafbd45bb44282436f0b80821
2022-06-28 | session quic: allow custom config of rx mqs seg size | Florin Coras | 1 | -1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Idc0fdebfea29c241d8a36128241ccec03eace5fd
2022-06-28 | ipsec: change wildcard value for any protocol of spd policy | Piotr Bronowski | 5 | -21/+21
Currently 0 has been used as the wildcard representing ANY type of protocol. However 0 is a valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used which is guaranteed by IANA to be reserved and not used as a protocol id. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
2022-06-10 | vcl: fix iperf3 server crash issue when it runs over vpp host stack. | Liangxing Wang | 1 | -0/+11
Issue: Let iperf3 server run via ldp and vcl on top of vpp's host stack. If iperf3 client connects this iperf3 server with tcp MSS setting option, iperf3 server will always crash. Root cause: When MSS option is specified by iperf3 client, iperf3 server will recreate the listening socket firstly, then call setsockopt() to set MSS immediately. Iperf3 code can be referred here: https://github.com/esnet/iperf/blob/58332f8154e2140e40a6e0ea060a418138291718/src/iperf_tcp.c#L186. However, in vcl layer vpp_evt_q of this recreated session is not allocated yet. So iperf3 server crashes with vpp_evt_q null pointer access. Fix: Add session vpp_evt_q null pointer check in vcl_session_transport_attr(). Add a vcl test case for this MSS option scenario. Type: fix Signed-off-by: Liangxing Wang <liangxing.wang@arm.com> Change-Id: I2863bd0cffbe6e60108ab333f97c00530c006ba7
2022-06-05 | wireguard: fix crash by not sending arp via wg interface | Alexander Chernavin | 1 | -8/+54
Type: fix Currently, neighbor adjacencies on a wg interface are converted into a midchain only if one of the peers has a matching allowed prefix configured. If create a route that goes through a wg interface but the next-hop address does not match any allowed prefixes, an ARP/ND request will try to be sent via the wg interface to resolve the next-hop address when matching traffic occurs. And sending an ARP request will cause VPP to crash while copying hardware address of the wg interface which is NULL. Sending an ND message will not cause VPP to crash but the error logged will be unclear (no source address). With this fix, convert all neighbor adjacencies on a wg interface into a midchain and update tests to cover the case. If there is no matching allowed prefix configured, traffic going such routes will be dropped because of "Peer error". No changes if there is matching allowed prefix configured. Also, fix getting peer by adjacency index. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd
2022-05-24 | tests: fix ipsec sdp cases with parallel job | Tianyu Li | 2 | -10/+10
Several IPSec SPD cases re-use the same test class name, leads to test error when do parallel test with TEST_JOBS=16, change the test class names to unique values. Type: fix Fixes: 7cd35f5d688d9e3bddf66602655274dae944b086 Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: Ia5768654ddb6274531222761cc82b226d97325a9
2022-05-24 | tests: fix default failed dir setting | Klement Sekera | 2 | -8/+7
When running tests via run.sh, default setting of None would cause failed directory symlink to appear in vpp workspace with an ugly name. This patch places the symlink in temporary directory. Type: fix Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Ic1715eba7ac1f82f71855e2aeb9b659d27bbb3af
2022-05-16 | flowprobe: add api messages to obtain current state | Alexander Chernavin | 1 | -1/+92
Type: improvement With this change: - add dump/details messages to obtain interfaces for which IPFIX flow record generation is enabled; - add get message to obtain parameters; - add a new message to set parameters with validation present and to correspond with get/set naming; - add tests for get/set parameters and dump/details interfaces. Change-Id: I09f6ec990171ac8bcb9d2f5c92629803b8ab6c28 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2022-05-13 | tests: fix pnat tests formatting | Alexander Chernavin | 1 | -51/+53
Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I944dc8418e7ab541ae96141c15e04abb33635ac4
2022-05-13 | flowprobe: add support for reporting on inbound packets | Alexander Chernavin | 1 | -36/+148
Type: feature Currently, the plugin supports only IPFIX flow record generation for outbound packets. With this change: - add a new API message for enabling the feature on an interface that accepts direction (rx, tx, both); - update existing debug command for feature enabling to accept direction; - update existing debug command for showing currently enabled feature on interfaces to display direction; - update templates to include a direction field; - generate flow records on the specified direction and data path; - report direction in flow data; - update tests to use the new API; - add tests for inbound flows. Change-Id: I121fd904b38408641036ebeea848df7a4e5e0b30 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2022-05-12 | pnat: add support to wildcard IP Protocol field if not specified | Fahad Naeem | 1 | -0/+99
- add pnat_binding_add_v2 which explicitly requires match mask to set to PNAT_PROTO if we want to match on IP Protocol - fix pnat_binding_add backward compatibility i.e. no need to set match mask to PNAT_PROTO Type: improvement Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com> Change-Id: I5a23244be55b7d4c10552c555881527a4b2f325f
2022-05-11 | tests: fix checkstyle-python | Klement Sekera | 1 | -1/+1
Add --check to black to pass back error value and fail checkstyle if a reformat would occur. Type: fix Fixes: d9b0c6fbf7aa5bd9af84264105b39c82028a4a29 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I9a1fbe224929fc461ff833a589f73ca06e7cc9d6
2022-05-10 | tests: replace pycodestyle with black | Klement Sekera | 195 | -27443/+36387
Drop pycodestyle for code style checking in favor of black. Black is much faster, stable PEP8 compliant code style checker offering also automatic formatting. It aims to be very stable and produce smallest diffs. It's used by many small and big projects. Running checkstyle with black takes a few seconds with a terse output. Thus, test-checkstyle-diff is no longer necessary. Expand scope of checkstyle to all python files in the repo, replacing test-checkstyle with checkstyle-python. Also, fixstyle-python is now available for automatic style formatting. Note: python virtualenv has been consolidated in test/Makefile, test/requirements*.txt which will eventually be moved to a central location. This is required to simplify the automated generation of docker executor images in the CI. Type: improvement Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-05-05 | policer: output interface policer | Stanislav Zaikin | 3 | -22/+55
Type: improvement Change-Id: Ibc1b5059ed51c34334340534e9eb68121f556bce Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2022-05-05 | udp: remove buggy assert in udp encap | Benoît Ganne | 1 | -2/+38
It looks like in a distant past we were using a vnet_rewrite but this is no longer the case. Type: fix Change-Id: Ib8d336aec7d5abd7749f543739f531144e76e551 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-05-04 | vhost: use_custom_mac set in create_vhost_user_if_v2 | Fahad Naeem | 1 | -0/+28
Type: fix set use_custom_mac for args in create_vhost_user_if_v2 API Add testcase for custom mac-address Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com> Change-Id: Iac64d818e0f1e6d36187fe769ee33d202aaafd05 Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
2022-05-03 | tests: handle removed interface | Klement Sekera | 3 | -22/+29
Catch exception if sw_if_index is invalid when querying interface binding config. If the interface is not there, it's surely not bound to any table ... Type: improvement Change-Id: I1f3e04a631653feb5c2350662b6a041adccefa1f Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-05-02 | vapi: support api clients within vpp process | Ole Troan | 1 | -0/+20
Add vapi_connect_from_vpp() and vapi_disconnect_from_vpp() calls to allow API clients from within VPP process. Add a new memclnt_create version that gives the user a knob to enable or disable dead client scans (keepalive). Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Id0b7bb89308db3a3aed2d3fcbedf4e1282dcd03f Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-29 | tests: fix handling failed test case | Klement Sekera | 1 | -1/+2
Add missing parameter where required. Type: fix Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I8cd7c31848836e3233cb79d1dd21884167db4354
2022-04-29 | tests: fix assert_nothing_captured | Klement Sekera | 4 | -33/+33
Type: fix Fixes: 26cd0242c95025e0d644db3a80dfe8dee83b6d7a Change-Id: I9a88221af65f170dc6b1f0dc0992df401e489fa2 Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-04-21 | nat: tweak rfc7857 tcp connection tracking | Ole Troan | 1 | -24/+20
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table. E.g. an observed pattern is:

  client         server
            <-   FIN, ACK
  ACK       ->
  ACK       ->
  RST, ACK  ->

With the current state machine this would leave the session in established state. These proposed changes do:
- require 3-way handshake to establish session. (current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory

Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-14 | ipsec: perf improvement of ipsec4_input_node using flow cache | Zachary Leaf | 3 | -6/+700
Adding flow cache support to improve inbound IPv4/IPSec Security Policy Database (SPD) lookup performance. By enabling the flow cache in startup conf, this replaces a linear O(N) SPD search, with an O(1) hash table search. This patch is the ipsec4_input_node counterpart to https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code, theory and mechanism of action.

Details about the flow cache:

Mechanism:
1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache.
2. The flow cache is implemented using a hash table without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, the old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision, falling back to linear search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows, but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all current flow cache entries will be invalidated. As the SPD API is not mp-safe, the data plane will wait for the control plane operation to complete. Cache invalidation is via an epoch counter that is incremented on policy add/del and stored with each entry in the flow cache. If the epoch counter in the flow cache does not match the current count, the entry is considered stale, and we fall back to linear search.

The following configurable options are available through startup conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache (default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets (default 4,194,304: ~1 million flows with 25% load factor)

Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass, 94B (null encrypted packet) for different SPD policy matching indices:

SPD Policy index | 2 | 10 | 100 | 1000
Throughput, Mbps/Mbps (Baseline/Optimized), ARM TX2 | 300/290 | 230/290 | 70/290 | 8.5/290

Type: improvement Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com> Tested-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
2022-04-12 | ip: fix arc start in ip46-local for local mfib entries | Alexander Chernavin | 1 | -2/+22
Type: fix After changes made in f840880, VRRP IPv6 cannot reply for neighbor solicitations requesting the link layer address of the configured virtual address. VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature arc for an interface on which a virtual router is configured. When neighbor solicitations arrive on that interface, ip6-local should start feature arc walk for that interface and the messages should be processed by vrrp6-nd-input. The problem is that currently, the feature arc is started for the interface obtained from the receive DPO that has interface unset (i.e. max u32) for local mfib entries. Thus, the feature arc is started not on the interface the messages were received on and vrrp6-nd-input is not traversed. With this fix, if interface obtained from the receive DPO is unset, use RX interface from the buffer to start the ip46-local feature arc. Also, enable tests of this case for both IPv4 and IPv6 address families that are currently tagged as extended and not run on every change. They configure VRRP with priority 255 and are expected to be stable. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
2022-04-01 | vrrp: add stats support and update API | Emanuele Di Pascale | 1 | -0/+120
Add simple counter statistics to VRRP, based on a subset of those defined in RFC8347. Add an update API that allows in-place modification of an existing instance. The method returns a vrrp_index which can be used both for retrieving statistics and to modify non-key parameters. Also add a delete method which will take that vrrp_index as parameter. Type: improvement Signed-off-by: Emanuele Di Pascale <lele84@gmail.com> Change-Id: I2cd11467b4dbd9dfdb5aa748783144b4883dba57
2022-04-01 | nat: nat44-ed cleanup & fixes | Filip Varga | 3 | -23/+19
Set deprecated option on unsupported API calls. Cleaned up API calls with deprecated option. Removed in progress option from long term used API calls. Removed obsolete/unused nodes, functions, variables. Fixed set frame queue nelts function. Calling API would incorrectly not fail even though frame queue nelts can only be set before first call nat44_plugin_enable. Moved all formatting functions to _format.c file. Type: refactor Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4 Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-03-30 | udp: fix inner packet checksum calculation in udp-encap | Mauro Sardara | 1 | -4/+9
When computing the inner packet checksum, the code wrongly assumes that the IP version of the inner packet is the same of the outer one. On the contrary, it is perfectly possible to encapsulate v6 packets into v4 and vice versa, so we need to check the IP format of the inner header before calling vnet_calc_checksums_inline. Ticket: VPP-2020 Type: fix Signed-off-by: Mauro Sardara <msardara@cisco.com> Change-Id: Ia4515563c164f6dd5096832c831a48cb0a29b3ad Signed-off-by: Mauro Sardara <msardara@cisco.com>
2022-03-27 | tests: fix core file message | Dmitry Valter | 3 | -5/+7
Prevent crashing on nonexistent VPP binary path class member when creating testsuite core message. Type: fix Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: Ib9b3dc8c69317e6561e5404bbdcbf672e417cbcd
2022-03-24 | ip: The check for 'same packet' must include the FIB index | Neale Ranns | 2 | -0/+182
Type: fix otherwise if two packets arrive with the same source address but from different VRFs, then they are treated as the same and they use the same LB and thus share the same fate. but the lookup, when done, results in two different LBs, and hence the fate can be different. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Id6e16f7c577a561d9ddd7066339fa4385361d07f
2022-03-24 | ip6-nd: stop sending RA by default | Alexander Chernavin | 1 | -2/+5
Type: improvement Currently, RA message sending is enabled by default - both periodic and in response to RS message. However, RFC 4861 section 6.2.1 says the following: Note that AdvSendAdvertisements MUST be FALSE by default so that a node will not accidentally start acting as a router unless it is explicitly configured by system management to send Router Advertisements. With this change, RA message sending is disabled by default and "test_ip6.TestIPv6.test_rs" updated appropriately. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I2a8865199cb665c59268504aefe2976e5ee96dc2
2022-03-24 | mpls: Set the MTU field in the frag-needed ICMP when doing MPLS fragmentation | Neale Ranns | 2 | -3/+8
Type: fix The reported MTU should include the MPLS label overhead Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3df6d2e0b13f49701e187a766a157498dcaafbc0
2022-03-22 | tests: add http tps test | Filip Tehlar | 1 | -0/+42
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I56a585a8a1f588e682552913cfbdd4551e057ead
2022-03-22 | tests: fix DEBUG=attach functionality | Klement Sekera | 2 | -6/+10
Make make test-start-vpp-in-gdb work again. Fix incorrect temp directory when using DEBUG=attach. Type: fix Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec Change-Id: Ie98b637acbbe0221606ccdc7b54f63885e5951a4 Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-03-18 | tests: fix the RND_SEED parsing | Andrew Yourtchenko | 1 | -1/+13
The random seed is not an integer, so the current code does not allow reproducing a test run by running e.g. RND_SEED=1647595144.0940742 make test Solution: make the random seed a positive float. Also, add the missing positiveness check to the positive_integer function. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I858bab0a9b828b99c20a2252aeecb9e2dda4ee21
2022-03-17 | nat: fix ICMP error translation | Klement Sekera | 1 | -17/+22
Add missing translation of ICMP inner IP layer. Change responsible test so that it actually tests something. Type: fix Fixes: 4881cb4c6f Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
2022-03-10 | tests: fix test failure with parallel test | Tianyu Li | 7 | -56/+56
Several test cases re-use the same test class name, which leads to test error when do parallel test with TEST_JOBS=16, change the test class names to unique values. Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: Iefc01d40a25ebd60533baf3a2dc98a537437e8e9
2022-03-09 | ip: IPv4 Fragmentation fix for l2fragmetable size | Neale Ranns | 1 | -1/+2
Type: fix The l2unfragmentable size is not included in the calculation of 'max', the maximum amount of data that can be added to a fragment, therefore the fragments created are too big. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Id1e949ad98203b6f8ea2f55322ef6fa3d507e2a6
2022-03-09 | vxlan: add l2 mode test | Artem Glazychev | 1 | -0/+59
The same test for v22.02 was already merged: https://gerrit.fd.io/r/c/vpp/+/35390 Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I214f6fb5b63d97ca4afe3b10fd2d3e3410b5a6e4
2022-03-08 | classify: add API to retrieve punt ACL tables | Benoît Ganne | 1 | -0/+10
Type: feature Change-Id: Ica3e60836c0f26518ba2c238a8c03ce3648ea69b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-08 | ipsec: input: drop by default for non-matching pkts | Zachary Leaf | 3 | -11/+200
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule. For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480 It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped. [1]: https://datatracker.ietf.org/doc/html/rfc4301 Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
2022-03-07 | ip: Fixes for IPv6 and MPLS fragmentation | Neale Ranns | 3 | -1/+115
Type: fix
- IPv6 fragmentation did not work if the packet spanned multiple buffers, because the 'len' calculation to did max out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184