| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: improvement
If an SA protecting an IPv6 tunnel interface has UDP encapsulation
enabled, the code in esp_encrypt_inline() inserts a UDP header but does
not set the next protocol or the UDP payload length, so the peer that
receives the packet drops it. Set the next protocol field and the UDP
payload length correctly.
The port(s) for UDP encapsulation of IPsec was not registered for IPv6.
Add this registration for IPv6 SAs when UDP encapsulation is enabled.
Add punt handling for IPv6 IKE on NAT-T port.
Add registration of linux-cp for the new punt reason.
Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
|
|
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload
to enable stronger guarantees of forward secrecy.
When the KEi payload is included in the CREATE_CHILD_SA request,
responder should reply with the KEr payload and complete the key
exchange, in accordance with the RFC.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
|
|
Type: fix
After peers roaming support addition, FIB entry tracking stopped
working. For example, it can be observed when an adjacency is stacked on
a FIB entry by the plugin and the FIB entry hasn't got ARP resolution
yet. Once the FIB entry gets ARP resolution, the adjacency is not
re-stacked as it used to. This results in endless ARP requests when a
traffic is sent via the adjacency.
This is broken because the plugin stopped using "midchain delegate" with
peers roaming support addition. The reason is that "midchain delegate"
didn't support stacking on a different FIB entry which is needed when
peer's endpoint changes. Now it is supported there (added in 36892).
With this fix, start using "midchane delegate" again and thus, fix FIB
entry tracking. Also, cover this in tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
|
|
Type: refactor
- refactored VPP test code to remove "ignore_path" variable
from "discover_tests" function and "run_test" code
- configured VPP test makefile, config file, and 'run.sh' shell script
to move "venv" directory from "test" dir to "build-root" dir
Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com>
Change-Id: Id2beecbb99f24ce13ed118a1869c5adbef247e50
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I822ead1495edb96ee62e53dc5920aa6c565e3621
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
|
|
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifda8ca8d26912c750a77d2ca889e1638ca83d85a
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
|
|
Type: feature
With this change, peers are able to roam between different external
endpoints. Successfully authenticated handshake or data packet that is
received from a new endpoint will cause the peer's endpoint to be
updated accordingly.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
|
|
Type: feature
With this change, if being under load a handshake message with both
valid mac1 and mac2 is received, the peer will be rate limited. Cover
this with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
|
|
Type: feature
stats of the like from:
https://datatracker.ietf.org/doc/html/draft-ietf-rtgwg-arp-yang-model-03#section-4
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Icb1bf4f6f7e6ccc2f44b0008d4774b61cae96184
|
|
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is
received, but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
|
|
Type: fix
Fixes: 4830e4f78fb8e46b23a1a0711cd06969a77d8d95
Change-Id: Iddc73dbda633acd72bd82e52f8ae83c17e3940f6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Use the script test/run.py to run a test named test_vm_tap
inside a QEMU VM. The run script builds out a virtual env,
launches a light weight QEMU VM, mounts host directories,
starts VPP inside the VM and runs the test. The test named
test_vm_tap, creates two tap v2 interfaces in separate Linux
namespaces and using iPerf, streams traffic between the VM
and VPP. All data files are stored in the directory named
/tmp/vpp-vm-tests. To clean up, use the make test-wipe
command.
Usage:
test/run.py --vm --debug --test test_vm_tap
Type: improvement
Change-Id: I4425dbef52acee1e5b8af5acaa169b89a2c0f171
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
Type: feature
Currently, if a handshake message is sent and a cookie message is
received in reply, the cookie message will be ignored. Thus, further
handshake messages will not have valid mac2 and handshake will not be
able to be completed.
With this change, process received cookie messages to be able to
calculate mac2 for further handshake messages sent. Cover this with
tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
|
|
This patch introduces set of python tests for fast path ipv6, based on
ipv4 tests. Some missing parts of ipsec framework has been added
in order to test ipv6 implementation.
Type: feature
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Icc13322787d76485c08106bad2cb071947ad9846
|
|
This patch introduces set of python tests for fast path, based on
flow cache tests. There was a bug in calculating of policy mask when
adding to fast path, which has been fixed. Memory size for bihash
tables for both ip4 and ip6 outbound fast path policies
has been increased.
Type: feature
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ibeee904ae7179f5dafbd45bb44282436f0b80821
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Idc0fdebfea29c241d8a36128241ccec03eace5fd
|
|
Currently 0 has been used as the wildcard representing ANY type of
protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore
it should not be used as a wildcard. Instead 255 is used which is
guaranteed by IANA to be reserved and not used as a protocol id.
Type: improvement
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
|
|
Issue:
Let iperf3 server run via ldp and vcl on top of vpp's host stack. If
iperf3 client connects this iperf3 server with tcp MSS setting option,
iperf3 server will always crash.
Root cause:
When MSS option is specified by iperf3 client, iperf3 server will
recreate the listening socket firstly, then call setsockopt() to set MSS
immediately. Iperf3 code can be referred here:
https://github.com/esnet/iperf/blob/58332f8154e2140e40a6e0ea060a418138291718/src/iperf_tcp.c#L186.
However, in vcl layer vpp_evt_q of this recreated session is not
allocated yet. So iperf3 server crashes with vpp_evt_q null pointer access.
Fix:
Add session vpp_evt_q null pointer check in vcl_session_transport_attr().
Add a vcl test case for this MSS option scenario.
Type: fix
Signed-off-by: Liangxing Wang <liangxing.wang@arm.com>
Change-Id: I2863bd0cffbe6e60108ab333f97c00530c006ba7
|
|
Type: fix
Currently, neighbor adjacencies on a wg interface are converted into a
midchain only if one of the peers has a matching allowed prefix
configured. If create a route that goes through a wg interface but the
next-hop address does not match any allowed prefixes, an ARP/ND request
will try to be sent via the wg interface to resolve the next-hop address
when matching traffic occurs. And sending an ARP request will cause VPP
to crash while copying hardware address of the wg interface which is
NULL. Sending an ND message will not cause VPP to crash but the error
logged will be unclear (no source address).
With this fix, convert all neighbor adjacencies on a wg interface into a
midchain and update tests to cover the case. If there is no matching
allowed prefix configured, traffic going such routes will be dropped
because of "Peer error". No changes if there is matching allowed prefix
configured.
Also, fix getting peer by adjacency index.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd
|
|
Serveral IPSec SPD cases re-use the same test class name,
leads to test error when do parrallel test with TEST_JOBS=16,
change the test class names to unique values.
Type: fix
Fixes: 7cd35f5d688d9e3bddf66602655274dae944b086
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: Ia5768654ddb6274531222761cc82b226d97325a9
|
|
When running tests via run.sh, default setting of None would cause
failed directory symlink to appear in vpp workspace with an ugly name.
This patch places the symlink in temporary directory.
Type: fix
Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ic1715eba7ac1f82f71855e2aeb9b659d27bbb3af
|
|
Type: improvement
With this change:
- add dump/details messages to obtain interfaces for which IPFIX flow
record generation is enabled;
- add get message to obtain parameters;
- add a new message to set parameters with validation present and to
correspond with get/set naming;
- add tests for get/set parameters and dump/details interfaces.
Change-Id: I09f6ec990171ac8bcb9d2f5c92629803b8ab6c28
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: fix
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I944dc8418e7ab541ae96141c15e04abb33635ac4
|
|
Type: feature
Currently, the plugin supports only IPFIX flow record generation for
outbound packets.
With this change:
- add a new API message for enabling the feature on an interface that
accepts direction (rx, tx, both);
- update existing debug command for feature enabling to accept
direction;
- update existing debug command for showing currently enabled feature
on interfaces to display direction;
- update templates to include a direction field;
- generate flow records on the specified direction and data path;
- report direction in flow data;
- update tests to use the new API;
- add tests for inbound flows.
Change-Id: I121fd904b38408641036ebeea848df7a4e5e0b30
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
- add pnat_binding_add_v2 which explicitly requires match mask to
set to PNAT_PROTO if we want to match on IP Protocol
- fix pnat_binding_add backward compatibility i.e. no need to set
match mast to PNAT_PROTO
Type: improvement
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
Change-Id: I5a23244be55b7d4c10552c555881527a4b2f325f
|
|
Add --check to black to pass back error value and fail checkstyle if
a reformat would occur.
Type: fix
Fixes: d9b0c6fbf7aa5bd9af84264105b39c82028a4a29
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I9a1fbe224929fc461ff833a589f73ca06e7cc9d6
|
|
Drop pycodestyle for code style checking in favor of black. Black is
much faster, stable PEP8 compliant code style checker offering also
automatic formatting. It aims to be very stable and produce smallest
diffs. It's used by many small and big projects.
Running checkstyle with black takes a few seconds with a terse output.
Thus, test-checkstyle-diff is no longer necessary.
Expand scope of checkstyle to all python files in the repo, replacing
test-checkstyle with checkstyle-python.
Also, fixstyle-python is now available for automatic style formatting.
Note: python virtualenv has been consolidated in test/Makefile,
test/requirements*.txt which will eventually be moved to a central
location. This is required to simply the automated generation of
docker executor images in the CI.
Type: improvement
Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: improvement
Change-Id: Ibc1b5059ed51c34334340534e9eb68121f556bce
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
|
|
It looks like in a distant past we were using a vnet_rewrite but this
no longer the case.
Type: fix
Change-Id: Ib8d336aec7d5abd7749f543739f531144e76e551
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
set use_custom_mac for args in create_vhost_user_if_v2 API
Add testcase for custom mac-address
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
Change-Id: Iac64d818e0f1e6d36187fe769ee33d202aaafd05
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
|
|
Catch exception if sw_if_index is invalid when querying interface
binding config. If the interface is not there, it's surely not bound to
any table ...
Type: improvement
Change-Id: I1f3e04a631653feb5c2350662b6a041adccefa1f
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
Add vapi_connect_from_vpp() and vapi_disconnect_from_vpp()
calls to allow API clients from within VPP process.
Add a new memclnt_create version that gives the user a
knob to enable or disable dead client scans (keepalive).
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Id0b7bb89308db3a3aed2d3fcbedf4e1282dcd03f
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Add missing parameter where required.
Type: fix
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I8cd7c31848836e3233cb79d1dd21884167db4354
|
|
Type: fix
Fixes: 26cd0242c95025e0d644db3a80dfe8dee83b6d7a
Change-Id: I9a88221af65f170dc6b1f0dc0992df401e489fa2
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
The RFC7857 state machine introduced in 56c492a is a trade-off.
It tries to retain sessions as much as possible and also offers
some protection against spurious RST by re-establishing sessions if data
is received after the RST. From experience in the wild, this algorithm is
a little too liberal, as it leaves too many spurious established sessions
in the session table.
E.g. a oberserved pattern is:
client server
<- FIN, ACK
ACK ->
ACK ->
RST, ACK ->
With the current state machine this would leave the session in established state.
These proposed changes do:
- require 3-way handshake to establish session.
(current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory
Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Adding flow cache support to improve inbound IPv4/IPSec Security Policy
Database (SPD) lookup performance. By enabling the flow cache in startup
conf, this replaces a linear O(N) SPD search, with an O(1) hash table
search.
This patch is the ipsec4_input_node counterpart to
https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code,
theory and mechanism of action.
Details about the flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using a hash table without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, the old entry
will be overwritten by the new entry. Worst case is when all the
256 packets in a batch result in collision, falling back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows,
but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all
current flow cache entries will be invalidated. As the SPD API is
not mp-safe, the data plane will wait for the control plane
operation to complete.
Cache invalidation is via an epoch counter that is incremented on
policy add/del and stored with each entry in the flow cache. If the
epoch counter in the flow cache does not match the current count,
the entry is considered stale, and we fall back to linear search.
The following configurable options are available through startup
conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache
(default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets
(default 4,194,304: ~1 million flows with 25% load factor)
Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass,
94B (null encrypted packet) for different SPD policy matching indices:
SPD Policy index : 2 10 100 1000
Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps
(Baseline/Optimized)
ARM TX2 : 300/290 230/290 70/290 8.5/290
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
|
|
Type: fix
After changes made in f840880, VRRP IPv6 cannot reply for neighbor
solicitations requesting the link layer address of the configured
virtual address.
VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature
arc for an interface on which a virtual router is configured. When
neighbor solicitations arrive on that interface, ip6-local should start
feature arc walk for that interface and the messages should be processed
by vrrp6-nd-input. The problem is that currently, the feature arc is
started for the interface obtained from the receive DPO that has
interface unset (i.e. max u32) for local mfib entries. Thus, the feature
arc is started not on the interface the messages were received on and
vrrp6-nd-input is not traversed.
With this fix, if interface obtained from the receive DPO is unset, use
RX interface from the buffer to start the ip46-local feature arc.
Also, enable tests of this case for both IPv4 and IPv6 address families
that are currently tagged as extended and not run on every change. They
configure VRRP with priority 255 and are expected to be stable.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
|
|
Add simple counter statistics to VRRP, based on a subset of those
defined in RFC8347.
Add an update API that allows in-place modification of an existing
instance. The method returns a vrrp_index which can be used both for
retrieving statistics and to modify non-key parameters. Also add a
delete method which will take that vrrp_index as parameter.
Type: improvement
Signed-off-by: Emanuele Di Pascale <lele84@gmail.com>
Change-Id: I2cd11467b4dbd9dfdb5aa748783144b4883dba57
|
|
Set deprecated option on unsupported API calls.
Cleaned up API calls with deprecated option. Removed
in progress option from long term used API calls.
Removed obsolete/unused nodes, functions, variables.
Fixed set frame queue nelts function. Calling API
would incorrectly not fail even though frame queue nelts
can only be set before first call nat44_plugin_enable.
Moved all formatting functions to _format.c file.
Type: refactor
Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
When computing the inner packet checksum, the code wrongly
assumes that the IP version of the inner packet is the
same of the outer one. On the contrary, it is perfectly
possible to encapsulate v6 packets into v4 and viceversa,
so we need to check the IP format of the inner header before
calling vnet_calc_checksums_inline.
Ticket: VPP-2020
Type: fix
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: Ia4515563c164f6dd5096832c831a48cb0a29b3ad
Signed-off-by: Mauro Sardara <msardara@cisco.com>
|
|
Prevent crashing on nonexistent VPP binary path class member when creating
testsuite core message.
Type: fix
Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Ib9b3dc8c69317e6561e5404bbdcbf672e417cbcd
|
|
Type: fix
otherwise if two packets arrive with the same source address but from different VRFs, then they are treated as the same and they use the same LB and thus share the same fate. but the lookup, when done, results in two different LBs, and hence the fate can be different.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id6e16f7c577a561d9ddd7066339fa4385361d07f
|
|
Type: improvement
Currently, RA message sending is enabled by default - both periodic and
in response to RS message. However, RFC 4861 section 6.2.1 says the
following:
Note that AdvSendAdvertisements MUST be FALSE by default so that a
node will not accidentally start acting as a router unless it is
explicitly configured by system management to send Router
Advertisements.
With this change, RA message sending is disabled by default and
"test_ip6.TestIPv6.test_rs" updated appropriately.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I2a8865199cb665c59268504aefe2976e5ee96dc2
|
|
Type: fix
The reported MTU should include the MPLS label overhead
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3df6d2e0b13f49701e187a766a157498dcaafbc0
|
|
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I56a585a8a1f588e682552913cfbdd4551e057ead
|
|
Make make test-start-vpp-in-gdb work again.
Fix incorrect temp directory when using DEBUG=attach.
Type: fix
Fixes: b23ffd7ef216463c35b75c831e6a27e58971f4ec
Change-Id: Ie98b637acbbe0221606ccdc7b54f63885e5951a4
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
|
|
The random seed is not an integer, so the current code does not allow reproducing a test run by running e.g.
RND_SEED=1647595144.0940742 make test
Solution: make the random seed a positive float.
Also, add the missing positiveness check to the positive_integer function.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I858bab0a9b828b99c20a2252aeecb9e2dda4ee21
|
Matthew Smith
Atzm Watanabe
Alexander Chernavin
Saima Yunus
Neale Ranns
Benoît Ganne
Naveen Joy
Piotr Bronowski
Fan Zhang
Florin Coras
Liangxing Wang
Tianyu Li
Klement Sekera
Fahad Naeem
Stanislav Zaikin
Ole Troan
Zachary Leaf
Emanuele Di Pascale
Filip Varga
Mauro Sardara
Dmitry Valter
Filip Tehlar
Andrew Yourtchenko