Age | Commit message | Author | Files | Lines |
|
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c; however, in
ipsec_input.c non-matching packets are allowed to pass as if a BYPASS
rule had matched.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
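The fail-closed lookup the commit describes, as an added Python illustration that is not VPP's ipsec_input.c or any other project code: the Policy class, the two policy tables, and the helper names are constructed for the example. It shows the RFC 4301 default (no matching SPD entry means DISCARD), the pre-fix behaviour where a non-matching packet was treated as BYPASS, and the IPv6 caveat: if an input node only ever matches PROTECT policies, switching its default to DISCARD would also drop traffic a BYPASS policy was meant to pass.

```python
"""Added illustration of a fail-closed SPD lookup (RFC 4301 section 4.4.1).
Not VPP code: Policy, the tables and the helper names are assumptions."""
import ipaddress
from enum import Enum


class Action(Enum):
    PROTECT = "protect"
    BYPASS = "bypass"
    DISCARD = "discard"


class Policy:
    def __init__(self, priority, src, dst, proto, action):
        self.priority = priority                 # higher value wins
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto                       # None matches any protocol
        self.action = action

    def matches(self, src, dst, proto):
        # ipaddress returns False for a v4 address tested against a v6 net.
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto))


def spd_lookup(policies, src, dst, proto, default=Action.DISCARD,
               consider=frozenset(Action)):
    """Return the action of the highest-priority matching policy whose
    action is in `consider`, or `default` when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for p in policies:
        if p.action in consider and p.matches(src, dst, proto):
            if best is None or p.priority > best.priority:
                best = p
    return best.action if best else default


def ipsec4_input_before_fix(policies, src, dst, proto):
    """Behaviour the commit removes: a packet matching no policy was let
    through as though a BYPASS rule had matched."""
    return spd_lookup(policies, src, dst, proto, default=Action.BYPASS)


def ipsec4_input_fixed(policies, src, dst, proto):
    """RFC 4301 default: no match means DISCARD."""
    return spd_lookup(policies, src, dst, proto, default=Action.DISCARD)


def ipsec6_input_protect_only(policies, src, dst, proto, default):
    """Models the IPv6 caveat: an input node that only matches PROTECT
    policies never sees the BYPASS entry, so a DISCARD default would also
    drop the traffic that entry was meant to let through."""
    return spd_lookup(policies, src, dst, proto, default=default,
                      consider={Action.PROTECT})


# Constructed policy tables (not from any real configuration).
SPD4 = [
    Policy(10, "10.0.0.0/24", "10.0.1.0/24", None, Action.PROTECT),  # tunnel
    Policy(5, "10.0.0.0/24", "10.0.0.0/24", None, Action.BYPASS),    # on-link
    Policy(1, "0.0.0.0/0", "192.0.2.0/24", 6, Action.DISCARD),       # deny
]
SPD6 = [
    Policy(10, "2001:db8:1::/48", "2001:db8:2::/48", None, Action.PROTECT),
    Policy(5, "2001:db8:1::/48", "2001:db8:1::/48", None, Action.BYPASS),
]
```

The only difference between the two IPv4 helpers is the default returned when the loop finds nothing; that single value is what decides whether an SPD is fail-open or fail-closed.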
|
|
Type: fix
- IPv6 fragmentation did not work if the packet spanned multiple buffers, because the 'len' calculation maxed out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero; it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6; it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non-locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
|
|
Type: fix
If the original packet was to the link local, then the
fib index in the buffer is that of the LL table; we can't use that
to forward the response if the new destination
is global, so reset to the fib index of the link.
In the other case, the fib index we need has been written
to the buffer already.
Add a test for IPv6 ping in an MPLS-VPN where the input interface is
not in the same VRF as the one the response should be sent in.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I18a232d90ddd3ef051a52476c5d861c87060e76f
|
|
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc., rate limit the sending of ICMP error messages.
The rate limiting is done based on the src,dst IP addresses of the received packet.
The rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
|
|
Raise a new UnexpectedPacketError when a packet is captured
unexpectedly. This pretty-prints a terse description of said packet.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ibac19fc5bbd82a150fec3c90940a37af6344fd4f
|
|
Add support for inline packet counter verification to send_and_* functions.
Diff dictionary is a dictionary of dictionaries of interesting stats:
diff_dictionary =
{
    "err" : { '/error/counter1' : 4, },
    sw_if_index1 : { '/stat/segment/counter1' : 5,
                     '/stat/segment/counter2' : 6,
                   },
    sw_if_index2 : { '/stat/segment/counter1' : 7,
                   },
}
It describes a per sw-if-index diffset, where each key is stat segment
path and value is the expected change for that counter for sw-if-index.
Special case string "err" is used for error counters.
This then allows more precise packet counter verification by first
defining a "zero" dictionary, e.g. for ED NAT:
cls.no_diff = StatsDiff({
    pg.sw_if_index: {
        '/nat44-ed/in2out/fastpath/tcp': 0,
        '/nat44-ed/in2out/fastpath/udp': 0,
        '/nat44-ed/in2out/fastpath/icmp': 0,
        '/nat44-ed/in2out/fastpath/drops': 0,
        '/nat44-ed/in2out/slowpath/tcp': 0,
        '/nat44-ed/in2out/slowpath/udp': 0,
        '/nat44-ed/in2out/slowpath/icmp': 0,
        '/nat44-ed/in2out/slowpath/drops': 0,
    }
    for pg in cls.pg_interfaces
})
and then to specify only changed counters directly when calling
one of send_and_* functions:
self.send_and_assert_no_replies(
    self.pg0, pkts, msg="i2o pkts",
    stats_diff=self.no_diff | {
        "err": {
            '/err/nat44-ed-in2out-slowpath/out of ports': len(pkts),
        },
        self.pg0.sw_if_index: {
            '/nat44-ed/in2out/slowpath/drops': len(pkts),
        },
    }
)
operator | is overloaded by StatsDiff class to perform a deep merge operation,
so in above case, dictionaries for "err" and self.pg0.sw_if_index do not
overwrite whole sub-dictionaries, rather the contents are merged,
assuring that all the remaining counters are verified to be zero.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I2b87f7bd58a7d4b34ee72344e2f871b2f372e2d9
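The deep-merge and verification semantics described in the commit above, as an added Python example that is not the VPP test framework's StatsDiff class: the snapshot layout, the two constructed pg interface indices, the counter values and the helper names are all assumptions made for the illustration. It shows why `|` must merge sub-dictionaries rather than replace them: with a plain dict merge the untouched counters silently stop being checked, so a packet leaking onto the wrong interface would not fail the test.

```python
"""Added example of StatsDiff-style deep merge and counter-delta checking.
Not the VPP test framework's code; snapshots and names are constructed."""
import copy


class StatsDiff(dict):
    """Mapping of sw_if_index (or the special key "err") to a mapping of
    stat-segment path -> expected delta of that counter."""

    def __or__(self, other):
        # Deep merge: a key present in both keeps every counter from self
        # and only overrides the counters listed in other.
        merged = StatsDiff(copy.deepcopy(dict(self)))
        for key, counters in other.items():
            merged.setdefault(key, {}).update(counters)
        return merged

    def verify(self, before, after):
        """Compare two counter snapshots against the expected deltas.
        Returns a list of (key, path, expected, actual) mismatches; an
        empty list means every listed counter moved exactly as expected."""
        mismatches = []
        for key, counters in self.items():
            for path, expected in counters.items():
                actual = (after.get(key, {}).get(path, 0)
                          - before.get(key, {}).get(path, 0))
                if actual != expected:
                    mismatches.append((key, path, expected, actual))
        return mismatches


def shallow_merge(base, override):
    """What a plain dict merge does: `override` replaces whole sub-dicts,
    so counters it does not mention are no longer verified at all."""
    return {**base, **override}


# Constructed stand-ins for two pg interfaces and the counters an
# in2out run would touch.
PG0, PG1 = 1, 2
PATHS = ('/nat44-ed/in2out/fastpath/tcp', '/nat44-ed/in2out/fastpath/drops',
         '/nat44-ed/in2out/slowpath/tcp', '/nat44-ed/in2out/slowpath/drops')
OUT_OF_PORTS = '/err/nat44-ed-in2out-slowpath/out of ports'
NO_DIFF = StatsDiff({pg: {p: 0 for p in PATHS} for pg in (PG0, PG1)})


def expected_for_out_of_ports(n_pkts):
    """Expected movement when n_pkts packets fail port allocation on PG0;
    everything else in NO_DIFF is still expected to stay at zero."""
    return NO_DIFF | {
        "err": {OUT_OF_PORTS: n_pkts},
        PG0: {'/nat44-ed/in2out/slowpath/drops': n_pkts},
    }


def run_check(n_pkts, leaked_to_pg1):
    """Simulate a run from constructed before/after snapshots and return
    the mismatches.  `leaked_to_pg1` models one packet wrongly counted as
    a fastpath TCP hit on the other interface."""
    before = {"err": {OUT_OF_PORTS: 10},
              PG0: {p: 100 for p in PATHS}, PG1: {p: 100 for p in PATHS}}
    after = copy.deepcopy(before)
    after["err"][OUT_OF_PORTS] += n_pkts
    after[PG0]['/nat44-ed/in2out/slowpath/drops'] += n_pkts
    if leaked_to_pg1:
        after[PG1]['/nat44-ed/in2out/fastpath/tcp'] += 1
    return expected_for_out_of_ports(n_pkts).verify(before, after)
```

`run_check(5, True)` reports the stray PG1 counter precisely because the deep merge kept the zero expectation for it; `shallow_merge` on the same input would have discarded that expectation along with the rest of the PG0 sub-dictionary.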
|
|
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I5e0fd1019372df0cd403725b8cac52363af13718
|
|
Some tests might want to keep vpp config in between test functions.
Add a flag to allow that.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I90243cd667dce922b43b381f3d52f4ac0f6bf3a7
|
|
Type: test
There were multiple instances of send_and_expect_load_balancing
and a send_and_expect_one_itf which has the same functionality as send_and_expect_one.
Put one implementation of both in framework.py (where the other send_and_X functions reside).
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7f629d440220bee29368067f475059322e1134f7
|
|
Implement command line argument parsing instead of passing arguments via
environment variables. Add script for running tests without having to
invoke make. Deprecate running tests via make.
Type: improvement
Change-Id: I2e3054a61a2ae25d460e9be00be7d7705fbf943e
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: improvement
Ethernet frames on the wire are a minimum of 64 bytes, so use the length in the UDP header to determine if the ESP payload is one byte of the special SPI, rather than the buffer's size (which will include the ethernet header's padding).
In the case of drop advance the packet back to the IP header so the ipx-drop node sees a sane packet.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic3b75487919f0c77507d6f725bd11202bc5afee8
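The padding pitfall the commit describes, as an added Python example that is not VPP code: the frame builder, addresses, and function names are constructed for the illustration. A NIC pads a short frame to the 60-byte minimum (64 on the wire less the FCS), so a 1-byte NAT-keepalive datagram (RFC 3948) reaches the host followed by zero bytes of padding. Classifying on the buffer length misreads that as an 8-byte ESP header with SPI 0xff000000; classifying on the UDP header's length field, after checking it fits inside the buffer, gets it right.

```python
"""Added example: classify UDP-encapsulated ESP by the UDP length field,
not by the buffer length that includes Ethernet padding.  Not VPP code."""
import struct

ETH_LEN, IP4_LEN, UDP_LEN = 14, 20, 8
MIN_FRAME = 60          # 64-byte minimum on the wire minus the 4-byte FCS
UDP_PAYLOAD_OFF = ETH_LEN + IP4_LEN + UDP_LEN


def build_frame(udp_payload):
    """Constructed Ethernet/IPv4/UDP(4500) frame, zero-padded to the
    minimum frame size the way a NIC does before handing it to the host."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0,
                     IP4_LEN + UDP_LEN + len(udp_payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", 4500, 4500, UDP_LEN + len(udp_payload), 0)
    frame = eth + ip + udp + udp_payload
    return frame + bytes(max(0, MIN_FRAME - len(frame)))


def classify_udp_payload(payload):
    """RFC 3948: a single 0xFF byte is a NAT-keepalive, a zero SPI field is
    the non-ESP marker in front of IKE, anything else of at least 8 bytes
    is ESP (SPI then sequence number)."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        spi = struct.unpack_from("!I", payload)[0]
        return "esp spi=0x%08x" % spi
    return "drop"


def classify_by_buffer_length(frame):
    """The mistake: everything after the UDP header, padding included."""
    return classify_udp_payload(frame[UDP_PAYLOAD_OFF:])


def classify_by_udp_length(frame):
    """The fix: trust the UDP length field once it is known to fit the
    buffer; a length that overruns the buffer is itself a reason to drop."""
    udp_len = struct.unpack_from("!H", frame, ETH_LEN + IP4_LEN + 4)[0]
    if udp_len < UDP_LEN or ETH_LEN + IP4_LEN + udp_len > len(frame):
        return "drop"
    return classify_udp_payload(
        frame[UDP_PAYLOAD_OFF:ETH_LEN + IP4_LEN + udp_len])
```

For a full-size ESP datagram the two classifiers agree, which is why the bug only shows up on keepalives and other sub-minimum frames.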
|
|
Add udp total session counts - as stat segment entries:
/bfd/udp4/sessions
/bfd/udp6/sessions
and per session packet/byte counters:
/bfd/rx-session-counters
/bfd/rx-session-echo-counters
/bfd/tx-session-counters
/bfd/tx-session-echo-counters
These counters are per-thread and per-session id.
Adjust tests to verify proper function.
Type: refactor
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ie597928022b6ac74c2220019b9e8e1714295f170
|
|
Type: improvement
helps keep the agents stateless
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3588f13c081e24f5a8083b490eb02856361e4ccb
|
|
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3b6e56b319aab3ffd2cc82d31e646bd42901275b
|
|
Debian 11 has some packages that have changed, and need adjustment.
Also, its default compiler is gcc 10, which, unlike either gcc 8
or gcc 11, prints a bunch of warnings, which fails compilation.
And there is no gcc 11 package.
Therefore, use clang for this build.
Additionally, python 3.9 has exposed this issue:
https://bugs.python.org/issue42580
Therefore, make a local patch to scapy to tackle it.
Type: feature
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I7b9c0f852ab97fe3c1feca3f22020ac0970ba3e2
|
|
- pip == 22.0.3
- pip-tools == 6.5.0
- setuptools == 60.7.1 (now pinned in test/Makefile)
- upgrade packages in requirements-3.txt
- install iperf3 for 'make test TEST=vcl'
Type: test
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I1bd85f10fb4f6ba87b9bc1267905e5f1b8eb16de
|
|
Type: fix
Fixes: 72e31bc2d9
Fixes: db02380
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92a62bb1cb799e8fdc3ec4110ae3428825254f8a
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Mark broken test suites using @tag_fixme_asan. The main issue
is that some tests do not pass with ASan. These will need to
be fixed, but it takes time and in the meantime, new issues are
introduced that trip up ASan. When this tag is set and ASan
is enabled, failing ASan tests are skipped, so incremental
fixes can pass the CI.
Type: improvement
Change-Id: I02602eb74234c25a4c701279e14704b81d4c5b71
Signed-off-by: Naveen Joy <najoy@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I6d23ff14380b0154f617b3ab7cd1acd5aa45106a
|
|
Removing obsolete unused nat44-ei nodes and functions.
Type: refactor
Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Use 'python3' for all python calls in virtualenv. Using $(PYTHON_INTERP)
(set to $(PYTHON)) is incorrect when $(PYTHON) contains absolute path
(e.g. '/usr/bin/pypy3') as it uses interpreter outside of virtualenv.
Type: fix
Change-Id: I19878360cfc1ab6a591e09a079b0b69c1a1a58cf
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Add API to disable full reassembly of "forus" packets. Mark packets
passing through ip[4|6]-local nodes with a new buffer flag and check for
that flag in reassembly.
Enable IP6 "forus" full reassembly by default to be consistent with
existing IP4 setting.
Type: improvement
Change-Id: I7067792fcd4304182654237968e4c4d9293c6143
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Make VPP_BUILD_DIR hold the correct value and adjust paths where
necessary.
Type: refactor
Change-Id: I5bc60666c04919956bf26badaf1ee1f1b188ef65
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Allow entering a test name in the stack trace window with the STEP=y option
instead of a number. This allows running a whole suite and skipping all tests
until a particular test is hit.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I23e45f8022b82545365b8921390e0e106e02b39c
|
|
- cleanup data structures, functions and cli
- remove option to return static html. For similar results, use
http static server
- rename to http_cli.c as it better describes what the app does
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I502e7566fba4376c68fbe41de9e45079a159e864
|
|
Implement a proper state machine based on the above RFCs. ACKs to SYNs/FINs
are no longer required/tracked. This is more friendly to peers and
accounts for lost packets and retransmits.
This change also means that all traffic is translated and forwarded
while in transitory timeout, which helps deliver e.g. retransmitted
FINs, FIN-ACKs and other messages.
Also support reopening a session in transitory timeout, after seeing both
FINs, by seeing both SYNs again. This helps quick connection
re-establishment if the peers want to.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
|
|
Type: improvement
When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output.
This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this:
...
00:00:01:111710: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111829: local0-output
ipsec0
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 5858585858585858585858585858585858585858585858585858585858585858
00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0
00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664
00:00:01:112017: error-drop
rx:pg1
00:00:01:112034: drop
local0-output: interface is down
although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop.
This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed.
The resulting drop is:
...
00:00:01:111504: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111533: ip4-drop
ICMP: 172.16.2.2 -> 1.1.1.1
tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN
fragment id 0x0001
ICMP echo_request checksum 0xecf4 id 0
00:00:01:111620: error-drop
rx:pg1
00:00:01:111640: drop
null-node: blackholed packets
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
|
|
GTP4/6.D behavior is updated as shown below.
1. When receiving a GTP-U message or an IPv6 link-local destination in the inner IP, the GTP packet is translated to SRv6.
2. When receiving a T-PDU packet, the outer IP/UDP/GTP headers are stripped off and the inner IP is encapsulated into SRv6 in the L3VPN SRv6 manner.
Type: feature
Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
Change-Id: I6092c98ea80236d54017f84c5b35cca0b645f034
Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
|
|
We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).
This allows testing IPsec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (e.g. 4545).
Type: improvement
Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
|
|
Type: fix
Presently a local label associated with an attached or connected prefix will link to the glean. This is a problem since it will never use the adj-fibs that are installed for that attached prefix. Instead link the local label to a lookup in the table in which the attached link is bound.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iad49fb6168b9ba47216a9a52bd262363b49c3c43
|
|
Coverity complained that there is boundary checking in
add_del_punt_redirect_v2 handler. This test proves that such boundary
checking is not necessary as it is handled in the common path.
Type: test
Change-Id: Ibec054c01d4eb057accdc9d5732aba6fe6de51cc
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Zero length fragments are invalid and should be dropped. This patch adds
that.
Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
If a fragment arrives with fragment offset = 0 and M = 0, it means that
this is actually a complete packet and per RFC 8200, it should be
treated independently from other fragments. This patch does that.
The fragmentation header is stripped and the fragment is forwarded regardless
of other existing reassemblies in the case of full reassembly, and treated
the same way as a regular packet in shallow virtual reassembly.
Type: improvement
Change-Id: If3322d5e3160cd755b8465a642702a9166d46cc2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Refactor and improve boundary checking on IPv6 extension header handling.
Limit parsing of IPv6 extension headers to a maximum of 4 headers and a
depth of 256 bytes.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ide40aaa2b482ceef7e92f02fa0caeadb3b8f7556
Signed-off-by: Ole Troan <ot@cisco.com>
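The three reassembly and extension-header commits above (zero-length fragments dropped, offset 0 with M = 0 treated as a complete packet, and the chain walk bounded to 4 headers within 256 bytes) are illustrated by one added Python example. This is not VPP's parser: the packet builder, the function names and the classification strings are constructed for the example, and only the two limits are taken from the commit text. The walk covers hop-by-hop, routing, destination-options and fragment headers; AH and ESP are left out.

```python
"""Added example of a bounded IPv6 extension-header walk with the fragment
checks from the commits above.  Not VPP's code; limits are from the commit,
everything else is constructed for the illustration."""
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
# Headers this walk steps over.  All but the fixed 8-byte fragment header
# encode their length as (hdr_ext_len + 1) * 8 octets.
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}
MAX_EXT_HEADERS = 4      # limit stated in the commit
MAX_EXT_BYTES = 256      # limit stated in the commit


class ParseError(ValueError):
    pass


def walk_ext_headers(pkt):
    """Return (upper_layer_nh, payload_offset, frag); frag is None or a dict
    of fragment-header fields.  Raises ParseError on a truncated chain, more
    than MAX_EXT_HEADERS headers, or a chain deeper than MAX_EXT_BYTES."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ParseError("short IPv6 header")
    end = IPV6_HDR_LEN + struct.unpack_from("!H", pkt, 4)[0]
    if end > len(pkt):
        raise ParseError("payload length exceeds packet")
    nh, off, count, frag = pkt[6], IPV6_HDR_LEN, 0, None
    while nh in EXT_HEADERS:
        count += 1
        if count > MAX_EXT_HEADERS:
            raise ParseError("more than %d extension headers" % MAX_EXT_HEADERS)
        if off + 8 > end:
            raise ParseError("truncated extension header")
        if nh == NH_FRAGMENT:
            next_nh, _res, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            frag = {"offset": off_flags >> 3, "more": off_flags & 1, "ident": ident}
            hdr_len = 8
        else:
            next_nh, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        off += hdr_len
        if off - IPV6_HDR_LEN > MAX_EXT_BYTES:
            raise ParseError("extension headers exceed %d bytes" % MAX_EXT_BYTES)
        if off > end:
            raise ParseError("extension header runs past payload")
        nh = next_nh
    return nh, off, frag


def classify(pkt):
    """Decide what reassembly should do with the packet."""
    nh, off, frag = walk_ext_headers(pkt)
    if frag is None:
        return "forward"
    data_len = IPV6_HDR_LEN + struct.unpack_from("!H", pkt, 4)[0] - off
    if data_len == 0:
        return "drop-zero-length-fragment"
    if frag["offset"] == 0 and frag["more"] == 0:
        return "atomic-strip-and-forward"   # RFC 8200: a complete packet
    return "reassemble"


def is_rejected(pkt):
    """True when the walk refuses the packet (used to exercise the limits)."""
    try:
        classify(pkt)
        return False
    except ParseError:
        return True


# Constructed packet builders (not real traffic).
SRC = bytes.fromhex("20010db8000000010000000000000001")
DST = bytes.fromhex("20010db8000000020000000000000001")


def dest_opts(next_nh, hdr_ext_len=0):
    return bytes([next_nh, hdr_ext_len]) + bytes((hdr_ext_len + 1) * 8 - 2)


def frag_hdr(next_nh, offset, more, ident):
    return struct.pack("!BBHI", next_nh, 0, (offset << 3) | more, ident)


def ipv6(first_nh, exts, payload):
    payload_len = sum(len(e) for e in exts) + len(payload)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, payload_len, first_nh, 64, SRC, DST)
    return hdr + b"".join(exts) + payload
```

The depth check runs after each header is consumed, so a single oversized destination-options header is rejected as well as a long chain of small ones; the count check runs before the header is read, so five 8-byte headers are rejected even though they fit comfortably within 256 bytes.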
|
|
Type: test
Change-Id: Ic9fddc9fedd5140984c5901c4cac53dec022dcec
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Change-Id: I2f30a4f04fd9a8635ce2d259b5fd5b0c85cee8c3
|
|
On interface delete we were not removing
the lock taken by a previous ip_table_bind()
call thus preventing the VRFs to be removed.
Type: fix
Change-Id: I11abbb51a09b45cd3390b23d5d601d029c5ea485
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
The NAT pool address overlaps with the pg4 network 10.0.0.1/24;
this is not desirable because of the upcoming change [1]. This
change uncovered a configuration issue with the hairpinning test
that would fail because of the already configured pg4 interface
that shares a subnet with the NAT pool address. Packets would
incorrectly end up in the wrong pg interface, causing the test to fail.
This patch changes the NAT pool address to 10.0.10.3, which doesn't
belong to any of the subnets configured on pg interfaces in NAT
tests.
[1] https://gerrit.fd.io/r/c/vpp/+/34441
Type: test
Change-Id: I49e63dacbf0847116adbcf1954ff5defd833a657
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: feature
Change-Id: Iabd76558e9c72ed8286cfeeb1fbaa4fde4832a90
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Now that we support multiple exporters add some basic tests to verify
that we can create/delete multiple exporters and that the streaming
commands work.
Type: test
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I577f38440790080bfdcf87a8a6828da6cb6f1707
|
|
Type: fix
Using the adjacency to modify the interface's feature arc doesn't work, since there is potentially more than one adj per interface.
Instead have the interface, when it is created, register what the end node of the feature arc is. This end node is then also used as the interface's tx node (i.e. it is used as the adjacency's next-node).
Rename adj-midchain-tx as 'tunnel-output'; that's a bit more intuitive.
There's also a fix in config string handling to:
1- prevent false sharing of strings when the end node of the arc is different.
2- call registered listeners when the end node is changed
For IPSec the consequences are that one cannot provide per-adjacency behaviour using different end-nodes; this was previously done for the no-SA case and an SA with no protection. These cases are now handled in the esp-encrypt node.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If3a83d03a3000f28820d9a9cb4101d244803d084
|
|
Type: fix
re-evaluate the import/export state of a prefix when the interface it is attached to rebinds to a different table.
Only attached routes have import/export requirements, so we can back walk from the glean adjacency when the interface rebinds tables.
There are two cases to consider.
1. the rebind may change the prefix from/to import
2. the import VRF may change
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I25b6af43b3b2d8f701dfbe7a08710dc56b3f5778
|
|
Fixed bad use of macros for autoendian API calls
and updated tests for the new API. Removed the sw_if_index
check macro because of the ntohl conversion. Changed
REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions.
Type: fix
Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ib9899327897f36219c113fedb25366cd1be463a0
|
|
Type: fix
Fixes: b8165b96f
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Ic82a0404073a26e3d160b01c9038cde11eedf3ec
|
|
Admin down implies Link down but nothing came with admin up.
Ticket: VPP-1959
Type: fix
Change-Id: I43725329ae7918659c73d703280c25de5f0b1d14
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
|
|
- docs requires jsonschema which is only supported
on python 3.7 or newer. This causes 'make test'
to fail on Ubuntu 18.04
Type: fix
Fixes: 9ad39c026
Change-Id: I0935c569ac102ea1dba6112f458e6ee10330e474
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Due to the multiarch nature of that code, those tests don't bring much
value. New tests will be added as part of the refactor.
Type: refactor
Change-Id: I41056dc99d08cd6ca38f9e00e8cf6a465c90edb7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
clib_strncat
There are 3 versions of the string functions. For example, for strcpy,
they are
1. strcpy(dst, src) -- the legacy unsafe version
2. strcpy_s(dst, dmax, src) -- C11 safeC version which has an additional argument
named dmax.
3. clib_strcpy(dst,src) -- clib version to enable legacy code that uses strcpy
to make use of strcpy_s without adding the additional argument, dmax, which is
required by the C11 safeC version.
The implementation for the clib version is to artificially provide dmax to
strcpy_s. In this case, it uses 4096 which assumes that if the legacy code
works without blowing up, it is likely to work with the clib version without
problem.
gcc-11 is getting smarter by checking if dmax is within the object's boundary.
When the object is declared as static array, it will flag a warning/error
if dmax is out of bound for the object since the real size of dst can be
determined at compile time.
There is no way to find the real size of dst if the object is dynamically
allocated at compile time. For this reason, we simply can't provide support
for the clib version of the function anymore. If any code is using the clib
version, the choice is to migrate to the safeC version.
Type: fix
Fixes: b0598497afde60146fe8480331c9f96e7a79475a
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I99fa59c878331f995b734588cca3906a1d4782f5
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3286fbf09d18719546ba80e9cb81c7e58f87a603
|