summaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2021-10-07ikev2: do not require optional IDr on IKE AUTHBenoît Ganne1-12/+31
IDr is optional in IKE AUTH from the initiator. In that case, the responder is free to use any matching profile and fills the corresponding IDr in the response. The initiator is then free to accept or reject it. Type: improvement Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-06wireguard: add events for peerArtem Glazychev1-8/+136
we can receive events from peer about its state: -WIREGUARD_PEER_STATUS_DEAD -WIREGUARD_PEER_ESTABLISHED Type: improvement Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06wireguard: add ipv6 supportArtem Glazychev1-51/+448
Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-06docs: vnet comment nitfixesNathan Skrzypczak1-1/+1
Type: improvement Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06ip: add classifier-based ACLs support on ip puntBenoît Ganne2-2/+78
This feature allows one to add classifier-based ACLs on packets punted from the ip infra, eg. to only whitelist specific sender(s). Type: feature Change-Id: Idab37b188583efbca980038875fc3e540cb2e880 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-05build: don't hardcode triplet, allow specifying custom lib dirDamjan Marion2-21/+23
Type: fix Change-Id: I33f364fda88914f88f9b976cb83e6d3ff466f0bb Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
2021-10-04wireguard: use the same udp-port for multi-tunnelArtem Glazychev1-0/+104
now we can reuse udp-port for many wireguard interfaces Type: improvement Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-04ip: fix punt for ipv6Benoît Ganne1-0/+144
Type: fix Change-Id: I583c30e9b63c0b0b6cd5fef0b2cb9ed7ec9856e2 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-30wireguard: move adjacency processing from wireguard_peer to wireguard_interfaceArtem Glazychev1-14/+36
now we should add routes manually Type: improvement Change-Id: I877511a18854efdfad02939267d38a216b2ccec3 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-09-29ipsec: Record the number of packets lost from an SANeale Ranns3-0/+101
Type: feature Gaps in the sequence numbers received on an SA indicate packets that were lost. Gaps are identified using the anti-replay window that records the sequences seen. Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
2021-09-28api: API trace improvementsFilip Tehlar1-0/+63
Type: improvement * add support for JSON format in API trace * add ability to replay JSON API trace in both VPP and VAT2 * use CRC for backward compatibility check during JSON API replay * fix API trace CLI (and remove duplicits) * remove custom dump * remove vppapitrace.py * update docs accordingly Change-Id: I5294f68bebe6cbe738630f457f3a87720e06486b Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Ole Troan <ot@cisco.com>
2021-09-27ikev2: support variable-length noncesBenoît Ganne1-1/+3
IKEv2 nonces can be 16 to 256 bytes. Type: fix Change-Id: Ib332028594355c9e5b462bddb7e4dffbcdc9a927 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-27classify: Large and nested classifer unit testsRay Kinsella3-20/+352
Type: test Large and nested unit tests to test AVX-512 optimized versions of the classify hash and match algorithims. Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: Ie423fee5e0fd1cb4bdf3bec8e0230a5f7cfc75fc
2021-09-27gso: do not gro on small packetsAloys Augustin1-0/+102
This has two benefits: fix an issue where small packets can be padded to 64 bytes by the ethernet layer, and we included these bytes in the tcp stream; and also if we receive a small packet, it signals that this tcp stream is likely more latency-sensitive than throughput- sensitive, and skipping gro buffering should be beneficial. Type: fix Change-Id: I165b97673d8cdce95ebf0a66c362ae9f9e6f3f34 Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-09-22ip: add ip_table_allocate to apiAloys Augustin2-47/+183
Set tableID = ~0 for auto selection unused ID https://jira.fd.io/browse/VPP-1993 Type: improvement Change-Id: I4eec2cc1d18fc025196cb6ac4c9a4b374388eb56 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-09-16ip6-nd: add ip6-nd proxyMohsin Kazmi1-0/+188
Type: feature Change-Id: I91f72f5802db195d1a15424d67c1b6e518168f9f Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-09-13ip-neighbor: Handle local MAC address change for incomplete adjacenciesNeale Ranns1-1/+23
Type: fix When the local MAC address of an interface changes the rewrite strings of all adjacency types need to be updated - this patch fixes the missing case of incomplete adjacencies. I moved the update of all adj types into the adj module, since if the complete adjs were done by the ip-neighbour module and incomplete ones by adj module, that would mean two walks of the adj DB, as it is not possible to walk only a specific type. UT is updated to include the missing case. Signed-off-by: Neale Ranns <neale@graphiant.com> Signed-off-by: Ivan Shvedunov <ivan4th@gmail.com> Change-Id: I36af94976c645bdd0d4d3bc0093b24d7d077e9d7
2021-09-09flowprobe: simplify test logicKlement Sekera1-55/+18
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9a3923ec1ff1371e870bc57ade4035de07bfbbcb
2021-09-08tests: fix DEBUG=attach multiple worker configKlement Sekera1-0/+3
Type: fix Change-Id: Ie7920c0c699904de0f68ddb749725887b569f295 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-08-31vcl: switch part of the tests to sock apiFlorin Coras1-13/+47
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I427af3be604783d36080c284ed32fb1df525bf54
2021-08-26ikev2: check for valid cipher + integrityBenoît Ganne1-1/+1
Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith1-0/+45
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin1-1/+1
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-13tests docs: upgrade python packagesDave Wallace16-354/+439
- Upgrade python package requirements for test & docs - Clean up docs generation warnings - Consolidate python requirements for docs in test requirements specs. - Upgrade pip Type: make Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-08-09ip6-nd: only respond to RS if sending RA is enabledOle Troan1-1/+15
Even when periodic RAs are disabled VPP would respond to router solicitations. Making it impossible to have an IPv6 enabled interface with hosts connected to it without VPP acting as a default router. This change drops RS messages if the radv_info->send_radv is off. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9a68f8e12c93c1c00125b54f8fd454f48fa22caa Signed-off-by: Ole Troan <ot@cisco.com>
2021-07-29nat: fix ICMP checksum validationKlement Sekera1-0/+44
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-28gre: set proper fib index for unnumbered interfaces, unset fib index before ↵Stanislav Zaikin1-7/+9
forwarding gre payload This commit introduces 2 fixes: 1) After GRE decapsulation sw_if_index[VLIB_TX] is set as fib index of GRE tunnel. But since GRE tunnel can work on v4 endpoints and have v6 payload, we need to reset it. In case we get IPv6 packet inside IPv4 GRE tunnel (or vice-versa) fib index can be (and usually is) invalid. 2) Check that ip-table and ip6-table are the same when setting interface as an unnumbered one. Also, fix for the pipe test include setting the right unnumbered interface for the pipes Type: fix Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com> Change-Id: Id13d239cfdd21e0db6b1c9725f01c40d4af4d800
2021-07-19nat: harden ICMP handlingKlement Sekera1-0/+4
Verify that headers are not truncated and that checksums are valid. Correct checksum computation in translation code. Type: fix Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-14nat: adding support for icmp-error msgFilip Varga1-0/+35
Extending tests. Type: test Change-Id: I98cc1d214ead10ac53fed34a1492d9b5f37975a2 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-14nat: refactoring NAT44ED cfg functionsFilip Varga1-11/+2
Refactored & fixed NAT44ED configuration functions used for handling interfaces and nodes. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
2021-07-13fib: Set the GLEAN flag on attached export routes so that the SAS worksNeale Ranns2-1/+14
correctly. Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4bc2eb394a8f9d01c5a12de2ce963c22209d5439
2021-07-12papi: remove shared memory transportOle Troan2-2/+1
This patch removes the papi transport shared memory plugin. It also removes any dependency on CFFI. Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ia81701c0dc506871e511495d837e41420e1fdf72 Signed-off-by: Ole Troan <ot@cisco.com>
2021-07-09gso: add ipsec tunnel testsMohsin Kazmi1-0/+247
Type: test Change-Id: I831bc8c21f8ce869054eafcb14542508039c1b82 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-07-06vrrp: Fix for test-all testcases failure.Rajaselvam1-18/+16
Failure due to the method vrrp_adv_packet scope and self reference. Type: fix Signed-off-by: rajaselvam <rajaselvam@gmail.com> Change-Id: I4ec14ea37928142651eb08fcc5736bc9c24ab062
2021-06-30ipsec: Derive the TUNNEL_V6 flag from the configured address typesNeale Ranns1-2/+0
Type: improvement There's no need for the user to set the TUNNEL_V6 flag, it can be derived from the tunnel's address type. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I073073dc970b8a3f2b2645bc697fc00db1adbb47
2021-06-29ipsec: Fix setting the hi-sequence number for decryptNeale Ranns2-192/+1016
Type: fix two problems; 1 - just because anti-reply is not enabled doesn't mean the high sequence number should not be used. - fix, there needs to be some means to detect a wrapped packet, so we use a window size of 2^30. 2 - The SA object was used as a scratch pad for the high-sequence number used during decryption. That means that once the batch has been processed the high-sequence number used is lost. This means it is not possible to distinguish this case: if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl)) { ... if (post_decrypt) { if (hi_seq_used == sa->seq_hi) /* the high sequence number used to succesfully decrypt this * packet is the same as the last-sequnence number of the SA. * that means this packet did not cause a wrap. * this packet is thus out of window and should be dropped */ return 1; else /* The packet decrypted with a different high sequence number * to the SA, that means it is the wrap packet and should be * accepted */ return 0; } - fix: don't use the SA as a scratch pad, use the 'packet_data' - the same place that is used as the scratch pad for the low sequence number. other consequences: - An SA doesn't have seq and last_seq, it has only seq; the sequence numnber of the last packet tx'd or rx'd. - there's 64bits of space available on the SA's first cache line. move the AES CTR mode IV there. - test the ESN/AR combinations to catch the bugs this fixes. This doubles the amount of tests, but without AR on they only run for 2 seconds. In the AR tests, the time taken to wait for packets that won't arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of these tests from 10-15 to about 5 sceonds. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
2021-06-28ipsec: Split the SA add_del API into an separate add and delNeale Ranns1-20/+2
Type: improvement the rationale being that the del only requires the SA's ID, so it's a bit mean to require the client to fill out all the other information as well. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
2021-06-28ipsec: Enable the extended Sequence Number IPSec tests for GCMNeale Ranns1-2/+72
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie691b1c8841f5e195525bfff990f12ab918ba394
2021-06-25stats: revert "add a retry mechanism in a symlink test"Beno�t Ganne1-15/+1
This reverts commit d70777aa60a87001f323f3b226d7e5cee2cd23d8. Reason for revert: wrong fix Type: fix Change-Id: Ibff1b977eae8d2cc85888165ebf83c42eb661698 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-22nat: don't drop packet with ttl=1 if output featureKlement Sekera1-0/+26
TTL was already decremented in ip4-rewrite so it's okay if it's 1. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
2021-06-22stats: add a retry mechanism in a symlink testArthur de Kerhor1-1/+15
When creating a new node, a corresponding node symlink is created when the nodes counters update. To be sure we are able to access this symlink, a retry mechanism was added. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: Ieb08d8554b4fd13d01e79062b5f820b235be9a13
2021-06-17tests: Tests for cross AF routingNeale Ranns1-0/+124
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iebee39d0974c6f458863ce6144c6a83bc3cf4cb7
2021-06-17mpls: CLI to show the MPLS forwarding state of an interfaceNeale Ranns1-0/+7
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I28b98154bbff36e8391a09a2b30302dda4349946
2021-06-16api: remove custom dumpFilip Tehlar1-2/+0
Type: improvement Change-Id: I4b9b2be8817be10e46accc19219deb2b544f266b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-06-14linux-cp: Add tests for tun devicesNeale Ranns3-5/+252
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iec69d8624b15766ed65e7d09777819d2242dee17
2021-06-14pg: A Tunnel mode variant of a pg interfaceNeale Ranns3-4/+129
Type: feature this allows VPP to simulate linux tun devices. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3adf38b49a254804370f78edd5d275d192fd00a6
2021-06-08vppinfra: pool_free_elts() now supports fixed-size poolsDave Barach1-0/+13
Test added to the unittest plugin / test_vlib.py Type: improvement Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I73445e57918347c102ff6f5e8c9ddb9bd96f1407
2021-06-03fib: fix flags updates when adding routes with a udp encap pathArthur de Kerhor1-5/+5
When adding a route via a udp encap instance, FIB_ENTRY_FLAG_IMPORT should not be set. In particular, fib_route_attached_cross_table should always return false for such paths. Modified test_udp_encap to leverage the bug that needed to be fixed. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: Iaa9489e96d1cff09751f92c62caf7999d924fd7f
2021-05-29udp: add udp decapsulationArthur de Kerhor2-4/+179
Possibility to register a port via CLI or API to decap incoming UDP packets: - For CLI, a user needs to specify the inner protocol (only MPLS supported for now) - For API, the protocol is specified by index Added unittests Type: feature Change-Id: Ifedd86d8db2e355b7618472554fd67d77a13a4aa Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2021-05-28svm: fix inadequate atomic load for chunk mgrDave Wallace1-3/+1
- Fixes intermittent LDP cut thru iperf3 test failure on AARCH64 Type: fix Change-Id: Id21a078d642e03d974bacacd1f4d0faa42fb6652 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>