Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ib9899327897f36219c113fedb25366cd1be463a0
|
|
Type: fix
Fixes: b8165b96f
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Ic82a0404073a26e3d160b01c9038cde11eedf3ec
|
|
Admin down implies Link down but nothing came with admin up.
Ticket: VPP-1959
Type: fix
Change-Id: I43725329ae7918659c73d703280c25de5f0b1d14
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
|
|
- docs requires jsonschema which is only supported
on python 3.7 or newer. This causes 'make test'
to fail on Ubuntu 18.04
Type: fix
Fixes: 9ad39c026
Change-Id: I0935c569ac102ea1dba6112f458e6ee10330e474
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Due to multiarch nature of that code, those tests doesn't bring much
value. New tests will be addes as part of refactor.
Type: refactor
Change-Id: I41056dc99d08cd6ca38f9e00e8cf6a465c90edb7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
clib_strncat
There are 3 versions of the string functions. For example, for strcpy,
they are
1. strcpy(dst, src) -- the legacy unsafe version
2. strcpy_s(dst, dmax, src) -- C11 safeC version which has an addition argument
named dmax.
3. clib_strcpy(dst,src) -- clib version to enable legacy code that uses strcpy
to make use of strcpy_s without adding the additional argument, dmax, which is
required by the C11 safeC version.
The implementation for the clib version is to artificially provide dmax to
strcpy_s. In this case, it uses 4096 which assumes that if the legacy code
works without blowing up, it is likely to work with the clib version without
problem.
gcc-11 is getting smarter by checking if dmax is within the object's boundary.
When the object is declared as static array, it will flag a warning/error
if dmax is out of bound for the object since the real size of dst can be
determined at compile time.
There is no way to find the real size of dst if the object is dynamically
allocated at compile time. For this reason, we simply can't provide support
for the clib version of the function anymore. If any code is using the clib
version, the choice is to migrate to the safeC version.
Type: fix
Fixes: b0598497afde60146fe8480331c9f96e7a79475a
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I99fa59c878331f995b734588cca3906a1d4782f5
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3286fbf09d18719546ba80e9cb81c7e58f87a603
|
|
- Also fix docs requirements and venv cleanup
required for docker executor building
Type: test
Change-Id: I839423224d95c45af42f459217887f4201cbb11a
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Run 'find src -executable -type f', remove unnecessary executable bits from the
source tree.
Type: refactor
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I070e22c8fb2ef8712bc3ea620727ee5ab3d9a9fb
|
|
Type: fix
If the walk is triggered when the child is added, then that child is visited in the walk. However, since it is just attahcing to the path-list it may not, or indeed cannot, have all the context it needs to successfully handle the walk.
In the case of MPLS tunnel, it does not have the path extensions ready, and cannot since the path extensions need to resolve on the path-list.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I027af8cf2f522d2f6e37931bea60c767f0cb667d
|
|
Type: improvement
This is an attempt to make the cnat tests more
readable by hiding the scapy packet generation
under a common context concept.
This in order to add tests covering a wider range
of scenarios. As of now, only VIP, snat & DHCP
being covered
Change-Id: Ia84868984506bbb652fe974e9a6f54f7a3cc0bd9
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: test
Change-Id: I185725c0f94084d08c8514642a84a04da62398e1
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
nat44-ed core configuration improvements & fixes [0-5] adjusted
for nat44-ei plugin.
Improvements:
* repeating code converted to functions
* simplified functions used for pool address, static mapping
and interface configuration.
Clean up:
* remove obsolete code and logic persisted after plugin
separation from old SNAT plugin.
Fixes:
* [0] return correct API behavior changed in [5]
Type: improvement
[0] https://gerrit.fd.io/r/c/vpp/+/33622
[1] https://gerrit.fd.io/r/c/vpp/+/33431
[2] https://gerrit.fd.io/r/c/vpp/+/33337
[3] https://gerrit.fd.io/r/c/vpp/+/33249
[4] https://gerrit.fd.io/r/c/vpp/+/32796
[5] https://gerrit.fd.io/r/c/vpp/+/32951
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
|
|
Put static mappings in flow hash, drop existing hash tables used for
static mappings. Drop refcount variables and use hash table as a single
point of truth. Allow creating a static mapping conflicting with dynamic
mapping, which will take precedence after dynamic mapping is freed, so
that the existing flow can finish transferring data.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
|
|
This patch refactors the VPP sphinx docs
in order to make it easier to consume
for external readers as well as VPP developers.
It also makes sphinx the single source
of documentation, which simplifies maintenance
and operation.
Most important updates are:
- reformat the existing documentation as rst
- split RELEASE.md and move it into separate rst files
- remove section 'events'
- remove section 'archive'
- remove section 'related projects'
- remove section 'feature by release'
- remove section 'Various links'
- make (Configuration reference, CLI docs,
developer docs) top level items in the list
- move 'Use Cases' as part of 'About VPP'
- move 'Troubleshooting' as part of 'Getting Started'
- move test framework docs into 'Developer Documentation'
- add a 'Contributing' section for gerrit,
docs and other contributer related infos
- deprecate doxygen and test-docs targets
- redirect the "make doxygen" target to "make docs"
Type: refactor
Change-Id: I552a5645d5b7964d547f99b1336e2ac24e7c209f
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: fix
the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting.
The traces previously showed some bogus reason:
00:04:27:325550: ip6-mfib-forward-rpf
entry 10 itf -1 flags
00:04:27:325551: ip6-drop
fib:0 adj:10 flow:0
UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2
tos 0x00, flow label 0x651ed, hop limit 1, payload length 64
UDP: 546 -> 547
length 64, checksum 0xec9a
00:04:27:325551: error-drop
rx:GigabitEthernet6/0/0
00:04:27:325553: drop
ip6-input: drops due to concurrent reassemblies limit
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
|
|
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup
performance. Details about flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using bihash without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, old entry will
be overwritten by the new entry. Worst case is when all the 256
packets in a batch result in collision and fall back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows.
This can be made as a configurable option as a next step.
4. Whenever a SPD rule is added/deleted by the control plane, the
flow cache entries will be completely deleted (reset) in the
control plane. The assumption here is that SPD rule add/del is not
a frequent operation from control plane. Flow cache reset is done,
by putting the data plane in fall back mode, to bypass flow cache
and do linear search till the SPD rule add/delete operation is
complete. Once the rule is successfully added/deleted, the data
plane will be allowed to make use of the flow cache. The flow
cache will be reset only after flushing out the inflight packets
from all the worker cores using
vlib_worker_wait_one_loop().
Details about bihash usage:
1. A new bihash template (16_8) is added to support IPv4 5 tuple.
BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set
to 1 in the new template. It means only one KVP is supported
per bucket.
2. Collision handling is avoided by calling
BV (clib_bihash_add_or_overwrite_stale) function.
Through the stale callback function pointer, the KVP entry
will be overwritten during collision.
3. Flow cache reset is done using
BV (clib_bihash_foreach_key_value_pair) function.
Through the callback function pointer, the KVP value is reset
to ~0ULL.
MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt,
64B for different SPD policy matching indices:
SPD Policy index : 1 10 100 1000
Throughput : MPPS/MPPS MPPS/MPPS MPPS/MPPS KPPS/MPPS
(Baseline/Optimized)
ARM Neoverse N1 : 5.2/4.84 4.55/4.84 2.11/4.84 329.5/4.84
ARM TX2 : 2.81/2.6 2.51/2.6 1.27/2.6 176.62/2.6
INTEL SKX : 4.93/4.48 4.29/4.46 2.05/4.48 336.79/4.47
Next Steps:
Following can be made as a configurable option through startup
conf at IPSec level:
1. Enable/Disable Flow cache.
2. Bihash configuration like number of buckets and memory size.
3. Dual/Quad loop unroll can be applied around bihash to further
improve the performance.
4. The same flow cache logic can be applied for IPv6 as well as in
IPSec inbound direction. A deeper and wider flow cache using
bihash_40_8 can replace existing bihash_16_8, to make it
common for both IPv4 and IPv6 in both outbound and
inbound directions.
Following changes are made based on the review comments:
1. ON/OFF flow cache through startup conf. Default: OFF
2. Flow cache stale entry detection using epoch counter.
3. Avoid host order endianness conversion during flow cache
lookup.
4. Move IPSec startup conf to a common file.
5. Added SPD flow cache unit test case
6. Replaced bihash with vectors to implement flow cache.
7. ipsec_add_del_policy API is not mpsafe. Cleaned up
inflight packets check in control plane.
Type: improvement
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006
|
|
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
|
|
Put static mappings in flow hash, drop existing hash tables used for
static mappings. Drop refcount variables and use hash table as a single
point of truth. Allow creating a static mapping conflicting with dynamic
mapping, which will take precedence after dynamic mapping is freed, so
that the existing flow can finish transferring data.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
|
|
This patches fixes an issue that could cause
fib locks to underflow: if an API user deletes
a fib and quickly recreates it, the fib may not
have been actually deleted. As a result, the
lock would not be incremented on the create call
leading to the fib potentially disappearing
afterwards - or to the lock to underflow when
the fib is deleted again.
In order to keep the existing API semantics,
we use the locks with API and CLI source as flags.
This means we need to use a different counter
for the interface-related locks.
This also prevents an issue where an interface being
bound to a vrf via API and released via CLI could
mess up the lock counter.
Finally, this will help with cleaning up the
interface-related locks on interface deletion
in a later patch.
Type: fix
Change-Id: I93030a7660646d6dd179ddf27fe4e708aa11b90e
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
similar behavior as here: 839dcc0fb7313638d9b8f52a9db81350dddfe461
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I1b0a8f8f3dab48839e27df7065cf5f786cf0b5e9
|
|
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I415d68b39ecac546b531f6eb98bca51e7eb6f7f7
|
|
IDr is optional in IKE AUTH from the initiator. In that case, the
responder is free to use any matching profile and fills the
corresponding IDr in the response.
The initiator is then free to accept or reject it.
Type: improvement
Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
we can receive events from peer about its state:
-WIREGUARD_PEER_STATUS_DEAD
-WIREGUARD_PEER_ESTABLISHED
Type: improvement
Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
|
|
Type: improvement
Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
This feature allows one to add classifier-based ACLs on packets punted
from the ip infra, eg. to only whitelist specific sender(s).
Type: feature
Change-Id: Idab37b188583efbca980038875fc3e540cb2e880
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: I33f364fda88914f88f9b976cb83e6d3ff466f0bb
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
|
|
now we can reuse udp-port for many wireguard interfaces
Type: improvement
Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
Type: fix
Change-Id: I583c30e9b63c0b0b6cd5fef0b2cb9ed7ec9856e2
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
now we should add routes manually
Type: improvement
Change-Id: I877511a18854efdfad02939267d38a216b2ccec3
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
Type: feature
Gaps in the sequence numbers received on an SA indicate packets that were lost.
Gaps are identified using the anti-replay window that records the sequences seen.
Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
|
|
Type: improvement
* add support for JSON format in API trace
* add ability to replay JSON API trace in both VPP and VAT2
* use CRC for backward compatibility check during JSON API replay
* fix API trace CLI (and remove duplicits)
* remove custom dump
* remove vppapitrace.py
* update docs accordingly
Change-Id: I5294f68bebe6cbe738630f457f3a87720e06486b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
IKEv2 nonces can be 16 to 256 bytes.
Type: fix
Change-Id: Ib332028594355c9e5b462bddb7e4dffbcdc9a927
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: test
Large and nested unit tests to test AVX-512 optimized versions of the classify
hash and match algorithims.
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: Ie423fee5e0fd1cb4bdf3bec8e0230a5f7cfc75fc
|
|
This has two benefits: fix an issue where small packets can be
padded to 64 bytes by the ethernet layer, and we included these bytes
in the tcp stream; and also if we receive a small packet, it signals
that this tcp stream is likely more latency-sensitive than throughput-
sensitive, and skipping gro buffering should be beneficial.
Type: fix
Change-Id: I165b97673d8cdce95ebf0a66c362ae9f9e6f3f34
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
Set tableID = ~0 for auto selection unused ID
https://jira.fd.io/browse/VPP-1993
Type: improvement
Change-Id: I4eec2cc1d18fc025196cb6ac4c9a4b374388eb56
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
Type: feature
Change-Id: I91f72f5802db195d1a15424d67c1b6e518168f9f
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
When the local MAC address of an interface changes the rewrite strings
of all adjacency types need to be updated - this patch fixes the missing
case of incomplete adjacencies.
I moved the update of all adj types into the adj module, since if the
complete adjs were done by the ip-neighbour module and incomplete ones
by adj module, that would mean two walks of the adj DB, as it is not
possible to walk only a specific type.
UT is updated to include the missing case.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Signed-off-by: Ivan Shvedunov <ivan4th@gmail.com>
Change-Id: I36af94976c645bdd0d4d3bc0093b24d7d077e9d7
|
|
Type: refactor
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9a3923ec1ff1371e870bc57ade4035de07bfbbcb
|
|
Type: fix
Change-Id: Ie7920c0c699904de0f68ddb749725887b569f295
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I427af3be604783d36080c284ed32fb1df525bf54
|
|
Type: improvement
Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
With endpoint dependent NAT44, When there are multiple workers we look
for a flow which matches the packet in order to figure out which worker
should handle the packet. If the packet is an ICMP error, it may be
associated with an existing flow by inspecting the L3/L4 headers that
are included in the message payload.
This was not being done for in2out packets in
nat44_ed_get_in2out_worker_index(), so some packets which were related
to an open session were not being associated with that session and were
being passed to a different thread than the one where the session was
created. Later on, when the packet was processed by the fast path in2out
node, the L3/L4 headers in the payload are inspected and the fast path
node finds the existing session. Since that session is owned by a
different thread than the one the packet is being processed by, the
in2out fast path node can potentially access the wrong session and/or
memory adjacent to the session pool. This can cause a SEGV.
Make nat44_ed_get_in2out_worker_index() look at the inner headers when
processing an ICMP error. THis is already done in
nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
The NAT plugin stores packet counters and a counter represents a vector
indexed by interface index. When an interface is assigned a NAT role,
the counters are validated to be long enough for the given interface
index.
When a packet traverses NAT in2out and output feature is disabled, the
appropriate counters are updated by the RX interface index. In this
case, translation happens on the inside interface and its index was
ensured to be valid in all of the counters during NAT role assignment.
When a packet traverses NAT in2out and output feature is enabled, the
appropriate counters are updated by the RX interface index too. In this
case, translation happens on the outside interface and the packet could
be received on any interface, even with no NAT role assigned. If that's
the case and its index is greater than the greatest index validated in
the counters, a new counter value will be written to memory that does
not belong to the counter. As a result, a crash will occur at some
point.
With this change, use TX interface index to update the counters when
output feature is enabled. TX interface is an actual interface where
translation happens and its index is always valid in the counters.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
|
|
- Upgrade python package requirements for test & docs
- Clean up docs generation warnings
- Consolidate python requirements for docs in test
requirements specs.
- Upgrade pip
Type: make
Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Even when periodic RAs are disabled VPP would respond to
router solicitations. Making it impossible to have an IPv6
enabled interface with hosts connected to it without VPP
acting as a default router.
This change drops RS messages if the radv_info->send_radv is
off.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I9a68f8e12c93c1c00125b54f8fd454f48fa22caa
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Handle case where extra data is present in buffer which is not part of
IP/ICMP headers.
Type: fix
Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76
Change-Id: Icfef811470056d38c60fc45cc302139ed7594385
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
forwarding gre payload
This commit introduces 2 fixes:
1) After GRE decapsulation sw_if_index[VLIB_TX] is set as fib index of GRE tunnel.
But since GRE tunnel can work on v4 endpoints and have v6 payload, we need to reset it.
In case we get IPv6 packet inside IPv4 GRE tunnel (or vice-versa) fib index can be (and usually is) invalid.
2) Check that ip-table and ip6-table are the same when setting interface as an unnumbered one.
Also, fix for the pipe test include setting the right unnumbered interface for the pipes
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Id13d239cfdd21e0db6b1c9725f01c40d4af4d800
|
|
Verify that headers are not truncated and that checksums are valid.
Correct checksum computation in translation code.
Type: fix
Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|