When the NIC does not support mac filter, we rely on ethernet-input
node to do the destination mac check, ie, when the interface is in L3,
the mac address for the packet must be the mac address of the
interface where the packet arrives. This works fine in ethernet-input
node when all packets in the frame might have different interfaces, ie,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is not set in the frame. However,
when all packets are having the same interface,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is set, ethernet-input node goes
through the optimized routine eth_input_single_int -> eth_input_process_frame.
That is where dmac check has a bug when all packets in the frame are
either, ip4, ip6, or mpls without vlan tags. Because without vlan tags,
the code handles all packets in fast path and ignores dmac check.
With vlan tags, the code goes to slow path where dmac check is handled
properly.
The fix is to check if we have a bad dmac in the fast path and force the
code to go to slow path which will handle dmac check properly.
Also do a wholesale correction on all the testcases which do not use
the proper dmac when sending L3 packets.
Type: fix
Change-Id: I73153a805cecdc24c4eefcc781676de04737ae2c
Signed-off-by: Steven Luong <sluong@cisco.com>
This reverts commit 71c32a8989.
Type: fix
Reason for revert: vnet pinning is not considered in this patch.
This causes keywords 'workers' and 'skip-cores' to be broken,
as well as keyword 'main-core auto' introduced in this patch.
If this patch is ever reconsidered, it must account for vnet
pinning fix in commit https://gerrit.fd.io/r/c/vpp/+/40711.
Change-Id: I1f3154a6c7e830b100f824375aa00e95b192f7f3
Signed-off-by: hsandid <halsandi@cisco.com>
After adding a path to the default route, the prefix still be there
in the table as it is a mandatory prefix. However, the registry hence
fail to remove the route from VPP.
Type: fix
Change-Id: Ic4ad72455ac7a1a2f1d8baba59a7a3afe1610726
Signed-off-by: Maxime Peim <mpeim@cisco.com>
In case of multiple path within tunnel, mpls lookup node
computes lb hash with mpls_compute_flow_hash config value 0,
so only mpls label and l4 ports gets accounted, not 5-tuple.
This leads to flow traffic polarization and disbalance over
mpls paths.
Use mpls hash config from lb instead, usually it'll be
MPLS_FLOw_HASH_DEFAULT with 5-tuple plus flowlabel.
As optimization, fix flow hash reuse from the previous lookup
node if present, like ip_lookup does. Previously mpls lookup
always calcs the hash.
Test lb distribution for both cases.
Also, use the same flow hash hex format in ip4/ip6 and mpls
traces for easier reading, most code changes is due fixstyle
formatting.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ib89e1ab3edec14269866fe825a3e887d6c817b7c
On unnumbered interfaces, ARP fails because there is no attached route.
Allow replies to peer-to-peer addresses on unnumbered interfaces:
eg. 192.0.2.1/32 <-> 192.0.2.2/32
Type: fix
Change-Id: Ibeb8d8ebc8d58d5bfb0724739a17694e0217356e
Signed-off-by: Pim van Pelt <pim@ipng.nl>
In run_in_venv_with_cleanup.sh, sed was changed to gsed to allow the
script to run properly on FreeBSD because the sed script uses an
expression that is specific to the gnu sed. Gnu sed is available to
be invoked as gsed on FreeBSD systems, but there is no executable or
symlink which allows sed to be run by the name gsed on ubuntu 22.04.
Check for the existence of gsed. If it's found, use it. Otherwise, just
use sed.
Type: fix
Fixes: b3c863eae4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I487197e486f500711aa3e87ec7ba899a53606b40
l2 tunnels like vxlan, gtpu, geneva use vnet_l2_compute_flow_hash() to
compute flow hash for udp src port entropy. In case of inner mpls tunnels
to the same lsr ethernet src and dst macs are the same, so l2 flow hash
is also the same leading to no src port entropy and the only rss queue
overflow on receiver side.
Fix it for all the possible vnet_l2_compute_flow_hash callers by making
mpls playload hash in additon to ip4/ip6. Visible performance impact is
not expected as it's only one check for mpls ethertype for common cases.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I69153d42fb3d7c094a670c674fac8d14039c626a
Type: feature
Auto core pinning now fetches vpp cpu affinity list
using pthread api. This enables us to do core-pinning in
environments where the host cpu list does not necessarily align
with cpus available to vpp
Change-Id: Ife8c2a2351c08c5c6c4fdf7c729eeff2697bc39a
Signed-off-by: hsandid <halsandi@cisco.com>
FreeBSD doesn't have an easy mechanism to discover CPU features
currently. For tests declare we don't support anything we are asked
about.
Add the FreeBSD spelling of amd64 while we are here.
Type: improvement
Change-Id: I3eb5db856ee5cbc71250e47eee619e2f620de33a
Signed-off-by: Tom Jones <thj@freebsd.org>
For portability we use errno defines rather than explicit int values
when checking for errors.
Type: improvement
Change-Id: Ib5fc1db357da150d008d5a11bef5dbc7ec354cfb
Signed-off-by: Tom Jones <thj@freebsd.org>
The offload should be handled by gso node or by the NIC
if the latter has the relevant capabilities. But ip midchain
is missing the support for buffer offload metadata in case
of GSO packet.
This patch adds the relevant support to add the buffer metadata
if the packet is GSO/IPIP to be handled accordingly.
Type: improvement
Change-Id: I17f5d71bf4c5f43a85ca3f2fbebfa1426b42ef69
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Using unittest skip instead of print unclutters display by not printing
skip messages when not applicable, e.g. when somebody runs tests which
are unrelated to netns tests, e.g. with FILTER=vapi.
Type: fix
Fixes: e416893a59
Change-Id: Ie09e213249aa47da7e4ff484c3d072fbce3c2001
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
IPFIX buffers are stored on a per worker thread basis. Currently, the
flush callbacks will flush only buffers stored for the main thread. And
buffers for worker threads will not be sent until their size reach the
path MTU configured for the exporter. So if traffic is constant, the
problem will unlikely to be visible. Buffers will be sent once they
reach the maximum size. However, if traffic stops at some point and
flush is triggered in order to make the plugin send all currently
buffered data, this will not happen. And collectors will not receive
that data. The plugin will keep the remaining data until traffic starts
again, the buffers reach the maximum size, and be sent.
With this fix, flush buffers for worker threads and for the main thread
when the flush callbacks are triggered.
This will allow to remove @tag_fixme_vpp_workers from the unit tests
that don't set timers. The tests that set timers will still be failing
for other multi-worker related problems.
Type: fix
Change-Id: I9a7d9cef8ddbec7ee68c79309e48e7bc0953d488
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
BPF filter w/o optimization can take x2 - x3 more instructions,
causing significant slow down in fast path.
Enable pcap optimization by default via cli and introduce api v2
with pcap optimization control, keep v1 for a while as it exists
in previous release already.
Intriduce bpf filter cli dump, similar to tcpdump -d.
Also fix memleak, function name typo, cli pcap format hint and
add related tests.
Type: improvement
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I92b2b519e92326f1b8e1a4dda6a3e3edc52f87ad
Fix crash while adding intf-rx ip4 and ip6 routes via api due
invalid exporting of interface rx routes as attached.
Also, add missed route path via rx-ip6 cli support.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I15711c8c0787398dd7e3baa4787019bb1f317666
In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).
The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.
This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.
Check whether each packet should be dropped instead of only checking
when a new SA is encountered.
Update unit tests:
- Add a test for no algs on tunnel interface which enables
asynchronous crypto.
- Send more than one packet in the tests for no algs.
Type: fix
Fixes: dac9e566cd
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf
Split virtual interface tests in VPP into smaller and modular
tests for testing various interface types and features.
Type: test
Change-Id: Ic38af88379f75eee3090679d411edbdc8fd5d2e5
Signed-off-by: Naveen Joy <najoy@cisco.com>
RFC 7296 describes the way to rekey IKE SAs: to rekey an IKE SA,
establish a new equivalent IKE SA with the peer to whom the old
IKE SA is shared using a CREATE_CHILD_SA within the existing IKE
SA. An IKE SA so created inherits all of the original IKE SA's
Child SAs, and the new IKE SA is used for all control messages
needed to maintain those Child SAs.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icdf43b67c38bf183913a28a08a85236ba16343af
the error node is set to ip6_input in the inline funcition
associated with ip6_rewrite. Thus, error counters defined
for node ip6 rewrite are never used.
Type: fix
Change-Id: Id6bef633928b0fff9069498c2e39e9f5bea2cf9b
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
VPP requires GNU Make to build, on GNU systems (such as Debian), GNU
Make is installed as 'make', typically with a symlink from 'gmake'.
On other systems (such as FreeBSD), 'make' is a BSD Make derriviative
and GNU Make is installed a 'gmake'.
Use $(MAKE) variable for make calls from within Makefiles. This
variable is set to the path of the calling make program, i.e.,
/usr/local/bin/gmake on a bsd system.
This is the recommended way to call make from Makefiles in the GNU Make
documentation.
Type: improvement
Change-Id: Id9162a34a0f8358f22090718087918dae31c0fce
Signed-off-by: Tom Jones <thj@freebsd.org>
VPP requires bash for all shell scripts. Align shebang lines in build
and test scripts to look up the location of bash rather than hard coding
'/bin/bash'.
Look up the location of bash for makefiles.
Type: improvement
Change-Id: I23b705d81d60389fa8af61c680cf0abd74f0ea24
Signed-off-by: Tom Jones <thj@freebsd.org>
When sanity test is not done, API files are not loaded until the
first test case is run. Hence, it is not possible to use enums, etc.
outside of a test class.
By preloading API files before running any tests, it prevents its
issue.
Type: fix
Change-Id: I8730150374e6c5f8d6933ec037811372ac2a8da0
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Add an urpf_interface_dump() API call, with optional sw_if_index.
If either a mode or a table is specified in any given interface
address family and direction, return it in a list, otherwise omit
it.
TESTED:
create loopback interface instance 0
create loopback interface instance 1
create loopback interface instance 2
create loopback interface instance 3
ip6 table add 8298
set urpf ip4 rx loose loop1
set urpf ip6 tx off loop2 table 8298
API call urpf_interface_dump(sw_if_index=~1) returns:
[
urpf_interface_details(_0=658, context=2, sw_if_index=2, is_rx=True, mode=<vl_api_urpf_mode_t.URPF_API_MODE_LOOSE: 1>, af=<vl_api_address_family_t.ADDRESS_IP4: 0>, table_id=0),
urpf_interface_details(_0=658, context=2, sw_if_index=3, is_rx=False, mode=<vl_api_urpf_mode_t.URPF_API_MODE_OFF: 0>, af=<vl_api_address_family_t.ADDRESS_IP6: 1>, table_id=8298)
]
Type: improvement
Change-Id: I1ded5c445dc07dab73ea41b817b5827b72ca79d4
Signed-off-by: pim@ipng.nl
This merge request adds the feature to manipulate localsids and policies for SRv6 mobile via API.
Type: feature
Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
Change-Id: Ibb46bf71ae1d9d4591ce2c8ccf66f520887dad70
Type: fix
Fetch 'pg-input' node index instead
of using a hardcoded value
Change-Id: I1ca27ddb54806530b546085d83e83b880acc4573
Signed-off-by: hsandid <halsandi@cisco.com>
Pass a correct form of node variant config in tests
Type: fix
Signed-off-by: d-valter@yandex-team.ru
Change-Id: I8cdc240b18a1664e57a5814d6cd644891c99f515
Fixes: 8800f732f8
Currently, when IPFIX records generation is enabled for an interface in
the TX direction, some rewritten traffic is being sent from that
interface, and the Ethernet header's location has changed due to
rewriting, generated TX flows will contain fields with wrong and zero
values. For example, that can be observed when traffic is rewritten from
a subinterface to a hardware interface (i.e. when tags are removed). A
TX flow generated in this case will have wrong L2 fields because of an
incorrectly located Ethernet header. And zero L3/L4 fields because the
Ethernet type will match neither IP4 nor IP6.
The same code is executed to generate flows for both input and output
features. And the same mechanism is applied to identify the Ethernet
header in the buffer's data. However, such general code usually works
with the buffer's data conditionally based on the direction. For most
input features, the buffer's current_data will likely point to the IP
header. For most output features, the buffer's current_data will likely
point to the Ethernet header.
With this fix:
- Keep relying on ethernet_buffer_get_header() to locate the Ethernet
header for input features. And start using vlib_buffer_get_current()
to locate the Ethernet header for output features. The function will
account for the Ethernet header's position change in the buffer's
data if there is rewriting.
- After fixing Ethernet header determination in the buffer's data,
L3/L4 fields will contain non-zero but still incorrect data. That is
because IP header determination needs to be fixed too. It currently
relies on the fact that the Ethernet header is always located at the
beginning of the buffer's data and that l2_hdr_sz can be used as an
IP header offset. However, this may not be the case after rewriting.
So start calculating the actual offset of the IP header in the
buffer's data.
- Add a unit test to cover the case.
Type: fix
Change-Id: Icf3f9e6518912d06dff0d5aa48e103b3dc94edb7
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
- test_http_static.py: If namespace creation fails, try to delete the namespace and create it again
- vpp_qemu_utils.py: Added "isinstance()" to "delete_namespace()" to match "create_namespace()"
Type: test
Change-Id: I88ff7a36f5d52816fee16283efba6af025496491
Signed-off-by: adrianvillin <avillin@cisco.com>
