Type: fix
The l2unfragmentable size is not included in the calculation of 'max', the maximum amount of data that can be added to a fragment, therefore the fragments created are too big.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id1e949ad98203b6f8ea2f55322ef6fa3d507e2a6
Deadly combination is clib_{set,long}jmp + lazy linking + tail call compiler
optimization. On the first call to clib_setjmp, dynamic linker executes loader
code which then calls clib_setjmp, so stored stack position contains dynamic
loader data. Tail call optimization simply jumps back to the calling
code when clib_longjump is called and that results in wrong return
address used from the stack.
Change-Id: Ia7d8dbd5b2c425cdd0449374aa07ab6b684a330e
Type: fix
Signed-off-by: Damjan Marion <damarion@cisco.com>
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
While setting an ACL, a user can specify the adjacency to follow after
the input ACL node. Thus, we may skip a lookup and enter directly a
local node (ex: ip4_local). To prevent the local source check from
failing, we need to specify the fib index. And, we have to do it just
before exiting the input ACL node because the l2_classify object
is overlapping with the fib_index in the vnet_buffer_opaque_t struct.
We could have added a padding to avoid this overlap but there is no
place for that in the structure.
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
Type: feature
This patch bumps ipsecmb library version from 1.1 to 1.2
Signed-off-by: Marcel Cornu <marcel.d.cornu@intel.com>
Change-Id: I181e43c711fe530296c037d59b53fe3c5f2719ea
Type: improvement
Currently, when an interface is brought down administratively, IPv4
routes that resolve through that interface remain in the FIB. However,
the kernel removes those routes but doesn't send any notifications about
that. Desynchronization between the kernel and VPP happens.
With this change, when a notification received from the kernel
indicating that an interface was brought down, in addition to bringing
the VPP interface down, walk the IPv4 FIB bound to that interface and
remove any entries that resolve through that interface and were added
with one of the linux-cp FIB sources.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I0cd14bb63c9e6616ae1c5739b17c3bf33b186bc2
Type: fix
- IPv6 fragmentation did not work if the packet spaneed multiple buffers, because the 'len' calculation to did max out at the size of a buffer
- IPv6 fragmentation did not work when the l2unfragmentable size was non-zero, it was not used in the correct places
- IPv6oMPLS fragmentation would fragment all IPv6, it should do so only for link local
- IPv6oMPLS should send back TooBig ICMP6 for non locally generated
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie8f02cdfdd7b7e8474e62b6d0acda8f20c371184
Type: fix
Primarily fix an issue reported by Coverity in
lcp_nl_open_sync_socket() that close() could possibly be run with
negative fd. Also, add more checks and error logging there.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I9a88520d068392977a6eba0766451e5652fe512c
Type: improvement
Currently, read event signal is sent on every notification message
received and added in the queue.
With this change, signal read event only when all currently available
notification messages are received.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib86d189311ce01f50167e4e97feb99df0292ad96
Type: improvement
Currently, while reading notifications, ENOBUFS error is ignored and
reading continues. This was done to minimize the number of notifications
that are lost due to reopening the socket.
Now that synchronization is implemented to recover from socket errors,
ignoring ENOBUFS and reading as much notifications as possible is not
actual. Before synchronization, all currently enqueued notification are
discarded in any case.
With this change, stop reading notifications if any error occurs.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I1184d9a3aa99df63ef59bc2a67be2b1e5e0e9329
- make sure we do not overflow
- skip unknown messages if we can
Type: fix
Change-Id: I0efbe7376d9d78f6b0ec8018c0813400e6653698
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Type: fix
if original packet was to the link local, then the
fib index in the buffer is that of the LL table, we can't use that
to foward the response if the new destination
is global, so reset to the fib index of the link.
In other case, the fib index we need has been written
to the buffer already.
Add a test for IPv6 ping in an MPLS-VPN where int inout interface is
not the the same VRF as the response should be sent.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I18a232d90ddd3ef051a52476c5d861c87060e76f
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages.
The rate limiting is done based on src,dst IP address of the received packet.
the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
Type: improvement
When dump of neighbors is requested, the replies will also include
neighbor entries for IPv6 multicast addresses:
GigabitEthernet0/8/0 S ff02::16 33:33:00:00:00:16
GigabitEthernet0/8/0 S ff02::1:ff76:7135 33:33:ff:76:71:35
GigabitEthernet0/8/0 S ff02::2 33:33:00:00:00:02
Such entries are not reported in netlink notification messages and
VPP is unlikely to use these.
With this change, ignore neighbor entries when the IP address is a
multicast address.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ic712aa4904f1d559f31fd89ff4541268e2340f84
Type: fix
This patch removes the assert and it is unnecessary.
Because given variable is used for branch testing.
Change-Id: I64f57f909fcba205216296e86c1cde2a5dadbb45
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Add the possibility to create masks and matches without l2 header in the
CLI when creating tables and entries. This is useful for tables working
on l3 and l4 only.
Type: improvement
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: I7da9e47d810c0b4a0938e2cb3bc31aa69ace3649
Type: fix
the MTU needs to be adjusted to account for the label stack, since the size of fragments produced is stack+mtu.
these changes are to the use of the stack variable 'mtu'
most of the patch results from appeasing checkstyle.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8d0e10cf52ca4dd8ecdc224ed6c54a13e4768fdd
Use system wall-clock time for packets timestamps instead of the time
since VPP started for pcap traces.
Type: improvement
Change-Id: I716165912efe8db3a8861d5c10597dc7629d2293
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Type: improvement
During synchronization, only the current actual set of entries is
loaded. If some entries are no longer present in the set being loaded
but present in VPP, they should be removed to fully syncronize.
With this change, add handlers for sync begin and end events. Begin
handlers will mark the entries as stale. End handlers will remove the
entries that are still marked as stale.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I4f7e872af3e1c9ffa6c63bcc3984ec76def1bb43
An updated ipsec script was identical to the existing ipsec_tun_protect script.
Remove the ipsec vnet script, and rename the ipsec_tun_protect to become the
default ipsec vnet script.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: Ie05ca3e089b67a5b9499d83d4cb2adf1b6c6ffba
Type: improvement
Currently, if an error happens on the netlink notification socket, the
socket gets reopened. A portion of notification messages have been lost
because of this and will never arrive on the socket. VPP will be out of
sync with the kernel networking state.
With this change, synchronize VPP state and the kernel networking state
if there was an error polling or reading the notification socket.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I8cdff89b505cd227535a0acaadb6ee757204c45e
Type: refactor
check for pool expansion in the DPO allocation, just in case.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6ba7dd66313630d3f24a51700ab4486ba43d856b
Type: improvement
For some message types, timestamps are checked on netlink message to
decide whether the message should be applied. For notification messages
timestamps are expected to be always available.
With this change, before accessing the timestamp, make sure the message
info object that carries it is not null. If it is null, pass the check.
This is to be ready to process dump replies that will not need the
timestamp check and will have the message info object set to null.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ic7211c0d451d72f6a5248898b3a8f8e0bca8f7aa
Type: fix
Currently, a tap interface created to be a member of a linux-cp pair has
default link state (down) and default link speed (10Mb/s). Then the
plugin monitors the link state of the paired hardware interface and if
it changes, the new link state is reflected on the tap interface. And
when the new link state is "up", the link speed is also reflected on the
tap interface.
The problem is that this scheme implies that the hardware interface's
link state is "down" at the moment of the linux-cp pair creation and
then changes. But there are cases when the link state is already "up" at
that moment. If that is the case, the link speed on the tap interface
will remain the default one until the link comes down and then comes up.
With this fix, when a linux-cp pair is created, reflect current link
state of the hardware interface being paired on the created tap
interface.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I73664d753f4daaa6d439c9ca898fb7363d21c06d
Some possible side effects for multicast routes appears to be in
lcp_router_table_add_or_lock. so ff00/8 route will be processed
for ospf purposes the right way
Ignore IPv6 kernel routes
Skip adding auto routes into FIB
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I35f73d629a7fffca7f7d4547adc2549b72c2048f
Include the user_instance in wireguard interface details.
In addition to dumping all wireguard interface details,
also allow selective dumping of just one interface.
Type: improvement
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Iaf1093c6ae3eb00a685f34b2e0171285b02fae2b
When building a VPP library out of tree using add_vpp_library, the build
sometimes fails because the library API files are not necessarily
generated before compiling this library.
This is fixed by adding the lib API files as dependencies of the
lib compilation.
Type: fix
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
Change-Id: I69dffaecbfd547f10115504494a47358c4624258
- cli_inband is missing from vat2
Type: improvement
Change-Id: I1f22dee3ee29f3cf0f1f7c6076d5f2b2b2bf969d
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
- A call to vapi_msg_control_ping_hton() is generated in
a static inline function in vlib.api.vapi.h, which is
defined/generated in memclnt.api.vapi.h without
including memclnt.api.vapi.h in vlib.api.vapi.h.
This breaks the compilation of plugins which include
only vlib.api.vapi.h (e.g. hicn_plugin from the HICN
project).
Type: fix
Fixes: a1400cecb
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I5574f4ed496183ea93265f493bf3624254a865a2
The app keeps on using the default app ns but each listen will be done
in the vrf configured.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0947e03188d55231b299916351115038e0b1f5da
This fixes an issue caused by session layer reading expected part of
data (cert + key) before the client actually sends it.
Type: fix
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I6ddddb08f9576211b302e814d7c2b040383e5fb7
Raise a new UnexpectedPacketErrror, when a packet is captured
unexpectedly. This pretty-prints a terse description of said packet.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Ibac19fc5bbd82a150fec3c90940a37af6344fd4f
