Commit Graph

12611 Commits

Author SHA1 Message Date
9cb3e15c9f vpp-swan: fix segmentation fault in arp function
This patch adds a missing file descriptor free handler to prevent
invalid dereferencing in the future

Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: Idc809a70b1fedec9a06446344d5481d467c78c19
2023-02-27 13:40:05 +00:00
a10437fccc wireguard: fix potential leaks of async frame
The current implementation can cause memory leaks of async frames
and exhaust the async frames pool. Wireguard can acquire an async frame
early, even when it later turns out not to be needed. Such a frame then
won't be freed.

This fix changes the moment of acquiring async frame from the pool, so
it doesn't leak.

Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: If7696de6a6f5db84e0dffef60caa31d4a5e6280e
2023-02-27 13:33:21 +00:00
5035bf0413 tcp: fix error counters
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I9f4944f77ecf94f16f809392f28466e33f7f779d
2023-02-25 01:28:18 +00:00
a2d5262afb hs-test: store logs
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I50ad5d8c2e5066d8d24f7959aeb534a2f0a6fae0
2023-02-24 18:56:56 +01:00
ad406077af hs-test: modify nginx tests
This will make the name of the test unique so that executing specifically
this test won't also execute other tests starting with the same name.

Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I8013aa453c2a1c3c156e6476a93fd58bbb850b93
2023-02-24 17:17:09 +00:00
671cf51d6d hs-test: improve test infra
- add support for building/running debug/release images
- have one point of control (Makefile)
- list all test cases

Type: test

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I97949abc2fff85d7a2b3784122be159aeec72b52
2023-02-24 14:38:15 +01:00
182d2b466d srtp: fix build on ubuntu-22.04
- The version of libsrtp2 (2.4.2) on ubuntu-22.04 changed
  the 'ekt' field in srtp_policy_t to 'deprecated_ekt'.

Type: fix

Change-Id: Icb9d8f3b56c8305bcdac5066a5f8e3e5d17d37cf
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-02-23 20:37:17 +00:00
67dbc4aa80 hs-test: fix install/build on new ubuntu instance
Type: test

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I9c59d98d16e387925057626ba9080210f4334c53
2023-02-22 16:12:37 -05:00
300f70d3a3 hs-test: clean-up ip address generation
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I74c505920d1363d0ff2b3213fd831c181b70a173
2023-02-21 18:40:49 +00:00
7c06b5790d session: track app session closes
Make sure applications, especially builtin ones, cannot close a session
multiple times.

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I960a1ae89a48eb359e7e1873a59d47c298c37ef1
2023-02-20 18:17:52 -08:00
eff5f7aea8 vcl: ldp support for ip_pktinfo
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3c15f38a4a3f5e92506059277948e7fca9cd8b55
2023-02-20 18:50:52 +00:00
7c7231fc30 vcl: fix incorrect ldp worker in ldp_epoll_pwait()
For some apps (e.g. wrk2) upon the vpp hoststack, ldp_epoll_pwait()
is called. In this function, the epoll fd was created on one thread,
but it is now used on another thread. The vcl worker index is still
invalid, so the fetched ldp worker is also invalid and can corrupt
some already allocated memory.

Just as in ldp_epoll_pwait_eventfd(), make sure the vcl worker is valid
before getting the ldp worker in ldp_epoll_pwait().

Type: fix

Signed-off-by: Liangxing Wang <liangxing.wang@arm.com>
Change-Id: I2ec23a4b5d5b0879a06642ffd80f95e948af4274
2023-02-16 17:49:43 +00:00
2ddb2fdaaf hs-test: check for missing output in nginx tests
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I08cd492fff4b9d50a1761a29c2b231cc8544313b
2023-02-16 16:26:42 +00:00
edd28a4102 wireguard: move buffer when insufficient pre_data left
Currently wg-output-tun() doesn't check if a buffer has enough space for
prepending an ethernet header (wg header over ipv6 vxlan header case
leaves only 8 bytes free).

In such a case, move the buffer's content.

Type: fix

Change-Id: Iad18860e6b86a3d81f3d96d782de7c59556152d0
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
2023-02-16 15:01:07 +00:00
5b704f4fa1 session: ignore zero length dgrams
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I70596ffcf90fa4cd57092584cb7a454f44208943
2023-02-16 01:51:55 +00:00
7d7ab1008a hs-test: clean-up obsolete code
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I52cd825f903e41c35f6c4a9db71f00dbedbb8680
2023-02-14 12:56:49 +01:00
590a82c237 build: add missing dependences for centos 8
VPP build failed on CentOS Stream 8 when building xdp-tool
and the dpdk mlx driver. Add the missing tools, libraries and headers.

Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: Ie705dc8f558ceb872029f9ab4f1351b514c87405
2023-02-14 01:32:02 +00:00
71d02aa631 tests: support tmp-dir on different filesystem
Support running tests with `--tmp-dir` on a filesystem different from /tmp.
os.rename works only within a single FS, whereas shutil.move works across
different filesystems.

Type: improvement
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I5371f5d75386bd2b82a75b3e6c1f2c850bc62356
2023-02-14 01:26:01 +00:00
8de66c090e vpp-swan: removed adding the same rule in SPD
The current implementation of the vpp-swan plugin adds the same policy rule
in SPD twice, and it is not necessary to have two of the same rules in the
inbound-protect database.

This patch fixes an issue that prevents the addition of a second
identical policy rule in SPD.

Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: Ieef74288e5301455658e4e101433147d6d2482e9
2023-02-14 01:20:34 +00:00
844a0e8b07 rdma: always use 64 byte CQEs for MLX5
When DPDK MLX PMDs are built, and the DPDK plugin is loaded, DPDK may
set the MLX5_CQE_SIZE environment variable to 128. This causes the RDMA
plugin to be unable to create completion queues. Since the RDMA plugin
expects the CQEs to be 64 bytes, set the cqe_size explicitly when
creating the CQ. This avoids any issues with different values for the
MLX5_CQE_SIZE environment variable.

Type: improvement
Signed-off-by: Nathan Brown <nathan.brown@arm.com>
Change-Id: Idfd078d3045a4dcb674325ef36f85a89df6fbebc
2023-02-13 15:36:28 +00:00
1d998b7c27 misc: VPP 22.10.1 Release Notes
Type: docs
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I70374ea376c895d92d5789debf4b437113e3d884
(cherry picked from commit 57302fe52f)
2023-02-11 00:24:30 +00:00
f5256d4dd0 misc: VPP 22.06.1 Release Notes
Type: docs
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I8770a35c801126ffd2de8f58d79e6616642709a9
(cherry picked from commit 1513b381d8)
2023-02-10 14:26:03 -05:00
c4c205b091 sr: support define src ipv6 per encap policy
Can define the src ip of the outer IPv6 Hdr for each encap policy.
Along with that, I decided to develop it as API version V2.
This is useful in the SRv6 MUP case.
For example, it will be possible to handle multiple UPF destinations.

Type: feature
Change-Id: I44ff7b54e8868619069621ab53e194e2c7a17435
Signed-off-by: Takeru Hayasaka <hayatake396@gmail.com>
2023-02-10 16:17:27 +00:00
7550dd268f hs-test: refactor test cases from no-topo suite
This converts the remaining tests to configuration of VPP from test context.

Type: test
Change-Id: I386714f6b290e03d1757c2a033a25fae0340f5d6
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
2023-02-10 05:23:32 +00:00
2908f8cf07 hs-test: refactor test cases from ns suite
This converts more tests to configure VPP from test context.

Type: test
Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech>
Change-Id: Idf26b0c16f87e87c97b198412af39b99d947ced6
2023-02-10 05:23:19 +00:00
0a192ea93d tests: use existing pip compiled req file for building the run.py venv
A pip compiled requirements file named requirements-3.txt exists in the
test directory. No need to auto-generate it again.

Type: improvement

Change-Id: Ib2b51c983af8d0e4b000e4544012b6cd94405519
Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-10 02:15:26 +00:00
25b6e44424 tests: use iperf3 for running interface tests on the host
Type: improvement

Change-Id: I7123591932d51ce0c5b372893454945bbd3913b2
Signed-off-by: Naveen Joy <najoy@cisco.com>
2023-02-10 02:14:44 +00:00
ffa3f60290 hs-test: configure VPP from test context
Instead of configuring VPP instances running inside of a container,
now the configuration is going to be done from within the test context
by using binary API and shared volume that exposes api socket.

This converts just some of the test cases, rest is to follow.

Type: test
Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech>
Change-Id: I87e4ab15de488f0eebb01ff514596265fc2a787f
2023-02-09 17:02:43 +00:00
7a6532bb9f session: accept lcl ip updates on cl sessions
Allow apps/vcl to provide updated local ips for dgrams. In particular,
allow sessions bound to 0/0 to send data with valid local ips.

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I50a086b1c252731a32a15b6a181ad3dba0c687e0
2023-02-08 21:32:34 -08:00
9db6db065a build: allow skipping external-deps
Change-Id: I0e5090ec6978af0dc4baecc7654918cf40663f42
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: feature
2023-02-08 10:13:51 +00:00
11d9d02459 avf dpdk: fix incorrect handling of IPv6 src address in flow
In the current flow creating process in native avf and dpdk plugins, when
parsing the input arguments, it does not copy the IPv6 src address correctly,
so the IPv6 src address will not be configured in any flow rule, and
any packet with the same address will not be matched.

Type: fix

Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Ic957c57e3e1488b74e6281f4ed1df7fd491af35c
2023-02-08 10:10:28 +00:00
25ab42e33b avf: fix incorrect flag for flow director
When parsing the flow action type in avf, there is an incorrect flag for
flow director, which makes a flow director rule get created unexpectedly.

Type: fix
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Id9fed5db8ccacd5cc6c2f4833183364d763188c1
2023-02-08 10:09:37 +00:00
26d841870f avf: fix checksum offload configuration
Fix some configurations of avf checksum offload to get the correct
udp and tcp checksum. Change Tx checksum offload capability since
avf supports ipv4, tcp and udp offload all. Remove the operation to
swap bit of checksum.

Type: fix

Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: I55a916cc9ee6bef5b2074b5b6bb5f517fc2c178d
2023-02-08 10:09:04 +00:00
dc95634a23 avf: fix bit calculation function fls_u32
In avf the function fls_u32 is used to calculate the power of 2.
Fix the expression of this function.

Type: fix

Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: I27160de8588a5efb3f24306597a5a240deb3ab74
2023-02-08 10:08:16 +00:00
3b28fd7306 ip6-nd: support dump/details for IPv6 RA
Type: improvement

With this change, add support for dumping IPv6 Router Advertisements
details on a per-interface basis (or all). Also, cover that with a test.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I89fa93439d33cc36252377f27187b18b3d30a1d4
2023-02-08 03:20:32 +00:00
02dfd29634 ipsec: fix AES CBC IV generation (CVE-2022-46397)
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs as is done by the ipsecmb and native backends for
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-08 01:06:39 +00:00
aaad4f977c vcl: drop lock on segment attach failure
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3bc2c7986f492b7b7dfbc84e4893202354223790
2023-02-07 18:19:51 +00:00
f1a232fd86 vcl: add ldp implementation for recvmmsg
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7322abc3d3b0aa81399667bf02b03786fc62c958
2023-02-07 18:06:44 +00:00
3684794336 vcl: better handling of ldp apis that rely on gnu source
Control use of apis that rely on _GNU_SOURCE being defined with compile
time macro.

Also fixes sendmmsg and recvmmsg, which were not properly wrapped.

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I207de23210d4b9dc960bb4289159502760c5614d
2023-02-07 18:06:44 +00:00
656a550f1f packetforge: fix lack of edge for ipv6 after gtppsc
Add one new edge for ipv6 after gtppsc so that packetforge can parse
this protocol combination.

Type: fix
Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: I1bae1ec617c4867de2e0b3de27eda77b89e5580c
2023-02-07 15:15:07 +00:00
8df3de4882 hs-test: add nginx perf tests
Type: test

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ic609cf70c1d381afa78f393700359434c8bd0452
2023-02-06 22:29:28 +00:00
085757bb49 vppinfra: refactor clib_socket_init, add linux netns support
Type: improvement
Change-Id: Ida2d044bccf0bc8914b4fe7d383f827400fa6a52
Signed-off-by: Damjan Marion <dmarion@me.com>
2023-02-06 10:17:40 +00:00
0df06b6e95 ipsec: fix SA names consistency in tests
In some IPsec tests, the SA called scapy_sa designates the SA that
encrypts Scapy packets and decrypts them in VPP, and the one
called vpp_sa the SA that encrypts VPP packets and decrypts them
with Scapy. However, this pattern is not consistent across all
tests. Some tests use the opposite logic. Others even mix both,
correlating scapy_tra_spi with vpp_tra_sa_id and vice-versa.

Because of that, sometimes, the SA called vpp_sa_in is used as an
outbound SA and vpp_sa_out as an inbound one.

This patch forces all the tests to follow the following logic:
- scapy_sa is the SA used to encrypt Scapy packets and decrypt
them in VPP. It matches the VPP inbound SA.
- vpp_sa is the SA used to encrypt VPP packets and decrypt them in
Scapy. It matches the VPP outbound SA.

Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: Iadccdccbf98e834add13b5f4ad87af57e2ea3c2a
2023-02-06 03:49:14 +00:00
ab412cdc07 ipsec: fix async crypto linked keys memory leak
Type: fix

Change-Id: I7bd2696541c8b3824837e187de096fdde19b2c44
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-06 03:35:48 +00:00
af2e88d964 session: fix out of bounds event memcpy
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5300653edd2dad470985f4591959d00cad2a43b
2023-02-03 20:11:51 +00:00
6b97c43005 nat: fix accidental o2i deletion/reuse
The NAT session is allocated before the port allocation. During port allocation,
the candidate address+port are set to the o2i 6-tuple and tested against the flow hash.
If insertion fails, the port is busy and rejected. When all N attempts are
unsuccessful, an "out-of-ports" error is recorded and the session is to be
deleted.

During session deletion, the o2i and i2o tuples are deleted from the flow hash.
In the "out-of-ports" case the i2o tuple is not valid, however o2i is, and it refers
to **some other** session that's known to be allocated.

By backing the match tuple up, the session should be invalidated well enough not to
collide with any valid one.

Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Id30be6f26ecce7a5a63135fb971bb65ce318af82
2023-02-03 14:31:54 +00:00
fc2d95d115 vpp-swan: allow SAs to be used to the route-based IPsec
This patch adds a "charon.plugins.kernel-vpp.use_tunnel_mode_sa"
key into strongswan.conf.  If this is turned off, SAs will be
installed without tunnel information and can be used to
"ipsec tunnel protect".  For the route-based IPsec, it will be
used with turning "policies" off in swanctl.conf.

Type: feature

Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I58fb94bfe56627fa7002d9b95c48930a32993d2d
2023-02-03 14:24:51 +00:00
a4f994f31e vppapigen: fix incorrect comments in json
Type: fix

Signed-off-by: Ondrej Fabry <ofabry@cisco.com>
Change-Id: I241cefbbce98cf6fef83f36bd87ae2c1f4b067f0
2023-02-03 13:29:35 +01:00
905ec87977 tls: openssl: fix SSL_read partial read scenario
When the application performs SSL_read from the app rx-fifo, it can
pre-allocate multiple segments, but there is an issue if OpenSSL
manages to only partially fill in the first segment. In this case, since
data is assumed to be copied over by OpenSSL to the pre-allocated
segment(s), vpp uses the svm_fifo_enqueue_nocopy API, which performs
zero copy by passing the pre-allocated segment to SSL_read.

If the decrypted data size is smaller than the pre-allocated fifo
segment buffer size, the application will fetch buffers including zeros
in the area not filled in by SSL_read.

Type: fix

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38
2023-02-02 18:36:29 +00:00
9b02f72fed linux-cp: fix auto-sub-int
lcp_itf_pair_pool could grow during sub-interface creation.

Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: Ideafe392f9bb2b418ce9d6faa4f08dfe26f4a273
2023-02-02 16:43:33 +00:00