This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows changing the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the beginning a bogus rule
which would deny the L4 traffic.
Also, add a knob which allows potentially turning this behavior off
in case of a dire need (and revert to dropping all non-initial fragments),
via a debug CLI.
Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
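
The matching rule described in the commit message above, as an added example (not code from the commit or from VPP's ACL plugin): a first-match evaluator in which a non-first fragment matches any rule whose protocol matches. The types, the `frag_knob` parameter and the "deny tcp port 0" form of the bogus rule are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; these are not VPP's ACL plugin types. */
typedef struct {
    int permit;                  /* 1 = permit, 0 = deny */
    uint8_t proto;               /* IP protocol number, 0 = any */
    uint16_t dport_lo, dport_hi; /* inclusive destination port range */
} rule_t;

typedef struct {
    uint8_t proto;
    int nonfirst_frag;           /* fragment offset != 0: no L4 header */
    uint16_t dport;              /* valid only when nonfirst_frag == 0 */
} pkt_t;

/* First match wins, implicit deny at the end. frag_knob == 0 models the
 * debug knob: revert to dropping every non-initial fragment. */
int acl_eval(const rule_t *r, int n, const pkt_t *p, int frag_knob) {
    if (p->nonfirst_frag && !frag_knob)
        return 0;
    for (int i = 0; i < n; i++, r++) {
        if (r->proto && r->proto != p->proto)
            continue;
        /* Ports cannot be read from a non-first fragment: the port match succeeds. */
        if (!p->nonfirst_frag && (p->dport < r->dport_lo || p->dport > r->dport_hi))
            continue;
        return r->permit;
    }
    return 0;
}

/* Constructed rulesets and packets (protocol 6 = TCP, 17 = UDP). */
const rule_t permit_only[] = { { 1, 6, 443, 443 } };
const rule_t bogus_first[] = { { 0, 6, 0, 0 }, { 1, 6, 443, 443 } }; /* deny tcp port 0 */
const pkt_t first_443 = { 6, 0, 443 }, first_22 = { 6, 0, 22 };
const pkt_t frag_tcp = { 6, 1, 0 }, frag_udp = { 17, 1, 0 };

int main(void) {
    printf("permit-only: first/443=%d first/22=%d frag/tcp=%d frag/udp=%d\n",
           acl_eval(permit_only, 1, &first_443, 1), acl_eval(permit_only, 1, &first_22, 1),
           acl_eval(permit_only, 1, &frag_tcp, 1), acl_eval(permit_only, 1, &frag_udp, 1));
    printf("bogus deny first: first/443=%d frag/tcp=%d\n",
           acl_eval(bogus_first, 2, &first_443, 1), acl_eval(bogus_first, 2, &frag_tcp, 1));
    printf("knob off: frag/tcp=%d\n", acl_eval(permit_only, 1, &frag_tcp, 0));
    return 0;
}
```

With the permit-only ruleset a non-first TCP fragment is permitted whatever port its flow was addressed to, which is the case the leading deny rule is there to close.
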
epoll was supposed to not sleep when timeout
is less than 1ms, but a typo made it not sleep
any time the requested timeout is lower than
1000 seconds (in practice, never...).
This patch replaces "1e3" with "1e-3", which
represents 1ms.
Change-Id: I731851b27a6bf6ab8e41586e017e94b962b09bf3
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
To line up with "show interface placement," recently added. Otherwise,
"show int" refers only to "show interface placement," which tends to
annoy the cash customers...
Change-Id: Iea9e3681aeb051e2b0e1ecbf06706d98af9a3abf
Signed-off-by: Dave Barach <dave@barachs.net>
(cherry picked from commit 13ad1f0292)
- use the counters in a private struct rather than node error counters
- ensure the timer for the non-idle connections is restarted
- fix the deletion of conn at the current tail of the list
Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
af_packet driver must check that VLIB_BUFFER_NEXT_PRESENT flag is set
when walking vlib_buffer_t next_buffer chain on transmit.
On buffer allocation:
- next_buffer is not and may contain a stale invalid value that
should be ignored if not overwritten by a valid value.
- VLIB_BUFFER_NEXT_PRESENT flag is cleared and only set
if a valid value is written to next_buffer.
Change-Id: Iebf76ce8eea24a0d63c7bf749e672d6a232c80e7
Signed-off-by: Jim Gibson <gibson+fdio@cisco.com>
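
The transmit-side rule from the commit message above, as an added example (not the af_packet driver's code): the chain walk follows `next_buffer` only when `VLIB_BUFFER_NEXT_PRESENT` is set, so a recycled buffer's stale index is never dereferenced. `buf_t`, `pool`, `buf_alloc`, `buf_chain`, `tx_gather`, `demo` and the flag's bit value are assumed names and a simplified layout.

```c
#include <stdint.h>
#include <string.h>

#define VLIB_BUFFER_NEXT_PRESENT (1u << 0) /* name from the commit; bit value assumed */
#define POOL_SIZE 4u

typedef struct {             /* simplified stand-in for vlib_buffer_t; layout assumed */
    uint32_t flags;
    uint32_t next_buffer;    /* pool index, meaningful only when the flag is set */
    uint16_t current_length;
    uint8_t data[64];
} buf_t;
buf_t pool[POOL_SIZE];

/* Allocation per the commit: flag cleared, next_buffer left as it was (stale). */
uint32_t buf_alloc(uint32_t bi, const char *payload) {
    pool[bi].flags &= ~VLIB_BUFFER_NEXT_PRESENT;
    pool[bi].current_length = (uint16_t) strlen(payload);
    memcpy(pool[bi].data, payload, pool[bi].current_length);
    return bi;
}

void buf_chain(uint32_t bi, uint32_t next) {
    pool[bi].next_buffer = next;                 /* write a valid index first */
    pool[bi].flags |= VLIB_BUFFER_NEXT_PRESENT;  /* then mark it as valid */
}

/* Transmit-side walk: gather the chain into out; returns bytes copied or -1. */
int tx_gather(uint32_t bi, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (uint32_t hops = 0; hops < POOL_SIZE; hops++) {
        const buf_t *b = &pool[bi];
        if (n + b->current_length > cap) return -1;
        memcpy(out + n, b->data, b->current_length);
        n += b->current_length;
        if (!(b->flags & VLIB_BUFFER_NEXT_PRESENT)) return (int) n; /* chain ends */
        if ((bi = b->next_buffer) >= POOL_SIZE) return -1;          /* bad index */
    }
    return -1; /* more hops than buffers: the chain loops */
}

/* Constructed scenario: a 2-buffer packet, then buffer 0 recycled for a 1-buffer one. */
int demo(int recycle) {
    uint8_t out[128];
    buf_alloc(1, "world");
    buf_chain(buf_alloc(0, "hello "), 1);
    if (recycle) buf_alloc(0, "ping");  /* next_buffer still holds 1 */
    return tx_gather(0, out, sizeof out);
}

int main(void) { return demo(0) == 11 && demo(1) == 4 ? 0 : 1; }
```
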
- Fixed three coverity issues
- Linked SRv6 docs
- Moved sample plugin to examples folder
- Fixed bug with hash. Now everything is using mhash. Potentially in the future we want to do bihash.
Change-Id: Ie03a13c8fecb1e315e67d0596cbd23220779aaf2
Signed-off-by: Pablo Camarillo <pcamaril@cisco.com>
Allow non-static MACs in the L2FIB which are associated with an
interface or a bridge domain (BD) to be flushed. MAC flushes are
initiated automatically when an interface is removed from a BD
or when a BD is deleted. MAC flush can also be invoked manually
via the following CLI:
    l2fib mac-flush interface <if-name>
    l2fib mac-flush bridge-domain <bd-id>
Change-Id: Ie33243622834810a765f48ebcd22bdb8e8fc87a4
Signed-off-by: John Lo <loj@cisco.com>
env EXTERN_TESTS="/path/to/extra/tests" make test
runs the default test set and the tests collected from
test_*.py files under the subtree specified in EXTERN_TESTS.
Change-Id: I58c5471dd6010730278a5b47d4318737d920bc28
Signed-off-by: Klement Sekera <ksekera@cisco.com>
vhost currently supports only polling mode. This patch is to add
interrupt mode. When the interface is configured for interrupt
mode, our input node does not get called unless there is a packet
in the vring.
If a particular CPU has one interface configured for polling mode
and another in interrupt, the input node is set to polling for
that CPU.
This diff also includes two crashes in vlib's dispatch_node. One is
included in https://gerrit.fd.io/r/#/c/5516. The other crash is in
the ASSERT. The ASSERT can become true when the caller of
dispatch_node is in a loop. The first call converted the node
to polling. The second call thereafter will hit the ASSERT.
Change-Id: If17b6d48b20d7d8605c6a161459828637173cd32
Signed-off-by: Steven <sluong@cisco.com>
System timer of ARMv8 runs at a different frequency than the CPU's.
The frequency is fixed, typically in the range 1-50MHz. It can be
read at CNTFRQ special register.
Change-Id: I6a21a6a9e2df783559df0caec63d5525c2258227
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
With DPDK 17.02, bonded interface device_index does not start
from 0 and may vary depending on the existence of other interfaces.
Implement instance number for bonded interface so the interface
name can make use of instance number starting from 0.
Change-Id: Ia8eb7bd530446faa02ee7c7d1f6abdc22ac60b62
Signed-off-by: John Lo <loj@cisco.com>
In DPDK 17.02 bonded PMD name is changed from rte_bond_pmd
to net_bonding.
Change-Id: I1a57a16b0ae68b5fa56a561a4f75981112228572
Signed-off-by: Alexander Popovsky (apopovsk) <apopovsk@cisco.com>
Drop comes before lookup when enabled. is_first_or_last is not required when setting a feature, the anchor is added in find_config_with_features().
Don't make the PG interfaces automatically L3 enabled, this way we can have tests that check the L3 protocol disabled behaviour.
Change-Id: Icef22a920b27ff9cec6ab2da6b05f05c532cb60f
Signed-off-by: Neale Ranns <nranns@cisco.com>
allow this config to function:
set int ip address loop0 169.254.1.1/32 (the default GW address for attached hosts)
set int unnumbered af_packet0 use loop0 ('enable' IP on the host interface)
ip route add 192.168.1.1/32 via af_packet0 (where to find the host)
repeat for each host and host interface.
Inter-host communication is through the /32 routes.
To allow this:
1 - attached host routes have the ATTACHED flag set, so the ARP code accepts them as legitimate sources
2 - unnumbered interfaces inherit the source address from the IP interface
Change-Id: Ib66c5f0e848c528f79372813adc3a0c11b50717f
Signed-off-by: Neale Ranns <nranns@cisco.com>
dispatch_node may be invoked from vlib main or worker threads. The call to
ELOG_DATA in dispatch_node passes the parameter &vm->elog_main. It works fine
when dispatch_node is invoked from the main thread. It does a bad thing when it
is invoked from the worker thread.
While we are at it, make two additional enhancements to the same area.
1. Use ELOG_TRACK_DATA instead of ELOG_DATA to enhance g2 viewer presentation.
2. Since ELOG_DATA is in the data path, it could get very chatty. Make the call
to ELOG_TRACK_DATA conditional compile.
Change-Id: I80ca0eea10bc1e5d0d5549f9844dd9a34dbb65a2
Signed-off-by: Steven <sluong@cisco.com>
%py2_install is required by vpp-api-python and is not available on
bare CentOS/RHEL install, causing 'fg: no job control' error.
Added 'epel-rpm-macros' to the list of EPEL dependencies
Change-Id: I1e09d7d825d9d8db06e7385d2b8d5579c8ce748b
Signed-off-by: Alexander Popovsky (apopovsk) <apopovsk@cisco.com>
Return an error if the ip6_interface_first_address decides to return NULL.
Change-Id: Iea0184382b8fbe2af81a781c3671687a1fbb5b32
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>