Commit Graph

9 Commits

Author SHA1 Message Date
Andrew Yourtchenko
6295d50b37 acl-plugin: add a plugin-specific control-ping message api and make the test code use it
This fixes the undesirable pause in the dump commands in case there is nothing to dump.

Change-Id: I0554556c9e442038aa2a1ed8c88234f21f7fe9b9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07 13:38:29 +00:00
Andrew Yourtchenko
5dbfbb7110 acl-plugin: make the ACL plugin multicore-capable
Add the logic to be able to use stateful ACLs in a multithreaded setup.

Change-Id: I3b0cfa6ca4ea8f46f61648611c3e97b00c3376b6
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07 13:37:46 +00:00
Andrew Yourtchenko
24beb84040 Clean up old datapath code in ACL plugin.
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-20 08:58:12 +00:00
Andrew Yourtchenko
d1b0564742 acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL (VPP-682)
This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows changing the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the beginning a bogus rule
which would deny the L4 traffic.

Also, add a knob which allows potentially turning this behavior off
in case of a dire need (and revert to dropping all non-initial fragments),
via a debug CLI.

Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 9fc0c26c6b)
2017-04-06 15:30:21 +00:00
Andrew Yourtchenko
ca2cbc9746 acl-plugin: cleaner node bugfixes (VPP-675)
- use the counters in a private struct rather than node error counters
- ensure the timer for the non-idle connections is restarted
- fix the deletion of conn at the current tail of the list

Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 097051a3bd)
2017-03-30 15:37:52 +00:00
Andrew Yourtchenko
d2a59bed1e ACL plugin 1.2
L3 path support, L2+L3 unified processing node, skip IPv6 EH support.

Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-03-21 17:36:24 +00:00
Andrew Yourtchenko
cc40565b6e VPP-651: Ensure sw_if_index to node mapping for L2 output path is only done via l2output_main.next_nodes
Before this commit, several output features that happen to be the
last in the list of features to be executed, send the packets directly
to <interfaceName>-output. To do this, they use l2_output_dispatch,
which builds a list of sw_if_index to next index mappings.

When interfaces are deleted and the new interfaces are created,
these mappings become stale, and cause the packets to be sent to the wrong
interface output nodes.

This patch (thanks John Lo for the brilliant idea!) adds a feature node "output",
whose sole purpose is dispatching the packets to the correct interface output
nodes. To do that, it uses the l2output_main.next_nodes, which is already
taken care of for the case of the sw_if_index reuse, so this makes the dependent
features all work correctly.

Since this changes the packet path, for the features that were always the last ones
it has triggered a side problem of the output feat_next_node_index not being properly
initialized. These two users are l2-output-classify node and the output nodes belonging
to the acl-plugin.

For the first one the less invasive fix is just to initialize that field.
For the acl-plugin nodes, rewrite the affected part of the code to use
feat_bitmap_get_next_node_index since this is essentially what the conditional
in l2_output_dispatch does, and fix the compiler warnings generated.

This fix was first made in stable/1701 under commit e7dcee4027.

Change-Id: I32e876ab1e1d498cf0854c19c6318dcf59a93805
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-03-03 18:51:16 +00:00
Damjan Marion
3b46cba8f4 Plugin infrastructure improvements
This patch replaces requirement for vlib_plugin_register function
in the plugin so file and introduces new macro:

VLIB_PLUGIN_REGISTER () = {
  .version = "version string",
  .version_required = "required version",
  .default_disabled = 1,
  .early_init = "early_init_function_name",
};

Plugin will not be loaded if .default_disabled is set to 1
unless explicitly enabled in startup.conf.

If .version_required is set, plugin will not be loaded if there
is version mismatch between plugin and vpp. This can be bypassed
by setting "skip-version-check" for specific plugin.

If .early_init string is present, plugin loader will try to resolve
this specific symbol in the plugin namespace and make a function call.

Following startup.conf configuration is added:

plugins {
  path /path/to/plugin/directory
  plugin ila_plugin.so { enable skip-version-check }
  plugin acl_plugin.so { disable }
}

Change-Id: I706c691dd34d94ffe9e02b59831af8859a95f061
Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-02-03 14:08:47 +00:00
Damjan Marion
cb034b9b37 Move java,lua api and remaining plugins to src/
Change-Id: I1c3b87e886603678368428ae56a6bd3327cbc90d
Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-01-01 18:11:43 +01:00