Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESP's 4-octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.
CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2
- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESP's 4-octet requirement); as
a result, packets will have unnecessary padding, which will waste
bandwidth at least and, at worst, possibly fail in certain network
configurations that have finely tuned MTU configurations.
Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.
test: ipsec: Add unit-test to test for RFC correct padding/alignment
test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well
- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with, and
acknowledged by, the upstream scapy project as well:
https://github.com/secdev/scapy/issues/2322
Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
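As an added example (not code from the VPP commit or from scapy), the padding rule above in Python: ESP's trailer is the Pad Length and Next Header octets, only CBC needs AES block alignment, and the last function shows how many octets the pre-fix behaviour wasted per packet. Mode names and the monotonic 1,2,3,... padding bytes are the example's own choices.

```python
# Added example (not VPP or scapy code): ESP trailer padding per cipher mode.
ESP_TRAILER_LEN = 2   # Pad Length + Next Header octets (RFC 4303)
ESP_ALIGN = 4         # ESP's own 4-octet alignment requirement (RFC 4303)
AES_BLOCK = 16        # AES block / IV size

# Alignment each mode actually needs for (payload + padding + trailer).
MODE_ALIGN = {
    "aes-cbc": AES_BLOCK,   # CBC must encrypt whole blocks
    "aes-ctr": ESP_ALIGN,   # RFC 3686 section 3.2: no cipher padding
    "aes-gcm": ESP_ALIGN,   # RFC 4106 section 3.2
    "aes-ccm": ESP_ALIGN,   # RFC 4309 section 3.2
}


def esp_pad_len(payload_len, align):
    """Smallest padding so payload + padding + 2-octet trailer is a multiple of align."""
    return (-(payload_len + ESP_TRAILER_LEN)) % align


def esp_plaintext(payload, mode, next_header):
    """Bytes handed to the cipher: payload, padding 1,2,3,..., Pad Length, Next Header."""
    pad = esp_pad_len(len(payload), MODE_ALIGN[mode])
    assert pad <= 255, "ESP Pad Length is a single octet"
    return payload + bytes(range(1, pad + 1)) + bytes([pad, next_header])


def wasted_octets(payload_len, mode):
    """Extra padding the pre-fix behaviour (always AES block alignment) adds for this mode."""
    return esp_pad_len(payload_len, AES_BLOCK) - esp_pad_len(payload_len, MODE_ALIGN[mode])


if __name__ == "__main__":
    for n in (41, 100, 1492):
        print(n, {m: wasted_octets(n, m) for m in MODE_ALIGN})
```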
gso option is available for the debug CLI version of bond create.
This patch is to create a new API to have the corresponding option in
the binary API. The old binary API bond_create is marked deprecated.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0
Node variant names have changed to skx and icl.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I5be832aa59e4e440df53869077d801c011e3defa
Some of the tests are time-sensitive, and at present require a non-trivial
modification in order to run at high concurrency.
Without these modifications, they intermittently fail and require
test retries.
Rather than setting them to the extended tests and forgetting
about them, put them into a "solo" set, which gets run in a
single-threaded mode after the rest of the tests are done.
Mark a few of the tests that showed errors during TEST_JOBS=48
as forced-solo.
Also, give a better diagnostic if the testcase misses a docstring
needed to represent it in the diagnostic outputs.
Type: fix
Change-Id: I33fe62eb17edc1885bd2c3523892051d52da6546
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Before this patch it was not allowed to replace
a dynamic ARP entry with a static one with the
same mac-address.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I6cfc0e510ffdf141c61874288f11a60395182374
For bond interface, we set hardware link state to up initially when
admin state is set to up. Thereafter, if we toggle the admin state to
down and up, we require at least one active member in the bond prior
to bringing up the hardware state which is inconsistent. The fix is to
remove the unnecessary condition.
This is a rework of the original proposed patch, which is more complex
and could be tricky to get right:
https://gerrit.fd.io/r/c/vpp/+/27141
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I65f4fee55299b5b4d5645f6e05e1be15b46b73cd
- Replace textual string slave with member except APIs.
- For APIs, mark the existing APIs as deprecated and introduce new APIs
- While introducing sw_bond_interface_dump, add the optional filter by
sw_if_index and enhance the testcases to make use of it.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ib6626c514e45350308aeeda0decb70f3aba2f63e
This updates the computation of the outer ip6 header payload_length
field in order to take into account the GRE header length.
Change-Id: Ie9f982521aeaef7279a9e329a33272d6fae0a428
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
This ensures we don't recompute the requirements-{2,3}.txt on each make
test run, and skips patching scapy if it is already patched instead of
failing.
Change-Id: I3da57182ae49f3dd04db139d96734a5d145fedff
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Cover vl_mem_api_dead_client_scan(...), which is not so simple. Spin
up vpp_api_test using pexpect.spawn, make it bootstrap a private
memory segment, kill vpp_api_test, and wait for the dead client
scanner to run a few times so that it declares the client dead.
The test only runs if GCOV_TESTS=yes is set in the environment.
Type: test
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I3c712fa011df2e23761a2e73c1aba0c7e50123a6
This avoids the client using dirty data from shared memory.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I96eecf655bf344ec29609cedbd8dc891b572e207
VXLAN uses csum_offload for IPv6 packets.
But without the gso node, the csum is calculated only for the inner
packet.
This patch adds support for outer header csum calculation.
The checksum for the inner packet should be calculated before the
interface-output node (for example in the vxlan node).
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Ica68429ede4426293769207cd83c791ebe72fe56
This reverts commit 9121c415a9.
Reason for revert: causes deadlock with multiple worker threads
Type: fix
Change-Id: Icf3d6d343d99d887abacbaa03acbf04d4628514e
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Type: improvement
Bond link state is being maintained inconsistently. It is initially set to
up. If the bond interface admin state is set to down, the link state is
set to down. If the bond interface admin state is set to up, the link
state is only set to up if there are active slave interfaces at that point.
If slaves become active at some later time, it does not get updated. Its
next chance to be updated is the next time the bond interface is set to
admin up.
To address this, do not set the link state to up after creating a bond.
Adjust the link state as slave interfaces are attached or detached
based on whether the bond is getting its first active slave or losing
its last one.
Unit test added to verify correct maintenance of link state.
Change-Id: I31f17321f7f0e727e1ab1e01713423af6566dad9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
This fixes an issue where the pinned requirements file can be modified
when running the tests.
Change-Id: Ic89d1844d1fd8d00f62211a9b051a26ac34ee316
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
In case there is no free space in the first buffer for the ICV and footer,
an additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
- TCP packets with payload 1992
- ICMP packets with payload 2004
This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
Type: feature
* initiator behind NAT supported
* tested with static NAT mappings
* works only with pre-configured tunnels
The pre-configured tunnel has to be defined as follows:
initiator (i) side: src=ip(i) dst=ip(r)
responder (r) side: src=ip(r) dst=ip(nat)
Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Since the removal of the "users" concept in ED-NAT, the nat44_user_dump API
returns an empty array. This brings back the previous behaviour at
a considerable runtime cost until a better API is introduced.
Type: improvement
Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Type: fix
it is possible for a user to change the end node of a feature arc, but
this change should only apply to that 'instance' of the arc, not all
arcs. for example, if a tunnel has its ipx-output end node changed to
adj-midchain-tx, this shouldn't affect all ipx-output arcs. obviously...
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I41daea7ba6907963e42140307d065c8bcfdcb585
Type: feature
the esp4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
Tests currently expect the logger to be poked from run_tests.py.
The tests should run without any magic values. This change sets a default
null logger and removes the hasattr checks for the logger.
For reference, see: https://docs.python-guide.org/writing/logging/
Type: test
Change-Id: I98f953d73d12d00e74b59c94a0fb8c7a625b9c44
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
Type: test
This commit fixes the make test for GSO/IPIP, which were added in the
following commit id: 84f91fa9c5
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I66a57fe195e626b432ff0acba3a5bdf242a7a46e
Add an IP_ROUTE_LOOKUP function that does either an exact match or
longest prefix match in a given fib table for a given prefix
returning the match if present.
Add API test.
Type: improvement
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I67ec5a61079f4acf1349a9c646185f91f5f11806
Type: improvement
- inline some common encap fixup functions into the midchain
rewrite node so we don't incur the cost of the virtual function call
- change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header
- add adj-midchain-tx to multiarch sources
- don't run adj-midchain-tx as a feature, instead put this node as the
adj's next and at the end of the feature arc.
- cache the feature arc config index (to save the cache miss going to fetch it)
- don't check if features are enabled when taking the arc (since we know they are)
the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc)
for IPSec:
- don't run esp_encrypt as a feature, instead when required insert this
node into the adj's next and into the end of the feature arc. this
implies that encrypt is always 'the last feature' run, which is
symmetric with decrypt always being the first.
- esp_encrypt for tunnels has adj-midchain-tx as next node
Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7
Signed-off-by: Neale Ranns <nranns@cisco.com>
Add a hook to src/vlibapi/api_shared.c to fuzz (screw up) binary API
messages, e.g. by xoring random data into them before processing. We
specifically exempt client connection messages, and inband debug CLI
messages. We step over msg_id, client index, client context, and
sw_if_index. Otherwise, "make test" vectors fail too rapidly to learn
anything.
The goal is to reduce the number of crashes caused to zero. We're
fairly close with this patch.
Add vl_msg_api_max_length(void *mp), which returns the maximum
plausible length for a binary API message.
Use it to harden vl_api_from_api_to_new_vec(...), which takes an
additional argument, the message pointer, so it can verify that
astr->length is sane. If it's not sane, return a u8 *vector of the
form "insane astr->length nnnn\0".
Verify array lengths in vl_api_dhcp6_send_client_message_t_handler(...)
and vl_api_dhcp6_pd_send_client_message_t_handler(...).
Add a fairly effective binary API fuzz hook to the unittest plugin,
and modify the "make test" framework.py to pass "api-fuzz { on|off }"
to enable API fuzzing: "make API_FUZZ=on TEST=xxx test-debug" or similar
Type: improvement
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I0157267652a163c01553d5267620f719cc6c3bde
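Added example, not VPP's code, modelling the two pieces described above: a fuzz step that XORs random bytes into a message while stepping over the header fields, and a bounded string extraction that returns the "insane astr->length" diagnostic instead of reading past the message. The message layout (header of msg_id, client_index, context, then a u32 length and string bytes) is constructed for the example and is not VPP's real vl_api_string_t encoding.

```python
import random
import struct

# Constructed layout, not VPP's real encoding: fixed header (msg_id, client_index,
# context), then a u32 length and the string bytes it describes.
HDR = struct.Struct("!HII")
EXEMPT = range(HDR.size)   # fields the fuzz hook steps over, as the commit describes


def build_msg(msg_id, client_index, context, payload):
    return HDR.pack(msg_id, client_index, context) + struct.pack("!I", len(payload)) + payload


def max_api_length(msg, string_offset):
    """Largest string length that can physically fit between the length field and end of msg."""
    return len(msg) - string_offset - 4


def api_string_to_vec(msg, string_offset=HDR.size):
    """Bounded copy of the embedded string; an implausible length yields a diagnostic, not an over-read."""
    if string_offset + 4 > len(msg):
        return b"insane astr->length (length field truncated)"
    (length,) = struct.unpack_from("!I", msg, string_offset)
    if length > max_api_length(msg, string_offset):
        return b"insane astr->length %d" % length
    start = string_offset + 4
    return msg[start:start + length]


def fuzz_message(msg, seed, flips=4):
    """XOR random bytes into the message body, leaving the exempt header fields intact.
    The seed makes each mutation reproducible so a crash can be replayed."""
    rng = random.Random(seed)
    out = bytearray(msg)
    body = [i for i in range(len(out)) if i not in EXEMPT]
    for i in rng.sample(body, k=min(flips, len(body))):
        out[i] ^= rng.randrange(1, 256)
    return bytes(out)


if __name__ == "__main__":
    msg = build_msg(0x0123, 7, 99, b"GigabitEthernet0/8/0")   # constructed sample
    rejected = sum(api_string_to_vec(fuzz_message(msg, seed)).startswith(b"insane")
                   for seed in range(1000))
    print("fuzzed messages rejected by the length check:", rejected)
```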
The api no longer requires packed ip addresses.
Type: test
Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
saves time debugging tests by replacing 'API call' with
the actual function signature:
vpp_papi_provider.UnexpectedApiReturnValueError: API call failed, expected 0 return value instead of -2 in vxlan_add_del_tunnel_reply(_0=247, context=5052, retval=-2, sw_if_index=4294967295)
vpp_papi_provider.UnexpectedApiReturnValueError: vxlan_add_del_tunnel(is_add=0, src_address=172.16.1.1, dst_address=239.1.1.209, vni=209, sw_if_index=26, mcast_sw_if_index=1, encap_vrf_id=None, instance=None, decap_next_index=None) failed, expected 0 return value instead of -2 in vxlan_add_del_tunnel_reply(_0=247, context=5052, retval=-2, sw_if_index=4294967295)
Type: test
Change-Id: Ie3b6a5fdb4e1d427d60c51f7a7bf815af0bb3de6
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
Bonus corner-case bugfix in bitmap.h, found during the exercise.
Issue dates from 2001 or thereabouts. Please review this specific
change carefully.
lcov_post: filter system include directories and generated files in
build-root
Type: improvement
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Iaa0b63e9dc571dfe3d992197ac49ba4d93403c61
add support for the case where the first path doesn't
match the searched interface.
Type: test
Change-Id: I29bd724cfe275ec5489d32c37ef2af12d6d1102a
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
Add vpp specific properties to ip addresses for use in the api.
.vapi_af -- returns [ADDRESS_IP4, ADDRESS_IP6]
.vapi_af_name -- returns the string ['ip4', 'ip6']
Update tests to demonstrate usage.
Type: feature
Change-Id: I43447a1522769d99f89debdc714c51700068d771
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: Ib7f73a0b6de188982a09040f7739dc46be3cb1de
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Support for startup node multi-arch variant selection through startup.conf.
This is to facilitate unit, functional testing and benchmarking of non-default
multi-arch variant node code path. Also added parameters to make test to
specify the use of multi-arch variants in unit testing.
Type: improvement
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I94fd332bb629683b7a7dd770ee9f615a9a424060
facilitates use of papi beyond the tests.
Type: improvement
Change-Id: I3d502d9130b81a7fb65ee69bb06fe55802b28a27
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
virtio 1.1 defines a number of new features. Packed ring is among the most
notable and important ones. It combines used, available, and descriptor rings
into one.
This patch provides experimental support for packed ring. To avoid
regression, when packed ring is configured for the interface, it is branched
to a separate RX and TX driver. Non packed ring should continue to perform
as it was before.
Packed ring is tested using qemu4.2 and ubuntu focal fossa (kernel 5.4.0-12)
on the guest VM which supports packed ring.
To configure VPP with packed ring, just add the optional keyword "packed"
when creating the vhost interface. To bring up the guest VM with packed ring,
add "packed=on" in the qemu launch command.
To facilitate troubleshooting, also added a "verbose" option to the
show vhost desc CLI to also display the indirect descriptors.
Known qemu reconnect issue -
If VPP is restarted, guest VMs also need to be restarted. The problem
is kernel virtio-net-pci keeps track of the previous available and used
indices. For virtio 1.0, these indices are in shared memory and qemu can
easily copy them to pass to the backend for reconnect. For virtio 1.1, these
indices are no longer in shared memory. Qemu needs a new mechanism to retrieve
them and it is not currently implemented. So when the protocol reconnects,
qemu does not have the correct available and used indices to pass to the
backend. As a result, after the reconnect, virtio-net-pci is reading the TX
ring from the wrong position in the ring, not the same position which the
backend is writing. A similar problem also exists in the RX.
Type: feature
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I5afc50b0bafab5a1de7a6dd10f399db3fafd144c