vnet_session_rule_add_del may be called with a bogus appns index
from the API. Validate the appns index is indeed valid.
Type: fix
Change-Id: Ife1b5b9ab0b180ececa74008d2ef92045a9e8b58
Signed-off-by: Steven Luong <sluong@cisco.com>
session table may be shared among multiple appns's.
app ns add id blue secret 1 if tap0
app ns add id red secret 1 if tap0
session table holds the last added app_ns's appns_index.
If the last app_ns is deleted, session table is not free
since there is still an appns which uses the same session
table. In that case, session table is holding the free
app_ns's appns_index and it can cause problem.
The fix is to modify appns_index in session table to hold
a vector of appns_index's instead of just the appns_index
that was last added. When the app ns is deleted, remove the
deleted appns_index from the session table's vector of
appns_index's.
Type: fix
Change-Id: Ied8bc97f185071dc89b9b56656e18efbd2995131
Signed-off-by: Steven Luong <sluong@cisco.com>
The convention in the binary API is that fields encoded in network order.
For some reason, port was parsed in host order.
Type: fix
Change-Id: I31ea313937097e2547226566b7869be4e28251b8
Signed-off-by: Steven Luong <sluong@cisco.com>
The size of dhcp option should be o.length + 2 additional bytes of the header.
Incorrect offset results in an extra byte at the end of the packet:
...
0120 04 00 00 00 04 05 04 AC 10 04 01 FF 00
...
RFC2131 says the last should be the 'end' option (ff)
Type: fix
Change-Id: I056d755d29465aab8c1c55a0b930f65ece6fafce
Signed-off-by: Artem Glazychev <glazychev@mts.ru>
Type: test
Activate tests that works successfully on ubuntu 22.04 but were
problematic on later version and were excluded by
@tag_fixme_ubuntu2204
Change-Id: I93c4626a120ce8b475e9c5ca933a5544d6337933
Signed-off-by: Ivan Ivanets <iivanets@cisco.com>
Type: test
There are random failures in the wireguard test cases that are not related to concurrency issues.
The root cause is a retry of the handshake initiation after (REKEY_TIMEOUT + JITTER) ms, where JITTER is a random value between 0 and 333 ms.
Solution: Add a filter parameter for the `send_and_expect` method of the vpptestcase.
This filter allows for excluding unexpected handshake initiation packets when the responder sends two packets (with `message_type = 1` and `message_type = 2`),while only a single packet (with `message_type = 2`) is expected.
Change-Id: I62816931fc1b85e2202f3d36eb6c2a23714644d5
Signed-off-by: Ivan Ivanets <iivanets@cisco.com>
The language is
local == VPP local interface
remote == sender prefix to VPP node
SDL acts on remote prefix.
Type: fix
Change-Id: I82917c6ef801fc67430dfdd15c5630cb7a6347e0
Signed-off-by: Steven Luong <sluong@cisco.com>
Also, made disconnect-instance and delete-instance functions
available via cli.
Type: feature
Change-Id: I7939d27867959cb871b1cc7205b94410b53906fd
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
This plugin implements a PoC of UDP-based tunnel substrate whose aim is
to specifically provide higher MTU to the upper layers by chunking
the payload PDUs into smaller packets with full 5-tuple.
At the same time, if there are multiple small packets to
the same destination during the vector processing, they
are packed into "carrier" packets up to underlay MTU size.
It does assume a trustworthy underlying medium, thus for the
operation over Internet it requires the use of encryption layer
underneath.
Type: feature
Change-Id: I323958fa8de62584f6ed15643ea689568a9a62bc
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
With this feature, session enable is now modified to have 3 modes of operation
session enable -- only enable session
session enable rt-backend sdl -- enable session with sdl
session enable rt-backend rule-table -- enable session with rule-table
session rule tables are now created on demand, upon adding first rule
to the rule table.
refactor session table to remove depenency from sesssion rules table. Now
session rules table APIs take srtg_handle and transport
proto instead of srt pointer.
Type: feature
Change-Id: Idde6a9b2f46b29bb931f9039636562575572aa14
Signed-off-by: Steven Luong <sluong@cisco.com>
- add patch to scapy to use latest six module instead
of the old scapy specific six module which fails to
import moves sub-module on python 3.12
- fix warning for deprecated legacy editable install of vpp_papi
- skip failing testcases on ubuntu-24.04
Type: test
Change-Id: Idc1a008c6e45ba69caa50c2e245012eb05effed7
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Since scapy 2.4.4, scapy will not decode the next layer if the fragment
offset is not 0 - IOW it will decode only for the 1st fragment.
See f1c26e77c5
Type: fix
Change-Id: If738734f90b15b24c0d98fec4bce4ff48c6d5fea
Signed-off-by: Benoît Ganne <bganne@cisco.com>
current approach saves state in per-thread data structure. in
multi-worker + nat-t cases udp/500 and udp/4500 might be dispatched on
different workers. this patch adds hands off packet to 1 explicit thread
- 1st worker (or main thread in case there're no workers) or to thread
that was explicitly set by user via configuration
Type: improvement
Change-Id: Ib5cd9a4b8612dfaa63b276035709524f7a492d4f
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
the former code was re-allocating the vector when padding takes place.
it's not necessary since we have the correct size. also, it caused
issues since upper layer doesn't know about re-allocation and it caused
crash. with this patch many test-cases are enabled again.
Type: fix
Change-Id: Idf0b320101670ec64d62e9aac6399cc7c54c996f
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
- Required for Ubuntu 24.04 LTS jobs
- temporarily disable TestIpsecEsp1 and
TestIpsecAhAll tests until a patch can
be added to fix them
Type: test
Change-Id: I1ae7b170117182c3252629bbbb770775e2c496c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
When an application namespace is added, we call session_table_is_alloced
to see if we need to allocate a new session table. That check returns true
even if we removed the session table.
The fix is when we delete an application's global session table,
we need to invalidate fib_index_to_table_index.
Fixed test_vcl test script to run two tests back to back.
The 1st test deletes the application namespace at the end.
The 2nd test adds the application namespace in the beginning.
Type: fix
Fixes: 67bae20b05cb46e5f6d19afeaf1f7a52a5309d59
Change-Id: I67f5cc1b726a07659597a9479df011717db08d0a
Signed-off-by: Steven Luong <sluong@cisco.com>
lock the vrf table when adding an application namespace and
unlock the vrf table when deleting an application namespace.
Free the session table when no more application namespace
uses it anymore to avoid memory leaks.
Type: fix
Change-Id: I10422c9a3b549bd4403962c925e29dd61a058eb0
Signed-off-by: Steven Luong <sluong@cisco.com>
Introduce "none", "all" and "failed" options for --decode-pcaps
parameter. Keep "failed" as default to be consistent with current
behaviour. Add missing documentation to test/Makefile and passthrough to
Makefile.
Rationale: running tshark binary takes about 100-150ms and if there are
thousands of pcap files, it takes minutes to decode them. This might not
be desirable if rerunning the tests repeatedly during development.
Type: improvement
Change-Id: Ie033521d51d18b9d499b9bc40fe6eff21c94622d
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Check and skip VPP_EXCLUDED_PLUGINS tests for most of plugins.
Type: improvement
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: I23fd3666729251c639aa8da72a676058e3f5bb4e
In some cases we do not need multicast support. Making it optional helps
scaling to high number of VRFs, by reducing the control plane operations
and memory consumption.
Type: improvement
Change-Id: Ib34ed3fe2806e2f4624981da4e4a3c49c69f70be
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Also rework the logic so the skipping of marked Ubuntu 22.04 occurs at framework level
Leave debian11 special cases as-is.
Type: fix
Change-Id: I481eb32cd1a0860935482e9f930ced409da653c9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Do not mark drop paths as imported to avoid crashes on invalid table lookup.
```
vpp[8478]: /build/Vpp2310/source/src/vnet/fib/fib_table.c:35 (fib_table_get) assertion `! pool_is_free (ip4_main.fibs, _e)' fails
#9 0x00007ff21785da1d in _clib_error () from /lib/x86_64-linux-gnu/libvppinfra.so.23.10
#10 0x00007ff218087698 in fib_table_get (index=4294967295, proto=FIB_PROTOCOL_IP4) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:35
#11 0x00007ff218087a37 in fib_table_lookup_exact_match (fib_index=4294967295, prefix=0x7ff0eae0d354) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:100
#12 0x00007ff2180bc938 in fib_attached_export_import (fib_entry=0x7ff0eceac3e0, export_fib=4294967295) at /build/Vpp2310/source/src/vnet/fib/fib_attached_export.c:264
#13 0x00007ff218098ade in fib_entry_post_flag_update_actions (fib_entry=0x7ff0eceac3e0, old_flags=FIB_ENTRY_FLAG_NONE, new_fib_index=4294967295) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:624
#14 0x00007ff218098b90 in fib_entry_post_install_actions (fib_entry=0x7ff0eceac3e0, source=FIB_SOURCE_API, old_flags=FIB_ENTRY_FLAG_NONE) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:674
#15 0x00007ff218098cce in fib_entry_create (fib_index=1, prefix=0x7ff0d3244d80, source=FIB_SOURCE_API, flags=FIB_ENTRY_FLAG_NONE, paths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:712
#16 0x00007ff218088db4 in fib_table_entry_update (fib_index=1, prefix=0x7ff0d3244d80, source=FIB_SOURCE_API, flags=FIB_ENTRY_FLAG_NONE, paths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:799
#17 0x00007ff2180c026c in fib_api_route_add_del (is_add=1 '\001', is_multipath=0 '\000', fib_index=1, prefix=0x7ff0d3244d80, src=FIB_SOURCE_API, entry_flags=FIB_ENTRY_FLAG_NONE, rpaths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_api.c:485
#18 0x00007ff217d4b6dd in ip_route_add_del_t_handler (mp=0x7ff0eb08b998, stats_index=0x7ff0d3244dc8) at /build/Vpp2310/source/src/vnet/ip/ip_api.c:718
#19 0x00007ff217d4b986 in vl_api_ip_route_add_del_t_handler (mp=0x7ff0eb08b998) at /build/Vpp2310/source/src/vnet/ip/ip_api.c:789
```
Type: fix
Fixes: 4b08632748727486e7ebfdcf4d992743595bc500
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: I647899533771c35f44c9ecde517a30f111b36ad9
- Remove code from test report that is effectively
untested and categorize based on reason for lack
of testing.
Type: test
Change-Id: I6ca5444055b3a81a4880945b6845afc867556277
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Type: fix
This patch fixes the missing UDP port check in IPsec NAT-T
case. As of RFC3948 UDP encapped ESP traffic should have
destination port ID of 4500, which was missing.
The related tests are updated with this port ID, too.
Change-Id: I73ecc6a93de8d0f4b642313b0f4d9c2f214a7790
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
Type: fix
fib_api_path_decode() is utilized by the IP route API call
to translate the path from the API to the fib_route_path_t
structure. The ip_route_add_del_handler_t function initializes
the fib_route_path_t structure to zeros, consequently setting
the sw_if_index value to 0, which is a valid value in VPP.
Typically, the default VRF (Virtual Routing and Forwarding)
has a local interface at index 0, leading to normal functionality.
However, a custom VRF table without any interface will result
in a crash.
The issue arises because the DROP route in fib_api_path_decode()
does not override the sw_if_index value with the one provided
in vl_api_fib_path_t. Subsequently, when this sw_if_index is
attempted to be resolved in the VRF table where the interface
does not exist, it leads to a crash.
This patch addresses the problem by setting the sw_if_index of
fib_route_path_t to the sw_if_index value of the API path.
To reproduce the issue, please remove the fix and run the following command:
make test-debug TEST=test_ip4.TestIPv4RouteLookup.test_exact_match
Change-Id: I5d72e91e5c701e749a92873941bee7b7b5eabd41
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
When the NIC does not support mac filter, we rely on ethernet-input
node to do the destination mac check, ie, when the interface is in L3,
the mac address for the packet must be the mac address of the
interface where the packet arrives. This works fine in ethernet-input
node when all packets in the frame might have different interfaces, ie,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is not set in the frame. However,
when all packets are having the same interface,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is set, ethernet-input node goes
through the optimized routine eth_input_single_int -> eth_input_process_frame.
That is where dmac check has a bug when all packets in the frame are
either, ip4, ip6, or mpls without vlan tags. Because without vlan tags,
the code handles all packets in fast path and ignores dmac check.
With vlan tags, the code goes to slow path where dmac check is handled
properly.
The fix is to check if we have a bad dmac in the fast path and force the
code to go to slow path which will handle dmac check properly.
Also do a wholesale correction on all the testcases which do not use
the proper dmac when sending L3 packets.
Type: fix
Change-Id: I73153a805cecdc24c4eefcc781676de04737ae2c
Signed-off-by: Steven Luong <sluong@cisco.com>
This reverts commit 71c32a898941e32b5d4f865b50fbe775560c582d.
Type: fix
Reason for revert: vnet pinning is not considered in this patch.
This causes keywords 'workers' and 'skip-cores' to be broken,
as well as keyword 'main-core auto' introduced in this patch.
If this patch is ever reconsidered, it must account for vnet
pinning fix in commit https://gerrit.fd.io/r/c/vpp/+/40711.
Change-Id: I1f3154a6c7e830b100f824375aa00e95b192f7f3
Signed-off-by: hsandid <halsandi@cisco.com>
After adding a path to the default route, the prefix still be there
in the table as it is a mandatory prefix. However, the registry hence
fail to remove the route from VPP.
Type: fix
Change-Id: Ic4ad72455ac7a1a2f1d8baba59a7a3afe1610726
Signed-off-by: Maxime Peim <mpeim@cisco.com>
In case of multiple path within tunnel, mpls lookup node
computes lb hash with mpls_compute_flow_hash config value 0,
so only mpls label and l4 ports gets accounted, not 5-tuple.
This leads to flow traffic polarization and disbalance over
mpls paths.
Use mpls hash config from lb instead, usually it'll be
MPLS_FLOw_HASH_DEFAULT with 5-tuple plus flowlabel.
As optimization, fix flow hash reuse from the previous lookup
node if present, like ip_lookup does. Previously mpls lookup
always calcs the hash.
Test lb distribution for both cases.
Also, use the same flow hash hex format in ip4/ip6 and mpls
traces for easier reading, most code changes is due fixstyle
formatting.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ib89e1ab3edec14269866fe825a3e887d6c817b7c
On unnumbered interfaces, ARP fails because there is no attached route.
Allow replies to peer-to-peer addresses on unnumbered interfaces:
eg. 192.0.2.1/32 <-> 192.0.2.2/32
Type: fix
Change-Id: Ibeb8d8ebc8d58d5bfb0724739a17694e0217356e
Signed-off-by: Pim van Pelt <pim@ipng.nl>
In run_in_venv_with_cleanup.sh, sed was changed to gsed to allow the
script to run properly on FreeBSD because the sed script uses an
expression that is specific to the gnu sed. Gnu sed is available to
be invoked as gsed on FreeBSD systems, but there is no executable or
symlink which allows sed to be run by the name gsed on ubuntu 22.04.
Check for the existence of gsed. If it's found, use it. Otherwise, just
use sed.
Type: fix
Fixes: b3c863eae4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I487197e486f500711aa3e87ec7ba899a53606b40
l2 tunnels like vxlan, gtpu, geneva use vnet_l2_compute_flow_hash() to
compute flow hash for udp src port entropy. In case of inner mpls tunnels
to the same lsr ethernet src and dst macs are the same, so l2 flow hash
is also the same leading to no src port entropy and the only rss queue
overflow on receiver side.
Fix it for all the possible vnet_l2_compute_flow_hash callers by making
mpls playload hash in additon to ip4/ip6. Visible performance impact is
not expected as it's only one check for mpls ethertype for common cases.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I69153d42fb3d7c094a670c674fac8d14039c626a