1847 Commits

Author SHA1 Message Date
Benoît Ganne
d13b61171b tests: fix ipv6 fragmented esp w/ scapy 2.4.5
Since scapy 2.4.4, scapy will not decode the next layer if the fragment
offset is not 0 - IOW it will decode only for the 1st fragment.
See f1c26e77c5

Type: fix

Change-Id: If738734f90b15b24c0d98fec4bce4ff48c6d5fea
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2024-08-07 13:18:47 +00:00
Stanislav Zaikin
0f2c6cd1ab ikev2: handoff packets
current approach saves state in per-thread data structure. in
multi-worker + nat-t cases udp/500 and udp/4500 might be dispatched on
different workers. this patch adds hands off packet to 1 explicit thread
- 1st worker (or main thread in case there're no workers) or to thread
  that was explicitly set by user via configuration

Type: improvement

Change-Id: Ib5cd9a4b8612dfaa63b276035709524f7a492d4f
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
2024-08-07 12:07:13 +00:00
Stanislav Zaikin
fa7b7a41e7 ikev2: fix BN_bn2bin re-allocation
the former code was re-allocating the vector when padding takes place.
it's not necessary since we have the correct size. also, it caused
issues since upper layer doesn't know about re-allocation and it caused
crash. with this patch many test-cases are enabled again.

Type: fix

Change-Id: Idf0b320101670ec64d62e9aac6399cc7c54c996f
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
2024-08-07 10:12:22 +00:00
Dave Wallace
cf9356d642 tests: update scapy to version 2.4.5
- Required for Ubuntu 24.04 LTS jobs
- temporarily disable TestIpsecEsp1 and
  TestIpsecAhAll tests until a patch can
  be added to fix them

Type: test

Change-Id: I1ae7b170117182c3252629bbbb770775e2c496c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2024-08-07 09:15:17 +00:00
Matus Fabian
519983b44d misc: remove deprecated builtinurl plugin
Plugin code is incorporated in http_static plugin for longer time.

Type: refactor
Change-Id: Ib74adb2a79d3ee715bbc994d77bc7718faf7184f
Signed-off-by: Matus Fabian <matfabia@cisco.com>
2024-08-01 16:02:14 +02:00
Matus Fabian
f95c4d81fc prom: test_prom fix
Type: test
Change-Id: I022a3435429976590b8e8e2e1abe924188d1c3f9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
2024-07-24 21:14:55 +00:00
Steven Luong
5682ca8ef6 session: delete and add application namespace do not create the global session table
When an application namespace is added, we call session_table_is_alloced
to see if we need to allocate a new session table. That check returns true
even if we removed the session table.
The fix is when we delete an application's global session table,
we need to invalidate fib_index_to_table_index.

Fixed test_vcl test script to run two tests back to back.
The 1st test deletes the application namespace at the end.
The 2nd test adds the application namespace in the beginning.

Type: fix
Fixes: 67bae20b05cb46e5f6d19afeaf1f7a52a5309d59

Change-Id: I67f5cc1b726a07659597a9479df011717db08d0a
Signed-off-by: Steven Luong <sluong@cisco.com>
2024-07-24 04:20:08 +00:00
Dave Wallace
0da0883453 tests: output raw packet data when decoding pcap files
Type: test

Change-Id: I4e945b2bd067466afdaa58a6f07a1ab2c567bc2b
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2024-07-18 14:45:49 +00:00
Steven Luong
67bae20b05 session: application namespace may reference a deleted vrf table
lock the vrf table when adding an application namespace and
unlock the vrf table when deleting an application namespace.

Free the session table when no more application namespace
uses it anymore to avoid memory leaks.

Type: fix

Change-Id: I10422c9a3b549bd4403962c925e29dd61a058eb0
Signed-off-by: Steven Luong <sluong@cisco.com>
2024-07-15 20:57:35 +00:00
Klement Sekera
ca2f2e1ec9 tests: more options for decoding pcaps
Introduce "none", "all" and "failed" options for --decode-pcaps
parameter. Keep "failed" as default to be consistent with current
behaviour. Add missing documentation to test/Makefile and passthrough to
Makefile.

Rationale: running tshark binary takes about 100-150ms and if there are
thousands of pcap files, it takes minutes to decode them. This might not
be desirable if rerunning the tests repeatedly during development.

Type: improvement
Change-Id: Ie033521d51d18b9d499b9bc40fe6eff21c94622d
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2024-07-15 18:58:07 +00:00
Dmitry Valter
34fa0ce8f7 tests: skip more excluded plugin tests
Check and skip VPP_EXCLUDED_PLUGINS tests for most of plugins.

Type: improvement
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: I23fd3666729251c639aa8da72a676058e3f5bb4e
2024-07-12 15:43:24 +00:00
Benoît Ganne
ff570d3d07 fib: make mfib optional
In some cases we do not need multicast support. Making it optional helps
scaling to high number of VRFs, by reducing the control plane operations
and memory consumption.

Type: improvement

Change-Id: Ib34ed3fe2806e2f4624981da4e4a3c49c69f70be
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2024-07-12 03:09:22 +00:00
Andrew Yourtchenko
9987d470a6 tests: disable failing tests on Ubuntu 22.04
Also rework the logic so the skipping of marked Ubuntu 22.04 occurs at framework level

Leave debian11 special cases as-is.

Type: fix
Change-Id: I481eb32cd1a0860935482e9f930ced409da653c9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2024-07-03 12:43:57 +02:00
Dmitry Valter
e95687b0d6 fib: fix ip drop path crashes
Do not mark drop paths as imported to avoid crashes on invalid table lookup.

```
vpp[8478]: /build/Vpp2310/source/src/vnet/fib/fib_table.c:35 (fib_table_get) assertion `! pool_is_free (ip4_main.fibs, _e)' fails
 #9  0x00007ff21785da1d in _clib_error () from /lib/x86_64-linux-gnu/libvppinfra.so.23.10
 #10 0x00007ff218087698 in fib_table_get (index=4294967295, proto=FIB_PROTOCOL_IP4) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:35
 #11 0x00007ff218087a37 in fib_table_lookup_exact_match (fib_index=4294967295, prefix=0x7ff0eae0d354) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:100
 #12 0x00007ff2180bc938 in fib_attached_export_import (fib_entry=0x7ff0eceac3e0, export_fib=4294967295) at /build/Vpp2310/source/src/vnet/fib/fib_attached_export.c:264
 #13 0x00007ff218098ade in fib_entry_post_flag_update_actions (fib_entry=0x7ff0eceac3e0, old_flags=FIB_ENTRY_FLAG_NONE, new_fib_index=4294967295) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:624
 #14 0x00007ff218098b90 in fib_entry_post_install_actions (fib_entry=0x7ff0eceac3e0, source=FIB_SOURCE_API, old_flags=FIB_ENTRY_FLAG_NONE) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:674
 #15 0x00007ff218098cce in fib_entry_create (fib_index=1, prefix=0x7ff0d3244d80, source=FIB_SOURCE_API, flags=FIB_ENTRY_FLAG_NONE, paths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_entry.c:712
 #16 0x00007ff218088db4 in fib_table_entry_update (fib_index=1, prefix=0x7ff0d3244d80, source=FIB_SOURCE_API, flags=FIB_ENTRY_FLAG_NONE, paths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_table.c:799
 #17 0x00007ff2180c026c in fib_api_route_add_del (is_add=1 '\001', is_multipath=0 '\000', fib_index=1, prefix=0x7ff0d3244d80, src=FIB_SOURCE_API, entry_flags=FIB_ENTRY_FLAG_NONE, rpaths=0x7ff0eac15ab8) at /build/Vpp2310/source/src/vnet/fib/fib_api.c:485
 #18 0x00007ff217d4b6dd in ip_route_add_del_t_handler (mp=0x7ff0eb08b998, stats_index=0x7ff0d3244dc8) at /build/Vpp2310/source/src/vnet/ip/ip_api.c:718
 #19 0x00007ff217d4b986 in vl_api_ip_route_add_del_t_handler (mp=0x7ff0eb08b998) at /build/Vpp2310/source/src/vnet/ip/ip_api.c:789
```

Type: fix
Fixes: 4b08632748727486e7ebfdcf4d992743595bc500
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: I647899533771c35f44c9ecde517a30f111b36ad9
2024-06-19 00:50:49 +00:00
Dave Wallace
8a284cc611 tests: organize test coverage report generation
- Remove code from test report that is effectively
  untested and categorize based on reason for lack
  of testing.

Type: test

Change-Id: I6ca5444055b3a81a4880945b6845afc867556277
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2024-06-05 16:30:17 +00:00
Fan Zhang
e7901e8830 ipsec: fix missing udp port check
Type: fix

This patch fixes the missing UDP port check in IPsec NAT-T
case. As of RFC3948 UDP encapped ESP traffic should have
destination port ID of 4500, which was missing.

The related tests are updated with this port ID, too.

Change-Id: I73ecc6a93de8d0f4b642313b0f4d9c2f214a7790
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
2024-06-04 12:44:53 +00:00
Mohsin Kazmi
5f694322a9 fib: set the value of the sw_if_index for DROP route
Type: fix

fib_api_path_decode() is utilized by the IP route API call
to translate the path from the API to the fib_route_path_t
structure. The ip_route_add_del_handler_t function initializes
the fib_route_path_t structure to zeros, consequently setting
the sw_if_index value to 0, which is a valid value in VPP.
Typically, the default VRF (Virtual Routing and Forwarding)
has a local interface at index 0, leading to normal functionality.
However, a custom VRF table without any interface will result
in a crash.

The issue arises because the DROP route in fib_api_path_decode()
does not override the sw_if_index value with the one provided
in vl_api_fib_path_t. Subsequently, when this sw_if_index is
attempted to be resolved in the VRF table where the interface
does not exist, it leads to a crash.

This patch addresses the problem by setting the sw_if_index of
fib_route_path_t to the sw_if_index value of the API path.

To reproduce the issue, please remove the fix and run the following command:
make test-debug TEST=test_ip4.TestIPv4RouteLookup.test_exact_match

Change-Id: I5d72e91e5c701e749a92873941bee7b7b5eabd41
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2024-06-03 12:22:10 +00:00
adrianvillin
8512145d7c hs-test: added targets to makefiles to get coverage from HS tests
Type: make

Change-Id: Iae7998692890264dfeea98c165617d0efa024d42
Signed-off-by: adrianvillin <avillin@cisco.com>
2024-05-30 15:59:07 +00:00
Steven Luong
e4238aa34f ethernet: check destination mac for L3 in ethernet-input node
When the NIC does not support mac filter, we rely on ethernet-input
node to do the destination mac check, ie, when the interface is in L3,
the mac address for the packet must be the mac address of the
interface where the packet arrives. This works fine in ethernet-input
node when all packets in the frame might have different interfaces, ie,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is not set in the frame. However,
when all packets are having the same interface,
ETH_INPUT_FRAME_F_SINGLE_SW_IF_ID is set, ethernet-input node goes
through the optimized routine eth_input_single_int -> eth_input_process_frame.
That is where dmac check has a bug when all packets in the frame are
either, ip4, ip6, or mpls without vlan tags. Because without vlan tags,
the code handles all packets in fast path and ignores dmac check.
With vlan tags, the code goes to slow path where dmac check is handled
properly.

The fix is to check if we have a bad dmac in the fast path and force the
code to go to slow path which will handle dmac check properly.

Also do a wholesale correction on all the testcases which do not use
the proper dmac when sending L3 packets.

Type: fix

Change-Id: I73153a805cecdc24c4eefcc781676de04737ae2c
Signed-off-by: Steven Luong <sluong@cisco.com>
2024-05-08 09:42:23 +00:00
Hadi Rayan Al-Sandid
4aecd4869c vlib: revert automatic core pinning changes
This reverts commit 71c32a898941e32b5d4f865b50fbe775560c582d.

Type: fix

Reason for revert: vnet pinning is not considered in this patch.
This causes keywords 'workers' and 'skip-cores' to be broken,
as well as keyword 'main-core auto' introduced in this patch.
If this patch is ever reconsidered, it must account for vnet
pinning fix in commit https://gerrit.fd.io/r/c/vpp/+/40711.

Change-Id: I1f3154a6c7e830b100f824375aa00e95b192f7f3
Signed-off-by: hsandid <halsandi@cisco.com>
2024-05-06 11:52:35 +00:00
Mohsin Kazmi
7b3339efff gso: use the header offsets from buffer metadata
Type: improvement

Change-Id: I955fbef0e0238cb69307e96cd1c677061737e5f3
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2024-05-02 14:51:59 +00:00
Klement Sekera
0f1fda9cec tests: remove duplicate SVR test case
Type: fix
Change-Id: I4105109c1c659190fc2da4ee1802ef53449a3c15
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2024-05-01 00:59:42 +00:00
Maxime Peim
f13534e79d tests: allow ip table name
Type: refactor
Change-Id: I4abbc77a447358f4beaa05505299cae732a3f374
Signed-off-by: Maxime Peim <mpeim@cisco.com>
2024-04-23 08:52:48 +00:00
Maxime Peim
b0d433978b tests: allow to add paths to default route
After adding a path to the default route, the prefix still be there
in the table as it is a mandatory prefix. However, the registry hence
fail to remove the route from VPP.

Type: fix
Change-Id: Ic4ad72455ac7a1a2f1d8baba59a7a3afe1610726
Signed-off-by: Maxime Peim <mpeim@cisco.com>
2024-04-09 17:30:57 +00:00
adrianvillin
bfbe7a8c9a tests: Added a simple prom(etheus exporter) plugin test
Type: test

Change-Id: Ibceabc411f09d80cc23be6f2e7c8abd56d4c4ac2
Signed-off-by: adrianvillin <avillin@cisco.com>
2024-04-09 16:17:29 +00:00
Vladislav Grishenko
302db471a0 mpls: fix default mpls lb hash config
In case of multiple path within tunnel, mpls lookup node
computes lb hash with mpls_compute_flow_hash config value 0,
so only mpls label and l4 ports gets accounted, not 5-tuple.
This leads to flow traffic polarization and disbalance over
mpls paths.

Use mpls hash config from lb instead, usually it'll be
MPLS_FLOw_HASH_DEFAULT with 5-tuple plus flowlabel.
As optimization, fix flow hash reuse from the previous lookup
node if present, like ip_lookup does. Previously mpls lookup
always calcs the hash.
Test lb distribution for both cases.

Also, use the same flow hash hex format in ip4/ip6 and mpls
traces for easier reading, most code changes is due fixstyle
formatting.

Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ib89e1ab3edec14269866fe825a3e887d6c817b7c
2024-04-09 04:47:02 +00:00
Pim van Pelt
2a7bc81ae3 vnet: fix ARP for unnumbered
On unnumbered interfaces, ARP fails because there is no attached route.
Allow replies to peer-to-peer addresses on unnumbered interfaces:
  eg. 192.0.2.1/32 <-> 192.0.2.2/32

Type: fix
Change-Id: Ibeb8d8ebc8d58d5bfb0724739a17694e0217356e
Signed-off-by: Pim van Pelt <pim@ipng.nl>
2024-04-09 04:26:21 +00:00
Dave Wallace
940a70fff4 tests: upgrade python packages
Type: test

Change-Id: I01500466f3d15c79e38028677ce7e5c75d427fdc
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2024-04-03 14:10:47 -04:00
Matthew Smith
b48325100b tests: figure out correct version of sed to run
In run_in_venv_with_cleanup.sh, sed was changed to gsed to allow the
script to run properly on FreeBSD because the sed script uses an
expression that is specific to the gnu sed. Gnu sed is available to
be invoked as gsed on FreeBSD systems, but there is no executable or
symlink which allows sed to be run by the name gsed on ubuntu 22.04.

Check for the existence of gsed. If it's found, use it. Otherwise, just
use sed.

Type: fix
Fixes: b3c863eae4

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I487197e486f500711aa3e87ec7ba899a53606b40
2024-04-02 18:35:06 +00:00
Tom Jones
b3c863eae4 tests: Use gnu sed explicitly in test setup/tear down
Type: improvement
Change-Id: Ie79fd8a5bcfd72a97bf460ef6437913ac34f439c
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-04-02 02:26:29 +00:00
Tom Jones
800386ac3f tests: Add missing socket imports in tests
Type: fix
Change-Id: I646f96517d3bda5c0f5644e6bb89ade7818fc466
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-04-02 02:25:22 +00:00
Vladislav Grishenko
f2fc97aafc l2: fix vxlan src port entropy with mpls payload
l2 tunnels like vxlan, gtpu, geneva use vnet_l2_compute_flow_hash() to
compute flow hash for udp src port entropy. In case of inner mpls tunnels
to the same lsr ethernet src and dst macs are the same, so l2 flow hash
is also the same leading to no src port entropy and the only rss queue
overflow on receiver side.

Fix it for all the possible vnet_l2_compute_flow_hash callers by making
mpls playload hash in additon to ip4/ip6. Visible performance impact is
not expected as it's only one check for mpls ethertype for common cases.

Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I69153d42fb3d7c094a670c674fac8d14039c626a
2024-04-02 02:11:02 +00:00
hsandid
71c32a8989 vlib: improve automatic core pinning
Type: feature

Auto core pinning now fetches vpp cpu affinity list
using pthread api. This enables us to do core-pinning in
environments where the host cpu list does not necessarily align
with cpus available to vpp

Change-Id: Ife8c2a2351c08c5c6c4fdf7c729eeff2697bc39a
Signed-off-by: hsandid <halsandi@cisco.com>
2024-03-29 16:29:44 +00:00
Tom Jones
4941afb4f9 tests: Add support for getting corefile patterns on FreeBSD
Type: improvement
Change-Id: I960edc05a9a77eb55f67cb1ec01d2b3122298ef8
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-03-26 15:15:02 +00:00
Tom Jones
e49e75a4b5 tests: Add platform handling for FreeBSD
FreeBSD doesn't have an easy mechanism to discover CPU features
currently. For tests declare we don't support anything we are asked
about.

Add the FreeBSD spelling of amd64 while we are here.

Type: improvement
Change-Id: I3eb5db856ee5cbc71250e47eee619e2f620de33a
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-03-26 15:14:29 +00:00
Tom Jones
ebe3a11ca7 tests: Add missing struct import
Type: fix
Change-Id: I957877d7a82dea437c072e493561894f11321aaf
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-03-26 15:14:05 +00:00
Tom Jones
853cc9f2ad tests: Use errno value rather than a specific int
For portability we use errno defines rather than explicit int values
when checking for errors.

Type: improvement
Change-Id: Ib5fc1db357da150d008d5a11bef5dbc7ec354cfb
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-03-26 15:13:34 +00:00
Arthur de Kerhor
2f4586d9b3 ip: add support for buffer offload metadata in ip midchain
The offload should be handled by gso node or by the NIC
if the latter has the relevant capabilities. But ip midchain
is missing the support for buffer offload metadata in case
of GSO packet.

This patch adds the relevant support to add the buffer metadata
if the packet is GSO/IPIP to be handled accordingly.

Type: improvement

Change-Id: I17f5d71bf4c5f43a85ca3f2fbebfa1426b42ef69
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2024-03-21 14:38:49 +00:00
Stanislav Zaikin
dc4d21e9ce vapi: uds transport support
introduce ability to connect over unix socket instead of shared memory

Type: improvement

Change-Id: Id9042c74e33ad4e418896c4d7ae48bb9106195c9
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2024-03-18 17:30:07 +00:00
Klement Sekera
ceed1e3b81 tests: use proper unit test skip instead of prints
Using unittest skip instead of print unclutters display by not printing
skip messages when not applicable, e.g. when somebody runs tests which
are unrelated to netns tests, e.g. with FILTER=vapi.

Type: fix
Fixes: e416893a59
Change-Id: Ie09e213249aa47da7e4ff484c3d072fbce3c2001
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2024-03-12 19:33:12 +00:00
Alexander Chernavin
4c7305f124 flowprobe: fix flush callbacks when multiple workers
IPFIX buffers are stored on a per worker thread basis. Currently, the
flush callbacks will flush only buffers stored for the main thread. And
buffers for worker threads will not be sent until their size reach the
path MTU configured for the exporter. So if traffic is constant, the
problem will unlikely to be visible. Buffers will be sent once they
reach the maximum size. However, if traffic stops at some point and
flush is triggered in order to make the plugin send all currently
buffered data, this will not happen. And collectors will not receive
that data. The plugin will keep the remaining data until traffic starts
again, the buffers reach the maximum size, and be sent.

With this fix, flush buffers for worker threads and for the main thread
when the flush callbacks are triggered.

This will allow to remove @tag_fixme_vpp_workers from the unit tests
that don't set timers. The tests that set timers will still be failing
for other multi-worker related problems.

Type: fix
Change-Id: I9a7d9cef8ddbec7ee68c79309e48e7bc0953d488
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2024-03-07 21:18:03 +00:00
Maxime Peim
2cc14de7eb misc: fix icmp
- fix ICMPv6 lookup FIB (don't reset sw_if_index[VLIB_TX] to -1)
- add locally generated flag in ICMPv4 buffers (reflect ICMPv6)

Type: fix
Change-Id: If25a176a9952cbe185a030f8b136718af1bff9e8
Signed-off-by: Maxime Peim <mpeim@cisco.com>
2024-03-04 11:30:24 +00:00
Vladislav Grishenko
5be4b869a4 bpf_trace_filter: support bpf filter optimization and dump
BPF filter w/o optimization can take x2 - x3 more instructions,
causing significant slow down in fast path.

Enable pcap optimization by default via cli and introduce api v2
with pcap optimization control, keep v1 for a while as it exists
in previous release already.
Intriduce bpf filter cli dump, similar to tcpdump -d.

Also fix memleak, function name typo, cli pcap format hint and
add related tests.

Type: improvement
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I92b2b519e92326f1b8e1a4dda6a3e3edc52f87ad
2024-03-04 09:29:12 +00:00
Vladislav Grishenko
dea806da53 fib: fix crash while adding intf-rx routes
Fix crash while adding intf-rx ip4 and ip6 routes via api due
invalid exporting of interface rx routes as attached.
Also, add missed route path via rx-ip6 cli support.

Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I15711c8c0787398dd7e3baa4787019bb1f317666
2024-03-04 07:51:16 +00:00
Matthew Smith
ff71939c30 ipsec: check each packet for no algs in esp-encrypt
In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).

The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.

This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.

Check whether each packet should be dropped instead of only checking
when a new SA is encountered.

Update unit tests:
- Add a test for no algs on tunnel interface which enables
  asynchronous crypto.
- Send more than one packet in the tests for no algs.

Type: fix
Fixes: dac9e566cd16fc375fff14280b37cb5135584fc6

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf
2024-02-19 15:35:54 +00:00
Naveen Joy
0215ef1010 tests: refactor virtual interface tests
Split virtual interface tests in VPP into smaller and modular
tests for testing various interface types and features.

Type: test

Change-Id: Ic38af88379f75eee3090679d411edbdc8fd5d2e5
Signed-off-by: Naveen Joy <najoy@cisco.com>
2024-02-14 22:08:20 +00:00
Denys Haryachyy
f40a354dab ikev2: dump state and profile name in CLI and API
Type: improvement

Change-Id: Ide4b45da99e3a67376281f6438997f3148be08e5
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
2024-02-14 18:47:23 +02:00
Atzm Watanabe
d4f405a70f ikev2: accept rekey request for IKE SA
RFC 7296 describes the way to rekey IKE SAs: to rekey an IKE SA,
establish a new equivalent IKE SA with the peer to whom the old
IKE SA is shared using a CREATE_CHILD_SA within the existing IKE
SA.  An IKE SA so created inherits all of the original IKE SA's
Child SAs, and the new IKE SA is used for all control messages
needed to maintain those Child SAs.

Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icdf43b67c38bf183913a28a08a85236ba16343af
2024-02-09 14:19:31 +00:00
Arthur de Kerhor
af1ddd39f1 ip: don't export useless error counters for ip6 rewrite
the error node is set to ip6_input in the inline funcition
associated with ip6_rewrite. Thus, error counters defined
for node ip6 rewrite are never used.

Type: fix
Change-Id: Id6bef633928b0fff9069498c2e39e9f5bea2cf9b
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2024-01-29 10:22:17 +00:00
Tom Jones
0aa0d6ffbe build: Explicitly use gmake
VPP requires GNU Make to build, on GNU systems (such as Debian), GNU
Make is installed as 'make', typically with a symlink from 'gmake'.

On other systems (such as FreeBSD), 'make' is a BSD Make derriviative
and GNU Make is installed a 'gmake'.

Use $(MAKE) variable for make calls from within Makefiles.  This
variable is set to the path of the calling make program, i.e.,
/usr/local/bin/gmake on a bsd system.

This is the recommended way to call make from Makefiles in the GNU Make
documentation.

Type: improvement
Change-Id: Id9162a34a0f8358f22090718087918dae31c0fce
Signed-off-by: Tom Jones <thj@freebsd.org>
2024-01-21 14:42:03 +00:00