Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 49378f206b8e780a898e632f7dd8db912b9b118e
commit49378f206b8e780a898e632f7dd8db912b9b118e[log] [tgz]
authorNeale Ranns <neale@graphiant.com>Mon Jan 10 10:38:43 2022 +0000
committerMatthew Smith <mgsmith@netgate.com>Mon Jan 17 19:55:13 2022 +0000
tree35c6629f14b753878251fe92d5afcdd9c837554b
parent88a9c0e02ab919cadd4e035133995a6afb4d1c32 [diff]
ipsec: IPSec interface correct drop w/ no protection

Type: improvement

When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output.
This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this:

...
00:00:01:111710: ip4-midchain
  tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[]
  stacked-on:
    [@1]: dpo-drop ip4 flow hash: 0x00000000
  00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
  00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111829: local0-output
  ipsec0
  00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
  00000020: 5858585858585858585858585858585858585858585858585858585858585858
  00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0
  00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664
00:00:01:112017: error-drop
  rx:pg1
00:00:01:112034: drop
  local0-output: interface is down

although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop.

This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed.
The resulting drop is:

...
00:00:01:111504: ip4-midchain
  tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[]
  stacked-on:
    [@1]: dpo-drop ip4 flow hash: 0x00000000
  00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
  00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111533: ip4-drop
    ICMP: 172.16.2.2 -> 1.1.1.1
      tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN
      fragment id 0x0001
    ICMP echo_request checksum 0xecf4 id 0
00:00:01:111620: error-drop
  rx:pg1
00:00:01:111640: drop
  null-node: blackholed packets

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
5 files changed
tree: 35c6629f14b753878251fe92d5afcdd9c837554b
  1. build/
  2. build-data/
  3. build-root/
  4. docs/
  5. extras/
  6. src/
  7. test/
  8. .clang-format
  9. .clang-tidy
  10. .git_commit_template.txt
  11. .gitignore
  12. .gitreview
  13. configure
  14. INFO.yaml
  15. LICENSE
  16. MAINTAINERS
  17. Makefile
  18. README.md
README.md

Vector Packet Processing

Introduction

The VPP platform is an extensible framework that provides out-of-the-box production quality switch/router functionality. It is the open source version of Cisco's Vector Packet Processing (VPP) technology: a high performance, packet-processing stack that can run on commodity CPUs.

The benefits of this implementation of VPP are its high performance, proven technology, its modularity and flexibility, and rich feature set.

For more information on VPP and its features please visit the FD.io website and What is VPP? pages.

Changes

Details of the changes leading up to this version of VPP can be found under doc/releasenotes.

Directory layout

Directory nameDescription
build-dataBuild metadata
build-rootBuild output directory
docsSphinx Documentation
dpdkDPDK patches and build infrastructure
extras/libmemifClient library for memif
src/examplesVPP example code
src/pluginsVPP bundled plugins directory
src/svmShared virtual memory allocation library
src/testsStandalone tests (not part of test harness)
src/vatVPP API test program
src/vlibVPP application library
src/vlibapiVPP API library
src/vlibmemoryVPP Memory management
src/vnetVPP networking
src/vppVPP application
src/vpp-apiVPP application API bindings
src/vppinfraVPP core library
src/vpp/apiNot-yet-relocated API bindings
testUnit tests and Python test harness

Getting started

In general anyone interested in building, developing or running VPP should consult the VPP wiki for more complete documentation.

In particular, readers are recommended to take a look at [Pulling, Building, Running, Hacking, Pushing](https://wiki.fd.io/view/VPP/Pulling,_Building,_Run ning,_Hacking_and_Pushing_VPP_Code) which provides extensive step-by-step coverage of the topic.

For the impatient, some salient information is distilled below.

Quick-start: On an existing Linux host

To install system dependencies, build VPP and then install it, simply run the build script. This should be performed a non-privileged user with sudo access from the project base directory:

./extras/vagrant/build.sh

If you want a more fine-grained approach because you intend to do some development work, the Makefile in the root directory of the source tree provides several convenience shortcuts as make targets that may be of interest. To see the available targets run:

make

Quick-start: Vagrant

The directory extras/vagrant contains a VagrantFile and supporting scripts to bootstrap a working VPP inside a Vagrant-managed Virtual Machine. This VM can then be used to test concepts with VPP or as a development platform to extend VPP. Some obvious caveats apply when using a VM for VPP since its performance will never match that of bare metal; if your work is timing or performance sensitive, consider using bare metal in addition or instead of the VM.

For this to work you will need a working installation of Vagrant. Instructions for this can be found [on the Setting up Vagrant wiki page] (https://wiki.fd.io/view/DEV/Setting_Up_Vagrant).

More information

Several modules provide documentation, see @subpage user_doc for more end-user-oriented information. Also see @subpage dev_doc for developer notes.

Visit the VPP wiki for details on more advanced building strategies and other development notes.