Re: [vpp-dev] IPsec interface handling in FIB

2017-05-20 Thread Neale Ranns (nranns)
Hi Matt,

No ARP lookup is needed for interfaces that are point-2-point. The FIB will 
link entries reachable through a p2p interface using a special ‘auto’ 
adjacency. The auto adj has the all zeros address as a next-hop and a rewrite 
that is constructed by the interface type (i.e. for GRE has tunnel src,dst) and 
since the interface is P2P, it’s independent of the packet’s destination.

The construction of the special adj and the config to set the interface as P2P 
is, e.g.;

VNET_HW_INTERFACE_CLASS (gre_hw_interface_class) = {
  .name = "GRE",
…
  .update_adjacency = gre_update_adj,
  .flags = VNET_HW_INTERFACE_CLASS_FLAG_P2P,
};

Similar config for IPSEC would be required.

Thanks,
neale

-Original Message-
From:  on behalf of Matthew Smith 

Date: Saturday, 20 May 2017 at 01:36
To: "vpp-dev@lists.fd.io" 
Subject: [vpp-dev] IPsec interface handling in FIB


Hi,

In the course of testing IPsec interfaces in VPP, I managed to make VPP 
crash on a SEGV by setting an IP address on an established IPsec tunnel 
interface and then trying to send packets through the tunnel to the IPsec peer 
by pinging an address in the same subnet as that address. I.e. I set the 
address 10.0.0.2/30 on the ipsec0 interface and tried to ping to 10.0.0.1. It 
looks like VPP was trying to resolve the address via ARP and crashed because it 
was trying to memcpy the hardware address of the IPsec tunnel interface, which 
was NULL, to build the ARP packet.

GRE tunnel interfaces allow this sort of configuration without crashing. I 
took a look at some of the GRE code and it looked like there was some setup & 
maintenance that is done for GRE tunnels so that FIB lookups treat packets 
destined for a GRE tunnel in a special way. No ARP lookup is initiated when I 
send a packet to an address in the same subnet as an IP address configured on a 
GRE tunnel interface.

I’d like to fix this for IPsec tunnel interfaces. Does anyone have any 
pointers on what I would need to do? I've been looking at the GRE code to get an 
idea, but it would save me a lot of time if anyone could share a high-level 
description of what needs to be done, or point me at any relevant documentation.

Thanks,
-Matt Smith

___
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
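
The behaviour discussed in this thread, as an added example: a simplified stand-alone C model, not VPP code and not from either poster. It shows why a point-to-point interface needs no ARP lookup and why a tunnel without the P2P flag has no usable hardware address to resolve with. Every type and function name is hypothetical, and the ipsec0 sample is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model for illustration; every name here is hypothetical, not VPP's. */
enum { IF_FLAG_P2P = 1 };
typedef enum { ADJ_NONE, ADJ_AUTO, ADJ_ARP } adj_kind_t;
typedef struct {
  unsigned flags;
  const uint8_t *hw_addr;   /* NULL on a tunnel: it has no L2 address */
  const uint8_t *rewrite;   /* fixed encap built by the interface type */
  size_t rewrite_len;
} iface_t;
typedef struct {
  adj_kind_t kind;
  uint32_t next_hop;        /* stays 0.0.0.0 for the auto adjacency */
  uint8_t hdr[32];
  size_t hdr_len;
} adj_t;

/* Pick the adjacency for next hop nh; returns 0, or -1 if none can be built. */
int resolve_adj (const iface_t *ifc, uint32_t nh, adj_t *adj)
{
  memset (adj, 0, sizeof (*adj));
  if (ifc->flags & IF_FLAG_P2P) {
    /* P2P: one adjacency for all destinations, no ARP, rewrite from the type. */
    if (ifc->rewrite_len > sizeof (adj->hdr)) return -1;
    if (ifc->rewrite_len)
      memcpy (adj->hdr, ifc->rewrite, ifc->rewrite_len);
    adj->hdr_len = ifc->rewrite_len;
    adj->kind = ADJ_AUTO;
    return 0;
  }
  /* Multi-access: the ARP request needs our hardware address. The thread
     reports a memcpy from a NULL address at this step; refuse instead. */
  if (ifc->hw_addr == NULL) return -1;
  memcpy (adj->hdr, ifc->hw_addr, 6);
  adj->hdr_len = 6;
  adj->kind = ADJ_ARP;
  adj->next_hop = nh;
  return 0;
}

/* Constructed sample: a tunnel with no hardware address, resolving 10.0.0.1. */
adj_kind_t tunnel_lookup (unsigned flags)
{
  iface_t ipsec0 = { flags, NULL, NULL, 0 };
  adj_t adj;
  return resolve_adj (&ipsec0, 0x0a000001u, &adj) == 0 ? adj.kind : ADJ_NONE;
}
```
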


[vpp-dev] Segmentation fault in loading snat_plugin.so

2017-05-20 Thread yug...@telincn.com
Hi all,
Thanks for your time.
I have adjusted the snat nodes like below, then I got a segmentation fault.
It seems that when node snat-det-out2in is registering itself, there is no 
node snat-out2in.
But node snat-out2in was already registered before that, why?


VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
VLIB_REGISTER_NODE (snat_det_out2in_node) = {
  .function = snat_det_out2in_node_fn,
  .name = "snat-det-out2in",
  .vector_size = sizeof (u32),
  .format_trace = format_snat_out2in_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,

  .n_errors = ARRAY_LEN(snat_out2in_error_strings),
  .error_strings = snat_out2in_error_strings,

  .runtime_data_bytes = sizeof (snat_runtime_t),

  .n_next_nodes = 3,

  /* edit / add dispositions here */
  .next_nodes = {
    [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
    [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
    [SNAT_OUT2IN_NEXT_SLOW_PATH] = "snat-out2in",
  },
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);



VLIB_REGISTER_NODE (snat_out2in_node) = {
  .function = snat_out2in_node_fn,
  .name = "snat-out2in",
  .vector_size = sizeof (u32),
  .format_trace = format_snat_out2in_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,
  
  .n_errors = ARRAY_LEN(snat_out2in_error_strings),
  .error_strings = snat_out2in_error_strings,

  .runtime_data_bytes = sizeof (snat_runtime_t),
  
  .n_next_nodes = 3,

  /* edit / add dispositions here */
  .next_nodes = {
    [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
    [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
    [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
  },
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);




Thread 1 "vpp" received signal SIGSEGV, Segmentation fault.
0x7776ded6 in vlib_get_node (i=4294967295, vm=0x779aa2a0 
) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/node_funcs.h:60
60   return vec_elt (vm->node_main.nodes, i);
(gdb) bt
#0  0x7776ded6 in vlib_get_node (i=4294967295, vm=0x779aa2a0 
) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/node_funcs.h:60
#1  vlib_node_main_init (vm=0x779aa2a0 ) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/node.c:608
#2  0x77756bc2 in vlib_main (vm=vm@entry=0x779aa2a0 
, input=input@entry=0x7fffb4cf7fa0) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/main.c:1691
#3  0x77790833 in thread0 (arg=140737347494560) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/unix/main.c:507
#4  0x75c5ff00 in clib_calljmp () at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vppinfra/longjmp.S:110
#5  0x7fffd410 in ?? ()
#6  0x7779123d in vlib_unix_main (argc=, argv=) at 
/usr/src/1704/VBRASV100R001/vpp1704/build-data/../src/vlib/unix/main.c:606
#7  0x001f0f1474db8548 in ?? ()

Regards,
Ewan


ewan

Re: [vpp-dev] Segmentation fault in loading snat_plugin.so

2017-05-20 Thread yug...@telincn.com
Hi all,
My mistake, sorry to bother :) .

Regards,
Ewan


yug...@telincn.com
 
From: yug...@telincn.com
Date: 2017-05-20 15:20
To: vpp-dev
Subject: Segmentation fault in loading snat_plugin.so

Re: [vpp-dev] five tuple nat

2017-05-20 Thread otroan
Hi,

> Thanks, it seems that there is no icmp procedure in det nat, why is it like 
> this?

Yes, there should be ICMP support.

E.g. through:

commit b33f413af46ec8dff7f222dbd5bc3bcec1502d3d
Author: Juraj Sloboda 
Date:   Wed Feb 8 23:54:21 2017 -0800

Add handling of ICMP error packets in SNAT (VPP-629)

Change-Id: I8d2022b7cb3ef3da736c085bccbb5b9c057a8d76
Signed-off-by: Juraj Sloboda  
> 
> Regards,
> Ewan
> ewan
> 
> From: otroan
> Date: 2017-04-25 16:06
> To: yugang
> CC: vpp-dev
> Subject: Re: [vpp-dev] five tuple nat
> Ewan,
> 
> > Do we have any plan to support five tuple nat like linux kernel?
> 
> That should already be supported in the SNAT plugin.
> https://wiki.fd.io/view/VPP/SNAT
> 
> Best regards,
> Ole




Re: [vpp-dev] five tuple nat

2017-05-20 Thread yug...@telincn.com
Hi,
There is no code to process ICMP in func "snat_det_in2out_node_fn", so it 
treats an ICMP packet as a UDP packet, and then we get the wrong output packet.

Regards,
Ewan


yug...@telincn.com
 
From: otroan
Date: 2017-05-20 20:00
To: yug...@telincn.com
CC: vpp-dev
Subject: Re: [vpp-dev] five tuple nat