Age | Commit message | Author | Files | Lines
2023-03-23 | ipsec: make pre-shared keys harder to misuse | Benoît Ganne | 10 | -137/+208
Using pre-shared keys is usually a bad idea, one should use e.g. IKEv2 instead, but one does not always have the choice.
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C) whereas for AES-CTR or AES-GCM, the IV should never be reused with the same key material (see NIST SP800-38a Appendix B and NIST SP800-38d section 8).
If one uses pre-shared keys and VPP is restarted, the IV counter restarts at 0 and the same IVs are generated with the same pre-shared keys materials.
To fix those issues we follow the recommendation from NIST SP800-38a and NIST SP800-38d:
 - we use a PRNG (not cryptographically secured) to generate IVs to avoid generating the same IV sequence between VPP restarts. The PRNG is chosen so that there is a low chance of generating the same sequence
 - for AES-CBC, the generated IV is encrypted as part of the message. This makes the (predictable) PRNG-generated IV unpredictable as it is encrypted with the secret key
 - for AES-CTR and GCM, we use the IV as-is as predictable IVs are fine
Most of the changes in this patch are caused by the need to shoehorn an additional state of 2 u64 for the PRNG in the 1st cacheline of the SA object.
Type: improvement
Change-Id: I2af89c21ae4b2c4c33dd21aeffcfb79c13c9d84c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-03-23 | ipsec: add per-SA error counters | Arthur de Kerhor | 15 | -128/+380
Error counters are added on a per-node basis. In Ipsec, it is useful to also track the errors that occurred per SA. Type: feature Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2023-03-23 | vnet: throttling configuration improvement | Maxime Peim | 6 | -18/+14
To allow a more flexible throttling configuration, the number of bits used in the throttling bitmap can be chosen. Type: improvement Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I7bfe391dd64729011b03f3e5b89408dfc340e036
2023-03-22 | session: add session stats | Filip Tehlar | 5 | -13/+99
Type: feature Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I02d9bb5292b32ffb1b2f05daccd8a7d5dba05125
2023-03-22 | build: fix rpm build error with test_infra | Tianyu Li | 1 | -0/+1
RPM build errors: error: Installed (but unpackaged) file(s) found: /usr/bin/test_infra Add NO_INSTALL tag in CMakeLists to avoid installing test binary. Type: fix Fixes: c3542e17b5df ("vppinfra: widen the scope of test_vector_funcs") Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I359ba79af2e3cb32b47dda3bb8707a5d2fd8586b
2023-03-21 | linux-cp: fix get_default_ns api method | Stanislav Zaikin | 1 | -13/+7
Type: fix Change-Id: I141e5779aab7eee3068b702dd2f93765420fb920 Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
2023-03-21 | papi: vla list of fixed strings | Ole Troan | 2 | -4/+28
Handle a variable length array of fixed strings. Like:
  fixed_string = VPPType("fixed_string", [["string", "data", 32]])
  s = VPPType("string_vla", [["u32", "length"], ["fixed_string", "services", 0, "length"]])
Previously instead of packing and unpacking as strings, exception packed as u8 instead of list.
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I501a8a4755828042e1539fd5a54eacec21c5e364 Signed-off-by: Ole Troan <ot@cisco.com>
2023-03-20 | wireguard: fix sending peer events from worker threads | Alexander Chernavin | 1 | -5/+23
Type: fix API clients can register for peer events (e.g. to be notified when connection is established). In a multi-worker setup, peer events might be triggered from a worker thread. In order to send a peer event to the clients, an API message needs to be allocated and populated. API messages allocation is only allowed from the main thread. Currently, the code does not handle the case when a peer event is trying to be sent from a worker thread. In debug builds, when this happens, it causes SIGABRT in vl_msg_api_alloc_internal() because assertion "pool == 0 || vlib_get_thread_index () == 0" fails. In production builds, when this happens, it might cause unexplained behavior. There is a test that is supposed to catch this but all multi-worker Wireguard tests are currently disabled. This problem is likely to be one of the reasons they were disabled. With this fix, when a peer event is triggered from a worker thread, allocate and send corresponding API message from the main thread using RPC. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib3fe19f8070563b35732afd16c017411c089437e
2023-03-20 | ipsec: set fast path 5tuple ip addresses based on sa traffic selector values | Piotr Bronowski | 1 | -4/+35
Previously, even if sa defined traffic selectors esp packet src and dst have been used for fast path inbound spd matching. This patch provides a fix for that issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
2023-03-19 | vppinfra: fix pool free bitmap allocation | Vladislav Grishenko | 3 | -1/+58
Using clib_bitmap_vec_validate makes free bitmap vector to be x64 times bigger (assuming x86_64) than necessary when non-zero and possible oom due (u32)(0 - 1) math with zero alloc. Fix it with clib_bitmap_validate which takes bit size, not index and ensure at least one bit is allocated. Type: fix Change-Id: I7e191f4e2fb3722a06bb800e1d075f7c7e2dcec9 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2023-03-18 | vppinfra: fix corner-cases in bihash lookup | Dave Barach | 18 | -39/+205
In a case where one pounds on a single kvp in a KVP_AT_BUCKET_LEVEL table, the code would sporadically return a transitional value (junk) from a half-deleted kvp. At most, 64-bits worth of the kvp will be written atomically, so using memset(...) to smear 0xFF's across a kvp to free it left a lot to be desired. Performance impact: very mild positive, thanks to FC for doing a multi-thread host stack perf/scale test. Added an ASSERT to catch attempts to add a (key,value) pair which contains the magic "free kvp" value. Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I6a1aa8a2c30bc70bec4b696ce7b17c2839927065
2023-03-17 | vppinfra: move sha2.h to crypto/ | Damjan Marion | 2 | -1/+591
Type: refactor Change-Id: I3d0c57b82e5bdb4575c1ca13e463685fd11b7f11 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-17 | vppinfra: auto-free test memory | Damjan Marion | 5 | -59/+10
Type: improvement Change-Id: Ibc40a02c8c45fc8d9409c9a86fea7aaf70d9c048 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-17 | vppinfra: add FOREACH_ARRAY_ELT macro | Damjan Marion | 2 | -0/+3
Type: improvement Change-Id: Iac1b3a66176c9a38a161246159140f30a1c168da Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-16 | vppinfra: add clib_crc32c testcase into infra tests | Andrew Yourtchenko | 2 | -0/+55
Type: test Change-Id: Id96448ba3ab69a5b22dfc27812fc17194136b969 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2023-03-16 | session: support active opens with same source port | Florin Coras | 2 | -3/+14
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2b426e9e988c32d261f36367087f358d8cc25e2f
2023-03-16 | hs-test: check exit value of ab/wrk | Filip Tehlar | 1 | -1/+2
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I967e91e4ea97edff427013c92376b388d6ce5d85
2023-03-15 | hs-test: use consistent naming convention | Maros Ondrejicka | 17 | -238/+205
Exported identifiers in Go start with capital letters. Only few fields in hs-test, which are being unmarshaled from yaml are required to be exported. Every other field name or method name should start with lower-case letter, to be consistent with this naming convention. Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I7eab0eef9fd08a7890c77b6ce1aeb3fa4b80f3cd
2023-03-15 | vppinfra: widen the scope of test_vector_funcs | Damjan Marion | 12 | -23/+23
Location changed and binary renamed to test_infra Also it is built by default. Type: improvement Change-Id: I27cd97f274501ceb7a01213e2bc9676cea00f39c Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-15 | crypto-native: 256-bit AES CBC support | Damjan Marion | 8 | -86/+369
Used on intel client CPUs which support VAES instruction set without AVX512 Type: improvement Change-Id: I5f816a1ea9f89a8d298d2c0f38d8d7c06f414ba0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-15 | build: add support for intel alderlake and sapphirerapids, part 2 | Damjan Marion | 1 | -1/+3
Type: improvement Change-Id: I64ca5bd3a959190111f61c5311a908d242c10bad Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-15 | dma_intel: fix potential invalid batch status | Marvin Liu | 1 | -5/+6
DMA batch status was set by hardware. Its value may be variable between cpus twice accesses. Saving the value of status can fix it. Type: fix Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: Ibc9337239555744a571685b486c986991c3e9b18
2023-03-15 | hs-test: create temporary folder at init | Maros Ondrejicka | 1 | -0/+7
Type: test Signed-off-by: Maros Ondrejicka <mondreji@cisco.com> Change-Id: I6444582ce83beddc5cb2fcb31942a4c2e9556bb6
2023-03-14 | dpdk: enable Google Virtual Ethernet | Marvin Liu | 2 | -0/+7
Recognize and drive google virtual ethernet (gve) in google cloud. Type: feature Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: Ia559615ac059cabbca5d10bcd4049e87beaad638
2023-03-14 | vlib: fix clib_crc32c on odd lengths and clib_crc32c_u8 | Andrew Yourtchenko | 1 | -1/+1
Fix the typo in the intrinsic name, which caused incorrect intrinsic to be used. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Ib7fde14d12897e4d1bfb5a01f6d65025473e4f8e
2023-03-14 | session vcl: refactor builtin tx event for main tx | Florin Coras | 9 | -36/+50
Rename unused SESSION_IO_EVT_BUILTIN_TX to SESSION_IO_EVT_TX_MAIN and leverage it for non-connected udp tx. Non-connected udp sessions are listeners and are therefore allocated on main thread. Consequently, whenever session queue node is not polling main, tx events generated by external applications might be missed or processed with some delay. To solve this, request that apps use SESSION_IO_EVT_TX_MAIN tx events as opposed to SESSION_IO_EVT_TX and send that to first worker as opposed to main. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5df5ac3dc80c0f192b2eefb1d465e9deefe8786b
2023-03-14 | session: pre-alloc required dma batches | Marvin Liu | 2 | -0/+3
Specify the number of max_batches when applying for dma config. Skip this round when no batch available from vlib_dma_batch_new. Type: improvement Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: Ic6e0acf81ba4fc3ed33aea6ac6990ef841021c59
2023-03-14 | vlib: pre-alloc dma backend batches | Marvin Liu | 2 | -0/+28
Allocate and initialize dma batch structure when adding dma config. The number of required dma batches is set by max_batches parameter. Thus dma batches are not allocated dynamically in worker thread. Application need to check the return value of vlib_dma_batch_new. Type: improvement Signed-off-by: Marvin Liu <yong.liu@intel.com> Change-Id: I5d05a67b59634cf2862a377d5ab77cb1040343ce
2023-03-14 | session: format transport connection flags | Florin Coras | 2 | -18/+59
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id87c41c472898d4f66b0771f18f822d1069bbfd0
2023-03-14 | session: cleanup lcl endpt freelist before all alloc | Florin Coras | 1 | -4/+5
Make sure endpoint freelist is drained before alloc of fixed local source port is tried. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I302deee5609a463af8135185af71722ac8c55a27
2023-03-14 | build: add support for intel alderlake and sapphirerapids | Damjan Marion | 2 | -1/+28
Disabled by default. Type: improvement Change-Id: I36176c009e0873c048874ae38a7ea0a91449235c Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-14 | crypto-native: avoid crash on 12th and 13th gen Intel client CPUs | Damjan Marion | 1 | -2/+4
Those CPUs are announcing VAES capability but they don't support AVX512. Type: fix Fixes: 73a60b2 Change-Id: I7b4be95e91bb6f367cd71461f1126690f3ecd988 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-14 | memif: don't leak error strings in API handlers | Damjan Marion | 2 | -4/+12
Type: fix Fixes: ab4d917 Change-Id: I226044f64e1577033798fd203a2e981c894830d6 Signed-off-by: Damjan Marion <damarion@cisco.com>
2023-03-13 | udp: Use udp_output_get_connection instead of udp_connection_get | Steven Luong | 1 | -12/+11
udp_output_get_connection handles correctly if the connection is a listener whereas udp_connection_get does not which may lead to a crash. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I40b57287a8686820d29872cae2cfd6ae27a57c26
2023-03-13 | avf: 512-bit SIMD version of avf_tx_prepare | Leyi Rong | 2 | -0/+53
Exploiting AVX-512 operations on avf_tx_prepare(). Type: improvement Signed-off-by: Leyi Rong <leyi.rong@intel.com> Change-Id: I01e0b4a2e2d440659b4298668a868d983f5091c3
2023-03-10 | vcl: init ldp config before vcl init | Florin Coras | 1 | -26/+31
This avoids printing ldp debug messages while debug is disabled and vcl is initializing. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5dfd1d59032db937fea146b6b84b8e26307a0de0
2023-03-10 | vlib: 512-bit SIMD version of vlib_buffer_free | Leyi Rong | 2 | -2/+73
Process 8 packets perf batch in vlib_buffer_free_inline() when CLIB_HAVE_VEC512 is enabled. Type: improvement Signed-off-by: Leyi Rong <leyi.rong@intel.com> Change-Id: I78b8a525bce25ee355c9bf0e0f651698a8c45bda
2023-03-10 | af_packet: fix the broken functionality upon admin down | Mohsin Kazmi | 2 | -41/+25
Type: fix In vpp, file descriptor handler closes the fd upon error if no error handling function is registered. This patch fixes the issue for af_packet interface by registering the error handling function. Errors will also be gracefully logged. Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I260d780ac54ffd0199dcd6ca5b95e5afe957e968
2023-03-09 | vcl: fix select connected deq notification | Florin Coras | 1 | -6/+12
Also make sure that only sessions with fifos try to set deq notification flag on fifo Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I878c2d2e18bb98109ee03b42a4f0f8c48aa23e9f
2023-03-09 | vcl: fix epoll out evt on connect | Florin Coras | 1 | -1/+1
Make sure session has a tx fifo. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ibde40645b401ca0255da298ea4ba691ee924a2d2
2023-03-08 | session: Use session->thread_index to correctly retrieve the session | Steven Luong | 1 | -1/+3
For non-connected udp, when retrieving the subscriber session to send the notification, it uses the current worker thread index whereas the subscriber session is actually on the main thread. Using the worker thread may cause a crash since the corresponding session may not be valid in the worker thread context and even if it is valid, it is the wrong session. This scenario is seen when the application forks and adds subscribers to the worker thread session. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I236ee9d9ff9f3b2f7f9f8e782d70d1080aa1b627
2023-03-08 | hs-test: fix install-deps | Dave Wallace | 1 | -6/+10
- Skip addition of docker apt source/key if already installed. Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I747e4dd5e79e23b64e6eb11c6a9348e2ae1a157f
2023-03-08 | quic: use tx instead of builtin_tx event with timers | Florin Coras | 1 | -3/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic11069c912a5e59bb3ea0e0c6de6cfcc879c5f4e
2023-03-08 | hs-test: fix docker-ce install | Dave Wallace | 1 | -5/+17
Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I449cd4ad71e33a2dd41e53accc6b325803a32c70
2023-03-08 | hs-test: add vppctl wrapper script | Filip Tehlar | 1 | -0/+6
Type: test Add a helper wrapper script for vppctl called vppcli to vpp docker image with proper cli socket path. Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I1a51aa54bc91c1c812698501a56401c525d498e8
2023-03-07 | hs-test: fix envoy test | Filip Tehlar | 3 | -10/+12
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I776e0f1f7ea700439d1fe6a598772776ae6a1493
2023-03-07 | avf: enable rss action of flow | Xinyao Cai | 4 | -152/+2925
This patch enables RSS action of avf flow. Type: feature Signed-off-by: Xinyao Cai <xinyao.cai@intel.com> Change-Id: I65de18d0c2eaa415893959563ea917a6b1956550
2023-03-07 | vlib: stop worker threads on main loop exit | Vladislav Grishenko | 1 | -1/+2
If not, worker threads may continue own loops after deinit and/or thread0 exit with related crashes due no rpc capability, unmapped shared memory, etc. Main loop exit handlers that uses barrier sync will be happy too as long as recursive barrier sync is supported. Type: feature Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru> Change-Id: I255a796b06936d96715683e3f062128060233dc6
2023-03-07 | avf: fix cli memory leak with incorrect options | Tianyu Li | 1 | -37/+19
Remove extra line_input and unformat_user. Type: fix Fixes: b4ff07a2f843 ("Intel Adaptive Virtual Function native device driver plugin") Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I9e502f3b254d0b1c7d8fd4b80925338a18da8269
2023-03-07 | udp: crash in format_udp_connection | Steven Luong | 1 | -1/+1
format_udp_connection takes 2 arguments from the caller. Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ie618a809936a01c094982f9a8c81309826e0b087