summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2020-09-11l2: fix null deref in l2_to_bvi()Matthew Smith1-1/+1
Type: fix Static analysis identified a possible null pointer dereference. It was introduced by a recent patch which expanded the DMAC comparison on inbound packets on a BVI interface to include any secondary MAC addresses which were added to an interface. Check if the pointer is null before dereferencing. Change-Id: Ic2afe2b062eda32977e05bf3f98d82c1fe64620c Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-09-11ikev2: fix memory leaksBenoît Ganne1-7/+20
- make sure everything is freed on cleanup - reuse already allocated vectors where possible Type: fix Change-Id: Ibd8da1edb37126522dc2d525596521d32dceb73a Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-11quic: fix coverity warningAloys Augustin1-1/+1
Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: Ic51ba3450b3d0722ebff4280127f526b5a9934b1
2020-09-11misc: selinux fixes (packet_socket r/w)Martin Millnert1-1/+1
vpp-20.05 on up-to-date Centos 7.8 host with enforcing SELinux fails to create a host-interface due to two missing SELinux-permissions: vpp_t self:packet_socket { read write } This simple patch adds these two permissions. Tested successfully on local installation. The steps to reproduce: $ ip link add vpeer-host type veth peer name vpeer-vpp vpp# create host-interface name vpeer-vpp create host-interface: Permission denied (errno 13) [...] $ semodule -i vpp-packet-socket.pp vpp# create host-interface name vpeer-vpp host-vpeer-vpp Type: fix Ticket: VPP-1931 Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944 Signed-off-by: Martin Millnert <martin@millnert.se>
2020-09-10lisp: fix vat crash with one_add_del_local_eid apiOnong Tayeng1-1/+1
VAT crashes when the one_add_del_local_eid api is invoked with mac address as eid. Type: fix Signed-off-by: Onong Tayeng <otayeng@cisco.com> Change-Id: I29e246f6cad4b350fec52d54e94dbed586d488c4
2020-09-10wireguard: fix handshake procedureArtem Glazychev2-12/+17
Type: fix Change-Id: I96e8c5c9c792b1d9aefd39ce3e240d220827b7d1 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2020-09-10lisp: fix crash with arp and packet trace onOnong Tayeng2-3/+7
With packet trace on, VPP crashes when an arp packet arrives. This patch fixes the crash and also ensures that the packet trace displays the eid info. Type: fix Signed-off-by: Onong Tayeng <otayeng@cisco.com> Change-Id: Iaad09a5e2b33e931ab9bd7bc3d4573b5ed5e4bfd
2020-09-10af_xdp: documents incompatibility with 1GB hugepages and high buffers-per-numa.Mohammed Hawari1-0/+2
Type: docs Change-Id: If8602d4b73cc1f04e42d19b8df60a05f67aa90c9 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2020-09-09vlib: support interrupt re-arm from nodev21.01-rc0Damjan Marion1-10/+21
Type: improvement Change-Id: I13517bff4129497644e0efc3495d0ee7897fe5a7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-09docs: Improve new plugin doc & add govpp API docNathan Skrzypczak4-28/+142
Type: docs Change-Id: I5f20ac0232c5cdc3cf64015185b0d0fc5c4a3100 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-09docs: Update and improve indent installNathan Skrzypczak1-13/+28
Type: docs Change-Id: I1a37450261e0bcedf90685243b14027f3cf23704 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-09l2: check secondary macs on BVI interfaceMatthew Smith1-2/+35
Type: fix VRRP cannot be used on a BVI interface currently because packets sent to the virtual mac address of the VR fail the destination mac check in l2_to_bvi(). Apparently people want to use VRRP on BVI interfaces, so update the check in l2_to_bvi() so that it will check any secondary mac addresses which have been added to the ethernet interface if the destination mac address does not match the primary mac address for the interface. An equivalent check is already done in ethernet_input_inline() for L3 interfaces which are in promiscuous mode. Change-Id: I7c5bf624dafda8744fea236c704e8e17e5f53b35 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-09-09docs: Fix create memif cliNathan Skrzypczak3-4/+4
Type: docs Change-Id: I91a954abf77335e1ddcbd1468633d9d7980bbac2 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-09svm: fix non-null-terminated stringBenoît Ganne1-1/+1
Type: fix Change-Id: Ia9cd71ce12584cd8ef90bfe357cf762dd7653f71 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-09misc: Merge 20.05.1, 19.08.3 RELEASE.md sectionsAndrew Yourtchenko1-10/+19
also, remove a duplicate 17.01.1 section and wrong page tag for 20.09 Change-Id: Ia2cc77faa75cccab38972ad46517762cb7456466 Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-09-09wireguard: initial implementation of wireguard protocolArtem Glazychev34-1/+6226
Type: feature The main information about plugin you can see in README.md vpp# wireguard ? wireguard create wireguard create listen-port <port> private-key <key> src <IP> [generate-key] wireguard delete wireguard delete <interface> wireguard peer add wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval] wireguard peer remove wireguard peer remove <index> Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Jim Thompson <jim@netgate.com> Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-09crypto: change cryptodev with new cryptodev APIFan Zhang4-1/+3188
Type: feature This patch updateds cryptodev engine uses new DPDK Cryptodev API planned to be upstreamed in DPDK 20.11. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrX.bronowski@intel.com> Change-Id: I8dd1a8ac643f1e952deb787e466b76ea7aa5f420
2020-09-09interface: support configuring RSS steering queuesChenmin Sun10-36/+320
This patch adds the RSS steering queues set interface, and it's implementation in DPDK device: /* Interface to set rss queues of the interface */ typedef clib_error_t *(vnet_interface_rss_queues_set_t) (struct vnet_main_t * vnm, struct vnet_hw_interface_t * hi, clib_bitmap_t *bitmap); This patch also introduces a command line to set the RSS queues: set interface rss queues <interface> <list <queue-list>> To display the rss queues, use "show hardware-interfaces" Below is the example to configure rss queues for interface Gig0: vpp# set interface rss queues Gig0 list 0,2,4-7 vpp# show hardware-interfaces brief Name Idx Link Hardware VirtualFunctionEthernet18/1/0 1 down VirtualFunctionEthernet18/1/0 Link speed: unknown RSS queues: 0 2 4 5 6 7 local0 0 down local0 Link speed: unknown vpp# Users can also configure the rss queues on a dpdk interface in startup.conf: dpdk { dev 0000:18:01.0 { rss-queues 0,2,5-7 } } Type: feature Signed-off-by: Chenmin Sun <chenmin.sun@intel.com> Change-Id: I1835595a1c54016a84eabee9fd62ce137935385d
2020-09-09stats: Fix stat_segment to set timeout directlyRajesh Goel1-0/+13
Type: fix Signed-off-by: Rajesh Goel <rajegoel@cisco.com> Change-Id: Ib37802f4270fe894a31e871c7fbb12b5a1cdf058
2020-09-09tcp: fix the tcp unittest to workRyujiro Shibuya1-0/+2
Type: fix Signed-off-by: Ryujiro Shibuya <ryujiro.shibuya@owmobility.com> Change-Id: If5a8313262da828616db8b1d9ef831d42b11d952
2020-09-08dpdk-ipsec: don't leak buffers on crypto alloc failureChristian Hopps2-6/+8
Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I4dee2ea723631e1bd95b33a74b9431d984565aef
2020-09-08dpdk: fix extended stat stringsChristian Hopps1-2/+2
- These were displaying blank, apparently dpdk extended stat strings must be within the heap so they are identified as vectors by format_c_identifier even though they are not. Type: fix Change-Id: I2b153b100203b9856ce3af6d5ecb2daae410fb5b Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-08dpdk: fix interface counters to never go backwardChristian Hopps1-33/+24
Was seeing imissed counter become negative. Reuse the RX_ERROR code for all three error counters to avoid the problem. Type: fix Change-Id: I99a69c8816326682745785ecd30e18a131ac2969 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-08svm session: document unsupported fifo deq combinationsFlorin Coras4-7/+33
Type: fix - Document that ooo dequeues with ooo lookups cannot be done in combination with in order dequeues. - Added assert to capture this scenario and de-initialized rbtrees for cut-through tx fifo Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic40d020b3f0391fcf022ea3c906b86121744144f
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps9-52/+120
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESPs 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with the and acknowledged with the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-06marvell: add cli options to configure rxq and txq sizesChristian E. Hopps1-1/+6
Add the ability to configure the pp2 rx and tx queue sizes in the CLI. Type: improvement Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I6a824f92e22fa47fec3d84525cc2d82524ddf639
2020-09-05vlib: vlib_get_node_by_name fails via APINathan Skrzypczak1-2/+1
Type: fix Calling vlib_get_node_by_name via the VPE api doesn't work due to hash weirdness. Haven't gotten around the real cause of this. But this fixes it. Change-Id: I89f95dba2bcd9573b8f1f435e063e9dd57f9ca93 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-05docs: Improve & link cnat docNathan Skrzypczak3-13/+81
Type: docs Change-Id: Ib985ed6a644ae3f4c330bf6a27dc69c49a489a2f Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-04cnat: fix cnat_set_snat() debug CLIDave Barach1-6/+18
Otherwise, the debug CLI command is unusable in a script because it will eat (and complain about) subsequent lines in the script. Missing this guitar lick, etc: /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Id328e6f1cc4d2e1672c3946db3865ab5a1a3af8d
2020-09-04cnat: fix snat ip v6 testsMathiasRaoul1-6/+6
Type: fix Change-Id: I9e102e0028274cc084e59c106d1cd4be174b1205 Signed-off-by: MathiasRaoul <mathias.raoul@gmail.com>
2020-09-04virtio: remove kernel virtio header dependenciesMohsin Kazmi18-394/+483
Type: refactor tap, virtio and vhost use virtio/vhost header files from linux kernel. Different features are supported on different kernel versions, making it difficult to use those in VPP. This patch removes virtio/vhost based header dependencies to local header files. Change-Id: I064a8adb5cd9753c986b6f224bb075200b3856af Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-09-04vrrp: improve RFC compliance for ARP/NDMatthew Smith2-38/+48
Type: fix The ARP/ND feature nodes reply to requests for a VR virtual IP address when a VR is in the master state. If the VR is in the backup state, the request is passed to the next node on the feature arc. This can cause an incorrect response to be sent. If some other feature (e.g. NAT) causes a virtual IP address to be configured as a "local" address on the system, a later node on the feature arc may respond to an ARP/ND request with the real MAC address of the interface. RFC 5798 says that a router must respond to ARP/ND requests for VR virtual IP addresses with the VR virtual MAC address. And it says a router must not respond to ARP/ND requests for VR virtual IP addresses when the VR is in the backup state. Ensure that ARP/ND requests for VR virtual IP addresses are dropped when in the backup state rather than allowing them to continue on the feature arc where another node may end up responding. In order to do this, enable/disable the feature nodes when leaving or entering the init state instead of the master state. Change-Id: I416f83e125cbf91deb90c3b6eb00ba3207de24ad Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-09-04buffers: improve cache occupancyDamjan Marion1-2/+8
Adjust buffer allocation so it always have odd number of cache lines. That should result in better distribution of cachelines among cache sets. Type: improvement Change-Id: I0d39d4cf01cff36ad6f70a700730823a96448c22 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-04dpdk-ipsec: use init function instead of one-time processChristian Hopps1-11/+3
Use VLIB_MAIN_LOOP_ENTER_FUNCTION to do post init initialization for dpdk crypto rather than create a one-time process to do the same. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I06e480b028c8e1fc1b0024a66b2338eb21a797ca
2020-09-04vpp: Fix node APIsNathan Skrzypczak2-5/+5
Type: fix Change-Id: Ic6e2b7e05b50945a8e2222019c2942a6ee52e465 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-04dpdk-ipsec: fix show outputChristian Hopps3-3/+3
Fix the shown crypto inflight counts which were reversed. Also improve a couple error descriptions to tell them apart when viewed. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I6d4054c64aa842658cfcde8969c7aa48f6d21207
2020-09-04ipsec: fix trace of GRE_teb packetsChristian Hopps1-2/+5
The issue is not easily hit. When GRE_teb packets are received the post crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque data. This is overwriting the ipsec opaque data. Later the trace code fetches the sa_index from the ipsec opaque data. It's just an accident that this currently works, if the ipsec data is changed so that the sa_index moves around it will be overwritten by the l2_len modification. Indeed, this was found b/c local development changes had moved the sa_index so it was over-lapping with the l2_len memory space, and the UT failed. Type: fix Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-04ipsec: cli: add missing flags for SA addChristian Hopps1-0/+12
Add missing cli options for setting IPsec SA flags, inbound, use-anti-replay, and use-esn. Type: fix Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-04ip: enhance vtep4_check of tunnel by vector wayZhiyong Yang6-48/+173
This patch aims to improve decap performance by reducing expensive hash_get callings as less as possible using AVX512 on XEON. e.g. vxlan, vxlan_gpe, geneve, gtpu. For the existing code, if vtep4 of the current packet match the last vtep4_key_t well, expensive hash computation can be avoided and the code returns directly. This patch improves tunnel decap multiple flows case greatly by leveraging 512bit vector register on XEON accommodating 8 vtep4_keys. It enhances the possiblity of avoiding unnecessary hash computing once hash key of the current packet hits any one of 8 in the 512bit cache. The oldest element in vtep4_cache_t is updated in round-robin order. vlib_get_buffers is also leveraged in the meanwhile. Type: improvement Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com> Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Signed-off-by: Junfeng Wang <drenfong.wang@intel.com> Change-Id: I313103202bd76f2dd638cd942554721b37ddad60
2020-09-03api: fix ipsec custom_dump functionChristian Hopps1-8/+5
The protocol value was changed to 50 and 51 (rather than 0 and 1), but the custom_dump function wasn't updated to reflect this. Also the is_add value wasn't being shown. Fix both these issues. Type: fix Change-Id: I429b4616d6c7937f73308b644154370fab32eaae Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-03misc: l2tp: cli: fix overly generic CLI commandsChristian Hopps1-2/+2
"clear counters" is not appropriate for a protocol to own. Change to "clear l2tp counters" (and "test l2tp counter"). Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I3faac3907c4697c1c95df34ac7d31e48063869a8
2020-09-03vlib: exit 0 (nocore) on SIGHUPChristian Hopps1-2/+2
Scenarios where SIGHUP is sent would include the user closing an xterm while in interactive/nodaemon mode, or similarly when running vpp in the same mode during testing (e.g., using ssh to run VPP on a DUT). VPP should exit in these cases; however, generating a core is unwanted. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Ibccfe5e676547e913c8a205ff16ab56d9abb1c82
2020-09-03crypto: Add async crypto APIsNathan Skrzypczak11-5/+307
Type: feature This adds api calls for the following CLIs: * set sw_scheuduler worker <N> crypto on|off * set crypto async dispatch polling|interrupt * set crypto handler * set crypto async handler Change-Id: Ic701d149c440e42ea4575da42b9f69e4c8759602 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-03crypto: SW scheduler async crypto enginePiotrX Kleski8-71/+1027
Type: feature This patch adds new sw_scheduler async crypto engine. The engine transforms async frames info sync crypto ops and delegates them to active sync engines. With the patch it is possible to increase the single worker crypto throughput by offloading the crypto workload to multiple workers. By default all workers in the system will attend the crypto workload processing. However a worker's available cycles are limited. To avail more cycles to one worker to process other workload (e.g. the worker core that handles the RX/TX and IPSec stack processing), a useful cli command is added to remove itself (or add it back later) from the heavy crypto workload but only let other workers to process the crypto. The command is: - set sw_scheduler worker <idx> crypto <on|off> It also adds new interrupt mode to async crypto dispatch node. This mode signals the node when new frames are enqueued as opposed to polling mode that continuously calls dispatch node. New cli commands: - set crypto async dispatch [polling|interrupt] - show crypto async status (displays mode and nodes' states) Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com> Reviewed-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I332655f347bb9e3bc9c64166e86e393e911bdb39
2020-09-02vcl: handle svm fifo write failureFlorin Coras1-1/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4b132cad8ff906ef24846cc43935ccfd6aa7b4ec
2020-09-02tcp: fix connection refused errorFlorin Coras1-1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I436741e061f11685980a71fb3989befc7af1e081
2020-09-02nat: twice-nat static mapping pool addressFilip Varga10-95/+354
Let twice-nat static mapping pick specific address from the twice-nat pool. Type: improvement Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-09-02fib: IPv6 lookup data structure MP safe when prefixes changeNeale Ranns4-15/+84
Type: fix adding routes should be MP safe. When new prefixes with differrent prefix lengths are added, adjust the sorted list in an MP safe way. Change-Id: Ib73a3c84d01eb86d17f8e79ea2bd2505dd9afb3d Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-02fib: fix ADJ_NBR_ITF_OK param erroryedg1-1/+1
Type: fix Signed-off-by: yedonggang <yedg@wangsu.com> Change-Id: I3bf67070ed01df40626f3b90f2762158b6c3ce05
2020-09-02bonding: add bond_create2 API to include gso optionSteven Luong6-20/+234
gso option is available for the debug CLI version of bond create. This patch is to create a new API to have the corresponding option in the binary API. The old binary API bond_create is marked deprecated. Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0