summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2021-10-13vapi: fix vapi test coverity warningFlorin Coras1-0/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5ecb73009c6ebb00b5d9e14bd09b4b3e80ab5601
2021-10-13vppinfra: fix socket init netns coverityFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4f37c6601ace08ae886b08d2284b413d457e4eae
2021-10-13vppinfra: fix format_table coverity warningFlorin Coras1-1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ida114ba35227f70ddd87cad791a21f186be1cba8
2021-10-13vlib: fix vmbus error logBenoît Ganne1-3/+3
struct dirent *e is freed when calling closedir(). Use ifname instead. Type: fix Change-Id: Icc9ca52c33ecc1dee7a9e28802149e4e3e4c8ac0 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-13interface: handle error during admin-up correctlyMatthew Smith1-3/+0
Type: fix In vnet_sw_interface_set_flags_helper(), the variable old_flags is set to the original value of vnet_sw_interface_t.flags for an interface. If an error occurs during the process of bringing an interface up, old_flags is used to restore the original value. Before the dev class or hw class admin_up_down_function can be called, but after modifying vnet_sw_interface_t.flags to it's new value, old_flags is set to the value of vnet_sw_interface_t.flags a second time. This discards the original flags that were being preserved. As a result, if an interface is being brought up and the dev class or hw class function fails, at the end VPP believes that interface is up. This can cause a crash if packets are routed through the interface and some RX/TX initialization was not completed because of the error while bringing the interface up. Change-Id: Ica6b6bac13c24e88c4136bf084cd392e6217e7d9 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-10-12dhcp: fix coverity warningFlorin Coras1-1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I2367e86fb22176881d118342f6e991dbc708b1f2
2021-10-12vppinfra: use unaligned non-vector load/stores in x86 memcpyDamjan Marion4-21/+28
Type: fix Change-Id: I54ef23a52f05cc95210a736f84b927dd69b8a6f7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-10-12fib: fix the drop counter for ipv6 RPF failuresNeale Ranns3-24/+36
Type: fix the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting. The traces previously showed some bogus reason: 00:04:27:325550: ip6-mfib-forward-rpf entry 10 itf -1 flags 00:04:27:325551: ip6-drop fib:0 adj:10 flow:0 UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2 tos 0x00, flow label 0x651ed, hop limit 1, payload length 64 UDP: 546 -> 547 length 64, checksum 0xec9a 00:04:27:325551: error-drop rx:GigabitEthernet6/0/0 00:04:27:325553: drop ip6-input: drops due to concurrent reassemblies limit Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
2021-10-12unittest: fix crypto key len coverity warningFlorin Coras1-1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id41e22345be3ec401813ba43ddc7d92666784eb4
2021-10-12api: cli coverity fixesFlorin Coras1-2/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I515be7ea213250fe89a2b2be06f3636fe8f493a8
2021-10-12ipsec: Performance improvement of ipsec4_output_node using flow cacheGovindarajan Mohandoss10-17/+1060
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup performance. Details about flow cache: Mechanism: 1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache. 2. The flow cache is implemented using bihash without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision and fall back to linear search. Average and best case will be O(1). 3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows. This can be made as a configurable option as a next step. 4. Whenever a SPD rule is added/deleted by the control plane, the flow cache entries will be completely deleted (reset) in the control plane. The assumption here is that SPD rule add/del is not a frequent operation from control plane. Flow cache reset is done, by putting the data plane in fall back mode, to bypass flow cache and do linear search till the SPD rule add/delete operation is complete. Once the rule is successfully added/deleted, the data plane will be allowed to make use of the flow cache. The flow cache will be reset only after flushing out the inflight packets from all the worker cores using vlib_worker_wait_one_loop(). Details about bihash usage: 1. A new bihash template (16_8) is added to support IPv4 5 tuple. BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set to 1 in the new template. It means only one KVP is supported per bucket. 2. Collision handling is avoided by calling BV (clib_bihash_add_or_overwrite_stale) function. Through the stale callback function pointer, the KVP entry will be overwritten during collision. 3. Flow cache reset is done using BV (clib_bihash_foreach_key_value_pair) function. Through the callback function pointer, the KVP value is reset to ~0ULL. MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt, 64B for different SPD policy matching indices: SPD Policy index : 1 10 100 1000 Throughput : MPPS/MPPS MPPS/MPPS MPPS/MPPS KPPS/MPPS (Baseline/Optimized) ARM Neoverse N1 : 5.2/4.84 4.55/4.84 2.11/4.84 329.5/4.84 ARM TX2 : 2.81/2.6 2.51/2.6 1.27/2.6 176.62/2.6 INTEL SKX : 4.93/4.48 4.29/4.46 2.05/4.48 336.79/4.47 Next Steps: Following can be made as a configurable option through startup conf at IPSec level: 1. Enable/Disable Flow cache. 2. Bihash configuration like number of buckets and memory size. 3. Dual/Quad loop unroll can be applied around bihash to further improve the performance. 4. The same flow cache logic can be applied for IPv6 as well as in IPSec inbound direction. A deeper and wider flow cache using bihash_40_8 can replace existing bihash_16_8, to make it common for both IPv4 and IPv6 in both outbound and inbound directions. Following changes are made based on the review comments: 1. ON/OFF flow cache through startup conf. Default: OFF 2. Flow cache stale entry detection using epoch counter. 3. Avoid host order endianness conversion during flow cache lookup. 4. Move IPSec startup conf to a common file. 5. Added SPD flow cache unit test case 6. Replaced bihash with vectors to implement flow cache. 7. ipsec_add_del_policy API is not mpsafe. Cleaned up inflight packets check in control plane. Type: improvement Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com> Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Tested-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006
2021-10-12session: set actual lcl ip on accepted ctFlorin Coras1-1/+1
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic2ba5fa234a394acb524b61573fc49f2d58c2dea
2021-10-12memif: fix the memif crash when slave disconnectMohsin Kazmi1-1/+2
Type: fix Fixes: 3effb4e63068 ("memif: integrate with new tx infra") memif is recently integrated with new tx infra. But it introduces a crash when slave disconnect from master but interface is not deleted. Disconnect routine was missing unregister of all tx queues. This patch fixes it. Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I81c59cc1a03561248ec8595d5e3caa54f421833e
2021-10-12Revert "nat: static mappings in flow hash"Ole Troan31-1298/+1468
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12nat: static mappings in flow hashKlement Sekera31-1468/+1298
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-10-11api: set missing handlersFilip Tehlar1-0/+3
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I1fdefeaa4661c03e819b2f2f25762c633f9ab42c
2021-10-11vat: move memset after initFilip Tehlar2-2/+2
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ia65fd2f99dfe6538411c247aeb9691c590c2e00b
2021-10-11l3xc: skip load balancing if not multipathBenoît Ganne1-5/+5
Type: improvement Change-Id: I3d8e1c7a83530bbc4b1751358ad7d034476ff13f Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-11ip: fix fib and mfib locksNathan Skrzypczak14-96/+126
This patches fixes an issue that could cause fib locks to underflow: if an API user deletes a fib and quickly recreates it, the fib may not have been actually deleted. As a result, the lock would not be incremented on the create call leading to the fib potentially disappearing afterwards - or to the lock to underflow when the fib is deleted again. In order to keep the existing API semantics, we use the locks with API and CLI source as flags. This means we need to use a different counter for the interface-related locks. This also prevents an issue where an interface being bound to a vrf via API and released via CLI could mess up the lock counter. Finally, this will help with cleaning up the interface-related locks on interface deletion in a later patch. Type: fix Change-Id: I93030a7660646d6dd179ddf27fe4e708aa11b90e Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com> Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-10-11docs: nitfixes in FEATURE.yamlNathan Skrzypczak8-9/+9
Type: improvement Change-Id: Iec585880085b12b08594a0640822cd831455d594 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-11af_xdp: ensure at least one queue is createdJoshua Roys1-1/+4
Attempting to create an af_xdp interface with zerocopy where the underlying driver didn't support it would lead to a crash due to queue creation silently failing. Type: fix Signed-off-by: Joshua Roys <roysjosh@gmail.com> Change-Id: Ifd9070b8c2b3023d71120c5cf20f7e89d04e4cb3
2021-10-08tls: shutdown openssl context on app closeFlorin Coras1-0/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie0fde16fb4e41637169474628808fddf343884f3
2021-10-08vxlan-gpe: add udp-port configuration supportArtem Glazychev10-395/+687
similar behavior as here: 839dcc0fb7313638d9b8f52a9db81350dddfe461 Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I1b0a8f8f3dab48839e27df7065cf5f786cf0b5e9
2021-10-08ikev2: lazy initializationBenoît Ganne4-52/+111
- do not initialize resources if ikev2 is not used. - process IKE packets only if we have profile(s) configured Type: improvement Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-08build: fix centos rpm buildTianyu Li1-4/+4
When build vpp-plugins rpm package, found /home/vpp/build-root/rpmbuild/vpp-21.10/build-root/\ install-vpp-native/vpp/lib/vpp_plugins: No such file or directory RPM build errors: File not found: /home/vpp/build-root/rpmbuild/../usr/lib/vpp_plugins/* After e3cf4d0 ("build: use GNUInstallDirs install destinations") vpp_plugins on centos src path changed from lib to lib64 Update RPM spec file accordingly. Type: fix Signed-off-by: Tianyu Li <tianyu.li@arm.com> Change-Id: I9c4d91f97f2faa474bce28893ab763b414f759b8
2021-10-07ipsec: fix protect update log if nexthop is NULLBenoît Ganne1-2/+3
If logging is on, it will try to print the address nh. Make sure it is not NULL. Type: fix Change-Id: I81c0295865901406d86e0d822a103b4d5adffe47 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07wireguard: peers dump fixArtem Glazychev1-1/+1
Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I4450b8c8b50a3be8d6a399f6a58bc0e8eb500b28
2021-10-07vppinfra: asan: improve overflow semanticBenoît Ganne4-36/+46
Type: improvement Change-Id: Ia63899b82e34f179f9efa921e4630b598f2a86cb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07misc: MAINTAINERS fixes for lldp and lispAndrew Yourtchenko1-13/+12
They are now plugins Type: docs Change-Id: I37d0db10872218cb645feda83fc47b14a57ceada Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-10-07build: fix ipsecmb version checkFan Zhang1-5/+5
Type: fix This patch fixes the chacha20-poly1305 support check in ipsecmb engine build. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Change-Id: I74b52a27f78a0f6a65c867dbd44a44a8f4a2ed60
2021-10-07udp: fix severity error infoFilip Tehlar6-28/+28
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I415d68b39ecac546b531f6eb98bca51e7eb6f7f7
2021-10-07ip: fix path MTU node errors definitionBenoît Ganne3-3/+7
The path mtu node uses errors defined by ip fragmentation. Type: fix Change-Id: I1f173955919a4f555ab0309cd8201ec342a0ae92 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: do not require optional IDr on IKE AUTHBenoît Ganne2-20/+57
IDr is optional in IKE AUTH from the initiator. In that case, the responder is free to use any matching profile and fills the corresponding IDr in the response. The initiator is then free to accept or reject it. Type: improvement Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: add logs in case of parsing errorsBenoît Ganne1-6/+24
Type: improvement Change-Id: Id0a6a9e68725ea7aa0b7da14cf54d14405a907fb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: do not send IDi on responder AUTHBenoît Ganne1-1/+0
The IDi is not mentioned in the RFC for the responder AUTH message, and it confuses some IKE implementations. Type: fix Change-Id: I2bcefa1efd315412a6f5fa592668d4e0da510264 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07arp: source address selectionEd Warnicke2-5/+13
https://gerrit.fd.io/r/c/vpp/+/30197 introduced SAS and inadvertently broke ping in a variety of situations: https://jira.fd.io/browse/VPP-1992 https://jira.fd.io/browse/VPP-1970 https://lists.fd.io/g/vpp-dev/topic/84038840 all of which seem to be rooted in situations where there's literally nothing smarter ping can do for source address selection than to pick the first IP on the interface. This can happen for: 1. P2P interfaces, see attempted fix: https://gerrit.fd.io/r/c/vpp/+/32801 2. Interfaces with /32 IP addresses intentionally assigned After some discussion, this problem was partially fixed in https://gerrit.fd.io/r/c/vpp/+/33449 Unforunately, while source selection was fixed in ping, it continued to be broken in arp/nd. This gerrit builds on https://gerrit.fd.io/r/c/vpp/+/33449 and fixes arp/nd. Type: fix Ticket: VPP-1970 Ticket: VPP-1992 Fixes: e2fe097424fb169dfe01421ff17b8ccd0c26b4a6 Change-Id: Ief60c321676a15f4f30bf4cd84d50b2f1efec432 Signed-off-by: Ed Warnicke <hagbard@gmail.com>
2021-10-07perfmon: Topdown Level 1 support on SnowridgeRay Kinsella4-1/+102
Enable Topdown Level 1 support on Snowridge, enabled with standard CPU events on small core. Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I58ad09383de7464265ac1b69e683f253591e3b5e
2021-10-07perfmon: check bundle is supportedRay Kinsella1-0/+23
Add a check bundle is supported before futher activation. Enable different bundles with same name, supported on different platforms. Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I73e8bbd1e07c05ebccd9146d48a234eb598a2388
2021-10-07perfmon: fix peusdo eventsRay Kinsella1-1/+1
Fix peusdo events, missed populating "core" events with peusdo events. Type: fix Fixes: bf37bf6f7 Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I569fa876f1b58540adac0b095be0ff4ade664dec
2021-10-06ip: check if interface has link-local address (addition)Artem Glazychev1-1/+6
previous - b31fbc47f5fcf8234c757558d7b0285348774086 Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I7ea2d693d3ad5bf41ece066b3511fbfa156c1e4b
2021-10-06wireguard: add events for peerArtem Glazychev9-41/+359
we can receive events from peer about its state: -WIREGUARD_PEER_STATUS_DEAD -WIREGUARD_PEER_ESTABLISHED Type: improvement Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06session: fix severity infoFilip Tehlar1-11/+10
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I6548274f8c0ae2a183b1d221cb195de445c2819f
2021-10-06wireguard: add ipv6 supportArtem Glazychev15-244/+965
Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-06tcp: fix severity infoFilip Tehlar6-69/+69
Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ibe39bc045c3b154209a83b59ef95a37c61b32c0c
2021-10-06docs: more nitfixesNathan Skrzypczak4-46/+49
Type: fix Change-Id: I41455e1cdc62e7c0baa148630b0701b042f3b156 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06build: fix lib dir in debian packagingDamjan Marion1-1/+1
Type: fix Change-Id: I64b0bbe5ba2317ab03b68f140df69a94a0dd7407 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-10-06docs: vnet comment nitfixesNathan Skrzypczak16-85/+109
Type: improvement Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06vlib: doc nitfixesNathan Skrzypczak3-3/+3
Type: improvement Change-Id: I9e761f908d9d2becbc61eb0515dc6b7c1e1e036f Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06docs: extras/deprec nitfixesNathan Skrzypczak4-8/+7
Type: improvement Change-Id: I39038072eff3c09536917a32984daebab69e6fe7 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06ip: add classifier-based ACLs support on ip puntBenoît Ganne7-293/+379
This feature allows one to add classifier-based ACLs on packets punted from the ip infra, eg. to only whitelist specific sender(s). Type: feature Change-Id: Idab37b188583efbca980038875fc3e540cb2e880 Signed-off-by: Benoît Ganne <bganne@cisco.com>