| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
Change-Id: I9952497a108bac26445af95c28d4eed46099c2fc
|
|
We should not use main thread vlib_main in workers.
Type: fix
Change-Id: I58c0a8cadf2dc7f768b20ac90e7ec7921e2e8ca4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 0a2fde105a5a0c996333d67d2901b4eaedf7cbe1)
|
|
Type: improvement
Change-Id: I840741dfe040718b682935cdbcb0ba958d45a591
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 40aa27ef7cf63daa11974d0b06ea9ee1a102cb32)
|
|
When removing an interface we must reset all per-interface per-feature
arc data to ensure we do not get wrong feature arc config data when the
sw_if_index is recycled.
Type: fix
Change-Id: I8c9d850d7c62b7b77193da4258ab5fb9bdda85a6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 6178bdafa6a318d50cc8ad82f07c6c798c7024ef)
|
|
ipsec_{crypto,integ}_alg_t are packed and smaller than u32. Callers are
using those enums so unformat functions should too instead of u32 to
not overflow the stack.
Type: fix
Change-Id: Ifc86366f1928ca6352f06f390a88ac64668289d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit f6422ffbc82c55f50d06c8c7a2e230db7001ee35)
|
|
Type: docs
Change-Id: I96d5cdb41bd938f06d2d72f2625bf1b3d2c5b1b4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 7bed48cb79ea13dc34ef263942b4a74030aeb11c)
|
|
When GSO is enabled, vhost clears the checksum field prior to transmitting
the packet. Some newer kernel version does not like that and complains
about checksum error. This was seen with ip6 traffic.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I7c6f2a6148f4a30107bfa8b078f5990e64300cf1
(cherry picked from commit ac0f5363881fdce2721287bc5c756282166d9991)
|
|
QUEUE_SELECT and QUEUE_NOTIFY_OFF registers are shared between all
workers operating on the same device and operations are not atomic
Type: fix
Change-Id: Ie017b1bfc7e3b6b4e59029f45db78eeffd9f3aeb
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 162a296756f3dbead55079e4670973d859df1ef9)
|
|
Initialize txq lock only if some txq are shared and check if another
worker is already operating on the txq before processing gro timeouts
in input node.
Type: fix
Change-Id: I89dab6c0e6eb6a7aa621fa1548b0a2c76e6c7581
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit b6b484d01adb8ab2ef5a50d5a3d6f3f097df2e0c)
|
|
sanitizer complains about strlen on hi->name in tap_dump_ifs.
hi->name is a vector which is not null-terminated, so use vec_len.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Icdd5f65369bb51b0c4a9cd86c24899e6febd837c
(cherry picked from commit 84f3d9fba4e1715237a41f0978430193363187c7)
|
|
Type: fix
Change-Id: I96c30baaf34fe7b0cd899966a507501e58cde934
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 1017a1d360cc1c38e2aee4b5f19ff1f2869a8cd9)
|
|
Thanks to Martin Sustrik for spotting the bug introduced by a316744
and submitting the fix.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4984fc32503b0c7b6db3543834dfbbfed2a1f23c
|
|
Type: fix
The GBP plugin that uses this module is also in-ptogress, hence so is
this module.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I3cb5dd124afac05da013d92d67b2abf6cdf9b769
(cherry picked from commit b468773aa4164bf52e0751fdf780f67248037cc0)
|
|
This reverts commit 8c91b2ae2b32d428ef35605707788fe064621cb3,
but keep a comment fix.
Type: fix
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: Ia66941bf18d3efac96f41bdf905d877cfb3ab211
(cherry picked from commit 6816c3b3df8c91a319cca56784dca07f842ef178)
|
|
Type: improvement
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: I43556f8c76c7aae64d9c927e1fda3c1774d7e49d
(cherry picked from commit 8c91b2ae2b32d428ef35605707788fe064621cb3)
|
|
The syntax of the deprecated flag has evolved.
Clean up usage to be "option deprecated;".
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
(cherry picked from commit f916414b383afd37ec78509ee613df8878160406)
|
|
The lisp|one show eid-table command's help msg does not display the
available options. This patch fixes that.
show lisp eid-table [local|remote|eid <eid>]
show one eid-table [local|remote|eid <eid>]
Type: fix
Signed-off-by: Onong Tayeng <otayeng@cisco.com>
Change-Id: Id39148db2ff291a7fe859830c1488b69ccd15c05
(cherry picked from commit b418c397dc8c870c6561ea1d7565067333db9df4)
|
|
The local|remote options to vat's lisp|one_eid_table_dump api command
does not print the eid details instead it produces the following error
messages:
Filter error, unknown filter: 1
Filter error, unknown filter: 2
Type: fix
Signed-off-by: Onong Tayeng <otayeng@cisco.com>
Change-Id: I000c290b400dbf39bd883d57115923167092c9bd
(cherry picked from commit 2237cc8ce1e0eb7222a34bb30bdeb2f3f1df9a81)
|
|
With packet trace on, VPP crashes when an arp packet arrives. This patch
fixes the crash and also ensures that the packet trace displays the eid
info.
Type: fix
Signed-off-by: Onong Tayeng <otayeng@cisco.com>
Change-Id: Iaad09a5e2b33e931ab9bd7bc3d4573b5ed5e4bfd
(cherry picked from commit a3960a8b74de5cef51db2c7575f8f2d71a013d0a)
|
|
Type: fix
Change-Id: Ic07d0ae313b32e420ba93693cb75960a86f752a9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 3f0ae664faf33578515ffa1fd5287ad692f16c6f)
|
|
Type: fix
Static analysis identified a possible null pointer dereference. It
was introduced by a recent patch which expanded the DMAC comparison
on inbound packets on a BVI interface to include any secondary MAC
addresses which were added to an interface.
Check if the pointer is null before dereferencing.
Change-Id: Ic2afe2b062eda32977e05bf3f98d82c1fe64620c
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
(cherry picked from commit 78681def21b931309a779dfc6a5cbc6ff8b1f814)
|
|
Type: fix
VRRP cannot be used on a BVI interface currently because packets sent
to the virtual mac address of the VR fail the destination mac check in
l2_to_bvi().
Apparently people want to use VRRP on BVI interfaces, so update the
check in l2_to_bvi() so that it will check any secondary mac addresses
which have been added to the ethernet interface if the destination mac
address does not match the primary mac address for the interface.
An equivalent check is already done in ethernet_input_inline() for L3
interfaces which are in promiscuous mode.
Change-Id: I7c5bf624dafda8744fea236c704e8e17e5f53b35
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: feature
This patch updateds cryptodev engine uses new DPDK Cryptodev
API planned to be upstreamed in DPDK 20.11.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Piotr Bronowski <piotrX.bronowski@intel.com>
Change-Id: I8dd1a8ac643f1e952deb787e466b76ea7aa5f420
|
|
This patch adds the RSS steering queues set interface, and it's
implementation in DPDK device:
/* Interface to set rss queues of the interface */
typedef clib_error_t *(vnet_interface_rss_queues_set_t)
(struct vnet_main_t * vnm, struct vnet_hw_interface_t * hi,
clib_bitmap_t *bitmap);
This patch also introduces a command line to set the RSS queues:
set interface rss queues <interface> <list <queue-list>>
To display the rss queues, use "show hardware-interfaces"
Below is the example to configure rss queues for interface Gig0:
vpp# set interface rss queues Gig0 list 0,2,4-7
vpp# show hardware-interfaces brief
Name Idx Link Hardware
VirtualFunctionEthernet18/1/0 1 down VirtualFunctionEthernet18/1/0
Link speed: unknown
RSS queues: 0 2 4 5 6 7
local0 0 down local0
Link speed: unknown
vpp#
Users can also configure the rss queues on a dpdk interface in
startup.conf:
dpdk {
dev 0000:18:01.0 {
rss-queues 0,2,5-7
}
}
Type: feature
Signed-off-by: Chenmin Sun <chenmin.sun@intel.com>
Change-Id: I1835595a1c54016a84eabee9fd62ce137935385d
|
|
Type: fix
- Document that ooo dequeues with ooo lookups cannot be done in
combination with in order dequeues.
- Added assert to capture this scenario and de-initialized rbtrees for
cut-through tx fifo
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic40d020b3f0391fcf022ea3c906b86121744144f
|
|
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.
CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2
- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.
Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.
test: ipsec: Add unit-test to test for RFC correct padding/alignment
test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well
- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:
https://github.com/secdev/scapy/issues/2322
Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
|
|
Type: refactor
tap, virtio and vhost use virtio/vhost header files from linux
kernel. Different features are supported on different kernel
versions, making it difficult to use those in VPP. This patch
removes virtio/vhost based header dependencies to local header
files.
Change-Id: I064a8adb5cd9753c986b6f224bb075200b3856af
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
The issue is not easily hit. When GRE_teb packets are received the post
crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque
data. This is overwriting the ipsec opaque data. Later the trace code
fetches the sa_index from the ipsec opaque data. It's just an accident
that this currently works, if the ipsec data is changed so that the
sa_index moves around it will be overwritten by the l2_len modification.
Indeed, this was found b/c local development changes had moved the
sa_index so it was over-lapping with the l2_len memory space, and the UT
failed.
Type: fix
Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
Add missing cli options for setting IPsec SA flags, inbound,
use-anti-replay, and use-esn.
Type: fix
Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
This patch aims to improve decap performance by reducing expensive
hash_get callings as less as possible using AVX512 on XEON.
e.g. vxlan, vxlan_gpe, geneve, gtpu.
For the existing code, if vtep4 of the current packet match the last
vtep4_key_t well, expensive hash computation can be avoided and the
code returns directly.
This patch improves tunnel decap multiple flows case greatly by
leveraging 512bit vector register on XEON accommodating 8 vtep4_keys.
It enhances the possiblity of avoiding unnecessary hash computing
once hash key of the current packet hits any one of 8 in the 512bit
cache.
The oldest element in vtep4_cache_t is updated in round-robin order.
vlib_get_buffers is also leveraged in the meanwhile.
Type: improvement
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I313103202bd76f2dd638cd942554721b37ddad60
|
|
"clear counters" is not appropriate for a protocol to own. Change
to "clear l2tp counters" (and "test l2tp counter").
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I3faac3907c4697c1c95df34ac7d31e48063869a8
|
|
Type: feature
This adds api calls for the following CLIs:
* set sw_scheuduler worker <N> crypto on|off
* set crypto async dispatch polling|interrupt
* set crypto handler
* set crypto async handler
Change-Id: Ic701d149c440e42ea4575da42b9f69e4c8759602
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
This patch adds new sw_scheduler async crypto engine.
The engine transforms async frames info sync crypto ops and
delegates them to active sync engines. With the patch it
is possible to increase the single worker crypto throughput
by offloading the crypto workload to multiple workers.
By default all workers in the system will attend the crypto
workload processing. However a worker's available cycles
are limited. To avail more cycles to one worker to process
other workload (e.g. the worker core that handles the RX/TX
and IPSec stack processing), a useful cli command is added
to remove itself (or add it back later) from the heavy
crypto workload but only let other workers to process the
crypto. The command is:
- set sw_scheduler worker <idx> crypto <on|off>
It also adds new interrupt mode to async crypto dispatch node.
This mode signals the node when new frames are enqueued
as opposed to polling mode that continuously calls dispatch node.
New cli commands:
- set crypto async dispatch [polling|interrupt]
- show crypto async status (displays mode and nodes' states)
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com>
Reviewed-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I332655f347bb9e3bc9c64166e86e393e911bdb39
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I436741e061f11685980a71fb3989befc7af1e081
|
|
Type: fix
adding routes should be MP safe. When new prefixes with differrent
prefix lengths are added, adjust the sorted list in an MP safe way.
Change-Id: Ib73a3c84d01eb86d17f8e79ea2bd2505dd9afb3d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Signed-off-by: yedonggang <yedg@wangsu.com>
Change-Id: I3bf67070ed01df40626f3b90f2762158b6c3ce05
|
|
gso option is available for the debug CLI version of bond create.
This patch is to create a new API to have the corresponding option in
the binary API. The old binary API bond_create is marked deprecated.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7228a01d38e61cc00358419b2512ca0da4f76ff5
|
|
Type: improvement
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
|
|
Type: fix
Change-Id: I2b6b7b6f28cbf7accf883743e390b0031dd13bbb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ia1276d00dded36ee28b4b2e93b4cc7c1df6b1eef
|
|
Type: feature
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I95d7fc1cc8db5199570c66535f45e867a7cae676
|
|
Type: feature
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I3e00deb94943c545d1649865b2efdf7d51b90f4d
|
|
Type: fix
Change-Id: Ia28161b583ea26ab820a494332a79b64add7004d
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Change-Id: I8d55c2bfdd3c4607044370ebabf40cbac78b4996
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Change-Id: I12b08333f3f69aaa882e8801f4f69bca2d7bd558
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: feature
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I3697cf7fab7abb7c3d2f61ef326c9116bc1eed66
|
|
In one's complement, there are two representations of zero: the all
zero and the all one bit values, often referred to as +0 and -0. See
RFC 1624 section 3 for more details.
This used to be taken care of in ip4_header_checksum(), but it is no
longer the case. The check ip->checksum == ip4_header_checksum (ip) is
no longer correct in the -0 case.
Always use ip4_header_checksum_is_valid() instead (which behaves
correctly since 9a79a1ab931c3b5a7ae07d6f0fcfef7c4368a2c4).
Type: fix
Fixes: e5f0050c7a5d411f96af6401797529d58825e2af
Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Change-Id: Ie063ee0a0c59a9ad632200ce2b23703bc0d936e6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
Benoît Ganne
Neale Ranns
Steven Luong
Mohsin Kazmi
Vladimir Isaev
Klement Sekera
Neale Ranns
Yulong Pei
Ole Troan
Onong Tayeng
Matthew Smith
Fan Zhang
Chenmin Sun
Florin Coras
Christian Hopps
Zhiyong Yang
Nathan Skrzypczak
PiotrX Kleski
yedg
Artem Glazychev