path: root/src/vnet
Age | Commit message | Author | Files | Lines
2020-09-07 | ipsec: fix padding/alignment for native IPsec encryption | Christian Hopps | 5 | -19/+19
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESP's 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESP's 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with and acknowledged by the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-04 | virtio: remove kernel virtio header dependencies | Mohsin Kazmi | 18 | -394/+483
Type: refactor tap, virtio and vhost use virtio/vhost header files from linux kernel. Different features are supported on different kernel versions, making it difficult to use those in VPP. This patch removes virtio/vhost based header dependencies to local header files. Change-Id: I064a8adb5cd9753c986b6f224bb075200b3856af Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-09-04 | ipsec: fix trace of GRE_teb packets | Christian Hopps | 1 | -2/+5
The issue is not easily hit. When GRE_teb packets are received the post crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque data. This is overwriting the ipsec opaque data. Later the trace code fetches the sa_index from the ipsec opaque data. It's just an accident that this currently works, if the ipsec data is changed so that the sa_index moves around it will be overwritten by the l2_len modification. Indeed, this was found b/c local development changes had moved the sa_index so it was over-lapping with the l2_len memory space, and the UT failed. Type: fix Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-04 | ipsec: cli: add missing flags for SA add | Christian Hopps | 1 | -0/+12
Add missing cli options for setting IPsec SA flags, inbound, use-anti-replay, and use-esn. Type: fix Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-04 | ip: enhance vtep4_check of tunnel by vector way | Zhiyong Yang | 4 | -36/+137
This patch aims to improve decap performance by reducing expensive hash_get calls as much as possible using AVX512 on XEON. e.g. vxlan, vxlan_gpe, geneve, gtpu. For the existing code, if vtep4 of the current packet matches the last vtep4_key_t well, expensive hash computation can be avoided and the code returns directly. This patch improves tunnel decap multiple flows case greatly by leveraging 512bit vector register on XEON accommodating 8 vtep4_keys. It enhances the possibility of avoiding unnecessary hash computing once hash key of the current packet hits any one of 8 in the 512bit cache. The oldest element in vtep4_cache_t is updated in round-robin order. vlib_get_buffers is also leveraged in the meanwhile. Type: improvement Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com> Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Signed-off-by: Junfeng Wang <drenfong.wang@intel.com> Change-Id: I313103202bd76f2dd638cd942554721b37ddad60
2020-09-03 | misc: l2tp: cli: fix overly generic CLI commands | Christian Hopps | 1 | -2/+2
"clear counters" is not appropriate for a protocol to own. Change to "clear l2tp counters" (and "test l2tp counter"). Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I3faac3907c4697c1c95df34ac7d31e48063869a8
2020-09-03 | crypto: Add async crypto APIs | Nathan Skrzypczak | 6 | -5/+175
Type: feature This adds api calls for the following CLIs: * set sw_scheduler worker <N> crypto on|off * set crypto async dispatch polling|interrupt * set crypto handler * set crypto async handler Change-Id: Ic701d149c440e42ea4575da42b9f69e4c8759602 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2020-09-03 | crypto: SW scheduler async crypto engine | PiotrX Kleski | 4 | -69/+232
Type: feature This patch adds new sw_scheduler async crypto engine. The engine transforms async frames into sync crypto ops and delegates them to active sync engines. With the patch it is possible to increase the single worker crypto throughput by offloading the crypto workload to multiple workers. By default all workers in the system will attend the crypto workload processing. However a worker's available cycles are limited. To avail more cycles to one worker to process other workload (e.g. the worker core that handles the RX/TX and IPSec stack processing), a useful cli command is added to remove itself (or add it back later) from the heavy crypto workload but only let other workers to process the crypto. The command is: - set sw_scheduler worker <idx> crypto <on|off> It also adds new interrupt mode to async crypto dispatch node. This mode signals the node when new frames are enqueued as opposed to polling mode that continuously calls dispatch node. New cli commands: - set crypto async dispatch [polling|interrupt] - show crypto async status (displays mode and nodes' states) Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com> Reviewed-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I332655f347bb9e3bc9c64166e86e393e911bdb39
2020-09-02 | tcp: fix connection refused error | Florin Coras | 1 | -1/+1
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I436741e061f11685980a71fb3989befc7af1e081
2020-09-02 | fib: IPv6 lookup data structure MP safe when prefixes change | Neale Ranns | 1 | -14/+31
Type: fix Adding routes should be MP safe. When new prefixes with different prefix lengths are added, adjust the sorted list in an MP safe way. Change-Id: Ib73a3c84d01eb86d17f8e79ea2bd2505dd9afb3d Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-02 | fib: fix ADJ_NBR_ITF_OK param error | yedg | 1 | -1/+1
Type: fix Signed-off-by: yedonggang <yedg@wangsu.com> Change-Id: I3bf67070ed01df40626f3b90f2762158b6c3ce05
2020-09-02 | bonding: add bond_create2 API to include gso option | Steven Luong | 2 | -4/+75
gso option is available for the debug CLI version of bond create. This patch is to create a new API to have the corresponding option in the binary API. The old binary API bond_create is marked deprecated. Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0
2020-09-02 | session: fix non-blocking msg enqueue to vpp mq | Florin Coras | 1 | -1/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7228a01d38e61cc00358419b2512ca0da4f76ff5
2020-09-02 | ipsec: add ipsec set async mode api | Yulong Pei | 2 | -1/+26
Type: improvement Signed-off-by: Yulong Pei <yulong.pei@intel.com> Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
2020-09-02 | misc: fix pcap [rx|tx|drop] filename stem overflow | Benoît Ganne | 1 | -1/+1
Type: fix Change-Id: I2b6b7b6f28cbf7accf883743e390b0031dd13bbb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-02 | tap: add the static assert for api flags | Mohsin Kazmi | 1 | -0/+19
Type: improvement Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: Ia1276d00dded36ee28b4b2e93b4cc7c1df6b1eef
2020-09-02 | virtio: add virtio 1.1 api flags | Mohsin Kazmi | 3 | -1/+119
Type: feature Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I95d7fc1cc8db5199570c66535f45e867a7cae676
2020-09-02 | tap: add virtio 1.1 API flag | Mohsin Kazmi | 3 | -2/+10
Type: feature Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I3e00deb94943c545d1649865b2efdf7d51b90f4d
2020-09-01 | virtio: fix the bar starting index | Mohsin Kazmi | 1 | -1/+1
Type: fix Change-Id: Ia28161b583ea26ab820a494332a79b64add7004d Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-09-01 | virtio: fix the NULL dereference | Mohsin Kazmi | 1 | -1/+2
Type: fix Change-Id: I8d55c2bfdd3c4607044370ebabf40cbac78b4996 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-09-01 | virtio: fix the error return | Mohsin Kazmi | 1 | -9/+12
Type: fix Change-Id: I12b08333f3f69aaa882e8801f4f69bca2d7bd558 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-09-01 | crypto: add chacha20-poly1305 algo | Artem Glazychev | 1 | -2/+5
Type: feature Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I3697cf7fab7abb7c3d2f61ef326c9116bc1eed66
2020-09-01 | ip: fix ip zero checksum verification | Benoît Ganne | 5 | -11/+12
In one's complement, there are two representations of zero: the all zero and the all one bit values, often referred to as +0 and -0. See RFC 1624 section 3 for more details. This used to be taken care of in ip4_header_checksum(), but it is no longer the case. The check ip->checksum == ip4_header_checksum (ip) is no longer correct in the -0 case. Always use ip4_header_checksum_is_valid() instead (which behaves correctly since 9a79a1ab931c3b5a7ae07d6f0fcfef7c4368a2c4). Type: fix Fixes: e5f0050c7a5d411f96af6401797529d58825e2af Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-01 | fib: detect wrong adj neighbour bugs | Benoît Ganne | 1 | -0/+23
Type: improvement Change-Id: Ie063ee0a0c59a9ad632200ce2b23703bc0d936e6 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-01 | mpls: fix adjacencies walk in case of restack | Benoît Ganne | 1 | -1/+1
Adjacencies are only defined for IPv4 and IPv6. Type: fix Fixes: 20aec3db441074ee5a861a40d6e02fad2f3dcb37 Change-Id: I19b2b7f6958da49f41c6eabc9f248840769acbbb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-01 | ip: improve ip4_header_checksum_is_valid | Damjan Marion | 1 | -5/+12
It is cheaper to include checksum field in calculation and simply compare result with zero. Type: improvement Change-Id: I6f77632c0a4d2f2c632d044d3a5d2fcf2b5bac62 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-08-31 | vppinfra: convert A_extend_to_B to B_from_A format of vector inlines | Damjan Marion | 1 | -8/+8
Make it shorter and same format when converting to bigger or smaller types. Type: refactor Change-Id: I443d67e18ae65d779b4d9a0dce5406f7d9f0e4ac Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-08-31 | ip: fix compiling error with gcc-10 | Jieqiang Wang | 1 | -0/+12
Building VPP using gcc-10 fails because of the array bounds check error for function ip4_header_checksum(), with option field in IPv4 header exceeding the ip4_header_t bound. Fix this error by turning off the array bounds check option for function ip4_header_checksum(). Change-Id: I68cc241ae9e403d35ac2e320549506dc6565a0b6 Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
2020-08-31 | session: format app_ns_name with %v rather than %s | jiangxiaoming | 1 | -1/+1
Type: fix Signed-off-by: jiangxiaoming <jiangxiaoming@outlook.com> Change-Id: Ie29dec803aa4ee02755190b09573c23f9b5f0ada
2020-08-31 | flow: code refactor | Chenmin Sun | 5 | -355/+389
This is the code refactor for vnet/flow infra and the dpdk_plugin flow implementation. The main works of the refactor are: 1. Added two base flow types: VNET_FLOW_TYPE_IP4 and VNET_FLOW_TYPE_IP6 as the base flow types 2. All the other flows are derived from the base flow types 3. Removed some flow types that are not currently supported by the hardware, and VPP won't leverage them either: IP4_GTPU_IP4, IP4_GTPU_IP6, IP6_GTPC, IP6_GTPU, IP6_GTPU_IP4, IP6_GTPU_IP6 4. Re-implemented the vnet/flow cli as well as the dpdk_plugin implementation 5. refine cli prompt 6. refine display info in command "show flow entry" Type: refactor Signed-off-by: Chenmin Sun <chenmin.sun@intel.com> Change-Id: Ica5e61c5881adc73b28335fd83e36ec1cb420c96
2020-08-31 | cnat: Destination based NAT | Neale Ranns | 2 | -35/+35
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I64a99a4fbc674212944247793fd5c1fb701408cb
2020-08-31 | virtio: fix the coverity warning | Mohsin Kazmi | 2 | -7/+13
Type: fix Change-Id: I6c6d66ad8aa158be8d2b9d111de7d46473b9dc02 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-08-27 | ipsec: Deprecate old interface API | Neale Ranns | 1 | -1/+3
Type: feature Change-Id: Ib5d7b7e4735a5dec6c3ed74068206a86782588ca Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-08-27 | session: limit max number of ct sessions per dispatch | Florin Coras | 1 | -2/+5
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia67662a5b988b3b5351cea21d6d92fb3a86629b5
2020-08-25 | flow: add vnet/flow formal API | Chenmin Sun | 8 | -0/+695
This patch adds the API for vnet/flow infra. Currently this API supports the below flow types: VNET_FLOW_TYPE_IP4_N_TUPLE VNET_FLOW_TYPE_IP6_N_TUPLE VNET_FLOW_TYPE_IP4_N_TUPLE_TAGGED VNET_FLOW_TYPE_IP6_N_TUPLE_TAGGED VNET_FLOW_TYPE_IP4_L2TPV3OIP VNET_FLOW_TYPE_IP4_IPSEC_ESP VNET_FLOW_TYPE_IP4_IPSEC_AH VNET_FLOW_TYPE_IP4_GTPU All the above flows are tested with Intel E810/X710 NIC Type: feature Signed-off-by: Chenmin Sun <chenmin.sun@intel.com> Change-Id: Icb8ae20cab9bdad6b120dddc3bd4fb1d85634f3f
2020-08-25 | ip-neighbor: skip probe for disabled interfaces | Matthew Smith | 1 | -0/+6
Type: fix In ip6_neighbor_probe(), if the interface is not enabled for ip6, return NULL and skip trying to build a packet. If the interface is not enabled, its mcast adjacency will be set to ~0 and a seg fault will ensue. Change-Id: I825c9f40a0d5b2a77f788ac8dbd618138706383d Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-08-24 | bonding: enhance binary api handling | Steven Luong | 1 | -0/+9
- check input sw_if_index to make sure it is sane. Coverity actually complains about it. - return rv. Some of the API handlers were not passing back the rv. Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I8378ea948af561ba2bd9b02fb10bf4f9df2a2cd2
2020-08-20 | tcp: track reorder with sacks | Florin Coras | 6 | -38/+61
Type: feature Change-Id: I041bff2e8d589c171661de286fa1503531dff891 Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-08-20 | virtio: add modern device support | Mohsin Kazmi | 7 | -47/+678
Type: feature Change-Id: I205f7c146a213d603d9d1e46fcf5195a876608dc Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-08-20 | ipsec: fix esp padding | Milan Lenco | 1 | -1/+1
Type: fix Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech> Change-Id: Ic8db52b41d7e5af3425099f008984e50afb3da74
2020-08-20 | virtio: refactor pci device code | Mohsin Kazmi | 7 | -350/+533
Type: refactor Change-Id: I7342178f9ab9adb99b91a4f984bc22bef2ce8021 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-08-20 | ip: vnet_ip_mroute_cmd payload_proto fix | Elias Rudberg | 1 | -6/+6
Make sure payload_proto variable is set properly in vnet_ip_mroute_cmd() function. This avoids using an uninitialized payload_proto value which could lead to assertion failure when using e.g. the ip mroute add command. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I8b1d1df02e80150836b7b0448814d8f99747eeed
2020-08-19 | session: ct init error handling | Florin Coras | 1 | -4/+18
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie70348406a2bfc156302687d2f5f98bc1a50c88f
2020-08-17 | tap: add gro support | Mohsin Kazmi | 8 | -14/+87
Type: feature Change-Id: I5868dd267aa26aa97aec5fd70e70c5956ac52277 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-08-14 | gso: packet coalesce library | Mohsin Kazmi | 11 | -9/+1002
Type: feature Change-Id: Ia19d3611e596d9ec47509889b34e8fe793a0ccc3 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-08-14 | ip: add VNET_IP_TABLE_ADD_DEL_FUNCTION | Steven Luong | 4 | -0/+137
vrf table may be dynamically added or deleted. When the table is deleted, clients who use the corresponding vrf table may need a callback to do the clean up. The mechanism added here is cloned from VNET_SW_INTERFACE_ADD_DEL_FUNCTION. Type: improvement Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I08635c715cd7361a6c359b90890dd3545b0da94c
2020-08-12 | vcl: support multi-threads with session migration | hanlin | 2 | -1/+2
Currently, multi-threads only support one dispatch thread and multiple worker threads, eventually only dispatch thread is a vcl worker and can interact with epoll. This patch will register all threads as vcl worker, and then each thread can interact with epoll now. Moreover, session migration is also supported, such as socket created in thread A and used (bind, connect, etc.) in thread B. Type: feature Signed-off-by: hanlin <hanlin_wang@163.com> Change-Id: Iab0b43a33466968c1423d7d20faf1460c8589d91
2020-08-11 | vcl: support inter worker rpc | Florin Coras | 3 | -0/+38
Type: feature Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I664cd14c84fc5cf2ffe61efce99c95219b44fad7
2020-08-06 | misc: harmonize names | Dave Barach | 13 | -62/+66
Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ibad744788e200ce012ad88ff59c2c34920742454
2020-08-05 | interface: add pcap trace data preallocation | Dave Barach | 2 | -4/+48
Type: improvement Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I2e53fa85a0b4082666f57a3a58a09c04ae2001b5