Age | Commit message (Collapse) | Author | Files | Lines |
|
Adding flow cache support to improve inbound IPv4/IPSec Security Policy
Database (SPD) lookup performance. By enabling the flow cache in startup
conf, this replaces a linear O(N) SPD search, with an O(1) hash table
search.
This patch is the ipsec4_input_node counterpart to
https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code,
theory and mechanism of action.
Details about the flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using a hash table without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, the old entry
will be overwritten by the new entry. Worst case is when all the
256 packets in a batch result in collision, falling back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows,
but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all
current flow cache entries will be invalidated. As the SPD API is
not mp-safe, the data plane will wait for the control plane
operation to complete.
Cache invalidation is via an epoch counter that is incremented on
policy add/del and stored with each entry in the flow cache. If the
epoch counter in the flow cache does not match the current count,
the entry is considered stale, and we fall back to linear search.
The following configurable options are available through startup
conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache
(default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets
(default 4,194,304: ~1 million flows with 25% load factor)
Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass,
94B (null encrypted packet) for different SPD policy matching indices:
SPD Policy index : 2 10 100 1000
Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps
(Baseline/Optimized)
ARM TX2 : 300/290 230/290 70/290 8.5/290
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
|
|
Type: fix
After changes made in f840880, VRRP IPv6 cannot reply for neighbor
solicitations requesting the link layer address of the configured
virtual address.
VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature
arc for an interface on which a virtual router is configured. When
neighbor solicitations arrive on that interface, ip6-local should start
feature arc walk for that interface and the messages should be processed
by vrrp6-nd-input. The problem is that currently, the feature arc is
started for the interface obtained from the receive DPO that has
interface unset (i.e. max u32) for local mfib entries. Thus, the feature
arc is started not on the interface the messages were received on and
vrrp6-nd-input is not traversed.
With this fix, if interface obtained from the receive DPO is unset, use
RX interface from the buffer to start the ip46-local feature arc.
Also, enable tests of this case for both IPv4 and IPv6 address families
that are currently tagged as extended and not run on every change. They
configure VRRP with priority 255 and are expected to be stable.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie1ae401d5105aa42761d3cac5dfbe523f3995c87
|
|
Use the specified nexthop table id instead of the interface table id.
Type: fix
Change-Id: I61bf61d50d2716fcd9a6e35df4d60222dc4f36d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I9f3d1a8574b15f09a458baad98c815e087fd60b8
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I805131b4e3d0cb2fab1d3bf76db659c67522c2e8
|
|
Type: refactor
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I9e68ecb91f6433f68a8a87dd066f3e369f25a3c9
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I12b2e53ddb797cc809a2d742d17a1a60edde385d
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia4d8aaafeb3629f421601edffefe9c61c3e69dba
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I33a29cf11998736347eca5016eee112619d847c1
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ie5f2bdb8fb559680bab863a7c24a49360e005b58
|
|
Type: fix
Change-Id: I2562ae5833b542c29bcd5025a9a6756e5de95a42
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I609fb28e58286ff490d12384b03dd713830379b3
|
|
Type: refactor
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Id485f525057163582dc7a83f7dab7a8b2e759270
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: If7d9c94dcdc32fa66763e18bd3be7d28b2d17946
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ie647fb280831af23925c4b5f659f1dade6d37eff
|
|
Use of _vec_len() to set vector length breaks address sanitizer.
Users should use vec_set_len(), vec_inc_len(), vec_dec_len () instead.
Type: improvement
Change-Id: I441ae948771eb21c23a61f3ff9163bdad74a2cb8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5bd0b300af07424d1ce4807fa0b17e375001f089
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8ba93643236aaa50eeb4755b74821a8c4ca6179b
|
|
vl_api_sw_interface_tx_placement_get_t_handler is autoendian.
So (contrary to most other uses) the context is in native order there.
Thus, send_interface_tx_placement_details needs to convert back
before using REPLY_MACRO_DETAILS5 macro.
Type: fix
Fixes: 0d05c0d214ffd326e531bea58f3c971bb9a58252
Change-Id: I00a3734cafa66d7d76c7edaea526a1eae0448ad9
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Fix race with connects for iperf3 udp test.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ief725b80047911e87ba24736dc0a60aa8bcdac50
|
|
Type: feature
Change-Id: I0f4e6517fcfa07ffb0aba89b159ac1337937a508
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Change-Id: I442496585fc24b7458535ad1a1d8db525c258540
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2c264c31d2470b11b94d68411fa8266387319146
|
|
Adds api that allows workers to synchronize through main thread.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1e75e2fb5144d397d19b13c4dfc7e937f11c044c
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6ddb172d7b4f0ba06b0117d71853a22702a3466b
|
|
If async engines are disbaled and async is turned on vpp tries to
enqueue frame with nonexisting handler which leads to segfault.
This patch checks for handler and drops the frame in case it doesn't
exist.
Type: fix
Signed-off-by: Dastin Wilski <dastin.wilski@gmail.com>
Change-Id: I67211867ee29dc41cc9f0733e8e0b3ea86677f85
|
|
Type: improvement
Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com>
Change-Id: I90e90678ae6586019cc842f9d504d53991cfabe4
|
|
Type: fix
otherwise punt features are applied multiple times to the same packet if enabled multiple times
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If0cbd9065275f68a10fd6d35e4f7a7c7508245e0
|
|
When computing the inner packet checksum, the code wrongly
assumes that the IP version of the inner packet is the
same of the outer one. On the contrary, it is perfectly
possible to encapsulate v6 packets into v4 and viceversa,
so we need to check the IP format of the inner header before
calling vnet_calc_checksums_inline.
Ticket: VPP-2020
Type: fix
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: Ia4515563c164f6dd5096832c831a48cb0a29b3ad
Signed-off-by: Mauro Sardara <msardara@cisco.com>
|
|
Type: fix
Fixes: 1cd0e5dd533f
In vnet_eth_register_interface(), max frame size was being used where
frame overhead was intended.
Change-Id: I6e6de25e2d616caaf35730ab3d15235ec679ebdd
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
ply_create() is not thread safe when the ip4_ply_pool expands.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ie11cc8b1ba587d5e9239a60f4e288492da61368e
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1c55c054fea6c6886d8287a9b6e264a308f89504
|
|
Type: improvement
Change-Id: I99d2c69ede39b3ba5604e1811ce12209c47f5caf
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Fixes case when packet to link-local address is received over
gre/mpls or other non-ethernet interface and ip6-ll fib for it
is undefined.
If by a chance ip6-ll fib index is valid, packet will be passed
to some ip6 fib with possibilities to be sent out over unrelated
interface or be looped again into ip6-link-local dpo till oom
and crash.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ie985f0373ea45e2926db7fb0a1ff951eca0e38f6
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ibd23648483b38696271154237e81081480bb16e0
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5bbf8d584efdec57908c61f8626bcc81590401b3
|
|
When incrementing node counters with vlib_node_increment_counter
the local error index should be passed in. vlib_node_increment_counter
adds the local index to the nodes base index to get the counter to
write to. If we pass in the global counter index, the offset gets
added again in the fn, and we then potentially write into memory that
is not part of the counter vector.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I43be33a51bcb52d520495d326b971c1d848d96b5
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6c86d0691bd0594d8b2c05d83d004be1aa8c5e21
|
|
Type: fix
otherwise if two packets arrive with the same source address but from different VRFs, then they are treated as the same and they use the same LB and thus share the same fate. but the lookup, when done, results in two different LBs, and hence the fate can be different.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Id6e16f7c577a561d9ddd7066339fa4385361d07f
|
|
Type: improvement
Currently, RA message sending is enabled by default - both periodic and
in response to RS message. However, RFC 4861 section 6.2.1 says the
following:
Note that AdvSendAdvertisements MUST be FALSE by default so that a
node will not accidentally start acting as a router unless it is
explicitly configured by system management to send Router
Advertisements.
With this change, RA message sending is disabled by default and
"test_ip6.TestIPv6.test_rs" updated appropriately.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I2a8865199cb665c59268504aefe2976e5ee96dc2
|
|
Type: fix
The reported MTU should include the MPLS label overhead
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3df6d2e0b13f49701e187a766a157498dcaafbc0
|
|
Type: fix
When a covering entry is removed from the table, the covered entries first see it 'updated' and then 'removed'.
the crash occurs because the covered prefixes share (simple pointer copy) the covereds hash table of path extensions. During the cervers deletion this hash table has been removed and the update of the covered crashes when recaluationg forwarding becuase it uses the free'd hash.
Fix is to refetch the shared hash table (which is NULL) when the covered is updated.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Icefca9d7b21da975111d0e974d75f663fc0cc00c
|
|
Type: fix
Fixes: 26bc9f3c855496fb56f5fc648f75a299d4d539f8
Change-Id: Idab52bf856c03ded7b181608c3db1313aa2e33de
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ib96ee54eaf967bf435d6da910a6b582e87fbedc0
|
|
Type: improvement
This patch adds support for:
1) GSO
2) checksum offload
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ib00629888c62da04d58db36ce021993769e736c9
|
|
Type: feature
CPU usage ~20% less than v2.
Performance improvement 20% more than v2.
High vector rate.
Change-Id: I24bc594200f42664b59d07b44d44578e61068bbc
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
This allows specifying both c string and vector for node name
and removes need for crafting temporary string.
Type: improvement
Change-Id: I0b016cd70aeda0f68eb6f9171c5152f303be7369
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
This also makes the is_white_space function
public
Change-Id: Ifc1c0d4509f3ecae14f09bb5fa7a2eea33c49b09
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: refactor
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibb6d19de053c306e9758dbfa827ab7bcab5de856
|