summaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)AuthorFilesLines
2022-02-17ipsec: Improve the handling of NAT-T keepalive messagesNeale Ranns1-1/+13
Type: improvement Ethernet frames on the wire are a minimum of 64 bytes, so use the length in the UDP header to determine if the ESP payload is one bytes of the special SPI, rather than the buffer's size (which will include the ethernet header's padding). In the case of drop advance the packet back to the IP header so the ipx-drop node sees a sane packet. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ic3b75487919f0c77507d6f725bd11202bc5afee8
2022-02-14bfd: add per session countersKlement Sekera1-10/+123
Add udp total session counts - as stat segment entries: /bfd/udp4/sessions /bfd/udp6/sessions and per session packet/byte counters: /bfd/rx-session-counters /bfd/rx-session-echo-counters /bfd/tx-session-counters /bfd/tx-session-echo-counters These counters are per-thread and per-session id. Adjust tests to verify proper function. Type: refactor Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Ie597928022b6ac74c2220019b9e8e1714295f170
2022-02-09bfd: Add an update API that has create new or modify existing semanticsNeale Ranns2-0/+52
Type: improvement helps keep the agents stateless Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3588f13c081e24f5a8083b490eb02856361e4ccb
2022-02-08tests: vcl: add missing host stack echo testFilip Tehlar1-0/+8
Type: test Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I3b6e56b319aab3ffd2cc82d31e646bd42901275b
2022-02-07build: Make the build work on Debian 11Andrew Yourtchenko1-0/+19
Debian 11 has some packages that have changed, and need adjustment. Also - its default compiler is gcc 10, which, contrary to either gcc 8 or gcc 11 prints a bunch of warnings, which fails compilation. And there is no gcc 11 package. Therefore, use clang for this build. Additionally, python 3.9 has exposed this issue: https://bugs.python.org/issue42580 Therefore, make a local patch to scapy to tackle it. Type: feature Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I7b9c0f852ab97fe3c1feca3f22020ac0970ba3e2
2022-02-07tests: Update python packagesDave Wallace3-132/+153
- pip == 22.0.3 - pip-tools == 6.5.0 - setuptools == 60.7.1 (now pinned in test/Makefile) - upgrade packages in requirements-3.txt - install iperf3 for 'make test TEST=vcl' Type: test Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I1bd85f10fb4f6ba87b9bc1267905e5f1b8eb16de
2022-02-06stats: fix memory leaksOle Troan1-1/+0
Type: fix Fixes: 72e31bc2d9 Fixes: db02380 Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92a62bb1cb799e8fdc3ec4110ae3428825254f8a Signed-off-by: Ole Troan <ot@cisco.com>
2022-02-05tests: mark the test suites broken when ASan is enabledNaveen Joy1-0/+16
Mark broken test suites using @tag_fixme_asan.The main issue is that some tests do not pass with ASan. These will need to be fixed, but it takes time and in the meantime, new issues are introduced that trip up ASan. When this tag is set and Asan is enabled, failing ASan tests are skipped, so incremental fixes can pass the CI Type: improvement Change-Id: I02602eb74234c25a4c701279e14704b81d4c5b71 Signed-off-by: Naveen Joy <najoy@cisco.com>
2022-02-05tests: fix test-checkstyle-diff if no .py changedKlement Sekera1-2/+2
Type: fix Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I6d23ff14380b0154f617b3ab7cd1acd5aa45106a
2022-02-01nat: nat44-ei hairpinning code cleanupFilip Varga1-1/+1
Removing obsolete unused nat44-ei nodes and functions. Type: refactor Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-01-31tests: correct python usage in virtualenvKlement Sekera1-9/+9
Use 'python3' for all python calls in virtualenv. Using $(PYTHON_INTERP) (set to $(PYTHON)) is incorrect when $(PYTHON) contains absolute path (e.g. '/usr/bin/pypy3') as it uses interpreter outside of virtualenv. Type: fix Change-Id: I19878360cfc1ab6a591e09a079b0b69c1a1a58cf Signed-off-by: Klement Sekera <ksekera@cisco.com>
2022-01-31ip: reassembly - add a way to disable for forusKlement Sekera2-34/+79
Add API to disable full reassembly of "forus" packets. Mark packets passing through ip[4|6]-local nodes with a new buffer flag and check for that flag in reassembly. Enable IP6 "forus" full reassembly by default to be consistent with existing IP4 setting. Type: improvement Change-Id: I7067792fcd4304182654237968e4c4d9293c6143 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2022-01-31tests: make VPP_BUILD_DIR to point to correct dirKlement Sekera3-5/+5
Make VPP_BUILD_DIR hold the correct value and adjust paths where necessary. Type: refactor Change-Id: I5bc60666c04919956bf26badaf1ee1f1b188ef65 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2022-01-31tests: support skipping to test method with STEPKlement Sekera1-4/+24
Allow entering a test name on stack trace window with STEP=y option instead of a number. This allows to run a whole suite and skip all tests until a particular test is hit. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I23e45f8022b82545365b8921390e0e106e02b39c
2022-01-26hsa: cleanup and rename http test serverFlorin Coras1-1/+2
- cleanup data structures, functions and cli - remove option to return static html. For similar results, use http static server - rename to http_cli.c as it better describes what the app does Type: refactor Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I502e7566fba4376c68fbe41de9e45079a159e864
2022-01-24nat: TCP state tracking based on RFC 7857/RFC 6146Klement Sekera2-160/+464
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs are no longer required/tracked. This is more friendly to peers and accounts for lost packets and retransmits. This change also means that all traffic is translated and forwarded while in transitory timeout, which helps delivering e.g. retransmitted FINs, FINACKs and other messages. Also support reopening a session in transitory timeout after seeing both FINs by seeing both SYNs again. This helps quick connection reestablishment if the peers want to. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com> Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
2022-01-17ipsec: IPSec interface correct drop w/ no protectionNeale Ranns2-5/+28
Type: improvement When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output. This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this: ... 00:00:01:111710: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111829: local0-output ipsec0 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 5858585858585858585858585858585858585858585858585858585858585858 00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0 00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664 00:00:01:112017: error-drop rx:pg1 00:00:01:112034: drop local0-output: interface is down although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop. This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed. The resulting drop is: ... 00:00:01:111504: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111533: ip4-drop ICMP: 172.16.2.2 -> 1.1.1.1 tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN fragment id 0x0001 ICMP echo_request checksum 0xecf4 id 0 00:00:01:111620: error-drop rx:pg1 00:00:01:111640: drop null-node: blackholed packets Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
2022-01-05srv6-mobile: Update GTP4/6.D functionTetsuya Murakami1-10/+17
GTP4/6.D behavior is updated as shown below. 1. When receiving GTP-U message or IPv6 linklocal destination in inner IP, GTP packet is tnralated to SRv6. 2. When receiving T-PDU packet, OuterIP/UDP/GTP headers are stripped off and Inner IP is encapsulated into SRv6 based on L3VPN SRv6 manner. Type: feature Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com> Change-Id: I6092c98ea80236d54017f84c5b35cca0b645f034 Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
2022-01-05ipsec: allow registering random ports in testsArthur de Kerhor2-30/+47
We add the possibility to bind the destination UDP port of a Scapy SA to the ESP layer in the IPsec tunnel protection tests, even if it is not the default port for ESP (4500). This allows to test IPSec tunnel protection with ports other than 4500 in the UDP header, without hardcoding them in the Scapy patch (ex: 4545) Type: improvement Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72 Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2021-12-21fib: MPLS EOS chains built for attached prefixes should link to a lookup DPONeale Ranns1-0/+27
Type: fix Presently a local label associated with an attached or connected prefix will link to the glean. This is a problem since it will never use the adj-fibs that are installed for that attached prefix. Instead link the local label to a lookup in the table in which the attached link is bound. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iad49fb6168b9ba47216a9a52bd262363b49c3c43
2021-12-16ip: add tests for message size verificationKlement Sekera1-5/+24
Coverity complained that there is boundary checking in add_del_punt_redirect_v2 handler. This test proves that such boundary checking is not necessary as it is handled in the common path. Type: test Change-Id: Ibec054c01d4eb057accdc9d5732aba6fe6de51cc Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-12-14ip: reassembly: drop zero length fragmentsKlement Sekera1-0/+18
Zero length fragments are invalid and should be dropped. This patch adds that. Type: improvement Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-12-10ip: reassembly: handle atomic fragments correctlyKlement Sekera2-2/+84
If a fragment arrives with fragment offset = 0 and M = 0, it means that this is actually a complete packet and per RFC 8200, it should be treated independently from other fragments. This patch does that. Fragmentation header is stripped and fragment is forwarded irregardles of other existing reassemblies in case of full reassembly and treated the same way as regular packet in shallow virtual reassembly. Type: improvement Change-Id: If3322d5e3160cd755b8465a642702a9166d46cc2 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-12-03ip: extension header parsing fails for fragment headerOle Troan1-9/+33
Refactor and improve boundary checking on IPv6 extension header handling. Limit parsing of IPv6 extension headers to a maximum of 4 headers and a depth of 256 bytes. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ide40aaa2b482ceef7e92f02fa0caeadb3b8f7556 Signed-off-by: Ole Troan <ot@cisco.com>
2021-12-02tests: add segment manager testsFilip Tehlar1-0/+27
Type: test Change-Id: Ic9fddc9fedd5140984c5901c4cac53dec022dcec Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-11-23misc: deprecate gbp and its dependentsNeale Ranns7-6488/+0
Type: improvement Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Benoît Ganne <bganne@cisco.com> Change-Id: I2f30a4f04fd9a8635ce2d259b5fd5b0c85cee8c3
2021-11-23ip: unlock_fib on if deleteNathan Skrzypczak1-2/+13
On interface delete we were not removing the lock taken by a previous ip_table_bind() call thus preventing the VRFs to be removed. Type: fix Change-Id: I11abbb51a09b45cd3390b23d5d601d029c5ea485 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-11-22nat: change nat44-ed test pool addressFilip Varga1-1/+1
NAT pool address overlaps with pg4 network 10.0.0.1/24 this is not desirable because of upcoming change [1]. This change uncovered configuration issue with hairpinning test that would fail because of already configured pg4 interface that shares subnet with nat pool address. Packets would incorectly end up in bad pg interface causing the test to fail. This patch changes nat pool address to 10.0.10.3 that doesn't belong to any of the subnets configured on pg interfaces in nat tests. [1] https://gerrit.fd.io/r/c/vpp/+/34441 Type: test Change-Id: I49e63dacbf0847116adbcf1954ff5defd833a657 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-22vlib: add virtual time supportBenoît Ganne10-61/+37
Type: feature Change-Id: Iabd76558e9c72ed8286cfeeb1fbaa4fde4832a90 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-11-22ipfix-export: add mutliple ipfix_exporters testsPaul Atkins1-0/+192
Now that we support multiple exporters add some basic tests to verify that we can create/delete multiple exporters and that the streaming commands work. Type: test Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: I577f38440790080bfdcf87a8a6828da6cb6f1707
2021-11-19fib: Don't use [midchain] adjacencies to change an interface's feature arcNeale Ranns1-3/+29
Type: fix Using the adjacency to modify the interface's feature arc doesn't work, since there are potentially more than one adj per-interface. Instead have the interface, when it is created, register what the end node of the feature arc is. This end node is then also used as the interface's tx node (i.e. it is used as the adjacency's next-node). rename adj-midhcain-tx as 'tunnel-output', that's a bit more intuitive. There's also a fix in config string handling to: 1- prevent false sharing of strings when the end node of the arc is different. 2- call registered listeners when the end node is changed For IPSec the consequences are that one cannot provide per-adjacency behaviour using different end-nodes - this was previously done for the no-SA and an SA with no protection. These cases are no handled in the esp-encrypt node. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If3a83d03a3000f28820d9a9cb4101d244803d084
2021-11-15fib: re-evaluate the import/export state of a prefix.Neale Ranns1-0/+135
Type: fix re-evaluate the import/export state of a prefix when the interface it is attached to rebinds to a different table. Only attached routes have import/export requirements, so we can back walk from the glean adjacency when the interface rebinds tables. There are two cases to consider. 1. the rebind may change the prefix from/to import 2. the import VRF may change Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I25b6af43b3b2d8f701dfbe7a08710dc56b3f5778
2021-11-10nat: api autoendian fixFilip Varga2-16/+12
Fixed bad use of macros for autoendian API calls and updated tests for the new API. Removed sw_if_index check macro because of ntol conversion. Changed REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions. Type: fix Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-09tests: Remove the error output from the linux-cp testsNeale Ranns1-6/+3
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ib9899327897f36219c113fedb25366cd1be463a0
2021-11-09tests: fix missing dataclasses module in python 3.6Dave Wallace1-0/+1
Type: fix Fixes: b8165b96f Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Ic82a0404073a26e3d160b01c9038cde11eedf3ec
2021-11-09memif: memif linkstate can't become upDaniel Béreš1-0/+40
Admin down implies Link down but nothing came with admin up. Ticket: VPP-1959 Type: fix Change-Id: I43725329ae7918659c73d703280c25de5f0b1d14 Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
2021-11-06tests docs: fix jsonschema dependencyDave Wallace2-2/+2
- docs requires jsonschema which is only supported on python 3.7 or newer. This causes 'make test' to fail on Ubuntu 18.04 Type: fix Fixes: 9ad39c026 Change-Id: I0935c569ac102ea1dba6112f458e6ee10330e474 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-11-06unittest: remove clib_count_equal_* testsDamjan Marion1-1/+1
Due to multiarch nature of that code, those tests doesn't bring much value. New tests will be addes as part of refactor. Type: refactor Change-Id: I41056dc99d08cd6ca38f9e00e8cf6a465c90edb7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-11-05unittest: gcc-11 errors for clib_strcpy, clib_strstr, clib_strcat, and ↵Steven Luong1-3/+3
clib_strncat There are 3 versions of the string functions. For example, for strcpy, they are 1. strcpy(dst, src) -- the legacy unsafe version 2. strcpy_s(dst, dmax, src) -- C11 safeC version which has an addition argument named dmax. 3. clib_strcpy(dst,src) -- clib version to enable legacy code that uses strcpy to make use of strcpy_s without adding the additional argument, dmax, which is required by the C11 safeC version. The implementation for the clib version is to artificially provide dmax to strcpy_s. In this case, it uses 4096 which assumes that if the legacy code works without blowing up, it is likely to work with the clib version without problem. gcc-11 is getting smarter by checking if dmax is within the object's boundary. When the object is declared as static array, it will flag a warning/error if dmax is out of bound for the object since the real size of dst can be determined at compile time. There is no way to find the real size of dst if the object is dynamically allocated at compile time. For this reason, we simply can't provide support for the clib version of the function anymore. If any code is using the clib version, the choice is to migrate to the safeC version. Type: fix Fixes: b0598497afde60146fe8480331c9f96e7a79475a Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I99fa59c878331f995b734588cca3906a1d4782f5
2021-11-03tests: Apply the 'return self' pattern for the L2 objectsNeale Ranns1-0/+5
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I3286fbf09d18719546ba80e9cb81c7e58f87a603
2021-11-02tests: update python packagesDave Wallace3-110/+134
- Also fix docs requirements and venv cleanup required for docker executor building Type: test Change-Id: I839423224d95c45af42f459217887f4201cbb11a Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-11-02build: remove unnecessary executable bitsRay Kinsella15-0/+0
Run 'find src -executable -type f', remove unnecessary executable bits from the source tree. Type: refactor Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I070e22c8fb2ef8712bc3ea620727ee5ab3d9a9fb
2021-10-22fib: Don't back walk from a path-list when a child fist attaches.Neale Ranns1-1/+11
Type: fix If the walk is triggered when the child is added, then that child is visited in the walk. However, since it is just attahcing to the path-list it may not, or indeed cannot, have all the context it needs to successfully handle the walk. In the case of MPLS tunnel, it does not have the path extensions ready, and cannot since the path extensions need to resolve on the path-list. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I027af8cf2f522d2f6e37931bea60c767f0cb667d
2021-10-21cnat: improve testsNathan Skrzypczak1-737/+562
Type: improvement This is an attempt to make the cnat tests more readable by hiding the scapy packet generation under a common context concept. This in order to add tests covering a wider range of scenarios. As of now, only VIP, snat & DHCP being covered Change-Id: Ia84868984506bbb652fe974e9a6f54f7a3cc0bd9 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-20nat: enable skipped nat44-ed multi worker testsFilip Varga1-57/+0
Type: test Change-Id: I185725c0f94084d08c8514642a84a04da62398e1 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-20nat: nat44-ei configuration improvementsFilip Varga1-16/+1
nat44-ed core configuration improvements & fixes [0-5] adjusted for nat44-ei plugin. Improvements: * repeating code converted to functions * simplified functions used for pool address, static mapping and interface configuration. Clean up: * remove obsolete code and logic persisted after plugin separation from old SNAT plugin. Fixes: * [0] return correct API behavior changed in [5] Type: improvement [0] https://gerrit.fd.io/r/c/vpp/+/33622 [1] https://gerrit.fd.io/r/c/vpp/+/33431 [2] https://gerrit.fd.io/r/c/vpp/+/33337 [3] https://gerrit.fd.io/r/c/vpp/+/33249 [4] https://gerrit.fd.io/r/c/vpp/+/32796 [5] https://gerrit.fd.io/r/c/vpp/+/32951 Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
2021-10-14nat: static mappings in flow hashKlement Sekera4-10/+238
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
2021-10-13docs: better docs, mv doxygen to sphinxNathan Skrzypczak8-922/+116
This patch refactors the VPP sphinx docs in order to make it easier to consume for external readers as well as VPP developers. It also makes sphinx the single source of documentation, which simplifies maintenance and operation. Most important updates are: - reformat the existing documentation as rst - split RELEASE.md and move it into separate rst files - remove section 'events' - remove section 'archive' - remove section 'related projects' - remove section 'feature by release' - remove section 'Various links' - make (Configuration reference, CLI docs, developer docs) top level items in the list - move 'Use Cases' as part of 'About VPP' - move 'Troubleshooting' as part of 'Getting Started' - move test framework docs into 'Developer Documentation' - add a 'Contributing' section for gerrit, docs and other contributer related infos - deprecate doxygen and test-docs targets - redirect the "make doxygen" target to "make docs" Type: refactor Change-Id: I552a5645d5b7964d547f99b1336e2ac24e7c209f Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-10-12fib: fix the drop counter for ipv6 RPF failuresNeale Ranns1-0/+6
Type: fix the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting. The traces previously showed some bogus reason: 00:04:27:325550: ip6-mfib-forward-rpf entry 10 itf -1 flags 00:04:27:325551: ip6-drop fib:0 adj:10 flow:0 UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2 tos 0x00, flow label 0x651ed, hop limit 1, payload length 64 UDP: 546 -> 547 length 64, checksum 0xec9a 00:04:27:325551: error-drop rx:GigabitEthernet6/0/0 00:04:27:325553: drop ip6-input: drops due to concurrent reassemblies limit Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
2021-10-12ipsec: Performance improvement of ipsec4_output_node using flow cacheGovindarajan Mohandoss2-0/+794
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup performance. Details about flow cache: Mechanism: 1. First packet of a flow will undergo linear search in SPD table. Once a policy match is found, a new entry will be added into the flow cache. From 2nd packet onwards, the policy lookup will happen in flow cache. 2. The flow cache is implemented using bihash without collision handling. This will avoid the logic to age out or recycle the old flows in flow cache. Whenever a collision occurs, old entry will be overwritten by the new entry. Worst case is when all the 256 packets in a batch result in collision and fall back to linear search. Average and best case will be O(1). 3. The size of flow cache is fixed and decided based on the number of flows to be supported. The default is set to 1 million flows. This can be made as a configurable option as a next step. 4. Whenever a SPD rule is added/deleted by the control plane, the flow cache entries will be completely deleted (reset) in the control plane. The assumption here is that SPD rule add/del is not a frequent operation from control plane. Flow cache reset is done, by putting the data plane in fall back mode, to bypass flow cache and do linear search till the SPD rule add/delete operation is complete. Once the rule is successfully added/deleted, the data plane will be allowed to make use of the flow cache. The flow cache will be reset only after flushing out the inflight packets from all the worker cores using vlib_worker_wait_one_loop(). Details about bihash usage: 1. A new bihash template (16_8) is added to support IPv4 5 tuple. BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set to 1 in the new template. It means only one KVP is supported per bucket. 2. Collision handling is avoided by calling BV (clib_bihash_add_or_overwrite_stale) function. Through the stale callback function pointer, the KVP entry will be overwritten during collision. 3. Flow cache reset is done using BV (clib_bihash_foreach_key_value_pair) function. Through the callback function pointer, the KVP value is reset to ~0ULL. MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt, 64B for different SPD policy matching indices: SPD Policy index : 1 10 100 1000 Throughput : MPPS/MPPS MPPS/MPPS MPPS/MPPS KPPS/MPPS (Baseline/Optimized) ARM Neoverse N1 : 5.2/4.84 4.55/4.84 2.11/4.84 329.5/4.84 ARM TX2 : 2.81/2.6 2.51/2.6 1.27/2.6 176.62/2.6 INTEL SKX : 4.93/4.48 4.29/4.46 2.05/4.48 336.79/4.47 Next Steps: Following can be made as a configurable option through startup conf at IPSec level: 1. Enable/Disable Flow cache. 2. Bihash configuration like number of buckets and memory size. 3. Dual/Quad loop unroll can be applied around bihash to further improve the performance. 4. The same flow cache logic can be applied for IPv6 as well as in IPSec inbound direction. A deeper and wider flow cache using bihash_40_8 can replace existing bihash_16_8, to make it common for both IPv4 and IPv6 in both outbound and inbound directions. Following changes are made based on the review comments: 1. ON/OFF flow cache through startup conf. Default: OFF 2. Flow cache stale entry detection using epoch counter. 3. Avoid host order endianness conversion during flow cache lookup. 4. Move IPSec startup conf to a common file. 5. Added SPD flow cache unit test case 6. Replaced bihash with vectors to implement flow cache. 7. ipsec_add_del_policy API is not mpsafe. Cleaned up inflight packets check in control plane. Type: improvement Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com> Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Tested-by: Jieqiang Wang <jieqiang.wang@arm.com> Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006