For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs, as is done by the ipsecmb and native backends for
VNET_CRYPTO_OP_FLAG_INIT_IV, is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Also remove the duplicate 17.01.1 section
Change-Id: I809f417fabea96df506886ae6576b6e8c1b72caf
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
On CentOS-7 aarch64, the command 'debuginfo-install -y glibc openssl-libs mbedtls-devel zlib' in 'make install-deps' fails because it tries to install the corresponding *debuginfo* packages from some inaccessible/unmaintained repos on aarch64, e.g., centos-sclo-rh-debuginfo. The error message is shown below.
Using 'debuginfo-install --enablerepo=xxx' also fails because it will still enable all the repos including the broken repos on aarch64. Using 'debuginfo-install --disablerepo=xxx' (xxx is the broken repo) works fine, but we are not certain whether VPP users will install additional broken repos on aarch64 or not. So to fix this error, we install all the *debuginfo* packages for the 'glibc openssl-libs mbedtls-devel zlib' packages using 'yum install' instead.
[root@ ~]# debuginfo-install -y glibc openssl-libs mbedtls-devel zlib
Loaded plugins: auto-update-debuginfo, fastestmirror, ovl
enabling epel-debuginfo
enabling base-debuginfo
enabling centos-sclo-rh-debuginfo
Loading mirror speeds from cached hostfile
epel/aarch64/metalink | 8.2 kB 00:00:00
epel-debuginfo/aarch64/metalink | 8.5 kB 00:00:00
* base: mirror.aktkn.sg
* centos-sclo-rh: mirror.aktkn.sg
* epel: mirrors.yun-idc.com
* epel-debuginfo: mirrors.yun-idc.com
* extras: mirror.aktkn.sg
* updates: mirror.xtom.com.hk
http://debuginfo.centos.org/centos/7/sclo/aarch64/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
failure: repodata/repomd.xml from centos-sclo-rh-debuginfo: [Errno 256] No more mirrors to try.
http://debuginfo.centos.org/centos/7/sclo/aarch64/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Type: fix
Change-Id: I017c3b20a167d8035c3ae617b9ad5ae479e52f57
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
(cherry picked from commit 81b95c1fe2ece45ee2a5d895631b608733384182)
Type: fix
Adding routes should be MP safe. When new prefixes with different
prefix lengths are added, adjust the sorted list in an MP safe way.
Change-Id: Ib73a3c84d01eb86d17f8e79ea2bd2505dd9afb3d
Signed-off-by: Neale Ranns <nranns@cisco.com>
(cherry picked from commit aecb10b97fa97b215c415ceaa3cac4c97204922f)
MAKE_PARALLEL_JOBS was prepending "-j", which in case of nested targets like "verify"
resulted in ninja being executed with "-j -j" flags.
Solution: prepend -j only at the moment of setting the MAKE_PARALLEL_FLAGS variable,
this keeps MAKE_PARALLEL_JOBS intact regardless of depth of the job call tree.
Type: make
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I10a69fe527758e5a862852a9f2102aeaca30e88f
(cherry picked from commit 56ac770df97065ea705ff2f3070055a410113b9f)
Type: fix
Only add GSO and Checksum offload flags when gso is
enabled.
Change-Id: I58945a4ffbb9a0e6a8640fc01424c63feef16306
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Type: fix
This fix is backported from master partial of patch:
gso: add vxlan tunnel support
It fixes required number of buffers for segmentation and
also enables gso infra node on sub-interfaces.
Change-Id: I2cf93cdb39c67e2252a3549905d141fffa95d249
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Swap byte order for fields of type vl_api_rx_mode_t.
Ticket: VPP-1871
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: Ia1745257b57209d41661d38067e0dd7618f9a9b9
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Type: fix
Some crypto engines store key data indexed by SA index. Creating new SAs
means this store reallocs with packets inflight; bad stuff ensues.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ia23c3a59e2d05fb006bdbd9922d01ee192e22853
Calling vlib_time_now (&vlib_global_main) from a worker thread is a bad
mistake. ASSERT (vm->thread_index == __os_thread_index) will catch it.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I55af6de84e06143f8f43adc62103b77267a7a441
(cherry picked from commit 77d98382824ca211fb55fcf842931930ccfb3baa)
When checksum is enabled for IPv6, it erroneously sets the flag
VNET_BUFFER_F_OFFLOAD_IP_CKSUM. That flag is meant for ip4 packets only.
Type: fix
Ticket: VPP-1857
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id03b2937bfa34e2a9b50a36aafe0700bad7fb95e
(cherry picked from commit f78294d8468f156e066e7e69aab3a1b285810c3a)
(cherry picked from commit 82b62bbf58bc3d1143a359d8f58f7be2f473cddd)
Building applications using the VPP bin_api outside of the VPP tree is broken, missing these includes.
Type: fix
Change-Id:
Signed-off-by: IJsbrand Wijnands <ice@cisco.com>
Change-Id: Ibcb2fea0f5740a73b9577392aa54ac3c93c8d2b5
(cherry picked from commit 724c8051d1f589c8890b0a4ad41a29d8d6581c9c)
Send dhcp unicast packets to ip4-lookup. Otherwise, these packets
won't reach a dhcp server on a different subnet.
Do an immediate client scan after processing wakeup events.
Calculate the next process wakeup time by scanning all
clients.
Increase maximum (idle, no-clients-configured) timeout to 1000
seconds.
Reduce log spew.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I3d10cd4c353298ed0b19e7e30887dc1d8d07b19e
(cherry picked from commit c54162981cdd41d65ed283df36955007552ddffe)
The code sets f->n_vectors = n_to_send, but it can bail out of the
loop if vlib_buffer_copy(...) returns 0.
Need to fix f->n_vectors in the error return path, or we enqueue some
number of 0xfefefefe buffer indices in a debug image or worse in a
production image.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2d886266006c6c1c2f9ef8e3b95eb46ac6c0b3df
(cherry picked from commit 8324c55f95dd5ddbf1f5f9c47907204a12e152ef)
vlib_buffer_clone(...) may not manage to produce any buffer clones at
all.
vlib_buffer_clone_256 should not smash the original buffer reference
count if no clones are produced.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I14d9d53637a220485c7a0036cfc75a4149b264ea
(cherry picked from commit 95e19253320ab07748787f4c8a7620704563f6b8)
vlib_buffer_copy(...) returns NULL if the system is temporarily out of
buffers.
This is NOT correct. Please don't be this person:
c0 = vlib_buffer_copy (vm, p0);
ci0 = vlib_get_buffer_index (vm, c0);
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ic25ef58965871ea5d2b40904df9506803f69e47e
(cherry picked from commit 954c707972bf7efcd227e26d9679544813a78115)
Add these two packages to requirements.txt so that their version and
the version of their dependencies are pinned to limit the risk of
unexpected breakage.
Change-Id: If330404f2e840af3d2628f997ce406cd14e7e128
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
(cherry picked from commit 1f2e146bd3f78ac6c7caf7ed92eff82a75644de6)
The vpp-make-test-docs-verify jobs started to fail. The last successful run of it shows:
reating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_gbp_tunnel.rst.
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_tunnel.rst.
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vrf.rst.
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/modules.rst.
sphinx-build -b html -d /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/.sphinx-cache /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api -c /w/workspace/vpp-make-test-docs-verify-master/test/doc /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/html
Running Sphinx v2.4.4
making output directory... done
building [mo]: targets for 0 po files that are out of date
building [html]: targets for 161 source files that are out of date
updating environment: [new config] 161 added, 0 changed, 0 removed
reading sources... [ 0%] bfd
reading sources... [ 1%] debug
reading sources... [ 1%] debug_internal
reading sources... [ 2%] discover_tests
The failing jobs show:
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vpp_vxlan_tunnel.rst.
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/vrf.rst.
Creating file /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api/modules.rst.
sphinx-build -b html -d /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/.sphinx-cache /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/api -c /w/workspace/vpp-make-test-docs-verify-master/test/doc /w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc/html
Running Sphinx v3.0.0
making output directory... done
building [mo]: targets for 0 po files that are out of date
building [html]: targets for 161 source files that are out of date
updating environment: [new config] 161 added, 0 changed, 0 removed
reading sources... [ 0%] bfd
Exception occurred:
File "/usr/lib/python3.6/inspect.py", line 516, in unwrap
raise ValueError('wrapper loop when unwrapping {!r}'.format(f))
ValueError: wrapper loop when unwrapping scapy.fields.BitEnumField
The full traceback has been saved in /tmp/sphinx-err-n84dadfq.log, if you want to report the issue to the developers.
Please also report this if it was a user error, so that a better error message can be provided next time.
A bug report can be filed in the tracker at <https://github.com/sphinx-doc/sphinx/issues>. Thanks!
Makefile:39: recipe for target 'html' failed
make[2]: *** [html] Error 2
make[2]: Leaving directory '/w/workspace/vpp-make-test-docs-verify-master/test/doc'
Makefile:274: recipe for target '/w/workspace/vpp-make-test-docs-verify-master/build-root/build-test/doc' failed
Type: fix
Change-Id: Id98c0f94104e455ea819aacec62f605e53db13ce
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit a2ffc6c2fee60a2289aa9aa549de8a88e4ca2d98)
Remove duplicate space allocation for the pool header. Not significant
w/ CLIB_CACHE_LINE_BYTES >= 64 since the code rounds the size of the
pool header to an even multiple of the cache line size.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I923f2a60e7565cf2dfbc18d78264bf82ff30c926
(cherry picked from commit 6e495ce428e110665ee9616e0951015963502cac)
The option parsing loop had "break" statements included in each
'if (unformat (line_input, "this-option ...") option_values=xxx;'
statement.
Result: the code would silently ignore all but the first
option. Probably broken forever, not easy to spot because the code
looks OK even though it's badly broken.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I667bee85b4ca654b53fb3af421f957957ed0f0f8
(cherry picked from commit 7249b90ab21c20138907e692dcb6032aea9e2f0f)
Tap configuration code sets the host mac address
two times. This patch fixes it.
Type: fix
Change-Id: I7bebb9b7f25352a8a9a98bae6a0636757c0cea9c
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 3039753eda526e63d57a09debd3762e5590459df)
host mtu can't be set if tap interface is in namespace.
This patch fixes this issue.
Type: fix
Change-Id: I63811c4b56c708fe708061a8afbaec41994f08ca
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 91592c0c9cdd1bc61a2796e41a8becc30aaf8082)
Type: fix
"set int state <interface> down" puts the virtio device link
down. It will not put the link in the "UP" state when
"set int state <interface> up" is used again to change
the interface to admin up. This patch fixes it.
To test:
create tap
set int state tap0 up
set int state tap0 down
sh hardware
sh int
set int state tap0 up
sh int
sh hardware
Change-Id: I3c0e31539f8a2a1e40220e7fb57eedecf408f067
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 529f0e97b6064039c500adce0d54b738954b2ffa)
Type: fix
Some vhost-backends give used descriptors back
out of order. This patch fixes the native virtio to
handle out-of-order descriptors.
Change-Id: I57323303349f6a385e412ee22772ab979ae8edbf
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
(cherry picked from commit 7f6d145accc6e63b150ab4efc282f19cbe996b57)
Type: fix
It was marked MP safe in the CLI (which it shouldn't be) but
it is not marked MP safe on the API.
Change-Id: I4bdea498a510a8b406d13d62a899b6d03656f7e8
Signed-off-by: Neale Ranns <nranns@cisco.com>
This fixes a bug in the initialization of handoff_out2in_index and
handoff_in2out_index where the node index for out2in was set to the
in2out node, and vice versa.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
(cherry picked from commit dd9aedaf377f4af8620408843bd3e4610d3df5f9)
Fix a bug that caused some input packets to be dropped due to errors of
the type 'ip4 length > l2 length'. The change is related to the second
call to the rdma_device_input_bufs() function that happens when the end
of the ring buffer is reached.
Type: fix
Change-Id: I332d69ab22242b3443a0baca6e5dd86349a54765
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
(cherry picked from commit e5ecf3ea4b456afb710f4ed903cd7e4c1ae87859)
While TSO is supported for Intel NIC, Cisco VIC does not work.
The problem is that txmode offloads are not properly set for
the Cisco VIC when enable-tcp-udp-checksum is configured.
Type: fix
Ticket: VPP-1838
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I72c41db9b327ed8d08ef70d74e8cc6206d4a102f
(cherry picked from commit ac8bb9263438221cc93db62257ffd8db711530e2)
For chain buffer, need to traverse b->next_buffer to transmit all buffers
in the chain. Only set EOP at the last descriptor in the chain to signal
this is a chain descriptor.
Introduce slow path to handle ring wrap. This is needed because chain
buffer may consist of multiple pieces and it may span from near the end of
the ring to the beginning of the ring.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id7c872f3e39e09f3566aa63f3cdba8f40736d508
(cherry picked from commit f7ab7b2d9bc0f42c1e766d22d49dd0dc4f28abb6)
L4 checksums for IPv6 should be calculated using a pseudo header that
includes the source/destination addresses, payload length, and payload
protocol.
ip6_tcp_udp_icmp_compute_checksum() was using the payload length and
protocol from the IPv6 header. If there is a hop-by-hop header (or any
other extension header), the payload length used for the pseudo header
should only include the upper layer header and payload and not the
extension header bytes. Same deal with the protocol, the upper layer
next header value should be used instead of the extension header.
Type: fix
Fixes: cb9cadad57
Change-Id: Ifa2c9ad41c0fc4eea674f0671255b637c8e01f71
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
(cherry picked from commit 97677a26f7c857e7ee0acbdb2c13eef214aa70a8)
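The pseudo-header rule described in the commit message above, as an added stand-alone example (not VPP's ip6_tcp_udp_icmp_compute_checksum(); the function names and the sample packet are constructed for illustration). It walks hop-by-hop, routing and destination-options headers with bounds checks, then uses the upper-layer length and protocol rather than the fields of the fixed IPv6 header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed sample: IPv6 (payload length 20, next header 0) + 8-byte
 * hop-by-hop header (next header 17) + UDP header and "abcd", checksum 0. */
static const uint8_t sample_pkt[60] = {
    0x60,0,0,0, 0,20, 0, 64,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,   /* src 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,   /* dst 2001:db8::2 */
    17,0, 1,4,0,0,0,0,                             /* hop-by-hop, PadN */
    0x12,0x34, 0,53, 0,12, 0,0, 'a','b','c','d' }; /* UDP, length 12 */

/* Big-endian one's-complement accumulation over n bytes. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    return n ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Skip hop-by-hop (0), routing (43) and destination-options (60) headers.
 * Returns the upper-layer offset, or -1 if the chain overruns the payload. */
int ip6_upper_layer(const uint8_t *pkt, size_t len, uint8_t *proto, uint16_t *ulen)
{
    if (len < 40) return -1;
    size_t off = 40, end = 40 + (size_t)(pkt[4] << 8 | pkt[5]);
    uint8_t nh = pkt[6];
    if (end > len) return -1;
    while (nh == 0 || nh == 43 || nh == 60) {
        if (off + 8 > end) return -1;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8; /* units of 8 octets */
        if (off + hlen > end) return -1;
        nh = pkt[off];
        off += hlen;
    }
    *proto = nh; *ulen = (uint16_t)(end - off);
    return (int)off;
}

/* Checksum over pseudo header (addresses, upper-layer length, upper-layer
 * protocol) plus the upper-layer bytes; -1 on a malformed packet. */
int ip6_l4_checksum(const uint8_t *pkt, size_t len)
{
    uint8_t proto; uint16_t ulen;
    int off = ip6_upper_layer(pkt, len, &proto, &ulen);
    if (off < 0) return -1;
    uint32_t sum = csum_add((uint32_t)ulen + proto, pkt + 8, 32);
    sum = csum_add(sum, pkt + off, ulen);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
int main(void) { printf("0x%04x\n", ip6_l4_checksum(sample_pkt, sizeof sample_pkt)); return 0; }
```

Writing the returned value into the UDP checksum field and running the function again yields 0, which is the receiver-side verification.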
Recent modification added a call to vnet_gso_header_offset_parser in the
beginning of vhost_user_handle_tx_offload. The former routine may set tcp or
udp->checksum to 0. While it is appropriate to set it to 0 for the GSO packet,
it is broken and causes a checksum error if the aforementioned routine is called
by a non-GSO packet. The fix is to not call vhost_user_handle_tx_offload
if the buffer does not indicate checksum offload is needed.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I6e699d7a40b7887ff149cd8f77e8f0fa9374ef19
(cherry picked from commit 564e1672917e205d7ae79525bb937df18f8d764b)
fib_walk_sync may call adj_alloc which may cause adj_pool to expand. When
that happens, any previous frame which still uses the old adj pointer needs to
refresh. Failure to do so may access or update the old adj memory
unintentionally and crash mysteriously.
Type: fix
Ticket: VPPSUPP-54
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I173dec4c5ce81c6e26c4fe011b894a7345901b24
(cherry picked from commit 3d5f6229bccf77fcf7e0e17ab4f1b361fedd1b2b)