For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Initializing struct avf_ip6_psh by {0} using gcc with O2 optimize option
will trigger the -Werror=maybe-uninitialized compiling warning on Arm
because gcc compiler will think some members of the struct avf_ip6_psh
may not be initialized, which probably is a false positive in this case.
The compiling error log is shown as below. Avoid this compiling warning
by explicitly declaring the IPv6 src and dst ip in avf_ip6_psh as
ip6_address_t.
ccache /usr/lib/ccache/gcc-10 -DHAVE_FCNTL64 -DHAVE_GETCPU -DHAVE_MEMFD_CREATE -I/home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src -I. -Iinclude -I/home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/plugins -Iplugins -Iplugins/avf -Wno-address-of-packed-member -g -fPIC -Werror -Wall -march=armv8-a+crc -O2 -fstack-protector -DFORTIFY_SOURCE=2 -fno-common -fPIC -DCLIB_MARCH_VARIANT=cortexa72 -march=armv8-a+crc+crypto -mtune=cortex-a72 -DCLIB_N_PREFETCHES=6 -MD -MT plugins/avf/CMakeFiles/avf_plugin_cortexa72.dir/output.c.o -MF plugins/avf/CMakeFiles/avf_plugin_cortexa72.dir/output.c.o.d -o plugins/avf/CMakeFiles/avf_plugin_cortexa72.dir/output.c.o -c /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/plugins/avf/output.c
In file included from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/vector_funcs.h:41,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/vector.h:196,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/string.h:48,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/mem.h:49,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/vec.h:42,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/format.h:44,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/elf.h:41,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/elf_clib.h:41,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vlib/vlib.h:44,
from /home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/plugins/avf/output.c:18:
/home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/plugins/avf/output.c: In function ‘avf_device_class_tx_fn_cortexa72’:
/home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/vppinfra/byte_order.h:59:10: error: ‘*((void *)&psh+32)’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
59 | return __builtin_bswap16 (x);
| ^~~~~~~~~~~~~~~~~~~~~
/home/snowball/tasks/test_vpp_build/test-patch-9/vpp/src/plugins/avf/output.c:115:23: note: ‘*((void *)&psh+32)’ was declared here
115 | struct avf_ip6_psh psh = { 0 };
| ^~~
Type: fix
Change-Id: I2684b101b07823dfacc4a56cc29d152828d0cf37
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
(cherry picked from commit 3daf1f5d3a5918564ae2acdd748b24acaef5bce0)
Fix an issue where multiple VPP instances with DPDK starting at the
same time would not initialize VFs properly. This is done by using the
iavf PMD (where the issue can't be reproduced) instead of the i40evf
PMD.
Type: fix
Ticket: VPP-1943
Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
Change-Id: I023138896610dc2b3bb731759f62afc605e9bb09
When building DPDK with rdma linkage, this patch avoids linking against
useless verb providers. It also hard-codes the library directory to lib
to fix CentOS behavior.
Change-Id: I3acd94adf1b7e59e023346b3c254bd4bba6157df
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
(cherry picked from commit df849f8ea8750e934a7a2c9ea2d5628b0c209056)
The move from ip4(6)_src_address_for_packet to fib_sas4(6)_get changed
the behavior, so that the new looked only to adjacent gleans. This
caused a problem for destinations routed according to FIB table.
To reproduce:
vpp# create tap
vpp# set interface state tap0 up
vpp# set interface ip address tap0 192.168.11.1/24
vpp# ip route add 192.168.20.0/24 via 192.168.11.2
linux$ sudo ip addr add 192.168.20.1/24 dev lo
linux$ sudo ip link set tap0 up
linux$ sudo ip addr add 192.168.11.2/24 dev tap0
vpp# ping 192.168.20.1
Failed: no source address for egress interface
Type: fix
Signed-off-by: Július Milan <julius.milan@pantheon.tech>
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I22899f4dbbf8c1c85ccce72f801b92c183195b5d
(cherry picked from commit 98874cda5853ea2d6b2dc32001b935d394b88430)
Running vpp without any interface configured and then invoking the
binary-api l2_xconnect_dump causes vpp to crash in l2_input_is_xconnect due
to l2input_main.configs has no memory allocated to it, not even for the local
interface which exists all the times.
The reason that l2input_main.configs has no memory allocated to it was due to
gerrit patch 29232 which took out a line in l2input_init
/* Create the config vector */
vec_validate (mp->configs, 100);
The fix is to iterate through l2input_main.configs for each interface in
l2 to call l2_input_is_xconnect when dumping l2_xconnect interfaces.
Type: fix
Fixes: gerrit 29232
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I8d9cba4b7eba4c2e0c60887c4fd57d5ec3b06d3b
(cherry picked from commit 16f08657758db0f32b60cc88644b3a1c8fc28cbc)
Propagate the multi-arch variant selection to interfaces.
Type: fix
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Change-Id: I99c4a7896f172f0d14d2ded22a27383825529a7d
(cherry picked from commit 5a48b3b9d88fa2793793e2bf3db8bf156fe2951f)
The RPM build ends up with "vXX.YY" to vstring,
which is not what we'd expect - so fix it up.
Change-Id: I0af68e69b1e40fc49ade759bb2f0ed9f47614217
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 072def4738f149a6e3f2f3884fae55690d6ad3a1)
Use vlib_buffer_t::current_data instead of
vnet_buffer_opaque_t::l2_hdr_offset to compute l2_len for checksum
offload (l2_hdr_offset might be invalid if packet originates from an L3
interface)
Change-Id: I2031ea6fd6a7af4b6e186751e119ebd6161641b5
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
(cherry picked from commit 533ac64330436752f82477973e4587e2197c4719)
- In a new centos-8 installation, vpp-ext-deps fails on missing
ssl.h header file after 'make install-deps'.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I521d817dd1f1e21aff427d98b9832ea7c7b89339
Minor fixes for Intel AVX-512 alignment, and cache update.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I9f9bebb4ecb3265ffc765affd1ed94d0ba979066
(cherry picked from commit 480600662ccbe6175971053ac732e1e92295a43f)
Fix build errors related to chachapoly when the
system openssl version is < 0x10100000.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I62283fcc44c952ddd4d6a9f621c18e8be1af8af1
(cherry picked from commit bf93c6e9bf340e323157ca2b4ffa8e83a36e5108)
The list of plugins is outdated.
This change introduces a dynamically
generated list of the plugins along with their descriptions,
extracted directly from the sources.
Type: docs
Change-Id: Icb7b65e6b45289e257d71a1c18d10f62ced59cbe
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit 630ca994e0ff210a3de80d73bb395c931d2fd83f)
Switch to markdown format.
Update docs to current production configs. Add remote software
installation scripts.
Type: docs
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ieaf507a4393c1e4600fb40ae0722c52472bb0f8f
(cherry picked from commit 5bfaa6e7e3225f06403be718eb6185b5fad01c91)
Add safeguards when tracing packets to avoid cases where clear trace
was issue while buffers were held in reassembly.
Type: fix
Change-Id: I1bdd1e629e8bc08ce63913fd3c4b2327e47dec04
Signed-off-by: Klement Sekera <ksekera@cisco.com>
- CentOS-7 support has been deprecated.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: If7f1988487d0b63a596dfee9dd03af89fb159573
Split ED and EI nat44 test cases. Added multi worker
support for ED test cases.
Type: refactor
Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882
Signed-off-by: Filip Varga <fivarga@cisco.com>
Add a couple of tests to check l2bd learn limit behaviour
Type: test
Signed-off-by: Jerome Tollet <jtollet@cisco.com>
Change-Id: Iee16c81e5bb41066e3d6446d0e6ea4f389241270
This reverts commit 510aaa8911843206f7b9ff48b41e3c7b8c4a99fe.
Reason for revert: failed in case of no api file in changeset.
Change-Id: I2c6f01b25a35128df870418eef0008766bb590df
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Add lookup/get/set API calls to manage both PCAP and Trace
filtering Classifier tables.
The "lookup" call may be used to identify a Classifier table
within a chain of tables taht matches a particular mask vector.
For efficiency, this call should be used to determine to which
table a match vector should be added.
The "get" calls return the first table within a chain (either
a PCAP or the Trace) set of tables. The "set" call may be
used to add a new table to one such chain. If the "sort_masks"
flag is set, the tables within the chain are ordered such that
the most-specific mask is first, and the least-specific mask
is last. A call that "sets" a chain to ~0 will delete and free
all the tables with a chain.
The PCAP filters are per-interface, with "local0", (that is,
sw_if_index == 0) holding the system-wide PCAP filter.
The Classifier used a reference-counted "set" for each PCAP
or trace filter that it stored. The ref counts were not used,
and the vector of tables was only used temporarily to establish
a sorted order for tables based on masks. None of that
complexity was actually warranted, and where it was used,
the same could be achieved more simply.
Type: refactor
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Icc56116cca91b91c631ca0628e814fb53f3677d2
- For check patchset ignore files outside of src directory
- For check patchset ignore files that have version < 1.0.0
- fix Pylint warnings
- Modify vppapigen_crc to include version in JSON output
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I93f7bebeeaeedc19b2b1e5e135ea1035517d7f76
Signed-off-by: Ole Troan <ot@cisco.com>
Python2 was EOL's in Jan 2020.
RHEL6 was EOL'd in Nov 2020.
Type: fix
Change-Id: Id6910258cfe808c1e6a8fe16334c23d7991509dc
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
format_ip_address() to display {local,remote}_id does not work because
we do not store ip_address_t but ip{4,6}_address_t, hence we lack the
ip_address_family_t version field.
Update format_ikev2_id_type_and_data() to support all types and use it
instead.
Type: fix
Change-Id: I7a81beb0b22fcf1c5d1bf03a32a6cc4f030f4361
Signed-off-by: Benoît Ganne <bganne@cisco.com>
- reduces number of instructions generated 4 times compared to old code
- adds pool_foreach2 which is more friendly to clang-format
Type: improvement
Change-Id: I51e9c7fb09655c60d883987dadf5b2666c12b3f7
Signed-off-by: Damjan Marion <damarion@cisco.com>
This reverts commit bfba2d555331ce67f707e608877e96dbd2aacd80.
Reason for revert: breaks test test_nat44.TestNAT44.test_ipfix_max_sessions
Change-Id: I6eed4d02835ab792e7e3491fc14240cc88a86710
Type: fix
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: feature
This patch bumps DPDK to 20.11. In addtion a few changes are
made:
- Changed dynamic rx offload flag display.
- Updated deprecating options.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I6e4399d551a7eb8e1a9fc9ef6e39e74266450ad4
Previously, RX interface for PPPoE packets was set as the original interface.
Now it is set as corresponding PPPoE interface in the "pppoe-input" node.
We need to do it because otherwise IP or other settings won't be working onto the PPPoE interface (only on original rx interface).
Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: If9cc37608aa5fe685b8278dd99b819b7eddc6c38
Type: improvement
ip4_rewrite_inline_with_gso() did vlib_prefetch_buffer_header() for all nodes.
However it is not necessary for ip-rewrite, it is only needed by ip-midchain.
This patch makes ip4-rewrite prefetches less buffers to save cycles.
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ib82dcb0eda4a2d1d7b8d664f2224d49b72aef50f
Represent enum flags as JSON arrays (as these can have multiple values).
Add unit tests.
Type: improvement
Change-Id: I680c5b6f76ef6f05f360e2f3b9c4cbb927e15d7d
Signed-off-by: Ole Troan <ot@cisco.com>
Type: fix
The code for quota exceeded events is a u32 and was being copied
into ipfix packets in host byte order. Same for the limit field.
Swap the order before copying into packet buffer.
Change-Id: I881766e1c52acc9bebde38d85228fa492214ee21
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
