11191 Commits

Author SHA1 Message Date
Nathan Skrzypczak
a2c9509a4a docs: convert extras doc md->rst
Type: improvement

Change-Id: Ie3b25a86b99098d2b3a21a11fc73234c8ed589d6
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-13 15:32:22 +00:00
Nathan Skrzypczak
8acc5ee907 libmemif: docs md->rst
Type: improvement

Change-Id: Ibebd2d47a4268189f11601d004073e4858548f25
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-13 15:30:03 +00:00
Jakub Grajciar
87e90830b8 libmemif: update documentation
Type: refactor

Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I0094ea8627cd8bcd5ea119c2fd48f077c8e2e4bb
2021-10-13 15:26:34 +00:00
Xiaoming Jiang
3d3dc2966d session: app name should format with %v
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I2c77066cc9f1d3063373cc9559cc5b369906cc24
2021-10-13 15:25:53 +00:00
Joshua Roys
f9074fc515 nat: fix static mapping segv
Adding a nat44 static mapping during startup on a DHCP interface leads
to a segv via this path:
- dhcp_client_acquire_address
- ip4_add_del_interface_address
- ip4_add_del_interface_address_internal
- nat44_ed_add_del_interface_address_cb
- nat44_ed_add_static_mapping
- ip4_interface_first_address

Type: fix

Signed-off-by: Joshua Roys <roysjosh@gmail.com>
Change-Id: I38dac8a096b052550f2b87b4e13a950d2cd868b0
2021-10-13 14:32:15 +00:00
Benoît Ganne
82f618c35f dpdk: fix vmbus device name parsing
unformat_init_vector() expects a vector, not a NULL-terminated C-string.

Type: fix

Change-Id: I20a266243f63d94b0c6fe24e25ee8346c08c8ff2
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-13 14:31:28 +00:00
Florin Coras
2dfeef522c vapi: fix vapi test coverity warning
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5ecb73009c6ebb00b5d9e14bd09b4b3e80ab5601
2021-10-13 14:31:21 +00:00
Florin Coras
807868da3c vppinfra: fix socket init netns coverity
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4f37c6601ace08ae886b08d2284b413d457e4eae
2021-10-13 14:30:41 +00:00
Florin Coras
3b7003b58a vppinfra: fix format_table coverity warning
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ida114ba35227f70ddd87cad791a21f186be1cba8
2021-10-13 14:30:14 +00:00
Benoît Ganne
57cc4bc4cc vlib: fix vmbus error log
struct dirent *e is freed when calling closedir(). Use ifname instead.

Type: fix

Change-Id: Icc9ca52c33ecc1dee7a9e28802149e4e3e4c8ac0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-13 11:59:33 +02:00
Matthew Smith
ac4e61205d interface: handle error during admin-up correctly
Type: fix

In vnet_sw_interface_set_flags_helper(), the variable old_flags is set
to the original value of vnet_sw_interface_t.flags for an interface. If
an error occurs during the process of bringing an interface up, old_flags
is used to restore the original value.

Before the dev class or hw class admin_up_down_function can be called,
but after modifying vnet_sw_interface_t.flags to its new value,
old_flags is set to the value of vnet_sw_interface_t.flags a second time.
This discards the original flags that were being preserved.

As a result, if an interface is being brought up and the dev class
or hw class function fails, at the end VPP believes that interface is up.
This can cause a crash if packets are routed through the interface
and some RX/TX initialization was not completed because of the error
while bringing the interface up.

Change-Id: Ica6b6bac13c24e88c4136bf084cd392e6217e7d9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-10-13 07:17:54 +00:00
Florin Coras
b5dec932b7 dhcp: fix coverity warning
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2367e86fb22176881d118342f6e991dbc708b1f2
2021-10-12 20:59:48 +00:00
Damjan Marion
21b4e337b6 vppinfra: use unaligned non-vector load/stores in x86 memcpy
Type: fix
Change-Id: I54ef23a52f05cc95210a736f84b927dd69b8a6f7
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-10-12 19:48:02 +00:00
Neale Ranns
e8f57d593e fib: fix the drop counter for ipv6 RPF failures
Type: fix

the only change to the mfib forwarding node is to set the error code, the rest is checkstyle formatting.

The traces previously showed some bogus reason:

00:04:27:325550: ip6-mfib-forward-rpf
  entry 10 itf -1 flags
00:04:27:325551: ip6-drop
    fib:0 adj:10 flow:0
  UDP: fe80::b203:eaff:fe02:604 -> ff02::1:2
    tos 0x00, flow label 0x651ed, hop limit 1, payload length 64
  UDP: 546 -> 547
    length 64, checksum 0xec9a
00:04:27:325551: error-drop
  rx:GigabitEthernet6/0/0
00:04:27:325553: drop
  ip6-input: drops due to concurrent reassemblies limit

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I294684c36edc346b4ebdd83ba66888b3b2197704
2021-10-12 16:55:08 +00:00
Florin Coras
74a25859bd unittest: fix crypto key len coverity warning
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id41e22345be3ec401813ba43ddc7d92666784eb4
2021-10-12 16:54:26 +00:00
Florin Coras
f6e6da9247 api: cli coverity fixes
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I515be7ea213250fe89a2b2be06f3636fe8f493a8
2021-10-12 16:53:56 +00:00
Govindarajan Mohandoss
6d7dfcbfa4 ipsec: Performance improvement of ipsec4_output_node using flow cache
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup
performance. Details about flow cache:
  Mechanism:
  1. First packet of a flow will undergo linear search in SPD
     table. Once a policy match is found, a new entry will be added
     into the flow cache. From 2nd packet onwards, the policy lookup
     will happen in flow cache.
  2. The flow cache is implemented using bihash without collision
     handling. This will avoid the logic to age out or recycle the old
     flows in flow cache. Whenever a collision occurs, old entry will
     be overwritten by the new entry. Worst case is when all the 256
     packets in a batch result in collision and fall back to linear
     search. Average and best case will be O(1).
  3. The size of flow cache is fixed and decided based on the number
     of flows to be supported. The default is set to 1 million flows.
     This can be made as a configurable option as a next step.
  4. Whenever a SPD rule is added/deleted by the control plane, the
     flow cache entries will be completely deleted (reset) in the
     control plane. The assumption here is that SPD rule add/del is not
     a frequent operation from control plane. Flow cache reset is done,
     by putting the data plane in fall back mode, to bypass flow cache
     and do linear search till the SPD rule add/delete operation is
     complete. Once the rule is successfully added/deleted, the data
     plane will be allowed to make use of the flow cache. The flow
     cache will be reset only after flushing out the inflight packets
     from all the worker cores using
     vlib_worker_wait_one_loop().

  Details about bihash usage:
  1. A new bihash template (16_8) is added to support IPv4 5 tuple.
     BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set
     to 1 in the new template. It means only one KVP is supported
     per bucket.
  2. Collision handling is avoided by calling
     BV (clib_bihash_add_or_overwrite_stale) function.
     Through the stale callback function pointer, the KVP entry
     will be overwritten during collision.
  3. Flow cache reset is done using
     BV (clib_bihash_foreach_key_value_pair) function.
     Through the callback function pointer, the KVP value is reset
     to ~0ULL.

  MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt,
  64B for different SPD policy matching indices:

  SPD Policy index    : 1          10         100        1000
  Throughput          : MPPS/MPPS  MPPS/MPPS  MPPS/MPPS  KPPS/MPPS
  (Baseline/Optimized)
  ARM Neoverse N1     : 5.2/4.84   4.55/4.84  2.11/4.84  329.5/4.84
  ARM TX2             : 2.81/2.6   2.51/2.6   1.27/2.6   176.62/2.6
  INTEL SKX           : 4.93/4.48  4.29/4.46  2.05/4.48  336.79/4.47

  Next Steps:
  Following can be made as a configurable option through startup
  conf at IPSec level:
  1. Enable/Disable Flow cache.
  2. Bihash configuration like number of buckets and memory size.
  3. Dual/Quad loop unroll can be applied around bihash to further
     improve the performance.
  4. The same flow cache logic can be applied for IPv6 as well as in
     IPSec inbound direction. A deeper and wider flow cache using
     bihash_40_8 can replace existing bihash_16_8, to make it
     common for both IPv4 and IPv6 in both outbound and
     inbound directions.

Following changes are made based on the review comments:
1. ON/OFF flow cache through startup conf. Default: OFF
2. Flow cache stale entry detection using epoch counter.
3. Avoid host order endianness conversion during flow cache
   lookup.
4. Move IPSec startup conf to a common file.
5. Added SPD flow cache unit test case
6. Replaced bihash with vectors to implement flow cache.
7. ipsec_add_del_policy API is not mpsafe. Cleaned up
   inflight packets check in control plane.

Type: improvement
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006
2021-10-12 16:43:18 +00:00
Florin Coras
d9e9870dd9 session: set actual lcl ip on accepted ct
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic2ba5fa234a394acb524b61573fc49f2d58c2dea
2021-10-12 14:38:43 +00:00
Mohsin Kazmi
fcef34dd1c memif: fix the memif crash when slave disconnect
Type: fix

Fixes: 3effb4e63068 ("memif: integrate with new tx infra")

memif was recently integrated with the new tx infra. But it
introduces a crash when the slave disconnects from the master but
the interface is not deleted. The disconnect routine was missing
the unregister of all tx queues. This patch fixes it.

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I81c59cc1a03561248ec8595d5e3caa54f421833e
2021-10-12 13:09:32 +00:00
Ole Troan
23a15b34e4 Revert "nat: static mappings in flow hash"
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4.

Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12 12:45:56 +02:00
Klement Sekera
69b7599e4b nat: static mappings in flow hash
Put static mappings in flow hash, drop existing hash tables used for
static mappings. Drop refcount variables and use hash table as a single
point of truth. Allow creating a static mapping conflicting with dynamic
mapping, which will take precedence after dynamic mapping is freed, so
that the existing flow can finish transferring data.

Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-10-12 09:58:20 +00:00
Filip Tehlar
5a884ecdd3 api: set missing handlers
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I1fdefeaa4661c03e819b2f2f25762c633f9ab42c
2021-10-11 20:16:58 +00:00
Filip Tehlar
1fa06c9a06 vat: move memset after init
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ia65fd2f99dfe6538411c247aeb9691c590c2e00b
2021-10-11 15:08:25 +00:00
Benoît Ganne
6958c23bd5 l3xc: skip load balancing if not multipath
Type: improvement

Change-Id: I3d8e1c7a83530bbc4b1751358ad7d034476ff13f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-11 14:14:26 +02:00
Nathan Skrzypczak
275bd79634 ip: fix fib and mfib locks
This patch fixes an issue that could cause
fib locks to underflow: if an API user deletes
a fib and quickly recreates it, the fib may not
have been actually deleted. As a result, the
lock would not be incremented on the create call
leading to the fib potentially disappearing
afterwards - or to the lock to underflow when
the fib is deleted again.

In order to keep the existing API semantics,
we use the locks with API and CLI source as flags.
This means we need to use a different counter
for the interface-related locks.

This also prevents an issue where an interface being
bound to a vrf via API and released via CLI could
mess up the lock counter.

Finally, this will help with cleaning up the
interface-related locks on interface deletion
in a later patch.

Type: fix

Change-Id: I93030a7660646d6dd179ddf27fe4e708aa11b90e
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-10-11 12:04:03 +00:00
Nathan Skrzypczak
bd23b405fb docs: nitfixes in FEATURE.yaml
Type: improvement

Change-Id: Iec585880085b12b08594a0640822cd831455d594
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-11 09:05:43 +00:00
Joshua Roys
5e5f800480 af_xdp: ensure at least one queue is created
Attempting to create an af_xdp interface with zerocopy where the
underlying driver didn't support it would lead to a crash due to
queue creation silently failing.

Type: fix

Signed-off-by: Joshua Roys <roysjosh@gmail.com>
Change-Id: Ifd9070b8c2b3023d71120c5cf20f7e89d04e4cb3
2021-10-11 07:37:52 +00:00
Florin Coras
6fff5ef8a9 tls: shutdown openssl context on app close
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie0fde16fb4e41637169474628808fddf343884f3
2021-10-08 20:39:54 +00:00
Artem Glazychev
ea96292985 vxlan-gpe: add udp-port configuration support
similar behavior as here: 839dcc0fb7313638d9b8f52a9db81350dddfe461

Type: improvement

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I1b0a8f8f3dab48839e27df7065cf5f786cf0b5e9
2021-10-08 11:38:56 +00:00
Benoît Ganne
3f59c63960 ikev2: lazy initialization
- do not initialize resources if ikev2 is not used.
- process IKE packets only if we have profile(s) configured

Type: improvement

Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-08 11:18:23 +00:00
Tianyu Li
fa6e7aacfc build: fix centos rpm build
When building the vpp-plugins rpm package, found

/home/vpp/build-root/rpmbuild/vpp-21.10/build-root/\
install-vpp-native/vpp/lib/vpp_plugins: No such file or directory

RPM build errors:
File not found: /home/vpp/build-root/rpmbuild/../usr/lib/vpp_plugins/*

After e3cf4d0 ("build: use GNUInstallDirs install destinations")
vpp_plugins on centos src path changed from lib to lib64
Update RPM spec file accordingly.

Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I9c4d91f97f2faa474bce28893ab763b414f759b8
2021-10-08 11:15:51 +08:00
Benoît Ganne
ac55a722d6 ipsec: fix protect update log if nexthop is NULL
If logging is on, it will try to print the address nh. Make sure it is
not NULL.

Type: fix

Change-Id: I81c0295865901406d86e0d822a103b4d5adffe47
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 16:28:38 +00:00
Artem Glazychev
adf1497ee0 wireguard: peers dump fix
Type: fix

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I4450b8c8b50a3be8d6a399f6a58bc0e8eb500b28
2021-10-07 15:38:50 +00:00
Benoît Ganne
9685624a50 vppinfra: asan: improve overflow semantic
Type: improvement

Change-Id: Ia63899b82e34f179f9efa921e4630b598f2a86cb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 15:36:04 +00:00
Andrew Yourtchenko
9888fdad41 misc: MAINTAINERS fixes for lldp and lisp
They are now plugins

Type: docs
Change-Id: I37d0db10872218cb645feda83fc47b14a57ceada
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-10-07 15:35:12 +00:00
Fan Zhang
f50aab0184 build: fix ipsecmb version check
Type: fix

This patch fixes the chacha20-poly1305 support check in ipsecmb
engine build.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: I74b52a27f78a0f6a65c867dbd44a44a8f4a2ed60
2021-10-07 15:34:48 +00:00
Filip Tehlar
0c56217a30 udp: fix severity error info
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I415d68b39ecac546b531f6eb98bca51e7eb6f7f7
2021-10-07 15:34:31 +00:00
Benoît Ganne
43289951b2 ip: fix path MTU node errors definition
The path mtu node uses errors defined by ip fragmentation.

Type: fix

Change-Id: I1f173955919a4f555ab0309cd8201ec342a0ae92
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 15:22:57 +00:00
Benoît Ganne
c7cceeebb7 ikev2: do not require optional IDr on IKE AUTH
IDr is optional in IKE AUTH from the initiator. In that case, the
responder is free to use any matching profile and fills the
corresponding IDr in the response.
The initiator is then free to accept or reject it.

Type: improvement

Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 15:22:17 +00:00
Benoît Ganne
b37342c5a7 ikev2: add logs in case of parsing errors
Type: improvement

Change-Id: Id0a6a9e68725ea7aa0b7da14cf54d14405a907fb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 15:21:55 +00:00
Benoît Ganne
9d22cb363e ikev2: do not send IDi on responder AUTH
The IDi is not mentioned in the RFC for the responder AUTH message, and
it confuses some IKE implementations.

Type: fix

Change-Id: I2bcefa1efd315412a6f5fa592668d4e0da510264
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07 15:21:11 +00:00
Ed Warnicke
9e17887db9 arp: source address selection
https://gerrit.fd.io/r/c/vpp/+/30197 introduced SAS and inadvertently
broke ping in a variety of situations:

https://jira.fd.io/browse/VPP-1992
https://jira.fd.io/browse/VPP-1970
https://lists.fd.io/g/vpp-dev/topic/84038840

all of which seem to be rooted in situations where there's literally
nothing smarter ping can do for source address selection than
to pick the first IP on the interface.  This can happen for:

1. P2P interfaces, see attempted fix: https://gerrit.fd.io/r/c/vpp/+/32801
2. Interfaces with /32 IP addresses intentionally assigned

After some discussion, this problem was partially fixed in
https://gerrit.fd.io/r/c/vpp/+/33449

Unfortunately, while source selection was fixed in ping, it continued
to be broken in arp/nd.  This gerrit builds on
https://gerrit.fd.io/r/c/vpp/+/33449
and fixes arp/nd.

Type: fix
Ticket: VPP-1970
Ticket: VPP-1992
Fixes: e2fe097424fb169dfe01421ff17b8ccd0c26b4a6

Change-Id: Ief60c321676a15f4f30bf4cd84d50b2f1efec432
Signed-off-by: Ed Warnicke <hagbard@gmail.com>
2021-10-07 13:57:45 +00:00
Ray Kinsella
12ba95bff5 perfmon: Topdown Level 1 support on Snowridge
Enable Topdown Level 1 support on Snowridge,
enabled with standard CPU events on small core.

Type: improvement

Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I58ad09383de7464265ac1b69e683f253591e3b5e
2021-10-07 13:23:06 +00:00
Ray Kinsella
ce45b16156 perfmon: check bundle is supported
Add a check that the bundle is supported before further activation.
Enable different bundles with same name, supported on different platforms.

Type: improvement

Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I73e8bbd1e07c05ebccd9146d48a234eb598a2388
2021-10-07 13:23:06 +00:00
Ray Kinsella
0d3914c026 perfmon: fix peusdo events
Fix pseudo events, missed populating "core" events with pseudo events.

Type: fix
Fixes: bf37bf6f7

Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I569fa876f1b58540adac0b095be0ff4ade664dec
2021-10-07 13:23:06 +00:00
Artem Glazychev
5b5b89a046 ip: check if interface has link-local address (addition)
previous - b31fbc47f5fcf8234c757558d7b0285348774086

Type: fix

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I7ea2d693d3ad5bf41ece066b3511fbfa156c1e4b
2021-10-06 21:34:31 +00:00
Artem Glazychev
dd630d15d3 wireguard: add events for peer
we can receive events from peer about its state:
-WIREGUARD_PEER_STATUS_DEAD
-WIREGUARD_PEER_ESTABLISHED

Type: improvement
Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06 21:32:33 +00:00
Filip Tehlar
22efac3b53 session: fix severity info
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I6548274f8c0ae2a183b1d221cb195de445c2819f
2021-10-06 17:58:23 +00:00
Artem Glazychev
7dd3b5b5e3 wireguard: add ipv6 support
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-06 17:57:46 +00:00
Filip Tehlar
0c4931cb35 tcp: fix severity info
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe39bc045c3b154209a83b59ef95a37c61b32c0c
2021-10-06 17:54:32 +00:00