During deb package build, a .buildinfo file is created at build-root.
Add this to .gitignore.
Type: make
Signed-off-by: Renato Botelho do Couto <renato@netgate.com>
Change-Id: Id86c21e22aa2b9e4b559cfc0bc662de835fa1621
Adding flow cache support to improve inbound IPv4/IPSec Security Policy
Database (SPD) lookup performance. By enabling the flow cache in startup
conf, this replaces a linear O(N) SPD search, with an O(1) hash table
search.
This patch is the ipsec4_input_node counterpart to
https://gerrit.fd.io/r/c/vpp/+/31694, and shares much of the same code,
theory and mechanism of action.
Details about the flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using a hash table without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, the old entry
will be overwritten by the new entry. Worst case is when all the
256 packets in a batch result in collision, falling back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows,
but is configurable by a startup.conf option.
4. Whenever a SPD rule is added/deleted by the control plane, all
current flow cache entries will be invalidated. As the SPD API is
not mp-safe, the data plane will wait for the control plane
operation to complete.
Cache invalidation is via an epoch counter that is incremented on
policy add/del and stored with each entry in the flow cache. If the
epoch counter in the flow cache does not match the current count,
the entry is considered stale, and we fall back to linear search.
The following configurable options are available through startup
conf under the ipsec{} entry:
1. ipv4-inbound-spd-flow-cache on/off - enable SPD flow cache
(default off)
2. ipv4-inbound-spd-hash-buckets %d - set number of hash buckets
(default 4,194,304: ~1 million flows with 25% load factor)
Performance with 1 core, 1 ESP Tunnel, null-decrypt then bypass,
94B (null encrypted packet) for different SPD policy matching indices:
SPD Policy index : 2 10 100 1000
Throughput : Mbps/Mbps Mbps/Mbps Mbps/Mbps Mbps/Mbps
(Baseline/Optimized)
ARM TX2 : 300/290 230/290 70/290 8.5/290
Type: improvement
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I8be2ad4715accbb335c38cd933904119db75827b
The sys/random.h header, which provides the getrandom syscall wrapper,
was only added in glibc2.25. To make it compatible with older version,
we can directly call the syscall.
Type: improvement
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
Change-Id: I93c5f8a49c0323511a4e34273f0b3c0e24663bfd
Type: fix
After changes made in f840880, VRRP IPv6 cannot reply for neighbor
solicitations requesting the link layer address of the configured
virtual address.
VRRP IPv6 enables the vrrp6-nd-input feature in the ip6-local feature
arc for an interface on which a virtual router is configured. When
neighbor solicitations arrive on that interface, ip6-local should start
feature arc walk for that interface and the messages should be processed
by vrrp6-nd-input. The problem is that currently, the feature arc is
started for the interface obtained from the receive DPO that has
interface unset (i.e. max u32) for local mfib entries. Thus, the feature
arc is started not on the interface the messages were received on and
vrrp6-nd-input is not traversed.
With this fix, if interface obtained from the receive DPO is unset, use
RX interface from the buffer to start the ip46-local feature arc.
Also, enable tests of this case for both IPv4 and IPv6 address families
that are currently tagged as extended and not run on every change. They
configure VRRP with priority 255 and are expected to be stable.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I11ef3d5a7a986e04431e8613d1510b8666094bd7
In test_bihash_threads, if a test thread fails to be created,
it is still counted towards the total thread count, which could
lead to never-ending test loop. This patch fixes the issue.
Type: fix
Signed-off-by: Jing Peng <pj.hades@gmail.com>
Change-Id: Ic0f1d4dde9c5ea672b52f0e2e49f16d42f982b77
Use the specified nexthop table id instead of the interface table id.
Type: fix
Change-Id: I61bf61d50d2716fcd9a6e35df4d60222dc4f36d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
This patch fixes test_bihash_unittest in two ways:
1. The number of searches, namely tm->search_iter, defaults to 0,
thus disabling the test. This patch changes the default to 1.
2. Test errors are reported by clib_warning() instead of being
returned, thus the caller test/test_bihash.py is never aware of them.
This patch returns the errors constructed by clib_error_return().
Type: fix
Signed-off-by: Jing Peng <pj.hades@gmail.com>
Change-Id: I60e99a829ebe6aa2a56e7a9332cf973afa100311
clang-14 is default for Upcoming Ubuntu 22.04 LTS...
Type: make
Change-Id: I65328d0e90a4c13d5766e51da8b90a8899b773d9
Signed-off-by: Damjan Marion <dmarion@me.com>
Type: fix
Fixes: 616447c39231
In lcp_router_link_mtu(), either vnet_hw_interface_set_mtu() or
vnet_sw_interface_set_mtu() is called, based on whether this appears to
be a physical interface. The test to determine whether this is true was
incorrect and probably never worked right so vnet_sw_interface_set_mtu()
was always being called. This causes some breakage with Recent changes
to code which manages interface MTUs. Fix the test so the right function
is called.
Change-Id: I1ecccbce37d5a1e53b2349ed40f3d0d27eb03569
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Do not access allocated elements beyond the end of the vector. They are
allocated, but not yet valid both logically (they are at best NULLs) and
according to ASAN.
Type: fix
Change-Id: Iaf43767d6d3bd4c24c7c5a0ba9b3410bbeeb0556
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
The clib interrupt structure has a couple of fields at the start of
the cacheline, and then in the next cacheline it has a bitmap, which
is then followed by an atomic bitmap. The size of the bitmaps is
based on the number of interrupts, and when the memory is allocated
the number of interrupts needed is used to size the overall block of
memory. The interrupts typically map to pool entries, so if we want
to store 512 entries then we store them in indices 0..511. This
would then take 8 6 4bit words, so each bitmap would be this size
when the struct is allocated.
It is possible to walk over the end of the allocated data with certain
sizes, one of which is 512. The reason this happens with 512 is that
the check to see when to exit the loop is returning when offset is
greater than the value needed to fit all the values. In this case
512 >> 6 = 8. If there had only been 511 entries then the size would
have been 511 >> 6 = 7, and so it would have fitted in the space.
Therefore modify the check to also check that we are not looking into
the memory beyond what we have allocated in the case where the
number of interrupt is one of the boundary values like 512.
Also add a similar check first time round the loop as it is
possible we could have ate same problem there too.
Add a new test file to verify the new code works. The old version
of the code made this test fail when run with the address
sanitizer. Without the sanitiser it tended to pass because the
following memory was typically set to 0 even though it was
uninitialised.
Type: fix
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I2ec4afae43d296a5c30299bd7694c072ca76b9a4
Type: improvement
Short message lengths are correctly handled by the code, asserting makes unit tests that verify this behaviour (e.g. test_ip_punt_api_validation) fail/crash with a debug image.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ib3a377e5d49fde0eee252b92f0e58a8a0d0d83ec
An unexpected packet that shows up on a Wireguard interace
that happens not to have a forwarding peer will cause a
segfault trying to index the vector of peers by adjacency.
Rather than segfaulting, recognize a non-adjacent packet
and drop it instead.
This leaves open the question of what _should_ be
happening to, say, IPv6 multicast packets.
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Change-Id: Ic0a29e6cf6fe812a4895ec11bedcca86c62e590b
This patch bumps dpdk version from 21.11 to 22.03.
Type: feature
Signed-off-by: Dastin Wilski <dastin.wilski@gmail.com>
Change-Id: I152a7857378371d3fd26d7473421c2b3113cd3ee
New dpdk version deprecates some macros used by VPP.
This patch changes them to 22.03 version.
Type: improvement
Signed-off-by: Dastin Wilski <dastin.wilski@gmail.com>
Change-Id: Ic362ed318dc1ad88bb682ef13fbd6159171fbaef
New version of dpdk changes some macros names.
This patch ensures VPP will be compatible with older dpdk versions.
Type: improvement
Signed-off-by: Dastin Wilski <dastin.wilski@gmail.com>
Change-Id: I3d9736278e70064610a1dcad5f2d2f6eb26e0d4b
Two similar CLI paths "nat44" and "nat44 add interface address"
caused unexpected behavior. If "nat44 add interface address"
command would fail the vlib cli processing function would
call "nat44" handler. This would also clean any previously
set errors from the first command and basically return
same error returned by "nat44" handler for every failed
command that starts with the same path string.
Fixes nat44-ed and nat44-ei plugin.
Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653
Ticket: VPP-2021
Type: fix
Signed-off-by: Filip Varga <fivarga@cisco.com>
This commit only update is_equal flavours to use
_mm512_cmpneq_epi64_mask() but clang-format decided to also reformat the
whole block.
Type: improvement
Change-Id: I530cf91e8bceaf15022556f803b27de4f8583217
Signed-off-by: Benoît Ganne <bganne@cisco.com>
