ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>

.gitignore

@@ -81,6 +81,7 @@ GTAGS
 /build-root/.doxygen-bootstrap.ok
 /build-root/.doxygen-siphon.dep
 /docs/_build
+/docs/dynamic_includes
 /sphinx_venv
 !/docs/Makefile
 

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2009

MAINTAINERS

@@ -200,17 +200,17 @@ I:	span
 M:	N/A
 F:	src/vnet/span
 
-Crypto native Plugin
+Plugin - Crypto - native
 I:	crypto-native
 M:	Damjan Marion <damarion@cisco.com>
 F:	src/plugins/crypto_native/
 
-Crypto openssl Plugin
+Plugin - Crypto - OpenSSL
 I:	crypto-openssl
 M:	Damjan Marion <damarion@cisco.com>
 F:	src/plugins/crypto_openssl/
 
-Crypto ipsecmb Plugin
+Plugin - Crypto - ipsecmb
 I:	crypto-ipsecmb
 M:	Neale Ranns <nranns@cisco.com>
 F:	src/plugins/crypto_ipsecmb/

Makefile

@@ -55,14 +55,14 @@ endif
 
 ifeq ($(filter ubuntu debian,$(OS_ID)),$(OS_ID))
 PKG=deb
-else ifeq ($(filter rhel centos fedora opensuse opensuse-leap opensuse-tumbleweed,$(OS_ID)),$(OS_ID))
+else ifeq ($(filter rhel centos fedora,$(OS_ID)),$(OS_ID))
 PKG=rpm
 endif
 
 # +libganglia1-dev if building the gmond plugin
 
 DEB_DEPENDS  = curl build-essential autoconf automake ccache
-DEB_DEPENDS += debhelper dkms git libtool libapr1-dev dh-systemd
+DEB_DEPENDS += debhelper dkms git libtool libapr1-dev dh-systemd dh-python
 DEB_DEPENDS += libconfuse-dev git-review exuberant-ctags cscope pkg-config
 DEB_DEPENDS += lcov chrpath autoconf indent clang-format libnuma-dev
 DEB_DEPENDS += python3-all python3-setuptools check
@@ -72,7 +72,7 @@ DEB_DEPENDS += python3-venv  # ensurepip
 DEB_DEPENDS += python3-dev   # needed for python3 -m pip install psutil
 # python3.6 on 16.04 requires python36-dev
 
-LIBFFI=libffi6 # works on all but 20.04
+LIBFFI=libffi6 # works on all but 20.04 and debian-testing
 
 ifeq ($(OS_VERSION_ID),18.04)
 	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
@@ -83,16 +83,17 @@ else ifeq ($(OS_VERSION_ID),20.04)
 	DEB_DEPENDS += libssl-dev
 	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
 	LIBFFI=libffi7
-else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-8)
-	DEB_DEPENDS += libssl-dev
-	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
-	APT_ARGS = -t jessie-backports
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-9)
 	DEB_DEPENDS += libssl1.0-dev
 	DEB_DEPENDS += python-all python-pip
 	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
+else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-10)
+	DEB_DEPENDS += libssl-dev
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
 else
 	DEB_DEPENDS += libssl-dev
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
+	LIBFFI=libffi7
 endif
 
 DEB_DEPENDS += $(LIBFFI)
@@ -108,6 +109,7 @@ RPM_DEPENDS += libuuid-devel
 RPM_DEPENDS += mbedtls-devel
 RPM_DEPENDS += ccache
 RPM_DEPENDS += xmlto
+RPM_DEPENDS += elfutils-libelf-devel
 
 ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS += dnf-utils
@@ -120,7 +122,7 @@ ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS_GROUPS = 'C Development Tools and Libraries'
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
 	RPM_DEPENDS += yum-utils
-	RPM_DEPENDS += compat-openssl10
+	RPM_DEPENDS += compat-openssl10 openssl-devel
 	RPM_DEPENDS += python2-devel python36-devel python3-ply
 	RPM_DEPENDS += python3-virtualenv python3-jsonschema
 	RPM_DEPENDS += cmake
@@ -144,42 +146,6 @@ RPM_DEPENDS_DEBUG  = glibc-debuginfo e2fsprogs-debuginfo
 RPM_DEPENDS_DEBUG += krb5-debuginfo openssl-debuginfo
 RPM_DEPENDS_DEBUG += zlib-debuginfo nss-softokn-debuginfo
 RPM_DEPENDS_DEBUG += yum-plugin-auto-update-debug-info
-# lowercase- replace spaces with dashes.
-SUSE_NAME= $(shell grep '^NAME=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | sed -e 's/ /-/' | awk '{print tolower($$0)}')
-SUSE_ID= $(shell grep '^VERSION_ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | cut -d' ' -f2)
-RPM_SUSE_BUILDTOOLS_DEPS = autoconf automake ccache check-devel chrpath
-RPM_SUSE_BUILDTOOLS_DEPS += clang cmake indent libtool make ninja python3-ply
-
-RPM_SUSE_DEVEL_DEPS = glibc-devel-static libnuma-devel
-RPM_SUSE_DEVEL_DEPS += libopenssl-devel openssl-devel mbedtls-devel libuuid-devel
-
-RPM_SUSE_PYTHON_DEPS = python-devel python3-devel python-pip python3-pip
-RPM_SUSE_PYTHON_DEPS += python-rpm-macros python3-rpm-macros
-
-RPM_SUSE_PLATFORM_DEPS = distribution-release shadow rpm-build
-
-ifeq ($(OS_ID),opensuse)
-ifeq ($(SUSE_NAME),tumbleweed)
-	RPM_SUSE_DEVEL_DEPS = libboost_headers1_68_0-devel-1.68.0  libboost_thread1_68_0-devel-1.68.0 gcc
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-endif
-ifeq ($(SUSE_ID),15.0)
-	RPM_SUSE_DEVEL_DEPS += libboost_headers-devel libboost_thread-devel gcc
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-else
-	RPM_SUSE_DEVEL_DEPS += libboost_headers1_68_0-devel-1.68.0 gcc6
-	RPM_SUSE_PYTHON_DEPS += python-virtualenv
-endif
-endif
-
-ifeq ($(OS_ID),opensuse-leap)
-ifeq ($(SUSE_ID),15.0)
-	RPM_SUSE_DEVEL_DEPS += libboost_headers-devel libboost_thread-devel gcc git curl
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-endif
-endif
-
-RPM_SUSE_DEPENDS += $(RPM_SUSE_BUILDTOOLS_DEPS) $(RPM_SUSE_DEVEL_DEPS) $(RPM_SUSE_PYTHON_DEPS) $(RPM_SUSE_PLATFORM_DEPS)
 
 ifneq ($(wildcard $(STARTUP_DIR)/startup.conf),)
         STARTUP_CONF ?= $(STARTUP_DIR)/startup.conf
@@ -310,13 +276,6 @@ bootstrap:
 .PHONY: install-dep
 install-dep:
 ifeq ($(filter ubuntu debian,$(OS_ID)),$(OS_ID))
-ifeq ($(OS_VERSION_ID),14.04)
-	@sudo -E apt-get $(CONFIRM) $(FORCE) install software-properties-common
-endif
-ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-8)
-	@grep -q jessie-backports /etc/apt/sources.list /etc/apt/sources.list.d/* 2> /dev/null \
-           || ( echo "Please install jessie-backports" ; exit 1 )
-endif
 	@sudo -E apt-get update
 	@sudo -E apt-get $(APT_ARGS) $(CONFIRM) $(FORCE) install $(DEB_DEPENDS)
 else ifneq ("$(wildcard /etc/redhat-release)","")
@@ -326,8 +285,9 @@ ifeq ($(OS_ID),rhel)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
 	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
-	@sudo -E dnf install $(CONFIRM) epel-release
-	@sudo -E dnf config-manager --set-enabled PowerTools
+	@sudo -E dnf install $(CONFIRM) dnf-plugins-core epel-release
+	@sudo -E dnf config-manager --set-enabled \
+          $(shell dnf repolist all 2>/dev/null|grep -i powertools|cut -d' ' -f1)
 	@sudo -E dnf groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)
 else ifeq ($(OS_ID),centos)
@@ -340,17 +300,8 @@ else ifeq ($(OS_ID),fedora)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)
 	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 endif
-else ifeq ($(filter opensuse-tumbleweed,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install -y $(RPM_SUSE_DEPENDS)
-else ifeq ($(filter opensuse-leap,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install  -y $(RPM_SUSE_DEPENDS)
-else ifeq ($(filter opensuse,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install -y $(RPM_SUSE_DEPENDS)
 else
-	$(error "This option currently works only on Ubuntu, Debian, RHEL, CentOS or openSUSE systems")
+	$(error "This option currently works only on Ubuntu, Debian, RHEL, or CentOS systems")
 endif
 	git config commit.template .git_commit_template.txt
 

build/external/packages.mk

@@ -79,7 +79,7 @@ $(B)/.$1.patch.ok: $(B)/.$1.extract.ok
 ifneq ($$(wildcard $$($1_patch_dir)/*.patch),)
 	@for f in $$($1_patch_dir)/*.patch ; do \
 		echo "Applying patch: $$$$(basename $$$$f)" ; \
-		patch -p1 -d $$($1_src_dir) < $$$$f ; \
+		patch -p1 -d $$($1_src_dir) --no-backup-if-mismatch < $$$$f ; \
 	done
 endif
 	@touch $$@

build/external/packages/libbpf.mk

@@ -27,8 +27,10 @@ else
   LIBBPF_CFLAGS+= -O2
 endif
 
-IF_XDP:=$(shell echo "\#include <linux/if_xdp.h>" | $(CC) -E -xc - > /dev/null 2>&1)
-IF_XDP:=$(.SHELLSTATUS)
+# check for libelf, zlib and kernel if_xdp.h presence
+LIBBPF_DEPS_CHECK:="\#include <linux/if_xdp.h>\\n\#include <gelf.h>\\n\#include <zlib.h>\\nint main(void){return 0;}"
+LIBBPF_DEPS_CHECK:=$(shell echo -e $(LIBBPF_DEPS_CHECK) | $(CC) -xc -lelf -lz -o /dev/null - > /dev/null 2>&1)
+LIBBPF_DEPS_CHECK:=$(.SHELLSTATUS)
 
 define  libbpf_config_cmds
 	@true
@@ -46,8 +48,8 @@ define  libbpf_install_cmds
 	$(call libbpf_build_cmds__,install,$(libbpf_install_log))
 endef
 
-ifneq ($(IF_XDP),0)
-  $(warning "linux/if_xdp.h was not found on this system. libbpf will be skipped.")
+ifneq ($(LIBBPF_DEPS_CHECK),0)
+  $(warning "Missing libbpf dependencies. libbpf will be skipped.")
 libbpf-install:
 	@true
 else

build/external/patches/README

@@ -24,7 +24,7 @@ for release tag “v2.2.0” and will create a branch named “two_dot_two”.
 
 5. Create the patch files with format-patch. This creates all the patch files
 for your branch (two_dot_two), with your latest commits as the last ones.
- # git format-patch master..two_dot_two
+ # git format-patch main..two_dot_two
 
 6. Copy, add and commit the new patches into the patches directory.
 

build/external/patches/dpdk_20.08/0001-net-iavf-deprecate-i40evf-pmd.patch

@@ -0,0 +1,232 @@
+From bd048f56bc4b85fed31f34db676f1ad67c86bd16 Mon Sep 17 00:00:00 2001
+From: Robin Zhang <robinx.zhang@intel.com>
+Date: Mon, 19 Apr 2021 03:05:39 +0000
+Subject: [PATCH] net/iavf: deprecate i40evf pmd
+
+The i40evf PMD will be deprecated, iavf will be the only VF driver for
+Intel 700 serial (i40e) NIC family. To reach this, there will be 2 steps:
+
+Step 1: iavf will be the default VF driver, while i40evf still can be
+selected by devarg: "driver=i40evf".
+This is covered by this patch, which include:
+1) add all 700 serial NIC VF device ID into iavf PMD
+2) skip probe if devargs contain "driver=i40evf" in iavf
+3) continue probe if devargs contain "driver=i40evf" in i40evf
+
+Step 2: i40evf and related devarg are removed, this will happen at DPDK
+21.11
+
+Between step 1 and step 2, no new feature will be added into i40evf except
+bug fix.
+
+Signed-off-by: Robin Zhang <robinx.zhang@intel.com>
+Acked-by: Qi Zhang <qi.z.zhang@intel.com>
+Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
+Acked-by: Beilei Xing <beilei.xing@intel.com>
+---
+ doc/guides/nics/intel_vf.rst         |  6 +++
+ doc/guides/rel_notes/deprecation.rst |  8 ++++
+ drivers/common/iavf/iavf_devids.h    |  2 +
+ drivers/net/i40e/i40e_ethdev_vf.c    | 45 ++++++++++++++++++++++
+ drivers/net/iavf/iavf_ethdev.c       | 57 +++++++++++++++++++++++++++-
+ 5 files changed, 116 insertions(+), 2 deletions(-)
+
+diff --git a/doc/guides/nics/intel_vf.rst b/doc/guides/nics/intel_vf.rst
+index ade5152595..b95200698d 100644
+--- a/doc/guides/nics/intel_vf.rst
++++ b/doc/guides/nics/intel_vf.rst
+@@ -88,6 +88,12 @@ For more detail on SR-IOV, please refer to the following documents:
+     assignment in hypervisor. Take qemu for example, the device assignment should carry the IAVF device id (0x1889) like
+     ``-device vfio-pci,x-pci-device-id=0x1889,host=03:0a.0``.
+ 
++    Starting from DPDK 21.05, the default VF driver for Intel® 700 Series Ethernet Controller will be IAVF. No new feature
++    will be added into i40evf except bug fix until it's removed in DPDK 21.11. Between DPDK 21.05 and 21.11, by using the
++    ``devargs`` option ``driver=i40evf``, i40evf PMD still can be used on Intel® 700 Series Ethernet Controller, for example::
++
++    -a 81:02.0,driver=i40evf
++
+ The PCIE host-interface of Intel Ethernet Switch FM10000 Series VF infrastructure
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ 
+diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
+index c2770feeae..25caf4e52d 100644
+--- a/doc/guides/rel_notes/deprecation.rst
++++ b/doc/guides/rel_notes/deprecation.rst
+@@ -335,3 +335,11 @@ Deprecation Notices
+   ``make``. Given environments are too much variables for such a simple script,
+   it will be removed in DPDK 20.11.
+   Some useful parts may be converted into specific scripts.
++
++* i40e: As there are both i40evf and iavf pmd, the functions of them are
++  duplicated. And now more and more advanced features are developed on iavf.
++  To keep consistent with kernel driver's name
++  (https://patchwork.ozlabs.org/patch/970154/), i40evf is no need to maintain.
++  Starting from 21.05, the default VF driver of i40e will be iavf, but i40evf
++  can still be used if users specify the devarg "driver=i40evf". I40evf will
++  be deleted in DPDK 21.11.
+diff --git a/drivers/common/iavf/iavf_devids.h b/drivers/common/iavf/iavf_devids.h
+index 2e63aac289..1c3acb586d 100644
+--- a/drivers/common/iavf/iavf_devids.h
++++ b/drivers/common/iavf/iavf_devids.h
+@@ -13,5 +13,7 @@
+ #define IAVF_DEV_ID_VF_HV		0x1571
+ #define IAVF_DEV_ID_ADAPTIVE_VF		0x1889
+ #define IAVF_DEV_ID_X722_VF		0x37CD
++#define IAVF_DEV_ID_X722_A0_VF          0x374D
++
+ 
+ #endif /* _IAVF_DEVIDS_H_ */
+diff --git a/drivers/net/i40e/i40e_ethdev_vf.c b/drivers/net/i40e/i40e_ethdev_vf.c
+index 69cab8e739..3d61c092d8 100644
+--- a/drivers/net/i40e/i40e_ethdev_vf.c
++++ b/drivers/net/i40e/i40e_ethdev_vf.c
+@@ -1592,9 +1592,53 @@ i40evf_dev_uninit(struct rte_eth_dev *eth_dev)
+ 	return 0;
+ }
+ 
++static int
++i40evf_check_driver_handler(__rte_unused const char *key,
++			    const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++i40evf_driver_selected(struct rte_devargs *devargs)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       i40evf_check_driver_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_i40evf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 	struct rte_pci_device *pci_dev)
+ {
++	if (!i40evf_driver_selected(pci_dev->device.devargs))
++		return 1;
++
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+ 		sizeof(struct i40e_adapter), i40evf_dev_init);
+ }
+@@ -1617,6 +1661,7 @@ static struct rte_pci_driver rte_i40evf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_i40e_vf, rte_i40evf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_i40e_vf, pci_id_i40evf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_i40e_vf, "* igb_uio | vfio-pci");
++RTE_PMD_REGISTER_PARAM_STRING(net_i40e_vf, "driver=i40evf");
+ 
+ static int
+ i40evf_dev_configure(struct rte_eth_dev *dev)
+diff --git a/drivers/net/iavf/iavf_ethdev.c b/drivers/net/iavf/iavf_ethdev.c
+index c3aa4cd725..f22c3ccdb9 100644
+--- a/drivers/net/iavf/iavf_ethdev.c
++++ b/drivers/net/iavf/iavf_ethdev.c
+@@ -76,6 +76,10 @@ static int iavf_dev_filter_ctrl(struct rte_eth_dev *dev,
+ 
+ static const struct rte_pci_id pci_id_iavf_map[] = {
+ 	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_ADAPTIVE_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF_HV) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_A0_VF) },
+ 	{ .vendor_id = 0, /* sentinel */ },
+ };
+ 
+@@ -1516,10 +1520,59 @@ iavf_dcf_cap_selected(struct rte_devargs *devargs)
+ 	return ret;
+ }
+ 
++static int
++iavf_drv_i40evf_check_handler(__rte_unused const char *key,
++			      const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++iavf_drv_i40evf_selected(struct rte_devargs *devargs, uint16_t device_id)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (device_id != IAVF_DEV_ID_VF &&
++	    device_id != IAVF_DEV_ID_VF_HV &&
++	    device_id != IAVF_DEV_ID_X722_VF &&
++	    device_id != IAVF_DEV_ID_X722_A0_VF)
++		return 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       iavf_drv_i40evf_check_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_iavf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 			     struct rte_pci_device *pci_dev)
+ {
+-	if (iavf_dcf_cap_selected(pci_dev->device.devargs))
++	if (iavf_dcf_cap_selected(pci_dev->device.devargs) ||
++	    iavf_drv_i40evf_selected(pci_dev->device.devargs,
++				     pci_dev->id.device_id))
+ 		return 1;
+ 
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+@@ -1542,7 +1595,7 @@ static struct rte_pci_driver rte_iavf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_iavf, rte_iavf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_iavf, pci_id_iavf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_iavf, "* igb_uio | vfio-pci");
+-RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf");
++RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf driver=i40evf");
+ RTE_LOG_REGISTER(iavf_logtype_init, pmd.net.iavf.init, NOTICE);
+ RTE_LOG_REGISTER(iavf_logtype_driver, pmd.net.iavf.driver, NOTICE);
+ #ifdef RTE_LIBRTE_IAVF_DEBUG_RX
+-- 
+2.20.1
+

build/external/patches/dpdk_20.08/0003-backport-dpdk-usertools-support-python-3-only.patch

@@ -0,0 +1,212 @@
+From 858b4575513fe72dce95370944b0da237b755204 Mon Sep 17 00:00:00 2001
+From: Dave Wallace <dwallacelf@gmail.com>
+Date: Thu, 15 Oct 2020 15:22:22 -0400
+Subject: [PATCH] backport dpdk usertools support python 3 only
+
+Applicable usertools section of DPDK patch:
+http://git.dpdk.org/dpdk/commit/?id=3f6f83626cf4967a99382a6518a614a1bf3d2c20
+
+Required to avoid build failure of 'make install-ext-deps' on CentOS-8 due
+to brp-mangle-shebangs failing on un-versioned python shebang (e.g.
+'#! /usr/bin/env python'.
+
+Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
+---
+ usertools/cpu_layout.py                  | 15 ++-------------
+ usertools/dpdk-devbind.py                | 22 ++++------------------
+ usertools/dpdk-pmdinfo.py                |  7 +------
+ usertools/dpdk-telemetry-client.py       | 18 +++---------------
+ usertools/dpdk-telemetry.py              |  2 +-
+ 5 files changed, 11 insertions(+), 53 deletions(-)
+
+diff --git a/usertools/cpu_layout.py b/usertools/cpu_layout.py
+index 5423c7965..cc3963821 100755
+--- a/usertools/cpu_layout.py
++++ b/usertools/cpu_layout.py
+@@ -1,19 +1,8 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ # Copyright(c) 2017 Cavium, Inc. All rights reserved.
+
+-from __future__ import print_function
+-import sys
+-try:
+-    xrange # Python 2
+-except NameError:
+-    xrange = range # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ sockets = []
+ cores = []
+ core_map = {}
+@@ -21,7 +10,7 @@
+ fd = open("{}/kernel_max".format(base_path))
+ max_cpus = int(fd.read())
+ fd.close()
+-for cpu in xrange(max_cpus + 1):
++for cpu in range(max_cpus + 1):
+     try:
+         fd = open("{}/cpu{}/topology/core_id".format(base_path, cpu))
+     except IOError:
+diff --git a/usertools/dpdk-devbind.py b/usertools/dpdk-devbind.py
+index 094c2ffc8..8278a748d 100755
+--- a/usertools/dpdk-devbind.py
++++ b/usertools/dpdk-devbind.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ #
+
+-from __future__ import print_function
+ import sys
+ import os
+ import getopt
+@@ -12,10 +11,6 @@
+ from os.path import exists, abspath, dirname, basename
+ from os.path import join as path_join
+
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ # The PCI base class for all devices
+ network_class = {'Class': '02', 'Vendor': None, 'Device': None,
+                     'SVendor': None, 'SDevice': None}
+@@ -154,14 +149,6 @@ def usage():
+
+     """ % locals())  # replace items from local variables
+
+-
+-# This is roughly compatible with check_output function in subprocess module
+-# which is only available in python 2.7.
+-def check_output(args, stderr=None):
+-    '''Run a command and capture its output'''
+-    return subprocess.Popen(args, stdout=subprocess.PIPE,
+-                            stderr=stderr).communicate()[0]
+-
+ # check if a specific kernel module is loaded
+ def module_is_loaded(module):
+     global loaded_modules
+@@ -218,8 +205,7 @@ def get_pci_device_details(dev_id, probe_lspci):
+     device = {}
+
+     if probe_lspci:
+-        extra_info = check_output(["lspci", "-vmmks", dev_id]).splitlines()
+-
++        extra_info = subprocess.check_output(["lspci", "-vmmks", dev_id]).splitlines()
+         # parse lspci details
+         for line in extra_info:
+             if len(line) == 0:
+@@ -255,7 +241,7 @@ def get_device_details(devices_type):
+     # first loop through and read details for all devices
+     # request machine readable format, with numeric IDs and String
+     dev = {}
+-    dev_lines = check_output(["lspci", "-Dvmmnnk"]).splitlines()
++    dev_lines = subprocess.check_output(["lspci", "-Dvmmnnk"]).splitlines()
+     for dev_line in dev_lines:
+         if len(dev_line) == 0:
+             if device_type_match(dev, devices_type):
+@@ -283,7 +269,7 @@ def get_device_details(devices_type):
+         # check what is the interface if any for an ssh connection if
+         # any to this host, so we can mark it later.
+         ssh_if = []
+-        route = check_output(["ip", "-o", "route"])
++        route = subprocess.check_output(["ip", "-o", "route"])
+         # filter out all lines for 169.254 routes
+         route = "\n".join(filter(lambda ln: not ln.startswith("169.254"),
+                              route.decode().splitlines()))
+diff --git a/usertools/dpdk-pmdinfo.py b/usertools/dpdk-pmdinfo.py
+index f9ed75517..166198279 100755
+--- a/usertools/dpdk-pmdinfo.py
++++ b/usertools/dpdk-pmdinfo.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2016  Neil Horman <nhorman@tuxdriver.com>
+
+@@ -7,8 +7,6 @@
+ # Utility to dump PMD_INFO_STRING support from an object file
+ #
+ # -------------------------------------------------------------------------
+-from __future__ import print_function
+-from __future__ import unicode_literals
+ import json
+ import io
+ import os
+@@ -28,9 +26,6 @@
+ pcidb = None
+
+ # ===========================================
+-if sys.version_info.major < 3:
+-        print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-        print("Please use Python 3 instead", file=sys.stderr)
+
+ class Vendor:
+     """
+diff --git a/usertools/dpdk-telemetry-client.py b/usertools/dpdk-telemetry-client.py
+index 98d28fa89..d8e439027 100755
+--- a/usertools/dpdk-telemetry-client.py
++++ b/usertools/dpdk-telemetry-client.py
+@@ -1,10 +1,7 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2018 Intel Corporation
+
+-from __future__ import print_function
+-from __future__ import unicode_literals
+-
+ import socket
+ import os
+ import sys
+@@ -18,15 +15,6 @@
+ GLOBAL_METRICS_REQ = "{\"action\":0,\"command\":\"global_stat_values\",\"data\":null}"
+ DEFAULT_FP = "/var/run/dpdk/default_client"
+
+-try:
+-    raw_input  # Python 2
+-except NameError:
+-    raw_input = input  # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ class Socket:
+
+     def __init__(self):
+@@ -86,7 +74,7 @@ def requestMetrics(self): # Requests metrics for given client
+
+     def repeatedlyRequestMetrics(self, sleep_time): # Recursively requests metrics for given client
+         print("\nPlease enter the number of times you'd like to continuously request Metrics:")
+-        n_requests = int(raw_input("\n:"))
++        n_requests = int(input("\n:"))
+         print("\033[F") #Removes the user input from screen, cleans it up
+         print("\033[K")
+         for i in range(n_requests):
+@@ -107,7 +95,7 @@ def interactiveMenu(self, sleep_time): # Creates Interactive menu within the scr
+             print("[4] Unregister client")
+
+             try:
+-                self.choice = int(raw_input("\n:"))
++                self.choice = int(input("\n:"))
+                 print("\033[F") #Removes the user input for screen, cleans it up
+                 print("\033[K")
+                 if self.choice == 1:
+diff --git a/usertools/dpdk-telemetry.py b/usertools/dpdk-telemetry.py
+index 8e4039d57..181859658 100755
+--- a/usertools/dpdk-telemetry.py
++++ b/usertools/dpdk-telemetry.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/python3
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2020 Intel Corporation

build/external/rpm/vpp-ext-deps.spec

@@ -1,6 +1,10 @@
 %define _install_dir	/opt/vpp/external/%(uname -m)
 %define _make_args	-C ../.. BUILD_DIR=%{_topdir}/tmp INSTALL_DIR=%{buildroot}%{_install_dir}
 
+%{!?__python3: %global __python3 /usr/bin/python3}
+%global __python %{__python3}
+%global _pylib /usr/lib/python3.6/site-packages
+
 Name:		vpp-ext-deps
 Version:	%{_version}
 Release:	%{_release}

docs/Makefile

@@ -27,6 +27,8 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
+# Generate dynamic content
+	@python3 ./includes_renderer.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
 
 spell:

docs/gettingstarted/index.rst

@@ -11,7 +11,7 @@ code that provides tools that are used in a development environment.
 
 This section covers the following:
 
-* Describes how to manually install VPP Binaries on different OS platforms (Ubuntu, Centos, openSUSE) and then how to configure and use VPP.
+* Describes how to manually install VPP Binaries on different OS platforms (Ubuntu, Centos) and then how to configure and use VPP.
 * Describes the different types of VPP packages, which are used in both basic and developer installs.
 * A VPP tutorial which is a great way to learn VPP basics.
 

docs/gettingstarted/installing/index.rst

@@ -10,8 +10,8 @@ Downloading and Installing VPP
 If you want to use VPP it can be convenient to install the binaries from
 existing packages. This guide describes how to pull, install and run the VPP packages.
 
-This section provides directions on how to Install VPP binaries on Ubuntu, Centos,
-and openSUSE platforms.
+This section provides directions on how to Install VPP binaries on
+Ubuntu, and Centos platforms.
 
 FD.io VPP is installed using Package Cloud. For a complete set of
 instructions on how to install VPP with package cloud please refer
@@ -36,15 +36,6 @@ The following are instructions on how to install VPP on Centos.
 
    centos
 
-Installing on openSUSE
---------------------------------------
-
-The following are instructions on how to install VPP on openSUSE.
-
-.. toctree::
-
-   opensuse
-
 Package Descriptions
 ----------------------------------
 

docs/gettingstarted/installing/opensuse.rst

@@ -1,57 +0,0 @@
-.. _opensuse:
-
-.. toctree::
-
-Installing
-==========
-
-To install VPP on openSUSE, first install the following release, and then execute
-the associated commands.
-
-openSUSE Tumbleweed (rolling release)
-------------------------------------------------------------
-
-.. code-block:: console
-
-   sudo zypper install vpp vpp-plugins
-
-openSUSE Leap 42.3
---------------------------------
-
-.. code-block:: console
-
-   sudo zypper addrepo --name network https://download.opensuse.org/repositories/network/openSUSE_Leap_42.3/network.repo
-   sudo zypper install vpp vpp-plugins
-
-Uninstall
-=========
-
-To uninstall the vpp plugins, run the following command:
-
-.. code-block:: console
-
-   sudo zypper remove -u vpp vpp-plugins
-
-openSUSE Tumbleweed (rolling release)
--------------------------------------
-
-To uninstall the openSUSE Tumbleweed, run the following command:
-
-.. code-block:: console
-
-   sudo zypper remove -u vpp vpp-plugins
-
-openSUSE Leap 42.3
-------------------
-
-.. code-block:: console
-
-   sudo zypper remove -u vpp vpp-plugins
-   sudo zypper removerepo network
-
-For More Information
-====================
-For more information on VPP with openSUSE, please look at the following post.
-
-* https://www.suse.com/communities/blog/vector-packet-processing-vpp-opensuse/
-

docs/gettingstarted/installing/packages.rst

@@ -35,19 +35,7 @@ vpp-plugins
 
 Vector Packet Processing plugin modules.
 
-* acl
-* dpdk
-* flowprobe
-* gtpu
-* ixge
-* kubeproxy
-* l2e
-* lb
-* memif
-* nat
-* pppoe
-* sixrd
-* stn
+.. include:: ../../dynamic_includes/plugin_list.inc
 
 vpp-dbg
 -------

docs/gettingstarted/installing/ubuntu.rst

@@ -1,11 +1,11 @@
 .. _ubuntu:
 
 .. toctree::
- 
-Ubuntu 18.04 - Setup the FD.io Repository
-==========================================
 
-Choose one of the following releases to install. 
+Ubuntu - Setup the FD.io Repository
+===================================
+
+Choose one of the following releases to install.
 
 Update the OS
 -----------------------
@@ -85,4 +85,4 @@ Uninstall the  packages by running the following command:
 
 .. code-block:: console
 
-  sudo apt-get remove --purge vpp*
+  sudo apt-get remove --purge "vpp*"

docs/includes_renderer.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#  Copyright (c) 2020. Vinci Consulting Corp. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import glob
+import inspect
+import os.path
+import re
+
+
+class ContentRenderer:
+    name = ""
+    curr_path = os.path.abspath(inspect.getsourcefile(lambda: 0))
+    vpp_root = curr_path.rsplit("/", 2)[0]
+    output_dir = f"{vpp_root}/docs/dynamic_includes/"
+
+    def render(self):
+        raise NotImplementedError
+
+
+class PluginRenderer(ContentRenderer):
+    name = "plugin_list.inc"
+
+    plugin_dir = f"{ContentRenderer.vpp_root}/src/plugins"
+
+    pattern = r'VLIB_PLUGIN_REGISTER\s?\(\)\s*=\s*{.*\.description\s?=\s?"([^"]*)".*};'  # noqa: 501
+    regex = re.compile(pattern, re.MULTILINE | re.DOTALL)
+
+    def render(self):
+        with open(f"{self.__class__.output_dir}{self.__class__.name}",
+                  "w") as output:
+            with os.scandir(self.__class__.plugin_dir) as pdir:
+                for entry in sorted(pdir, key=lambda entry: entry.name):
+                    if not entry.name.startswith('.') and entry.is_dir():
+                        description = "<no-description-found>"
+                        # we use glob because a plugin can (ioam for now)
+                        # define the plugin definition in
+                        # a further subdirectory.
+                        for f in glob.iglob(f'{self.__class__.plugin_dir}/'
+                                            f'{entry.name}/**',
+                                            recursive=True):
+                            if f.endswith('.c'):
+                                with open(f, "r", encoding="utf-8") \
+                                        as src:
+                                    for match in self.__class__.regex.finditer(
+                                            src.read()):
+                                        description = "%s" % (match.group(1))
+
+                        output.write(f"* {entry.name} - {description}\n")
+
+
+# if this list grows substantially, we can move the classes to
+# a folder and import them.
+renderers = [PluginRenderer,
+             ]
+
+
+def main():
+    print("rendering dynamic includes...")
+    for renderer in renderers:
+        renderer().render()
+    print("done.")
+
+
+if __name__ == "__main__":
+    main()

docs/reference/vppvagrant/Vagrantfile

@@ -9,9 +9,6 @@ Vagrant.configure(2) do |config|
     config.vm.box = "centos/7"
     config.vm.box_version = "1708.01"
     config.ssh.insert_key = false
-  elsif distro == 'opensuse'
-    config.vm.box = "opensuse/openSUSE-42.3-x86_64"
-    config.vm.box_version = "1.0.4.20170726"
   else
     config.vm.box = "puppetlabs/ubuntu-16.04-64-nocm"
   end

docs/reference/vppvagrant/boxSetup.rst

@@ -34,9 +34,6 @@ Looking at the :ref:`vppVagrantfile`, we can see that the default OS is Ubuntu 1
         config.vm.box = "centos/7"
         config.vm.box_version = "1708.01"
         config.ssh.insert_key = false
-      elsif distro == 'opensuse'
-        config.vm.box = "opensuse/openSUSE-42.3-x86_64"
-        config.vm.box_version = "1.0.4.20170726"
       else
         config.vm.box = "puppetlabs/ubuntu-16.04-64-nocm"
 

docs/usecases/index.rst

@@ -20,3 +20,4 @@ extensive list, but should give a sampling of the many features contained in FD.
    networksim
    webapp
    container_test
+   trafficgen

docs/usecases/trafficgen.md

@@ -0,0 +1,105 @@
+Vpp Stateless Traffic Generation
+================================
+
+It's simple to configure vpp as a high-performance stateless traffic
+generator. A couple of vpp worker threads running on an older system
+can easily generate 20 MPPS' worth of traffic.
+
+In the configurations shown below, we connect a vpp traffic generator
+and a vpp UUT using two 40 gigabit ethernet ports on each system:
+
+```
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 0            | <=======> | port 0            |
+ | 192.168.40.2/24   |           | 192.168.40.1/24   |
+ +-------------------+           +-------------------+
+
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 1            | <=======> | port 1            |
+ | 192.168.41.2/24   |           | 192.168.41.1/24   |
+ +-------------------+           +-------------------+
+```
+
+Traffic Generator Setup Script
+------------------------------
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.2/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.2/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ comment { send traffic to the VPP UUT }
+
+ packet-generator new {
+     name worker0
+     worker 0
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/0
+     node FortyGigabitEthernet2/0/0-output
+     data { IP4: 1.2.40 -> 3cfd.fed0.b6c8
+            UDP: 192.168.40.10 -> 192.168.50.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ packet-generator new {
+     name worker1
+     worker 1
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/1
+     node FortyGigabitEthernet2/0/1-output
+     data { IP4: 1.2.4 -> 3cfd.fed0.b6c9
+            UDP: 192.168.41.10 -> 192.168.51.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ comment { delete return traffic on sight }
+
+ ip route add 192.168.50.0/24 via drop
+ ip route add 192.168.51.0/24 via drop
+```
+
+Note 1: the destination MAC addresses shown in the configuration (e.g.
+3cfd.fed0.b6c8 and 3cfd.fed0.b6c9) **must** match the vpp UUT port MAC
+addresses.
+
+Note 2: this script assumes that /etc/vpp/startup.conf and/or the
+command-line in use specifies (at least) two worker threads. Uncomment
+"workers 2" in the cpu configuration section of /etc/vpp/startup.conf:
+
+```
+ ## Specify a number of workers to be created
+ ## Workers are pinned to N consecutive CPU cores while skipping "skip-cores" CPU core(s)
+ ## and main thread's CPU core
+ workers 2
+```
+
+Any plausible packet generator script - including one which replays
+pcap captures - can be used.
+
+
+UUT Setup Script
+----------------
+
+The vpp UUT uses a couple of static routes to forward traffic back to
+the traffic generator:
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.1/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.1/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ ip route add 192.168.50.10/32 via 192.168.41.2
+ ip route add 192.168.51.10/32 via 192.168.40.2
+```

doxygen/Makefile

@@ -35,7 +35,6 @@ OS_ID ?= $(shell grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
 # Package dependencies
 DOC_DEB_DEPENDS = doxygen graphviz python3-pyparsing python3-jinja2
 DOC_RPM_DEPENDS = doxygen graphviz python3-pyparsing python3-jinja2
-DOC_SUSE_RPM_DEPENDS = doxygen graphviz python3-pyparsing python3-Jinja2
 DOC_MAC_BIN_DEPENDS = doxygen dot git
 DOC_MAC_PY_DEPENDS = pyparsing jinja2
 
@@ -156,8 +155,6 @@ else ifeq ($(OS_ID),darwin)
 			false; \
 		); \
 	done
-else ifeq ($(OS_ID),opensuse)
-	@sudo zypper install $(CONFIRM) $(DOC_SUSE_RPM_DEPENDS)
 else
 	$(error "Building documentation currently works only on Ubuntu, CentOS, MacOS and OpenSUSE systems.")
 endif

doxygen/user_doc.md

@@ -4,24 +4,22 @@ User Documentation    {#user_doc}
 Several modules provide operational, dataplane-user focused documentation.
 
 - [GUI guided user demo](https://wiki.fd.io/view/VPP_Sandbox/vpp-userdemo)
+- @subpage af_xdp_doc
 - @subpage avf_plugin_doc
 - @subpage bfd_doc
 - @subpage dpdk_crypto_ipsec_doc
 - @subpage dhcp6_pd_doc
 - @subpage flowprobe_plugin_doc
 - @subpage ioam_plugin_doc
-- @subpage kp_plugin_doc
 - @subpage lacp_plugin_doc
 - @subpage lb_plugin_doc
 - @subpage lldp_doc
 - @subpage map_doc
 - @subpage marvel_plugin_doc
-- @subpage srv6_mobile_plugin
 - @subpage mtu_doc
 - @subpage nat64_doc
 - @subpage nat_ha_doc
 - @subpage qos_doc
-- @subpage quic_doc
 - @subpage rdma_doc
 - @subpage selinux_doc
 - @subpage span_doc
@@ -29,3 +27,4 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage srv6_doc
 - @subpage vcl_ldpreload_doc
 - @subpage vmxnet3_doc
+- @subpage wireguard_plugin_doc

extras/rpm/Makefile

@@ -26,18 +26,7 @@ PC=%
 
 all: RPM
 
-# SUSE rolling-release (a.k.a. Tumbleweed)
-ifeq ($(filter opensuse-tumbleweed,$(OS_ID)),$(OS_ID))
-SPEC_FILE='vpp-suse.spec'
-# SUSE osleap15
-else ifeq ($(filter opensuse-leap,$(OS_ID)),$(OS_ID))
-SPEC_FILE='vpp-suse.spec'
-# SUSE leap42.x
-else ifeq ($(filter opensuse,$(OS_ID)),$(OS_ID))
-SPEC_FILE='vpp-suse.spec'
-else
 SPEC_FILE='vpp.spec'
-endif
 
 spec:
 	@echo $(TARBALL)

extras/rpm/vpp.spec

@@ -60,7 +60,6 @@ BuildRequires: python3, python36-devel, python3-virtualenv
 BuildRequires: cmake
 %else
 %if 0%{rhel} >= 7
-Requires: epel-release
 Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python36
 Requires: boost-filesystem mbedtls libffi-devel
 BuildRequires: epel-release
@@ -150,7 +149,7 @@ This package contains the python bindings for the vpp api
 Summary: VPP api python3 bindings
 Group: Development/Libraries
 Requires: vpp = %{_version}-%{_release}, vpp-lib = %{_version}-%{_release}, libffi-devel
-Requires: python-setuptools
+Requires: python3-setuptools
 
 %description api-python3
 This package contains the python3 bindings for the vpp api
@@ -169,7 +168,10 @@ Requires(post): python3-policycoreutils
 This package contains a tailored VPP SELinux policy
 
 %prep
-%setup -q -n %{name}-%{_version}
+%setup -q -c -T -n %{name}-%{_version}
+cd ..
+unxz --stdout ./SOURCES/%{name}-%{_version}-%{_release}.tar.xz | tar --extract --touch
+cd -
 
 %pre
 # Add the vpp group
@@ -180,7 +182,7 @@ groupadd -f -r vpp
 . /opt/rh/devtoolset-9/enable
 %endif
 %if %{with aesni}
-    make bootstrap
+    make install-dep
     make -C build-root PLATFORM=vpp TAG=%{_vpp_tag} install-packages
 %else
     make bootstrap AESNI=n

extras/scripts/crcchecker.py

@@ -96,19 +96,34 @@ def filelist_from_patchset():
     return set(filelist)
 
 def is_deprecated(d, k):
-    if 'options' in d[k] and 'deprecated' in d[k]['options']:
-        return True
+    if 'options' in d[k]:
+        if 'deprecated' in d[k]['options']:
+            return True
+        # recognize the deprecated format
+        if 'status' in d[k]['options'] and d[k]['options']['status'] == 'deprecated':
+            print("WARNING: please use 'option deprecated;'")
+            return True
     return False
 
 def is_in_progress(d, k):
-    try:
-        if d[k]['options']['status'] == 'in_progress':
+    if 'options' in d[k]:
+        if 'in_progress' in d[k]['options']:
             return True
-    except:
-        return False
+        # recognize the deprecated format
+        if  'status' in d[k]['options'] and d[k]['options']['status'] == 'in_progress':
+            print("WARNING: please use 'option in_progress;'")
+            return True
+    return False
 
-def report(old, new, added, removed, modified, same):
+def report(new, old):
+    added, removed, modified, same = dict_compare(new, old)
     backwards_incompatible = 0
+    # print the full list of in-progress messages
+    # they should eventually either disappear of become supported
+    for k in new.keys():
+        newversion = int(new[k]['version'])
+        if newversion == 0 or is_in_progress(new, k):
+            print(f'in-progress: {k}')
     for k in added:
         print(f'added: {k}')
     for k in removed:
@@ -126,6 +141,17 @@ def report(old, new, added, removed, modified, same):
             print(f'modified: ** {k}')
         else:
             print(f'modified: {k}')
+
+    # check which messages are still there but were marked for deprecation
+    for k in new.keys():
+        newversion = int(new[k]['version'])
+        if newversion > 0 and is_deprecated(new, k):
+            if k in old:
+                if not is_deprecated(old, k):
+                    print(f'deprecated: {k}')
+            else:
+                print(f'added+deprecated: {k}')
+
     return backwards_incompatible
 
 
@@ -150,8 +176,7 @@ def main():
     if args.diff:
         oldcrcs = crc_from_apigen(None, args.diff[0])
         newcrcs = crc_from_apigen(None, args.diff[1])
-        added, removed, modified, same = dict_compare(newcrcs, oldcrcs)
-        backwards_incompatible = report(oldcrcs, newcrcs, added, removed, modified, same)
+        backwards_incompatible = report(newcrcs, oldcrcs)
         sys.exit(0)
 
     # Dump CRC for messages in given files / revision
@@ -186,8 +211,7 @@ def main():
         newcrcs.update(crc_from_apigen(None, f))
         oldcrcs.update(crc_from_apigen(revision, f))
 
-    added, removed, modified, same = dict_compare(newcrcs, oldcrcs)
-    backwards_incompatible = report(oldcrcs, newcrcs, added, removed, modified, same)
+    backwards_incompatible = report(newcrcs, oldcrcs)
 
     if args.check_patchset:
         if backwards_incompatible:

extras/scripts/tests/test_crcchecker.sh

@@ -77,6 +77,29 @@ git add crccheck.api
 git commit -m "deprecated api";
 extras/scripts/crcchecker.py --check-patchset
 
+echo "TEST 7.1: Verify we can delete deprecated message (old/confused style)"
+cat >crccheck_dep.api <<EOL
+option version="1.0.0";
+autoreply define crccheck
+{
+  option status="deprecated";
+  bool foo;
+};
+EOL
+git add crccheck_dep.api
+git commit -m "deprecated api";
+# delete API
+cat >crccheck_dep.api <<EOL
+option version="1.0.0";
+autoreply define crccheck_2
+{
+  bool foo;
+};
+EOL
+git add crccheck_dep.api
+git commit -m "deprecated api";
+extras/scripts/crcchecker.py --check-patchset
+
 echo "TEST 8: Verify that we can not rename a non-deprecated message"
 sed -i -e 's/crccheck_2/crccheck_3/g' crccheck.api
 git add crccheck.api
@@ -107,6 +130,13 @@ git add crccheck.api
 git commit -m "renamed in-progress api";
 extras/scripts/crcchecker.py --check-patchset
 
+echo "TEST11.1: Switch to new designation of in-progress API"
+sed -i -e 's/status="in_progress"/in_progress/g' crccheck.api
+git add crccheck.api
+git commit -m "new designation of in-progress api";
+extras/scripts/crcchecker.py --check-patchset
+
+
 echo "TEST12: Verify we can add a field to an in-progress API"
 sed -i -e 's/foobar;/foobar; bool new_baz;/g' crccheck.api
 git add crccheck.api