ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>

.gitignore

@@ -81,6 +81,7 @@ GTAGS
 /build-root/.doxygen-bootstrap.ok
 /build-root/.doxygen-siphon.dep
 /docs/_build
+/docs/dynamic_includes
 /sphinx_venv
 !/docs/Makefile
 

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2101

Makefile

@@ -122,7 +122,7 @@ ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS_GROUPS = 'C Development Tools and Libraries'
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
 	RPM_DEPENDS += yum-utils
-	RPM_DEPENDS += compat-openssl10
+	RPM_DEPENDS += compat-openssl10 openssl-devel
 	RPM_DEPENDS += python2-devel python36-devel python3-ply
 	RPM_DEPENDS += python3-virtualenv python3-jsonschema
 	RPM_DEPENDS += cmake

build/external/packages/rdma-core.mk

@@ -39,6 +39,7 @@ define  rdma-core_config_cmds
 	  $(CMAKE) -G Ninja $(rdma-core_src_dir) \
 	    -DENABLE_STATIC=1 -DENABLE_RESOLVE_NEIGH=0 -DNO_PYVERBS=1 -DENABLE_VALGRIND=0\
 	    -DCMAKE_BUILD_TYPE=$(RDMA_BUILD_TYPE) -DCMAKE_INSTALL_PREFIX=$(rdma-core_install_dir) \
+	    -DCMAKE_INSTALL_LIBDIR=lib \
 	    -DCMAKE_C_FLAGS='-fPIC -fvisibility=hidden' > $(rdma-core_config_log)
 endef
 
@@ -52,6 +53,8 @@ define  rdma-core_install_cmds
 	find $(rdma-core_install_dir) -name '*.a' -exec mv -v {} $(rdma-core_install_dir)/lib \; >> $(rdma-core_install_log)
 	rmdir -v $(rdma-core_install_dir)/util $(rdma-core_install_dir)/lib/statics >> $(rdma-core_install_log)
 	sed '/Libs.private:/ s/$$/ -lrdma_util -lccan/' -i $(rdma-core_install_dir)/lib/pkgconfig/libibverbs.pc
+	sed '/Libs.private:/ s/ \S*\(rdmav25\)\S*//g'   -i $(rdma-core_install_dir)/lib/pkgconfig/libibverbs.pc
+	sed '/Libs.private:/ s/-lefa//g'                -i $(rdma-core_install_dir)/lib/pkgconfig/libibverbs.pc
 endef
 
 $(eval $(call package,rdma-core))

build/external/patches/dpdk_20.11/0001-net-iavf-deprecate-i40evf-pmd.patch

@@ -0,0 +1,232 @@
+From 7b44e3f10ac886eaece0ee3ed217ba7219ec41c1 Mon Sep 17 00:00:00 2001
+From: Robin Zhang <robinx.zhang@intel.com>
+Date: Mon, 19 Apr 2021 03:05:39 +0000
+Subject: [PATCH] net/iavf: deprecate i40evf pmd
+
+The i40evf PMD will be deprecated, iavf will be the only VF driver for
+Intel 700 serial (i40e) NIC family. To reach this, there will be 2 steps:
+
+Step 1: iavf will be the default VF driver, while i40evf still can be
+selected by devarg: "driver=i40evf".
+This is covered by this patch, which include:
+1) add all 700 serial NIC VF device ID into iavf PMD
+2) skip probe if devargs contain "driver=i40evf" in iavf
+3) continue probe if devargs contain "driver=i40evf" in i40evf
+
+Step 2: i40evf and related devarg are removed, this will happen at DPDK
+21.11
+
+Between step 1 and step 2, no new feature will be added into i40evf except
+bug fix.
+
+Signed-off-by: Robin Zhang <robinx.zhang@intel.com>
+Acked-by: Qi Zhang <qi.z.zhang@intel.com>
+Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
+Acked-by: Beilei Xing <beilei.xing@intel.com>
+---
+ doc/guides/nics/intel_vf.rst         |  6 +++
+ doc/guides/rel_notes/deprecation.rst |  8 ++++
+ drivers/common/iavf/iavf_devids.h    |  2 +
+ drivers/net/i40e/i40e_ethdev_vf.c    | 45 ++++++++++++++++++++++
+ drivers/net/iavf/iavf_ethdev.c       | 57 +++++++++++++++++++++++++++-
+ 5 files changed, 116 insertions(+), 2 deletions(-)
+
+diff --git a/doc/guides/nics/intel_vf.rst b/doc/guides/nics/intel_vf.rst
+index 529ff4a955..fcea8151bf 100644
+--- a/doc/guides/nics/intel_vf.rst
++++ b/doc/guides/nics/intel_vf.rst
+@@ -88,6 +88,12 @@ For more detail on SR-IOV, please refer to the following documents:
+     assignment in hypervisor. Take qemu for example, the device assignment should carry the IAVF device id (0x1889) like
+     ``-device vfio-pci,x-pci-device-id=0x1889,host=03:0a.0``.
+ 
++    Starting from DPDK 21.05, the default VF driver for Intel® 700 Series Ethernet Controller will be IAVF. No new feature
++    will be added into i40evf except bug fix until it's removed in DPDK 21.11. Between DPDK 21.05 and 21.11, by using the
++    ``devargs`` option ``driver=i40evf``, i40evf PMD still can be used on Intel® 700 Series Ethernet Controller, for example::
++
++    -a 81:02.0,driver=i40evf
++
+     When IAVF is backed by an Intel® E810 device, the "Protocol Extraction" feature which is supported by ice PMD is also
+     available for IAVF PMD. The same devargs with the same parameters can be applied to IAVF PMD, for detail please reference
+     the section ``Protocol extraction for per queue`` of ice.rst.
+diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
+index 82c1a90a37..ea41be51a7 100644
+--- a/doc/guides/rel_notes/deprecation.rst
++++ b/doc/guides/rel_notes/deprecation.rst
+@@ -125,3 +125,11 @@ Deprecation Notices
+ * cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
+   content. On Linux and FreeBSD, supported prior to DPDK 20.11,
+   original structure will be kept until DPDK 21.11.
++
++* i40e: As there are both i40evf and iavf pmd, the functions of them are
++  duplicated. And now more and more advanced features are developed on iavf.
++  To keep consistent with kernel driver's name
++  (https://patchwork.ozlabs.org/patch/970154/), i40evf is no need to maintain.
++  Starting from 21.05, the default VF driver of i40e will be iavf, but i40evf
++  can still be used if users specify the devarg "driver=i40evf". I40evf will
++  be deleted in DPDK 21.11.
+diff --git a/drivers/common/iavf/iavf_devids.h b/drivers/common/iavf/iavf_devids.h
+index 722c2e4f49..0f98375a09 100644
+--- a/drivers/common/iavf/iavf_devids.h
++++ b/drivers/common/iavf/iavf_devids.h
+@@ -13,5 +13,7 @@
+ #define IAVF_DEV_ID_VF_HV		0x1571
+ #define IAVF_DEV_ID_ADAPTIVE_VF		0x1889
+ #define IAVF_DEV_ID_X722_VF		0x37CD
++#define IAVF_DEV_ID_X722_A0_VF          0x374D
++
+ 
+ #endif /* _IAVF_DEVIDS_H_ */
+diff --git a/drivers/net/i40e/i40e_ethdev_vf.c b/drivers/net/i40e/i40e_ethdev_vf.c
+index 2909b4d894..b5706a6a7f 100644
+--- a/drivers/net/i40e/i40e_ethdev_vf.c
++++ b/drivers/net/i40e/i40e_ethdev_vf.c
+@@ -1656,9 +1656,53 @@ i40evf_dev_uninit(struct rte_eth_dev *eth_dev)
+ 	return 0;
+ }
+ 
++static int
++i40evf_check_driver_handler(__rte_unused const char *key,
++			    const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++i40evf_driver_selected(struct rte_devargs *devargs)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       i40evf_check_driver_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_i40evf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 	struct rte_pci_device *pci_dev)
+ {
++	if (!i40evf_driver_selected(pci_dev->device.devargs))
++		return 1;
++
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+ 		sizeof(struct i40e_adapter), i40evf_dev_init);
+ }
+@@ -1681,6 +1725,7 @@ static struct rte_pci_driver rte_i40evf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_i40e_vf, rte_i40evf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_i40e_vf, pci_id_i40evf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_i40e_vf, "* igb_uio | vfio-pci");
++RTE_PMD_REGISTER_PARAM_STRING(net_i40e_vf, "driver=i40evf");
+ 
+ static int
+ i40evf_dev_configure(struct rte_eth_dev *dev)
+diff --git a/drivers/net/iavf/iavf_ethdev.c b/drivers/net/iavf/iavf_ethdev.c
+index 4d37722022..721cdcc14e 100644
+--- a/drivers/net/iavf/iavf_ethdev.c
++++ b/drivers/net/iavf/iavf_ethdev.c
+@@ -127,6 +127,10 @@ static int iavf_set_mc_addr_list(struct rte_eth_dev *dev,
+ 
+ static const struct rte_pci_id pci_id_iavf_map[] = {
+ 	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_ADAPTIVE_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF_HV) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_A0_VF) },
+ 	{ .vendor_id = 0, /* sentinel */ },
+ };
+ 
+@@ -2331,10 +2335,59 @@ iavf_dcf_cap_selected(struct rte_devargs *devargs)
+ 	return ret;
+ }
+ 
++static int
++iavf_drv_i40evf_check_handler(__rte_unused const char *key,
++			      const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++iavf_drv_i40evf_selected(struct rte_devargs *devargs, uint16_t device_id)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (device_id != IAVF_DEV_ID_VF &&
++	    device_id != IAVF_DEV_ID_VF_HV &&
++	    device_id != IAVF_DEV_ID_X722_VF &&
++	    device_id != IAVF_DEV_ID_X722_A0_VF)
++		return 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       iavf_drv_i40evf_check_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_iavf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 			     struct rte_pci_device *pci_dev)
+ {
+-	if (iavf_dcf_cap_selected(pci_dev->device.devargs))
++	if (iavf_dcf_cap_selected(pci_dev->device.devargs) ||
++	    iavf_drv_i40evf_selected(pci_dev->device.devargs,
++				     pci_dev->id.device_id))
+ 		return 1;
+ 
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+@@ -2357,7 +2410,7 @@ static struct rte_pci_driver rte_iavf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_iavf, rte_iavf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_iavf, pci_id_iavf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_iavf, "* igb_uio | vfio-pci");
+-RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf");
++RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf driver=i40evf");
+ RTE_LOG_REGISTER(iavf_logtype_init, pmd.net.iavf.init, NOTICE);
+ RTE_LOG_REGISTER(iavf_logtype_driver, pmd.net.iavf.driver, NOTICE);
+ #ifdef RTE_LIBRTE_IAVF_DEBUG_RX
+-- 
+2.20.1
+

docs/Makefile

@@ -27,6 +27,8 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
+# Generate dynamic content
+	@python3 ./includes_renderer.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
 
 spell:

docs/gettingstarted/installing/packages.rst

@@ -35,19 +35,7 @@ vpp-plugins
 
 Vector Packet Processing plugin modules.
 
-* acl
-* dpdk
-* flowprobe
-* gtpu
-* ixge
-* kubeproxy
-* l2e
-* lb
-* memif
-* nat
-* pppoe
-* sixrd
-* stn
+.. include:: ../../dynamic_includes/plugin_list.inc
 
 vpp-dbg
 -------

docs/gettingstarted/installing/ubuntu.rst

@@ -1,11 +1,11 @@
 .. _ubuntu:
 
 .. toctree::
- 
-Ubuntu 18.04 - Setup the FD.io Repository
-==========================================
 
-Choose one of the following releases to install. 
+Ubuntu - Setup the FD.io Repository
+===================================
+
+Choose one of the following releases to install.
 
 Update the OS
 -----------------------
@@ -85,4 +85,4 @@ Uninstall the  packages by running the following command:
 
 .. code-block:: console
 
-  sudo apt-get remove --purge vpp*
+  sudo apt-get remove --purge "vpp*"

docs/includes_renderer.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#  Copyright (c) 2020. Vinci Consulting Corp. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import glob
+import inspect
+import os.path
+import re
+
+
+class ContentRenderer:
+    name = ""
+    curr_path = os.path.abspath(inspect.getsourcefile(lambda: 0))
+    vpp_root = curr_path.rsplit("/", 2)[0]
+    output_dir = f"{vpp_root}/docs/dynamic_includes/"
+
+    def render(self):
+        raise NotImplementedError
+
+
+class PluginRenderer(ContentRenderer):
+    name = "plugin_list.inc"
+
+    plugin_dir = f"{ContentRenderer.vpp_root}/src/plugins"
+
+    pattern = r'VLIB_PLUGIN_REGISTER\s?\(\)\s*=\s*{.*\.description\s?=\s?"([^"]*)".*};'  # noqa: 501
+    regex = re.compile(pattern, re.MULTILINE | re.DOTALL)
+
+    def render(self):
+        with open(f"{self.__class__.output_dir}{self.__class__.name}",
+                  "w") as output:
+            with os.scandir(self.__class__.plugin_dir) as pdir:
+                for entry in sorted(pdir, key=lambda entry: entry.name):
+                    if not entry.name.startswith('.') and entry.is_dir():
+                        description = "<no-description-found>"
+                        # we use glob because a plugin can (ioam for now)
+                        # define the plugin definition in
+                        # a further subdirectory.
+                        for f in glob.iglob(f'{self.__class__.plugin_dir}/'
+                                            f'{entry.name}/**',
+                                            recursive=True):
+                            if f.endswith('.c'):
+                                with open(f, "r", encoding="utf-8") \
+                                        as src:
+                                    for match in self.__class__.regex.finditer(
+                                            src.read()):
+                                        description = "%s" % (match.group(1))
+
+                        output.write(f"* {entry.name} - {description}\n")
+
+
+# if this list grows substantially, we can move the classes to
+# a folder and import them.
+renderers = [PluginRenderer,
+             ]
+
+
+def main():
+    print("rendering dynamic includes...")
+    for renderer in renderers:
+        renderer().render()
+    print("done.")
+
+
+if __name__ == "__main__":
+    main()

docs/usecases/homegateway.rst

@@ -1,285 +0,0 @@
-.. _homegateway:
-
-.. toctree::
-
-Using VPP as a Home Gateway
-===========================
-
-Vpp running on a small system (with appropriate NICs) makes a fine
-home gateway. The resulting system performs far in excess of
-requirements: a TAG=vpp_debug image runs at a vector size of ~1.2
-terminating a 150-mbit down / 10-mbit up cable modem connection.
-
-At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
-can use dnsmasq.
-
-Configuration files
--------------------
-
-/etc/vpp/startup.conf::
-
- unix {
-   nodaemon
-   log /var/log/vpp/vpp.log
-   full-coredump
-   cli-listen /run/vpp/cli.sock
-   startup-config /setup.gate
-   poll-sleep-usec 100
-   gid vpp
- }
- api-segment {
-   gid vpp
- }
- dpdk {
-      dev 0000:03:00.0
-      dev 0000:14:00.0
-      etc.
-  }
-
-  plugins {
-	## Disable all plugins, selectively enable specific plugins
-        ## YMMV, you may wish to enable other plugins (acl, etc.)
-	plugin default { disable }
-	plugin dpdk_plugin.so { enable }
-	plugin nat_plugin.so { enable }
-        ## if you plan to use the time-based MAC filter
-	plugin mactime_plugin.so { enable }
-  }
-
-/etc/dhcp/dhcpd.conf::
-
- subnet 192.168.1.0 netmask 255.255.255.0 {
-   range 192.168.1.10 192.168.1.99;
-   option routers 192.168.1.1;
-   option domain-name-servers 8.8.8.8;
- }
-
-If you decide to enable the vpp dns name resolver, substitute
-192.168.1.2 for 8.8.8.8 in the dhcp server configuration.
-
-/etc/default/isc-dhcp-server::
-
-  # On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
-  #	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-  INTERFACESv4="lstack"
-  INTERFACESv6=""
-
-/etc/ssh/sshd_config::
-
- # What ports, IPs and protocols we listen for
- Port <REDACTED-high-number-port>
- # Change to no to disable tunnelled clear text passwords
- PasswordAuthentication no
-
-For your own comfort and safety, do NOT allow password authentication
-and do not answer ssh requests on port 22. Experience shows several
-hack attempts per hour on port 22, but none (ever) on random
-high-number ports.
-
-vpp configuration (/setup.gate)::
-
-  comment { This is the WAN interface }
-  set int state GigabitEthernet3/0/0 up
-  comment { set int mac address GigabitEthernet3/0/0 mac-to-clone-if-needed }
-  set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate
-
-  comment { Create a BVI loopback interface}
-  loop create
-  set int l2 bridge loop0 1 bvi
-  set int ip address loop0 192.168.1.1/24
-  set int state loop0 up
-
-  comment { Add more inside interfaces as needed ... }
-  set int l2 bridge GigabitEthernet0/14/0 1
-  set int state GigabitEthernet0/14/0 up
-
-  comment { dhcp server and host-stack access }
-  create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
-  set int l2 bridge tap0 1
-  set int state tap0 up
-
-  comment { Configure NAT}
-  nat44 add interface address GigabitEthernet3/0/0
-  set interface nat44 in loop0 out GigabitEthernet3/0/0
-
-  comment { allow inbound ssh to the <REDACTED-high-number-port> }
-  nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp
-
-  comment { if you want to use the vpp DNS server, add the following }
-  comment { Remember to adjust the isc-dhcp-server configuration appropriately }
-  comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053  }
-  comment { bin dns_name_server_add_del 8.8.8.8 }
-  comment { bin dns_name_server_add_del 68.87.74.166 }
-  comment { bin dns_enable_disable }
-  comment { see patch below, which adds these commands }
-  service restart isc-dhcp-server
-
-Systemd configuration
----------------------
-
-In a typical home-gateway use-case, vpp owns the one-and-only WAN link
-with a prayer of reaching the public internet. Simple things like
-updating distro software requires use of the "lstack" interface
-created above, and configuring a plausible upstream DNS name resolver.
-
-Configure /etc/systemd/resolved.conf as follows.
-
-/etc/systemd/resolved.conf::
-
-  [Resolve]
-  DNS=8.8.8.8
-  #FallbackDNS=
-  #Domains=
-  #LLMNR=no
-  #MulticastDNS=no
-  #DNSSEC=no
-  #Cache=yes
-  #DNSStubListener=yes
-
-Netplan configuration
----------------------
-
-If you want to configure a static IP address on one of your
-home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure
-netplan. Netplan is relatively new. It and the network manager GUI and
-can be cranky. In the configuration shown below,
-s/enp4s0/<your-interface>/...
-
-/etc/netplan-01-netcfg.yaml::
-
-  # This file describes the network interfaces available on your system
-  # For more information, see netplan(5).
-  network:
-    version: 2
-    renderer: networkd
-    ethernets:
-      enp4s0:
-        dhcp4: no
-        addresses: [192.168.2.254/24]
-        gateway4: 192.168.2.100
-        nameservers:
-          search: [my.local]
-          addresses: [8.8.8.8]
-
-/etc/systemd/network-10.enp4s0.network::
-
-  [Match]
-  Name=enp4s0
-
-  [Link]
-  RequiredForOnline=no
-
-  [Network]
-  ConfigureWithoutCarrier=true
-  Address=192.168.2.254/24
-
-Note that we've picked an IP address for the home gateway which is on
-an independent unrouteable subnet. This is handy for installing (and
-possibly reverting) new vpp software.
-
-Installing new vpp software
----------------------------
-
-If you're **sure** that a given set of vpp Debian packages will
-install and work properly, you can install them while logged into the
-gateway via the lstack / nat path. This procedure is a bit like
-standing on a rug and yanking it. If all goes well, a perfect
-back-flip occurs.  If not, you may wish that you'd configured a static
-IP address on a reserved Ethernet interface as described above.
-
-Installing a new vpp image via ssh to 192.168.1.2::
-
-  # nohup dpkg -i *.deb >/dev/null 2>&1 &
-
-Within a few seconds, the inbound ssh connection SHOULD begin to respond
-again. If it does not, you'll have to debug the issue(s).
-
-Testing new software
---------------------
-
-If you frequently test new home gateway software, it may be handy to
-set up a test gateway behind your production gateway. This testing
-methodology reduces complaints from family members, to name one benefit.
-
-Change the inside network (dhcp) subnet from 192.168.1.0/24 to
-192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
-reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
-subnet, and you should be all set.
-
-This scenario nats traffic twice: first, from the 192.168.3.0/24
-network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24
-network onto the public internet.
-
-Patches
--------
-
-You'll need this patch to add the "service restart" command::
-
-  diff --git a/src/vpp/vnet/main.c b/src/vpp/vnet/main.c
-  index 6e136e19..69189c93 100644
-  --- a/src/vpp/vnet/main.c
-  +++ b/src/vpp/vnet/main.c
-  @@ -18,6 +18,8 @@
-   #include <vlib/unix/unix.h>
-   #include <vnet/plugin/plugin.h>
-   #include <vnet/ethernet/ethernet.h>
-  +#include <vnet/ip/ip4_packet.h>
-  +#include <vnet/ip/format.h>
-   #include <vpp/app/version.h>
-   #include <vpp/api/vpe_msg_enum.h>
-   #include <limits.h>
-  @@ -400,6 +402,63 @@ VLIB_CLI_COMMAND (test_crash_command, static) = {
-
-   #endif
-
-  +static clib_error_t *
-  +restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
-  +                                    unformat_input_t * input,
-  +                                    vlib_cli_command_t * cmd)
-  +{
-  +  int rv __attribute__((unused));
-  +  /* Wait three seconds... */
-  +  vlib_process_suspend (vm, 3.0);
-  +
-  +  rv = system ("/usr/sbin/service isc-dhcp-server restart");
-  +
-  +  vlib_cli_output (vm, "Restarted the isc-dhcp-server...");
-  +  return 0;
-  +}
-  +
-  +/* *INDENT-OFF* */
-  +VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = {
-  +  .path = "service restart isc-dhcp-server",
-  +  .short_help = "restarts the isc-dhcp-server",
-  +  .function = restart_isc_dhcp_server_command_fn,
-  +};
-  +/* *INDENT-ON* */
-  +
-
-
-Using the time-based mac filter plugin
---------------------------------------
-
-If you need to restrict network access for certain devices to specific
-daily time ranges, configure the "mactime" plugin. Add it to the list
-of enabled plugins in /etc/vpp/startup.conf, then enable the feature
-on the NAT "inside" interfaces::
-
-  bin mactime_enable_disable GigabitEthernet0/14/0
-  bin mactime_enable_disable GigabitEthernet0/14/1
-  ...
-
-Create the required src-mac-address rule database. There are 4 rule
-entry types:
-
-* allow-static - pass traffic from this mac address
-* drop-static - drop traffic from this mac address
-* allow-range - pass traffic from this mac address at specific times
-* drop-range - drop traffic from this mac address at specific times
-
-Here are some examples::
-
-  bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
-  bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
-  bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
-  bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01

docs/usecases/index.rst

@@ -15,8 +15,9 @@ extensive list, but should give a sampling of the many features contained in FD.
    vmxnet3
    acls
    vppcloud
-   homegateway
+   hgw
    contiv/index.rst
    networksim
    webapp
    container_test
+   trafficgen

docs/usecases/trafficgen.md

@@ -0,0 +1,105 @@
+Vpp Stateless Traffic Generation
+================================
+
+It's simple to configure vpp as a high-performance stateless traffic
+generator. A couple of vpp worker threads running on an older system
+can easily generate 20 MPPS' worth of traffic.
+
+In the configurations shown below, we connect a vpp traffic generator
+and a vpp UUT using two 40 gigabit ethernet ports on each system:
+
+```
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 0            | <=======> | port 0            |
+ | 192.168.40.2/24   |           | 192.168.40.1/24   |
+ +-------------------+           +-------------------+
+
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 1            | <=======> | port 1            |
+ | 192.168.41.2/24   |           | 192.168.41.1/24   |
+ +-------------------+           +-------------------+
+```
+
+Traffic Generator Setup Script
+------------------------------
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.2/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.2/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ comment { send traffic to the VPP UUT }
+
+ packet-generator new {
+     name worker0
+     worker 0
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/0
+     node FortyGigabitEthernet2/0/0-output
+     data { IP4: 1.2.40 -> 3cfd.fed0.b6c8
+            UDP: 192.168.40.10 -> 192.168.50.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ packet-generator new {
+     name worker1
+     worker 1
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/1
+     node FortyGigabitEthernet2/0/1-output
+     data { IP4: 1.2.4 -> 3cfd.fed0.b6c9
+            UDP: 192.168.41.10 -> 192.168.51.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ comment { delete return traffic on sight }
+
+ ip route add 192.168.50.0/24 via drop
+ ip route add 192.168.51.0/24 via drop
+```
+
+Note 1: the destination MAC addresses shown in the configuration (e.g.
+3cfd.fed0.b6c8 and 3cfd.fed0.b6c9) **must** match the vpp UUT port MAC
+addresses.
+
+Note 2: this script assumes that /etc/vpp/startup.conf and/or the
+command-line in use specifies (at least) two worker threads. Uncomment
+"workers 2" in the cpu configuration section of /etc/vpp/startup.conf:
+
+```
+ ## Specify a number of workers to be created
+ ## Workers are pinned to N consecutive CPU cores while skipping "skip-cores" CPU core(s)
+ ## and main thread's CPU core
+ workers 2
+```
+
+Any plausible packet generator script - including one which replays
+pcap captures - can be used.
+
+
+UUT Setup Script
+----------------
+
+The vpp UUT uses a couple of static routes to forward traffic back to
+the traffic generator:
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.1/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.1/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ ip route add 192.168.50.10/32 via 192.168.41.2
+ ip route add 192.168.51.10/32 via 192.168.40.2
+```

doxygen/dev_doc.md

@@ -19,4 +19,5 @@ Programming notes for developers.
 - @subpage handoff_queue_demo_plugin
 - @subpage lcov_code_coverage
 - @subpage mdata_doc
+- @subpage mempreload_doc
 

doxygen/test_framework_doc.md

@@ -4,6 +4,8 @@ Test Framework Documentation    {#test_framework_doc}
 PyDoc generated documentation for the "make test" framework is available for
 the following releases:
 
+- [Test framework documentation for VPP 21.01](https://docs.fd.io/vpp/21.01/vpp_make_test/html)
+- [Test framework documentation for VPP 20.09](https://docs.fd.io/vpp/20.09/vpp_make_test/html)
 - [Test framework documentation for VPP 20.05](https://docs.fd.io/vpp/20.05/vpp_make_test/html)
 - [Test framework documentation for VPP 20.01](https://docs.fd.io/vpp/20.01/vpp_make_test/html)
 - [Test framework documentation for VPP 19.08](https://docs.fd.io/vpp/19.08/vpp_make_test/html)

doxygen/user_doc.md

@@ -29,3 +29,5 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage srv6_doc
 - @subpage vcl_ldpreload_doc
 - @subpage vmxnet3_doc
+- @subpage af_xdp_doc
+- @subpage wireguard_plugin_doc

src/plugins/avf/output.c

@@ -47,8 +47,8 @@ struct avf_ip4_psh
 
 struct avf_ip6_psh
 {
-  u32 src[4];
-  u32 dst[4];
+  ip6_address_t src;
+  ip6_address_t dst;
   u32 l4len;
   u32 proto;
 };
@@ -67,7 +67,7 @@ avf_tx_prepare_cksum (vlib_buffer_t * b, u8 is_tso)
   u32 is_ip6 = b->flags & VNET_BUFFER_F_IS_IP6;
   ASSERT (!is_tcp || !is_udp);
   ASSERT (is_ip4 || is_ip6);
-  i16 l2_hdr_offset = vnet_buffer (b)->l2_hdr_offset;
+  i16 l2_hdr_offset = b->current_data;
   i16 l3_hdr_offset = vnet_buffer (b)->l3_hdr_offset;
   i16 l4_hdr_offset = vnet_buffer (b)->l4_hdr_offset;
   u16 l2_len = l3_hdr_offset - l2_hdr_offset;
@@ -113,8 +113,8 @@ avf_tx_prepare_cksum (vlib_buffer_t * b, u8 is_tso)
       else
 	{
 	  struct avf_ip6_psh psh = { 0 };
-	  clib_memcpy_fast (&psh.src, &ip6->src_address, 16);
-	  clib_memcpy_fast (&psh.dst, &ip6->dst_address, 16);
+	  psh.src = ip6->src_address;
+	  psh.dst = ip6->dst_address;
 	  psh.proto = clib_host_to_net_u32 ((u32) ip6->protocol);
 	  psh.l4len = is_tso ? 0 : ip6->payload_length;
 	  sum = ~ip_csum (&psh, sizeof (psh));
@@ -156,9 +156,8 @@ avf_tx_fill_ctx_desc (vlib_main_t * vm, avf_txq_t * txq, avf_tx_desc_t * d,
   /* Acquire a reference on the placeholder buffer */
   ctx_ph->ref_count++;
 
-  u16 l234hdr_sz =
-    vnet_buffer (b)->l4_hdr_offset -
-    vnet_buffer (b)->l2_hdr_offset + vnet_buffer2 (b)->gso_l4_hdr_sz;
+  u16 l234hdr_sz = vnet_buffer (b)->l4_hdr_offset - b->current_data +
+    vnet_buffer2 (b)->gso_l4_hdr_sz;
   u16 tlen = vlib_buffer_length_in_chain (vm, b) - l234hdr_sz;
   d[0].qword[0] = 0;
   d[0].qword[1] = AVF_TXD_DTYP_CTX | AVF_TXD_CTX_CMD_TSO

src/plugins/crypto_openssl/main.c

@@ -253,7 +253,7 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
 			       /* is_gcm */ 1);
 }
 
-static_always_inline u32
+static_always_inline __clib_unused u32
 openssl_ops_enc_chacha20_poly1305 (vlib_main_t * vm, vnet_crypto_op_t * ops[],
 				   vnet_crypto_op_chunk_t * chunks, u32 n_ops,
 				   const EVP_CIPHER * cipher)
@@ -317,7 +317,7 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
 			       /* is_gcm */ 1);
 }
 
-static_always_inline u32
+static_always_inline __clib_unused u32
 openssl_ops_dec_chacha20_poly1305 (vlib_main_t * vm, vnet_crypto_op_t * ops[],
 				   vnet_crypto_op_chunk_t * chunks, u32 n_ops,
 				   const EVP_CIPHER * cipher)

src/plugins/dpdk/device/init.c

@@ -29,6 +29,7 @@
 #include <vlib/vmbus/vmbus.h>
 
 #include <rte_ring.h>
+#include <rte_vect.h>
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -1527,6 +1528,10 @@ dpdk_config (vlib_main_t * vm, unformat_input_t * input)
   ret = rte_eal_init (vec_len (conf->eal_init_args),
 		      (char **) conf->eal_init_args);
 
+  /* enable the AVX-512 vPMDs in DPDK */
+  if (clib_cpu_supports_avx512_bitalg ())
+    rte_vect_set_max_simd_bitwidth (RTE_VECT_SIMD_512);
+
   /* lazy umount hugepages */
   umount2 ((char *) huge_dir_path, MNT_DETACH);
   rmdir ((char *) huge_dir_path);

src/plugins/nat/in2out_ed.c

@@ -366,6 +366,10 @@ slow_path_ed (snat_main_t * sm,
   ip4_address_t sm_addr;
   u16 sm_port;
   u32 sm_fib_index;
+
+  ctx.now = now;
+  ctx.thread_index = thread_index;
+
   /* First try to match static mapping by local address and port */
   if (snat_static_mapping_match
       (sm, l_addr, l_port, rx_fib_index, nat_proto, &sm_addr, &sm_port,
@@ -458,8 +462,6 @@ slow_path_ed (snat_main_t * sm,
   clib_bihash_kv_16_8_t in2out_ed_kv;
   init_ed_kv (&in2out_ed_kv, l_addr, l_port, r_addr, r_port, rx_fib_index,
 	      proto, thread_index, s - tsm->sessions);
-  ctx.now = now;
-  ctx.thread_index = thread_index;
   if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &in2out_ed_kv,
 					       nat44_i2o_ed_is_idle_session_cb,
 					       &ctx))

src/plugins/rdma/input.c

@@ -974,7 +974,7 @@ rdma_device_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 							   n_rx_packets, bc);
 	  n_rx_bytes =
 	    rdma_device_mlx5dv_fast_input (vm, rxq, bufs, mask, &bt, to_next,
-					   n_rx_packets, bc, ~1);
+					   n_rx_packets, bc, ~0);
 
 	  /* If there are chained buffers, some of the head buffers have a current length
 	     higher than buf_sz: it needs to be fixed */

src/plugins/wireguard/README.md

@@ -1,4 +1,4 @@
-# Wireguard vpp-plugin
+# Wireguard vpp-plugin  {#wireguard_plugin_doc}
 
 ## Overview
 This plugin is an implementation of [wireguard protocol](https://www.wireguard.com/) for VPP. It allows one to create secure VPN tunnels.

src/scripts/version

@@ -30,6 +30,11 @@ TAG=$(echo ${vstring} | cut -d- -f1 | sed -e 's/^v//')
 ADD=$(echo ${vstring} | cut -s -d- -f2)
 POINT=$(echo ${TAG} | cut -d. -f3)
 
+# during make pkg-rpm vstring ends up being vXX.YY, which is not what we expect. Fix it up.
+if [ -z "${ADD}" ]; then
+  ADD="0"
+fi
+
 # if this is a "implicit zeroth" release (e.g. 19.08), check if we need to add ".0"
 # to fix the artifact versioning sorting
 if [ -z "${POINT}" ]; then

src/vlib/node_init.c

@@ -40,6 +40,7 @@
 #include <sys/types.h>
 #include <fcntl.h>
 #include <vlib/vlib.h>
+#include <vnet/vnet.h>
 
 typedef struct _vlib_node_march_variant
 {
@@ -89,9 +90,9 @@ unformat_vlib_node_variant (unformat_input_t * input, va_list * args)
 }
 
 static_always_inline void
-vlib_update_nr_variant_default (vlib_node_registration_t * nr, u8 * variant)
+vlib_update_nr_variant_default (vlib_node_fn_registration_t * fnr,
+				u8 * variant)
 {
-  vlib_node_fn_registration_t *fnr = nr->node_fn_registrations;
   vlib_node_fn_registration_t *p_reg = 0;
   vlib_node_fn_registration_t *v_reg = 0;
   u32 tmp;
@@ -127,6 +128,8 @@ vlib_early_node_config (vlib_main_t * vm, unformat_input_t * input)
 {
   clib_error_t *error = 0;
   vlib_node_registration_t *nr, **all;
+  vnet_device_class_t *c;
+  vnet_main_t *vnm = vnet_get_main ();
   unformat_input_t sub_input;
   uword *hash = 0, *p;
   u8 *variant = 0;
@@ -161,10 +164,20 @@ vlib_early_node_config (vlib_main_t * vm, unformat_input_t * input)
 	      nr = vm->node_main.node_registrations;
 	      while (nr)
 		{
-		  vlib_update_nr_variant_default (nr, variant);
+		  vlib_update_nr_variant_default (nr->node_fn_registrations,
+						  variant);
 		  nr = nr->next_registration;
 		}
 
+	      /* also apply it to interfaces */
+	      c = vnm->device_class_registrations;
+	      while (c)
+		{
+		  vlib_update_nr_variant_default (c->tx_fn_registrations,
+						  variant);
+		  c = c->next_class_registration;
+		}
+
 	      vec_free (variant);
 	    }
 	}
@@ -192,7 +205,8 @@ vlib_early_node_config (vlib_main_t * vm, unformat_input_t * input)
 					      "please specify a valid node variant");
 		  vec_add1 (variant, 0);
 
-		  vlib_update_nr_variant_default (nr, variant);
+		  vlib_update_nr_variant_default (nr->node_fn_registrations,
+						  variant);
 
 		  vec_free (variant);
 		}

src/vnet/adj/adj_glean.c

@@ -258,8 +258,8 @@ adj_glean_get_src (fib_protocol_t proto,
                    u32 sw_if_index,
                    const ip46_address_t *nh)
 {
+    const ip46_address_t *conn, *source;
     const ip_adjacency_t *adj;
-    ip46_address_t *conn;
     adj_index_t ai;
 
     if (vec_len(adj_gleans[proto]) <= sw_if_index ||
@@ -274,23 +274,33 @@ adj_glean_get_src (fib_protocol_t proto,
     if (nh)
         pfx.fp_addr = *nh;
 
+    /*
+     * An interface can have more than one glean address. Where
+     * possible we want to return a source address from the same
+     * subnet as the destination. If this is not possible then any address
+     * will do.
+     */
+    source = NULL;
+
     hash_foreach_mem(conn, ai, adj_gleans[proto][sw_if_index],
     ({
         adj = adj_get(ai);
 
         if (adj->sub_type.glean.rx_pfx.fp_len > 0)
         {
+            source = &adj->sub_type.glean.rx_pfx.fp_addr;
+
             /* if no destination is specified use the just glean */
             if (NULL == nh)
-                return (&adj->sub_type.glean.rx_pfx.fp_addr);
+                return (source);
 
             /* check the clean covers the desintation */
             if (fib_prefix_is_cover(&adj->sub_type.glean.rx_pfx, &pfx))
-                return (&adj->sub_type.glean.rx_pfx.fp_addr);
+                return (source);
         }
     }));
 
-    return (NULL);
+    return (source);
 }
 
 void

src/vnet/crypto/crypto.h

@@ -306,7 +306,7 @@ typedef struct
   i16 integ_start_offset;
   u32 crypto_total_length;
   /* adj total_length for integ, e.g.4 bytes for IPSec ESN */
-  u16 integ_length_adj;
+  i16 integ_length_adj;
   u8 *iv;
   union
   {
@@ -605,7 +605,7 @@ vnet_crypto_async_add_to_frame (vlib_main_t * vm,
 				u32 key_index,
 				u32 crypto_len, i16 integ_len_adj,
 				i16 crypto_start_offset,
-				u16 integ_start_offset,
+				i16 integ_start_offset,
 				u32 buffer_index,
 				u16 next_node,
 				u8 * iv, u8 * tag, u8 * aad, u8 flags)

src/vnet/interface.c

@@ -807,7 +807,7 @@ vnet_register_interface (vnet_main_t * vnm,
   vnet_config_main_t *cm;
   u32 hw_index, i;
   char *tx_node_name = NULL, *output_node_name = NULL;
-  vlib_node_function_t *output_node = vnet_interface_output_node_get ();
+  vlib_node_function_t *output_node = vnet_interface_output_node_get (vm);
 
   pool_get (im->hw_interfaces, hw);
   clib_memset (hw, 0, sizeof (*hw));

src/vnet/interface.h

@@ -326,6 +326,7 @@ CLIB_MARCH_SFX (devclass##_tx_fn_multiarch_register) (void)		\
   vlib_node_fn_registration_t *r;					\
   r = &CLIB_MARCH_SFX (devclass##_tx_fn_registration);			\
   r->priority = CLIB_MARCH_FN_PRIORITY();				\
+  r->name = CLIB_MARCH_VARIANT_STR;					\
   r->next_registration = devclass.tx_fn_registrations;			\
   devclass.tx_fn_registrations = r;					\
 }									\
@@ -918,7 +919,7 @@ void vnet_pcap_drop_trace_filter_add_del (u32 error_index, int is_add);
 
 int vnet_interface_name_renumber (u32 sw_if_index, u32 new_show_dev_instance);
 
-vlib_node_function_t *vnet_interface_output_node_get (void);
+vlib_node_function_t *vnet_interface_output_node_get (vlib_main_t * vm);
 
 void vnet_register_format_buffer_opaque_helper
   (vnet_buffer_opquae_formatter_t fn);