sr: use correct reply to sr_policy_add_v2

Type: fix
Fixes: c4c205b091934d96a173f4c0d75ef7e888298ac7

Change-Id: I110729601a9f19451297883b781ec56e2b31465b
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
(cherry picked from commit 3a05db6264a4b2edf1fc7e6c35ee3b688baa463a)

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2310

docs/aboutvpp/releasenotes/index.rst

@@ -6,6 +6,7 @@ Release notes
 .. toctree::
     :maxdepth: 2
 
+    v23.10
     v23.06
     v23.02
     v22.10.1

extras/scripts/crcchecker.py

@@ -82,13 +82,15 @@ def filelist_from_git_ls():
 
 def is_uncommitted_changes():
     """Returns true if there are uncommitted changes in the repo"""
-    git_status = "git status --porcelain -uno"
-    returncode = run(git_status.split(), stdout=PIPE, stderr=PIPE)
-    if returncode.returncode != 0:
-        sys.exit(returncode.returncode)
+    # Don't run this check in the Jenkins CI
+    if os.getenv("FDIOTOOLS_IMAGE") is None:
+        git_status = "git status --porcelain -uno"
+        returncode = run(git_status.split(), stdout=PIPE, stderr=PIPE)
+        if returncode.returncode != 0:
+            sys.exit(returncode.returncode)
 
-    if returncode.stdout:
-        return True
+        if returncode.stdout:
+            return True
     return False
 
 

src/plugins/dpdk/cryptodev/cryptodev.c

@@ -672,50 +672,73 @@ cryptodev_show_cache_rings_fn (vlib_main_t *vm, unformat_input_t *input,
 {
   cryptodev_main_t *cmt = &cryptodev_main;
   u32 thread_index = 0;
+  u16 i;
   vec_foreach_index (thread_index, cmt->per_thread_data)
     {
       cryptodev_engine_thread_t *cet = cmt->per_thread_data + thread_index;
       cryptodev_cache_ring_t *ring = &cet->cache_ring;
       u16 head = ring->head;
       u16 tail = ring->tail;
-      u16 n_cached = ((head == tail) && (ring->frames[head].f == 0)) ?
-			     0 :
-		     ((head == tail) && (ring->frames[head].f != 0)) ?
-			     (CRYPTODEV_CACHE_QUEUE_MASK + 1) :
-		     (head > tail) ?
-			     (head - tail) :
-			     (CRYPTODEV_CACHE_QUEUE_MASK - tail + head);
+      u16 n_cached = (CRYPTODEV_CACHE_QUEUE_SIZE - tail + head) &
+		     CRYPTODEV_CACHE_QUEUE_MASK;
 
       u16 enq_head = ring->enq_head;
       u16 deq_tail = ring->deq_tail;
       u16 n_frames_inflight =
-	((enq_head == deq_tail) && (ring->frames[enq_head].f == 0)) ?
+	(enq_head == deq_tail) ?
 		0 :
-	((enq_head == deq_tail) && (ring->frames[enq_head].f != 0)) ?
-		CRYPTODEV_CACHE_QUEUE_MASK + 1 :
-	(enq_head > deq_tail) ?
-		(enq_head - deq_tail) :
-		(CRYPTODEV_CACHE_QUEUE_MASK - deq_tail + enq_head);
-
+		((CRYPTODEV_CACHE_QUEUE_SIZE + enq_head - deq_tail) &
+	   CRYPTODEV_CACHE_QUEUE_MASK);
+      /* even if some elements of dequeued frame are still pending for deq
+       * we consider the frame as processed */
       u16 n_frames_processed =
-	((tail == deq_tail) && (ring->frames[deq_tail].f == 0)) ? 0 :
-	((tail == deq_tail) && (ring->frames[deq_tail].f != 0)) ? 1 :
-	(deq_tail > tail) ? (deq_tail - tail + 1) :
-				  (CRYPTODEV_CACHE_QUEUE_MASK - tail + deq_tail - 1);
+	((tail == deq_tail) && (ring->frames[deq_tail].f == 0)) ?
+		0 :
+		((CRYPTODEV_CACHE_QUEUE_SIZE - tail + deq_tail) &
+	   CRYPTODEV_CACHE_QUEUE_MASK) +
+	    1;
+      /* even if some elements of enqueued frame are still pending for enq
+       * we consider the frame as enqueued */
+      u16 n_frames_pending =
+	(head == enq_head) ? 0 :
+				   ((CRYPTODEV_CACHE_QUEUE_SIZE - enq_head + head) &
+			      CRYPTODEV_CACHE_QUEUE_MASK) -
+			       1;
+
+      u16 elts_to_enq =
+	(ring->frames[enq_head].n_elts - ring->frames[enq_head].enq_elts_head);
+      u16 elts_to_deq =
+	(ring->frames[deq_tail].n_elts - ring->frames[deq_tail].deq_elts_tail);
+
+      u32 elts_total = 0;
+
+      for (i = 0; i < CRYPTODEV_CACHE_QUEUE_SIZE; i++)
+	elts_total += ring->frames[i].n_elts;
 
       if (vlib_num_workers () > 0 && thread_index == 0)
 	continue;
 
       vlib_cli_output (vm, "\n\n");
-      vlib_cli_output (vm, "Frames total: %u", n_cached);
-      vlib_cli_output (vm, "Frames pending in the ring: %u",
-		       n_cached - n_frames_inflight - n_frames_processed);
+      vlib_cli_output (vm, "Frames cached in the ring: %u", n_cached);
+      vlib_cli_output (vm, "Frames cached but not processed: %u",
+		       n_frames_pending);
       vlib_cli_output (vm, "Frames inflight: %u", n_frames_inflight);
-      vlib_cli_output (vm, "Frames dequed but not returned: %u",
-		       n_frames_processed);
+      vlib_cli_output (vm, "Frames processed: %u", n_frames_processed);
+      vlib_cli_output (vm, "Elements total: %u", elts_total);
       vlib_cli_output (vm, "Elements inflight: %u", cet->inflight);
-      vlib_cli_output (vm, "Head: %u", head);
-      vlib_cli_output (vm, "Tail: %u", tail);
+      vlib_cli_output (vm, "Head index: %u", head);
+      vlib_cli_output (vm, "Tail index: %u", tail);
+      vlib_cli_output (vm, "Current frame index beeing enqueued: %u",
+		       enq_head);
+      vlib_cli_output (vm, "Current frame index being dequeued: %u", deq_tail);
+      vlib_cli_output (vm,
+		       "Elements in current frame to be enqueued: %u, waiting "
+		       "to be enqueued: %u",
+		       ring->frames[enq_head].n_elts, elts_to_enq);
+      vlib_cli_output (vm,
+		       "Elements in current frame to be dequeued: %u, waiting "
+		       "to be dequeued: %u",
+		       ring->frames[deq_tail].n_elts, elts_to_deq);
       vlib_cli_output (vm, "\n\n");
     }
   return 0;

src/plugins/dpdk/cryptodev/cryptodev.h

@@ -32,6 +32,7 @@
 #define CRYPTODEV_MAX_IV_SIZE	   16
 #define CRYPTODEV_MAX_AAD_SIZE	   16
 #define CRYPTODEV_MAX_N_SGL	   8 /**< maximum number of segments */
+#define CRYPTODEV_MAX_PROCESED_IN_CACHE_QUEUE 8
 
 #define CRYPTODEV_IV_OFFSET  (offsetof (cryptodev_op_t, iv))
 #define CRYPTODEV_AAD_OFFSET (offsetof (cryptodev_op_t, aad))
@@ -303,19 +304,24 @@ cryptodev_cache_ring_push (cryptodev_cache_ring_t *r,
 			   vnet_crypto_async_frame_t *f)
 {
   u16 head = r->head;
+  u16 tail = r->tail;
+
   cryptodev_cache_ring_elt_t *ring_elt = &r->frames[head];
   /**
    * in debug mode we do the ring sanity test when a frame is enqueued to
    * the ring.
    **/
 #if CLIB_DEBUG > 0
-  u16 tail = r->tail;
   u16 n_cached = (head >= tail) ? (head - tail) :
 					(CRYPTODEV_CACHE_QUEUE_MASK - tail + head);
-  ERROR_ASSERT (n_cached < VNET_CRYPTO_FRAME_POOL_SIZE);
+  ERROR_ASSERT (n_cached < CRYPTODEV_CACHE_QUEUE_SIZE);
   ERROR_ASSERT (r->raw == 0 && r->frames[head].raw == 0 &&
 		r->frames[head].f == 0);
 #endif
+  /*the ring capacity is CRYPTODEV_CACHE_QUEUE_SIZE - 1*/
+  if (PREDICT_FALSE (head + 1) == tail)
+    return 0;
+
   ring_elt->f = f;
   ring_elt->n_elts = f->n_elts;
   /* update head */

src/plugins/dpdk/cryptodev/cryptodev_op_data_path.c

@@ -148,6 +148,9 @@ cryptodev_frame_linked_algs_enqueue (vlib_main_t *vm,
   cryptodev_cache_ring_elt_t *ring_elt =
     cryptodev_cache_ring_push (ring, frame);
 
+  if (PREDICT_FALSE (ring_elt == NULL))
+    return -1;
+
   ring_elt->aad_len = 1;
   ring_elt->op_type = (u8) op_type;
   return 0;
@@ -295,6 +298,10 @@ cryptodev_frame_aead_enqueue (vlib_main_t *vm,
   ERROR_ASSERT (frame->n_elts > 0);
   cryptodev_cache_ring_elt_t *ring_elt =
     cryptodev_cache_ring_push (ring, frame);
+
+  if (PREDICT_FALSE (ring_elt == NULL))
+    return -1;
+
   ring_elt->aad_len = aad_len;
   ring_elt->op_type = (u8) op_type;
   return 0;
@@ -462,7 +469,7 @@ cryptodev_frame_dequeue_internal (vlib_main_t *vm, u32 *nb_elts_processed,
   vnet_crypto_async_frame_t *frame = NULL;
   cryptodev_cache_ring_t *ring = &cet->cache_ring;
   u16 *const deq = &ring->deq_tail;
-  u16 n_deq, idx, left_to_deq, i;
+  u16 n_deq, left_to_deq;
   u16 max_to_deq = 0;
   u16 inflight = cet->inflight;
   u8 dequeue_more = 0;
@@ -472,29 +479,12 @@ cryptodev_frame_dequeue_internal (vlib_main_t *vm, u32 *nb_elts_processed,
   u32 n_elts, n;
   u64 err0 = 0, err1 = 0, err2 = 0, err3 = 0; /* partial errors mask */
 
-  idx = ring->deq_tail;
-
-  for (i = 0; i < VNET_CRYPTO_FRAME_POOL_SIZE; i++)
-    {
-      u32 frame_inflight =
-	CRYPTODEV_CACHE_RING_GET_FRAME_ELTS_INFLIGHT (ring, idx);
-
-      if (PREDICT_TRUE (frame_inflight > 0))
-	break;
-      idx++;
-      idx &= (VNET_CRYPTO_FRAME_POOL_SIZE - 1);
-    }
-
-  ERROR_ASSERT (i != VNET_CRYPTO_FRAME_POOL_SIZE);
-  ring->deq_tail = idx;
-
   left_to_deq =
     ring->frames[*deq].f->n_elts - ring->frames[*deq].deq_elts_tail;
   max_to_deq = clib_min (left_to_deq, CRYPTODE_DEQ_MAX);
 
   /* deq field can be used to track frame that is currently dequeued
    based on that you can specify the amount of elements to deq for the frame */
-
   n_deq =
     rte_cryptodev_dequeue_burst (cet->cryptodev_id, cet->cryptodev_q,
 				 (struct rte_crypto_op **) cops, max_to_deq);
@@ -547,9 +537,13 @@ cryptodev_frame_dequeue_internal (vlib_main_t *vm, u32 *nb_elts_processed,
   ring->frames[*deq].deq_elts_tail += n_deq;
   if (cryptodev_cache_ring_update_deq_tail (ring, deq))
     {
+      u32 fr_processed =
+	(CRYPTODEV_CACHE_QUEUE_SIZE - ring->tail + ring->deq_tail) &
+	CRYPTODEV_CACHE_QUEUE_MASK;
+
       *nb_elts_processed = frame->n_elts;
       *enqueue_thread_idx = frame->enqueue_thread_index;
-      dequeue_more = (max_to_deq < CRYPTODE_DEQ_MAX);
+      dequeue_more = (fr_processed < CRYPTODEV_MAX_PROCESED_IN_CACHE_QUEUE);
     }
 
   cet->inflight = inflight;

src/plugins/dpdk/cryptodev/cryptodev_raw_data_path.c

@@ -118,6 +118,9 @@ cryptodev_frame_linked_algs_enqueue (vlib_main_t *vm,
   cryptodev_cache_ring_elt_t *ring_elt =
     cryptodev_cache_ring_push (ring, frame);
 
+  if (PREDICT_FALSE (ring_elt == NULL))
+    return -1;
+
   ring_elt->aad_len = 1;
   ring_elt->op_type = (u8) op_type;
   return 0;
@@ -272,6 +275,9 @@ cryptodev_raw_aead_enqueue (vlib_main_t *vm, vnet_crypto_async_frame_t *frame,
   cryptodev_cache_ring_elt_t *ring_elt =
     cryptodev_cache_ring_push (ring, frame);
 
+  if (PREDICT_FALSE (ring_elt == NULL))
+    return -1;
+
   ring_elt->aad_len = aad_len;
   ring_elt->op_type = (u8) op_type;
   return 0;
@@ -466,32 +472,17 @@ cryptodev_raw_dequeue_internal (vlib_main_t *vm, u32 *nb_elts_processed,
   cryptodev_cache_ring_t *ring = &cet->cache_ring;
   u16 *const deq = &ring->deq_tail;
   u32 n_success;
-  u16 n_deq, indice, i, left_to_deq;
+  u16 n_deq, i, left_to_deq;
   u16 max_to_deq = 0;
   u16 inflight = cet->inflight;
   u8 dequeue_more = 0;
   int dequeue_status;
 
-  indice = *deq;
-
-  for (i = 0; i < VNET_CRYPTO_FRAME_POOL_SIZE; i++)
-    {
-      if (PREDICT_TRUE (
-	    CRYPTODEV_CACHE_RING_GET_FRAME_ELTS_INFLIGHT (ring, indice) > 0))
-	break;
-      indice += 1;
-      indice &= CRYPTODEV_CACHE_QUEUE_MASK;
-    }
-
-  ERROR_ASSERT (i != VNET_CRYPTO_FRAME_POOL_SIZE);
-
-  *deq = indice;
-
   left_to_deq = ring->frames[*deq].n_elts - ring->frames[*deq].deq_elts_tail;
   max_to_deq = clib_min (left_to_deq, CRYPTODE_DEQ_MAX);
 
-  /* you can use deq field to track frame that is currently dequeued */
-  /* based on that you can specify the amount of elements to deq for the frame
+  /* deq field can be used to track frame that is currently dequeued */
+  /* based on thatthe amount of elements to deq for the frame can be specified
    */
 
   n_deq = rte_cryptodev_raw_dequeue_burst (
@@ -516,9 +507,13 @@ cryptodev_raw_dequeue_internal (vlib_main_t *vm, u32 *nb_elts_processed,
 
   if (cryptodev_cache_ring_update_deq_tail (ring, deq))
     {
+      u32 fr_processed =
+	(CRYPTODEV_CACHE_QUEUE_SIZE - ring->tail + ring->deq_tail) &
+	CRYPTODEV_CACHE_QUEUE_MASK;
+
       *nb_elts_processed = frame->n_elts;
       *enqueue_thread_idx = frame->enqueue_thread_index;
-      dequeue_more = max_to_deq < CRYPTODE_DEQ_MAX;
+      dequeue_more = (fr_processed < CRYPTODEV_MAX_PROCESED_IN_CACHE_QUEUE);
     }
 
   int res =
@@ -555,24 +550,18 @@ cryptodev_raw_dequeue (vlib_main_t *vm, u32 *nb_elts_processed,
   u8 dequeue_more = 1;
 
   while (cet->inflight > 0 && dequeue_more)
-    {
       dequeue_more = cryptodev_raw_dequeue_internal (vm, nb_elts_processed,
 						     enqueue_thread_idx);
-    }
 
   if (PREDICT_TRUE (ring->frames[ring->enq_head].f != 0))
     cryptodev_enqueue_frame_to_qat (vm, &ring->frames[ring->enq_head]);
 
-  if (PREDICT_TRUE (ring_elt->f != 0))
+  if (PREDICT_TRUE (ring_elt->f != 0) &&
+      (ring_elt->n_elts == ring_elt->deq_elts_tail))
     {
-      if (ring_elt->enq_elts_head == ring_elt->deq_elts_tail)
-	{
-	  vlib_node_set_interrupt_pending (
-	    vlib_get_main_by_index (vm->thread_index), cm->crypto_node_index);
-	  ret_frame = cryptodev_cache_ring_pop (ring);
-
-	  return ret_frame;
-	}
+      vlib_node_set_interrupt_pending (
+	vlib_get_main_by_index (vm->thread_index), cm->crypto_node_index);
+      ret_frame = cryptodev_cache_ring_pop (ring);
     }
 
   return ret_frame;

src/plugins/flowprobe/flowprobe.c

@@ -245,6 +245,7 @@ flowprobe_template_rewrite_inline (ipfix_exporter_t *exp, flow_report_t *fr,
   flowprobe_main_t *fm = &flowprobe_main;
   flowprobe_record_t flags = fr->opaque.as_uword;
   bool collect_ip4 = false, collect_ip6 = false;
+  bool collect_l4 = false;
 
   stream = &exp->streams[fr->stream_index];
 
@@ -257,6 +258,10 @@ flowprobe_template_rewrite_inline (ipfix_exporter_t *exp, flow_report_t *fr,
       if (which == FLOW_VARIANT_L2_IP6)
 	flags |= FLOW_RECORD_L2_IP6;
     }
+  if (flags & FLOW_RECORD_L4)
+    {
+      collect_l4 = (which != FLOW_VARIANT_L2);
+    }
 
   field_count += flowprobe_template_common_field_count ();
   if (flags & FLOW_RECORD_L2)
@@ -265,7 +270,7 @@ flowprobe_template_rewrite_inline (ipfix_exporter_t *exp, flow_report_t *fr,
     field_count += flowprobe_template_ip4_field_count ();
   if (collect_ip6)
     field_count += flowprobe_template_ip6_field_count ();
-  if (flags & FLOW_RECORD_L4)
+  if (collect_l4)
     field_count += flowprobe_template_l4_field_count ();
 
   /* allocate rewrite space */
@@ -304,7 +309,7 @@ flowprobe_template_rewrite_inline (ipfix_exporter_t *exp, flow_report_t *fr,
     f = flowprobe_template_ip4_fields (f);
   if (collect_ip6)
     f = flowprobe_template_ip6_fields (f);
-  if (flags & FLOW_RECORD_L4)
+  if (collect_l4)
     f = flowprobe_template_l4_fields (f);
 
   /* Back to the template packet... */
@@ -503,6 +508,43 @@ flowprobe_create_state_tables (u32 active_timer)
   return error;
 }
 
+static clib_error_t *
+flowprobe_clear_state_if_index (u32 sw_if_index)
+{
+  flowprobe_main_t *fm = &flowprobe_main;
+  clib_error_t *error = 0;
+  u32 worker_i;
+  u32 entry_i;
+
+  if (fm->active_timer > 0)
+    {
+      vec_foreach_index (worker_i, fm->pool_per_worker)
+	{
+	  pool_foreach_index (entry_i, fm->pool_per_worker[worker_i])
+	    {
+	      flowprobe_entry_t *e =
+		pool_elt_at_index (fm->pool_per_worker[worker_i], entry_i);
+	      if (e->key.rx_sw_if_index == sw_if_index ||
+		  e->key.tx_sw_if_index == sw_if_index)
+		{
+		  e->packetcount = 0;
+		  e->octetcount = 0;
+		  e->prot.tcp.flags = 0;
+		  if (fm->passive_timer > 0)
+		    {
+		      tw_timer_stop_2t_1w_2048sl (
+			fm->timers_per_worker[worker_i],
+			e->passive_timer_handle);
+		    }
+		  flowprobe_delete_by_index (worker_i, entry_i);
+		}
+	    }
+	}
+    }
+
+  return error;
+}
+
 static int
 validate_feature_on_interface (flowprobe_main_t * fm, u32 sw_if_index,
 			       u8 which)
@@ -548,12 +590,17 @@ flowprobe_interface_add_del_feature (flowprobe_main_t *fm, u32 sw_if_index,
     {
       if (which == FLOW_VARIANT_L2)
 	{
+	  if (!is_add)
+	    {
+	      flowprobe_flush_callback_l2 ();
+	    }
 	  if (fm->record & FLOW_RECORD_L2)
 	    {
 	      rv = flowprobe_template_add_del (1, UDP_DST_PORT_ipfix, flags,
 					       flowprobe_data_callback_l2,
 					       flowprobe_template_rewrite_l2,
 					       is_add, &template_id);
+	      fm->template_reports[flags] = (is_add) ? template_id : 0;
 	    }
 	  if (fm->record & FLOW_RECORD_L3 || fm->record & FLOW_RECORD_L4)
 	    {
@@ -576,20 +623,30 @@ flowprobe_interface_add_del_feature (flowprobe_main_t *fm, u32 sw_if_index,
 		flags | FLOW_RECORD_L2_IP4;
 	      fm->context[FLOW_VARIANT_L2_IP6].flags =
 		flags | FLOW_RECORD_L2_IP6;
-
-	      fm->template_reports[flags] = template_id;
 	    }
 	}
       else if (which == FLOW_VARIANT_IP4)
-	rv = flowprobe_template_add_del (1, UDP_DST_PORT_ipfix, flags,
-					 flowprobe_data_callback_ip4,
-					 flowprobe_template_rewrite_ip4,
-					 is_add, &template_id);
+	{
+	  if (!is_add)
+	    {
+	      flowprobe_flush_callback_ip4 ();
+	    }
+	  rv = flowprobe_template_add_del (
+	    1, UDP_DST_PORT_ipfix, flags, flowprobe_data_callback_ip4,
+	    flowprobe_template_rewrite_ip4, is_add, &template_id);
+	  fm->template_reports[flags] = (is_add) ? template_id : 0;
+	}
       else if (which == FLOW_VARIANT_IP6)
-	rv = flowprobe_template_add_del (1, UDP_DST_PORT_ipfix, flags,
-					 flowprobe_data_callback_ip6,
-					 flowprobe_template_rewrite_ip6,
-					 is_add, &template_id);
+	{
+	  if (!is_add)
+	    {
+	      flowprobe_flush_callback_ip6 ();
+	    }
+	  rv = flowprobe_template_add_del (
+	    1, UDP_DST_PORT_ipfix, flags, flowprobe_data_callback_ip6,
+	    flowprobe_template_rewrite_ip6, is_add, &template_id);
+	  fm->template_reports[flags] = (is_add) ? template_id : 0;
+	}
     }
   if (rv && rv != VNET_API_ERROR_VALUE_EXIST)
     {
@@ -600,7 +657,6 @@ flowprobe_interface_add_del_feature (flowprobe_main_t *fm, u32 sw_if_index,
   if (which != (u8) ~ 0)
     {
       fm->context[which].flags = fm->record;
-      fm->template_reports[flags] = (is_add) ? template_id : 0;
     }
 
   if (direction == FLOW_DIRECTION_RX || direction == FLOW_DIRECTION_BOTH)
@@ -645,6 +701,11 @@ flowprobe_interface_add_del_feature (flowprobe_main_t *fm, u32 sw_if_index,
 	vlib_process_signal_event (vm, flowprobe_timer_node.index, 1, 0);
     }
 
+  if (!is_add && fm->initialized)
+    {
+      flowprobe_clear_state_if_index (sw_if_index);
+    }
+
   return 0;
 }
 

src/plugins/flowprobe/flowprobe.h

@@ -168,6 +168,8 @@ typedef struct
 extern flowprobe_main_t flowprobe_main;
 extern vlib_node_registration_t flowprobe_walker_node;
 
+void flowprobe_delete_by_index (u32 my_cpu_number, u32 poolindex);
+
 void flowprobe_flush_callback_ip4 (void);
 void flowprobe_flush_callback_ip6 (void);
 void flowprobe_flush_callback_l2 (void);

src/plugins/flowprobe/node.c

@@ -384,9 +384,11 @@ add_to_flow_record_state (vlib_main_t *vm, vlib_node_runtime_t *node,
   flowprobe_record_t flags = fm->context[which].flags;
   bool collect_ip4 = false, collect_ip6 = false;
   ASSERT (b);
-  ethernet_header_t *eth = ethernet_buffer_get_header (b);
+  ethernet_header_t *eth = (direction == FLOW_DIRECTION_TX) ?
+				   vlib_buffer_get_current (b) :
+				   ethernet_buffer_get_header (b);
   u16 ethertype = clib_net_to_host_u16 (eth->type);
-  u16 l2_hdr_sz = sizeof (ethernet_header_t);
+  i16 l3_hdr_offset = (u8 *) eth - b->data + sizeof (ethernet_header_t);
   /* *INDENT-OFF* */
   flowprobe_key_t k = {};
   /* *INDENT-ON* */
@@ -423,13 +425,13 @@ add_to_flow_record_state (vlib_main_t *vm, vlib_node_runtime_t *node,
       while (clib_net_to_host_u16 (ethv->type) == ETHERNET_TYPE_VLAN)
 	{
 	  ethv++;
-	  l2_hdr_sz += sizeof (ethernet_vlan_header_tv_t);
+	  l3_hdr_offset += sizeof (ethernet_vlan_header_tv_t);
 	}
       k.ethertype = ethertype = clib_net_to_host_u16 ((ethv)->type);
     }
   if (collect_ip6 && ethertype == ETHERNET_TYPE_IP6)
     {
-      ip6 = (ip6_header_t *) (b->data + l2_hdr_sz);
+      ip6 = (ip6_header_t *) (b->data + l3_hdr_offset);
       if (flags & FLOW_RECORD_L3)
 	{
 	  k.src_address.as_u64[0] = ip6->src_address.as_u64[0];
@@ -448,7 +450,7 @@ add_to_flow_record_state (vlib_main_t *vm, vlib_node_runtime_t *node,
     }
   if (collect_ip4 && ethertype == ETHERNET_TYPE_IP4)
     {
-      ip4 = (ip4_header_t *) (b->data + l2_hdr_sz);
+      ip4 = (ip4_header_t *) (b->data + l3_hdr_offset);
       if (flags & FLOW_RECORD_L3)
 	{
 	  k.src_address.ip4.as_u32 = ip4->src_address.as_u32;
@@ -701,6 +703,7 @@ flowprobe_export_entry (vlib_main_t * vm, flowprobe_entry_t * e)
   ipfix_exporter_t *exp = pool_elt_at_index (flow_report_main.exporters, 0);
   vlib_buffer_t *b0;
   bool collect_ip4 = false, collect_ip6 = false;
+  bool collect_l4 = false;
   flowprobe_variant_t which = e->key.which;
   flowprobe_record_t flags = fm->context[which].flags;
   u16 offset =
@@ -719,6 +722,10 @@ flowprobe_export_entry (vlib_main_t * vm, flowprobe_entry_t * e)
       collect_ip4 = which == FLOW_VARIANT_L2_IP4 || which == FLOW_VARIANT_IP4;
       collect_ip6 = which == FLOW_VARIANT_L2_IP6 || which == FLOW_VARIANT_IP6;
     }
+  if (flags & FLOW_RECORD_L4)
+    {
+      collect_l4 = (which != FLOW_VARIANT_L2);
+    }
 
   offset += flowprobe_common_add (b0, e, offset);
 
@@ -728,13 +735,14 @@ flowprobe_export_entry (vlib_main_t * vm, flowprobe_entry_t * e)
     offset += flowprobe_l3_ip6_add (b0, e, offset);
   if (collect_ip4)
     offset += flowprobe_l3_ip4_add (b0, e, offset);
-  if (flags & FLOW_RECORD_L4)
+  if (collect_l4)
     offset += flowprobe_l4_add (b0, e, offset);
 
   /* Reset per flow-export counters */
   e->packetcount = 0;
   e->octetcount = 0;
   e->last_exported = vlib_time_now (vm);
+  e->prot.tcp.flags = 0;
 
   b0->current_length = offset;
 
@@ -955,8 +963,7 @@ flowprobe_flush_callback_l2 (void)
   flush_record (FLOW_VARIANT_L2_IP6);
 }
 
-
-static void
+void
 flowprobe_delete_by_index (u32 my_cpu_number, u32 poolindex)
 {
   flowprobe_main_t *fm = &flowprobe_main;

src/plugins/memif/memif.c

@@ -100,6 +100,8 @@ memif_disconnect (memif_if_t * mif, clib_error_t * err)
   memif_region_t *mr;
   memif_queue_t *mq;
   int i;
+  vlib_main_t *vm = vlib_get_main ();
+  int with_barrier = 0;
 
   if (mif == 0)
     return;
@@ -141,6 +143,12 @@ memif_disconnect (memif_if_t * mif, clib_error_t * err)
       clib_mem_free (mif->sock);
     }
 
+  if (vlib_worker_thread_barrier_held () == 0)
+    {
+      with_barrier = 1;
+      vlib_worker_thread_barrier_sync (vm);
+    }
+
   /* *INDENT-OFF* */
   vec_foreach_index (i, mif->rx_queues)
     {
@@ -198,6 +206,9 @@ memif_disconnect (memif_if_t * mif, clib_error_t * err)
   vec_free (mif->remote_name);
   vec_free (mif->remote_if_name);
   clib_fifo_free (mif->msg_queue);
+
+  if (with_barrier)
+    vlib_worker_thread_barrier_release (vm);
 }
 
 static clib_error_t *

src/plugins/tlsopenssl/tls_openssl.c

@@ -72,7 +72,7 @@ openssl_ctx_free (tls_ctx_t * ctx)
 
       SSL_free (oc->ssl);
       vec_free (ctx->srv_hostname);
-
+      SSL_CTX_free (oc->client_ssl_ctx);
 #ifdef HAVE_OPENSSL_ASYNC
   openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
 #endif
@@ -163,7 +163,7 @@ openssl_lctx_get (u32 lctx_index)
     return -1;
 
 static int
-openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
+openssl_read_from_ssl_into_fifo (svm_fifo_t *f, SSL *ssl, u32 max_len)
 {
   int read, rv, n_fs, i;
   const int n_segs = 2;
@@ -174,6 +174,7 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
   if (!max_enq)
     return 0;
 
+  max_enq = clib_min (max_len, max_enq);
   n_fs = svm_fifo_provision_chunks (f, fs, n_segs, max_enq);
   if (n_fs < 0)
     return 0;
@@ -533,9 +534,10 @@ static inline int
 openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
 {
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+  const u32 max_len = 128 << 10;
   session_t *app_session;
-  int read;
   svm_fifo_t *f;
+  int read;
 
   if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
     {
@@ -549,7 +551,7 @@ openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
   app_session = session_get_from_handle (ctx->app_session_handle);
   f = app_session->rx_fifo;
 
-  read = openssl_read_from_ssl_into_fifo (f, oc->ssl);
+  read = openssl_read_from_ssl_into_fifo (f, oc->ssl, max_len);
 
   /* Unrecoverable protocol error. Reset connection */
   if (PREDICT_FALSE (read < 0))
@@ -558,8 +560,7 @@ openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
       return 0;
     }
 
-  /* If handshake just completed, session may still be in accepting state */
-  if (read && app_session->session_state >= SESSION_STATE_READY)
+  if (read)
     tls_notify_app_enqueue (ctx, app_session);
 
   if ((SSL_pending (oc->ssl) > 0) ||
@@ -738,30 +739,31 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
       return -1;
     }
 
-  oc->ssl_ctx = SSL_CTX_new (method);
-  if (oc->ssl_ctx == NULL)
+  oc->client_ssl_ctx = SSL_CTX_new (method);
+  if (oc->client_ssl_ctx == NULL)
     {
       TLS_DBG (1, "SSL_CTX_new returned null");
       return -1;
     }
 
-  SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1);
-  SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+  SSL_CTX_set_ecdh_auto (oc->client_ssl_ctx, 1);
+  SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 #ifdef HAVE_OPENSSL_ASYNC
   if (om->async)
-    SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
+    SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ASYNC);
 #endif
-  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
+  rv =
+    SSL_CTX_set_cipher_list (oc->client_ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
       return -1;
     }
 
-  SSL_CTX_set_options (oc->ssl_ctx, flags);
-  SSL_CTX_set_cert_store (oc->ssl_ctx, om->cert_store);
+  SSL_CTX_set_options (oc->client_ssl_ctx, flags);
+  SSL_CTX_set1_cert_store (oc->client_ssl_ctx, om->cert_store);
 
-  oc->ssl = SSL_new (oc->ssl_ctx);
+  oc->ssl = SSL_new (oc->client_ssl_ctx);
   if (oc->ssl == NULL)
     {
       TLS_DBG (1, "Couldn't initialize ssl struct");

src/plugins/tlsopenssl/tls_openssl.h

@@ -33,7 +33,7 @@ typedef struct tls_ctx_openssl_
 {
   tls_ctx_t ctx;			/**< First */
   u32 openssl_ctx_index;
-  SSL_CTX *ssl_ctx;
+  SSL_CTX *client_ssl_ctx;
   SSL *ssl;
   BIO *rbio;
   BIO *wbio;

src/plugins/tlspicotls/tls_picotls.c

@@ -445,7 +445,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session)
   app_session = session_get_from_handle (ctx->app_session_handle);
   wrote = ptls_tcp_to_app_write (ptls_ctx, app_session->rx_fifo, tcp_rx_fifo);
 
-  if (wrote && app_session->session_state >= SESSION_STATE_READY)
+  if (wrote)
     tls_notify_app_enqueue (ctx, app_session);
 
   if (ptls_ctx->read_buffer_offset || svm_fifo_max_dequeue (tcp_rx_fifo))

src/vnet/bfd/bfd_udp.c

@@ -483,7 +483,7 @@ bfd_transport_udp6 (vlib_main_t *vm, vlib_node_runtime_t *rt, u32 bi,
 				     is_echo ? &bm->tx_echo_counter :
 						     &bm->tx_counter);
     }
-  return 1;
+  return rv;
 }
 
 static bfd_session_t *

src/vnet/ethernet/interface.c

@@ -303,8 +303,17 @@ ethernet_mac_change (vnet_hw_interface_t * hi,
 
   {
     ethernet_address_change_ctx_t *cb;
+    u32 id, sw_if_index;
     vec_foreach (cb, em->address_change_callbacks)
-      cb->function (em, hi->sw_if_index, cb->function_opaque);
+      {
+	cb->function (em, hi->sw_if_index, cb->function_opaque);
+	/* clang-format off */
+	hash_foreach (id, sw_if_index, hi->sub_interface_sw_if_index_by_id,
+	({
+	  cb->function (em, sw_if_index, cb->function_opaque);
+	}));
+	/* clang-format on */
+      }
   }
 
   return (NULL);

src/vnet/fib/fib_entry.h

@@ -153,10 +153,14 @@ typedef enum fib_entry_src_attribute_t_ {
      * the source is inherited from its cover
      */
     FIB_ENTRY_SRC_ATTRIBUTE_INHERITED,
+    /**
+     * the source is currently used as glean src address
+     */
+    FIB_ENTRY_SRC_ATTRIBUTE_PROVIDES_GLEAN,
     /**
      * Marker. add new entries before this one.
      */
-    FIB_ENTRY_SRC_ATTRIBUTE_LAST = FIB_ENTRY_SRC_ATTRIBUTE_INHERITED,
+    FIB_ENTRY_SRC_ATTRIBUTE_LAST = FIB_ENTRY_SRC_ATTRIBUTE_PROVIDES_GLEAN,
 } fib_entry_src_attribute_t;
 
 
@@ -166,6 +170,7 @@ typedef enum fib_entry_src_attribute_t_ {
     [FIB_ENTRY_SRC_ATTRIBUTE_ACTIVE] = "active", \
     [FIB_ENTRY_SRC_ATTRIBUTE_STALE] = "stale",      \
     [FIB_ENTRY_SRC_ATTRIBUTE_INHERITED] = "inherited", \
+    [FIB_ENTRY_SRC_ATTRIBUTE_PROVIDES_GLEAN] = "provides-glean", \
 }
 
 #define FOR_EACH_FIB_SRC_ATTRIBUTE(_item)      		\
@@ -180,6 +185,7 @@ typedef enum fib_entry_src_flag_t_ {
     FIB_ENTRY_SRC_FLAG_ACTIVE = (1 << FIB_ENTRY_SRC_ATTRIBUTE_ACTIVE),
     FIB_ENTRY_SRC_FLAG_STALE = (1 << FIB_ENTRY_SRC_ATTRIBUTE_STALE),
     FIB_ENTRY_SRC_FLAG_INHERITED = (1 << FIB_ENTRY_SRC_ATTRIBUTE_INHERITED),
+    FIB_ENTRY_SRC_FLAG_PROVIDES_GLEAN = (1 << FIB_ENTRY_SRC_ATTRIBUTE_PROVIDES_GLEAN),
 } __attribute__ ((packed)) fib_entry_src_flag_t;
 
 extern u8 * format_fib_entry_src_flags(u8 *s, va_list *args);

src/vnet/fib/fib_entry_src_interface.c

@@ -87,8 +87,16 @@ fib_entry_src_interface_update_glean (fib_entry_t *cover,
             if (fib_prefix_is_cover(&adj->sub_type.glean.rx_pfx,
                                     &local->fe_prefix))
             {
-                adj->sub_type.glean.rx_pfx.fp_addr = local->fe_prefix.fp_addr;
-                return (1);
+		fib_entry_src_t *local_src;
+
+		local_src = fib_entry_src_find (local, FIB_SOURCE_INTERFACE);
+		if (local_src != NULL)
+		  {
+		    adj->sub_type.glean.rx_pfx.fp_addr =
+		      local->fe_prefix.fp_addr;
+		    local_src->fes_flags |= FIB_ENTRY_SRC_FLAG_PROVIDES_GLEAN;
+		    return (1);
+		  }
             }
         }
     }
@@ -116,6 +124,52 @@ fib_entry_src_interface_path_swap (fib_entry_src_t *src,
     src->fes_pl = fib_path_list_create(pl_flags, paths);
 }
 
+typedef struct fesi_find_glean_ctx_t_ {
+  fib_node_index_t glean_node_index;
+} fesi_find_glean_ctx_t;
+
+static walk_rc_t
+fib_entry_src_interface_find_glean_walk (fib_entry_t *cover,
+					 fib_node_index_t covered,
+					 void *ctx)
+{
+  fesi_find_glean_ctx_t *find_glean_ctx = ctx;
+  fib_entry_t *covered_entry;
+  fib_entry_src_t *covered_src;
+
+  covered_entry = fib_entry_get (covered);
+  covered_src = fib_entry_src_find (covered_entry, FIB_SOURCE_INTERFACE);
+  if ((covered_src != NULL) &&
+      (covered_src->fes_flags & FIB_ENTRY_SRC_FLAG_PROVIDES_GLEAN))
+    {
+      find_glean_ctx->glean_node_index = covered;
+      return WALK_STOP;
+    }
+
+  return WALK_CONTINUE;
+}
+
+static fib_entry_t *
+fib_entry_src_interface_find_glean (fib_entry_t *cover)
+{
+  fib_entry_src_t *src;
+
+  src = fib_entry_src_find (cover, FIB_SOURCE_INTERFACE);
+  if (src == NULL)
+    /* the cover is not an interface source */
+    return NULL;
+
+  fesi_find_glean_ctx_t ctx = {
+    .glean_node_index = ~0,
+  };
+
+  fib_entry_cover_walk (cover, fib_entry_src_interface_find_glean_walk,
+			&ctx);
+
+  return (ctx.glean_node_index == ~0) ? NULL :
+					fib_entry_get (ctx.glean_node_index);
+}
+
 /*
  * Source activate. 
  * Called when the source is teh new longer best source on the entry
@@ -128,6 +182,8 @@ fib_entry_src_interface_activate (fib_entry_src_t *src,
 
     if (FIB_ENTRY_FLAG_LOCAL & src->fes_entry_flags)
     {
+	u8 update_glean;
+
 	/*
 	 * Track the covering attached/connected cover. This is so that
 	 * during an attached export of the cover, this local prefix is
@@ -141,10 +197,17 @@ fib_entry_src_interface_activate (fib_entry_src_t *src,
 
 	cover = fib_entry_get(src->u.interface.fesi_cover);
 
+	/*
+	 * Before adding as a child of the cover, check whether an existing
+	 * child has already been used to populate the glean adjacency. If so,
+	 * we don't need to update the adjacency.
+	 */
+	update_glean = (fib_entry_src_interface_find_glean (cover) == NULL);
 	src->u.interface.fesi_sibling =
 	    fib_entry_cover_track(cover, fib_entry_get_index(fib_entry));
 
-        fib_entry_src_interface_update_glean(cover, fib_entry);
+	if (update_glean)
+	  fib_entry_src_interface_update_glean(cover, fib_entry);
     }
 
     return (!0);
@@ -167,15 +230,19 @@ fib_entry_src_interface_deactivate (fib_entry_src_t *src,
     if (FIB_NODE_INDEX_INVALID != src->u.interface.fesi_cover)
     {
 	cover = fib_entry_get(src->u.interface.fesi_cover);
-
 	fib_entry_cover_untrack(cover, src->u.interface.fesi_sibling);
 
 	src->u.interface.fesi_cover = FIB_NODE_INDEX_INVALID;
 	src->u.interface.fesi_sibling = ~0;
 
-        fib_entry_cover_walk(cover,
-                             fib_entry_src_interface_update_glean_walk,
-                             NULL);
+	/* If this was the glean address, find a new one */
+	if (src->fes_flags & FIB_ENTRY_SRC_FLAG_PROVIDES_GLEAN)
+	  {
+	    fib_entry_cover_walk(cover,
+				fib_entry_src_interface_update_glean_walk,
+				NULL);
+	    src->fes_flags &= ~FIB_ENTRY_SRC_FLAG_PROVIDES_GLEAN;
+	  }
     }
 }
 

src/vnet/fib/fib_path.c

@@ -1365,7 +1365,8 @@ fib_path_create (fib_node_index_t pl_index,
 	dpo_copy(&path->exclusive.fp_ex_dpo, &rpath->dpo);
     }
     else if ((path->fp_cfg_flags & FIB_PATH_CFG_FLAG_ICMP_PROHIBIT) ||
-        (path->fp_cfg_flags & FIB_PATH_CFG_FLAG_ICMP_UNREACH))
+	(path->fp_cfg_flags & FIB_PATH_CFG_FLAG_ICMP_UNREACH) ||
+	(path->fp_cfg_flags & FIB_PATH_CFG_FLAG_DROP))
     {
         path->fp_type = FIB_PATH_TYPE_SPECIAL;
     }

src/vnet/fib/fib_table.c

@@ -534,7 +534,11 @@ fib_table_route_path_fixup (const fib_prefix_t *prefix,
     else if (fib_route_path_is_attached(path))
     {
         path->frp_flags |= FIB_ROUTE_PATH_GLEAN;
-        fib_prefix_normalize(prefix, &path->frp_connected);
+        /*
+         * attached prefixes are not suitable as the source of ARP requests
+         * so don't save the prefix in the glean adj
+         */
+        clib_memset(&path->frp_connected, 0, sizeof(path->frp_connected));
     }
     if (*eflags & FIB_ENTRY_FLAG_DROP)
     {

src/vnet/ip-neighbor/ip4_neighbor.c

@@ -187,12 +187,16 @@ ip4_arp_inline (vlib_main_t * vm,
 	      /* resolve the packet's destination */
 	      ip4_header_t *ip0 = vlib_buffer_get_current (p0);
 	      resolve0 = ip0->dst_address;
-	      src0 = adj0->sub_type.glean.rx_pfx.fp_addr.ip4;
 	    }
+	  else
+	    /* resolve the incomplete adj */
+	    resolve0 = adj0->sub_type.nbr.next_hop.ip4;
+
+	  if (is_glean && adj0->sub_type.glean.rx_pfx.fp_len)
+	    /* the glean is for a connected, local prefix */
+	    src0 = adj0->sub_type.glean.rx_pfx.fp_addr.ip4;
 	  else
 	    {
-	      /* resolve the incomplete adj */
-	      resolve0 = adj0->sub_type.nbr.next_hop.ip4;
 	      /* Src IP address in ARP header. */
 	      if (!fib_sas4_get (sw_if_index0, &resolve0, &src0) &&
 		  !ip4_sas_by_sw_if_index (sw_if_index0, &resolve0, &src0))

src/vnet/ipsec/esp_encrypt.c

@@ -690,6 +690,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	  current_sa_packets = current_sa_bytes = 0;
 
 	  sa0 = ipsec_sa_get (sa_index0);
+	  current_sa_index = sa_index0;
 
 	  if (PREDICT_FALSE ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
 			      sa0->integ_alg == IPSEC_INTEG_ALG_NONE) &&
@@ -701,7 +702,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 					  sa_index0);
 	      goto trace;
 	    }
-	  current_sa_index = sa_index0;
 	  vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index,
 					  current_sa_index);
 

src/vnet/session/session.c

@@ -596,7 +596,7 @@ session_program_io_event (app_worker_t *app_wrk, session_t *s,
       /* Special events for connectionless sessions */
       et += SESSION_IO_EVT_BUILTIN_RX - SESSION_IO_EVT_RX;
 
-      ASSERT (s->thread_index == 0);
+      ASSERT (s->thread_index == 0 || et == SESSION_IO_EVT_TX_MAIN);
       session_event_t evt = {
 	.event_type = et,
 	.session_handle = session_handle (s),

src/vnet/session/session_input.c

@@ -77,10 +77,12 @@ app_worker_flush_events_inline (app_worker_t *app_wrk, u32 thread_index,
 {
   application_t *app = application_get (app_wrk->app_index);
   svm_msg_q_t *mq = app_wrk->event_queue;
+  u8 ring_index, mq_is_cong;
+  session_state_t old_state;
   session_event_t *evt;
   u32 n_evts = 128, i;
-  u8 ring_index, mq_is_cong;
   session_t *s;
+  int rv;
 
   n_evts = clib_min (n_evts, clib_fifo_elts (app_wrk->wrk_evts[thread_index]));
 
@@ -111,16 +113,18 @@ app_worker_flush_events_inline (app_worker_t *app_wrk, u32 thread_index,
 	{
 	case SESSION_IO_EVT_RX:
 	  s = session_get (evt->session_index, thread_index);
-	  s->flags &= ~SESSION_F_RX_EVT;
 	  /* Application didn't confirm accept yet */
-	  if (PREDICT_FALSE (s->session_state == SESSION_STATE_ACCEPTING))
+	  if (PREDICT_FALSE (s->session_state == SESSION_STATE_ACCEPTING ||
+			     s->session_state == SESSION_STATE_CONNECTING))
 	    break;
+	  s->flags &= ~SESSION_F_RX_EVT;
 	  app->cb_fns.builtin_app_rx_callback (s);
 	  break;
 	/* Handle sessions that might not be on current thread */
 	case SESSION_IO_EVT_BUILTIN_RX:
 	  s = session_get_from_handle_if_valid (evt->session_handle);
-	  if (!s || s->session_state == SESSION_STATE_ACCEPTING)
+	  if (!s || s->session_state == SESSION_STATE_ACCEPTING ||
+	      s->session_state == SESSION_STATE_CONNECTING)
 	    break;
 	  s->flags &= ~SESSION_F_RX_EVT;
 	  app->cb_fns.builtin_app_rx_callback (s);
@@ -145,16 +149,46 @@ app_worker_flush_events_inline (app_worker_t *app_wrk, u32 thread_index,
 	  break;
 	case SESSION_CTRL_EVT_ACCEPTED:
 	  s = session_get (evt->session_index, thread_index);
-	  app->cb_fns.session_accept_callback (s);
+	  old_state = s->session_state;
+	  if (app->cb_fns.session_accept_callback (s))
+	    {
+	      session_close (s);
+	      s->app_wrk_index = SESSION_INVALID_INDEX;
+	      break;
+	    }
+	  if (is_builtin)
+	    {
+	      if (old_state >= SESSION_STATE_TRANSPORT_CLOSING)
+		{
+		  session_set_state (s, old_state);
+		  app_worker_close_notify (app_wrk, s);
+		}
+	    }
 	  break;
 	case SESSION_CTRL_EVT_CONNECTED:
 	  if (!(evt->as_u64[1] & 0xffffffff))
-	    s = session_get (evt->session_index, thread_index);
+	    {
+	      s = session_get (evt->session_index, thread_index);
+	      old_state = s->session_state;
+	    }
 	  else
 	    s = 0;
-	  app->cb_fns.session_connected_callback (app_wrk->wrk_index,
-						  evt->as_u64[1] >> 32, s,
-						  evt->as_u64[1] & 0xffffffff);
+	  rv = app->cb_fns.session_connected_callback (
+	    app_wrk->wrk_index, evt->as_u64[1] >> 32, s,
+	    evt->as_u64[1] & 0xffffffff);
+	  if (!s)
+	    break;
+	  if (rv)
+	    {
+	      session_close (s);
+	      s->app_wrk_index = SESSION_INVALID_INDEX;
+	      break;
+	    }
+	  if (old_state >= SESSION_STATE_TRANSPORT_CLOSING)
+	    {
+	      session_set_state (s, old_state);
+	      app_worker_close_notify (app_wrk, s);
+	    }
 	  break;
 	case SESSION_CTRL_EVT_DISCONNECTED:
 	  s = session_get (evt->session_index, thread_index);

src/vnet/session/session_node.c

@@ -456,6 +456,7 @@ session_mq_accepted_reply_handler (session_worker_t *wrk,
       a->app_index = mp->context;
       a->handle = mp->handle;
       vnet_disconnect_session (a);
+      s->app_wrk_index = SESSION_INVALID_INDEX;
       return;
     }
 
@@ -1611,7 +1612,9 @@ session_tx_fifo_dequeue_internal (session_worker_t * wrk,
   clib_llist_index_t ei;
   u32 n_packets;
 
-  if (PREDICT_FALSE (s->session_state >= SESSION_STATE_TRANSPORT_CLOSED))
+  if (PREDICT_FALSE ((s->session_state >= SESSION_STATE_TRANSPORT_CLOSED) ||
+		     (s->session_state == SESSION_STATE_CONNECTING &&
+		      (s->flags & SESSION_F_HALF_OPEN))))
     return 0;
 
   /* Clear custom-tx flag used to request reschedule for tx */
@@ -1784,7 +1787,7 @@ session_event_dispatch_io (session_worker_t * wrk, vlib_node_runtime_t * node,
       break;
     case SESSION_IO_EVT_RX:
       s = session_event_get_session (wrk, e);
-      if (!s)
+      if (!s || s->session_state >= SESSION_STATE_TRANSPORT_CLOSED)
 	break;
       transport_app_rx_evt (session_get_transport_proto (s),
 			    s->connection_index, s->thread_index);

src/vnet/srv6/sr_api.c

@@ -163,7 +163,7 @@ vl_api_sr_policy_add_v2_t_handler (vl_api_sr_policy_add_v2_t *mp)
 		   mp->type, ntohl (mp->fib_table), mp->is_encap, 0, NULL);
   vec_free (segments);
 
-  REPLY_MACRO (VL_API_SR_POLICY_ADD_REPLY);
+  REPLY_MACRO (VL_API_SR_POLICY_ADD_V2_REPLY);
 }
 
 static void

src/vnet/tcp/tcp_input.c

@@ -2123,7 +2123,7 @@ tcp46_rcv_process_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	case TCP_STATE_SYN_RCVD:
 
 	  /* Make sure the segment is exactly right */
-	  if (tc->rcv_nxt != vnet_buffer (b[0])->tcp.seq_number || is_fin)
+	  if (tc->rcv_nxt != vnet_buffer (b[0])->tcp.seq_number)
 	    {
 	      tcp_send_reset_w_pkt (tc, b[0], thread_index, is_ip4);
 	      error = TCP_ERROR_SEGMENT_INVALID;
@@ -2143,6 +2143,10 @@ tcp46_rcv_process_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	      goto drop;
 	    }
 
+	  /* Avoid notifying app if connection is about to be closed */
+	  if (PREDICT_FALSE (is_fin))
+	    break;
+
 	  /* Update rtt and rto */
 	  tcp_estimate_initial_rtt (tc);
 	  tcp_connection_tx_pacer_update (tc);
@@ -2363,15 +2367,15 @@ tcp46_rcv_process_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 			    tcp_cfg.closewait_time);
 	  break;
 	case TCP_STATE_SYN_RCVD:
-	  /* Send FIN-ACK, enter LAST-ACK and because the app was not
-	   * notified yet, set a cleanup timer instead of relying on
-	   * disconnect notify and the implicit close call. */
+	  /* Send FIN-ACK and enter TIME-WAIT, as opposed to LAST-ACK,
+	   * because the app was not notified yet and we want to avoid
+	   * session state transitions to ensure cleanup does not
+	   * propagate to app. */
 	  tcp_connection_timers_reset (tc);
 	  tc->rcv_nxt += 1;
 	  tcp_send_fin (tc);
-	  tcp_connection_set_state (tc, TCP_STATE_LAST_ACK);
-	  tcp_timer_set (&wrk->timer_wheel, tc, TCP_TIMER_WAITCLOSE,
-			 tcp_cfg.lastack_time);
+	  tcp_connection_set_state (tc, TCP_STATE_TIME_WAIT);
+	  tcp_program_cleanup (wrk, tc);
 	  break;
 	case TCP_STATE_CLOSE_WAIT:
 	case TCP_STATE_CLOSING:
@@ -3238,6 +3242,8 @@ do {                                                       	\
   _(FIN_WAIT_2, TCP_FLAG_RST | TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS,
     TCP_ERROR_NONE);
   _(FIN_WAIT_2, TCP_FLAG_SYN, TCP_INPUT_NEXT_RCV_PROCESS, TCP_ERROR_NONE);
+  _ (FIN_WAIT_2, TCP_FLAG_SYN | TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS,
+     TCP_ERROR_NONE);
   _(CLOSE_WAIT, TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS, TCP_ERROR_NONE);
   _(CLOSE_WAIT, TCP_FLAG_FIN | TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS,
     TCP_ERROR_NONE);

src/vnet/tcp/tcp_output.c

@@ -667,6 +667,7 @@ tcp_send_reset_w_pkt (tcp_connection_t * tc, vlib_buffer_t * pkt,
 
   b = vlib_get_buffer (vm, bi);
   tcp_init_buffer (vm, b);
+  vnet_buffer (b)->tcp.connection_index = tc->c_c_index;
 
   /* Make and write options */
   tcp_hdr_len = sizeof (tcp_header_t);

src/vnet/tls/tls.c

@@ -227,7 +227,12 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err)
   app_session->opaque = ctx->parent_app_api_context;
 
   if ((err = app_worker_init_connected (app_wrk, app_session)))
-    goto failed;
+    {
+      app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context);
+      ctx->no_app_session = 1;
+      session_free (app_session);
+      return -1;
+    }
 
   app_session->session_state = SESSION_STATE_READY;
   parent_app_api_ctx = ctx->parent_app_api_context;
@@ -244,9 +249,6 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err)
 
   return 0;
 
-failed:
-  ctx->no_app_session = 1;
-  tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ());
 send_reply:
   return app_worker_connect_notify (app_wrk, 0, err,
 				    ctx->parent_app_api_context);
@@ -486,6 +488,9 @@ tls_session_accept_callback (session_t * tls_session)
    * on tls_session rx and potentially invalidating the session pool */
   app_session = session_alloc (ctx->c_thread_index);
   app_session->session_state = SESSION_STATE_CREATED;
+  app_session->session_type =
+    session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
+  app_session->connection_index = ctx->tls_ctx_handle;
   ctx->c_s_index = app_session->session_index;
 
   TLS_DBG (1, "Accept on listener %u new connection [%u]%x",
@@ -511,7 +516,7 @@ tls_app_rx_callback (session_t * tls_session)
     return 0;
 
   ctx = tls_ctx_get (tls_session->opaque);
-  if (PREDICT_FALSE (ctx->no_app_session))
+  if (PREDICT_FALSE (ctx->no_app_session || ctx->app_closed))
     {
       TLS_DBG (1, "Local App closed");
       return 0;
@@ -938,15 +943,18 @@ tls_cleanup_ho (u32 ho_index)
 int
 tls_custom_tx_callback (void *session, transport_send_params_t * sp)
 {
-  session_t *app_session = (session_t *) session;
+  session_t *as = (session_t *) session;
   tls_ctx_t *ctx;
 
-  if (PREDICT_FALSE (app_session->session_state
-		     >= SESSION_STATE_TRANSPORT_CLOSED))
-    return 0;
+  if (PREDICT_FALSE (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED ||
+		     as->session_state <= SESSION_STATE_ACCEPTING))
+    {
+      sp->flags |= TRANSPORT_SND_F_DESCHED;
+      return 0;
+    }
 
-  ctx = tls_ctx_get (app_session->connection_index);
-  return tls_ctx_write (ctx, app_session, sp);
+  ctx = tls_ctx_get (as->connection_index);
+  return tls_ctx_write (ctx, as, sp);
 }
 
 u8 *
@@ -1057,6 +1065,7 @@ format_tls_half_open (u8 * s, va_list * args)
 {
   u32 ho_index = va_arg (*args, u32);
   u32 __clib_unused thread_index = va_arg (*args, u32);
+  u32 __clib_unused verbose = va_arg (*args, u32);
   session_t *tcp_ho;
   tls_ctx_t *ho_ctx;
 
@@ -1102,7 +1111,7 @@ tls_enable (vlib_main_t * vm, u8 is_en)
   vnet_app_attach_args_t _a, *a = &_a;
   u64 options[APP_OPTIONS_N_OPTIONS];
   tls_main_t *tm = &tls_main;
-  u32 fifo_size = 128 << 12;
+  u32 fifo_size = 512 << 10;
 
   if (!is_en)
     {