VPP 19.04 Release Notes

Change-Id: I66b35c7c03303bc7200c01e9da926bce778b2d6b
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/1904

RELEASE.md

@@ -1,5 +1,6 @@
 # Release Notes    {#release_notes}
 
+* @subpage release_notes_1904
 * @subpage release_notes_19011
 * @subpage release_notes_1901
 * @subpage release_notes_1810
@@ -16,6 +17,284 @@
 * @subpage release_notes_1609
 * @subpage release_notes_1606
 
+@page release_notes_1904 Release notes for VPP 19.04
+
+More than 700 commits since the 19.01 release.
+
+## Features
+
+### Infrastructure
+- DPDK 19.02 integration
+- Buffer manager rework and improvements
+- Python3 migration (work in progress)
+  - vppapigen
+  - Python API wrappers
+  - Docs generation
+  - vpp_config
+  - "make test" python3 readiness and refactoring
+- Add "make test-gcov" target to main Makefile
+- Refactor multiarch code
+- vfctl script: bind VF to vfio-pci after VF is created
+- cmake cross-compilation support
+- CLI control of graph dispatch elogs
+- AppImage packaging (disabled by default)
+- Complete upstreaming of wireshark dissector
+- Remove JVPP which is now an FD.io project
+- Punt infra: manage dispatch of exception packets
+
+### VNET & Plugins
+- BVI Interface
+- Deprecate TAP cli
+- Experimental TAP interface TCP segmentation offload
+- Vmxnet3 driver plugin
+- LACP passive mode
+- ACL plugin refactoring
+- RDMA (ibverb) driver plugin - MLX5 with multiqueue
+- IPSEC
+  - Intel IPSEC-MB engine plugin
+  - Tunnel fragmentation
+  - CLI improvements
+  - Performance improvements
+  - API modernisation and improvements
+  - New Tests and test refactoring
+- Crypto
+  - Introduce crypto infra
+  - crypto_ia32 plugin
+  - Add support for AEAD and AES-GCM
+  - Implement rfc4231 test cases
+  - Implement crypto tests per RFC2202
+- Perfmon improvements
+  - Python to C parser for intel CPUs
+  - 2-way parallel stat collection
+  - Collect data on selected thread(s)
+
+### Host stack
+- Improve ldp/vls/vcl support for multi-process and multi-threaded applications
+- Major refactor/cleanup of session layer
+- Refactor cut-through sessions to use a custom transport
+- Baseline QUIC transport support
+
+## Known issues
+
+For the full list of issues please refer to fd.io [JIRA](https://jira.fd.io).
+
+## Issues fixed
+
+For the full list of fixed issues please refer to:
+- fd.io [JIRA](https://jira.fd.io)
+- git [commit log](https://git.fd.io/vpp/log/?h=stable/1904)
+
+## API changes
+
+Description of results:
+
+* _Definition changed_: indicates that the API file was modified between releases.
+* _Only in image_: indicates the API is new for this release.
+* _Only in file_: indicates the API has been removed in this release.
+
+
+Message Name                                                 | Result
+-------------------------------------------------------------|------------------
+accept_session                                               | only in file
+accept_session_reply                                         | only in file
+bind_sock_reply                                              | definition changed
+bind_uri_reply                                               | definition changed
+bvi_create                                                   | only in image
+bvi_create_reply                                             | only in image
+bvi_delete                                                   | only in image
+bvi_delete_reply                                             | only in image
+connect_session                                              | only in file
+connect_session_reply                                        | only in file
+ct6_enable                                                   | only in image
+ct6_enable_disable                                           | only in image
+gbp_contract_add_del_reply                                   | definition changed
+gbp_endpoint_group_del                                       | definition changed
+gbp_endpoint_learn_set_inactive_threshold                    | only in file
+gbp_endpoint_learn_set_inactive_threshold_reply              | only in file
+ikev2_plugin_get_version                                     | only in image
+ikev2_plugin_get_version_reply                               | only in image
+ip4_arp_event                                                | definition changed
+ip6_nd_event                                                 | definition changed
+ip6_ra_event                                                 | definition changed
+ip6nd_proxy_add_del                                          | definition changed
+ip6nd_proxy_details                                          | definition changed
+ip_container_proxy_add_del                                   | definition changed
+ip_neighbor_add_del                                          | definition changed
+ip_neighbor_details                                          | definition changed
+ip_probe_neighbor                                            | definition changed
+ip_source_and_port_range_check_add_del                       | definition changed
+ipsec_backend_details                                        | definition changed
+ipsec_gre_add_del_tunnel                                     | only in file
+ipsec_gre_add_del_tunnel_reply                               | only in file
+ipsec_gre_tunnel_add_del                                     | only in image
+ipsec_gre_tunnel_add_del_reply                               | only in image
+ipsec_gre_tunnel_details                                     | definition changed
+ipsec_sa_details                                             | definition changed
+ipsec_sa_set_key                                             | definition changed
+ipsec_sad_add_del_entry                                      | only in file
+ipsec_sad_add_del_entry_reply                                | only in file
+ipsec_sad_entry_add_del                                      | only in image
+ipsec_sad_entry_add_del_reply                                | only in image
+ipsec_select_backend                                         | definition changed
+ipsec_spd_add_del_entry                                      | only in file
+ipsec_spd_add_del_entry_reply                                | only in file
+ipsec_spd_details                                            | definition changed
+ipsec_spd_entry_add_del                                      | only in image
+ipsec_spd_entry_add_del_reply                                | only in image
+ipsec_tunnel_if_add_del                                      | definition changed
+lb_conf                                                      | definition changed
+map_add_domain                                               | definition changed
+map_domain_details                                           | definition changed
+nat_ha_flush                                                 | only in image
+nat_ha_flush_reply                                           | only in image
+nat_ha_get_failover                                          | only in image
+nat_ha_get_failover_reply                                    | only in image
+nat_ha_get_listener                                          | only in image
+nat_ha_get_listener_reply                                    | only in image
+nat_ha_resync                                                | only in image
+nat_ha_resync_completed_event                                | only in image
+nat_ha_resync_reply                                          | only in image
+nat_ha_set_failover                                          | only in image
+nat_ha_set_failover_reply                                    | only in image
+nat_ha_set_listener                                          | only in image
+nat_ha_set_listener_reply                                    | only in image
+reset_session                                                | only in file
+reset_session_reply                                          | only in file
+sw_interface_ip6nd_ra_prefix                                 | definition changed
+sw_interface_set_dpdk_hqos_pipe                              | only in file
+sw_interface_set_dpdk_hqos_pipe_reply                        | only in file
+sw_interface_set_dpdk_hqos_subport                           | only in file
+sw_interface_set_dpdk_hqos_subport_reply                     | only in file
+sw_interface_set_dpdk_hqos_tctbl                             | only in file
+sw_interface_set_dpdk_hqos_tctbl_reply                       | only in file
+sw_interface_tap_details                                     | only in file
+sw_interface_tap_dump                                        | only in file
+sw_interface_virtio_pci_details                              | only in image
+sw_interface_virtio_pci_dump                                 | only in image
+tap_connect                                                  | only in file
+tap_connect_reply                                            | only in file
+tap_delete                                                   | only in file
+tap_delete_reply                                             | only in file
+tap_modify                                                   | only in file
+tap_modify_reply                                             | only in file
+virtio_pci_create                                            | only in image
+virtio_pci_create_reply                                      | only in image
+virtio_pci_delete                                            | only in image
+virtio_pci_delete_reply                                      | only in image
+vmxnet3_create                                               | definition changed
+vmxnet3_details                                              | definition changed
+want_ip4_arp_events                                          | definition changed
+want_ip6_nd_events                                           | definition changed
+
+Found 90 api message signature differences
+
+### Patches that changed API definitions
+
+| @c src/vnet/interface.api ||
+| ------- | ------- |
+| [3b0d7e42f](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=3b0d7e42f) | Revert "API: Cleanup APIs interface.api" |
+| [e63325e3c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=e63325e3c) | API: Cleanup APIs interface.api |
+| [bb2c7b580](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=bb2c7b580) | Update documentation for src/vnet/interface.api sw_interface_dump |
+
+| @c src/vnet/interface_types.api ||
+| ------- | ------- |
+| [3b0d7e42f](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=3b0d7e42f) | Revert "API: Cleanup APIs interface.api" |
+| [e63325e3c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=e63325e3c) | API: Cleanup APIs interface.api |
+
+| @c src/vnet/ip/ip.api ||
+| ------- | ------- |
+| [48ae19e90](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=48ae19e90) | API: Add python2.7 support for enum flags via aenum |
+| [37029305c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=37029305c) | Use IP and MAC API types for neighbors |
+
+| @c src/vnet/session/session.api ||
+| ------- | ------- |
+| [6442401c2](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=6442401c2) | session: remove deprecated binary apis |
+
+| @c src/vnet/vxlan-gbp/vxlan_gbp.api ||
+| ------- | ------- |
+| [4dd4cf4f9](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=4dd4cf4f9) | GBP: fixes for l3-out routing |
+
+| @c src/vnet/ipsec/ipsec.api ||
+| ------- | ------- |
+| [1e3aa5e21](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=1e3aa5e21) | ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESN |
+| [1ba5bc8d8](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=1ba5bc8d8) | ipsec: add ipv6 support for ipsec tunnel interface |
+| [5d704aea5](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=5d704aea5) | updates now that flags are supported on the API |
+| [53f526b68](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=53f526b68) | TEST: IPSEC NAT-T with UDP header |
+| [7c44d78ef](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=7c44d78ef) | IKEv2 to plugin |
+| [eba31eceb](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=eba31eceb) | IPSEC: move SA counters into the stats segment |
+| [8d7c50200](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=8d7c50200) | IPSEC: no second lookup after tunnel encap |
+| [a09c1ff5b](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=a09c1ff5b) | IPSEC: SPD counters in the stats sgement |
+| [17dcec0b9](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=17dcec0b9) | IPSEC: API modernisation |
+
+| @c src/vnet/ipsec-gre/ipsec_gre.api ||
+| ------- | ------- |
+| [e524d45ef](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=e524d45ef) | IPSEC-GRE: fixes and API update to common types. |
+
+| @c src/vnet/l2/l2.api ||
+| ------- | ------- |
+| [192b13f96](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=192b13f96) | BVI Interface |
+| [5daf0c55c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=5daf0c55c) | add default NONE flag for bd_flags |
+
+| @c src/vnet/tcp/tcp.api ||
+| ------- | ------- |
+| [c5df8c71c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=c5df8c71c) | host stack: update stale copyright |
+
+| @c src/vnet/devices/virtio/virtio.api ||
+| ------- | ------- |
+| [d6c15af33](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=d6c15af33) | virtio: Native virtio driver |
+
+| @c src/vnet/udp/udp.api ||
+| ------- | ------- |
+| [c5df8c71c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=c5df8c71c) | host stack: update stale copyright |
+
+| @c src/plugins/ct6/ct6.api ||
+| ------- | ------- |
+| [a55df1081](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=a55df1081) | ipv6 connection tracking plugin |
+
+| @c src/plugins/vmxnet3/vmxnet3.api ||
+| ------- | ------- |
+| [ee8ba6877](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=ee8ba6877) | vmxnet3: auto bind support |
+| [854559d15](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=854559d15) | vmxnet3: RSS support |
+| [773291163](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=773291163) | vmxnet3: multiple TX queues support |
+
+| @c src/plugins/ikev2/ikev2.api ||
+| ------- | ------- |
+| [7c44d78ef](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=7c44d78ef) | IKEv2 to plugin |
+
+| @c src/plugins/gbp/gbp.api ||
+| ------- | ------- |
+| [1aa35576e](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=1aa35576e) | GBP: Counters per-contract |
+| [8ea109e40](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=8ea109e40) | gbp: Add bd flags |
+| [7bd343509](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=7bd343509) | GBP: custom-dump functions |
+| [fa0ac2c56](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=fa0ac2c56) | GBP: contracts API fixed length of allowed ethertypes |
+| [5d704aea5](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=5d704aea5) | updates now that flags are supported on the API |
+| [4ba67723d](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=4ba67723d) | GBP: use sclass in the DP for policy |
+| [8da9fc659](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=8da9fc659) | GBP: learn from ARP and L2 packets |
+| [32f6d8e0c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=32f6d8e0c) | GBP: per-group EP retention policy |
+| [879d11c25](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=879d11c25) | GBP: Sclass to src-epg conversions |
+
+| @c src/plugins/nat/nat.api ||
+| ------- | ------- |
+| [8feeaff56](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=8feeaff56) | Typos. A bunch of typos I've been collecting. |
+| [34931eb47](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=34931eb47) | NAT44: active-passive HA (VPP-1571) |
+
+| @c src/plugins/map/map.api ||
+| ------- | ------- |
+| [4dc5c7b90](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=4dc5c7b90) | MAP: Add optional user-supplied 'tag' field in MAPs. |
+
+| @c src/plugins/lb/lb.api ||
+| ------- | ------- |
+| [f7f13347b](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=f7f13347b) | tests: update test_lb.py to use api call lb_conf. |
+
+| @c src/plugins/cdp/cdp.api ||
+| ------- | ------- |
+| [76ef6094c](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=76ef6094c) | tests: cdp plugin. Replace cdp enable cli command with API call. |
+
+| @c src/vpp/api/vpe.api ||
+| ------- | ------- |
+| [1aaf0e343](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=1aaf0e343) | deprecate tapcli |
+
+
 @page release_notes_19011 Release notes for VPP 19.01.1
 
 This is bug fix release.

build/external/packages/ipsec-mb.mk

@@ -25,7 +25,8 @@ define  ipsec-mb_config_cmds
 endef
 
 define  ipsec-mb_build_cmds
-	@true
+	echo "BUILDING"
+	make -C $(ipsec-mb_src_dir) DEBUG=y NASM=$(ipsec-mb_install_dir)/bin/nasm 
 endef
 
 define  ipsec-mb_install_cmds

docs/etc/requirements.txt

@@ -20,4 +20,4 @@ Sphinx==1.8.2
 sphinx-rtd-theme==0.4.2
 sphinxcontrib-websupport==1.1.0
 typing==3.6.6
-urllib3==1.24.1
+urllib3==1.24.2

doxygen/dev_doc.md

@@ -12,3 +12,6 @@ Programming notes for developers.
 - @subpage acl_lookup_context
 - @subpage libmemif_doc
 - @subpage syslog_doc
+- @subpage ipfix_doc
+- @subpage stats_doc
+- @subpage if_stats_client_doc

doxygen/user_doc.md

@@ -7,6 +7,7 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage avf_plugin_doc
 - @subpage bfd_doc
 - @subpage dpdk_crypto_ipsec_doc
+- @subpage dhcp6_pd_doc
 - @subpage flowprobe_plugin_doc
 - @subpage ioam_plugin_doc
 - @subpage ipsec_gre_doc
@@ -16,10 +17,13 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage lldp_doc
 - @subpage map_doc
 - @subpage marvel_plugin_doc
+- @subpage mtu_doc
 - @subpage nat64_doc
+- @subpage nat_ha_doc
 - @subpage qos_doc
 - @subpage selinux_doc
 - @subpage span_doc
 - @subpage srmpls_doc
 - @subpage srv6_doc
 - @subpage vcl_ldpreload_doc
+- @subpage vmxnet3_doc

extras/rpm/vpp.spec

@@ -46,7 +46,7 @@ Summary: Vector Packet Processing
 License: ASL 2.0
 Version: %{_version}
 Release: %{_release}
-Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python
+Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, epel-release, net-tools, pciutils, python, python36
 BuildRequires: systemd, chrpath
 BuildRequires: check, check-devel
 %if 0%{?fedora}
@@ -57,10 +57,14 @@ BuildRequires: mbedtls-devel
 BuildRequires: cmake
 %else
 %if 0%{rhel} == 7
+BuildRequires: epel-release
 BuildRequires: devtoolset-7-toolchain
 BuildREquires: openssl-devel
-BuildRequires: python-devel, python-virtualenv, python-ply
+BuildRequires: python-devel, python-virtualenv
+BuildRequires: mbedtls-devel
+BuildRequires: python36-devel python36-pip python36-ply
 BuildRequires: cmake3
+BuildRequires: boost-filesystem
 %endif
 %endif
 BuildRequires: libffi-devel
@@ -83,7 +87,7 @@ vpp_json_test - vector packet engine JSON test tool
 %package lib
 Summary: VPP libraries
 Group: System Environment/Libraries
-Requires: vpp-selinux-policy = %{_version}-%{_release}
+Requires: vpp-selinux-policy = %{_version}-%{_release} boost-filesystem
 
 %description lib
 This package contains the VPP shared libraries, including:
@@ -111,7 +115,7 @@ vppinfra
 %package plugins
 Summary: Vector Packet Processing--runtime plugins
 Group: System Environment/Libraries
-Requires: vpp = %{_version}-%{_release} numactl-libs
+Requires: vpp = %{_version}-%{_release} numactl-libs mbedtls
 %description plugins
 This package contains VPP plugins
 

extras/scripts/list_api_changes.py

@@ -1,8 +1,8 @@
 #!/usr/bin/env python
 import os, fnmatch, subprocess
 
-starttag = 'v19.01-rc0'
-endtag = 'v19.01'
+starttag = 'v19.04-rc0'
+endtag = 'HEAD'
 emit_md = True
 apifiles = []
 

extras/vpp_if_stats/README.md

@@ -1,4 +1,4 @@
-# VPP interface stats client
+# VPP interface stats client {#if_stats_client_doc}
 
 This is a source code and a binary of a 'thin client' to collect, 
 aggregate and expose VPP interface stats through VPP stats socket API. 

src/plugins/crypto_ipsecmb/CMakeLists.txt

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+if(NOT CMAKE_SYSTEM_PROCESSOR MATCHES "amd64.*|x86_64.*|AMD64.*")
+  return()
+endif()
+
 find_path(IPSECMB_INCLUDE_DIR NAMES intel-ipsec-mb.h HINTS ${IPSECMB_INCLUDE_DIR_HINT})
 find_library(IPSECMB_LIB NAMES libIPSec_MB.a HINTS ${IPSECMB_LIB_DIR_HINT})
 
@@ -33,3 +37,5 @@ if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB)
 else()
 	message(STATUS "Intel IPSecMB not found")
 endif()
+
+target_compile_options(crypto_ipsecmb_plugin PRIVATE "-march=silvermont")

src/plugins/crypto_openssl/main.c

@@ -112,15 +112,20 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops,
   for (i = 0; i < n_ops; i++)
     {
       vnet_crypto_op_t *op = ops[i];
+      u32 nonce[3];
       int len;
 
       if (op->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
-	RAND_bytes (op->iv, op->iv_len);
+	RAND_bytes (op->iv, 8);
+
+      nonce[0] = op->salt;
+      clib_memcpy_fast (nonce + 1, op->iv, 8);
 
       EVP_EncryptInit_ex (ctx, cipher, 0, 0, 0);
-      EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, op->iv_len, NULL);
-      EVP_EncryptInit_ex (ctx, 0, 0, op->key, op->iv);
-      EVP_EncryptUpdate (ctx, NULL, &len, op->aad, op->aad_len);
+      EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL);
+      EVP_EncryptInit_ex (ctx, 0, 0, op->key, (u8 *) nonce);
+      if (op->aad_len)
+	EVP_EncryptUpdate (ctx, NULL, &len, op->aad, op->aad_len);
       EVP_EncryptUpdate (ctx, op->dst, &len, op->src, op->len);
       EVP_EncryptFinal_ex (ctx, op->dst + len, &len);
       EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, op->tag_len, op->tag);
@@ -136,7 +141,7 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops,
   openssl_per_thread_data_t *ptd = vec_elt_at_index (per_thread_data,
 						     vm->thread_index);
   EVP_CIPHER_CTX *ctx = ptd->evp_cipher_ctx;
-  u32 i;
+  u32 i, n_fail = 0;
   for (i = 0; i < n_ops; i++)
     {
       vnet_crypto_op_t *op = ops[i];
@@ -145,16 +150,20 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops,
       EVP_DecryptInit_ex (ctx, cipher, 0, 0, 0);
       EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, op->iv_len, 0);
       EVP_DecryptInit_ex (ctx, 0, 0, op->key, op->iv);
-      EVP_DecryptUpdate (ctx, 0, &len, op->aad, op->aad_len);
+      if (op->aad_len)
+	EVP_DecryptUpdate (ctx, 0, &len, op->aad, op->aad_len);
       EVP_DecryptUpdate (ctx, op->dst, &len, op->src, op->len);
       EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, op->tag_len, op->tag);
 
       if (EVP_DecryptFinal_ex (ctx, op->dst + len, &len) > 0)
 	op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
       else
-	op->status = VNET_CRYPTO_OP_STATUS_FAIL_DECRYPT;
+	{
+	  n_fail++;
+	  op->status = VNET_CRYPTO_OP_STATUS_FAIL_DECRYPT;
+	}
     }
-  return n_ops;
+  return n_ops - n_fail;
 }
 
 static_always_inline u32

src/plugins/lb/lb.c

@@ -1375,6 +1375,7 @@ lb_init (vlib_main_t * vm)
   //Allocate and init default VIP.
   lbm->vips = 0;
   pool_get(lbm->vips, default_vip);
+  default_vip->new_flow_table_mask = 0;
   default_vip->prefix.ip6.as_u64[0] = 0xffffffffffffffffL;
   default_vip->prefix.ip6.as_u64[1] = 0xffffffffffffffffL;
   default_vip->protocol = ~0;
@@ -1418,6 +1419,12 @@ lb_init (vlib_main_t * vm)
   default_as->address.ip6.as_u64[0] = 0xffffffffffffffffL;
   default_as->address.ip6.as_u64[1] = 0xffffffffffffffffL;
 
+  /* Generate a valid flow table for default VIP */
+  default_vip->as_indexes = NULL;
+  lb_get_writer_lock();
+  lb_vip_update_new_flow_table(default_vip);
+  lb_put_writer_lock();
+
   lbm->vip_index_by_nodeport
     = hash_create_mem (0, sizeof(u16), sizeof (uword));
 

src/plugins/nat/nat_ha_doc.md

@@ -1,4 +1,4 @@
-# Active-Passive NAT HA
+# Active-Passive NAT HA {#nat_ha_doc}
 
 ## Introduction
 

src/plugins/unittest/crypto_test.c

@@ -81,6 +81,10 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm)
       r = r->next;
     }
 
+  /* no tests registered */
+  if (n_ops == 0)
+    return 0;
+
   vec_sort_with_function (rv, sort_registrations);
 
   vec_validate_aligned (computed_data, computed_data_total_len - 1,
@@ -158,8 +162,6 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm)
 	  op->user_data = i;
 	  op++;
 	}
-      /* next */
-      r = r->next;
     }
   /* *INDENT-ON* */
 
@@ -177,6 +179,7 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm)
 	{
 	case VNET_CRYPTO_OP_TYPE_AEAD_ENCRYPT:
 	  exp_tag = &r->tag;
+          /* fall through */
 	case VNET_CRYPTO_OP_TYPE_ENCRYPT:
 	  exp_ct = &r->ciphertext;
 	  break;

src/plugins/vmxnet3/README.md

@@ -1,4 +1,4 @@
-# VMWARE vmxnet3 device driver plugin
+# VMWARE vmxnet3 device driver plugin {#vmxnet3_doc}
 
 ##Overview
 This plugin provides native PCI driver support for VMWare vmxnet3.

src/vlib/unix/input.c

@@ -248,7 +248,7 @@ linux_epoll_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
   for (e = em->epoll_events; e < em->epoll_events + n_fds_ready; e++)
     {
       u32 i = e->data.u32;
-      clib_file_t *f = fm->file_pool + i;
+      clib_file_t *f = pool_elt_at_index (fm->file_pool, i);
       clib_error_t *errors[4];
       int n_errors = 0;
 
@@ -285,14 +285,18 @@ linux_epoll_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	{
 	  if (e->events & EPOLLIN)
 	    {
-	      errors[n_errors] = f->read_function (f);
 	      f->read_events++;
+	      errors[n_errors] = f->read_function (f);
+	      /* Make sure f is valid if the file pool moves */
+	      if (pool_is_free_index (fm->file_pool, i))
+		continue;
+	      f = pool_elt_at_index (fm->file_pool, i);
 	      n_errors += errors[n_errors] != 0;
 	    }
 	  if (e->events & EPOLLOUT)
 	    {
-	      errors[n_errors] = f->write_function (f);
 	      f->write_events++;
+	      errors[n_errors] = f->write_function (f);
 	      n_errors += errors[n_errors] != 0;
 	    }
 	}
@@ -300,8 +304,8 @@ linux_epoll_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	{
 	  if (f->error_function)
 	    {
-	      errors[n_errors] = f->error_function (f);
 	      f->error_events++;
+	      errors[n_errors] = f->error_function (f);
 	      n_errors += errors[n_errors] != 0;
 	    }
 	  else

src/vnet/MTU.md

@@ -1,4 +1,4 @@
-# Introduction
+# MTU Introduction {#mtu_doc}
 Maximum Transmission Unit is a term used to describe the maximum sized "thingy" that can be sent out an interface. It can refer to the maximum frame size that a NIC can send. On Ethernet that would include the Ethernet header but typically not the IGF. It can refer to the maximum packet size, that is, on Ethernet an MTU of 1500, would allow an IPv4 packet of 1500 bytes, that would result in an Ethernet frame of 1518 bytes.
 
 # MTU in VPP

src/vnet/adj/adj.c

@@ -179,7 +179,7 @@ format_ip_adjacency (u8 * s, va_list * args)
         s = format (s, "\n   counts:[%Ld:%Ld]", counts.packets, counts.bytes);
 	s = format (s, "\n   locks:%d", adj->ia_node.fn_locks);
 	s = format(s, "\n delegates:\n  ");
-        adj_delegate_format(s, adj);
+        s = adj_delegate_format(s, adj);
 
 	s = format(s, "\n children:");
         if (fib_node_list_get_size(adj->ia_node.fn_children))

src/vnet/bonding/device.c

@@ -104,6 +104,17 @@ bond_set_l2_mode_function (vnet_main_t * vnm,
 	ethernet_set_rx_redirect (vnm, sif_hw, 1);
       }
     }
+  else if ((bif_hw->l2_if_count == 0) && (l2_if_adjust == -1))
+    {
+      /* Just removed last L2 subinterface on this port */
+      vec_foreach (sw_if_index, bif->slaves)
+      {
+	sif_hw = vnet_get_sup_hw_interface (vnm, *sw_if_index);
+
+	/* Allow ip packets to go directly to ip4-input etc */
+	ethernet_set_rx_redirect (vnm, sif_hw, 0);
+      }
+    }
 
   return 0;
 }

src/vnet/crypto/crypto.c

@@ -119,8 +119,11 @@ vnet_crypto_set_handler (char *alg_name, char *engine)
       if (id == 0)
 	continue;
       od = vec_elt_at_index (cm->opt_data, id);
-      od->active_engine_index = p[0];
-      cm->ops_handlers[id] = ce->ops_handlers[id];
+      if (ce->ops_handlers[id])
+	{
+	  od->active_engine_index = p[0];
+	  cm->ops_handlers[id] = ce->ops_handlers[id];
+	}
     }
 
   return 0;

src/vnet/crypto/crypto.h

@@ -112,7 +112,7 @@ typedef struct
   u8 flags;
 #define VNET_CRYPTO_OP_FLAG_INIT_IV (1 << 0)
 #define VNET_CRYPTO_OP_FLAG_HMAC_CHECK (1 << 1)
-  u32 len;
+  u32 len, salt;
   u16 aad_len;
   u8 key_len, iv_len, digest_len, tag_len;
   u8 *key;

src/vnet/devices/tap/tap.c

@@ -175,6 +175,9 @@ tap_create_if (vlib_main_t * vm, tap_create_if_args_t * args)
   _IOCTL (vif->tap_fd, TUNSETIFF, (void *) &ifr);
   vif->ifindex = if_nametoindex (ifr.ifr_ifrn.ifrn_name);
 
+  if (!args->host_if_name)
+    args->host_if_name = (u8 *) ifr.ifr_ifrn.ifrn_name;
+
   unsigned int offload = 0;
   hdrsz = sizeof (struct virtio_net_hdr_v1);
   if (args->tap_flags & TAP_FLAG_GSO)

src/vnet/fib/fib_path.c

@@ -1883,6 +1883,9 @@ fib_path_resolve (fib_node_index_t path_index)
 	fib_path_attached_next_hop_set(path);
 	break;
     case FIB_PATH_TYPE_ATTACHED:
+    {
+        dpo_id_t tmp = DPO_INVALID;
+
         /*
          * path->attached.fp_interface
          */
@@ -1891,12 +1894,18 @@ fib_path_resolve (fib_node_index_t path_index)
         {
             path->fp_oper_flags &= ~FIB_PATH_OPER_FLAG_RESOLVED;
         }
-        dpo_set(&path->fp_dpo,
+        dpo_set(&tmp,
                 DPO_ADJACENCY,
                 path->fp_nh_proto,
                 fib_path_attached_get_adj(path,
                                           dpo_proto_to_link(path->fp_nh_proto)));
 
+        /*
+         * re-fetch after possible mem realloc
+         */
+        path = fib_path_get(path_index);
+        dpo_copy(&path->fp_dpo, &tmp);
+
         /*
          * become a child of the adjacency so we receive updates
          * when the interface state changes
@@ -1904,7 +1913,9 @@ fib_path_resolve (fib_node_index_t path_index)
         path->fp_sibling = adj_child_add(path->fp_dpo.dpoi_index,
                                          FIB_NODE_TYPE_PATH,
                                          fib_path_get_index(path));
+        dpo_reset(&tmp);
 	break;
+    }
     case FIB_PATH_TYPE_RECURSIVE:
     {
 	/*

src/vnet/ipfix-export/ipfix_doc.md

@@ -1,4 +1,4 @@
-# IPFIX support {#ipfix}
+# IPFIX support {#ipfix_doc}
 
 VPP includes a high-performance IPFIX record exporter. This note
 explains how to use the internal APIs to export IPFIX data, and how to

src/vnet/ipsec/esp.h

@@ -54,6 +54,20 @@ typedef CLIB_PACKED (struct {
 }) ip6_and_esp_header_t;
 /* *INDENT-ON* */
 
+/**
+ * AES GCM Additional Authentication data
+ */
+typedef struct esp_aead_t_
+{
+  /**
+   * for GCM: when using ESN it's:
+   *   SPI, seq-hi, seg-low
+   * else
+   *   SPI, seq-low
+   */
+  u32 data[3];
+} __clib_packed esp_aead_t;
+
 #define ESP_SEQ_MAX		(4294967295UL)
 #define ESP_MAX_BLOCK_SIZE	(16)
 #define ESP_MAX_IV_SIZE		(16)
@@ -117,6 +131,26 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len,
   return sa->integ_icv_size;
 }
 
+always_inline void
+esp_aad_fill (vnet_crypto_op_t * op,
+	      const esp_header_t * esp, const ipsec_sa_t * sa)
+{
+  esp_aead_t *aad;
+
+  aad = (esp_aead_t *) op->aad;
+  clib_memcpy_fast (aad, esp, 8);
+
+  if (ipsec_sa_is_set_USE_ESN (sa))
+    {
+      /* SPI, seq-hi, seq-low */
+      aad->data[2] = aad->data[1];
+      aad->data[1] = clib_host_to_net_u32 (sa->seq_hi);
+      op->aad_len = 12;
+    }
+  else
+    /* SPI, seq-low */
+    op->aad_len = 8;
+}
 #endif /* __ESP_H__ */
 
 /*

src/vnet/ipsec/esp_decrypt.c

@@ -177,7 +177,7 @@ esp_decrypt_inline (vlib_main_t * vm,
       payload = b[0]->data + pd->current_data;
 
       /* we need 4 extra bytes for HMAC calculation when ESN are used */
-      if ((sa0->flags & IPSEC_SA_FLAG_USE_ESN) && pd->icv_sz &&
+      if (ipsec_sa_is_set_USE_ESN (sa0) && pd->icv_sz &&
 	  (pd->current_data + pd->current_length + 4 > buffer_data_size))
 	{
 	  b[0]->error = node->errors[ESP_DECRYPT_ERROR_NO_TAIL_SPACE];
@@ -197,7 +197,7 @@ esp_decrypt_inline (vlib_main_t * vm,
       current_sa_pkts += 1;
       current_sa_bytes += pd->current_length;
 
-      if (PREDICT_TRUE (cpd.icv_sz > 0))
+      if (PREDICT_TRUE (sa0->integ_op_id != VNET_CRYPTO_OP_NONE))
 	{
 	  vnet_crypto_op_t *op;
 	  vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES);
@@ -211,7 +211,7 @@ esp_decrypt_inline (vlib_main_t * vm,
 	  op->digest = payload + len;
 	  op->digest_len = cpd.icv_sz;
 	  op->len = len;
-	  if (PREDICT_TRUE (sa0->flags & IPSEC_SA_FLAG_USE_ESN))
+	  if (ipsec_sa_is_set_USE_ESN (sa0))
 	    {
 	      /* shift ICV for 4 bytes to insert ESN */
 	      u8 tmp[ESP_MAX_ICV_SIZE], sz = sizeof (sa0->seq_hi);
@@ -219,7 +219,7 @@ esp_decrypt_inline (vlib_main_t * vm,
 	      clib_memcpy_fast (payload + len, &sa0->seq_hi, sz);
 	      clib_memcpy_fast (payload + len + sz, tmp, ESP_MAX_ICV_SIZE);
 	      op->len += sz;
-	      op->dst += sz;
+	      op->digest += sz;
 	    }
 	}
 
@@ -232,11 +232,42 @@ esp_decrypt_inline (vlib_main_t * vm,
 	  vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
 	  vnet_crypto_op_init (op, sa0->crypto_dec_op_id);
 	  op->key = sa0->crypto_key.data;
-	  op->key_len = sa0->crypto_key.len;
 	  op->iv = payload;
-	  op->iv_len = cpd.iv_sz;
+
+	  if (ipsec_sa_is_set_IS_AEAD (sa0))
+	    {
+	      esp_header_t *esp0;
+	      esp_aead_t *aad;
+	      u8 *scratch;
+	      u32 salt;
+
+	      /*
+	       * construct the AAD and the nonce (Salt || IV) in a scratch
+	       * space in front of the IP header.
+	       */
+	      scratch = payload - esp_sz;
+	      esp0 = (esp_header_t *) (scratch);
+
+	      scratch -= (sizeof (*aad) + pd->hdr_sz);
+	      op->aad = scratch;
+
+	      esp_aad_fill (op, esp0, sa0);
+
+	      /*
+	       * we don't need to refer to the ESP header anymore so we
+	       * can overwrite it with the salt and use the IV where it is
+	       * to form the nonce = (Salt + IV)
+	       */
+	      salt = clib_host_to_net_u32 (sa0->salt);
+	      op->iv -= sizeof (sa0->salt);
+	      clib_memcpy_fast (op->iv, &salt, sizeof (sa0->salt));
+	      op->iv_len = cpd.iv_sz + sizeof (sa0->salt);
+
+	      op->tag = payload + len;
+	      op->tag_len = 16;
+	    }
 	  op->src = op->dst = payload += cpd.iv_sz;
-	  op->len = len;
+	  op->len = len - cpd.iv_sz;
 	  op->user_data = b - bufs;
 	}
 
@@ -287,7 +318,7 @@ esp_decrypt_inline (vlib_main_t * vm,
 	      bi = op->user_data;
 
 	      if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
-		err = ESP_DECRYPT_ERROR_INTEG_ERROR;
+		err = ESP_DECRYPT_ERROR_DECRYPTION_FAILED;
 	      else
 		err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
 

src/vnet/ipsec/esp_encrypt.c

@@ -112,19 +112,26 @@ esp_add_footer_and_icv (vlib_buffer_t * b, u8 block_size, u8 icv_sz)
 static_always_inline void
 esp_update_ip4_hdr (ip4_header_t * ip4, u16 len, int is_transport, int is_udp)
 {
-  ip_csum_t sum = ip4->checksum;
-  u16 old_len = 0;
+  ip_csum_t sum;
+  u16 old_len;
+
+  len = clib_net_to_host_u16 (len);
+  old_len = ip4->length;
 
   if (is_transport)
     {
       u8 prot = is_udp ? IP_PROTOCOL_UDP : IP_PROTOCOL_IPSEC_ESP;
-      old_len = ip4->length;
-      sum = ip_csum_update (sum, ip4->protocol, prot, ip4_header_t, protocol);
-      ip4->protocol = prot;
-    }
 
-  ip4->length = len = clib_net_to_host_u16 (len);
-  sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length);
+      sum = ip_csum_update (ip4->checksum, ip4->protocol,
+			    prot, ip4_header_t, protocol);
+      ip4->protocol = prot;
+
+      sum = ip_csum_update (sum, old_len, len, ip4_header_t, length);
+    }
+  else
+    sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length);
+
+  ip4->length = len;
   ip4->checksum = ip_csum_fold (sum);
 }
 
@@ -402,14 +409,16 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr);
 	      *next_hdr_ptr = ip6->protocol;
 	      ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
-	      ip6->payload_length = payload_len + hdr_len - l2_len - ip_len;
+	      ip6->payload_length =
+		clib_host_to_net_u16 (payload_len + hdr_len - l2_len -
+				      ip_len);
 	    }
 	  else
 	    {
 	      u16 len;
 	      ip4_header_t *ip4 = (ip4_header_t *) (ip_hdr);
 	      *next_hdr_ptr = ip4->protocol;
-	      len = payload_len + hdr_len + l2_len;
+	      len = payload_len + hdr_len - l2_len;
 	      if (udp)
 		{
 		  esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1);
@@ -431,13 +440,26 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	  vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
 	  vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
 	  op->iv = payload - iv_sz;
-	  op->iv_len = iv_sz;
 	  op->src = op->dst = payload;
 	  op->key = sa0->crypto_key.data;
-	  op->key_len = sa0->crypto_key.len;
 	  op->len = payload_len - icv_sz;
 	  op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
 	  op->user_data = b - bufs;
+	  op->salt = sa0->salt;
+
+	  if (ipsec_sa_is_set_IS_AEAD (sa0))
+	    {
+	      /*
+	       * construct the AAD in a scratch space in front
+	       * of the IP header.
+	       */
+	      op->aad = payload - hdr_len - sizeof (esp_aead_t);
+
+	      esp_aad_fill (op, esp, sa0);
+
+	      op->tag = payload + op->len;
+	      op->tag_len = 16;
+	    }
 	}
 
       if (sa0->integ_op_id)
@@ -455,7 +477,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	  if (ipsec_sa_is_set_USE_ESN (sa0))
 	    {
 	      u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi);
-	      clib_memcpy_fast (op->dst, &seq_hi, sizeof (seq_hi));
+	      clib_memcpy_fast (op->digest, &seq_hi, sizeof (seq_hi));
 	      op->len += sizeof (seq_hi);
 	    }
 	}

src/vnet/ipsec/ipsec.c

@@ -38,13 +38,6 @@ ipsec_check_ah_support (ipsec_sa_t * sa)
 static clib_error_t *
 ipsec_check_esp_support (ipsec_sa_t * sa)
 {
-  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
-    return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
-  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192)
-    return clib_error_return (0, "unsupported aes-gcm-192 crypto-alg");
-  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)
-    return clib_error_return (0, "unsupported aes-gcm-256 crypto-alg");
-
   return 0;
 }
 
@@ -293,6 +286,24 @@ ipsec_init (vlib_main_t * vm)
   a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC;
   a->iv_size = a->block_size = 16;
 
+  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_128;
+  a->enc_op_id = VNET_CRYPTO_OP_AES_128_GCM_ENC;
+  a->dec_op_id = VNET_CRYPTO_OP_AES_128_GCM_DEC;
+  a->iv_size = a->block_size = 8;
+  a->icv_size = 16;
+
+  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_192;
+  a->enc_op_id = VNET_CRYPTO_OP_AES_192_GCM_ENC;
+  a->dec_op_id = VNET_CRYPTO_OP_AES_192_GCM_DEC;
+  a->iv_size = a->block_size = 8;
+  a->icv_size = 16;
+
+  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_256;
+  a->enc_op_id = VNET_CRYPTO_OP_AES_256_GCM_ENC;
+  a->dec_op_id = VNET_CRYPTO_OP_AES_256_GCM_DEC;
+  a->iv_size = a->block_size = 8;
+  a->icv_size = 16;
+
   vec_validate (im->integ_algs, IPSEC_INTEG_N_ALG - 1);
   ipsec_main_integ_alg_t *i;