ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>

.gitignore

@@ -81,6 +81,7 @@ GTAGS
 /build-root/.doxygen-bootstrap.ok
 /build-root/.doxygen-siphon.dep
 /docs/_build
+/docs/dynamic_includes
 /sphinx_venv
 !/docs/Makefile
 

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2009

MAINTAINERS

@@ -60,6 +60,9 @@ M:	Dave Barach <dave@barachs.net>
 M:	Damjan Marion <damarion@cisco.com>
 F:	src/vlib/
 E:	src/vlib/buffer*.[ch]
+E:	src/vlib/pci/
+E:	src/vlib/linux/pci.[ch]
+E:	src/vlib/linux/vfio.[ch]
 
 Vector Library - Buffer Management
 I:	buffers
@@ -67,6 +70,13 @@ M:	Damjan Marion <damarion@cisco.com>
 M:	Dave Barach <dave@barachs.net>
 F:	src/vlib/buffer*.[ch]
 
+Vector Library - PCI
+I:	pci
+M:	Damjan Marion <damarion@cisco.com>
+F:	src/vlib/pci/
+F:	src/vlib/linux/pci.[ch]
+F:	src/vlib/linux/vfio.[ch]
+
 Binary API Libraries
 I:	api
 M:	Dave Barach <dave@barachs.net>
@@ -180,11 +190,6 @@ M:	Damjan Marion <damarion@cisco.com>
 M:	Neale Ranns <nranns@cisco.com>
 F:	src/vnet/crypto/
 
-VNET COP
-I:	cop
-M:	Dave Barach <dave@barachs.net>
-F:	src/vnet/cop/
-
 VNET TEIB
 I:	teib
 M:	Neale Ranns <nranns@cisco.com>
@@ -195,17 +200,17 @@ I:	span
 M:	N/A
 F:	src/vnet/span
 
-Crypto native Plugin
+Plugin - Crypto - native
 I:	crypto-native
 M:	Damjan Marion <damarion@cisco.com>
 F:	src/plugins/crypto_native/
 
-Crypto openssl Plugin
+Plugin - Crypto - OpenSSL
 I:	crypto-openssl
 M:	Damjan Marion <damarion@cisco.com>
 F:	src/plugins/crypto_openssl/
 
-Crypto ipsecmb Plugin
+Plugin - Crypto - ipsecmb
 I:	crypto-ipsecmb
 M:	Neale Ranns <nranns@cisco.com>
 F:	src/plugins/crypto_ipsecmb/
@@ -353,6 +358,11 @@ I:	abf
 M:	Neale Ranns <nranns@cisco.com>
 F:	src/plugins/abf/
 
+Plugin - Allow / Deny List
+I:	adl
+M:	Dave Barach <dave@barachs.net>
+F:	src/plugins/adl/
+
 Plugin - Simple DNS name resolver
 I:	dns
 M:	Dave Barach <dave@barachs.net>
@@ -419,6 +429,8 @@ Plugin - Internet Key Exchange (IKEv2) Protocol
 I:	ikev2
 M:	Damjan Marion <damarion@cisco.com>
 M:	Neale Ranns <nranns@cisco.com>
+M:	Filip Tehlar <ftehlar@cisco.com>
+M:	Benoît Ganne <bganne@cisco.com>
 F:	src/plugins/ikev2/
 
 Plugin - Internet Group Management Protocol (IGMP)
@@ -670,6 +682,17 @@ I:	urpf
 M:	Neale Ranns <nranns@cisco.com>
 F:	src/plugins/urpf
 
+Plugin - CNat
+I:	cnat
+M:	Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
+M:	Neale Ranns <nranns@cisco.com>
+F:	src/plugins/cnat
+
+Plugin - Wireguard
+I:	wireguard
+M:	Artem Glazychev <artem.glazychev@xored.com>
+F:	src/plugins/wireguard
+
 VPP Config Tooling
 I:	vpp_config
 M:	John DeNisco <jdenisco@cisco.com>
@@ -680,6 +703,12 @@ I:	bash
 M:	Dave Wallace <dwallacelf@gmail.com>
 F:	extras/bash/
 
+Plugin - AF_XDP driver
+I:	af_xdp
+M:	Benoît Ganne <bganne@cisco.com>
+M:	Damjan Marion <damarion@cisco.com>
+F:	src/plugins/af_xdp/
+
 THE REST
 I:	misc
 C:	Contact vpp-dev Mailing List <vpp-dev@fd.io>

Makefile

@@ -55,42 +55,45 @@ endif
 
 ifeq ($(filter ubuntu debian,$(OS_ID)),$(OS_ID))
 PKG=deb
-else ifeq ($(filter rhel centos fedora opensuse opensuse-leap opensuse-tumbleweed,$(OS_ID)),$(OS_ID))
+else ifeq ($(filter rhel centos fedora,$(OS_ID)),$(OS_ID))
 PKG=rpm
 endif
 
 # +libganglia1-dev if building the gmond plugin
 
 DEB_DEPENDS  = curl build-essential autoconf automake ccache
-DEB_DEPENDS += debhelper dkms git libtool libapr1-dev dh-systemd
+DEB_DEPENDS += debhelper dkms git libtool libapr1-dev dh-systemd dh-python
 DEB_DEPENDS += libconfuse-dev git-review exuberant-ctags cscope pkg-config
 DEB_DEPENDS += lcov chrpath autoconf indent clang-format libnuma-dev
-DEB_DEPENDS += python-all python3-all python3-setuptools
-DEB_DEPENDS += python-virtualenv python-pip check
+DEB_DEPENDS += python3-all python3-setuptools check
 DEB_DEPENDS += libboost-all-dev libffi-dev python3-ply libmbedtls-dev
 DEB_DEPENDS += cmake ninja-build uuid-dev python3-jsonschema python3-yaml
 DEB_DEPENDS += python3-venv  # ensurepip
 DEB_DEPENDS += python3-dev   # needed for python3 -m pip install psutil
 # python3.6 on 16.04 requires python36-dev
 
-LIBFFI=libffi6 # works on all but 20.04
+LIBFFI=libffi6 # works on all but 20.04 and debian-testing
 
-ifeq ($(OS_VERSION_ID),16.04)
-	DEB_DEPENDS += python-dev
-	DEB_DEPENDS += libssl-dev
-else ifeq ($(OS_VERSION_ID),18.04)
-	DEB_DEPENDS += python-dev
+ifeq ($(OS_VERSION_ID),18.04)
+	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
 	DEB_DEPENDS += libssl-dev
 	DEB_DEPENDS += clang-9
 else ifeq ($(OS_VERSION_ID),20.04)
-	LIBFFI=libffi7
-else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-8)
+	DEB_DEPENDS += python3-virtualenv
 	DEB_DEPENDS += libssl-dev
-	APT_ARGS = -t jessie-backports
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
+	LIBFFI=libffi7
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-9)
 	DEB_DEPENDS += libssl1.0-dev
+	DEB_DEPENDS += python-all python-pip
+	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
+else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-10)
+	DEB_DEPENDS += libssl-dev
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
 else
 	DEB_DEPENDS += libssl-dev
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
+	LIBFFI=libffi7
 endif
 
 DEB_DEPENDS += $(LIBFFI)
@@ -104,6 +107,9 @@ RPM_DEPENDS += selinux-policy selinux-policy-devel
 RPM_DEPENDS += ninja-build
 RPM_DEPENDS += libuuid-devel
 RPM_DEPENDS += mbedtls-devel
+RPM_DEPENDS += ccache
+RPM_DEPENDS += xmlto
+RPM_DEPENDS += elfutils-libelf-devel
 
 ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS += dnf-utils
@@ -116,8 +122,8 @@ ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS_GROUPS = 'C Development Tools and Libraries'
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
 	RPM_DEPENDS += yum-utils
-	RPM_DEPENDS += compat-openssl10
-	RPM_DEPENDS += python36-devel python3-ply
+	RPM_DEPENDS += compat-openssl10 openssl-devel
+	RPM_DEPENDS += python2-devel python36-devel python3-ply
 	RPM_DEPENDS += python3-virtualenv python3-jsonschema
 	RPM_DEPENDS += cmake
 	RPM_DEPENDS_GROUPS = 'Development Tools'
@@ -127,7 +133,7 @@ else
 	RPM_DEPENDS += python36-ply  # for vppapigen
 	RPM_DEPENDS += python3-devel python3-pip
 	RPM_DEPENDS += python-virtualenv python36-jsonschema
-	RPM_DEPENDS += devtoolset-9
+	RPM_DEPENDS += devtoolset-9 devtoolset-9-libasan-devel
 	RPM_DEPENDS += cmake3
 	RPM_DEPENDS_GROUPS = 'Development Tools'
 endif
@@ -135,42 +141,11 @@ endif
 # +ganglia-devel if building the ganglia plugin
 
 RPM_DEPENDS += chrpath libffi-devel rpm-build
-# lowercase- replace spaces with dashes.
-SUSE_NAME= $(shell grep '^NAME=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | sed -e 's/ /-/' | awk '{print tolower($$0)}')
-SUSE_ID= $(shell grep '^VERSION_ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | cut -d' ' -f2)
-RPM_SUSE_BUILDTOOLS_DEPS = autoconf automake ccache check-devel chrpath
-RPM_SUSE_BUILDTOOLS_DEPS += clang cmake indent libtool make ninja python3-ply
 
-RPM_SUSE_DEVEL_DEPS = glibc-devel-static libnuma-devel
-RPM_SUSE_DEVEL_DEPS += libopenssl-devel openssl-devel mbedtls-devel libuuid-devel
-
-RPM_SUSE_PYTHON_DEPS = python-devel python3-devel python-pip python3-pip
-RPM_SUSE_PYTHON_DEPS += python-rpm-macros python3-rpm-macros
-
-RPM_SUSE_PLATFORM_DEPS = distribution-release shadow rpm-build
-
-ifeq ($(OS_ID),opensuse)
-ifeq ($(SUSE_NAME),tumbleweed)
-	RPM_SUSE_DEVEL_DEPS = libboost_headers1_68_0-devel-1.68.0  libboost_thread1_68_0-devel-1.68.0 gcc
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-endif
-ifeq ($(SUSE_ID),15.0)
-	RPM_SUSE_DEVEL_DEPS += libboost_headers-devel libboost_thread-devel gcc
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-else
-	RPM_SUSE_DEVEL_DEPS += libboost_headers1_68_0-devel-1.68.0 gcc6
-	RPM_SUSE_PYTHON_DEPS += python-virtualenv
-endif
-endif
-
-ifeq ($(OS_ID),opensuse-leap)
-ifeq ($(SUSE_ID),15.0)
-	RPM_SUSE_DEVEL_DEPS += libboost_headers-devel libboost_thread-devel gcc git curl
-	RPM_SUSE_PYTHON_DEPS += python3-ply python2-virtualenv
-endif
-endif
-
-RPM_SUSE_DEPENDS += $(RPM_SUSE_BUILDTOOLS_DEPS) $(RPM_SUSE_DEVEL_DEPS) $(RPM_SUSE_PYTHON_DEPS) $(RPM_SUSE_PLATFORM_DEPS)
+RPM_DEPENDS_DEBUG  = glibc-debuginfo e2fsprogs-debuginfo
+RPM_DEPENDS_DEBUG += krb5-debuginfo openssl-debuginfo
+RPM_DEPENDS_DEBUG += zlib-debuginfo nss-softokn-debuginfo
+RPM_DEPENDS_DEBUG += yum-plugin-auto-update-debug-info
 
 ifneq ($(wildcard $(STARTUP_DIR)/startup.conf),)
         STARTUP_CONF ?= $(STARTUP_DIR)/startup.conf
@@ -282,7 +257,7 @@ ifeq ($(filter ubuntu debian,$(OS_ID)),$(OS_ID))
 	exit 0
 else ifneq ("$(wildcard /etc/redhat-release)","")
 	@for i in $(RPM_DEPENDS) ; do \
-	    RPM=$$(basename -s .rpm "$${i##*/}" | cut -d- -f1,2,3)  ;	\
+	    RPM=$$(basename -s .rpm "$${i##*/}" | cut -d- -f1,2,3,4)  ;	\
 	    MISSING+=$$(rpm -q $$RPM | grep "^package")	   ;    \
 	done							   ;	\
 	if [ -n "$$MISSING" ] ; then \
@@ -301,13 +276,6 @@ bootstrap:
 .PHONY: install-dep
 install-dep:
 ifeq ($(filter ubuntu debian,$(OS_ID)),$(OS_ID))
-ifeq ($(OS_VERSION_ID),14.04)
-	@sudo -E apt-get $(CONFIRM) $(FORCE) install software-properties-common
-endif
-ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-8)
-	@grep -q jessie-backports /etc/apt/sources.list /etc/apt/sources.list.d/* 2> /dev/null \
-           || ( echo "Please install jessie-backports" ; exit 1 )
-endif
 	@sudo -E apt-get update
 	@sudo -E apt-get $(APT_ARGS) $(CONFIRM) $(FORCE) install $(DEB_DEPENDS)
 else ifneq ("$(wildcard /etc/redhat-release)","")
@@ -317,29 +285,23 @@ ifeq ($(OS_ID),rhel)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
 	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
+	@sudo -E dnf install $(CONFIRM) dnf-plugins-core epel-release
+	@sudo -E dnf config-manager --set-enabled \
+          $(shell dnf repolist all 2>/dev/null|grep -i powertools|cut -d' ' -f1)
 	@sudo -E dnf groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)
 else ifeq ($(OS_ID),centos)
 	@sudo -E yum install $(CONFIRM) centos-release-scl-rh epel-release
 	@sudo -E yum groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
-	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
+	@sudo -E yum install $(CONFIRM) --enablerepo=base-debuginfo $(RPM_DEPENDS_DEBUG)
 else ifeq ($(OS_ID),fedora)
 	@sudo -E dnf groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)
 	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 endif
-else ifeq ($(filter opensuse-tumbleweed,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install -y $(RPM_SUSE_DEPENDS)
-else ifeq ($(filter opensuse-leap,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install  -y $(RPM_SUSE_DEPENDS)
-else ifeq ($(filter opensuse,$(OS_ID)),$(OS_ID))
-	@sudo -E zypper refresh
-	@sudo -E zypper install -y $(RPM_SUSE_DEPENDS)
 else
-	$(error "This option currently works only on Ubuntu, Debian, RHEL, CentOS or openSUSE systems")
+	$(error "This option currently works only on Ubuntu, Debian, RHEL, or CentOS systems")
 endif
 	git config commit.template .git_commit_template.txt
 

build-root/Makefile

@@ -765,7 +765,7 @@ find_source_for_package =									\
       exit 1;											\
     fi ;											\
     $(call build_msg_fn,Fix file dates in $${g}/$(PACKAGE_SOURCE)) ;					\
-    (cd $${s} ; $(MU_BUILD_ROOT_DIR)/autowank --touch) ;					\
+    : the timestamp-adjustment script used to be invoked at this point ;			\
   fi ;												\
   s=`cd $${s} && pwd` ;										\
   $(call build_msg_fn,Source found in $${s})

build/external/Makefile

@@ -39,13 +39,14 @@ include packages/ipsec-mb.mk
 include packages/quicly.mk
 include packages/dpdk.mk
 include packages/rdma-core.mk
+include packages/libbpf.mk
 
 .PHONY: clean
 clean:
 	@rm -rf $(B) $(I)
 
 .PHONY: install
-install: dpdk-install rdma-core-install quicly-install
+install: dpdk-install rdma-core-install quicly-install libbpf-install
 
 .PHONY: config
 config: dpdk-config rdma-core-config

build/external/packages.mk

@@ -79,7 +79,7 @@ $(B)/.$1.patch.ok: $(B)/.$1.extract.ok
 ifneq ($$(wildcard $$($1_patch_dir)/*.patch),)
 	@for f in $$($1_patch_dir)/*.patch ; do \
 		echo "Applying patch: $$$$(basename $$$$f)" ; \
-		patch -p1 -d $$($1_src_dir) < $$$$f ; \
+		patch -p1 -d $$($1_src_dir) --no-backup-if-mismatch < $$$$f ; \
 	done
 endif
 	@touch $$@

build/external/packages/dpdk.mk

@@ -21,13 +21,13 @@ DPDK_MLX5_PMD                ?= n
 DPDK_TAP_PMD                 ?= n
 DPDK_FAILSAFE_PMD            ?= n
 
-DPDK_VERSION                 ?= 20.02
+DPDK_VERSION                 ?= 20.08
 DPDK_BASE_URL                ?= http://fast.dpdk.org/rel
 DPDK_TARBALL                 := dpdk-$(DPDK_VERSION).tar.xz
 DPDK_TAR_URL                 := $(DPDK_BASE_URL)/$(DPDK_TARBALL)
 DPDK_18.11_TARBALL_MD5_CKSUM := 04b86f4a77f4f81a7fbd26467dd2ea9f
-DPDK_19.08_TARBALL_MD5_CKSUM := 8a6f5bd844b7a06b34787063409298ed
-DPDK_20.02_TARBALL_MD5_CKSUM := e20171462d6b2252dfbae1de8c45ba10
+DPDK_20.05_TARBALL_MD5_CKSUM := 7c6f3e7f7de2422775c4cba116012c4d
+DPDK_20.08_TARBALL_MD5_CKSUM := 64badd32cd6bc0761befc8f2402c2148
 MACHINE=$(shell uname -m)
 
 # replace dot with space, and if 3rd word exists we deal with stable dpdk rel
@@ -166,6 +166,7 @@ DPDK_MAKE_ARGS := -C $(DPDK_SOURCE) -j $(JOBS) \
 	EXTRA_LDFLAGS="$(DPDK_EXTRA_LDFLAGS)" \
 	CPU_CFLAGS="$(DPDK_CPU_CFLAGS)" \
 	DESTDIR=$(I) \
+	MAKE_PAUSE=n \
         $(DPDK_MAKE_EXTRA_ARGS)
 
 define set
@@ -228,6 +229,10 @@ $(B)/custom-config: $(B)/.dpdk-patch.ok Makefile
 	$(call set,RTE_LIBRTE_IFPGA_BUS,n)
 	$(call set,RTE_LIBRTE_BBDEV,n)
 	$(call set,RTE_LIBRTE_BBDEV_NULL,n)
+	$(call set,RTE_LIBRTE_GRAPH,n)
+	$(call set,RTE_LIBRTE_NODE,n)
+	$(call set,RTE_LIBRTE_FIB,n)
+	$(call set,RTE_LIBRTE_RIB,n)
 	$(call set,RTE_TEST_PMD,n)
 	$(call set,RTE_KNI_KMOD,n)
 	$(call set,RTE_EAL_IGB_UIO,n)

build/external/packages/libbpf.mk

@@ -0,0 +1,57 @@
+# Copyright (c) 2018 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LIBBPF_DEBUG?=n
+
+libbpf_version             := 0.1.0
+libbpf_tarball             := v$(libbpf_version).tar.gz
+libbpf_tarball_md5sum_0.1.0 := 00b991a6e2d28d797a56ab1575ed40e1
+libbpf_tarball_md5sum      := $(libbpf_tarball_md5sum_$(libbpf_version))
+libbpf_tarball_strip_dirs  := 1
+libbpf_url                 := https://github.com/libbpf/libbpf/archive/$(libbpf_tarball)
+
+LIBBPF_CFLAGS:=-g -Werror -Wall -fPIC -fvisibility=hidden
+ifeq ($(LIBBPF_DEBUG),y)
+  LIBBPF_CFLAGS+= -O0
+else
+  LIBBPF_CFLAGS+= -O2
+endif
+
+# check for libelf, zlib and kernel if_xdp.h presence
+LIBBPF_DEPS_CHECK:="\#include <linux/if_xdp.h>\\n\#include <gelf.h>\\n\#include <zlib.h>\\nint main(void){return 0;}"
+LIBBPF_DEPS_CHECK:=$(shell echo -e $(LIBBPF_DEPS_CHECK) | $(CC) -xc -lelf -lz -o /dev/null - > /dev/null 2>&1)
+LIBBPF_DEPS_CHECK:=$(.SHELLSTATUS)
+
+define  libbpf_config_cmds
+	@true
+endef
+
+define  libbpf_build_cmds__
+	BUILD_STATIC_ONLY=y OBJDIR='$(libbpf_build_dir)' PREFIX='' DESTDIR='$(libbpf_install_dir)' CFLAGS='$(LIBBPF_CFLAGS)' make -C '$(libbpf_src_dir)/src' $(1) > $(2)
+endef
+
+define  libbpf_build_cmds
+	$(call libbpf_build_cmds__,,$(libbpf_build_log))
+endef
+
+define  libbpf_install_cmds
+	$(call libbpf_build_cmds__,install,$(libbpf_install_log))
+endef
+
+ifneq ($(LIBBPF_DEPS_CHECK),0)
+  $(warning "Missing libbpf dependencies. libbpf will be skipped.")
+libbpf-install:
+	@true
+else
+  $(eval $(call package,libbpf))
+endif

build/external/packages/rdma-core.mk

@@ -13,11 +13,10 @@
 
 RDMA_CORE_DEBUG?=n
 
-rdma-core_version             := 28.0
+rdma-core_version             := 31.0
 rdma-core_tarball             := rdma-core-$(rdma-core_version).tar.gz
-rdma-core_tarball_md5sum_25.0 := d8839edaae4cb6dacdacc4b5a824854c
-rdma-core_tarball_md5sum_26.0 := e68ad88679f37a0285d4d5b820e6b689
 rdma-core_tarball_md5sum_28.0 := 780125feed6c599f2f22228db1a5996e
+rdma-core_tarball_md5sum_31.0 := 6076b2cfd5b0b22b88f1fb8dffd1aef7
 rdma-core_tarball_md5sum      := $(rdma-core_tarball_md5sum_$(rdma-core_version))
 rdma-core_tarball_strip_dirs  := 1
 rdma-core_url                 := http://github.com/linux-rdma/rdma-core/releases/download/v$(rdma-core_version)/$(rdma-core_tarball)

build/external/patches/README

@@ -24,7 +24,7 @@ for release tag “v2.2.0” and will create a branch named “two_dot_two”.
 
 5. Create the patch files with format-patch. This creates all the patch files
 for your branch (two_dot_two), with your latest commits as the last ones.
- # git format-patch master..two_dot_two
+ # git format-patch main..two_dot_two
 
 6. Copy, add and commit the new patches into the patches directory.
 

build/external/patches/dpdk_20.08/0001-net-iavf-deprecate-i40evf-pmd.patch

@@ -0,0 +1,232 @@
+From bd048f56bc4b85fed31f34db676f1ad67c86bd16 Mon Sep 17 00:00:00 2001
+From: Robin Zhang <robinx.zhang@intel.com>
+Date: Mon, 19 Apr 2021 03:05:39 +0000
+Subject: [PATCH] net/iavf: deprecate i40evf pmd
+
+The i40evf PMD will be deprecated, iavf will be the only VF driver for
+Intel 700 serial (i40e) NIC family. To reach this, there will be 2 steps:
+
+Step 1: iavf will be the default VF driver, while i40evf still can be
+selected by devarg: "driver=i40evf".
+This is covered by this patch, which include:
+1) add all 700 serial NIC VF device ID into iavf PMD
+2) skip probe if devargs contain "driver=i40evf" in iavf
+3) continue probe if devargs contain "driver=i40evf" in i40evf
+
+Step 2: i40evf and related devarg are removed, this will happen at DPDK
+21.11
+
+Between step 1 and step 2, no new feature will be added into i40evf except
+bug fix.
+
+Signed-off-by: Robin Zhang <robinx.zhang@intel.com>
+Acked-by: Qi Zhang <qi.z.zhang@intel.com>
+Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
+Acked-by: Beilei Xing <beilei.xing@intel.com>
+---
+ doc/guides/nics/intel_vf.rst         |  6 +++
+ doc/guides/rel_notes/deprecation.rst |  8 ++++
+ drivers/common/iavf/iavf_devids.h    |  2 +
+ drivers/net/i40e/i40e_ethdev_vf.c    | 45 ++++++++++++++++++++++
+ drivers/net/iavf/iavf_ethdev.c       | 57 +++++++++++++++++++++++++++-
+ 5 files changed, 116 insertions(+), 2 deletions(-)
+
+diff --git a/doc/guides/nics/intel_vf.rst b/doc/guides/nics/intel_vf.rst
+index ade5152595..b95200698d 100644
+--- a/doc/guides/nics/intel_vf.rst
++++ b/doc/guides/nics/intel_vf.rst
+@@ -88,6 +88,12 @@ For more detail on SR-IOV, please refer to the following documents:
+     assignment in hypervisor. Take qemu for example, the device assignment should carry the IAVF device id (0x1889) like
+     ``-device vfio-pci,x-pci-device-id=0x1889,host=03:0a.0``.
+ 
++    Starting from DPDK 21.05, the default VF driver for Intel® 700 Series Ethernet Controller will be IAVF. No new feature
++    will be added into i40evf except bug fix until it's removed in DPDK 21.11. Between DPDK 21.05 and 21.11, by using the
++    ``devargs`` option ``driver=i40evf``, i40evf PMD still can be used on Intel® 700 Series Ethernet Controller, for example::
++
++    -a 81:02.0,driver=i40evf
++
+ The PCIE host-interface of Intel Ethernet Switch FM10000 Series VF infrastructure
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ 
+diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
+index c2770feeae..25caf4e52d 100644
+--- a/doc/guides/rel_notes/deprecation.rst
++++ b/doc/guides/rel_notes/deprecation.rst
+@@ -335,3 +335,11 @@ Deprecation Notices
+   ``make``. Given environments are too much variables for such a simple script,
+   it will be removed in DPDK 20.11.
+   Some useful parts may be converted into specific scripts.
++
++* i40e: As there are both i40evf and iavf pmd, the functions of them are
++  duplicated. And now more and more advanced features are developed on iavf.
++  To keep consistent with kernel driver's name
++  (https://patchwork.ozlabs.org/patch/970154/), i40evf is no need to maintain.
++  Starting from 21.05, the default VF driver of i40e will be iavf, but i40evf
++  can still be used if users specify the devarg "driver=i40evf". I40evf will
++  be deleted in DPDK 21.11.
+diff --git a/drivers/common/iavf/iavf_devids.h b/drivers/common/iavf/iavf_devids.h
+index 2e63aac289..1c3acb586d 100644
+--- a/drivers/common/iavf/iavf_devids.h
++++ b/drivers/common/iavf/iavf_devids.h
+@@ -13,5 +13,7 @@
+ #define IAVF_DEV_ID_VF_HV		0x1571
+ #define IAVF_DEV_ID_ADAPTIVE_VF		0x1889
+ #define IAVF_DEV_ID_X722_VF		0x37CD
++#define IAVF_DEV_ID_X722_A0_VF          0x374D
++
+ 
+ #endif /* _IAVF_DEVIDS_H_ */
+diff --git a/drivers/net/i40e/i40e_ethdev_vf.c b/drivers/net/i40e/i40e_ethdev_vf.c
+index 69cab8e739..3d61c092d8 100644
+--- a/drivers/net/i40e/i40e_ethdev_vf.c
++++ b/drivers/net/i40e/i40e_ethdev_vf.c
+@@ -1592,9 +1592,53 @@ i40evf_dev_uninit(struct rte_eth_dev *eth_dev)
+ 	return 0;
+ }
+ 
++static int
++i40evf_check_driver_handler(__rte_unused const char *key,
++			    const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++i40evf_driver_selected(struct rte_devargs *devargs)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       i40evf_check_driver_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_i40evf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 	struct rte_pci_device *pci_dev)
+ {
++	if (!i40evf_driver_selected(pci_dev->device.devargs))
++		return 1;
++
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+ 		sizeof(struct i40e_adapter), i40evf_dev_init);
+ }
+@@ -1617,6 +1661,7 @@ static struct rte_pci_driver rte_i40evf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_i40e_vf, rte_i40evf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_i40e_vf, pci_id_i40evf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_i40e_vf, "* igb_uio | vfio-pci");
++RTE_PMD_REGISTER_PARAM_STRING(net_i40e_vf, "driver=i40evf");
+ 
+ static int
+ i40evf_dev_configure(struct rte_eth_dev *dev)
+diff --git a/drivers/net/iavf/iavf_ethdev.c b/drivers/net/iavf/iavf_ethdev.c
+index c3aa4cd725..f22c3ccdb9 100644
+--- a/drivers/net/iavf/iavf_ethdev.c
++++ b/drivers/net/iavf/iavf_ethdev.c
+@@ -76,6 +76,10 @@ static int iavf_dev_filter_ctrl(struct rte_eth_dev *dev,
+ 
+ static const struct rte_pci_id pci_id_iavf_map[] = {
+ 	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_ADAPTIVE_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF_HV) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_A0_VF) },
+ 	{ .vendor_id = 0, /* sentinel */ },
+ };
+ 
+@@ -1516,10 +1520,59 @@ iavf_dcf_cap_selected(struct rte_devargs *devargs)
+ 	return ret;
+ }
+ 
++static int
++iavf_drv_i40evf_check_handler(__rte_unused const char *key,
++			      const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++iavf_drv_i40evf_selected(struct rte_devargs *devargs, uint16_t device_id)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (device_id != IAVF_DEV_ID_VF &&
++	    device_id != IAVF_DEV_ID_VF_HV &&
++	    device_id != IAVF_DEV_ID_X722_VF &&
++	    device_id != IAVF_DEV_ID_X722_A0_VF)
++		return 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       iavf_drv_i40evf_check_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_iavf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 			     struct rte_pci_device *pci_dev)
+ {
+-	if (iavf_dcf_cap_selected(pci_dev->device.devargs))
++	if (iavf_dcf_cap_selected(pci_dev->device.devargs) ||
++	    iavf_drv_i40evf_selected(pci_dev->device.devargs,
++				     pci_dev->id.device_id))
+ 		return 1;
+ 
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+@@ -1542,7 +1595,7 @@ static struct rte_pci_driver rte_iavf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_iavf, rte_iavf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_iavf, pci_id_iavf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_iavf, "* igb_uio | vfio-pci");
+-RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf");
++RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf driver=i40evf");
+ RTE_LOG_REGISTER(iavf_logtype_init, pmd.net.iavf.init, NOTICE);
+ RTE_LOG_REGISTER(iavf_logtype_driver, pmd.net.iavf.driver, NOTICE);
+ #ifdef RTE_LIBRTE_IAVF_DEBUG_RX
+-- 
+2.20.1
+

build/external/patches/dpdk_20.08/0003-backport-dpdk-usertools-support-python-3-only.patch

@@ -0,0 +1,212 @@
+From 858b4575513fe72dce95370944b0da237b755204 Mon Sep 17 00:00:00 2001
+From: Dave Wallace <dwallacelf@gmail.com>
+Date: Thu, 15 Oct 2020 15:22:22 -0400
+Subject: [PATCH] backport dpdk usertools support python 3 only
+
+Applicable usertools section of DPDK patch:
+http://git.dpdk.org/dpdk/commit/?id=3f6f83626cf4967a99382a6518a614a1bf3d2c20
+
+Required to avoid build failure of 'make install-ext-deps' on CentOS-8 due
+to brp-mangle-shebangs failing on un-versioned python shebang (e.g.
+'#! /usr/bin/env python'.
+
+Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
+---
+ usertools/cpu_layout.py                  | 15 ++-------------
+ usertools/dpdk-devbind.py                | 22 ++++------------------
+ usertools/dpdk-pmdinfo.py                |  7 +------
+ usertools/dpdk-telemetry-client.py       | 18 +++---------------
+ usertools/dpdk-telemetry.py              |  2 +-
+ 5 files changed, 11 insertions(+), 53 deletions(-)
+
+diff --git a/usertools/cpu_layout.py b/usertools/cpu_layout.py
+index 5423c7965..cc3963821 100755
+--- a/usertools/cpu_layout.py
++++ b/usertools/cpu_layout.py
+@@ -1,19 +1,8 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ # Copyright(c) 2017 Cavium, Inc. All rights reserved.
+
+-from __future__ import print_function
+-import sys
+-try:
+-    xrange # Python 2
+-except NameError:
+-    xrange = range # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ sockets = []
+ cores = []
+ core_map = {}
+@@ -21,7 +10,7 @@
+ fd = open("{}/kernel_max".format(base_path))
+ max_cpus = int(fd.read())
+ fd.close()
+-for cpu in xrange(max_cpus + 1):
++for cpu in range(max_cpus + 1):
+     try:
+         fd = open("{}/cpu{}/topology/core_id".format(base_path, cpu))
+     except IOError:
+diff --git a/usertools/dpdk-devbind.py b/usertools/dpdk-devbind.py
+index 094c2ffc8..8278a748d 100755
+--- a/usertools/dpdk-devbind.py
++++ b/usertools/dpdk-devbind.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ #
+
+-from __future__ import print_function
+ import sys
+ import os
+ import getopt
+@@ -12,10 +11,6 @@
+ from os.path import exists, abspath, dirname, basename
+ from os.path import join as path_join
+
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ # The PCI base class for all devices
+ network_class = {'Class': '02', 'Vendor': None, 'Device': None,
+                     'SVendor': None, 'SDevice': None}
+@@ -154,14 +149,6 @@ def usage():
+
+     """ % locals())  # replace items from local variables
+
+-
+-# This is roughly compatible with check_output function in subprocess module
+-# which is only available in python 2.7.
+-def check_output(args, stderr=None):
+-    '''Run a command and capture its output'''
+-    return subprocess.Popen(args, stdout=subprocess.PIPE,
+-                            stderr=stderr).communicate()[0]
+-
+ # check if a specific kernel module is loaded
+ def module_is_loaded(module):
+     global loaded_modules
+@@ -218,8 +205,7 @@ def get_pci_device_details(dev_id, probe_lspci):
+     device = {}
+
+     if probe_lspci:
+-        extra_info = check_output(["lspci", "-vmmks", dev_id]).splitlines()
+-
++        extra_info = subprocess.check_output(["lspci", "-vmmks", dev_id]).splitlines()
+         # parse lspci details
+         for line in extra_info:
+             if len(line) == 0:
+@@ -255,7 +241,7 @@ def get_device_details(devices_type):
+     # first loop through and read details for all devices
+     # request machine readable format, with numeric IDs and String
+     dev = {}
+-    dev_lines = check_output(["lspci", "-Dvmmnnk"]).splitlines()
++    dev_lines = subprocess.check_output(["lspci", "-Dvmmnnk"]).splitlines()
+     for dev_line in dev_lines:
+         if len(dev_line) == 0:
+             if device_type_match(dev, devices_type):
+@@ -283,7 +269,7 @@ def get_device_details(devices_type):
+         # check what is the interface if any for an ssh connection if
+         # any to this host, so we can mark it later.
+         ssh_if = []
+-        route = check_output(["ip", "-o", "route"])
++        route = subprocess.check_output(["ip", "-o", "route"])
+         # filter out all lines for 169.254 routes
+         route = "\n".join(filter(lambda ln: not ln.startswith("169.254"),
+                              route.decode().splitlines()))
+diff --git a/usertools/dpdk-pmdinfo.py b/usertools/dpdk-pmdinfo.py
+index f9ed75517..166198279 100755
+--- a/usertools/dpdk-pmdinfo.py
++++ b/usertools/dpdk-pmdinfo.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2016  Neil Horman <nhorman@tuxdriver.com>
+
+@@ -7,8 +7,6 @@
+ # Utility to dump PMD_INFO_STRING support from an object file
+ #
+ # -------------------------------------------------------------------------
+-from __future__ import print_function
+-from __future__ import unicode_literals
+ import json
+ import io
+ import os
+@@ -28,9 +26,6 @@
+ pcidb = None
+
+ # ===========================================
+-if sys.version_info.major < 3:
+-        print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-        print("Please use Python 3 instead", file=sys.stderr)
+
+ class Vendor:
+     """
+diff --git a/usertools/dpdk-telemetry-client.py b/usertools/dpdk-telemetry-client.py
+index 98d28fa89..d8e439027 100755
+--- a/usertools/dpdk-telemetry-client.py
++++ b/usertools/dpdk-telemetry-client.py
+@@ -1,10 +1,7 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2018 Intel Corporation
+
+-from __future__ import print_function
+-from __future__ import unicode_literals
+-
+ import socket
+ import os
+ import sys
+@@ -18,15 +15,6 @@
+ GLOBAL_METRICS_REQ = "{\"action\":0,\"command\":\"global_stat_values\",\"data\":null}"
+ DEFAULT_FP = "/var/run/dpdk/default_client"
+
+-try:
+-    raw_input  # Python 2
+-except NameError:
+-    raw_input = input  # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ class Socket:
+
+     def __init__(self):
+@@ -86,7 +74,7 @@ def requestMetrics(self): # Requests metrics for given client
+
+     def repeatedlyRequestMetrics(self, sleep_time): # Recursively requests metrics for given client
+         print("\nPlease enter the number of times you'd like to continuously request Metrics:")
+-        n_requests = int(raw_input("\n:"))
++        n_requests = int(input("\n:"))
+         print("\033[F") #Removes the user input from screen, cleans it up
+         print("\033[K")
+         for i in range(n_requests):
+@@ -107,7 +95,7 @@ def interactiveMenu(self, sleep_time): # Creates Interactive menu within the scr
+             print("[4] Unregister client")
+
+             try:
+-                self.choice = int(raw_input("\n:"))
++                self.choice = int(input("\n:"))
+                 print("\033[F") #Removes the user input for screen, cleans it up
+                 print("\033[K")
+                 if self.choice == 1:
+diff --git a/usertools/dpdk-telemetry.py b/usertools/dpdk-telemetry.py
+index 8e4039d57..181859658 100755
+--- a/usertools/dpdk-telemetry.py
++++ b/usertools/dpdk-telemetry.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/python3
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2020 Intel Corporation

build/external/rpm/vpp-ext-deps.spec

@@ -1,6 +1,10 @@
 %define _install_dir	/opt/vpp/external/%(uname -m)
 %define _make_args	-C ../.. BUILD_DIR=%{_topdir}/tmp INSTALL_DIR=%{buildroot}%{_install_dir}
 
+%{!?__python3: %global __python3 /usr/bin/python3}
+%global __python %{__python3}
+%global _pylib /usr/lib/python3.6/site-packages
+
 Name:		vpp-ext-deps
 Version:	%{_version}
 Release:	%{_release}

docs/Makefile

@@ -27,6 +27,8 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
+# Generate dynamic content
+	@python3 ./includes_renderer.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
 
 spell:

docs/about.rst

@@ -4,6 +4,6 @@
 About
 =====
 
-**VPP Version:** 20.01-rc0~785-g1063f2ae8
+**VPP Version:** 20.09-rc0~244-g9fefa8916
 
-**Built on:** Tue Dec 10 19:22:28 GMT 2019
+**Built on:** Tue Jul 28 14:58:41 GMT 2020

docs/gettingstarted/developers/VPPAPI.md

@@ -0,0 +1 @@
+../../../src/tools/vppapigen/VPPAPI.md

docs/gettingstarted/developers/add_plugin.rst

@@ -7,7 +7,7 @@ Adding a plugin
 
 Overview
 ________
- 
+
 This section shows how a VPP developer can create a new plugin, and
 add it to VPP. We assume that we are starting from the VPP <top-of-workspace>.
 
@@ -21,7 +21,7 @@ Create your new plugin
 Change directory to **./src/plugins**, and run the plugin generator:
 
 .. code-block:: console
-    
+
     $ cd ./src/plugins
     $ ../../extras/emacs/make-plugin.sh
     <snip>
@@ -36,7 +36,7 @@ Change directory to **./src/plugins**, and run the plugin generator:
     Plugin name: myplugin
     Dispatch type [dual or qs]: dual
     (Shell command succeeded with no output)
-    
+
     OK...
 
 The plugin generator script asks two questions: the name of the
@@ -65,9 +65,8 @@ Here are the generated files. We'll go through them in a moment.
 
     $ cd ./myplugin
     $ ls
-    CMakeLists.txt        myplugin.c           myplugin_periodic.c  setup.pg
-    myplugin_all_api_h.h  myplugin.h           myplugin_test.c
-    myplugin.api          myplugin_msg_enum.h  node.c
+    CMakeLists.txt  myplugin.api  myplugin.c  myplugin.h
+    myplugin_periodic.c  myplugin_test.c  node.c  setup.pg
 
 Due to recent build system improvements, you **don't** need to touch
 any other files to integrate your new plugin into the vpp build. Simply
@@ -92,7 +91,7 @@ As a quick sanity check, run vpp and make sure that
 "myplugin_plugin.so" and "myplugin_test_plugin.so" are loaded:
 
 .. code-block:: console
-    
+
     $ cd <top-of-workspace>
     $ make run
     <snip>
@@ -122,25 +121,21 @@ the copyright notice:
 
 The rest of the build recipe is pretty simple:
 
-.. code-block:: console
+.. code-block:: CMake
 
     add_vpp_plugin (myplugin
     SOURCES
-    myplugin.c 
-    node.c 
+    myplugin.c
+    node.c
     myplugin_periodic.c
     myplugin.h
-    
+
     MULTIARCH_SOURCES
-    node.c 
-    
+    node.c
+
     API_FILES
     myplugin.api
-    
-    INSTALL_HEADERS
-    myplugin_all_api_h.h
-    myplugin_msg_enum.h
-    
+
     API_TEST_SOURCES
     myplugin_test.c
     )
@@ -178,13 +173,13 @@ binary API message dispatcher, and to add its messages to vpp's global
 Vpp itself uses dlsym(...) to track down the vlib_plugin_registration_t
 generated by the VLIB_PLUGIN_REGISTER macro:
 
-.. code-block:: console
+.. code-block:: C
 
-    VLIB_PLUGIN_REGISTER () = 
+    VLIB_PLUGIN_REGISTER () =
       {
         .version = VPP_BUILD_VER,
         .description = "myplugin plugin description goes here",
-      };  
+      };
 
 Vpp only loads .so files from the plugin directory which contain an
 instance of this data structure.
@@ -193,7 +188,7 @@ You can enable or disable specific vpp plugins from the command
 line. By default, plugins are loaded. To change that behavior, set
 default_disabled in the macro VLIB_PLUGIN_REGISTER:
 
-.. code-block:: console
+.. code-block:: C
 
     VLIB_PLUGIN_REGISTER () =
       {
@@ -205,14 +200,14 @@ default_disabled in the macro VLIB_PLUGIN_REGISTER:
 The boilerplate generator places the graph node dispatch function
 onto the "device-input" feature arc. This may or may not be useful.
 
-.. code-block:: console
+.. code-block:: C
 
     VNET_FEATURE_INIT (myplugin, static) =
     {
       .arc_name = "device-input",
       .node_name = "myplugin",
       .runs_before = VNET_FEATURES ("ethernet-input"),
-    };  
+    };
 
 As given by the plugin generator, myplugin.c contains the binary API
 message handler for a generic "please enable my feature on such and
@@ -243,20 +238,53 @@ node.c
 This is the generated graph node dispatch function. You'll need to
 rewrite it to solve the problem at hand. It will save considerable
 time and aggravation to retain the **structure** of the node dispatch
-function. 
+function.
 
 Even for an expert, it's a waste of time to reinvent the *loop
 structure*, enqueue patterns, and so forth. Simply tear out and
 replace the specimen 1x, 2x, 4x packet processing code with code
 relevant to the problem you're trying to solve.
 
+myplugin.api
+------------
+
+This contains the API message definition. Here we only have defined
+a single one named ``myplugin_enable_disable`` and an implicit
+``myplugin_enable_disable_reply`` containing only a return value due
+to the ``autoreply`` keyword.
+
+The syntax reference for ``.api`` files can be found at VPP API Language
+
+Addressing the binary API with this message will run the handler defined
+in ``myplugin.c`` as ``vl_api_myplugin_enable_disable_t_handler``.
+It will receive a message pointer ``*mp`` which is the struct defined
+in ``myplugin.api`` and should return another message pointer ``*rmp``,
+of the reply type. That's what ``REPLY_MACRO`` does.
+
+To be noted, all API messages are in net-endian and vpp is host-endian,
+so you will need to use :
+
+* ``u32 value = ntohl(mp->value);``
+* ``rmp->value = htonl(value);``
+
+You can now use this API with :ref:`GoLang bindings <add_plugin_goapi>`
+
+myplugin_periodic.c
+-------------------
+
+This defines a VPP process, a routine that will run indefinitely and
+be woken up intermittently, here to process plugin events.
+
+To be noted, vlib_processes aren't thread-safe, and data structures
+should be locked when shared between workers.
+
 Plugin "Friends with Benefits"
 ------------------------------
 
 In vpp VLIB_INIT_FUNCTION functions, It's reasonably common to see a
 specific init function invoke other init functions:
 
-.. code-block:: console
+.. code-block:: C
 
     if ((error = vlib_call_init_function (vm, some_other_init_function))
        return error;
@@ -264,7 +292,7 @@ specific init function invoke other init functions:
 In the case where one plugin needs to call a init function in another
 plugin, use the vlib_call_plugin_init_function macro:
 
-.. code-block:: console
+.. code-block:: C
 
     if ((error = vlib_call_plugin_init_function (vm, "otherpluginname", some_init_function))
        return error;
@@ -274,7 +302,7 @@ This allows sequencing between plugin init functions.
 If you wish to obtain a pointer to a symbol in another plugin, use the
 vlib_plugin_get_symbol(...) API:
 
-.. code-block:: console
+.. code-block:: C
 
     void *p = vlib_get_plugin_symbol ("plugin_name", "symbol");
 

docs/gettingstarted/developers/add_plugin_goapi.rst

@@ -0,0 +1,83 @@
+.. _add_plugin_goapi:
+
+Add a plugin's GO API
+=====================
+
+In order to use your plugin's API with GO, you will need to use
+a GO client and GO definitions of the API messages that you defined
+in ``myplugin.api`` (go bindings).
+
+These two things can be found in `govpp <https://github.com/FDio/govpp>`_
+
+* The API client lives in `./core`
+* The api-generator lives in `./binapigen`
+* A sample of its output (the go bindings) for VPP's latest version lives in `./binapi`
+
+To generate the go bindings for your plugin. Assuming :
+* ``/home/vpp`` is a VPP clone with your plugin in it.
+* ``/home/controlplane`` is a go controlplane repo
+
+.. code-block:: console
+
+    $ mkdir /home/controlplane/vpp-go-bindings
+    $ git clone https://github.com/FDio/govpp>
+    $ cd govpp
+    $ BINAPI_DIR=/home/controlplane/vpp-go-bindings VPP_DIR=/home/vpp make gen-binapi-from-code
+
+This will generate the go-bindings in ``/home/controlplane/vpp-go-bindings``
+For example ``vpp-go-bindings/myplugin/myplugin.ba.go`` will contain :
+
+.. code-block:: go
+
+    // MypluginEnableDisable defines message 'myplugin_enable_disable'.
+    type MypluginEnableDisable struct {
+	    EnableDisable bool                           `binapi:"bool,name=enable_disable" json:"enable_disable,omitempty"`
+	    SwIfIndex     interface_types.InterfaceIndex `binapi:"interface_index,name=sw_if_index" json:"sw_if_index,omitempty"`
+    }
+
+
+You can then use the generated go bindings in your go code like this :
+
+.. code-block:: go
+
+    package main
+
+    import (
+	    "fmt"
+	    "git.fd.io/govpp.git"
+	    "git.fd.io/govpp.git/binapi/interfaces"
+	    "git.fd.io/govpp.git/binapi/vpe"
+
+	    "myplugin.io/controlplane/vpp-go-bindings/myplugin/myplugin"
+    )
+
+    func main() {
+	    // Connect to VPP
+	    conn, _ := govpp.Connect("/run/vpp/api.sock")
+	    defer conn.Disconnect()
+
+	    // Open channel
+	    ch, _ := conn.NewAPIChannel()
+	    defer ch.Close()
+
+	    request := &vpe.MypluginEnableDisable{
+		EnableDisable: true,
+	    }
+	    reply := &vpe.MypluginEnableDisableReply{}
+
+	    err := ch.SendRequest(request).ReceiveReply(reply)
+	    if err != nil {
+		    fmt.Errorf("SendRequest: %w\n", err)
+	    }
+    }
+
+As you will need to import (or ``go get "git.fd.io/govpp.git"``) to leverage the API
+client in your code, you might want to use the api-generator directly from the
+clone ``go build`` fetches for you. You can do this with :
+
+.. code-block:: console
+
+  $ export GOVPP_DIR=$(go list -f '{{.Dir}}' -m git.fd.io/govpp.git)
+  $ cd $GOVPP_DIR && go build -o /some/bin/dir ./cmd/binapi-generator
+  $ # instead of make gen-binapi-from-code you can rewrite the code to target
+  $ # your version ./binapi-generator

docs/gettingstarted/developers/cnat.rst

@@ -0,0 +1 @@
+../../../src/plugins/cnat/cnat.rst

docs/gettingstarted/developers/cross_compile_macos.rst

@@ -10,19 +10,19 @@ This is a first attempt to support Cross compilation of VPP on MacOS for develop
 
 * You'll need to install the following packages
 
-.. code-block:: bash
+.. code-block:: console
 
-  pip3 install ply
-  brew install diffutils gnu-sed pkg-config ninja crosstool-ng
+  $ pip3 install ply pyyaml jsonschema
+  $ brew install diffutils gnu-sed pkg-config ninja crosstool-ng
 
-* You'll also need to install ``gnu-ident 2.2.11`` to be able to ``make checkstyle``. You can get it from `GNU <https://www.gnu.org/prep/ftp.html>`_
+* You'll also need to install ``gnu-ident 2.2.11`` to be able to ``make checkstyle``. This can be done with :ref:`this doc<install_indent_2_2_11>`
 * You should link the binaries to make them available in your path with their original names e.g. :
 
-.. code-block:: bash
+.. code-block:: console
 
-  ln -s $(which gsed) /usr/local/bin/sed
-  ln -s $(which gindent) /usr/local/bin/indent
-  ln -s /usr/local/Cellar/diffutils/3.7/bin/diff /usr/local/bin/diff
+  $ ln -s $(which gsed) /usr/local/bin/sed
+  $ ln -s $(which gindent) /usr/local/bin/indent
+  $ ln -s /usr/local/Cellar/diffutils/3.7/bin/diff /usr/local/bin/diff
 
 
 **Setup**
@@ -35,17 +35,17 @@ For now we don't support e-build so dpdk, rdma, quicly won't be compiled as part
 
 To build with the toolchain do:
 
-.. code-block:: bash
+.. code-block:: console
 
-  $VPP_DIR/extras/scripts/cross_compile_macos.sh build
+  $ $VPP_DIR/extras/scripts/cross_compile_macos.sh build
 
 
 To get the compile_commands.json do
 
-.. code-block:: bash
+.. code-block:: console
 
-  $VPP_DIR/extras/scripts/cross_compile_macos.sh cc
-  # >> ./build-root/build-vpp[_debug]-native/vpp/compile_commands.json
+  $ $VPP_DIR/extras/scripts/cross_compile_macos.sh cc
+  $ >> ./build-root/build-vpp[_debug]-native/vpp/compile_commands.json
 
 
 
@@ -54,4 +54,19 @@ This should build vpp on MacOS
 
 Good luck :)
 
+.. _install_indent_2_2_11 :
 
+Installing indent 2.2.11
+------------------------
+
+In order to install indent on macos :
+
+.. code-block:: bash
+
+    $ wget http://mirror.sergal.org/gnu/indent/indent-2.2.11.tar.gz
+    $ tar -xzvf indent-2.2.11.tar.gz
+    $ cd indent-2.2.11
+    $ ./configure --disable-dependency-tracking --disable-debug --program-prefix=g --prefix=/usr/local/Cellar/gnu-indent/2.2.11
+
+Install will exit with an error code, but indent 2.2.11 will still be installed in ``/usr/local/bin/gindent``
+Other mirrors can be found on the `GNU website <https://www.gnu.org/prep/ftp.html>`_

docs/gettingstarted/developers/fib20/tunnels.rst

@@ -10,7 +10,7 @@ beforehand, so the recursive switch can be avoided if the packet can follow the
 already constructed data-plane graph for the tunnel's destination. This process
 of joining to DP graphs together is termed *stacking*.
   
-.. figure:: /_images/fib20fig2.png
+.. figure:: /_images/fib20fig11.png
 
 Figure 11: Tunnel control plane object diagram
 

docs/gettingstarted/developers/gitreview.rst

@@ -83,7 +83,22 @@ For example for a document with only patches you should add the tag **docs:**.
 .. code-block:: console
 
     $ git add <filename>
-    $ git commit -s -m "<*TAG*>: <*COMMIT_MESSAGE*>"
+    $ git commit -s
+
+The commit comment should have something like the following comment:
+
+.. code-block:: console
+
+   docs: A brief description of the commit
+
+   Type: Improvement (The type of commit this could be: Improvement, Fix or Feature)
+
+   A detailed description of the commit could go here.
+
+Push the patch for review.
+
+.. code-block:: console
+
     $ git review
 
 If you are creating a draft, meaning you do not want your changes reviewed yet, do the following:

docs/gettingstarted/developers/index.rst

@@ -22,6 +22,7 @@ The Developers section covers the following areas:
    running_vpp
    gdb_examples
    add_plugin
+   add_plugin_goapi
    gitreview
    softwarearchitecture
    infrastructure
@@ -41,3 +42,5 @@ The Developers section covers the following areas:
    punt
    quic_plugin
    cross_compile_macos.rst
+   cnat
+   VPPAPI.md

docs/gettingstarted/developers/vlib.md

@@ -540,6 +540,54 @@ certain cli command has the potential to hurt packet processing
 performance by running for too long, do the work incrementally in a
 process node. The client can wait.
 
+### Macro expansion
+
+The vpp debug CLI engine includes a recursive macro expander. This
+is quite useful for factoring out address and/or interface name
+specifics:
+
+```
+   define ip1 192.168.1.1/24
+   define ip2 192.168.2.1/24
+   define iface1 GigabitEthernet3/0/0
+   define iface2 loop1
+
+   set int ip address $iface1 $ip1
+   set int ip address $iface2 $(ip2)
+
+   undefine ip1
+   undefine ip2
+   undefine iface1
+   undefine iface2
+```
+
+Each socket (or telnet) debug CLI session has its own macro
+tables. All debug CLI sessions which use CLI_INBAND binary API
+messages share a single table.
+
+The macro expander recognizes circular defintions:
+
+```
+    define foo \$(bar)
+    define bar \$(mumble)
+    define mumble \$(foo)
+```
+
+At 8 levels of recursion, the macro expander throws up its hands and
+replies "CIRCULAR."
+
+### Macro-related debug CLI commands
+
+In addition to the "define" and "undefine" debug CLI commands, use
+"show macro [noevaluate]" to dump the macro table. The "echo" debug
+CLI command will evaluate and print its argument:
+
+```
+    vpp# define foo This\ Is\ Foo
+    vpp# echo $foo
+    This Is Foo
+```
+
 Handing off buffers between threads
 -----------------------------------
 
@@ -645,3 +693,199 @@ enqueue node by freeing dropped packets, or by pushing them to
 "error-drop." Either of those actions would be a severe error.
 
 * It's perfectly OK to enqueue packets to the current thread.
+
+Handoff Demo Plugin
+-------------------
+
+Check out the sample (plugin) example in
+.../src/examples/handoffdemo. If you want to build the handoff demo plugin:
+
+```
+$ cd .../src/plugins
+$ ln -s ../examples/handoffdemo
+```
+
+This plugin provides a simple example of how to hand off packets
+between threads. We used it to debug packet-tracer handoff tracing
+support.
+
+# Packet generator input script
+
+```
+ packet-generator new {
+    name x
+    limit 5
+    size 128-128
+    interface local0
+    node handoffdemo-1
+    data {
+        incrementing 30
+    }
+ }
+```
+# Start vpp with 2 worker threads
+
+The demo plugin hands packets from worker 1 to worker 2.
+
+# Enable tracing, and start the packet generator
+
+```
+  trace add pg-input 100
+  packet-generator enable
+```
+
+# Sample Run
+
+```
+  DBGvpp# ex /tmp/pg_input_script
+  DBGvpp# pa en
+  DBGvpp# sh err
+   Count                    Node                  Reason
+         5              handoffdemo-1             packets handed off processed
+         5              handoffdemo-2             completed packets
+  DBGvpp# show run
+  Thread 1 vpp_wk_0 (lcore 0)
+  Time 133.9, average vectors/node 5.00, last 128 main loops 0.00 per node 0.00
+    vector rates in 3.7331e-2, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
+               Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
+  handoffdemo-1                    active                  1               5               0          4.76e3            5.00
+  pg-input                        disabled                 2               5               0          5.58e4            2.50
+  unix-epoll-input                 polling             22760               0               0          2.14e7            0.00
+  ---------------
+  Thread 2 vpp_wk_1 (lcore 2)
+  Time 133.9, average vectors/node 5.00, last 128 main loops 0.00 per node 0.00
+    vector rates in 0.0000e0, out 0.0000e0, drop 3.7331e-2, punt 0.0000e0
+               Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
+  drop                             active                  1               5               0          1.35e4            5.00
+  error-drop                       active                  1               5               0          2.52e4            5.00
+  handoffdemo-2                    active                  1               5               0          2.56e4            5.00
+  unix-epoll-input                 polling             22406               0               0          2.18e7            0.00
+```
+
+Enable the packet tracer and run it again...
+
+```
+  DBGvpp# trace add pg-input 100
+  DBGvpp# pa en
+  DBGvpp# sh trace
+  sh trace
+  ------------------- Start of thread 0 vpp_main -------------------
+  No packets in trace buffer
+  ------------------- Start of thread 1 vpp_wk_0 -------------------
+  Packet 1
+
+  00:06:50:520688: pg-input
+    stream x, 128 bytes, 0 sw_if_index
+    current data 0, length 128, buffer-pool 0, ref-count 1, trace handle 0x1000000
+    00000000: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d0000
+    00000020: 0000000000000000000000000000000000000000000000000000000000000000
+    00000040: 0000000000000000000000000000000000000000000000000000000000000000
+    00000060: 0000000000000000000000000000000000000000000000000000000000000000
+  00:06:50:520762: handoffdemo-1
+    HANDOFFDEMO: current thread 1
+
+  Packet 2
+
+  00:06:50:520688: pg-input
+    stream x, 128 bytes, 0 sw_if_index
+    current data 0, length 128, buffer-pool 0, ref-count 1, trace handle 0x1000001
+    00000000: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d0000
+    00000020: 0000000000000000000000000000000000000000000000000000000000000000
+    00000040: 0000000000000000000000000000000000000000000000000000000000000000
+    00000060: 0000000000000000000000000000000000000000000000000000000000000000
+  00:06:50:520762: handoffdemo-1
+    HANDOFFDEMO: current thread 1
+
+  Packet 3
+
+  00:06:50:520688: pg-input
+    stream x, 128 bytes, 0 sw_if_index
+    current data 0, length 128, buffer-pool 0, ref-count 1, trace handle 0x1000002
+    00000000: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d0000
+    00000020: 0000000000000000000000000000000000000000000000000000000000000000
+    00000040: 0000000000000000000000000000000000000000000000000000000000000000
+    00000060: 0000000000000000000000000000000000000000000000000000000000000000
+  00:06:50:520762: handoffdemo-1
+    HANDOFFDEMO: current thread 1
+
+  Packet 4
+
+  00:06:50:520688: pg-input
+    stream x, 128 bytes, 0 sw_if_index
+    current data 0, length 128, buffer-pool 0, ref-count 1, trace handle 0x1000003
+    00000000: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d0000
+    00000020: 0000000000000000000000000000000000000000000000000000000000000000
+    00000040: 0000000000000000000000000000000000000000000000000000000000000000
+    00000060: 0000000000000000000000000000000000000000000000000000000000000000
+  00:06:50:520762: handoffdemo-1
+    HANDOFFDEMO: current thread 1
+
+  Packet 5
+
+  00:06:50:520688: pg-input
+    stream x, 128 bytes, 0 sw_if_index
+    current data 0, length 128, buffer-pool 0, ref-count 1, trace handle 0x1000004
+    00000000: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d0000
+    00000020: 0000000000000000000000000000000000000000000000000000000000000000
+    00000040: 0000000000000000000000000000000000000000000000000000000000000000
+    00000060: 0000000000000000000000000000000000000000000000000000000000000000
+  00:06:50:520762: handoffdemo-1
+    HANDOFFDEMO: current thread 1
+
+  ------------------- Start of thread 2 vpp_wk_1 -------------------
+  Packet 1
+
+  00:06:50:520796: handoff_trace
+    HANDED-OFF: from thread 1 trace index 0
+  00:06:50:520796: handoffdemo-2
+    HANDOFFDEMO: current thread 2
+  00:06:50:520867: error-drop
+    rx:local0
+  00:06:50:520914: drop
+    handoffdemo-2: completed packets
+
+  Packet 2
+
+  00:06:50:520796: handoff_trace
+    HANDED-OFF: from thread 1 trace index 1
+  00:06:50:520796: handoffdemo-2
+    HANDOFFDEMO: current thread 2
+  00:06:50:520867: error-drop
+    rx:local0
+  00:06:50:520914: drop
+    handoffdemo-2: completed packets
+
+  Packet 3
+
+  00:06:50:520796: handoff_trace
+    HANDED-OFF: from thread 1 trace index 2
+  00:06:50:520796: handoffdemo-2
+    HANDOFFDEMO: current thread 2
+  00:06:50:520867: error-drop
+    rx:local0
+  00:06:50:520914: drop
+    handoffdemo-2: completed packets
+
+  Packet 4
+
+  00:06:50:520796: handoff_trace
+    HANDED-OFF: from thread 1 trace index 3
+  00:06:50:520796: handoffdemo-2
+    HANDOFFDEMO: current thread 2
+  00:06:50:520867: error-drop
+    rx:local0
+  00:06:50:520914: drop
+    handoffdemo-2: completed packets
+
+  Packet 5
+
+  00:06:50:520796: handoff_trace
+    HANDED-OFF: from thread 1 trace index 4
+  00:06:50:520796: handoffdemo-2
+    HANDOFFDEMO: current thread 2
+  00:06:50:520867: error-drop
+    rx:local0
+  00:06:50:520914: drop
+    handoffdemo-2: completed packets
+ DBGvpp#
+```

docs/gettingstarted/index.rst

@@ -11,7 +11,7 @@ code that provides tools that are used in a development environment.
 
 This section covers the following:
 
-* Describes how to manually install VPP Binaries on different OS platforms (Ubuntu, Centos, openSUSE) and then how to configure and use VPP.
+* Describes how to manually install VPP Binaries on different OS platforms (Ubuntu, Centos) and then how to configure and use VPP.
 * Describes the different types of VPP packages, which are used in both basic and developer installs.
 * A VPP tutorial which is a great way to learn VPP basics.