misc: 19.08.1 Release Notes

NB: due to a API-breaking fix
(https://gerrit.fd.io/r/#/c/vpp/+/21762/)
for a critical issue that was necessary, we are deferring
the artifacts for 19.08

Change-Id: If4f73dd7bc2964cb0a765ee6006b944f075a423b
Type: docs
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/1908

MAINTAINERS

@@ -300,6 +300,11 @@ Y:	src/plugins/flowprobe/FEATURE.yaml
 M:	Ole Troan <otroan@employees.org>
 F:	src/plugins/flowprobe/
 
+Plugin - http_static
+I:	http_static
+M:	Dave Barach <dbarach@cisco.com>
+F:	src/plugins/http_static/
+
 Plugin - Group Based Policy (GBP)
 I:	gbp
 M:	Neale Ranns <nranns@cisco.com>
@@ -389,6 +394,11 @@ I:	nsim
 M:	Dave Barach <dave@barachs.net>
 F:	src/plugins/nsim/
 
+Plugin - Simple DNS name resolver
+I:	dns
+M:	Dave Barach <dave@barachs.net>
+F:	src/plugins/dns/
+
 Test Infrastructure
 I:	tests
 M:	Klement Sekera <ksekera@cisco.com>
@@ -435,6 +445,11 @@ I:	vppapigen
 M:	Ole Troan <otroan@employees.org>
 F:	src/tools/vppapigen/
 
+API trace tool
+I:	vppapitrace
+M:	Ole Troan <otroan@employees.org>
+F:	src/tools/vppapitrace/
+
 Binary API Compiler for C and C++
 I:	vapi
 M:	Ole Troan <ot@cisco.com>

Makefile

@@ -101,7 +101,7 @@ else
 	RPM_DEPENDS += yum-utils
 	RPM_DEPENDS += openssl-devel
 	RPM_DEPENDS += python-devel python36-ply
-	RPM_DEPENDS += python36-devel python36-pip
+	RPM_DEPENDS += python3-devel python3-pip
 	RPM_DEPENDS += python-virtualenv python36-jsonschema
 	RPM_DEPENDS += devtoolset-7
 	RPM_DEPENDS += cmake3

docs/featuresbyrelease/index.rst

@@ -9,6 +9,7 @@ This section provides information about the features that are provided for each
 .. toctree::
    :maxdepth: 1
 
+   vpp1908
    vpp1904
    vpp1901
    vpp18.10

docs/featuresbyrelease/vpp1908.md

@@ -0,0 +1,140 @@
+## Features for Release VPP 19.08
+
+### Infrastructure
+- API
+  - API language: new types and limits support
+  - Python API - add support for defaults
+  - Export ip_types.api for out-of-tree plugins use
+  - Refactor ipip.api with explicit types
+- DPDK
+  - 19.05 integration
+  - Remove bonding code
+  - Rework extended stats
+- Debugging & Servicability
+  - debug CLI leak-checker
+  - vlib: add "memory-trace stats-segment"
+  - vppapitrace JSON/API trace converter
+  - ARP: add arp-disabled node
+  - igmp: Trace more data from input packets
+  - ip: Trace the packet from the punt node
+  - Python API debug introspection improvements
+  - Pin dependencies for make test infra
+  - FEATURE.yaml meta-data infrastructure
+  - tcp: add cc stats plotting tools
+  - Packet tracer support for thread handoffs
+- libmemif: support for multi-thread connection establishment
+- svm
+  - fifo ooo reads/writes with multiple chunks
+  - support addition/removal of chunks to fifos
+- vppinfra
+  - Mapped pcap file support
+  - More AVX2 and AVX512 inlines
+  - VLIB_INIT_FUNCTION sequencing rework
+  - refactor spinlocks and rwlocks
+  - add rbtree
+  - add doubly linked list
+- rdma: bump rdma-core to v25.0
+- stats
+  - Add the number of worker threads and per worker thread vector rates
+  - Support multiple workers for error counters
+
+### VNET & Plugins
+- New Plugins
+  - HTTP static page server with TLS support
+  - L3 cross connect
+- acl: implement stat-segment counters
+- arp: add feature arcs: arp-reply, arp-input, arp-proxy
+- avf: improved logging and added 2.5/5 Gbps speeds
+- bonding: NUMA-related improvements
+- crypto: add support for AES-CTR cipher
+- fib
+  - FIB Entry tracking
+  - Support the POP of a Pseudo Wire Control Word
+- gbp
+  - Anonymous l3-out subnets support
+  - ARP unicast forward in gbp bridge domain
+  - An Endpoint can change sclass
+  - Consider data-plane learnt source better than control-plane
+  - VRF scoped contracts
+- gso (experimental)
+  - Add support to pg interfaces
+  - Add support to vhost user
+  - Add support to native virtio
+  - Add support for tagged interfaces
+- punt: allow to specify packets by IP protocol Type
+- ip6-local: hop-by-hop protocol demux table
+- ipsec
+  - intel-ipsec-mb version 0.52
+  - AH encrypt rework
+  - handle UDP keepalives
+  - support GCM in ESP
+- virtio
+  - Refactor control queue support
+- dhcp-client: DSCP marking for transmitted packets
+- Idle resource usage improvements
+  - Allocate bihash virtual space on demand
+  - gre: don't register gre input nodes unless a gre tunnel is created
+  - gtpu: don't register udp ports unless a tunnel is created
+  - lacp: create lacp-process on demand
+  - lisp-cp: start lisp retry service on demand
+  - start the cdp period and dns resolver process on demand
+  - vat: unload unused vat plugins
+- nat: api cleanup & update
+- nsim: make available as an output feature
+- load-balance performance improvements
+- l2: Add support for arp unicast forwarding
+- mactime
+  - Mini-ACLs
+  - Per-MAC allow-with-quota feature
+- qos
+  - QoS dump APIs
+  - Store function
+- rdma: add support for promiscuous mode (l2-switching and xconnect)
+- sr: update the Segment Routing definition to be compliant with current in IETF
+- udp-ping: disable due to conflict with mldv2
+- vxlan-gpe: improve encap performance
+- vom
+  - QoS support
+  - Bridge domain arp unicast forwarding flag
+  - Bridge domain unknown unicast flooding flag
+
+### Host stack
+- session
+  - API to support manual svm fifo resizing
+  - Improved session output scheduler and close state machine
+  - Transport and session cleanup notifications for builtin apps
+  - Session migration notifications for builtin apps
+  - Support for no session layer lookup transports (quic and tls)
+  - Ability to retrieve local/remote endpoint in transport vft
+  - Cleanup segment manager and fifo segment
+  - Fix vpp to app msg generation on enqueue fail
+  - Improve event logging
+  - Moved test applications to hsa plugin
+- tcp
+  - Congestion control algorithm enhancements
+  - Delivery rate estimator
+  - ACK/retransmission refactor and pacing
+  - Add tcp-input sibling nodes without full 6-tuple lookup
+  - More RFC4898 connection statistics
+  - Allow custom output next node
+  - Allow custom congestion control algorithms
+- quic
+  - Multi-thread support
+  - Logs readability improvements
+  - Multistream support
+- tls
+  - Fix close with data and listen failures
+  - Handle TCP transport rests
+  - Support endpoint retrieval interface
+- vcl
+  - support quic streams and "connectable listeners"
+  - worker unregister api
+  - fix epoll with large events batch
+  - ldp: add option to eanble transparent TLS connections
+- udp:
+  - support close with data
+  - fixed session migration
+- sctp
+  - add option to enable/disable default to disable
+  - moved from vnet to plugins
+

extras/http/setup.http

@@ -0,0 +1,6 @@
+set term pag off
+create tap host-if-name lstack host-ip4-addr 192.168.10.2/24
+set int ip address tap0 192.168.10.1/24
+set int state tap0 up
+
+http static server www-root /scratch/fdio-site-fork/public uri tls://0.0.0.0/1234 cache-size 10m fifo-size 2048

extras/http/startup.cfg

@@ -0,0 +1,7 @@
+unix {
+     interactive
+}
+
+tls {
+    use-test-cert-in-ca
+}

extras/oddbuf/setup.oddbuf

@@ -0,0 +1,276 @@
+set term pag off
+loop create
+set int state loop0 up
+oddbuf enable loop0
+
+packet-generator new {
+    name oddbuf
+    limit 1
+    size 300-300
+    interface loop0
+    node ethernet-input
+    data { IP4: 1.2.3 -> 4.5.6
+           UDP: 11.22.33.44 -> 11.22.34.44
+           UDP: 1234 -> 2345
+           incrementing 286
+    }
+}
+pcap dispatch trace on max 10000 buffer-trace pg-input 1000
+
+oddbuf configure n_to_copy 2 offset 1 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 1 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 2 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 3 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 4 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 5 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 6 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 7 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 0 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 1 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 2 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 3 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 4 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 5 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 6 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 7 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 0 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 1 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 2 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 3 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 4 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 5 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 6 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 7 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 0 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 1 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 2 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 3 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 4 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 5 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 6 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 7 first_offset 5
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 1 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 1 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 2 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 3 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 4 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 5 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 6 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 2 offset 7 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 0 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 1 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 2 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 3 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 4 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 5 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 6 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 3 offset 7 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 0 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 1 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 2 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 3 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 4 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 5 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 6 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 4 offset 7 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 0 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 1 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 2 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 3 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 4 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 5 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 6 first_offset 0
+pa en oddbuf
+suspend
+
+oddbuf configure n_to_copy 5 offset 7 first_offset 0
+pa en oddbuf
+suspend
+
+pcap dispatch trace off

extras/pcapcli/setup.pcapcli

@@ -0,0 +1,34 @@
+set term pag off
+loop create
+loop create
+set int ip address loop0 192.168.1.1/24
+set int state loop0 up
+
+set int ip address loop1 192.168.2.1/24
+set int state loop1 up
+
+packet-generator new {
+    name pg0
+    limit 1
+    size 300-300
+    interface loop0
+    node ethernet-input
+    data { IP4: 1.2.3 -> 4.5.6
+           UDP: 192.168.1.10 -> 192.168.2.10
+           UDP: 1234 -> 2345
+           incrementing 286
+    }
+}
+
+packet-generator new {
+    name pg1
+    limit 1
+    size 300-300
+    interface loop1
+    node ethernet-input
+    data { IP4: 1.2.3 -> 4.5.6
+           UDP: 192.168.2.10 -> 192.168.1.10
+           UDP: 1234 -> 2345
+           incrementing 286
+    }
+}

extras/rpm/vpp.spec

@@ -10,6 +10,17 @@
 %endif
 %define _vpp_install_dir install-%{_vpp_tag}-native
 
+# Failsafe backport of Python2-macros for RHEL <= 6
+%{!?python_sitelib: %global python_sitelib      %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python_sitearch:    %global python_sitearch     %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+%{!?python_version: %global python_version      %(%{__python} -c "import sys; sys.stdout.write(sys.version[:3])")}
+%{!?__python2:      %global __python2       %{__python}}
+%{!?python2_sitelib:    %global python2_sitelib     %{python_sitelib}}
+%{!?python2_sitearch:   %global python2_sitearch    %{python_sitearch}}
+%{!?python2_version:    %global python2_version     %{python_version}}
+
+%{!?python2_minor_version: %define python2_minor_version %(%{__python} -c "import sys ; print sys.version[2:3]")}
+
 %{?systemd_requires}
 
 
@@ -39,12 +50,13 @@ BuildRequires: systemd, chrpath
 BuildRequires: check, check-devel
 BuildRequires: mbedtls-devel mbedtls
 %if 0%{?fedora}
-Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python3
+Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils
 Requires: compat-openssl10
 Requires: boost-filesystem mbedtls libffi-devel
 BuildRequires: subunit, subunit-devel
 BuildRequires: compat-openssl10-devel
-BuildRequires: python3-devel, python3-virtualenv
+BuildRequires: python, python-devel, python-virtualenv, python-ply
+BuildRequires: python3, python36-devel, python3-virtualenv
 BuildRequires: cmake
 %else
 %if 0%{rhel} == 7
@@ -128,6 +140,15 @@ Requires: python-setuptools
 %description api-python
 This package contains the python bindings for the vpp api
 
+%package api-python3
+Summary: VPP api python3 bindings
+Group: Development/Libraries
+Requires: vpp = %{_version}-%{_release}, vpp-lib = %{_version}-%{_release}, libffi-devel
+Requires: python-setuptools
+
+%description api-python3
+This package contains the python3 bindings for the vpp api
+
 %package selinux-policy
 Summary: VPP Security-Enhanced Linux (SELinux) policy
 Group: System Environment/Base
@@ -154,6 +175,7 @@ groupadd -f -r vpp
     make bootstrap AESNI=n
     make -C build-root PLATFORM=vpp AESNI=n TAG=%{_vpp_tag} install-packages
 %endif
+cd %{_mu_build_dir}/../src/vpp-api/python && %py2_build
 cd %{_mu_build_dir}/../src/vpp-api/python && %py3_build
 cd %{_mu_build_dir}/../extras/selinux && make -f %{_datadir}/selinux/devel/Makefile
 
@@ -210,6 +232,7 @@ do
 done
 
 # Python bindings
+cd %{_mu_build_dir}/../src/vpp-api/python && %py2_install
 cd %{_mu_build_dir}/../src/vpp-api/python && %py3_install
 
 # SELinux Policy
@@ -366,6 +389,10 @@ fi
 
 %files api-python
 %defattr(644,root,root,755)
+%{python2_sitelib}/vpp_*
+
+%files api-python3
+%defattr(644,root,root,755)
 %{python3_sitelib}/vpp_*
 
 %files selinux-policy

src/plugins/acl/acl.c

@@ -391,17 +391,50 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
       /* filled in once only */
       am->combined_acl_counters[i].stat_segment_name = (void *)
 	format (0, "/acl/%d/matches%c", i, 0);
-      clib_warning ("add stats segment: %s",
-		    am->combined_acl_counters[i].stat_segment_name);
-      i32 rule_count = vec_len (am->acls[acl_index].rules);
+      i32 rule_count = vec_len (am->acls[i].rules);
       /* Validate one extra so we always have at least one counter for an ACL */
       vlib_validate_combined_counter (&am->combined_acl_counters[i],
 				      rule_count);
-      vlib_zero_combined_counter (&am->combined_acl_counters[i], rule_count);
+      vlib_clear_combined_counters (&am->combined_acl_counters[i]);
     }
+
+  /* (re)validate for the actual ACL that is getting added/updated */
+  i32 rule_count = vec_len (am->acls[acl_index].rules);
+  /* Validate one extra so we always have at least one counter for an ACL */
+  vlib_validate_combined_counter (&am->combined_acl_counters[acl_index],
+				  rule_count);
+  vlib_clear_combined_counters (&am->combined_acl_counters[acl_index]);
   acl_plugin_counter_unlock (am);
 }
 
+static int
+acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
+{
+  ip4_address_t ip4_addr;
+  ip4_address_t ip4_mask;
+  ip4_address_t ip4_masked_addr;
+
+  memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
+  ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
+  ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
+  return (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
+}
+
+static int
+acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
+{
+  ip6_address_t ip6_addr;
+  ip6_address_t ip6_mask;
+  ip6_address_t ip6_masked_addr;
+
+  memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
+  ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
+  ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
+  ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
+  return (ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0]
+	  || ip6_masked_addr.as_u64[1] != ip6_addr.as_u64[1]);
+}
+
 static int
 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 	      u32 * acl_list_index, u8 * tag)
@@ -416,6 +449,43 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
     clib_warning ("API dbg: acl_add_list index %d tag %s", *acl_list_index,
 		  tag);
 
+  /* check if what they request is consistent */
+  for (i = 0; i < count; i++)
+    {
+      if (rules[i].is_ipv6)
+	{
+	  if (rules[i].src_ip_prefix_len > 128)
+	    return VNET_API_ERROR_INVALID_VALUE;
+	  if (rules[i].dst_ip_prefix_len > 128)
+	    return VNET_API_ERROR_INVALID_VALUE;
+	  if (acl_api_ip6_invalid_prefix
+	      (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
+	    return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+	  if (acl_api_ip6_invalid_prefix
+	      (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
+	    return VNET_API_ERROR_INVALID_DST_ADDRESS;
+	}
+      else
+	{
+	  if (rules[i].src_ip_prefix_len > 32)
+	    return VNET_API_ERROR_INVALID_VALUE;
+	  if (rules[i].dst_ip_prefix_len > 32)
+	    return VNET_API_ERROR_INVALID_VALUE;
+	  if (acl_api_ip4_invalid_prefix
+	      (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
+	    return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+	  if (acl_api_ip4_invalid_prefix
+	      (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
+	    return VNET_API_ERROR_INVALID_DST_ADDRESS;
+	}
+      if (ntohs (rules[i].srcport_or_icmptype_first) >
+	  ntohs (rules[i].srcport_or_icmptype_last))
+	return VNET_API_ERROR_INVALID_VALUE_2;
+      if (ntohs (rules[i].dstport_or_icmpcode_first) >
+	  ntohs (rules[i].dstport_or_icmpcode_last))
+	return VNET_API_ERROR_INVALID_VALUE_2;
+    }
+
   if (*acl_list_index != ~0)
     {
       /* They supplied some number, let's see if this ACL exists */
@@ -1945,7 +2015,7 @@ static void
   vl_api_acl_stats_intf_counters_enable_reply_t *rmp;
   int rv;
 
-  rv = acl_stats_intf_counters_enable_disable (am, ntohl (mp->enable));
+  rv = acl_stats_intf_counters_enable_disable (am, mp->enable);
 
   REPLY_MACRO (VL_API_ACL_DEL_REPLY);
 }

src/plugins/acl/acl_test.c

@@ -68,7 +68,8 @@ _(acl_interface_add_del_reply) \
 _(macip_acl_interface_add_del_reply) \
 _(acl_interface_set_acl_list_reply) \
 _(acl_interface_set_etype_whitelist_reply) \
-_(macip_acl_del_reply)
+_(macip_acl_del_reply) \
+_(acl_stats_intf_counters_enable_reply)
 
 #define foreach_reply_retval_aclindex_handler  \
 _(acl_add_replace_reply) \
@@ -310,7 +311,8 @@ _(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply)  \
 _(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply)  \
 _(ACL_PLUGIN_CONTROL_PING_REPLY, acl_plugin_control_ping_reply) \
 _(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply) \
-_(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY,acl_plugin_get_conn_table_max_entries_reply)
+_(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY,acl_plugin_get_conn_table_max_entries_reply) \
+_(ACL_STATS_INTF_COUNTERS_ENABLE_REPLY, acl_stats_intf_counters_enable_reply)
 
 static int api_acl_plugin_get_version (vat_main_t * vam)
 {
@@ -574,6 +576,36 @@ static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
     return ret;
 }
 
+static int api_acl_stats_intf_counters_enable (vat_main_t * vam)
+{
+    acl_test_main_t * sm = &acl_test_main;
+    unformat_input_t * i = vam->input;
+    vl_api_acl_stats_intf_counters_enable_t * mp;
+    u32 msg_size = sizeof(*mp);
+    int ret;
+
+    vam->result_ready = 0;
+    mp = vl_msg_api_alloc_as_if_client(msg_size);
+    memset (mp, 0, msg_size);
+    mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base);
+    mp->client_index = vam->my_client_index;
+    mp->enable = 1;
+
+    while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+        if (unformat (i, "disable"))
+            mp->enable = 0;
+        else
+            break;
+    }
+
+    /* send it... */
+    S(mp);
+
+    /* Wait for a reply... */
+    W (ret);
+    return ret;
+}
+
 
 /*
  * Read the series of ACL entries from file in the following format:
@@ -1485,7 +1517,8 @@ _(macip_acl_del, "<acl-idx>")\
 _(macip_acl_dump, "[<acl-idx>]") \
 _(macip_acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>") \
 _(macip_acl_interface_get, "") \
-_(acl_plugin_get_conn_table_max_entries, "")
+_(acl_plugin_get_conn_table_max_entries, "") \
+_(acl_stats_intf_counters_enable, "[disable]")
 
 
 static

src/plugins/acl/test/test_acl_plugin_l2l3.py

@@ -103,9 +103,11 @@ class TestACLpluginL2L3(VppTestCase):
         half = cls.remote_hosts_count // 2
         cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
         cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
+        reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=1)
 
     @classmethod
     def tearDownClass(cls):
+        reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=0)
         super(TestACLpluginL2L3, cls).tearDownClass()
 
     def tearDown(self):
@@ -471,6 +473,7 @@ class TestACLpluginL2L3(VppTestCase):
                                              acls=[acl_idx['L2']])
         self.applied_acl_shuffle(self.pg0.sw_if_index)
         self.applied_acl_shuffle(self.pg2.sw_if_index)
+        return {'L2': acl_idx['L2'], 'L3': acl_idx['L3']}
 
     def apply_acl_ip46_both_directions_reflect(self,
                                                primary_is_bridged_to_routed,
@@ -531,13 +534,21 @@ class TestACLpluginL2L3(VppTestCase):
 
     def apply_acl_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
                                          is_reflect, add_eh):
-        self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
-                                   is_reflect, add_eh)
+        return self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
+                                          is_reflect, add_eh)
 
     def apply_acl_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
                                          is_reflect, add_eh):
-        self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
-                                   is_reflect, add_eh)
+        return self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
+                                          is_reflect, add_eh)
+
+    def verify_acl_packet_count(self, acl_idx, packet_count):
+        matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
+        self.logger.info("stat seg for ACL %d: %s" % (acl_idx, repr(matches)))
+        total_count = 0
+        for p in matches[0]:
+            total_count = total_count + p['packets']
+        self.assertEqual(total_count, packet_count)
 
     def run_traffic_ip46_x_to_y(self, bridged_to_routed,
                                 test_l2_deny, is_ip6,
@@ -560,34 +571,41 @@ class TestACLpluginL2L3(VppTestCase):
         packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
         rcvd1 = rx_if.get_capture(packet_count)
         self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
+        return len(stream)
 
     def run_traffic_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
                                            is_reflect, is_established, add_eh,
                                            stateful_icmp=False):
-        self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
-                                     is_reflect, is_established, add_eh,
-                                     stateful_icmp)
+        return self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
+                                            is_reflect, is_established, add_eh,
+                                            stateful_icmp)
 
     def run_traffic_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
                                            is_reflect, is_established, add_eh,
                                            stateful_icmp=False):
-        self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
-                                     is_reflect, is_established, add_eh,
-                                     stateful_icmp)
+        return self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
+                                            is_reflect, is_established, add_eh,
+                                            stateful_icmp)
 
     def run_test_ip46_routed_to_bridged(self, test_l2_deny,
                                         is_ip6, is_reflect, add_eh):
-        self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
-                                              is_ip6, is_reflect, add_eh)
-        self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
-                                                is_reflect, False, add_eh)
+        acls = self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
+                                                     is_ip6, is_reflect,
+                                                     add_eh)
+        pkts = self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
+                                                       is_reflect, False,
+                                                       add_eh)
+        self.verify_acl_packet_count(acls['L3'], pkts)
 
     def run_test_ip46_bridged_to_routed(self, test_l2_deny,
                                         is_ip6, is_reflect, add_eh):
-        self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
-                                              is_ip6, is_reflect, add_eh)
-        self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
-                                                is_reflect, False, add_eh)
+        acls = self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
+                                                     is_ip6, is_reflect,
+                                                     add_eh)
+        pkts = self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
+                                                       is_reflect, False,
+                                                       add_eh)
+        self.verify_acl_packet_count(acls['L2'], pkts)
 
     def run_test_ip46_routed_to_bridged_and_back(self, test_l2_action,
                                                  is_ip6, add_eh,

src/plugins/avf/device.c

@@ -693,7 +693,8 @@ avf_op_config_irq_map (vlib_main_t * vm, avf_device_t * ad)
 
   imi->vecmap[0].vector_id = 1;
   imi->vecmap[0].vsi_id = ad->vsi_id;
-  imi->vecmap[0].rxq_map = 1;
+  imi->vecmap[0].rxq_map = (1 << ad->n_rx_queues) - 1;
+  imi->vecmap[0].txq_map = (1 << ad->n_tx_queues) - 1;
 
   avf_log_debug (ad, "config_irq_map: vsi_id %u vector_id %u rxq_map %u",
 		 ad->vsi_id, imi->vecmap[0].vector_id,

src/plugins/crypto_ia32/CMakeLists.txt

@@ -29,6 +29,6 @@ foreach(VARIANT ${VARIANTS})
   set(l crypto_ia32_${v})
   add_library(${l} OBJECT aes_cbc.c aes_gcm.c)
   set_target_properties(${l} PROPERTIES POSITION_INDEPENDENT_CODE ON)
-  target_compile_options(${l} PUBLIC ${f} -Wall -fno-common)
+  target_compile_options(${l} PUBLIC ${f} -Wall -fno-common -maes)
   target_sources(crypto_ia32_plugin PRIVATE $<TARGET_OBJECTS:${l}>)
 endforeach()

src/plugins/crypto_ipsecmb/CMakeLists.txt

@@ -33,7 +33,7 @@ if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB)
 		${IPSECMB_LINK_FLAGS}
 		)
 
-	target_compile_options(crypto_ipsecmb_plugin PRIVATE "-march=silvermont")
+	target_compile_options(crypto_ipsecmb_plugin PRIVATE "-march=silvermont" "-maes")
 	message(STATUS "Intel IPSecMB found: ${IPSECMB_INCLUDE_DIR}")
 else()
 	message(STATUS "Intel IPSecMB not found")

src/plugins/dns/CMakeLists.txt

@@ -0,0 +1,33 @@
+
+# Copyright (c) <current-year> <your-organization>
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_vpp_plugin(dns
+  SOURCES
+  dns.c
+  dns.h
+  request_node.c
+  reply_node.c
+  resolver_process.c
+
+  API_FILES
+  dns.api
+
+  INSTALL_HEADERS
+  dns_all_api_h.h
+  dns_msg_enum.h
+  dns_packet.h
+
+  API_TEST_SOURCES
+  dns_test.c
+)

src/plugins/dns/dns.api

@@ -12,7 +12,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
- 
+
 option version = "1.0.0";
 
 /** \brief enable/disable name resolution
@@ -21,7 +21,7 @@ option version = "1.0.0";
     @param context - sender context, to match reply w/ request
     @param is_enable - 1 = enable, 0 = disable
 */
-autoreply define dns_enable_disable {
+autoreply manual_print define dns_enable_disable {
     u32 client_index;
     u32 context;
     u8 enable;
@@ -35,7 +35,7 @@ autoreply define dns_enable_disable {
     @param is_add - add = 1, delete = 0
     @param server_address - server ip address
 */
-autoreply define dns_name_server_add_del {
+autoreply manual_print define dns_name_server_add_del {
     u32 client_index;
     u32 context;
     u8 is_ip6;
@@ -49,7 +49,7 @@ autoreply define dns_name_server_add_del {
     @param context - sender context, to match reply w/ request
     @param name - the name to resolve
 */
-define dns_resolve_name {
+manual_print define dns_resolve_name {
     u32 client_index;
     u32 context;
     u8 name[256];
@@ -81,7 +81,7 @@ define dns_resolve_name_reply {
     @param is_ip6 - set if the reverse-DNS request is an ip6 address
     @param address - the address to map to a name
 */
-define dns_resolve_ip {
+manual_print define dns_resolve_ip {
     u32 client_index;
     u32 context;
     u8 is_ip6;
@@ -100,4 +100,3 @@ define dns_resolve_ip_reply {
     i32 retval;
     u8 name[256];
 };
-

src/plugins/dns/dns.h

@@ -21,9 +21,10 @@
 #include <vppinfra/error.h>
 
 #include <vppinfra/hash.h>
-#include <vnet/dns/dns_packet.h>
+#include <dns/dns_packet.h>
 #include <vnet/ip/ip.h>
 #include <vppinfra/lock.h>
+#include <vlibapi/api_common.h>
 
 typedef struct
 {
@@ -98,6 +99,7 @@ typedef struct
   /** Find cached record by name */
   uword *cache_entry_by_name;
   clib_spinlock_t cache_lock;
+  int cache_lock_tag;
 
   /** enable / disable flag */
   int is_enabled;
@@ -117,9 +119,13 @@ typedef struct
   u32 max_ttl_in_seconds;
   u32 random_seed;
 
+  /** message-ID base */
+  u16 msg_id_base;
+
   /* convenience */
   vlib_main_t *vlib_main;
   vnet_main_t *vnet_main;
+  api_main_t *api_main;
 } dns_main_t;
 
 extern dns_main_t dns_main;
@@ -127,7 +133,6 @@ extern dns_main_t dns_main;
 extern vlib_node_registration_t dns46_reply_node;
 extern vlib_node_registration_t dns4_request_node;
 extern vlib_node_registration_t dns6_request_node;
-extern vlib_node_registration_t dns_resolver_node;
 
 #define foreach_dns46_request_error                                     \
 _(NONE, "No error")							\
@@ -151,7 +156,9 @@ _(DISABLED, "DNS pkts punted (feature disabled)")       \
 _(PROCESSED, "DNS reply pkts processed")                \
 _(NO_ELT, "No DNS pool element")                        \
 _(FORMAT_ERROR, "DNS format errors")                    \
-_(TEST_DROP, "DNS reply pkt dropped for test purposes")
+_(TEST_DROP, "DNS reply pkt dropped for test purposes") \
+_(MULTIPLE_REPLY, "DNS multiple reply packets")	        \
+_(NO_UNRESOLVED_ENTRY, "No unresolved entry for pkt")
 
 typedef enum
 {
@@ -192,11 +199,14 @@ void vnet_dns_create_resolver_process (dns_main_t * dm);
 format_function_t format_dns_reply;
 
 static inline void
-dns_cache_lock (dns_main_t * dm)
+dns_cache_lock (dns_main_t * dm, int tag)
 {
   if (dm->cache_lock)
     {
+      ASSERT (tag);
+      ASSERT (dm->cache_lock_tag == 0);
       clib_spinlock_lock (&dm->cache_lock);
+      dm->cache_lock_tag = tag;
     }
 }
 
@@ -205,6 +215,8 @@ dns_cache_unlock (dns_main_t * dm)
 {
   if (dm->cache_lock)
     {
+      ASSERT (dm->cache_lock_tag);
+      dm->cache_lock_tag = 0;
       clib_spinlock_unlock (&dm->cache_lock);
     }
 }

src/plugins/dns/dns_all_api_h.h

@@ -0,0 +1,19 @@
+
+/*
+ * dns_all_api_h.h - skeleton vpp engine plug-in api #include file
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Include the generated file, see BUILT_SOURCES in Makefile.am */
+#include <dns/dns.api.h>

src/plugins/dns/dns_msg_enum.h

@@ -0,0 +1,31 @@
+
+/*
+ * dns_msg_enum.h - skeleton vpp engine plug-in message enumeration
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef included_dns_msg_enum_h
+#define included_dns_msg_enum_h
+
+#include <vppinfra/byte_order.h>
+
+#define vl_msg_id(n,h) n,
+typedef enum {
+#include <dns/dns_all_api_h.h>
+    /* We'll want to know how many messages IDs we need... */
+    VL_MSG_FIRST_AVAILABLE,
+} vl_msg_id_t;
+#undef vl_msg_id
+
+#endif /* included_dns_msg_enum_h */