ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>

.gitignore

@@ -81,6 +81,7 @@ GTAGS
 /build-root/.doxygen-bootstrap.ok
 /build-root/.doxygen-siphon.dep
 /docs/_build
+/docs/dynamic_includes
 /sphinx_venv
 !/docs/Makefile
 

Makefile

@@ -72,7 +72,7 @@ DEB_DEPENDS += python3-venv  # ensurepip
 DEB_DEPENDS += python3-dev   # needed for python3 -m pip install psutil
 # python3.6 on 16.04 requires python36-dev
 
-LIBFFI=libffi6 # works on all but 20.04
+LIBFFI=libffi6 # works on all but 20.04 and debian-testing
 
 ifeq ($(OS_VERSION_ID),18.04)
 	DEB_DEPENDS += python-dev python-all python-pip python-virtualenv
@@ -92,6 +92,8 @@ else ifeq ($(OS_ID)-$(OS_VERSION_ID),debian-10)
 	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
 else
 	DEB_DEPENDS += libssl-dev
+	DEB_DEPENDS += libelf-dev # for libbpf (af_xdp)
+	LIBFFI=libffi7
 endif
 
 DEB_DEPENDS += $(LIBFFI)
@@ -120,7 +122,7 @@ ifeq ($(OS_ID),fedora)
 	RPM_DEPENDS_GROUPS = 'C Development Tools and Libraries'
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
 	RPM_DEPENDS += yum-utils
-	RPM_DEPENDS += compat-openssl10
+	RPM_DEPENDS += compat-openssl10 openssl-devel
 	RPM_DEPENDS += python2-devel python36-devel python3-ply
 	RPM_DEPENDS += python3-virtualenv python3-jsonschema
 	RPM_DEPENDS += cmake
@@ -283,8 +285,9 @@ ifeq ($(OS_ID),rhel)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
 	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 else ifeq ($(OS_ID)-$(OS_VERSION_ID),centos-8)
-	@sudo -E dnf install $(CONFIRM) epel-release
-	@sudo -E dnf config-manager --set-enabled PowerTools
+	@sudo -E dnf install $(CONFIRM) dnf-plugins-core epel-release
+	@sudo -E dnf config-manager --set-enabled \
+          $(shell dnf repolist all 2>/dev/null|grep -i powertools|cut -d' ' -f1)
 	@sudo -E dnf groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)
 else ifeq ($(OS_ID),centos)

build/external/packages.mk

@@ -79,7 +79,7 @@ $(B)/.$1.patch.ok: $(B)/.$1.extract.ok
 ifneq ($$(wildcard $$($1_patch_dir)/*.patch),)
 	@for f in $$($1_patch_dir)/*.patch ; do \
 		echo "Applying patch: $$$$(basename $$$$f)" ; \
-		patch -p1 -d $$($1_src_dir) < $$$$f ; \
+		patch -p1 -d $$($1_src_dir) --no-backup-if-mismatch < $$$$f ; \
 	done
 endif
 	@touch $$@

build/external/packages/libbpf.mk

@@ -27,8 +27,10 @@ else
   LIBBPF_CFLAGS+= -O2
 endif
 
-IF_XDP:=$(shell echo "\#include <linux/if_xdp.h>" | $(CC) -E -xc - > /dev/null 2>&1)
-IF_XDP:=$(.SHELLSTATUS)
+# check for libelf, zlib and kernel if_xdp.h presence
+LIBBPF_DEPS_CHECK:="\#include <linux/if_xdp.h>\\n\#include <gelf.h>\\n\#include <zlib.h>\\nint main(void){return 0;}"
+LIBBPF_DEPS_CHECK:=$(shell echo -e $(LIBBPF_DEPS_CHECK) | $(CC) -xc -lelf -lz -o /dev/null - > /dev/null 2>&1)
+LIBBPF_DEPS_CHECK:=$(.SHELLSTATUS)
 
 define  libbpf_config_cmds
 	@true
@@ -46,8 +48,8 @@ define  libbpf_install_cmds
 	$(call libbpf_build_cmds__,install,$(libbpf_install_log))
 endef
 
-ifneq ($(IF_XDP),0)
-  $(warning "linux/if_xdp.h was not found on this system. libbpf will be skipped.")
+ifneq ($(LIBBPF_DEPS_CHECK),0)
+  $(warning "Missing libbpf dependencies. libbpf will be skipped.")
 libbpf-install:
 	@true
 else

build/external/patches/README

@@ -24,7 +24,7 @@ for release tag “v2.2.0” and will create a branch named “two_dot_two”.
 
 5. Create the patch files with format-patch. This creates all the patch files
 for your branch (two_dot_two), with your latest commits as the last ones.
- # git format-patch master..two_dot_two
+ # git format-patch main..two_dot_two
 
 6. Copy, add and commit the new patches into the patches directory.
 

build/external/patches/dpdk_20.08/0001-net-iavf-deprecate-i40evf-pmd.patch

@@ -0,0 +1,232 @@
+From bd048f56bc4b85fed31f34db676f1ad67c86bd16 Mon Sep 17 00:00:00 2001
+From: Robin Zhang <robinx.zhang@intel.com>
+Date: Mon, 19 Apr 2021 03:05:39 +0000
+Subject: [PATCH] net/iavf: deprecate i40evf pmd
+
+The i40evf PMD will be deprecated, iavf will be the only VF driver for
+Intel 700 serial (i40e) NIC family. To reach this, there will be 2 steps:
+
+Step 1: iavf will be the default VF driver, while i40evf still can be
+selected by devarg: "driver=i40evf".
+This is covered by this patch, which include:
+1) add all 700 serial NIC VF device ID into iavf PMD
+2) skip probe if devargs contain "driver=i40evf" in iavf
+3) continue probe if devargs contain "driver=i40evf" in i40evf
+
+Step 2: i40evf and related devarg are removed, this will happen at DPDK
+21.11
+
+Between step 1 and step 2, no new feature will be added into i40evf except
+bug fix.
+
+Signed-off-by: Robin Zhang <robinx.zhang@intel.com>
+Acked-by: Qi Zhang <qi.z.zhang@intel.com>
+Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
+Acked-by: Beilei Xing <beilei.xing@intel.com>
+---
+ doc/guides/nics/intel_vf.rst         |  6 +++
+ doc/guides/rel_notes/deprecation.rst |  8 ++++
+ drivers/common/iavf/iavf_devids.h    |  2 +
+ drivers/net/i40e/i40e_ethdev_vf.c    | 45 ++++++++++++++++++++++
+ drivers/net/iavf/iavf_ethdev.c       | 57 +++++++++++++++++++++++++++-
+ 5 files changed, 116 insertions(+), 2 deletions(-)
+
+diff --git a/doc/guides/nics/intel_vf.rst b/doc/guides/nics/intel_vf.rst
+index ade5152595..b95200698d 100644
+--- a/doc/guides/nics/intel_vf.rst
++++ b/doc/guides/nics/intel_vf.rst
+@@ -88,6 +88,12 @@ For more detail on SR-IOV, please refer to the following documents:
+     assignment in hypervisor. Take qemu for example, the device assignment should carry the IAVF device id (0x1889) like
+     ``-device vfio-pci,x-pci-device-id=0x1889,host=03:0a.0``.
+ 
++    Starting from DPDK 21.05, the default VF driver for Intel® 700 Series Ethernet Controller will be IAVF. No new feature
++    will be added into i40evf except bug fix until it's removed in DPDK 21.11. Between DPDK 21.05 and 21.11, by using the
++    ``devargs`` option ``driver=i40evf``, i40evf PMD still can be used on Intel® 700 Series Ethernet Controller, for example::
++
++    -a 81:02.0,driver=i40evf
++
+ The PCIE host-interface of Intel Ethernet Switch FM10000 Series VF infrastructure
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ 
+diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
+index c2770feeae..25caf4e52d 100644
+--- a/doc/guides/rel_notes/deprecation.rst
++++ b/doc/guides/rel_notes/deprecation.rst
+@@ -335,3 +335,11 @@ Deprecation Notices
+   ``make``. Given environments are too much variables for such a simple script,
+   it will be removed in DPDK 20.11.
+   Some useful parts may be converted into specific scripts.
++
++* i40e: As there are both i40evf and iavf pmd, the functions of them are
++  duplicated. And now more and more advanced features are developed on iavf.
++  To keep consistent with kernel driver's name
++  (https://patchwork.ozlabs.org/patch/970154/), i40evf is no need to maintain.
++  Starting from 21.05, the default VF driver of i40e will be iavf, but i40evf
++  can still be used if users specify the devarg "driver=i40evf". I40evf will
++  be deleted in DPDK 21.11.
+diff --git a/drivers/common/iavf/iavf_devids.h b/drivers/common/iavf/iavf_devids.h
+index 2e63aac289..1c3acb586d 100644
+--- a/drivers/common/iavf/iavf_devids.h
++++ b/drivers/common/iavf/iavf_devids.h
+@@ -13,5 +13,7 @@
+ #define IAVF_DEV_ID_VF_HV		0x1571
+ #define IAVF_DEV_ID_ADAPTIVE_VF		0x1889
+ #define IAVF_DEV_ID_X722_VF		0x37CD
++#define IAVF_DEV_ID_X722_A0_VF          0x374D
++
+ 
+ #endif /* _IAVF_DEVIDS_H_ */
+diff --git a/drivers/net/i40e/i40e_ethdev_vf.c b/drivers/net/i40e/i40e_ethdev_vf.c
+index 69cab8e739..3d61c092d8 100644
+--- a/drivers/net/i40e/i40e_ethdev_vf.c
++++ b/drivers/net/i40e/i40e_ethdev_vf.c
+@@ -1592,9 +1592,53 @@ i40evf_dev_uninit(struct rte_eth_dev *eth_dev)
+ 	return 0;
+ }
+ 
++static int
++i40evf_check_driver_handler(__rte_unused const char *key,
++			    const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++i40evf_driver_selected(struct rte_devargs *devargs)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       i40evf_check_driver_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_i40evf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 	struct rte_pci_device *pci_dev)
+ {
++	if (!i40evf_driver_selected(pci_dev->device.devargs))
++		return 1;
++
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+ 		sizeof(struct i40e_adapter), i40evf_dev_init);
+ }
+@@ -1617,6 +1661,7 @@ static struct rte_pci_driver rte_i40evf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_i40e_vf, rte_i40evf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_i40e_vf, pci_id_i40evf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_i40e_vf, "* igb_uio | vfio-pci");
++RTE_PMD_REGISTER_PARAM_STRING(net_i40e_vf, "driver=i40evf");
+ 
+ static int
+ i40evf_dev_configure(struct rte_eth_dev *dev)
+diff --git a/drivers/net/iavf/iavf_ethdev.c b/drivers/net/iavf/iavf_ethdev.c
+index c3aa4cd725..f22c3ccdb9 100644
+--- a/drivers/net/iavf/iavf_ethdev.c
++++ b/drivers/net/iavf/iavf_ethdev.c
+@@ -76,6 +76,10 @@ static int iavf_dev_filter_ctrl(struct rte_eth_dev *dev,
+ 
+ static const struct rte_pci_id pci_id_iavf_map[] = {
+ 	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_ADAPTIVE_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_VF_HV) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_VF) },
++	{ RTE_PCI_DEVICE(IAVF_INTEL_VENDOR_ID, IAVF_DEV_ID_X722_A0_VF) },
+ 	{ .vendor_id = 0, /* sentinel */ },
+ };
+ 
+@@ -1516,10 +1520,59 @@ iavf_dcf_cap_selected(struct rte_devargs *devargs)
+ 	return ret;
+ }
+ 
++static int
++iavf_drv_i40evf_check_handler(__rte_unused const char *key,
++			      const char *value, __rte_unused void *opaque)
++{
++	if (strcmp(value, "i40evf"))
++		return -1;
++
++	return 0;
++}
++
++static int
++iavf_drv_i40evf_selected(struct rte_devargs *devargs, uint16_t device_id)
++{
++	struct rte_kvargs *kvlist;
++	const char *key = "driver";
++	int ret = 0;
++
++	if (device_id != IAVF_DEV_ID_VF &&
++	    device_id != IAVF_DEV_ID_VF_HV &&
++	    device_id != IAVF_DEV_ID_X722_VF &&
++	    device_id != IAVF_DEV_ID_X722_A0_VF)
++		return 0;
++
++	if (devargs == NULL)
++		return 0;
++
++	kvlist = rte_kvargs_parse(devargs->args, NULL);
++	if (kvlist == NULL)
++		return 0;
++
++	if (!rte_kvargs_count(kvlist, key))
++		goto exit;
++
++	/* i40evf driver selected when there's a key-value pair:
++	 * driver=i40evf
++	 */
++	if (rte_kvargs_process(kvlist, key,
++			       iavf_drv_i40evf_check_handler, NULL) < 0)
++		goto exit;
++
++	ret = 1;
++
++exit:
++	rte_kvargs_free(kvlist);
++	return ret;
++}
++
+ static int eth_iavf_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
+ 			     struct rte_pci_device *pci_dev)
+ {
+-	if (iavf_dcf_cap_selected(pci_dev->device.devargs))
++	if (iavf_dcf_cap_selected(pci_dev->device.devargs) ||
++	    iavf_drv_i40evf_selected(pci_dev->device.devargs,
++				     pci_dev->id.device_id))
+ 		return 1;
+ 
+ 	return rte_eth_dev_pci_generic_probe(pci_dev,
+@@ -1542,7 +1595,7 @@ static struct rte_pci_driver rte_iavf_pmd = {
+ RTE_PMD_REGISTER_PCI(net_iavf, rte_iavf_pmd);
+ RTE_PMD_REGISTER_PCI_TABLE(net_iavf, pci_id_iavf_map);
+ RTE_PMD_REGISTER_KMOD_DEP(net_iavf, "* igb_uio | vfio-pci");
+-RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf");
++RTE_PMD_REGISTER_PARAM_STRING(net_iavf, "cap=dcf driver=i40evf");
+ RTE_LOG_REGISTER(iavf_logtype_init, pmd.net.iavf.init, NOTICE);
+ RTE_LOG_REGISTER(iavf_logtype_driver, pmd.net.iavf.driver, NOTICE);
+ #ifdef RTE_LIBRTE_IAVF_DEBUG_RX
+-- 
+2.20.1
+

build/external/patches/dpdk_20.08/0003-backport-dpdk-usertools-support-python-3-only.patch

@@ -0,0 +1,212 @@
+From 858b4575513fe72dce95370944b0da237b755204 Mon Sep 17 00:00:00 2001
+From: Dave Wallace <dwallacelf@gmail.com>
+Date: Thu, 15 Oct 2020 15:22:22 -0400
+Subject: [PATCH] backport dpdk usertools support python 3 only
+
+Applicable usertools section of DPDK patch:
+http://git.dpdk.org/dpdk/commit/?id=3f6f83626cf4967a99382a6518a614a1bf3d2c20
+
+Required to avoid build failure of 'make install-ext-deps' on CentOS-8 due
+to brp-mangle-shebangs failing on un-versioned python shebang (e.g.
+'#! /usr/bin/env python'.
+
+Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
+---
+ usertools/cpu_layout.py                  | 15 ++-------------
+ usertools/dpdk-devbind.py                | 22 ++++------------------
+ usertools/dpdk-pmdinfo.py                |  7 +------
+ usertools/dpdk-telemetry-client.py       | 18 +++---------------
+ usertools/dpdk-telemetry.py              |  2 +-
+ 5 files changed, 11 insertions(+), 53 deletions(-)
+
+diff --git a/usertools/cpu_layout.py b/usertools/cpu_layout.py
+index 5423c7965..cc3963821 100755
+--- a/usertools/cpu_layout.py
++++ b/usertools/cpu_layout.py
+@@ -1,19 +1,8 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ # Copyright(c) 2017 Cavium, Inc. All rights reserved.
+
+-from __future__ import print_function
+-import sys
+-try:
+-    xrange # Python 2
+-except NameError:
+-    xrange = range # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ sockets = []
+ cores = []
+ core_map = {}
+@@ -21,7 +10,7 @@
+ fd = open("{}/kernel_max".format(base_path))
+ max_cpus = int(fd.read())
+ fd.close()
+-for cpu in xrange(max_cpus + 1):
++for cpu in range(max_cpus + 1):
+     try:
+         fd = open("{}/cpu{}/topology/core_id".format(base_path, cpu))
+     except IOError:
+diff --git a/usertools/dpdk-devbind.py b/usertools/dpdk-devbind.py
+index 094c2ffc8..8278a748d 100755
+--- a/usertools/dpdk-devbind.py
++++ b/usertools/dpdk-devbind.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2010-2014 Intel Corporation
+ #
+
+-from __future__ import print_function
+ import sys
+ import os
+ import getopt
+@@ -12,10 +11,6 @@
+ from os.path import exists, abspath, dirname, basename
+ from os.path import join as path_join
+
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ # The PCI base class for all devices
+ network_class = {'Class': '02', 'Vendor': None, 'Device': None,
+                     'SVendor': None, 'SDevice': None}
+@@ -154,14 +149,6 @@ def usage():
+
+     """ % locals())  # replace items from local variables
+
+-
+-# This is roughly compatible with check_output function in subprocess module
+-# which is only available in python 2.7.
+-def check_output(args, stderr=None):
+-    '''Run a command and capture its output'''
+-    return subprocess.Popen(args, stdout=subprocess.PIPE,
+-                            stderr=stderr).communicate()[0]
+-
+ # check if a specific kernel module is loaded
+ def module_is_loaded(module):
+     global loaded_modules
+@@ -218,8 +205,7 @@ def get_pci_device_details(dev_id, probe_lspci):
+     device = {}
+
+     if probe_lspci:
+-        extra_info = check_output(["lspci", "-vmmks", dev_id]).splitlines()
+-
++        extra_info = subprocess.check_output(["lspci", "-vmmks", dev_id]).splitlines()
+         # parse lspci details
+         for line in extra_info:
+             if len(line) == 0:
+@@ -255,7 +241,7 @@ def get_device_details(devices_type):
+     # first loop through and read details for all devices
+     # request machine readable format, with numeric IDs and String
+     dev = {}
+-    dev_lines = check_output(["lspci", "-Dvmmnnk"]).splitlines()
++    dev_lines = subprocess.check_output(["lspci", "-Dvmmnnk"]).splitlines()
+     for dev_line in dev_lines:
+         if len(dev_line) == 0:
+             if device_type_match(dev, devices_type):
+@@ -283,7 +269,7 @@ def get_device_details(devices_type):
+         # check what is the interface if any for an ssh connection if
+         # any to this host, so we can mark it later.
+         ssh_if = []
+-        route = check_output(["ip", "-o", "route"])
++        route = subprocess.check_output(["ip", "-o", "route"])
+         # filter out all lines for 169.254 routes
+         route = "\n".join(filter(lambda ln: not ln.startswith("169.254"),
+                              route.decode().splitlines()))
+diff --git a/usertools/dpdk-pmdinfo.py b/usertools/dpdk-pmdinfo.py
+index f9ed75517..166198279 100755
+--- a/usertools/dpdk-pmdinfo.py
++++ b/usertools/dpdk-pmdinfo.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2016  Neil Horman <nhorman@tuxdriver.com>
+
+@@ -7,8 +7,6 @@
+ # Utility to dump PMD_INFO_STRING support from an object file
+ #
+ # -------------------------------------------------------------------------
+-from __future__ import print_function
+-from __future__ import unicode_literals
+ import json
+ import io
+ import os
+@@ -28,9 +26,6 @@
+ pcidb = None
+
+ # ===========================================
+-if sys.version_info.major < 3:
+-        print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-        print("Please use Python 3 instead", file=sys.stderr)
+
+ class Vendor:
+     """
+diff --git a/usertools/dpdk-telemetry-client.py b/usertools/dpdk-telemetry-client.py
+index 98d28fa89..d8e439027 100755
+--- a/usertools/dpdk-telemetry-client.py
++++ b/usertools/dpdk-telemetry-client.py
+@@ -1,10 +1,7 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2018 Intel Corporation
+
+-from __future__ import print_function
+-from __future__ import unicode_literals
+-
+ import socket
+ import os
+ import sys
+@@ -18,15 +15,6 @@
+ GLOBAL_METRICS_REQ = "{\"action\":0,\"command\":\"global_stat_values\",\"data\":null}"
+ DEFAULT_FP = "/var/run/dpdk/default_client"
+
+-try:
+-    raw_input  # Python 2
+-except NameError:
+-    raw_input = input  # Python 3
+-
+-if sys.version_info.major < 3:
+-    print("WARNING: Python 2 is deprecated for use in DPDK, and will not work in future releases.", file=sys.stderr)
+-    print("Please use Python 3 instead", file=sys.stderr)
+-
+ class Socket:
+
+     def __init__(self):
+@@ -86,7 +74,7 @@ def requestMetrics(self): # Requests metrics for given client
+
+     def repeatedlyRequestMetrics(self, sleep_time): # Recursively requests metrics for given client
+         print("\nPlease enter the number of times you'd like to continuously request Metrics:")
+-        n_requests = int(raw_input("\n:"))
++        n_requests = int(input("\n:"))
+         print("\033[F") #Removes the user input from screen, cleans it up
+         print("\033[K")
+         for i in range(n_requests):
+@@ -107,7 +95,7 @@ def interactiveMenu(self, sleep_time): # Creates Interactive menu within the scr
+             print("[4] Unregister client")
+
+             try:
+-                self.choice = int(raw_input("\n:"))
++                self.choice = int(input("\n:"))
+                 print("\033[F") #Removes the user input for screen, cleans it up
+                 print("\033[K")
+                 if self.choice == 1:
+diff --git a/usertools/dpdk-telemetry.py b/usertools/dpdk-telemetry.py
+index 8e4039d57..181859658 100755
+--- a/usertools/dpdk-telemetry.py
++++ b/usertools/dpdk-telemetry.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/python3
++#! /usr/bin/env python3
+ # SPDX-License-Identifier: BSD-3-Clause
+ # Copyright(c) 2020 Intel Corporation

build/external/rpm/vpp-ext-deps.spec

@@ -1,6 +1,10 @@
 %define _install_dir	/opt/vpp/external/%(uname -m)
 %define _make_args	-C ../.. BUILD_DIR=%{_topdir}/tmp INSTALL_DIR=%{buildroot}%{_install_dir}
 
+%{!?__python3: %global __python3 /usr/bin/python3}
+%global __python %{__python3}
+%global _pylib /usr/lib/python3.6/site-packages
+
 Name:		vpp-ext-deps
 Version:	%{_version}
 Release:	%{_release}

docs/Makefile

@@ -27,6 +27,8 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
+# Generate dynamic content
+	@python3 ./includes_renderer.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
 
 spell:

docs/gettingstarted/installing/packages.rst

@@ -35,19 +35,7 @@ vpp-plugins
 
 Vector Packet Processing plugin modules.
 
-* acl
-* dpdk
-* flowprobe
-* gtpu
-* ixge
-* kubeproxy
-* l2e
-* lb
-* memif
-* nat
-* pppoe
-* sixrd
-* stn
+.. include:: ../../dynamic_includes/plugin_list.inc
 
 vpp-dbg
 -------

docs/gettingstarted/installing/ubuntu.rst

@@ -1,11 +1,11 @@
 .. _ubuntu:
 
 .. toctree::
- 
-Ubuntu 18.04 - Setup the FD.io Repository
-==========================================
 
-Choose one of the following releases to install. 
+Ubuntu - Setup the FD.io Repository
+===================================
+
+Choose one of the following releases to install.
 
 Update the OS
 -----------------------
@@ -85,4 +85,4 @@ Uninstall the  packages by running the following command:
 
 .. code-block:: console
 
-  sudo apt-get remove --purge vpp*
+  sudo apt-get remove --purge "vpp*"

docs/includes_renderer.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#  Copyright (c) 2020. Vinci Consulting Corp. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import glob
+import inspect
+import os.path
+import re
+
+
+class ContentRenderer:
+    name = ""
+    curr_path = os.path.abspath(inspect.getsourcefile(lambda: 0))
+    vpp_root = curr_path.rsplit("/", 2)[0]
+    output_dir = f"{vpp_root}/docs/dynamic_includes/"
+
+    def render(self):
+        raise NotImplementedError
+
+
+class PluginRenderer(ContentRenderer):
+    name = "plugin_list.inc"
+
+    plugin_dir = f"{ContentRenderer.vpp_root}/src/plugins"
+
+    pattern = r'VLIB_PLUGIN_REGISTER\s?\(\)\s*=\s*{.*\.description\s?=\s?"([^"]*)".*};'  # noqa: 501
+    regex = re.compile(pattern, re.MULTILINE | re.DOTALL)
+
+    def render(self):
+        with open(f"{self.__class__.output_dir}{self.__class__.name}",
+                  "w") as output:
+            with os.scandir(self.__class__.plugin_dir) as pdir:
+                for entry in sorted(pdir, key=lambda entry: entry.name):
+                    if not entry.name.startswith('.') and entry.is_dir():
+                        description = "<no-description-found>"
+                        # we use glob because a plugin can (ioam for now)
+                        # define the plugin definition in
+                        # a further subdirectory.
+                        for f in glob.iglob(f'{self.__class__.plugin_dir}/'
+                                            f'{entry.name}/**',
+                                            recursive=True):
+                            if f.endswith('.c'):
+                                with open(f, "r", encoding="utf-8") \
+                                        as src:
+                                    for match in self.__class__.regex.finditer(
+                                            src.read()):
+                                        description = "%s" % (match.group(1))
+
+                        output.write(f"* {entry.name} - {description}\n")
+
+
+# if this list grows substantially, we can move the classes to
+# a folder and import them.
+renderers = [PluginRenderer,
+             ]
+
+
+def main():
+    print("rendering dynamic includes...")
+    for renderer in renderers:
+        renderer().render()
+    print("done.")
+
+
+if __name__ == "__main__":
+    main()

docs/usecases/index.rst

@@ -20,3 +20,4 @@ extensive list, but should give a sampling of the many features contained in FD.
    networksim
    webapp
    container_test
+   trafficgen

docs/usecases/trafficgen.md

@@ -0,0 +1,105 @@
+Vpp Stateless Traffic Generation
+================================
+
+It's simple to configure vpp as a high-performance stateless traffic
+generator. A couple of vpp worker threads running on an older system
+can easily generate 20 MPPS' worth of traffic.
+
+In the configurations shown below, we connect a vpp traffic generator
+and a vpp UUT using two 40 gigabit ethernet ports on each system:
+
+```
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 0            | <=======> | port 0            |
+ | 192.168.40.2/24   |           | 192.168.40.1/24   |
+ +-------------------+           +-------------------+
+
+ +-------------------+           +-------------------+
+ | traffic generator |           | UUT               |
+ | port 1            | <=======> | port 1            |
+ | 192.168.41.2/24   |           | 192.168.41.1/24   |
+ +-------------------+           +-------------------+
+```
+
+Traffic Generator Setup Script
+------------------------------
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.2/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.2/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ comment { send traffic to the VPP UUT }
+
+ packet-generator new {
+     name worker0
+     worker 0
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/0
+     node FortyGigabitEthernet2/0/0-output
+     data { IP4: 1.2.40 -> 3cfd.fed0.b6c8
+            UDP: 192.168.40.10 -> 192.168.50.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ packet-generator new {
+     name worker1
+     worker 1
+     limit 0
+     rate 1.2e7
+     size 128-128
+     tx-interface FortyGigabitEthernet2/0/1
+     node FortyGigabitEthernet2/0/1-output
+     data { IP4: 1.2.4 -> 3cfd.fed0.b6c9
+            UDP: 192.168.41.10 -> 192.168.51.10
+            UDP: 1234 -> 2345
+            incrementing 114
+     }
+ }
+
+ comment { delete return traffic on sight }
+
+ ip route add 192.168.50.0/24 via drop
+ ip route add 192.168.51.0/24 via drop
+```
+
+Note 1: the destination MAC addresses shown in the configuration (e.g.
+3cfd.fed0.b6c8 and 3cfd.fed0.b6c9) **must** match the vpp UUT port MAC
+addresses.
+
+Note 2: this script assumes that /etc/vpp/startup.conf and/or the
+command-line in use specifies (at least) two worker threads. Uncomment
+"workers 2" in the cpu configuration section of /etc/vpp/startup.conf:
+
+```
+ ## Specify a number of workers to be created
+ ## Workers are pinned to N consecutive CPU cores while skipping "skip-cores" CPU core(s)
+ ## and main thread's CPU core
+ workers 2
+```
+
+Any plausible packet generator script - including one which replays
+pcap captures - can be used.
+
+
+UUT Setup Script
+----------------
+
+The vpp UUT uses a couple of static routes to forward traffic back to
+the traffic generator:
+
+```
+ set int ip address FortyGigabitEthernet2/0/0 192.168.40.1/24
+ set int ip address FortyGigabitEthernet2/0/1 192.168.41.1/24
+ set int state FortyGigabitEthernet2/0/0 up
+ set int state FortyGigabitEthernet2/0/1 up
+
+ ip route add 192.168.50.10/32 via 192.168.41.2
+ ip route add 192.168.51.10/32 via 192.168.40.2
+```

src/pkg/debian/control.in

@@ -51,6 +51,9 @@ Description: Vector Packet Processing--runtime libraries
 Package: vpp-plugin-core
 Architecture: any
 Depends: vpp (= ${source:Version}),
+         libmbedtls12 | libmbedtls10,
+         libmbedx509-0,
+         libmbedcrypto3 | libmbedcrypto1 | libmbedcrypto0,
          ${shlibs:Depends}
 Description: Vector Packet Processing--runtime core plugins
  This package contains VPP core plugins
@@ -76,6 +79,9 @@ Description: VPP Python API bindings
 Package: python3-vpp-api
 Architecture: any
 Depends: vpp (= ${source:Version}),
+         python3-cffi,
+         python3-ply,
+         python3-pycparser,
          ${python3:Depends},
 	 ${misc:Depends}
 Description: VPP Python3 API bindings

src/plugins/af_xdp/af_xdp.api

@@ -31,7 +31,7 @@ enum af_xdp_mode
     @param context - sender context, to match reply w/ request
     @param host_if - Linux netdev interface name
     @param name - new af_xdp interface name (optional)
-    @param rxq_num - number of receive queues (optional)
+    @param rxq_num - number of receive queues. 65535 can be used as special value to request all available queues (optional)
     @param rxq_size - receive queue size (optional)
     @param txq_size - transmit queue size (optional)
     @param mode - operation mode (optional)
@@ -50,7 +50,7 @@ define af_xdp_create
   u16 txq_size [default=0];
   vl_api_af_xdp_mode_t mode [default=0];
   string prog[256];
-  option vat_help = "<host-if linux-ifname> [name ifname] [rx-queue-size size] [tx-queue-size size] [num-rx-queues num] [prog pathname] [zero-copy|no-zero-copy]";
+  option vat_help = "<host-if linux-ifname> [name ifname] [rx-queue-size size] [tx-queue-size size] [num-rx-queues <num|all>] [prog pathname] [zero-copy|no-zero-copy]";
   option status="in_progress";
 };
 

src/plugins/af_xdp/af_xdp.h

@@ -22,6 +22,8 @@
 #include <vnet/interface.h>
 #include <bpf/xsk.h>
 
+#define AF_XDP_NUM_RX_QUEUES_ALL        ((u16)-1)
+
 #define af_xdp_log(lvl, dev, f, ...) \
   vlib_log(lvl, af_xdp_main.log_class, "%v: " f, (dev)->name, ##__VA_ARGS__)
 

src/plugins/af_xdp/af_xdp_doc.md

@@ -17,8 +17,13 @@ Because of AF_XDP restrictions, the MTU is limited to below PAGE_SIZE
 (4096-bytes on most systems) minus 256-bytes, and they are additional
 limitations depending upon specific Linux device drivers.
 As a rule of thumb, a MTU of 3000-bytes or less should be safe.
-Furthermore, upon UMEM creation, the kernel allocates a physically-contiguous structure, whose size is proportional to the number of 4KB pages contained in the UMEM. That allocation might fail when the number of buffers allocated by VPP is too high. That number can be controlled with the `buffers { buffers-per-numa }` configuration option.
-Finally, note that because of this limitation, this plugin is unlikely to be compatible with the use of 1GB hugepages.
+Furthermore, upon UMEM creation, the kernel allocates a
+physically-contiguous structure, whose size is proportional to the number
+of 4KB pages contained in the UMEM. That allocation might fail when
+the number of buffers allocated by VPP is too high. That number can be
+controlled with the `buffers { buffers-per-numa }` configuration option.
+Finally, note that because of this limitation, this plugin is unlikely
+to be compatible with the use of 1GB hugepages.
 
 ## Requirements
 The Linux kernel interface must be up and have enough queues before
@@ -31,9 +36,10 @@ AF_XDP interface, and only them. Depending on your configuration, there
 will usually be several RX queues (typically 1 per core) and packets are
 spread accross queues by RSS. In order to receive consistent traffic,
 you **must** program the NIC dispatching accordingly. The simplest way
-to get all the packets is to reconfigure the Linux kernel driver to use
-only `num_rx_queues` RX queues (ie all NIC queues will be associated
-with the AF_XDP socket):
+to get all the packets is to specify `num-rx-queues all` to grab all
+available queues or to reconfigure the Linux kernel driver to use only
+`num_rx_queues` RX queues (ie all NIC queues will be associated with
+the AF_XDP socket):
 ```
 ~# ethtool -L <iface> combined <num_rx_queues>
 ```
@@ -57,25 +63,21 @@ kernel interface in promiscuous mode:
 
 ## Security considerations
 When creating an AF_XDP interface, it will receive all packets arriving
-to the NIC RX queue #0. You need to configure the Linux kernel NIC
-driver properly to ensure that only intented packets will arrive in
-this queue. There is no way to filter the packets after-the-fact using
-eg. netfilter or eBPF.
+to the NIC RX queue [0, num_rx_queues[`. You need to configure the Linux
+kernel NIC driver properly to ensure that only intented packets will
+arrive in this queue. There is no way to filter the packets after-the-fact
+using eg. netfilter or eBPF.
 
 ## Quickstart
-1. Setup the Linux kernel interface (enp216s0f0 here) to use 4 queues:
-```
-~# ethtool -L enp216s0f0 combined 4
-```
-2. Put the Linux kernel interface up and in promiscuous mode:
+1. Put the Linux kernel interface up and in promiscuous mode:
 ```
 ~# ip l set dev enp216s0f0 promisc on up
 ```
-3. Create the AF_XDP interface:
+2. Create the AF_XDP interface:
 ```
-~# vppctl create int af_xdp host-if enp216s0f0 num-rx-queues 4
+~# vppctl create int af_xdp host-if enp216s0f0 num-rx-queues all
 ```
-4. Use the interface as usual, eg.:
+3. Use the interface as usual, eg.:
 ```
 ~# vppctl set int ip addr enp216s0f0/0 1.1.1.1/24
 ~# vppctl set int st enp216s0f0/0 up

src/plugins/af_xdp/cli.c

@@ -47,7 +47,7 @@ af_xdp_create_command_fn (vlib_main_t * vm, unformat_input_t * input,
 /* *INDENT-OFF* */
 VLIB_CLI_COMMAND (af_xdp_create_command, static) = {
   .path = "create interface af_xdp",
-  .short_help = "create interface af_xdp <host-if linux-ifname> [name ifname] [rx-queue-size size] [tx-queue-size size] [num-rx-queues num] [prog pathname] [zero-copy|no-zero-copy]",
+  .short_help = "create interface af_xdp <host-if linux-ifname> [name ifname] [rx-queue-size size] [tx-queue-size size] [num-rx-queues <num|all>] [prog pathname] [zero-copy|no-zero-copy]",
   .function = af_xdp_create_command_fn,
 };
 /* *INDENT-ON* */

src/plugins/af_xdp/device.c

@@ -22,6 +22,7 @@
 #include <vlib/vlib.h>
 #include <vlib/unix/unix.h>
 #include <vlib/pci/pci.h>
+#include <vppinfra/linux/sysfs.h>
 #include <vppinfra/unix.h>
 #include <vnet/ethernet/ethernet.h>
 #include "af_xdp.h"
@@ -171,14 +172,27 @@ static int
 af_xdp_create_queue (vlib_main_t * vm, af_xdp_create_if_args_t * args,
 		     af_xdp_device_t * ad, int qid, int rxq_num, int txq_num)
 {
-  struct xsk_umem **umem = vec_elt_at_index (ad->umem, qid);
-  struct xsk_socket **xsk = vec_elt_at_index (ad->xsk, qid);
-  af_xdp_rxq_t *rxq = vec_elt_at_index (ad->rxqs, qid);
-  af_xdp_txq_t *txq = vec_elt_at_index (ad->txqs, qid);
+  struct xsk_umem **umem;
+  struct xsk_socket **xsk;
+  af_xdp_rxq_t *rxq;
+  af_xdp_txq_t *txq;
   struct xsk_umem_config umem_config;
   struct xsk_socket_config sock_config;
   struct xdp_options opt;
   socklen_t optlen;
+
+  vec_validate_aligned (ad->umem, qid, CLIB_CACHE_LINE_BYTES);
+  umem = vec_elt_at_index (ad->umem, qid);
+
+  vec_validate_aligned (ad->xsk, qid, CLIB_CACHE_LINE_BYTES);
+  xsk = vec_elt_at_index (ad->xsk, qid);
+
+  vec_validate_aligned (ad->rxqs, qid, CLIB_CACHE_LINE_BYTES);
+  rxq = vec_elt_at_index (ad->rxqs, qid);
+
+  vec_validate_aligned (ad->txqs, qid, CLIB_CACHE_LINE_BYTES);
+  txq = vec_elt_at_index (ad->txqs, qid);
+
   /*
    * fq and cq must always be allocated even if unused
    * whereas rx and tx indicates whether we want rxq, txq, or both
@@ -260,21 +274,18 @@ err0:
 static int
 af_xdp_get_numa (const char *ifname)
 {
-  FILE *fptr;
+  char *path;
+  clib_error_t *err;
   int numa;
-  char *s;
 
-  s = (char *) format (0, "/sys/class/net/%s/device/numa_node%c", ifname, 0);
-  fptr = fopen (s, "rb");
-  vec_free (s);
-
-  if (!fptr)
-    return 0;
-
-  if (fscanf (fptr, "%d\n", &numa) != 1)
+  path =
+    (char *) format (0, "/sys/class/net/%s/device/numa_node%c", ifname, 0);
+  err = clib_sysfs_read (path, "%d", &numa);
+  if (err || numa < 0)
     numa = 0;
 
-  fclose (fptr);
+  clib_error_free (err);
+  vec_free (path);
   return numa;
 }
 
@@ -335,10 +346,6 @@ af_xdp_create_if (vlib_main_t * vm, af_xdp_create_if_args_t * args)
     goto err1;
 
   q_num = clib_max (rxq_num, txq_num);
-  vec_validate_aligned (ad->rxqs, q_num - 1, CLIB_CACHE_LINE_BYTES);
-  vec_validate_aligned (ad->txqs, q_num - 1, CLIB_CACHE_LINE_BYTES);
-  vec_validate_aligned (ad->umem, q_num - 1, CLIB_CACHE_LINE_BYTES);
-  vec_validate_aligned (ad->xsk, q_num - 1, CLIB_CACHE_LINE_BYTES);
   ad->txq_num = txq_num;
   for (i = 0; i < q_num; i++)
     {
@@ -347,10 +354,10 @@ af_xdp_create_if (vlib_main_t * vm, af_xdp_create_if_args_t * args)
 	  /*
 	   * queue creation failed
 	   * it is only a fatal error if we could not create the number of rx
-	   * queues requested explicitely by the user
+	   * queues requested explicitely by the user and the user did not
+	   * requested 'max'
 	   * we might create less tx queues than workers but this is ok
 	   */
-	  af_xdp_txq_t *txq;
 
 	  /* fixup vectors length */
 	  vec_set_len (ad->umem, i);
@@ -358,15 +365,17 @@ af_xdp_create_if (vlib_main_t * vm, af_xdp_create_if_args_t * args)
 	  vec_set_len (ad->rxqs, i);
 	  vec_set_len (ad->txqs, i);
 
-	  if (i < rxq_num)
+	  if (i < rxq_num && AF_XDP_NUM_RX_QUEUES_ALL != rxq_num)
 	    goto err1;		/* failed creating requested rxq: fatal error, bailing out */
 
-	  /*
-	   * we created all rxq but failed some txq: not an error but
-	   * initialize lock for shared txq
-	   */
-	  ad->txq_num = i;
-	  vec_foreach (txq, ad->txqs) clib_spinlock_init (&txq->lock);
+	  if (i < txq_num)
+	    {
+	      /* we created less txq than threads not an error but initialize lock for shared txq */
+	      af_xdp_txq_t *txq;
+	      ad->txq_num = i;
+	      vec_foreach (txq, ad->txqs) clib_spinlock_init (&txq->lock);
+	    }
+
 	  args->rv = 0;
 	  clib_error_free (args->error);
 	  break;
@@ -406,7 +415,7 @@ af_xdp_create_if (vlib_main_t * vm, af_xdp_create_if_args_t * args)
   vnet_hw_interface_set_input_node (vnm, ad->hw_if_index,
 				    af_xdp_input_node.index);
 
-  for (i = 0; i < rxq_num; i++)
+  for (i = 0; i < vec_len (ad->rxqs); i++)
     {
       af_xdp_rxq_t *rxq = vec_elt_at_index (ad->rxqs, i);
       clib_file_t f = {

src/plugins/af_xdp/unformat.c

@@ -40,6 +40,8 @@ unformat_af_xdp_create_if_args (unformat_input_t * input, va_list * vargs)
 	;
       else if (unformat (line_input, "tx-queue-size %u", &args->txq_size))
 	;
+      else if (unformat (line_input, "num-rx-queues all"))
+	args->rxq_num = AF_XDP_NUM_RX_QUEUES_ALL;
       else if (unformat (line_input, "num-rx-queues %u", &args->rxq_num))
 	;
       else if (unformat (line_input, "prog %s", &args->prog))

src/plugins/crypto_native/crypto_native.h

@@ -23,11 +23,7 @@ typedef void *(crypto_native_key_fn_t) (vnet_crypto_key_t * key);
 typedef struct
 {
   CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
-#if __VAES__
   u8x16 cbc_iv[16];
-#else
-  u8x16 cbc_iv[4];
-#endif
 } crypto_native_per_thread_data_t;
 
 typedef struct

src/plugins/dns/dns.c

@@ -68,14 +68,13 @@ dns_cache_clear (dns_main_t * dm)
 }
 
 static int
-dns_enable_disable (dns_main_t * dm, int is_enable)
+dns_enable_disable (vlib_main_t * vm, dns_main_t * dm, int is_enable)
 {
   vlib_thread_main_t *tm = &vlib_thread_main;
   u32 n_vlib_mains = tm->n_vlib_mains;
-  vlib_main_t *vm = dm->vlib_main;
 
   /* Create the resolver process if not done already */
-  vnet_dns_create_resolver_process (dm);
+  vnet_dns_create_resolver_process (vm, dm);
 
   if (is_enable)
     {
@@ -122,10 +121,11 @@ static void vl_api_dns_enable_disable_t_handler
   (vl_api_dns_enable_disable_t * mp)
 {
   vl_api_dns_enable_disable_reply_t *rmp;
+  vlib_main_t *vm = vlib_get_main ();
   dns_main_t *dm = &dns_main;
   int rv;
 
-  rv = dns_enable_disable (dm, mp->enable);
+  rv = dns_enable_disable (vm, dm, mp->enable);
 
   REPLY_MACRO (VL_API_DNS_ENABLE_DISABLE_REPLY);
 }
@@ -218,10 +218,9 @@ static void vl_api_dns_name_server_add_del_t_handler
 }
 
 void
-vnet_dns_send_dns4_request (dns_main_t * dm,
+vnet_dns_send_dns4_request (vlib_main_t * vm, dns_main_t * dm,
 			    dns_cache_entry_t * ep, ip4_address_t * server)
 {
-  vlib_main_t *vm = dm->vlib_main;
   f64 now = vlib_time_now (vm);
   u32 bi;
   vlib_buffer_t *b;
@@ -288,7 +287,7 @@ vnet_dns_send_dns4_request (dns_main_t * dm,
 found_src_address:
 
   /* Go get a buffer */
-  if (vlib_buffer_alloc (dm->vlib_main, &bi, 1) != 1)
+  if (vlib_buffer_alloc (vm, &bi, 1) != 1)
     return;
 
   b = vlib_get_buffer (vm, bi);
@@ -337,10 +336,9 @@ found_src_address:
 }
 
 void
-vnet_dns_send_dns6_request (dns_main_t * dm,
+vnet_dns_send_dns6_request (vlib_main_t * vm, dns_main_t * dm,
 			    dns_cache_entry_t * ep, ip6_address_t * server)
 {
-  vlib_main_t *vm = dm->vlib_main;
   f64 now = vlib_time_now (vm);
   u32 bi;
   vlib_buffer_t *b;
@@ -397,7 +395,7 @@ vnet_dns_send_dns6_request (dns_main_t * dm,
 found_src_address:
 
   /* Go get a buffer */
-  if (vlib_buffer_alloc (dm->vlib_main, &bi, 1) != 1)
+  if (vlib_buffer_alloc (vm, &bi, 1) != 1)
     return;
 
   b = vlib_get_buffer (vm, bi);
@@ -536,7 +534,8 @@ vnet_dns_labels_to_name (u8 * label, u8 * full_text, u8 ** parse_from_here)
 }
 
 void
-vnet_send_dns_request (dns_main_t * dm, dns_cache_entry_t * ep)
+vnet_send_dns_request (vlib_main_t * vm, dns_main_t * dm,
+		       dns_cache_entry_t * ep)
 {
   dns_header_t *h;
   dns_query_t *qp;
@@ -610,7 +609,7 @@ vnet_send_dns_request (dns_main_t * dm, dns_cache_entry_t * ep)
 	  if (vec_len (dm->ip6_name_servers))
 	    {
 	      vnet_dns_send_dns6_request
-		(dm, ep, dm->ip6_name_servers + ep->server_rotor);
+		(vm, dm, ep, dm->ip6_name_servers + ep->server_rotor);
 	      goto out;
 	    }
 	  else
@@ -619,7 +618,7 @@ vnet_send_dns_request (dns_main_t * dm, dns_cache_entry_t * ep)
       if (vec_len (dm->ip4_name_servers))
 	{
 	  vnet_dns_send_dns4_request
-	    (dm, ep, dm->ip4_name_servers + ep->server_rotor);
+	    (vm, dm, ep, dm->ip4_name_servers + ep->server_rotor);
 	  goto out;
 	}
     }
@@ -647,14 +646,14 @@ vnet_send_dns_request (dns_main_t * dm, dns_cache_entry_t * ep)
 
   if (ep->server_af == 1 /* ip6 */ )
     vnet_dns_send_dns6_request
-      (dm, ep, dm->ip6_name_servers + ep->server_rotor);
+      (vm, dm, ep, dm->ip6_name_servers + ep->server_rotor);
   else
     vnet_dns_send_dns4_request
-      (dm, ep, dm->ip4_name_servers + ep->server_rotor);
+      (vm, dm, ep, dm->ip4_name_servers + ep->server_rotor);
 
 out:
 
-  vlib_process_signal_event_mt (dm->vlib_main,
+  vlib_process_signal_event_mt (vm,
 				dm->resolver_process_node_index,
 				DNS_RESOLVER_EVENT_PENDING, 0);
 }
@@ -808,8 +807,8 @@ dns_add_static_entry (dns_main_t * dm, u8 * name, u8 * dns_reply_data)
 }
 
 int
-vnet_dns_resolve_name (dns_main_t * dm, u8 * name, dns_pending_request_t * t,
-		       dns_cache_entry_t ** retp)
+vnet_dns_resolve_name (vlib_main_t * vm, dns_main_t * dm, u8 * name,
+		       dns_pending_request_t * t, dns_cache_entry_t ** retp)
 {
   dns_cache_entry_t *ep;
   int rv;
@@ -818,7 +817,7 @@ vnet_dns_resolve_name (dns_main_t * dm, u8 * name, dns_pending_request_t * t,
   dns_pending_request_t *pr;
   int count;
 
-  now = vlib_time_now (dm->vlib_main);
+  now = vlib_time_now (vm);
 
   /* In case we can't actually answer the question right now... */
   *retp = 0;
@@ -950,7 +949,7 @@ re_resolve:
       clib_memcpy (pr->dst_address, t->dst_address, count);
     }
 
-  vnet_send_dns_request (dm, ep);
+  vnet_send_dns_request (vm, dm, ep);
   dns_cache_unlock (dm);
   return 0;
 }
@@ -964,7 +963,8 @@ _(pending_requests)
  */
 
 int
-vnet_dns_cname_indirection_nolock (dns_main_t * dm, u32 ep_index, u8 * reply)
+vnet_dns_cname_indirection_nolock (vlib_main_t * vm, dns_main_t * dm,
+				   u32 ep_index, u8 * reply)
 {
   dns_header_t *h;
   dns_query_t *qp;
@@ -1074,7 +1074,7 @@ vnet_dns_cname_indirection_nolock (dns_main_t * dm, u32 ep_index, u8 * reply)
 
 found_last_request:
 
-  now = vlib_time_now (dm->vlib_main);
+  now = vlib_time_now (vm);
   cname = vnet_dns_labels_to_name (rr->rdata, reply, &pos2);
   /* Save the cname */
   vec_add1 (cname, 0);
@@ -1154,7 +1154,7 @@ found_last_request:
    */
 
   vec_add1 (dm->unresolved_entries, next_ep - dm->entries);
-  vnet_send_dns_request (dm, next_ep);
+  vnet_send_dns_request (vm, dm, next_ep);
   return (1);
 }
 
@@ -1438,6 +1438,7 @@ vnet_dns_response_to_name (u8 * response,
 static void
 vl_api_dns_resolve_name_t_handler (vl_api_dns_resolve_name_t * mp)
 {
+  vlib_main_t *vm = vlib_get_main ();
   dns_main_t *dm = &dns_main;
   vl_api_dns_resolve_name_reply_t *rmp;
   dns_cache_entry_t *ep;
@@ -1451,7 +1452,7 @@ vl_api_dns_resolve_name_t_handler (vl_api_dns_resolve_name_t * mp)
   t0->client_index = mp->client_index;
   t0->client_context = mp->context;
 
-  rv = vnet_dns_resolve_name (dm, mp->name, t0, &ep);
+  rv = vnet_dns_resolve_name (vm, dm, mp->name, t0, &ep);
 
   /* Error, e.g. not enabled? Tell the user */
   if (rv < 0)
@@ -1471,17 +1472,12 @@ vl_api_dns_resolve_name_t_handler (vl_api_dns_resolve_name_t * mp)
     rmp->retval = clib_host_to_net_u32 (rv);
   }));
   /* *INDENT-ON* */
-
-  /*
-   * dns_resolve_name leaves the cache locked when it returns
-   * a cached result, so unlock it here.
-   */
-  dns_cache_unlock (dm);
 }
 
 static void
 vl_api_dns_resolve_ip_t_handler (vl_api_dns_resolve_ip_t * mp)
 {
+  vlib_main_t *vm = vlib_get_main ();
   dns_main_t *dm = &dns_main;
   vl_api_dns_resolve_ip_reply_t *rmp;
   dns_cache_entry_t *ep;
@@ -1529,7 +1525,7 @@ vl_api_dns_resolve_ip_t_handler (vl_api_dns_resolve_ip_t * mp)
   t0->client_index = mp->client_index;
   t0->client_context = mp->context;
 
-  rv = vnet_dns_resolve_name (dm, lookup_name, t0, &ep);
+  rv = vnet_dns_resolve_name (vm, dm, lookup_name, t0, &ep);
 
   vec_free (lookup_name);
 
@@ -1551,12 +1547,6 @@ vl_api_dns_resolve_ip_t_handler (vl_api_dns_resolve_ip_t * mp)
     rmp->retval = clib_host_to_net_u32 (rv);
   }));
   /* *INDENT-ON* */
-
-  /*
-   * vnet_dns_resolve_name leaves the cache locked when it returns
-   * a cached result, so unlock it here.
-   */
-  dns_cache_unlock (dm);
 }
 
 static clib_error_t *
@@ -2728,18 +2718,19 @@ VLIB_CLI_COMMAND (test_dns_expire_command) =
 #endif
 
 void
-vnet_send_dns6_reply (dns_main_t * dm, dns_pending_request_t * pr,
-		      dns_cache_entry_t * ep, vlib_buffer_t * b0)
+vnet_send_dns6_reply (vlib_main_t * vm, dns_main_t * dm,
+		      dns_pending_request_t * pr, dns_cache_entry_t * ep,
+		      vlib_buffer_t * b0)
 {
   clib_warning ("Unimplemented...");
 }
 
 
 void
-vnet_send_dns4_reply (dns_main_t * dm, dns_pending_request_t * pr,
-		      dns_cache_entry_t * ep, vlib_buffer_t * b0)
+vnet_send_dns4_reply (vlib_main_t * vm, dns_main_t * dm,
+		      dns_pending_request_t * pr, dns_cache_entry_t * ep,
+		      vlib_buffer_t * b0)
 {
-  vlib_main_t *vm = dm->vlib_main;
   u32 bi = 0;
   fib_prefix_t prefix;
   fib_node_index_t fei;
@@ -3051,7 +3042,6 @@ dns_init (vlib_main_t * vm)
 {
   dns_main_t *dm = &dns_main;
 
-  dm->vlib_main = vm;
   dm->vnet_main = vnet_get_main ();
   dm->name_cache_size = 1000;
   dm->max_ttl_in_seconds = 86400;

src/plugins/dns/dns.h

@@ -123,7 +123,6 @@ typedef struct
   u16 msg_id_base;
 
   /* convenience */
-  vlib_main_t *vlib_main;
   vnet_main_t *vnet_main;
   api_main_t *api_main;
 } dns_main_t;
@@ -168,33 +167,36 @@ typedef enum
     DNS46_REPLY_N_ERROR,
 } dns46_reply_error_t;
 
-void vnet_send_dns_request (dns_main_t * dm, dns_cache_entry_t * ep);
-int
-vnet_dns_cname_indirection_nolock (dns_main_t * dm, u32 ep_index, u8 * reply);
+void vnet_send_dns_request (vlib_main_t * vm, dns_main_t * dm,
+			    dns_cache_entry_t * ep);
+int vnet_dns_cname_indirection_nolock (vlib_main_t * vm, dns_main_t * dm,
+				       u32 ep_index, u8 * reply);
 
 int vnet_dns_delete_entry_by_index_nolock (dns_main_t * dm, u32 index);
 
 int
-vnet_dns_resolve_name (dns_main_t * dm, u8 * name, dns_pending_request_t * t,
-		       dns_cache_entry_t ** retp);
+vnet_dns_resolve_name (vlib_main_t * vm, dns_main_t * dm, u8 * name,
+		       dns_pending_request_t * t, dns_cache_entry_t ** retp);
 
 void
-vnet_dns_send_dns6_request (dns_main_t * dm,
+vnet_dns_send_dns6_request (vlib_main_t * vm, dns_main_t * dm,
 			    dns_cache_entry_t * ep, ip6_address_t * server);
 void
-vnet_dns_send_dns4_request (dns_main_t * dm,
+vnet_dns_send_dns4_request (vlib_main_t * vm, dns_main_t * dm,
 			    dns_cache_entry_t * ep, ip4_address_t * server);
 
-void vnet_send_dns4_reply (dns_main_t * dm, dns_pending_request_t * t,
-			   dns_cache_entry_t * ep, vlib_buffer_t * b0);
+void vnet_send_dns4_reply (vlib_main_t * vm, dns_main_t * dm,
+			   dns_pending_request_t * t, dns_cache_entry_t * ep,
+			   vlib_buffer_t * b0);
 
-void vnet_send_dns6_reply (dns_main_t * dm, dns_pending_request_t * t,
-			   dns_cache_entry_t * ep, vlib_buffer_t * b0);
+void vnet_send_dns6_reply (vlib_main_t * vm, dns_main_t * dm,
+			   dns_pending_request_t * t, dns_cache_entry_t * ep,
+			   vlib_buffer_t * b0);
 
 u8 *vnet_dns_labels_to_name (u8 * label, u8 * full_text,
 			     u8 ** parse_from_here);
 
-void vnet_dns_create_resolver_process (dns_main_t * dm);
+void vnet_dns_create_resolver_process (vlib_main_t * vm, dns_main_t * dm);
 
 format_function_t format_dns_reply;
 

src/plugins/dns/request_node.c

@@ -242,14 +242,14 @@ dns46_request_inline (vlib_main_t * vm,
 	    clib_memcpy_fast (t0->dst_address, ip40->src_address.as_u8,
 			      sizeof (ip4_address_t));
 
-	  vnet_dns_resolve_name (dm, name0, t0, &ep0);
+	  vnet_dns_resolve_name (vm, dm, name0, t0, &ep0);
 
 	  if (ep0)
 	    {
 	      if (is_ip6)
-		vnet_send_dns6_reply (dm, t0, ep0, b0);
+		vnet_send_dns6_reply (vm, dm, t0, ep0, b0);
 	      else
-		vnet_send_dns4_reply (dm, t0, ep0, b0);
+		vnet_send_dns4_reply (vm, dm, t0, ep0, b0);
 	      next0 = DNS46_REQUEST_NEXT_IP_LOOKUP;
 	    }
 	  else

src/plugins/dns/resolver_process.c

@@ -36,9 +36,8 @@ vnet_dns_response_to_name (u8 * response,
 			   u32 * min_ttlp);
 
 static void
-resolve_event (dns_main_t * dm, f64 now, u8 * reply)
+resolve_event (vlib_main_t * vm, dns_main_t * dm, f64 now, u8 * reply)
 {
-  vlib_main_t *vm = dm->vlib_main;
   dns_pending_request_t *pr;
   dns_header_t *d;
   u32 pool_index;
@@ -76,7 +75,7 @@ resolve_event (dns_main_t * dm, f64 now, u8 * reply)
     vec_free (ep->dns_response);
 
   /* Handle [sic] recursion AKA CNAME indirection */
-  rv = vnet_dns_cname_indirection_nolock (dm, pool_index, reply);
+  rv = vnet_dns_cname_indirection_nolock (vm, dm, pool_index, reply);
 
   /* CNAME found, further resolution pending, we're done here */
   if (rv > 0)
@@ -109,7 +108,7 @@ resolve_event (dns_main_t * dm, f64 now, u8 * reply)
 	    clib_warning ("Try server %U", format_ip6_address,
 			  dm->ip6_name_servers + ep->server_rotor);
 	  vnet_dns_send_dns6_request
-	    (dm, ep, dm->ip6_name_servers + ep->server_rotor);
+	    (vm, dm, ep, dm->ip6_name_servers + ep->server_rotor);
 	}
       else
 	{
@@ -132,7 +131,7 @@ resolve_event (dns_main_t * dm, f64 now, u8 * reply)
 	    clib_warning ("Try server %U", format_ip4_address,
 			  dm->ip4_name_servers + ep->server_rotor);
 	  vnet_dns_send_dns4_request
-	    (dm, ep, dm->ip4_name_servers + ep->server_rotor);
+	    (vm, dm, ep, dm->ip4_name_servers + ep->server_rotor);
 	}
       dns_cache_unlock (dm);
       return;
@@ -222,9 +221,9 @@ reply:
 	case DNS_PEER_PENDING_IP_TO_NAME:
 	case DNS_PEER_PENDING_NAME_TO_IP:
 	  if (pr->is_ip6)
-	    vnet_send_dns6_reply (dm, pr, ep, 0 /* allocate a buffer */ );
+	    vnet_send_dns6_reply (vm, dm, pr, ep, 0 /* allocate a buffer */ );
 	  else
-	    vnet_send_dns4_reply (dm, pr, ep, 0 /* allocate a buffer */ );
+	    vnet_send_dns4_reply (vm, dm, pr, ep, 0 /* allocate a buffer */ );
 	  break;
 	default:
 	  clib_warning ("request type %d unknown", pr->request_type);
@@ -286,7 +285,7 @@ reply:
 }
 
 static void
-retry_scan (dns_main_t * dm, f64 now)
+retry_scan (vlib_main_t * vm, dns_main_t * dm, f64 now)
 {
   int i;
   dns_cache_entry_t *ep;
@@ -297,7 +296,7 @@ retry_scan (dns_main_t * dm, f64 now)
       ep = pool_elt_at_index (dm->entries, dm->unresolved_entries[i]);
 
       ASSERT ((ep->flags & DNS_CACHE_ENTRY_FLAG_VALID) == 0);
-      vnet_send_dns_request (dm, ep);
+      vnet_send_dns_request (vm, dm, ep);
       dns_cache_unlock (dm);
     }
 }
@@ -330,11 +329,11 @@ dns_resolver_process (vlib_main_t * vm,
 
 	case DNS_RESOLVER_EVENT_RESOLVED:
 	  for (i = 0; i < vec_len (event_data); i++)
-	    resolve_event (dm, now, (u8 *) event_data[i]);
+	    resolve_event (vm, dm, now, (u8 *) event_data[i]);
 	  break;
 
 	case ~0:		/* timeout */
-	  retry_scan (dm, now);
+	  retry_scan (vm, dm, now);
 	  break;
 	}
       vec_reset_length (event_data);
@@ -347,7 +346,7 @@ dns_resolver_process (vlib_main_t * vm,
 }
 
 void
-vnet_dns_create_resolver_process (dns_main_t * dm)
+vnet_dns_create_resolver_process (vlib_main_t * vm, dns_main_t * dm)
 {
   /* Already created the resolver process? */
   if (dm->resolver_process_node_index > 0)
@@ -355,7 +354,7 @@ vnet_dns_create_resolver_process (dns_main_t * dm)
 
   /* No, create it now and make a note of the node index */
   dm->resolver_process_node_index = vlib_process_create
-    (dm->vlib_main, "dns-resolver-process",
+    (vm, "dns-resolver-process",
      dns_resolver_process, 16 /* log2_n_stack_bytes */ );
 }
 

src/plugins/ikev2/ikev2.api

@@ -251,6 +251,20 @@ autoreply define ikev2_profile_set_id
   option status="in_progress";
 };
 
+/** \brief IKEv2: Disable NAT traversal
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param name - IKEv2 profile name
+*/
+autoreply define ikev2_profile_disable_natt
+{
+  u32 client_index;
+  u32 context;
+
+  string name[64];
+  option status="in_progress";
+};
+
 /** \brief IKEv2: Set IKEv2 profile traffic selector parameters
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -264,7 +278,7 @@ autoreply define ikev2_profile_set_ts
 
   string name[64];
   vl_api_ikev2_ts_t ts;
-  option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip4> end_addr <ip4> (local|remote)";
+  option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip> end_addr <ip> (local|remote)";
   option status="in_progress";
 };
 

src/plugins/ikev2/ikev2.h

@@ -44,14 +44,20 @@ typedef CLIB_PACKED (struct {
 }) ike_header_t;
 /* *INDENT-ON* */
 
+#define ike_hdr_is_response(_h) ((_h)->flags & IKEV2_HDR_FLAG_RESPONSE)
+#define ike_hdr_is_request(_h) (!ike_hdr_is_response(_h))
+#define ike_hdr_is_initiator(_h) ((_h)->flags & IKEV2_HDR_FLAG_INITIATOR)
+#define ike_hdr_is_responder(_h) (!(ike_hdr_is_initiator(_h)))
+
 /* *INDENT-OFF* */
-typedef CLIB_PACKED (struct
-		     {
-		     u8 nextpayload;
-		     u8 flags;
-		     u16 length;
-		     u16 dh_group;
-		     u8 reserved[2]; u8 payload[0];}) ike_ke_payload_header_t;
+typedef CLIB_PACKED (struct {
+  u8 nextpayload;
+  u8 flags;
+  u16 length;
+  u16 dh_group;
+  u8 reserved[2];
+  u8 payload[0];
+}) ike_ke_payload_header_t;
 /* *INDENT-ON* */
 
 /* *INDENT-OFF* */
@@ -368,6 +374,12 @@ typedef enum
 #undef _
 } ikev2_id_type_t;
 
+typedef enum
+{
+  TS_IPV4_ADDR_RANGE = 7,
+  TS_IPV6_ADDR_RANGE = 8,
+} ikev2_traffic_selector_type_t;
+
 clib_error_t *ikev2_init (vlib_main_t * vm);
 clib_error_t *ikev2_set_local_key (vlib_main_t * vm, u8 * file);
 clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add);
@@ -378,11 +390,11 @@ clib_error_t *ikev2_set_profile_id (vlib_main_t * vm, u8 * name,
 				    u8 id_type, u8 * data, int is_local);
 clib_error_t *ikev2_set_profile_ts (vlib_main_t * vm, u8 * name,
 				    u8 protocol_id, u16 start_port,
-				    u16 end_port, ip4_address_t start_addr,
-				    ip4_address_t end_addr, int is_local);
+				    u16 end_port, ip_address_t start_addr,
+				    ip_address_t end_addr, int is_local);
 clib_error_t *ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
 					   u32 sw_if_index,
-					   ip4_address_t ip4);
+					   ip_address_t addr);
 clib_error_t *ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
 						ikev2_transform_encr_type_t
 						crypto_alg,