nat: fix nat44 vrf handlers

Change of enums used in REPLY_MACRO() to appropriate one
for handlers:
-vl_api_nat44_ed_add_del_vrf_table_t_handler
-vl_api_nat44_ed_add_del_vrf_route_t_handler

Type: fix

Change-Id: I58e97817b1678da7c025c0d03a8b938a4e0f7b6c
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
(cherry picked from commit 2c03879ce4)

MAINTAINERS

@@ -817,6 +817,12 @@ I:	rpm-packaging
 M:	Laszlo Kiraly <laszlo.kiraly@est.tech>
 F:	src/extras/rpm/opensuse
 
+VPP StrongSwan Daemon
+I:	vpp-swan
+M:	Fan Zhang <roy.fan.zhang@intel.com>
+M:	Gabriel Oginski <gabrielx.oginski@intel.com>
+F:	extras/strongswan/vpp_sswan
+
 THE REST
 I:	misc
 M:	vpp-dev Mailing List <vpp-dev@fd.io>

docs/aboutvpp/releasenotes/index.rst

@@ -6,7 +6,9 @@ Release notes
 .. toctree::
     :maxdepth: 2
 
+    v22.10.1
+    v22.10
+    v22.06.1
     v22.06
     v22.02
-    v21.10.1
     past

docs/aboutvpp/releasenotes/past.rst

@@ -6,6 +6,7 @@ Past releases
 .. toctree::
     :maxdepth: 1
 
+    v21.10.1
     v21.10
     v21.06
     v21.01
@@ -38,4 +39,3 @@ Past releases
     v17.01
     v16.09
     v16.06
-

docs/aboutvpp/releasenotes/v22.06.1.rst

@@ -0,0 +1,12 @@
+Release notes for VPP 22.06.1
+=============================
+
+This is bug fix release.
+
+Of particular importance, this release contains the fix for
+`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
+
+For the full list of fixed issues please refer to:
+
+- fd.io `JIRA <https://jira.fd.io>`__
+- git `commit log <https://git.fd.io/vpp/log/?h=stable/2206>`__

docs/aboutvpp/releasenotes/v22.10.1.rst

@@ -0,0 +1,12 @@
+Release notes for VPP 22.10.1
+=============================
+
+This is bug fix release.
+
+Of particular importance, this release contains the fix for
+`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
+
+For the full list of fixed issues please refer to:
+
+- fd.io `JIRA <https://jira.fd.io>`__
+- git `commit log <https://git.fd.io/vpp/log/?h=stable/2210>`__

docs/gettingstarted/troubleshooting/mem.rst

@@ -26,7 +26,7 @@ To dump memory traces for analysis:
 
 .. code-block:: console
 
-    $ vppctl show memory-trace on main-heap
+    $ vppctl show memory main-heap verbose
     Thread 0 vpp_main
       base 0x7fffb6422000, size 1g, locked, unmap-on-destroy, name 'main heap'
 	page stats: page-size 4K, total 262144, mapped 30343, not-mapped 231801

extras/packetforge/packetforge.py

@@ -145,7 +145,7 @@ def GetMask(item):
     if "format" in item:
         format = item["format"]
         if format == "mac":
-            mask = "ff.ff.ff.ff.ff.ff"
+            mask = "ff:ff:ff:ff:ff:ff"
         elif format == "ipv4":
             mask = "255.255.255.255"
         elif format == "ipv6":

extras/packetforge/parsegraph/nodes/gtppsc.json

@@ -4,7 +4,7 @@
     "layout" : [
         {
             "name" : "length",
-            "size" : "1",
+            "size" : "8",
             "default" : "1",
             "readonly" : "true"
         },
@@ -23,6 +23,10 @@
         {
             "name" : "qfi",
             "size" : "6"
+        },
+        {
+            "name" : "nextext",
+            "size" : "8"
         }
     ]
 }

extras/strongswan/vpp_sswan/Makefile

@@ -0,0 +1,108 @@
+# the directory to the strongSwan sources
+SWANDIR=${CURDIR}/../../../build-root/build-vpp-native/external/sswan
+# location of config.h
+CONFIGH=$(SWANDIR)/config.h
+# default install prefix: /usr/local or /usr
+PREFIX=/usr
+# location of the installed strongSwan libraries
+SWANLIBS=$(PREFIX)/lib/ipsec/
+# location of the strongSwan plugins
+SWANPLUGINS=$(PREFIX)/lib/ipsec/plugins
+# location of the strongSwan archive
+SWANARCHIVE=${CURDIR}/../../../build/external/downloads
+# default install configuration files:
+PREFIX_SYS_CONF=/etc
+# target location of the plugin config snippet: $(PREFIX)/etc/strongswan.d/charon/ or /etc/strongswan.d/charon/
+PLUGINCONF=$(PREFIX_SYS_CONF)/strongswan.d/charon/
+# location of the  VPP libraries
+VPPLIBS=$(CURDIR)/../../../build-root/install-vpp-native/vpp/lib/x86_64-linux-gnu
+# the directory to the VPP sources
+VPPDIR=../../../build-root/install-vpp-native/vpp/include
+
+TARGET=libstrongswan-kernel-vpp.so
+
+# tested only with 5.9.5 and 5.9.6 version of strongSwan
+VERSION_SSWAN=5.9.6
+
+CFLAGS=-O2 -g -Wall -Wextra -fpic
+
+CFLAGS_I=-include $(CONFIGH) \
+	-I$(SWANDIR)/src/libstrongswan \
+	-I$(SWANDIR)/src/libcharon
+
+LDFLAGS= -lvppinfra \
+	-lvlibmemoryclient \
+	-lvppapiclient \
+	-lsvm \
+	-lvlib
+
+VERSION_VPP=$(shell (dpkg -s vpp | grep Version) | grep -Po '(?<=Version: )\d\d.\d\d')
+
+# check if VPP is installed
+ifneq ($(shell test "$(shell ldconfig -p | grep vppinfra.so | awk 'NR==1{print $$1;}')" && echo "yes"), yes)
+# check if VPPDIR exists
+ifeq ($(shell test -d $(VPPDIR) && echo "yes"), yes)
+	CFLAGS_I += -I$(VPPDIR)
+endif
+# check if VPPLIBS exists
+ifeq ($(shell test -d $(VPPLIBS) && echo "yes"), yes)
+	LDFLAGS += -L$(VPPLIBS)
+	LDFLAGS += -Wl,-rpath=$(VPPLIBS)
+endif
+endif
+
+SOURCES=$(wildcard *.c)
+OBJECTS=$(SOURCES:.c=.o)
+
+all: pull-swan $(TARGET)
+
+pull-swan:
+	@if [ -d "${SWANDIR}" ]; then \
+	  rm -rf ${SWANDIR} ; \
+	fi
+	@if ! [ -f "${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz" ]; then \
+	  curl -o ${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz -LO https://github.com/strongswan/strongswan/archive/${VERSION_SSWAN}.tar.gz; \
+	fi
+	@if ! [ -d "${CURDIR}/../../../build-root/build-vpp-native/external/" ]; then \
+	  mkdir ${CURDIR}/../../../build-root/build-vpp-native/external; \
+	fi
+	tar -zxof ${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz -C ${CURDIR}/../../../build-root/build-vpp-native/external/
+	mv ${CURDIR}/../../../build-root/build-vpp-native/external/strongswan-${VERSION_SSWAN} ${SWANDIR}
+	cd ${SWANDIR} && ./autogen.sh
+	cd ${SWANDIR} && ./configure --prefix=${PREFIX} --sysconfdir=${PREFIX_SYS_CONF} --enable-libipsec --enable-systemd --enable-swanctl --disable-gmp --enable-openssl
+	cd ${SWANDIR} && make -j$(nproc)
+#	cd ${SWANDIR} && sudo make install
+
+# check if VPP is installed
+ifneq ($(shell test "$(shell ldconfig -p | grep vppinfra.so | awk 'NR==1{print $$1;}')" && echo "yes"), yes)
+	$(info INFO: Not found installed VPP - checking if locally VPP exists)
+# check if VPPDIR exists
+ifneq ($(shell test -d $(VPPDIR) && echo "yes"), yes)
+	$(error ERROR: Not found installed VPP and locally VPP - please install or build)
+else
+# check if VPPLIBS exists
+ifneq ($(shell test -d $(VPPLIBS) && echo "yes"), yes)
+	$(error ERROR: directory $(VPPLIBS) - doesn't exists, please compile VPP before build this)
+else
+	$(info INFO: Found locally VPP)
+endif
+endif
+else
+	$(info INFO: Found installed VPP in version: $(VERSION_VPP))
+endif
+
+$(TARGET): $(OBJECTS)
+	gcc $(CFLAGS) -shared -DPIC $(OBJECTS) $(LDFLAGS) -Wl,-soname -Wl,$(TARGET) -o $@
+	cp $(TARGET) ${SWANDIR}
+
+%.o: %.c
+	gcc $(CFLAGS) $(CFLAGS_I) -c $< -o $@ $(LDFLAGS)
+
+install:
+	cp $(TARGET) $(SWANPLUGINS)/$(TARGET)
+	cp kernel-vpp.conf $(PLUGINCONF)
+
+clean:
+	rm -f *.so *.o
+
+.PHONY: clean install all

extras/strongswan/vpp_sswan/README.rst

@@ -0,0 +1,128 @@
+.. _vpp_sswan_doc:
+
+VPP-SSWAN
+=======================
+
+``VPP-SSWAN`` is a StrongSwan plugin that helps offloading Strongswan IPsec ESP
+process from Linux Kernel to ``VPP``.
+
+The kernel-vpp plugin is an interface to the IPsec and networking backend for
+`VPP <https://wiki.fd.io/view/VPP>`__ platform using the
+`VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__.
+It provides address and routing lookup functionality and installs routes for
+IPsec traffic.
+It installs and maintains Security Associations and Policies to the
+`VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__.
+
+Prerequisites
+-------------
+
+``VPP`` in release mode should be built before compiling ``vpp-swan plugin``.
+The dependencies of ``StrongSwan`` should be installed before building
+``VPP-SSWAN``. In addition ``libsystemd-dev`` should be installed.
+
+Build VPP Strongswan Plugin
+-------------
+
+The following list of things will be done to build ``vpp-swan plugin``:
+
+- download strongswan source code to:
+``path/to/vpp/build/external/downloads``
+
+- unzip source code strongswan to:
+``path/to/vpp/build-root/build-vpp-native/external/sswan``
+
+- check if you have installed packages: ``libsystemd-dev`` on your OS
+
+- configure strongswan by:
+``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec
+--enable-systemd --enable-swanctl --disable-gmp --enable-openssl``
+
+- compile strongswan in:
+``path/to/vpp/build-root/build-vpp-native/external/sswan``
+
+- compile ``vpp-swan plugin`` by:
+
+::
+
+   ./make all
+
+- if everything it ok, copy the compiled ``vpp-swan plugin`` to:
+``/usr/lib/ipsec/plugins``
+
+Build/install Strongswan
+-------------
+
+It is recommended to use ``Strongswan`` in version ``5.9.6`` or ``5.9.5``
+installed from this script, due to configuration Strongswan that is required.
+Only version ``5.9.5`` and ``5.9.6`` was tested with this plugin.
+
+To install the built Strongswan, please execute the following command:
+
+::
+
+   path/to/vpp/build-root/build-vpp-native/external/sswan/sudo make install
+
+Insert plugin in runtime mode
+-------------
+
+After builded this plugin and also installed Strongswan you can loaded plugin
+into Strongswan directory by:
+
+::
+
+   ./make install
+
+Or you can do manually copy ``libstrongswan-kernel-vpp.so`` into:
+``/usr/lib/ipsec/plugins`` and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/``
+
+And also you should restart Strongswan by:
+
+::
+
+   systemctl restart strongswan.service
+
+Configuration Strongswan
+-------------
+In ``swanctl.conf`` file you can find example configuration to initialize
+connections between two endpoints.
+
+Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf``
+
+Configuration VPP
+-------------
+
+In your ``startup.conf`` add these following commands:
+
+::
+
+   plugins {
+     plugin linux_cp_plugin.so { enable }
+     plugin ikev2_plugin.so { disable }
+    }
+
+   linux-cp {
+      lcp-sync
+   }
+
+To enable ``CP Plugin`` and disable ``IKEv2`` plugin.
+
+These following commands executed in ``VPP``:
+
+::
+
+   lcp create eth2 host-if eth2
+   set interface state eth2 up
+   set interface ip address eth2 192.168.0.2/24
+   set int state eth1 up
+   set int ip addr eth1 192.168.200.1/24
+
+To create interface by ``CP Plugin`` and also setup two ethernet interfaces.
+
+Misc
+-------------
+This plugin is based on:
+`https://github.com/matfabia/strongswan
+<https://github.com/matfabia/strongswan>`__
+
+Author: Matus Fabian <matfabia@cisco.com>

extras/strongswan/vpp_sswan/kernel-vpp.conf

@@ -0,0 +1,7 @@
+kernel-vpp {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}

extras/strongswan/vpp_sswan/kernel_vpp_ipsec.h

@@ -0,0 +1,41 @@
+#ifndef KERNEL_VPP_IPSEC_H_
+#define KERNEL_VPP_IPSEC_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_vpp_ipsec_t kernel_vpp_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using Netlink.
+ */
+struct kernel_vpp_ipsec_t
+{
+
+  /**
+   * Implements kernel_ipsec_t interface
+   */
+  kernel_ipsec_t interface;
+};
+
+/**
+ * Create a vpp kernel ipsec interface instance.
+ *
+ * @return          kernel_vpp_ipsec_t instance
+ */
+kernel_vpp_ipsec_t *kernel_vpp_ipsec_create ();
+
+#endif /** KERNEL_VPP_IPSEC_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_net.h

@@ -0,0 +1,41 @@
+#ifndef KERNEL_VPP_NET_H_
+#define KERNEL_VPP_NET_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_vpp_net_t kernel_vpp_net_t;
+
+/**
+ * Implementation of the kernel network interface using Netlink.
+ */
+struct kernel_vpp_net_t
+{
+
+  /**
+   * Implements kernel_net_t interface
+   */
+  kernel_net_t interface;
+};
+
+/**
+ * Create a vpp kernel network interface instance.
+ *
+ * @return          kernel_vpp_net_t instance
+ */
+kernel_vpp_net_t *kernel_vpp_net_create ();
+
+#endif /** KERNEL_VPP_NET_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_plugin.c

@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <utils/debug.h>
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+
+#define vl_typedefs
+#define vl_endianfun
+/* Include the (first) vlib-api API definition layer */
+#include <vlibmemory/vl_memory_api_h.h>
+/* Include the current layer (third) vpp API definition layer */
+#include <vpp/api/vpe_types.api.h>
+#include <vpp/api/vpe.api.h>
+#undef vl_typedefs
+#undef vl_endianfun
+
+#include "kernel_vpp_plugin.h"
+#include "kernel_vpp_shared.h"
+#include "kernel_vpp_ipsec.h"
+#include "kernel_vpp_net.h"
+
+typedef struct private_kernel_vpp_plugin_t private_kernel_vpp_plugin_t;
+
+/**
+ * private data of kernel vpp plugin
+ */
+struct private_kernel_vpp_plugin_t
+{
+  /**
+   * implements plugin interface
+   */
+  kernel_vpp_plugin_t public;
+
+  vac_t *vac;
+};
+
+METHOD (plugin_t, get_name, char *, private_kernel_vpp_plugin_t *this)
+{
+  return "kernel-vpp";
+}
+
+METHOD (plugin_t, get_features, int, private_kernel_vpp_plugin_t *this,
+	plugin_feature_t *features[])
+{
+  static plugin_feature_t f[] = {
+    PLUGIN_CALLBACK (kernel_ipsec_register, kernel_vpp_ipsec_create),
+    PLUGIN_PROVIDE (CUSTOM, "kernel-ipsec"),
+    PLUGIN_CALLBACK (kernel_net_register, kernel_vpp_net_create),
+    PLUGIN_PROVIDE (CUSTOM, "kernel-net"),
+  };
+  *features = f;
+  return countof (f);
+}
+
+METHOD (plugin_t, destroy, void, private_kernel_vpp_plugin_t *this)
+{
+  if (this->vac)
+    {
+      lib->set (lib, "kernel-vpp-vac", NULL);
+      this->vac->destroy (this->vac);
+    }
+  free (this);
+}
+
+plugin_t *
+kernel_vpp_plugin_create ()
+{
+  private_kernel_vpp_plugin_t *this;
+
+  INIT(this,
+        .public = {
+            .plugin = {
+                .get_name = _get_name,
+                .get_features = _get_features,
+                .destroy = _destroy,
+            },
+        },
+    );
+
+  this->vac = vac_create ("strongswan");
+  if (!this->vac)
+    {
+      DBG1 (DBG_KNL, "vac_create failed");
+      destroy (this);
+      return NULL;
+    }
+  lib->set (lib, "kernel-vpp-vac", this->vac);
+
+  return &this->public.plugin;
+}

extras/strongswan/vpp_sswan/kernel_vpp_plugin.h

@@ -0,0 +1,34 @@
+#ifndef KERNEL_VPP_PLUGIN_H_
+#define KERNEL_VPP_PLUGIN_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_vpp_plugin_t kernel_vpp_plugin_t;
+
+/**
+ * vpp kernel interface plugin
+ */
+struct kernel_vpp_plugin_t
+{
+
+  /**
+   * implements plugin interface
+   */
+  plugin_t plugin;
+};
+
+#endif /** KERNEL_VPP_PLUGIN_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_shared.h

@@ -0,0 +1,85 @@
+#ifndef KERNEL_VPP_SHARED_H_
+#define KERNEL_VPP_SHARED_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+typedef struct vac_t vac_t;
+
+/**
+ * Callback function invoked for received event messages.
+ *
+ * @param data     associated event message, destroyed by VPP API wrapper
+ * @param data_len length of the event message
+ * @param ctx      user data, as passed to register_event
+ */
+typedef void (*event_cb_t) (char *data, int data_len, void *ctx);
+
+/**
+ * Wrapper around VPP binary API client.
+ */
+struct vac_t
+{
+
+  /**
+   * Destroy the VPP API client.
+   */
+  void (*destroy) (vac_t *this);
+
+  /**
+   * Send VPP API message and wait for a reply
+   *
+   * @param in      VPP API message to send
+   * @param in_len  length of the message to send
+   * @param out     received VPP API message
+   * @param out_len length of the received message
+   */
+  status_t (*send) (vac_t *this, char *in, int in_len, char **out,
+		    int *out_len);
+
+  /**
+   * Send VPP API dump message and wait for a reply.
+   *
+   * @param in      VPP API message to send
+   * @param in_len  length of the message to send
+   * @param out     received VPP API message
+   * @param out_len length of the received message
+   */
+  status_t (*send_dump) (vac_t *this, char *in, int in_len, char **out,
+			 int *out_len);
+
+  /**
+   * Register for VPP API event of a given kind.
+   *
+   * @param in       VPP API event message to register
+   * @param in_len   length of the event message to register
+   * @param cb       callback function to register
+   * @param event_id event ID
+   * @param ctx      user data passed to callback invocations
+   */
+  status_t (*register_event) (vac_t *this, char *in, int in_len, event_cb_t cb,
+			      uint16_t event_id, void *ctx);
+};
+
+extern vac_t *vac;
+
+/**
+ * Establishing a binary API connection to VPP.
+ *
+ * @param name client name
+ * @return     vac_t instance
+ */
+vac_t *vac_create (char *name);
+
+#endif /* KERNEL_VPP_SHARED_H_ */

extras/strongswan/vpp_sswan/swanctl.conf

@@ -0,0 +1,35 @@
+connections {
+  net-net {
+    local_addrs = 192.168.0.2
+    remote_addrs = 192.168.0.1
+    local {
+      auth = psk
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = psk
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 192.168.200.0/24
+        remote_ts = 192.168.100.0/24
+        esp_proposals = aes128-sha1-modp2048
+        rekey_time = 240m
+      }
+    }
+    version = 2
+    mobike = yes
+    encap = no # NAT-T if needed
+    proposals = aes128-sha256-x25519
+    }
+}
+secrets {
+  ike-net-net {
+    id = moon.strongswan.org
+    secret = simplepsk
+  }
+}
+
+# Include config snippets
+include conf.d/*.conf

src/plugins/cnat/cnat.rst

@@ -75,8 +75,8 @@ To show existing translations and sessions you can use
 
 .. code-block:: console
 
-  cnat show session verbose
-  cant show translation
+  show cnat session verbose
+  show cnat translation
 
 
 SourceNATing outgoing traffic
@@ -94,10 +94,18 @@ address assigned to an interface)
 
 .. code-block:: console
 
-  cnat snat with 30.0.0.1
-  cnat snat exclude 20.0.0.0/24
+  set cnat snat-policy addr 30.0.0.1
+  set cnat snat-policy if-pfx
+  set cnat snat-policy if table include-v4 tap0
+  set cnat snat-policy prefix 20.0.0.0/24
   set interface feature tap0 cnat-snat-ip4 arc ip4-unicast
 
+To show the enforced snat policies:
+
+.. code-block:: console
+
+  show cnat snat-policy
+
 Other parameters
 ----------------
 
@@ -105,7 +113,7 @@ In vpp's startup file, you can also configure the bihash sizes for
 
 * the translation bihash ``(proto, port) -> translation``
 * the session bihash ``src_ip, src_port, dest_ip, dest_port, proto -> new_src_ip, new_src_port, new_dest_ip, new_dest_port``
-* the snat bihash for searching ``snat exclude`` prefixes
+* the snat bihash for searching ``snat-policy`` excluded prefixes
 
 .. code-block:: console
 

src/plugins/crypto_sw_scheduler/main.c

@@ -260,17 +260,22 @@ process_ops (vlib_main_t * vm, vnet_crypto_async_frame_t * f,
 
   n_fail = n_ops - vnet_crypto_process_ops (vm, op, n_ops);
 
-  while (n_fail)
+  /*
+   * If we had a failure in the ops then we need to walk all the ops
+   * and set the status in the corresponding frame. This status is
+   * not set in the case with no failures, as in that case the overall
+   * frame status is success.
+   */
+  if (n_fail)
     {
-      ASSERT (op - ops < n_ops);
-
-      if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
+      for (int i = 0; i < n_ops; i++)
 	{
+	  ASSERT (op - ops < n_ops);
+
 	  f->elts[op->user_data].status = op->status;
-	  *state = VNET_CRYPTO_FRAME_STATE_ELT_ERROR;
-	  n_fail--;
+	  op++;
 	}
-      op++;
+      *state = VNET_CRYPTO_FRAME_STATE_ELT_ERROR;
     }
 }
 
@@ -287,17 +292,22 @@ process_chained_ops (vlib_main_t * vm, vnet_crypto_async_frame_t * f,
 
   n_fail = n_ops - vnet_crypto_process_chained_ops (vm, op, chunks, n_ops);
 
-  while (n_fail)
+  /*
+   * If we had a failure in the ops then we need to walk all the ops
+   * and set the status in the corresponding frame. This status is
+   * not set in the case with no failures, as in that case the overall
+   * frame status is success.
+   */
+  if (n_fail)
     {
-      ASSERT (op - ops < n_ops);
-
-      if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
+      for (int i = 0; i < n_ops; i++)
 	{
+	  ASSERT (op - ops < n_ops);
+
 	  f->elts[op->user_data].status = op->status;
-	  *state = VNET_CRYPTO_FRAME_STATE_ELT_ERROR;
-	  n_fail--;
+	  op++;
 	}
-      op++;
+      *state = VNET_CRYPTO_FRAME_STATE_ELT_ERROR;
     }
 }
 
@@ -471,6 +481,15 @@ crypto_sw_scheduler_process_aead (vlib_main_t *vm,
 	      tail = current_queue->tail;
 	      head = current_queue->head;
 
+	      /* Skip this queue unless tail < head or head has overflowed
+	       * and tail has not. At the point where tail overflows (== 0),
+	       * the largest possible value of head is (queue size - 1).
+	       * Prior to that, the largest possible value of head is
+	       * (queue size - 2).
+	       */
+	      if ((tail > head) && (head >= CRYPTO_SW_SCHEDULER_QUEUE_MASK))
+		goto skip_queue;
+
 	      for (j = tail; j != head; j++)
 		{
 
@@ -488,6 +507,7 @@ crypto_sw_scheduler_process_aead (vlib_main_t *vm,
 		    }
 		}
 
+	    skip_queue:
 	      if (found || i == ptd->last_serve_lcore_id)
 		{
 		  CLIB_MEMORY_STORE_BARRIER ();

src/plugins/dpdk/CMakeLists.txt

@@ -104,7 +104,9 @@ else()
       else()
         message(WARNING "EXPERIMENTAL: DPDK plugin without dlopen mode")
 	vpp_plugin_find_library(dpdk IBVERBS_LIB "libibverbs.a")
-	string_append(DPDK_LINK_FLAGS "${IBVERBS_LIB} -Wl,--exclude-libs,ALL")
+	vpp_plugin_find_library(dpdk MLX5_LIB "libmlx5.a")
+	vpp_plugin_find_library(dpdk MLX4_LIB "libmlx4.a")
+	string_append(DPDK_LINK_FLAGS "-Wl,--whole-archive,${IBVERBS_LIB},${MLX5_LIB},${MLX4_LIB} -Wl,--no-whole-archive,--exclude-libs,ALL")
       endif()
     endif()
 endif()

src/plugins/nat/nat44-ed/nat44_ed_api.c

@@ -1202,7 +1202,7 @@ vl_api_nat44_ed_add_del_vrf_table_t_handler (
   vl_api_nat44_ed_add_del_vrf_table_reply_t *rmp;
   int rv = nat44_ed_add_del_vrf_table (clib_net_to_host_u32 (mp->table_vrf_id),
 				       mp->is_add);
-  REPLY_MACRO (VL_API_NAT44_ED_ADD_DEL_VRF_TABLE);
+  REPLY_MACRO (VL_API_NAT44_ED_ADD_DEL_VRF_TABLE_REPLY);
 }
 
 static void
@@ -1214,7 +1214,7 @@ vl_api_nat44_ed_add_del_vrf_route_t_handler (
   int rv =
     nat44_ed_add_del_vrf_route (clib_net_to_host_u32 (mp->table_vrf_id),
 				clib_net_to_host_u32 (mp->vrf_id), mp->is_add);
-  REPLY_MACRO (VL_API_NAT44_ED_ADD_DEL_VRF_ROUTE);
+  REPLY_MACRO (VL_API_NAT44_ED_ADD_DEL_VRF_ROUTE_REPLY);
 }
 
 static void

src/plugins/unittest/counter_test.c

@@ -89,6 +89,9 @@ test_simple_counter_expand (vlib_main_t *vm)
       epoch = new_epoch;
     }
 
+  vlib_free_simple_counter (&counter);
+  vlib_validate_simple_counter (&counter, 0);
+
   return 0;
 }
 
@@ -136,6 +139,9 @@ test_combined_counter_expand (vlib_main_t *vm)
       epoch = new_epoch;
     }
 
+  vlib_free_combined_counter (&counter);
+  vlib_validate_combined_counter (&counter, 0);
+
   return 0;
 }
 

src/vlib/counter.c

@@ -108,7 +108,10 @@ vlib_free_simple_counter (vlib_simple_counter_main_t * cm)
       vec_free (cm->counters);
     }
   else
-    vlib_stats_remove_entry (cm->stats_entry_index);
+    {
+      vlib_stats_remove_entry (cm->stats_entry_index);
+      cm->counters = NULL;
+    }
 }
 
 void
@@ -176,7 +179,10 @@ vlib_free_combined_counter (vlib_combined_counter_main_t * cm)
       vec_free (cm->counters);
     }
   else
-    vlib_stats_remove_entry (cm->stats_entry_index);
+    {
+      vlib_stats_remove_entry (cm->stats_entry_index);
+      cm->counters = NULL;
+    }
 }
 
 u32

src/vnet/crypto/crypto.h

@@ -338,7 +338,7 @@ typedef struct
   i16 crypto_start_offset; /* first buffer offset */
   i16 integ_start_offset;
   /* adj total_length for integ, e.g.4 bytes for IPSec ESN */
-  u16 integ_length_adj;
+  i16 integ_length_adj;
   vnet_crypto_op_status_t status : 8;
   u8 flags; /**< share same VNET_CRYPTO_OP_FLAG_* values */
 } vnet_crypto_async_frame_elt_t;
@@ -628,7 +628,7 @@ static_always_inline void
 vnet_crypto_async_add_to_frame (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
 				u32 key_index, u32 crypto_len,
 				i16 integ_len_adj, i16 crypto_start_offset,
-				u16 integ_start_offset, u32 buffer_index,
+				i16 integ_start_offset, u32 buffer_index,
 				u16 next_node, u8 *iv, u8 *tag, u8 *aad,
 				u8 flags)
 {

src/vnet/ipsec/esp_decrypt.c

@@ -1189,7 +1189,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
       else
 	esp_decrypt_prepare_sync_op (
 	  vm, node, ptd, &crypto_ops, &integ_ops, op, sa0, payload, len,
-	  cpd.icv_sz, cpd.iv_sz, pd, pd2, b[0], sync_next, b - bufs);
+	  cpd.icv_sz, cpd.iv_sz, pd, pd2, b[0], sync_next, n_sync);
       /* next */
     next:
       if (ESP_DECRYPT_ERROR_RX_PKTS != err)

src/vnet/ipsec/esp_encrypt.c

@@ -215,6 +215,24 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr)
   return len;
 }
 
+/* IPsec IV generation: IVs requirements differ depending of the
+ * encryption mode: IVs must be unpredictable for AES-CBC whereas it can
+ * be predictable but should never be reused with the same key material
+ * for CTR and GCM.
+ * We use a packet counter as the IV for CTR and GCM, and to ensure the
+ * IV is unpredictable for CBC, it is then encrypted using the same key
+ * as the message. You can refer to NIST SP800-38a and NIST SP800-38d
+ * for more details. */
+static_always_inline void *
+esp_generate_iv (ipsec_sa_t *sa, void *payload, int iv_sz)
+{
+  ASSERT (iv_sz >= sizeof (u64));
+  u64 *iv = (u64 *) (payload - iv_sz);
+  clib_memset_u8 (iv, 0, iv_sz);
+  *iv = sa->iv_counter++;
+  return iv;
+}
+
 static_always_inline void
 esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
 			 vnet_crypto_op_t * ops, vlib_buffer_t * b[],
@@ -368,27 +386,29 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
       vnet_crypto_op_t *op;
       vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES);
       vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
+      u8 *crypto_start = payload;
+      /* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always
+       * have enough space for ESP header and footer which includes ICV */
+      ASSERT (payload_len > icv_sz);
+      u16 crypto_len = payload_len - icv_sz;
+
+      /* generate the IV in front of the payload */
+      void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz);
 
-      op->src = op->dst = payload;
       op->key_index = sa0->crypto_key_index;
-      op->len = payload_len - icv_sz;
       op->user_data = bi;
 
       if (ipsec_sa_is_set_IS_CTR (sa0))
 	{
-	  ASSERT (sizeof (u64) == iv_sz);
 	  /* construct nonce in a scratch space in front of the IP header */
 	  esp_ctr_nonce_t *nonce =
-	    (esp_ctr_nonce_t *) (payload - sizeof (u64) - hdr_len -
-				 sizeof (*nonce));
-	  u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
-
+	    (esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
 	  if (ipsec_sa_is_set_IS_AEAD (sa0))
 	    {
 	      /* constuct aad in a scratch space in front of the nonce */
 	      op->aad = (u8 *) nonce - sizeof (esp_aead_t);
 	      op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
-	      op->tag = payload + op->len;
+	      op->tag = payload + crypto_len;
 	      op->tag_len = 16;
 	    }
 	  else
@@ -397,13 +417,17 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	    }
 
 	  nonce->salt = sa0->salt;
-	  nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa0->ctr_iv_counter++);
+	  nonce->iv = *(u64 *) pkt_iv;
 	  op->iv = (u8 *) nonce;
 	}
       else
 	{
-	  op->iv = payload - iv_sz;
-	  op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
+	  /* construct zero iv in front of the IP header */
+	  op->iv = pkt_iv - hdr_len - iv_sz;
+	  clib_memset_u8 (op->iv, 0, iv_sz);
+	  /* include iv field in crypto */
+	  crypto_start -= iv_sz;
+	  crypto_len += iv_sz;
 	}
 
       if (lb != b[0])
@@ -412,8 +436,15 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	  op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
 	  op->chunk_index = vec_len (ptd->chunks);
 	  op->tag = vlib_buffer_get_tail (lb) - icv_sz;
-	  esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload,
-				    payload_len, &op->n_chunks);
+	  esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz,
+				    crypto_start, crypto_len + icv_sz,
+				    &op->n_chunks);
+	}
+      else
+	{
+	  /* not chained */
+	  op->src = op->dst = crypto_start;
+	  op->len = crypto_len;
 	}
     }
 
@@ -463,26 +494,26 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
   u8 *tag, *iv, *aad = 0;
   u8 flag = 0;
   u32 key_index;
-  i16 crypto_start_offset, integ_start_offset = 0;
+  i16 crypto_start_offset, integ_start_offset;
   u16 crypto_total_len, integ_total_len;
 
   post->next_index = next;
 
   /* crypto */
-  crypto_start_offset = payload - b->data;
+  crypto_start_offset = integ_start_offset = payload - b->data;
   crypto_total_len = integ_total_len = payload_len - icv_sz;
   tag = payload + crypto_total_len;
 
   key_index = sa->linked_key_index;
 
+  /* generate the IV in front of the payload */
+  void *pkt_iv = esp_generate_iv (sa, payload, iv_sz);
+
   if (ipsec_sa_is_set_IS_CTR (sa))
     {
-      ASSERT (sizeof (u64) == iv_sz);
       /* construct nonce in a scratch space in front of the IP header */
-      esp_ctr_nonce_t *nonce = (esp_ctr_nonce_t *) (payload - sizeof (u64) -
-						    hdr_len - sizeof (*nonce));
-      u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
-
+      esp_ctr_nonce_t *nonce =
+	(esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
       if (ipsec_sa_is_set_IS_AEAD (sa))
 	{
 	  /* constuct aad in a scratch space in front of the nonce */
@@ -496,13 +527,17 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	}
 
       nonce->salt = sa->salt;
-      nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->ctr_iv_counter++);
+      nonce->iv = *(u64 *) pkt_iv;
       iv = (u8 *) nonce;
     }
   else
     {
-      iv = payload - iv_sz;
-      flag |= VNET_CRYPTO_OP_FLAG_INIT_IV;
+      /* construct zero iv in front of the IP header */
+      iv = pkt_iv - hdr_len - iv_sz;
+      clib_memset_u8 (iv, 0, iv_sz);
+      /* include iv field in crypto */
+      crypto_start_offset -= iv_sz;
+      crypto_total_len += iv_sz;
     }
 
   if (lb != b)
@@ -510,13 +545,14 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
       /* chain */
       flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
       tag = vlib_buffer_get_tail (lb) - icv_sz;
-      crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb, icv_sz,
-						   payload, payload_len, 0);
+      crypto_total_len = esp_encrypt_chain_crypto (
+	vm, ptd, sa, b, lb, icv_sz, b->data + crypto_start_offset,
+	crypto_total_len + icv_sz, 0);
     }
 
   if (sa->integ_op_id)
     {
-      integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t);
+      integ_start_offset -= iv_sz + sizeof (esp_header_t);
       integ_total_len += iv_sz + sizeof (esp_header_t);
 
       if (b != lb)