Compare commits
18 Commits
v23.10-rc1
...
v22.06.1
Author | SHA1 | Date | |
---|---|---|---|
|
1513b381d8 | ||
|
9b8dc82531 | ||
|
d03b3bf62f | ||
|
0ded107caf | ||
|
9dac6f9675 | ||
|
fa27d4d4f1 | ||
|
0d352a97c5 | ||
|
0ffc5016dd | ||
|
6777efdda0 | ||
|
996550c62f | ||
|
b65e76e108 | ||
|
40d811fee8 | ||
|
ea4bcec987 | ||
|
2d4b5c3670 | ||
|
d9f83ae3f1 | ||
|
ea7a4cb891 | ||
|
5373a6bcc8 | ||
|
211fa4748c |
@ -2,3 +2,4 @@
|
||||
host=gerrit.fd.io
|
||||
port=29418
|
||||
project=vpp
|
||||
defaultbranch=stable/2206
|
||||
|
@ -41,6 +41,7 @@ F: src/vnet/bonding/
|
||||
Sphinx Documents
|
||||
I: docs
|
||||
M: John DeNisco <jdenisco@cisco.com>
|
||||
M: Dave Wallace <dwallacelf@gmail.com>
|
||||
F: docs/
|
||||
|
||||
Infrastructure Library
|
||||
|
486
build/external/patches/dpdk_22.03/0001-net-iavf-add-basic-neon-rx.patch
vendored
Normal file
@ -6,7 +6,8 @@ Release notes
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
v22.06.1
|
||||
v22.06
|
||||
v22.02
|
||||
v21.10.1
|
||||
v21.10
|
||||
past
|
||||
|
@ -6,6 +6,7 @@ Past releases
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
v21.10
|
||||
v21.06
|
||||
v21.01
|
||||
v20.09
|
||||
@ -37,4 +38,3 @@ Past releases
|
||||
v17.01
|
||||
v16.09
|
||||
v16.06
|
||||
|
||||
|
12
docs/aboutvpp/releasenotes/v22.06.1.rst
Normal file
@ -0,0 +1,12 @@
|
||||
Release notes for VPP 22.06.1
|
||||
=============================
|
||||
|
||||
This is bug fix release.
|
||||
|
||||
Of particular importance, this release contains the fix for
|
||||
`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
|
||||
|
||||
For the full list of fixed issues please refer to:
|
||||
|
||||
- fd.io `JIRA <https://jira.fd.io>`__
|
||||
- git `commit log <https://git.fd.io/vpp/log/?h=stable/2206>`__
|
605
docs/aboutvpp/releasenotes/v22.06.rst
Normal file
@ -16,17 +16,17 @@ Skills to be Learned
|
||||
VPP commands learned in this exercise
|
||||
--------------------------------------
|
||||
|
||||
#. `create host-interface <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_devices_af_packet.html#clicmd_create_host-interface>`_
|
||||
#. `set int state <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_set_interface_state>`_
|
||||
#. `set int ip address <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_ip.html#clicmd_set_interface_ip_address>`_
|
||||
#. `show hardware <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_hardware-interfaces>`_
|
||||
#. `show int <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_interfaces>`_
|
||||
#. `show int addr <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_interfaces>`_
|
||||
#. `trace add <https://docs.fd.io/vpp/17.04/clicmd_src_vlib.html#clicmd_trace_add>`_
|
||||
#. `clear trace <https://docs.fd.io/vpp/17.04/clicmd_src_vlib.html#clicmd_clear_trace>`_
|
||||
#. `ping <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_ip.html#clicmd_ping>`_
|
||||
#. `show ip neighbors <https://docs.fd.io/vpp/21.06/db/dba/clicmd_src_vnet_ip-neighbor.html#clicmd_show_ip_neighbors>`_
|
||||
#. `show ip fib <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_fib.html#clicmd_show_ip_fib>`_
|
||||
#. `create host-interface <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_devices_af_packet.html#create-host-interface>`_
|
||||
#. `set int state <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#set-interface-state>`_
|
||||
#. `set int ip address <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_ip.html#set-interface-ip-address>`_
|
||||
#. `show hardware <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-hardware-interfaces>`_
|
||||
#. `show int <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-interface>`_
|
||||
#. `show int addr <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-interface>`_
|
||||
#. `trace add <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vlib.html#trace-add>`_
|
||||
#. `clear trace <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vlib.html#clear-trace>`_
|
||||
#. `ping <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_plugins_ping.html>`_
|
||||
#. `show ip neighbors <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_ip-neighbor.html#show-ip-neighbors>`_
|
||||
#. `show ip fib <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_fib.html#show-ip-fib>`_
|
||||
|
||||
Topology
|
||||
---------
|
||||
|
@ -10,7 +10,7 @@ back-and-forth (i.e. ICMP echo/ping requests and HTTP GET requests).
|
||||
The intent of this example is to provide a relatively simple example of
|
||||
connecting containers via VPP and allowing others to use it as a springboard of
|
||||
sorts for their own projects and examples. Besides Docker and a handful of
|
||||
common Linux command-line utlities, not much else is required to build this
|
||||
common Linux command-line utilities, not much else is required to build this
|
||||
example (due to most of the dependencies being lumped inside the containers
|
||||
themselves).
|
||||
|
||||
@ -60,7 +60,7 @@ project.
|
||||
other scripts in this project. Intended to be sourced (i.e. not intended to
|
||||
be run directly). Some of the helper functions are used at run-time within
|
||||
the containers, while others are intended to be run in the default namespace
|
||||
on the host operating system to help with run-time configuration/bringup of
|
||||
on the host operating system to help with run-time configuration/bring up of
|
||||
the testbench.
|
||||
* ``Dockerfile.vpp_testbench``: used to build the various Docker images used in
|
||||
this project (i.e. so VPP, our test tools, etc.; are all encapsulated within
|
||||
@ -81,7 +81,7 @@ Getting Started
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
First, we'll assume you are running on a Ubuntu 20.04 x86_64 setup (either on a
|
||||
bare metal host or in a virtual machine), and have acquirec a copy of the
|
||||
bare metal host or in a virtual machine), and have acquired a copy of the
|
||||
project files (either by cloning the VPP git repository, or duplicating them
|
||||
from :ref:`sec_file_listings_vpp_testbench`). Now, just run ``make``. The
|
||||
process should take a few minutes as it pulls the baseline Ubuntu Docker image,
|
||||
@ -96,11 +96,11 @@ can be cleaned-up via ``make stop``, and the whole process of starting,
|
||||
testing, stopping, etc.; can be repeated as needed.
|
||||
|
||||
In addition to starting up the containers, ``make start`` will establish
|
||||
variaous types of links/connections between the two containers, making use of
|
||||
various types of links/connections between the two containers, making use of
|
||||
both the Linux network stack, as well as VPP, to handle the "plumbing"
|
||||
involved. This is to allow various types of connections between the two
|
||||
containers, and to allow the reader to experiment with them (i.e. using
|
||||
``vppctl`` to congfigure or trace packets going over VPP-managed links, use
|
||||
``vppctl`` to configure or trace packets going over VPP-managed links, use
|
||||
traditional Linux command line utilities like ``tcpdump``, ``iproute2``,
|
||||
``ping``, etc.; to accomplish similar tasks over links managed purely by the
|
||||
Linux network stack, etc.). Later labs will also encourage readers to compare
|
||||
@ -177,4 +177,3 @@ entrypoint_server.sh
|
||||
:caption: entrypoint_server.sh
|
||||
:language: shell
|
||||
:linenos:
|
||||
|
||||
|
@ -36,54 +36,41 @@ typedef struct
|
||||
volatile int active_open_establishing;
|
||||
volatile int po_disconnected;
|
||||
volatile int ao_disconnected;
|
||||
|
||||
u32 ps_index;
|
||||
u32 po_thread_index;
|
||||
} proxy_session_t;
|
||||
|
||||
typedef struct
|
||||
{
|
||||
svm_queue_t *vl_input_queue; /**< vpe input queue */
|
||||
/** per-thread vectors */
|
||||
svm_msg_q_t **server_event_queue;
|
||||
svm_msg_q_t **active_open_event_queue;
|
||||
proxy_session_t *sessions; /**< session pool, shared */
|
||||
clib_spinlock_t sessions_lock; /**< lock for session pool */
|
||||
u8 **rx_buf; /**< intermediate rx buffers */
|
||||
|
||||
u32 cli_node_index; /**< cli process node index */
|
||||
u32 server_client_index; /**< server API client handle */
|
||||
u32 server_app_index; /**< server app index */
|
||||
u32 active_open_client_index; /**< active open API client handle */
|
||||
u32 active_open_app_index; /**< active open index after attach */
|
||||
|
||||
uword *proxy_session_by_server_handle;
|
||||
uword *proxy_session_by_active_open_handle;
|
||||
u32 ckpair_index; /**< certkey pair index for tls */
|
||||
|
||||
/*
|
||||
* Configuration params
|
||||
*/
|
||||
u8 *connect_uri; /**< URI for slave's connect */
|
||||
u32 configured_segment_size;
|
||||
u32 fifo_size; /**< initial fifo size */
|
||||
u32 max_fifo_size; /**< max fifo size */
|
||||
u8 high_watermark; /**< high watermark (%) */
|
||||
u8 low_watermark; /**< low watermark (%) */
|
||||
u32 private_segment_count; /**< Number of private fifo segs */
|
||||
u32 private_segment_size; /**< size of private fifo segs */
|
||||
u64 segment_size; /**< size of fifo segs */
|
||||
u8 prealloc_fifos; /**< Request fifo preallocation */
|
||||
int rcv_buffer_size;
|
||||
session_endpoint_cfg_t server_sep;
|
||||
session_endpoint_cfg_t client_sep;
|
||||
|
||||
u32 ckpair_index;
|
||||
/*
|
||||
* Test state variables
|
||||
*/
|
||||
proxy_session_t *sessions; /**< Session pool, shared */
|
||||
clib_spinlock_t sessions_lock;
|
||||
u32 **connection_index_by_thread;
|
||||
pthread_t client_thread_handle;
|
||||
|
||||
/*
|
||||
* Flags
|
||||
*/
|
||||
u8 is_init;
|
||||
u8 prealloc_fifos; /**< Request fifo preallocation */
|
||||
} proxy_main_t;
|
||||
|
||||
extern proxy_main_t proxy_main;
|
||||
|
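Review bot: One of the two `u32 ckpair_index;` declarations in `proxy_main_t` carries the `/**< certkey pair index for tls */` doc comment and the other does not, and `clib_spinlock_t sessions_lock;` likewise appears once with `/**< lock for session pool */` and once bare; this page does not show which copy is the new side, so please make sure the reorganised struct keeps the Doxygen comment on every field rather than losing them in the move. The `proxy_session_t` flags `active_open_establishing`, `po_disconnected` and `ao_disconnected` are `volatile int`; if they are read from more than one thread, `volatile` gives no synchronisation, so a comment should say what actually protects them (presumably `sessions_lock`) or that they are single-thread only. The `typedef struct` opening `proxy_main_t` is outside the hunk.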
@ -1345,7 +1345,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
|
||||
next0 = next1 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
|
||||
|
||||
if (PREDICT_FALSE (ip0->ttl == 1))
|
||||
if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
|
||||
{
|
||||
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
|
||||
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
|
||||
@ -1564,7 +1564,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
rx_fib_index1 =
|
||||
vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index1);
|
||||
|
||||
if (PREDICT_FALSE (ip1->ttl == 1))
|
||||
if (PREDICT_FALSE (!is_output_feature && ip1->ttl == 1))
|
||||
{
|
||||
vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
|
||||
icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
|
||||
@ -1811,7 +1811,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
rx_fib_index0 =
|
||||
vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index0);
|
||||
|
||||
if (PREDICT_FALSE (ip0->ttl == 1))
|
||||
if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
|
||||
{
|
||||
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
|
||||
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
|
||||
|
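Review bot: The three new `!is_output_feature && ipX->ttl == 1` conditions skip ICMP time-exceeded generation entirely on the output-feature path, but nothing in the hunk says why; presumably ip4-rewrite has already decremented and checked TTL before an output feature runs, so replying here again would be a duplicate or act on an already-decremented value. Put that reason in a comment at the first site, e.g. `/* output feature: ip4-rewrite already handled TTL expiry, do not reply a second time */`, so the asymmetry is not "fixed" back by a later cleanup. Since the identical condition now appears three times, a small static inline helper would keep the three sites from drifting. `nat44_ei_in2out_node_fn_inline` extends well beyond these hunks.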
@ -876,6 +876,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
|
||||
{
|
||||
/* Streams live on the same thread so (f, stream_data) should stay consistent */
|
||||
rlen = svm_fifo_enqueue (f, len, (u8 *) src);
|
||||
if (PREDICT_FALSE (rlen < 0))
|
||||
{
|
||||
/*
|
||||
* drop, fifo full
|
||||
* drop, fifo grow
|
||||
*/
|
||||
return;
|
||||
}
|
||||
QUIC_DBG (3, "Session [idx %u, app_wrk %u, ti %u, rx-fifo 0x%llx]: "
|
||||
"Enqueuing %u (rlen %u) at off %u in %u space, ",
|
||||
stream_session->session_index,
|
||||
@ -898,6 +906,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
|
||||
rlen = svm_fifo_enqueue_with_offset (f,
|
||||
off - stream_data->app_rx_data_len,
|
||||
len, (u8 *) src);
|
||||
if (PREDICT_FALSE (rlen < 0))
|
||||
{
|
||||
/*
|
||||
* drop, fifo full
|
||||
* drop, fifo grow
|
||||
*/
|
||||
return;
|
||||
}
|
||||
QUIC_ASSERT (rlen == 0);
|
||||
}
|
||||
return;
|
||||
|
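Review bot: The new `if (PREDICT_FALSE (rlen < 0)) return;` after `svm_fifo_enqueue` (and after `svm_fifo_enqueue_with_offset`) silently discards stream bytes that quicly has already received and will presumably acknowledge to the peer, so the application sees a gap it cannot recover; the drop should at least be visible, e.g. `QUIC_DBG (1, "rx fifo enqueue failed (%d), dropping %u bytes at off %u", rlen, len, off);` or an error counter, and the comment should say the data is lost rather than just "dropped". The `fifo full` / `fifo grow` comment names two cases while only a negative return is checked; describe the return value being tested instead. The guard itself is correct, since before this change a negative `rlen` would have flowed into the `app_rx_data_len` accounting. `quic_on_receive` continues outside the hunk.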
@ -562,6 +562,8 @@ always_inline uword
|
||||
wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
vlib_frame_t *frame, u8 is_ip4, u16 async_next_node)
|
||||
{
|
||||
vnet_main_t *vnm = vnet_get_main ();
|
||||
vnet_interface_main_t *im = &vnm->interface_main;
|
||||
wg_main_t *wmp = &wg_main;
|
||||
wg_per_thread_data_t *ptd =
|
||||
vec_elt_at_index (wmp->per_thread_data, vm->thread_index);
|
||||
@ -802,6 +804,11 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
last_peer_time_idx = peer_idx;
|
||||
}
|
||||
|
||||
vlib_increment_combined_counter (im->combined_sw_if_counters +
|
||||
VNET_INTERFACE_COUNTER_RX,
|
||||
vm->thread_index, peer->wg_sw_if_index,
|
||||
1 /* packets */, b[0]->current_length);
|
||||
|
||||
trace:
|
||||
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
|
||||
(b[0]->flags & VLIB_BUFFER_IS_TRACED)))
|
||||
@ -861,6 +868,8 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
|
||||
always_inline uword
|
||||
wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
|
||||
{
|
||||
vnet_main_t *vnm = vnet_get_main ();
|
||||
vnet_interface_main_t *im = &vnm->interface_main;
|
||||
wg_main_t *wmp = &wg_main;
|
||||
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
|
||||
u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
|
||||
@ -920,6 +929,12 @@ wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
|
||||
wg_timers_any_authenticated_packet_traversal (peer);
|
||||
last_peer_time_idx = peer_idx;
|
||||
}
|
||||
|
||||
vlib_increment_combined_counter (im->combined_sw_if_counters +
|
||||
VNET_INTERFACE_COUNTER_RX,
|
||||
vm->thread_index, peer->wg_sw_if_index,
|
||||
1 /* packets */, b[0]->current_length);
|
||||
|
||||
trace:
|
||||
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
|
||||
(b[0]->flags & VLIB_BUFFER_IS_TRACED)))
|
||||
|
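Review bot: Both new `vlib_increment_combined_counter` calls count `b[0]->current_length` at a point after the packet has been authenticated/decrypted in `wg_input_inline` and `wg_input_post`, so the byte count is presumably the decrypted inner length rather than the bytes received on the wire; whichever it is, state it in a comment such as `/* RX bytes = decrypted payload length, not the encapsulated size */`, because the two differ by the WireGuard header and tag and operators compare these counters against link statistics. The increment is also done once per packet while the peer-timer update just above is already batched on `last_peer_time_idx`; the counter could be batched per peer run the same way. Both functions extend beyond the hunk.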
@ -790,7 +790,8 @@ vppcom_session_disconnect (u32 session_handle)
|
||||
if (session->listener_index != VCL_INVALID_SESSION_INDEX)
|
||||
{
|
||||
listen_session = vcl_session_get (wrk, session->listener_index);
|
||||
listen_session->n_accepted_sessions--;
|
||||
if (listen_session)
|
||||
listen_session->n_accepted_sessions--;
|
||||
}
|
||||
|
||||
return VPPCOM_OK;
|
||||
|
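Review bot: The added `if (listen_session)` guard avoids the NULL dereference but hides the state bug that produced it — a session whose `listener_index` is not `VCL_INVALID_SESSION_INDEX` yet whose listener has already been freed — and leaves `n_accepted_sessions` silently out of sync. Add an else branch that logs it with the file's debug macro, e.g. `/* listener already gone: accounting is now inconsistent */` followed by a debug message carrying `session->listener_index`, so the root cause can be found instead of masked. `vppcom_session_disconnect` starts outside the hunk.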
@ -338,7 +338,7 @@ typedef struct
|
||||
i16 crypto_start_offset; /* first buffer offset */
|
||||
i16 integ_start_offset;
|
||||
/* adj total_length for integ, e.g.4 bytes for IPSec ESN */
|
||||
u16 integ_length_adj;
|
||||
i16 integ_length_adj;
|
||||
vnet_crypto_op_status_t status : 8;
|
||||
u8 flags; /**< share same VNET_CRYPTO_OP_FLAG_* values */
|
||||
} vnet_crypto_async_frame_elt_t;
|
||||
@ -628,7 +628,7 @@ static_always_inline void
|
||||
vnet_crypto_async_add_to_frame (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
|
||||
u32 key_index, u32 crypto_len,
|
||||
i16 integ_len_adj, i16 crypto_start_offset,
|
||||
u16 integ_start_offset, u32 buffer_index,
|
||||
i16 integ_start_offset, u32 buffer_index,
|
||||
u16 next_node, u8 *iv, u8 *tag, u8 *aad,
|
||||
u8 flags)
|
||||
{
|
||||
|
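Review bot: Changing `integ_length_adj` and `integ_start_offset` in `vnet_crypto_async_frame_elt_t` from `u16` to `i16` keeps the struct layout but changes the meaning of the top bit, so every async crypto engine that reads these fields has to be audited: an engine that still copies them into an unsigned local turns a negative integ offset (the ESP path places the integ start before the crypto start) into an offset near 64 K and silently hashes the wrong bytes, i.e. a wrong ICV rather than a crash. Out-of-tree engines built against the old header are affected without any compile error. A comment on the two fields, e.g. `/* signed: integ region may start before crypto_start_offset (ESP header + IV) */`, would record the contract for engine authors; the `vnet_crypto_async_add_to_frame` body continues outside the hunk.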
@ -20,14 +20,14 @@ impractical to parse headers which are split over multiple vnet
|
||||
buffers, vnet_buffer_chain_linearize() is called after reassembly so
|
||||
that L2/L3/L4 headers can be found in first buffer. Full reassembly
|
||||
is costly and shouldn't be used unless necessary. Full reassembly is by
|
||||
default enabled for both ipv4 and ipv6 traffic for "forus" traffic
|
||||
default enabled for both ipv4 and ipv6 "for us" traffic
|
||||
- that is packets aimed at VPP addresses. This can be disabled via API
|
||||
if desired, in which case "forus" fragments are dropped.
|
||||
if desired, in which case "for us" fragments are dropped.
|
||||
|
||||
2. Shallow (virtual) reassembly allows various classifying and/or
|
||||
translating features to work with fragments without having to
|
||||
understand fragmentation. It works by extracting L4 data and adding
|
||||
them to vnet_buffer for each packet/fragment passing throught SVR
|
||||
them to vnet_buffer for each packet/fragment passing through SVR
|
||||
nodes. This operation is performed for both fragments and regular
|
||||
packets, allowing consuming code to treat all packets in same way. SVR
|
||||
caches incoming packet fragments (buffers) until first fragment is
|
||||
@ -42,7 +42,7 @@ Multi-worker behaviour
|
||||
Both reassembly types deal with fragments arriving on different workers
|
||||
via handoff mechanism. All reassembly contexts are stored in pools.
|
||||
Bihash mapping 5-tuple key to a value containing pool index and thread
|
||||
index is used for lookups. When a lookup finds an existing reasembly on
|
||||
index is used for lookups. When a lookup finds an existing reassembly on
|
||||
a different thread, it hands off the fragment to that thread. If lookup
|
||||
fails, a new reassembly context is created and current worker becomes
|
||||
owner of that context. Further fragments received on other worker
|
||||
@ -64,7 +64,7 @@ fragments per packet.
|
||||
Custom applications
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Both reassembly features allow to be used by custom applicatind which
|
||||
Both reassembly features allow to be used by custom application which
|
||||
are not part of VPP source tree. Be it patches or 3rd party plugins,
|
||||
they can build their own graph paths by using "-custom*" versions of
|
||||
nodes. Reassembly then reads next_index and error_next_index for each
|
||||
|
@ -479,7 +479,15 @@ flow_report_process_send (vlib_main_t *vm, flow_report_main_t *frm,
|
||||
|
||||
nf = fr->flow_data_callback (frm, exp, fr, nf, to_next, next_node);
|
||||
if (nf)
|
||||
vlib_put_frame_to_node (vm, next_node, nf);
|
||||
{
|
||||
if (nf->n_vectors)
|
||||
vlib_put_frame_to_node (vm, next_node, nf);
|
||||
else
|
||||
{
|
||||
vlib_node_runtime_t *rt = vlib_node_get_runtime (vm, next_node);
|
||||
vlib_frame_free (vm, rt, nf);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static uword
|
||||
|
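Review bot: Freeing an empty frame instead of handing it to `next_node` is the right fix, but the reason is not recorded; add a comment above `if (nf->n_vectors)`, e.g. `/* the callback may allocate a frame and then emit nothing; putting an empty frame to the node would leak it */`. It is also worth confirming that `fr->flow_data_callback` only ever allocates `nf` for `next_node`, since `vlib_frame_free` is called with the runtime of `next_node` and would be wrong for a frame obtained for a different node. `flow_report_process_send` continues outside the hunk.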
@ -237,6 +237,24 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr)
|
||||
return len;
|
||||
}
|
||||
|
||||
/* IPsec IV generation: IVs requirements differ depending of the
|
||||
* encryption mode: IVs must be unpredictable for AES-CBC whereas it can
|
||||
* be predictable but should never be reused with the same key material
|
||||
* for CTR and GCM.
|
||||
* We use a packet counter as the IV for CTR and GCM, and to ensure the
|
||||
* IV is unpredictable for CBC, it is then encrypted using the same key
|
||||
* as the message. You can refer to NIST SP800-38a and NIST SP800-38d
|
||||
* for more details. */
|
||||
static_always_inline void *
|
||||
esp_generate_iv (ipsec_sa_t *sa, void *payload, int iv_sz)
|
||||
{
|
||||
ASSERT (iv_sz >= sizeof (u64));
|
||||
u64 *iv = (u64 *) (payload - iv_sz);
|
||||
clib_memset_u8 (iv, 0, iv_sz);
|
||||
*iv = sa->iv_counter++;
|
||||
return iv;
|
||||
}
|
||||
|
||||
static_always_inline void
|
||||
esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
vnet_crypto_op_t * ops, vlib_buffer_t * b[],
|
||||
@ -390,27 +408,29 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
vnet_crypto_op_t *op;
|
||||
vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES);
|
||||
vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
|
||||
u8 *crypto_start = payload;
|
||||
/* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always
|
||||
* have enough space for ESP header and footer which includes ICV */
|
||||
ASSERT (payload_len > icv_sz);
|
||||
u16 crypto_len = payload_len - icv_sz;
|
||||
|
||||
/* generate the IV in front of the payload */
|
||||
void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz);
|
||||
|
||||
op->src = op->dst = payload;
|
||||
op->key_index = sa0->crypto_key_index;
|
||||
op->len = payload_len - icv_sz;
|
||||
op->user_data = bi;
|
||||
|
||||
if (ipsec_sa_is_set_IS_CTR (sa0))
|
||||
{
|
||||
ASSERT (sizeof (u64) == iv_sz);
|
||||
/* construct nonce in a scratch space in front of the IP header */
|
||||
esp_ctr_nonce_t *nonce =
|
||||
(esp_ctr_nonce_t *) (payload - sizeof (u64) - hdr_len -
|
||||
sizeof (*nonce));
|
||||
u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
|
||||
|
||||
(esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
|
||||
if (ipsec_sa_is_set_IS_AEAD (sa0))
|
||||
{
|
||||
/* constuct aad in a scratch space in front of the nonce */
|
||||
op->aad = (u8 *) nonce - sizeof (esp_aead_t);
|
||||
op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
|
||||
op->tag = payload + op->len;
|
||||
op->tag = payload + crypto_len;
|
||||
op->tag_len = 16;
|
||||
}
|
||||
else
|
||||
@ -419,13 +439,17 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
}
|
||||
|
||||
nonce->salt = sa0->salt;
|
||||
nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa0->ctr_iv_counter++);
|
||||
nonce->iv = *(u64 *) pkt_iv;
|
||||
op->iv = (u8 *) nonce;
|
||||
}
|
||||
else
|
||||
{
|
||||
op->iv = payload - iv_sz;
|
||||
op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
|
||||
/* construct zero iv in front of the IP header */
|
||||
op->iv = pkt_iv - hdr_len - iv_sz;
|
||||
clib_memset_u8 (op->iv, 0, iv_sz);
|
||||
/* include iv field in crypto */
|
||||
crypto_start -= iv_sz;
|
||||
crypto_len += iv_sz;
|
||||
}
|
||||
|
||||
if (lb != b[0])
|
||||
@ -434,8 +458,15 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
|
||||
op->chunk_index = vec_len (ptd->chunks);
|
||||
op->tag = vlib_buffer_get_tail (lb) - icv_sz;
|
||||
esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload,
|
||||
payload_len, &op->n_chunks);
|
||||
esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz,
|
||||
crypto_start, crypto_len + icv_sz,
|
||||
&op->n_chunks);
|
||||
}
|
||||
else
|
||||
{
|
||||
/* not chained */
|
||||
op->src = op->dst = crypto_start;
|
||||
op->len = crypto_len;
|
||||
}
|
||||
}
|
||||
|
||||
@ -485,26 +516,26 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
u8 *tag, *iv, *aad = 0;
|
||||
u8 flag = 0;
|
||||
u32 key_index;
|
||||
i16 crypto_start_offset, integ_start_offset = 0;
|
||||
i16 crypto_start_offset, integ_start_offset;
|
||||
u16 crypto_total_len, integ_total_len;
|
||||
|
||||
post->next_index = next;
|
||||
|
||||
/* crypto */
|
||||
crypto_start_offset = payload - b->data;
|
||||
crypto_start_offset = integ_start_offset = payload - b->data;
|
||||
crypto_total_len = integ_total_len = payload_len - icv_sz;
|
||||
tag = payload + crypto_total_len;
|
||||
|
||||
key_index = sa->linked_key_index;
|
||||
|
||||
/* generate the IV in front of the payload */
|
||||
void *pkt_iv = esp_generate_iv (sa, payload, iv_sz);
|
||||
|
||||
if (ipsec_sa_is_set_IS_CTR (sa))
|
||||
{
|
||||
ASSERT (sizeof (u64) == iv_sz);
|
||||
/* construct nonce in a scratch space in front of the IP header */
|
||||
esp_ctr_nonce_t *nonce = (esp_ctr_nonce_t *) (payload - sizeof (u64) -
|
||||
hdr_len - sizeof (*nonce));
|
||||
u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
|
||||
|
||||
esp_ctr_nonce_t *nonce =
|
||||
(esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
|
||||
if (ipsec_sa_is_set_IS_AEAD (sa))
|
||||
{
|
||||
/* constuct aad in a scratch space in front of the nonce */
|
||||
@ -518,13 +549,17 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
}
|
||||
|
||||
nonce->salt = sa->salt;
|
||||
nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->ctr_iv_counter++);
|
||||
nonce->iv = *(u64 *) pkt_iv;
|
||||
iv = (u8 *) nonce;
|
||||
}
|
||||
else
|
||||
{
|
||||
iv = payload - iv_sz;
|
||||
flag |= VNET_CRYPTO_OP_FLAG_INIT_IV;
|
||||
/* construct zero iv in front of the IP header */
|
||||
iv = pkt_iv - hdr_len - iv_sz;
|
||||
clib_memset_u8 (iv, 0, iv_sz);
|
||||
/* include iv field in crypto */
|
||||
crypto_start_offset -= iv_sz;
|
||||
crypto_total_len += iv_sz;
|
||||
}
|
||||
|
||||
if (lb != b)
|
||||
@ -532,13 +567,14 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
|
||||
/* chain */
|
||||
flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
|
||||
tag = vlib_buffer_get_tail (lb) - icv_sz;
|
||||
crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb, icv_sz,
|
||||
payload, payload_len, 0);
|
||||
crypto_total_len = esp_encrypt_chain_crypto (
|
||||
vm, ptd, sa, b, lb, icv_sz, b->data + crypto_start_offset,
|
||||
crypto_total_len + icv_sz, 0);
|
||||
}
|
||||
|
||||
if (sa->integ_op_id)
|
||||
{
|
||||
integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t);
|
||||
integ_start_offset -= iv_sz + sizeof (esp_header_t);
|
||||
integ_total_len += iv_sz + sizeof (esp_header_t);
|
||||
|
||||
if (b != lb)
|
||||
|
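Review bot: `esp_generate_iv` bumps `sa->iv_counter` with a plain non-atomic `++`, and nothing in this hunk shows the counter being seeded at SA creation; if an SA can be driven from more than one worker, or if `iv_counter` restarts at 0 whenever an SA is re-added with the same key, the same IV is emitted twice, which for GCM/CTR breaks confidentiality and integrity outright — please confirm the SA is pinned to one thread (as the existing `seq`/replay handling presumably already requires) and seed `iv_counter` from the RNG in the SA constructor. The CBC construction (a zero IV in scratch space in front of the IP header, with the counter block included in the encrypted range so the wire IV becomes E_k(counter)) matches SP800-38A Appendix C and is the right fix for CVE-2022-46397, but the comment above `esp_generate_iv` should say so explicitly, e.g. `/* CBC: the counter block is encrypted with a zero IV; the first ciphertext block is the unpredictable wire IV (SP800-38A, Appendix C) */`. `ASSERT (iv_sz >= sizeof (u64))` compiles out in release builds while `*iv = sa->iv_counter++` unconditionally writes 8 bytes, so the caller contract that `iv_sz` is 8 or 16 belongs in that comment too. `esp_prepare_sync_op` and `esp_prepare_async_frame` both continue outside the hunk.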
@ -133,7 +133,7 @@ typedef struct
|
||||
u32 seq;
|
||||
u32 seq_hi;
|
||||
u64 replay_window;
|
||||
u64 ctr_iv_counter;
|
||||
u64 iv_counter;
|
||||
dpo_id_t dpo;
|
||||
|
||||
vnet_crypto_key_index_t crypto_key_index;
|
||||
|
@ -1312,6 +1312,7 @@ session_dgram_accept (transport_connection_t * tc, u32 listener_index,
|
||||
}
|
||||
|
||||
session_lookup_add_connection (tc, session_handle (s));
|
||||
s->session_state = SESSION_STATE_ACCEPTING;
|
||||
|
||||
app_wrk = app_worker_get (s->app_wrk_index);
|
||||
if ((rv = app_worker_accept_notify (app_wrk, s)))
|
||||
@ -1684,7 +1685,7 @@ session_vpp_wrk_mqs_alloc (session_main_t *smm)
|
||||
* if larger than minimum size.
|
||||
*/
|
||||
mqs_seg_size = svm_msg_q_size_to_alloc (cfg) * vec_len (smm->wrk);
|
||||
mqs_seg_size = mqs_seg_size + (32 << 10);
|
||||
mqs_seg_size = mqs_seg_size + (1 << 20);
|
||||
mqs_seg_size = clib_max (mqs_seg_size, smm->wrk_mqs_segment_size);
|
||||
|
||||
mqs_seg->ssvm.ssvm_size = mqs_seg_size;
|
||||
@ -2098,6 +2099,9 @@ session_config_fn (vlib_main_t * vm, unformat_input_t * input)
|
||||
else
|
||||
clib_warning ("event queue length %d too small, ignored", nitems);
|
||||
}
|
||||
else if (unformat (input, "wrk-mqs-segment-size %U",
|
||||
unformat_memory_size, &smm->wrk_mqs_segment_size))
|
||||
;
|
||||
else if (unformat (input, "preallocated-sessions %d",
|
||||
&smm->preallocated_sessions))
|
||||
;
|
||||
@ -2174,7 +2178,7 @@ session_config_fn (vlib_main_t * vm, unformat_input_t * input)
|
||||
else if (unformat (input, "segment-baseva 0x%lx", &tmp))
|
||||
;
|
||||
else if (unformat (input, "evt_qs_seg_size %U", unformat_memory_size,
|
||||
&tmp))
|
||||
&smm->wrk_mqs_segment_size))
|
||||
;
|
||||
else if (unformat (input, "event-queue-length %d", &nitems))
|
||||
{
|
||||
|
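Review bot: After this hunk two configuration keys, `evt_qs_seg_size` and the new `wrk-mqs-segment-size`, both write `smm->wrk_mqs_segment_size`, with whichever appears last winning and no hint that the old spelling is an alias; at minimum warn in the old branch, e.g. `clib_warning ("evt_qs_seg_size is deprecated, use wrk-mqs-segment-size");`, or document the alias next to the new key. The `(1 << 20)` headroom that replaces `(32 << 10)` in `session_vpp_wrk_mqs_alloc` has no comment on why 1 MB is needed; give it a name and a reason. The `session_lookup_add_connection` added to `session_dgram_accept` needs a matching delete when the accepted datagram session is freed, which is not visible here — please confirm. `session_config_fn` continues outside the hunk.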
@ -841,7 +841,6 @@ session_enable_disable_fn (vlib_main_t * vm, unformat_input_t * input,
|
||||
vlib_cli_command_t * cmd)
|
||||
{
|
||||
u8 is_en = 2;
|
||||
clib_error_t *error;
|
||||
|
||||
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
|
||||
{
|
||||
@ -850,12 +849,8 @@ session_enable_disable_fn (vlib_main_t * vm, unformat_input_t * input,
|
||||
else if (unformat (input, "disable"))
|
||||
is_en = 0;
|
||||
else
|
||||
{
|
||||
error = clib_error_return (0, "unknown input `%U'",
|
||||
format_unformat_error, input);
|
||||
unformat_free (input);
|
||||
return error;
|
||||
}
|
||||
return clib_error_return (0, "unknown input `%U'",
|
||||
format_unformat_error, input);
|
||||
}
|
||||
|
||||
if (is_en > 1)
|
||||
|
@ -204,7 +204,7 @@ class QUICEchoExtTestCase(QUICTestCase):
|
||||
"enable",
|
||||
"poll-main",
|
||||
"evt_qs_memfd_seg",
|
||||
"evt_qs_seg_size",
|
||||
"wrk-mqs-segment-size",
|
||||
"64M",
|
||||
"event-queue-length",
|
||||
f"{evt_q_len}",
|
||||
|