Compare commits

...

18 Commits

Author SHA1 Message Date
Dave Wallace
1513b381d8 misc: VPP 22.06.1 Release Notes
Type: docs
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I8770a35c801126ffd2de8f58d79e6616642709a9
2023-02-10 13:28:46 -05:00
Benoît Ganne
9b8dc82531 ipsec: fix AES CBC IV generation (CVE-2022-46397)
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-02-03 21:04:24 -05:00
Tianyu Li
d03b3bf62f dpdk: fix arm iavf rx vector path on 22.03
dpdk 22.03 introduces iavf driver but misses rx vector path on Arm.
This causes VF fail to receive packet when running VPP device test
with no-multi-seg configuration.

Add iavf basic Neon RX support to fix this.

Type: fix
Fixes: 2f132efc3caf ("dpdk: bump to DPDK v22.03")

Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I75ae74c8060428cee0e1c235feab1246c014801e
2022-08-25 17:19:46 +08:00
Matthew Smith
0ded107caf wireguard: increment interface RX counters
Type: improvement

When packets were received and processed successfully, increment the
byte/packet counters for the tunnel interface.

Change-Id: I42855607ac6916de641be42aac86c9942cc97140
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
(cherry picked from commit 42928beec9f4dc87dcf61332a39801a454c1d7bc)
2022-08-14 21:43:07 +00:00
Jon Loeliger
9dac6f9675 ipfix-export: Fix frame leak in flow_report_process_send()
The flow_report_process_send() function always allocates a frame.
However, when no template_send is needed, template_bi is ~0.
When this happens, no vectors are placed in the frame.  When
the frame is then "put", a check for n_vectors == 0 prevents
the frame from actually being placed back on the free list.
Fix that by using a direct call to vlib_frame_free() when
there are no frame vctors.

Type: fix
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I936b5cea4cb3c358247c3d2e1a77d034a322ea76
(cherry picked from commit eaa83c0439c13b76525224267c23d0cf52a6668b)
2022-08-14 21:42:44 +00:00
Alexander Skorichenko
fa27d4d4f1 nat: disable nat44-ei-in2out-output ttl check
Type: fix

A packet passing through nat44-ei-in2out-output,
has its ttl value validated in earlier nodes.
"ip4-input" node checks ttl for locally generated packets.
"ip4-rewrite" node validates ttl in forwarded packets.

Thus for example, the ED counterpart disables ttl checks
in its "nat44-ed-in2out-output" node.
This patch updates nat44 EI conditions for ttl checks to
those currently used in nat44 ED case, meaning no extra ttl
validation for in2out when output-feature is enabled.

Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: Idd15d7c9a746b60c0a6dac5537d00ef10c257fdc
(cherry picked from commit d1ca70c7e11dac7b9fff802ca5f1d9051c984c34)
2022-07-19 12:24:51 +00:00
Andrew Yourtchenko
0d352a97c5 misc: VPP 22.06 Release Notes
Type: docs
Change-Id: I15971b21fd660b4893218640c0d5e5a5247868f1
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2022-06-29 12:13:49 +00:00
Florin Coras
0ffc5016dd vcl: check if listener valid on disconnect cleanup
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie057d0d5a51d3226a1a188cf9d48a5d82dc4a3c7
2022-06-29 11:55:45 +00:00
fanxb
6777efdda0 quic:fix crash rx_fifo full or grow
if when the rx_fifo grows, svm_fifo_enqueue() return -4,
stream_data->app_rx_data_len += rlen type conversion occurs,
Finally,stream->recvstate.data_off calculation is wrong.

Type:fix

Signed-off-by: fanxb <fxb_mail@163.com>
Change-Id: Iae11f0c453f32d836f4148d70e3b121545a53a90
(cherry picked from commit 5b4b4c05ff06b866b90b0df9b2be2ed28e606f16)
2022-06-29 02:15:30 +00:00
Pratikshya Prasai
996550c62f docs: fix broken links
Type: docs

Signed-off-by: Pratikshya Prasai <pratikshyaprasai2112@gmail.com>
Change-Id: I729de9e18624c63a72ec415a05c55617cb360c47
(cherry picked from commit 365fabea1eac892b838a258d39e6e6eee8adbd2d)
2022-06-29 02:02:03 +00:00
Florin Coras
b65e76e108 session: fix connected udp accepts
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0963bae4b56b08c0a9ab4ee1f2738013217e1fb7
(cherry picked from commit fc20c8e50f2784ad62b97bdb0094605d2b86f596)
2022-06-29 00:36:02 +00:00
Florin Coras
40d811fee8 session quic: allow custom config of rx mqs seg size
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Idc0fdebfea29c241d8a36128241ccec03eace5fd
(cherry picked from commit cf5c774b594d4b403e817886c8d41efd927f06b4)
2022-06-28 22:42:01 +00:00
Florin Coras
ea4bcec987 hsa: allow first segments larger than 4g for proxy
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9c502a491ff56806a2e631f7a4c18903a2e93ab2
(cherry picked from commit c2ab1bdbc73f2743979f8779c027adc04d79bf22)
2022-06-10 16:34:43 +00:00
Florin Coras
2d4b5c3670 hsa: dealloc proxy fifos on right thread
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia66c12e1da126d0d8d101b645e6dc8454c3826d6
(cherry picked from commit db8dd260d5d8ac798a9524f29e746b9094eb73bf)
2022-06-09 19:06:43 +00:00
Florin Coras
d9f83ae3f1 hsa: refactor proxy session lookup and cleanup
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic68627bbca676cc78b0be05bc1fa0f386f5d27fa
(cherry picked from commit 7b8d26c136081563c89e50df3d16a37f2ad3e489)
2022-06-08 15:27:42 +00:00
Filip Tehlar
ea7a4cb891 session: fix double free in CLI
Type: fix

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I646ac946d0b07929dfdd1966a4f4a3b697768040
(cherry picked from commit af21b2e6994893e97ad0fef52ca154c69a4a09cb)
2022-06-03 15:44:02 +00:00
Dave Wallace
5373a6bcc8 docs: update spelling word list and fix typos
- update wordlist and fix typos so that 'make docs-spell' passes
- sort spelling_wordlist.txt
- update docs maintainers list

Type: docs

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I38ac7850c604c323427d2bb6877ea98bd10bcc38
(cherry picked from commit dac97e2c627ca3a911dac7fd8eb268bde23f853f)
2022-05-25 21:24:04 +00:00
Andrew Yourtchenko
211fa4748c misc: Initial changes for stable/2206 branch
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ib8092fd21db3d21254ebdc7d7ace270c035fced8
2022-05-25 12:08:44 +00:00
24 changed files with 2082 additions and 904 deletions

View File

@ -2,3 +2,4 @@
host=gerrit.fd.io
port=29418
project=vpp
defaultbranch=stable/2206

View File

@ -41,6 +41,7 @@ F: src/vnet/bonding/
Sphinx Documents
I: docs
M: John DeNisco <jdenisco@cisco.com>
M: Dave Wallace <dwallacelf@gmail.com>
F: docs/
Infrastructure Library

File diff suppressed because it is too large Load Diff

View File

@ -6,7 +6,8 @@ Release notes
.. toctree::
:maxdepth: 2
v22.06.1
v22.06
v22.02
v21.10.1
v21.10
past

View File

@ -6,6 +6,7 @@ Past releases
.. toctree::
:maxdepth: 1
v21.10
v21.06
v21.01
v20.09
@ -37,4 +38,3 @@ Past releases
v17.01
v16.09
v16.06

View File

@ -0,0 +1,12 @@
Release notes for VPP 22.06.1
=============================
This is bug fix release.
Of particular importance, this release contains the fix for
`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
For the full list of fixed issues please refer to:
- fd.io `JIRA <https://jira.fd.io>`__
- git `commit log <https://git.fd.io/vpp/log/?h=stable/2206>`__

File diff suppressed because it is too large Load Diff

View File

@ -16,17 +16,17 @@ Skills to be Learned
VPP commands learned in this exercise
--------------------------------------
#. `create host-interface <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_devices_af_packet.html#clicmd_create_host-interface>`_
#. `set int state <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_set_interface_state>`_
#. `set int ip address <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_ip.html#clicmd_set_interface_ip_address>`_
#. `show hardware <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_hardware-interfaces>`_
#. `show int <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_interfaces>`_
#. `show int addr <https://docs.fd.io/vpp/17.04/clicmd_src_vnet.html#clicmd_show_interfaces>`_
#. `trace add <https://docs.fd.io/vpp/17.04/clicmd_src_vlib.html#clicmd_trace_add>`_
#. `clear trace <https://docs.fd.io/vpp/17.04/clicmd_src_vlib.html#clicmd_clear_trace>`_
#. `ping <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_ip.html#clicmd_ping>`_
#. `show ip neighbors <https://docs.fd.io/vpp/21.06/db/dba/clicmd_src_vnet_ip-neighbor.html#clicmd_show_ip_neighbors>`_
#. `show ip fib <https://docs.fd.io/vpp/17.04/clicmd_src_vnet_fib.html#clicmd_show_ip_fib>`_
#. `create host-interface <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_devices_af_packet.html#create-host-interface>`_
#. `set int state <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#set-interface-state>`_
#. `set int ip address <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_ip.html#set-interface-ip-address>`_
#. `show hardware <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-hardware-interfaces>`_
#. `show int <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-interface>`_
#. `show int addr <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet.html#show-interface>`_
#. `trace add <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vlib.html#trace-add>`_
#. `clear trace <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vlib.html#clear-trace>`_
#. `ping <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_plugins_ping.html>`_
#. `show ip neighbors <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_ip-neighbor.html#show-ip-neighbors>`_
#. `show ip fib <https://docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_vnet_fib.html#show-ip-fib>`_
Topology
---------

File diff suppressed because it is too large Load Diff

View File

@ -10,7 +10,7 @@ back-and-forth (i.e. ICMP echo/ping requests and HTTP GET requests).
The intent of this example is to provide a relatively simple example of
connecting containers via VPP and allowing others to use it as a springboard of
sorts for their own projects and examples. Besides Docker and a handful of
common Linux command-line utlities, not much else is required to build this
common Linux command-line utilities, not much else is required to build this
example (due to most of the dependencies being lumped inside the containers
themselves).
@ -81,7 +81,7 @@ Getting Started
^^^^^^^^^^^^^^^
First, we'll assume you are running on a Ubuntu 20.04 x86_64 setup (either on a
bare metal host or in a virtual machine), and have acquirec a copy of the
bare metal host or in a virtual machine), and have acquired a copy of the
project files (either by cloning the VPP git repository, or duplicating them
from :ref:`sec_file_listings_vpp_testbench`). Now, just run ``make``. The
process should take a few minutes as it pulls the baseline Ubuntu Docker image,
@ -96,11 +96,11 @@ can be cleaned-up via ``make stop``, and the whole process of starting,
testing, stopping, etc.; can be repeated as needed.
In addition to starting up the containers, ``make start`` will establish
variaous types of links/connections between the two containers, making use of
various types of links/connections between the two containers, making use of
both the Linux network stack, as well as VPP, to handle the "plumbing"
involved. This is to allow various types of connections between the two
containers, and to allow the reader to experiment with them (i.e. using
``vppctl`` to congfigure or trace packets going over VPP-managed links, use
``vppctl`` to configure or trace packets going over VPP-managed links, use
traditional Linux command line utilities like ``tcpdump``, ``iproute2``,
``ping``, etc.; to accomplish similar tasks over links managed purely by the
Linux network stack, etc.). Later labs will also encourage readers to compare
@ -177,4 +177,3 @@ entrypoint_server.sh
:caption: entrypoint_server.sh
:language: shell
:linenos:

File diff suppressed because it is too large Load Diff

View File

@ -36,54 +36,41 @@ typedef struct
volatile int active_open_establishing;
volatile int po_disconnected;
volatile int ao_disconnected;
u32 ps_index;
u32 po_thread_index;
} proxy_session_t;
typedef struct
{
svm_queue_t *vl_input_queue; /**< vpe input queue */
/** per-thread vectors */
svm_msg_q_t **server_event_queue;
svm_msg_q_t **active_open_event_queue;
proxy_session_t *sessions; /**< session pool, shared */
clib_spinlock_t sessions_lock; /**< lock for session pool */
u8 **rx_buf; /**< intermediate rx buffers */
u32 cli_node_index; /**< cli process node index */
u32 server_client_index; /**< server API client handle */
u32 server_app_index; /**< server app index */
u32 active_open_client_index; /**< active open API client handle */
u32 active_open_app_index; /**< active open index after attach */
uword *proxy_session_by_server_handle;
uword *proxy_session_by_active_open_handle;
u32 ckpair_index; /**< certkey pair index for tls */
/*
* Configuration params
*/
u8 *connect_uri; /**< URI for slave's connect */
u32 configured_segment_size;
u32 fifo_size; /**< initial fifo size */
u32 max_fifo_size; /**< max fifo size */
u8 high_watermark; /**< high watermark (%) */
u8 low_watermark; /**< low watermark (%) */
u32 private_segment_count; /**< Number of private fifo segs */
u32 private_segment_size; /**< size of private fifo segs */
u64 segment_size; /**< size of fifo segs */
u8 prealloc_fifos; /**< Request fifo preallocation */
int rcv_buffer_size;
session_endpoint_cfg_t server_sep;
session_endpoint_cfg_t client_sep;
u32 ckpair_index;
/*
* Test state variables
*/
proxy_session_t *sessions; /**< Session pool, shared */
clib_spinlock_t sessions_lock;
u32 **connection_index_by_thread;
pthread_t client_thread_handle;
/*
* Flags
*/
u8 is_init;
u8 prealloc_fifos; /**< Request fifo preallocation */
} proxy_main_t;
extern proxy_main_t proxy_main;

View File

@ -1345,7 +1345,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
next0 = next1 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
if (PREDICT_FALSE (ip0->ttl == 1))
if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
@ -1564,7 +1564,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
rx_fib_index1 =
vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index1);
if (PREDICT_FALSE (ip1->ttl == 1))
if (PREDICT_FALSE (!is_output_feature && ip1->ttl == 1))
{
vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
@ -1811,7 +1811,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
rx_fib_index0 =
vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index0);
if (PREDICT_FALSE (ip0->ttl == 1))
if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,

View File

@ -876,6 +876,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
{
/* Streams live on the same thread so (f, stream_data) should stay consistent */
rlen = svm_fifo_enqueue (f, len, (u8 *) src);
if (PREDICT_FALSE (rlen < 0))
{
/*
* drop, fifo full
* drop, fifo grow
*/
return;
}
QUIC_DBG (3, "Session [idx %u, app_wrk %u, ti %u, rx-fifo 0x%llx]: "
"Enqueuing %u (rlen %u) at off %u in %u space, ",
stream_session->session_index,
@ -898,6 +906,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
rlen = svm_fifo_enqueue_with_offset (f,
off - stream_data->app_rx_data_len,
len, (u8 *) src);
if (PREDICT_FALSE (rlen < 0))
{
/*
* drop, fifo full
* drop, fifo grow
*/
return;
}
QUIC_ASSERT (rlen == 0);
}
return;

View File

@ -562,6 +562,8 @@ always_inline uword
wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
vlib_frame_t *frame, u8 is_ip4, u16 async_next_node)
{
vnet_main_t *vnm = vnet_get_main ();
vnet_interface_main_t *im = &vnm->interface_main;
wg_main_t *wmp = &wg_main;
wg_per_thread_data_t *ptd =
vec_elt_at_index (wmp->per_thread_data, vm->thread_index);
@ -802,6 +804,11 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
last_peer_time_idx = peer_idx;
}
vlib_increment_combined_counter (im->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_RX,
vm->thread_index, peer->wg_sw_if_index,
1 /* packets */, b[0]->current_length);
trace:
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
(b[0]->flags & VLIB_BUFFER_IS_TRACED)))
@ -861,6 +868,8 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
always_inline uword
wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
{
vnet_main_t *vnm = vnet_get_main ();
vnet_interface_main_t *im = &vnm->interface_main;
wg_main_t *wmp = &wg_main;
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
@ -920,6 +929,12 @@ wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
wg_timers_any_authenticated_packet_traversal (peer);
last_peer_time_idx = peer_idx;
}
vlib_increment_combined_counter (im->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_RX,
vm->thread_index, peer->wg_sw_if_index,
1 /* packets */, b[0]->current_length);
trace:
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
(b[0]->flags & VLIB_BUFFER_IS_TRACED)))

View File

@ -790,6 +790,7 @@ vppcom_session_disconnect (u32 session_handle)
if (session->listener_index != VCL_INVALID_SESSION_INDEX)
{
listen_session = vcl_session_get (wrk, session->listener_index);
if (listen_session)
listen_session->n_accepted_sessions--;
}

View File

@ -338,7 +338,7 @@ typedef struct
i16 crypto_start_offset; /* first buffer offset */
i16 integ_start_offset;
/* adj total_length for integ, e.g.4 bytes for IPSec ESN */
u16 integ_length_adj;
i16 integ_length_adj;
vnet_crypto_op_status_t status : 8;
u8 flags; /**< share same VNET_CRYPTO_OP_FLAG_* values */
} vnet_crypto_async_frame_elt_t;
@ -628,7 +628,7 @@ static_always_inline void
vnet_crypto_async_add_to_frame (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
u32 key_index, u32 crypto_len,
i16 integ_len_adj, i16 crypto_start_offset,
u16 integ_start_offset, u32 buffer_index,
i16 integ_start_offset, u32 buffer_index,
u16 next_node, u8 *iv, u8 *tag, u8 *aad,
u8 flags)
{

View File

@ -20,14 +20,14 @@ impractical to parse headers which are split over multiple vnet
buffers, vnet_buffer_chain_linearize() is called after reassembly so
that L2/L3/L4 headers can be found in first buffer. Full reassembly
is costly and shouldn't be used unless necessary. Full reassembly is by
default enabled for both ipv4 and ipv6 traffic for "forus" traffic
default enabled for both ipv4 and ipv6 "for us" traffic
- that is packets aimed at VPP addresses. This can be disabled via API
if desired, in which case "for us" fragments are dropped.
2. Shallow (virtual) reassembly allows various classifying and/or
translating features to work with fragments without having to
understand fragmentation. It works by extracting L4 data and adding
them to vnet_buffer for each packet/fragment passing throught SVR
them to vnet_buffer for each packet/fragment passing through SVR
nodes. This operation is performed for both fragments and regular
packets, allowing consuming code to treat all packets in same way. SVR
caches incoming packet fragments (buffers) until first fragment is
@ -42,7 +42,7 @@ Multi-worker behaviour
Both reassembly types deal with fragments arriving on different workers
via handoff mechanism. All reassembly contexts are stored in pools.
Bihash mapping 5-tuple key to a value containing pool index and thread
index is used for lookups. When a lookup finds an existing reasembly on
index is used for lookups. When a lookup finds an existing reassembly on
a different thread, it hands off the fragment to that thread. If lookup
fails, a new reassembly context is created and current worker becomes
owner of that context. Further fragments received on other worker
@ -64,7 +64,7 @@ fragments per packet.
Custom applications
^^^^^^^^^^^^^^^^^^^
Both reassembly features allow to be used by custom applicatind which
Both reassembly features allow to be used by custom application which
are not part of VPP source tree. Be it patches or 3rd party plugins,
they can build their own graph paths by using "-custom*" versions of
nodes. Reassembly then reads next_index and error_next_index for each

View File

@ -479,7 +479,15 @@ flow_report_process_send (vlib_main_t *vm, flow_report_main_t *frm,
nf = fr->flow_data_callback (frm, exp, fr, nf, to_next, next_node);
if (nf)
{
if (nf->n_vectors)
vlib_put_frame_to_node (vm, next_node, nf);
else
{
vlib_node_runtime_t *rt = vlib_node_get_runtime (vm, next_node);
vlib_frame_free (vm, rt, nf);
}
}
}
static uword

View File

@ -237,6 +237,24 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr)
return len;
}
/* IPsec IV generation: IVs requirements differ depending of the
* encryption mode: IVs must be unpredictable for AES-CBC whereas it can
* be predictable but should never be reused with the same key material
* for CTR and GCM.
* We use a packet counter as the IV for CTR and GCM, and to ensure the
* IV is unpredictable for CBC, it is then encrypted using the same key
* as the message. You can refer to NIST SP800-38a and NIST SP800-38d
* for more details. */
static_always_inline void *
esp_generate_iv (ipsec_sa_t *sa, void *payload, int iv_sz)
{
ASSERT (iv_sz >= sizeof (u64));
u64 *iv = (u64 *) (payload - iv_sz);
clib_memset_u8 (iv, 0, iv_sz);
*iv = sa->iv_counter++;
return iv;
}
static_always_inline void
esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
vnet_crypto_op_t * ops, vlib_buffer_t * b[],
@ -390,27 +408,29 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
vnet_crypto_op_t *op;
vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES);
vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
u8 *crypto_start = payload;
/* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always
* have enough space for ESP header and footer which includes ICV */
ASSERT (payload_len > icv_sz);
u16 crypto_len = payload_len - icv_sz;
/* generate the IV in front of the payload */
void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz);
op->src = op->dst = payload;
op->key_index = sa0->crypto_key_index;
op->len = payload_len - icv_sz;
op->user_data = bi;
if (ipsec_sa_is_set_IS_CTR (sa0))
{
ASSERT (sizeof (u64) == iv_sz);
/* construct nonce in a scratch space in front of the IP header */
esp_ctr_nonce_t *nonce =
(esp_ctr_nonce_t *) (payload - sizeof (u64) - hdr_len -
sizeof (*nonce));
u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
(esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
if (ipsec_sa_is_set_IS_AEAD (sa0))
{
/* constuct aad in a scratch space in front of the nonce */
op->aad = (u8 *) nonce - sizeof (esp_aead_t);
op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
op->tag = payload + op->len;
op->tag = payload + crypto_len;
op->tag_len = 16;
}
else
@ -419,13 +439,17 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
}
nonce->salt = sa0->salt;
nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa0->ctr_iv_counter++);
nonce->iv = *(u64 *) pkt_iv;
op->iv = (u8 *) nonce;
}
else
{
op->iv = payload - iv_sz;
op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
/* construct zero iv in front of the IP header */
op->iv = pkt_iv - hdr_len - iv_sz;
clib_memset_u8 (op->iv, 0, iv_sz);
/* include iv field in crypto */
crypto_start -= iv_sz;
crypto_len += iv_sz;
}
if (lb != b[0])
@ -434,8 +458,15 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
op->chunk_index = vec_len (ptd->chunks);
op->tag = vlib_buffer_get_tail (lb) - icv_sz;
esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload,
payload_len, &op->n_chunks);
esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz,
crypto_start, crypto_len + icv_sz,
&op->n_chunks);
}
else
{
/* not chained */
op->src = op->dst = crypto_start;
op->len = crypto_len;
}
}
@ -485,26 +516,26 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
u8 *tag, *iv, *aad = 0;
u8 flag = 0;
u32 key_index;
i16 crypto_start_offset, integ_start_offset = 0;
i16 crypto_start_offset, integ_start_offset;
u16 crypto_total_len, integ_total_len;
post->next_index = next;
/* crypto */
crypto_start_offset = payload - b->data;
crypto_start_offset = integ_start_offset = payload - b->data;
crypto_total_len = integ_total_len = payload_len - icv_sz;
tag = payload + crypto_total_len;
key_index = sa->linked_key_index;
/* generate the IV in front of the payload */
void *pkt_iv = esp_generate_iv (sa, payload, iv_sz);
if (ipsec_sa_is_set_IS_CTR (sa))
{
ASSERT (sizeof (u64) == iv_sz);
/* construct nonce in a scratch space in front of the IP header */
esp_ctr_nonce_t *nonce = (esp_ctr_nonce_t *) (payload - sizeof (u64) -
hdr_len - sizeof (*nonce));
u64 *pkt_iv = (u64 *) (payload - sizeof (u64));
esp_ctr_nonce_t *nonce =
(esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce));
if (ipsec_sa_is_set_IS_AEAD (sa))
{
/* constuct aad in a scratch space in front of the nonce */
@ -518,13 +549,17 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
}
nonce->salt = sa->salt;
nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->ctr_iv_counter++);
nonce->iv = *(u64 *) pkt_iv;
iv = (u8 *) nonce;
}
else
{
iv = payload - iv_sz;
flag |= VNET_CRYPTO_OP_FLAG_INIT_IV;
/* construct zero iv in front of the IP header */
iv = pkt_iv - hdr_len - iv_sz;
clib_memset_u8 (iv, 0, iv_sz);
/* include iv field in crypto */
crypto_start_offset -= iv_sz;
crypto_total_len += iv_sz;
}
if (lb != b)
@ -532,13 +567,14 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
/* chain */
flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
tag = vlib_buffer_get_tail (lb) - icv_sz;
crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb, icv_sz,
payload, payload_len, 0);
crypto_total_len = esp_encrypt_chain_crypto (
vm, ptd, sa, b, lb, icv_sz, b->data + crypto_start_offset,
crypto_total_len + icv_sz, 0);
}
if (sa->integ_op_id)
{
integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t);
integ_start_offset -= iv_sz + sizeof (esp_header_t);
integ_total_len += iv_sz + sizeof (esp_header_t);
if (b != lb)

View File

@ -133,7 +133,7 @@ typedef struct
u32 seq;
u32 seq_hi;
u64 replay_window;
u64 ctr_iv_counter;
u64 iv_counter;
dpo_id_t dpo;
vnet_crypto_key_index_t crypto_key_index;

View File

@ -1312,6 +1312,7 @@ session_dgram_accept (transport_connection_t * tc, u32 listener_index,
}
session_lookup_add_connection (tc, session_handle (s));
s->session_state = SESSION_STATE_ACCEPTING;
app_wrk = app_worker_get (s->app_wrk_index);
if ((rv = app_worker_accept_notify (app_wrk, s)))
@ -1684,7 +1685,7 @@ session_vpp_wrk_mqs_alloc (session_main_t *smm)
* if larger than minimum size.
*/
mqs_seg_size = svm_msg_q_size_to_alloc (cfg) * vec_len (smm->wrk);
mqs_seg_size = mqs_seg_size + (32 << 10);
mqs_seg_size = mqs_seg_size + (1 << 20);
mqs_seg_size = clib_max (mqs_seg_size, smm->wrk_mqs_segment_size);
mqs_seg->ssvm.ssvm_size = mqs_seg_size;
@ -2098,6 +2099,9 @@ session_config_fn (vlib_main_t * vm, unformat_input_t * input)
else
clib_warning ("event queue length %d too small, ignored", nitems);
}
else if (unformat (input, "wrk-mqs-segment-size %U",
unformat_memory_size, &smm->wrk_mqs_segment_size))
;
else if (unformat (input, "preallocated-sessions %d",
&smm->preallocated_sessions))
;
@ -2174,7 +2178,7 @@ session_config_fn (vlib_main_t * vm, unformat_input_t * input)
else if (unformat (input, "segment-baseva 0x%lx", &tmp))
;
else if (unformat (input, "evt_qs_seg_size %U", unformat_memory_size,
&tmp))
&smm->wrk_mqs_segment_size))
;
else if (unformat (input, "event-queue-length %d", &nitems))
{

View File

@ -841,7 +841,6 @@ session_enable_disable_fn (vlib_main_t * vm, unformat_input_t * input,
vlib_cli_command_t * cmd)
{
u8 is_en = 2;
clib_error_t *error;
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
{
@ -850,12 +849,8 @@ session_enable_disable_fn (vlib_main_t * vm, unformat_input_t * input,
else if (unformat (input, "disable"))
is_en = 0;
else
{
error = clib_error_return (0, "unknown input `%U'",
return clib_error_return (0, "unknown input `%U'",
format_unformat_error, input);
unformat_free (input);
return error;
}
}
if (is_en > 1)

View File

@ -204,7 +204,7 @@ class QUICEchoExtTestCase(QUICTestCase):
"enable",
"poll-main",
"evt_qs_memfd_seg",
"evt_qs_seg_size",
"wrk-mqs-segment-size",
"64M",
"event-queue-length",
f"{evt_q_len}",