
6 Commits

Author SHA1 Message Date
Ray Kinsella
15db851d93 ip: vtep fixes for alignment and cache update.
Minor fixes for Intel AVX-512 alignment, and cache update.

Type: fix

Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I9f9bebb4ecb3265ffc765affd1ed94d0ba979066
(cherry picked from commit 480600662ccbe6175971053ac732e1e92295a43f)
2021-01-13 14:43:41 +00:00
Ray Kinsella
bf40e3eff9 crypto-openssl: chacha support in openssl version
Fix build errors related to chachapoly when the
system openssl version is < 0x10100000.

Type: fix

Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I62283fcc44c952ddd4d6a9f621c18e8be1af8af1
(cherry picked from commit bf93c6e9bf340e323157ca2b4ffa8e83a36e5108)
2021-01-13 13:58:22 +01:00
Paul Vinciguerra
f097300c2b docs: update list of plugins
The list of plugins is outdated.

This change introduces a dynamically
generated list of the plugins along with their descriptions,
extracted directly from the sources.

Type: docs

Change-Id: Icb7b65e6b45289e257d71a1c18d10f62ced59cbe
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit 630ca994e0ff210a3de80d73bb395c931d2fd83f)
2020-12-21 23:23:33 +00:00
Paul Vinciguerra
da45810ce9 docs: fix missing quotes in ubuntu install instructions
type: docs

Change-Id: Ifa09b63924f4b7bf2719bba6ada0e1122407641c
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit ac9a585c6207ac876025f924aeb96ddcac8c8805)
2020-12-18 23:38:04 +00:00
Dave Barach
5208cb021a docs: revise home gateway use-case documentation
Switch to markdown format.

Update docs to current production configs. Add remote software
installation scripts.

Type: docs

Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ieaf507a4393c1e4600fb40ae0722c52472bb0f8f
(cherry picked from commit 5bfaa6e7e3225f06403be718eb6185b5fad01c91)
2020-12-17 13:12:51 +00:00
Andrew Yourtchenko
9dab7b9416 misc: Initial changes for stable/2101 branch
Change-Id: Iff6360ced87bdded50ad3aa4a028d5373bac3e1d
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-12-16 12:36:48 +00:00
14 changed files with 596 additions and 308 deletions

1
.gitignore vendored

@ -81,6 +81,7 @@ GTAGS
/build-root/.doxygen-bootstrap.ok
/build-root/.doxygen-siphon.dep
/docs/_build
/docs/dynamic_includes
/sphinx_venv
!/docs/Makefile


@ -2,3 +2,4 @@
host=gerrit.fd.io
port=29418
project=vpp
defaultbranch=stable/2101


@ -1,5 +1,6 @@
# Release Notes {#release_notes}
* @subpage release_notes_2101
* @subpage release_notes_2009
* @subpage release_notes_20051
* @subpage release_notes_2005
@ -30,6 +31,10 @@
* @subpage release_notes_1609
* @subpage release_notes_1606
@page release_notes_2101 Release notes for VPP 21.01
TBD
@page release_notes_2009 Release notes for VPP 20.09
More than 458 commits since the previous release, including 266 fixes.


@ -27,6 +27,8 @@ help:
# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile
# Generate dynamic content
@python3 ./includes_renderer.py
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
spell:


@ -35,19 +35,7 @@ vpp-plugins
Vector Packet Processing plugin modules.
* acl
* dpdk
* flowprobe
* gtpu
* ixge
* kubeproxy
* l2e
* lb
* memif
* nat
* pppoe
* sixrd
* stn
.. include:: ../../dynamic_includes/plugin_list.inc
vpp-dbg
-------


@ -1,11 +1,11 @@
.. _ubuntu:
.. toctree::
Ubuntu 18.04 - Setup the FD.io Repository
==========================================
Choose one of the following releases to install.
Ubuntu - Setup the FD.io Repository
===================================
Choose one of the following releases to install.
Update the OS
-----------------------
@ -85,4 +85,4 @@ Uninstall the packages by running the following command:
.. code-block:: console
sudo apt-get remove --purge vpp*
sudo apt-get remove --purge "vpp*"

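--- /dev/null
+++ b/docs/includes_renderer.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+# Copyright (c) 2020. Vinci Consulting Corp. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import glob
+import inspect
+import os.path
+import re
+class ContentRenderer:
+name = ""
+curr_path = os.path.abspath(inspect.getsourcefile(lambda: 0))
+vpp_root = curr_path.rsplit("/", 2)[0]
+output_dir = f"{vpp_root}/docs/dynamic_includes/"
+def render(self):
+raise NotImplementedError
+class PluginRenderer(ContentRenderer):
+name = "plugin_list.inc"
+plugin_dir = f"{ContentRenderer.vpp_root}/src/plugins"
+pattern = r'VLIB_PLUGIN_REGISTER\s?\(\)\s*=\s*{.*\.description\s?=\s?"([^"]*)".*};' # noqa: 501
+regex = re.compile(pattern, re.MULTILINE | re.DOTALL)
+def render(self):
+with open(f"{self.__class__.output_dir}{self.__class__.name}",
+"w") as output:
+with os.scandir(self.__class__.plugin_dir) as pdir:
+for entry in sorted(pdir, key=lambda entry: entry.name):
+if not entry.name.startswith('.') and entry.is_dir():
+description = "<no-description-found>"
+# we use glob because a plugin can (ioam for now)
+# define the plugin definition in
+# a further subdirectory.
+for f in glob.iglob(f'{self.__class__.plugin_dir}/'
+f'{entry.name}/**',
+recursive=True):
+if f.endswith('.c'):
+with open(f, "r", encoding="utf-8") \
+as src:
+for match in self.__class__.regex.finditer(
+src.read()):
+description = "%s" % (match.group(1))
+output.write(f"* {entry.name} - {description}\n")
+# if this list grows substantially, we can move the classes to
+# a folder and import them.
+renderers = [PluginRenderer,
+]
+def main():
+print("rendering dynamic includes...")
+for renderer in renderers:
+renderer().render()
+print("done.")
+if __name__ == "__main__":
+main()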
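Review bot: The `pattern` in `PluginRenderer` uses greedy `.*` under `re.DOTALL`, so after `VLIB_PLUGIN_REGISTER () = {` it runs to the end of the file and backtracks, capturing the last `.description = "..."` in the source instead of the one that follows the registration macro. Making both wildcards lazy keeps the match to the first description after the macro: `{.*?\.description\s?=\s?"([^"]*)".*?};`. The output file is also opened with `"w"` and no `encoding`, while the sources are read as UTF-8, so a non-ASCII description would fail to write under a C locale; `open(..., "w", encoding="utf-8")` keeps both sides consistent. Because the captured text lands unescaped in an `.inc` file that Sphinx parses as reStructuredText, a comment on `render` should state that descriptions are treated as trusted in-tree strings.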

497
docs/usecases/hgw.md Normal file

File diff suppressed because it is too large Load Diff


@ -1,285 +0,0 @@
.. _homegateway:
.. toctree::
Using VPP as a Home Gateway
===========================
Vpp running on a small system (with appropriate NICs) makes a fine
home gateway. The resulting system performs far in excess of
requirements: a TAG=vpp_debug image runs at a vector size of ~1.2
terminating a 150-mbit down / 10-mbit up cable modem connection.
At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
can use dnsmasq.
Configuration files
-------------------
/etc/vpp/startup.conf::
unix {
nodaemon
log /var/log/vpp/vpp.log
full-coredump
cli-listen /run/vpp/cli.sock
startup-config /setup.gate
poll-sleep-usec 100
gid vpp
}
api-segment {
gid vpp
}
dpdk {
dev 0000:03:00.0
dev 0000:14:00.0
etc.
}
plugins {
## Disable all plugins, selectively enable specific plugins
## YMMV, you may wish to enable other plugins (acl, etc.)
plugin default { disable }
plugin dpdk_plugin.so { enable }
plugin nat_plugin.so { enable }
## if you plan to use the time-based MAC filter
plugin mactime_plugin.so { enable }
}
/etc/dhcp/dhcpd.conf::
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.99;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8;
}
If you decide to enable the vpp dns name resolver, substitute
192.168.1.2 for 8.8.8.8 in the dhcp server configuration.
/etc/default/isc-dhcp-server::
# On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="lstack"
INTERFACESv6=""
/etc/ssh/sshd_config::
# What ports, IPs and protocols we listen for
Port <REDACTED-high-number-port>
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
For your own comfort and safety, do NOT allow password authentication
and do not answer ssh requests on port 22. Experience shows several
hack attempts per hour on port 22, but none (ever) on random
high-number ports.
vpp configuration (/setup.gate)::
comment { This is the WAN interface }
set int state GigabitEthernet3/0/0 up
comment { set int mac address GigabitEthernet3/0/0 mac-to-clone-if-needed }
set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate
comment { Create a BVI loopback interface}
loop create
set int l2 bridge loop0 1 bvi
set int ip address loop0 192.168.1.1/24
set int state loop0 up
comment { Add more inside interfaces as needed ... }
set int l2 bridge GigabitEthernet0/14/0 1
set int state GigabitEthernet0/14/0 up
comment { dhcp server and host-stack access }
create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
set int l2 bridge tap0 1
set int state tap0 up
comment { Configure NAT}
nat44 add interface address GigabitEthernet3/0/0
set interface nat44 in loop0 out GigabitEthernet3/0/0
comment { allow inbound ssh to the <REDACTED-high-number-port> }
nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp
comment { if you want to use the vpp DNS server, add the following }
comment { Remember to adjust the isc-dhcp-server configuration appropriately }
comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053 }
comment { bin dns_name_server_add_del 8.8.8.8 }
comment { bin dns_name_server_add_del 68.87.74.166 }
comment { bin dns_enable_disable }
comment { see patch below, which adds these commands }
service restart isc-dhcp-server
Systemd configuration
---------------------
In a typical home-gateway use-case, vpp owns the one-and-only WAN link
with a prayer of reaching the public internet. Simple things like
updating distro software requires use of the "lstack" interface
created above, and configuring a plausible upstream DNS name resolver.
Configure /etc/systemd/resolved.conf as follows.
/etc/systemd/resolved.conf::
[Resolve]
DNS=8.8.8.8
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
#DNSStubListener=yes
Netplan configuration
---------------------
If you want to configure a static IP address on one of your
home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure
netplan. Netplan is relatively new. It and the network manager GUI and
can be cranky. In the configuration shown below,
s/enp4s0/<your-interface>/...
/etc/netplan-01-netcfg.yaml::
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
version: 2
renderer: networkd
ethernets:
enp4s0:
dhcp4: no
addresses: [192.168.2.254/24]
gateway4: 192.168.2.100
nameservers:
search: [my.local]
addresses: [8.8.8.8]
/etc/systemd/network-10.enp4s0.network::
[Match]
Name=enp4s0
[Link]
RequiredForOnline=no
[Network]
ConfigureWithoutCarrier=true
Address=192.168.2.254/24
Note that we've picked an IP address for the home gateway which is on
an independent unrouteable subnet. This is handy for installing (and
possibly reverting) new vpp software.
Installing new vpp software
---------------------------
If you're **sure** that a given set of vpp Debian packages will
install and work properly, you can install them while logged into the
gateway via the lstack / nat path. This procedure is a bit like
standing on a rug and yanking it. If all goes well, a perfect
back-flip occurs. If not, you may wish that you'd configured a static
IP address on a reserved Ethernet interface as described above.
Installing a new vpp image via ssh to 192.168.1.2::
# nohup dpkg -i *.deb >/dev/null 2>&1 &
Within a few seconds, the inbound ssh connection SHOULD begin to respond
again. If it does not, you'll have to debug the issue(s).
Testing new software
--------------------
If you frequently test new home gateway software, it may be handy to
set up a test gateway behind your production gateway. This testing
methodology reduces complaints from family members, to name one benefit.
Change the inside network (dhcp) subnet from 192.168.1.0/24 to
192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
subnet, and you should be all set.
This scenario nats traffic twice: first, from the 192.168.3.0/24
network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24
network onto the public internet.
Patches
-------
You'll need this patch to add the "service restart" command::
diff --git a/src/vpp/vnet/main.c b/src/vpp/vnet/main.c
index 6e136e19..69189c93 100644
--- a/src/vpp/vnet/main.c
+++ b/src/vpp/vnet/main.c
@@ -18,6 +18,8 @@
#include <vlib/unix/unix.h>
#include <vnet/plugin/plugin.h>
#include <vnet/ethernet/ethernet.h>
+#include <vnet/ip/ip4_packet.h>
+#include <vnet/ip/format.h>
#include <vpp/app/version.h>
#include <vpp/api/vpe_msg_enum.h>
#include <limits.h>
@@ -400,6 +402,63 @@ VLIB_CLI_COMMAND (test_crash_command, static) = {
#endif
+static clib_error_t *
+restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ int rv __attribute__((unused));
+ /* Wait three seconds... */
+ vlib_process_suspend (vm, 3.0);
+
+ rv = system ("/usr/sbin/service isc-dhcp-server restart");
+
+ vlib_cli_output (vm, "Restarted the isc-dhcp-server...");
+ return 0;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = {
+ .path = "service restart isc-dhcp-server",
+ .short_help = "restarts the isc-dhcp-server",
+ .function = restart_isc_dhcp_server_command_fn,
+};
+/* *INDENT-ON* */
+
Using the time-based mac filter plugin
--------------------------------------
If you need to restrict network access for certain devices to specific
daily time ranges, configure the "mactime" plugin. Add it to the list
of enabled plugins in /etc/vpp/startup.conf, then enable the feature
on the NAT "inside" interfaces::
bin mactime_enable_disable GigabitEthernet0/14/0
bin mactime_enable_disable GigabitEthernet0/14/1
...
Create the required src-mac-address rule database. There are 4 rule
entry types:
* allow-static - pass traffic from this mac address
* drop-static - drop traffic from this mac address
* allow-range - pass traffic from this mac address at specific times
* drop-range - drop traffic from this mac address at specific times
Here are some examples::
bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01


@ -15,7 +15,7 @@ extensive list, but should give a sampling of the many features contained in FD.
vmxnet3
acls
vppcloud
homegateway
hgw
contiv/index.rst
networksim
webapp


@ -4,6 +4,8 @@ Test Framework Documentation {#test_framework_doc}
PyDoc generated documentation for the "make test" framework is available for
the following releases:
- [Test framework documentation for VPP 21.01](https://docs.fd.io/vpp/21.01/vpp_make_test/html)
- [Test framework documentation for VPP 20.09](https://docs.fd.io/vpp/20.09/vpp_make_test/html)
- [Test framework documentation for VPP 20.05](https://docs.fd.io/vpp/20.05/vpp_make_test/html)
- [Test framework documentation for VPP 20.01](https://docs.fd.io/vpp/20.01/vpp_make_test/html)
- [Test framework documentation for VPP 19.08](https://docs.fd.io/vpp/19.08/vpp_make_test/html)


@ -253,7 +253,7 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
/* is_gcm */ 1);
}
static_always_inline u32
static_always_inline __clib_unused u32
openssl_ops_enc_chacha20_poly1305 (vlib_main_t * vm, vnet_crypto_op_t * ops[],
vnet_crypto_op_chunk_t * chunks, u32 n_ops,
const EVP_CIPHER * cipher)
@ -317,7 +317,7 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
/* is_gcm */ 1);
}
static_always_inline u32
static_always_inline __clib_unused u32
openssl_ops_dec_chacha20_poly1305 (vlib_main_t * vm, vnet_crypto_op_t * ops[],
vnet_crypto_op_chunk_t * chunks, u32 n_ops,
const EVP_CIPHER * cipher)
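Review bot: `__clib_unused` on `openssl_ops_enc_chacha20_poly1305` and `openssl_ops_dec_chacha20_poly1305` silences the unused-function diagnostic on every OpenSSL version, not only the pre-1.1.0 builds the commit message targets, and neither definition says why the attribute is there. A one-line comment above each would record the reason, e.g. `/* unused when OPENSSL_VERSION_NUMBER < 0x10100000L: chacha20-poly1305 ops are not registered */`. The version guard is presumably at the call sites, which are outside these hunks, as are both function bodies. If so, builds against the older library lack chacha20-poly1305 in this engine without any notice, which is worth a line in the release notes.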


@ -130,11 +130,11 @@ vtep4_check_vector (vtep_table_t * t, vlib_buffer_t * b0, ip4_header_t * ip40,
#ifdef CLIB_HAVE_VEC512
u64x8 k4_u64x8 = u64x8_splat (k4.as_u64);
u64x8 cache = u64x8_load_aligned (vtep4_u512->vtep4_cache);
u64x8 cache = u64x8_load_unaligned (vtep4_u512->vtep4_cache);
u8 result = u64x8_mask_is_equal (cache, k4_u64x8);
if (PREDICT_TRUE (result != 0))
{
k4.as_u64 =
last_k4->as_u64 =
vtep4_u512->vtep4_cache[count_trailing_zeros (result)].as_u64;
return VTEP_CHECK_PASS_UNCHANGED;
}
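Review bot: On a hit, the lane selected by `count_trailing_zeros (result)` compared equal to `k4` by construction, so the indexed re-read of `vtep4_cache` is redundant; `last_k4->as_u64 = k4.as_u64;` would update the cache without the dependent load. The switch to `u64x8_load_unaligned` also deserves a why-comment, since an aligned 512-bit load on a misaligned address faults on the data path: `/* vtep4_cache is not guaranteed 64-byte aligned */`. The declaration of `vtep4_cache` is not visible here, so that alignment statement should be confirmed against it. `vtep4_check_vector` starts and ends outside this hunk.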