gerrit.fd Code Review

packetforge: add packetforge for generic flow to extras

Add a new tool packetforge to extras. This tool is to support generic flow.
Packetforge is a library to translate naming or json profile format flow
pattern to the required input of generic flow, i.e. spec and mask. Using
python script flow_create.py, it can add and enable a new flow rule for
an interface via flow VAPI, and can delete an existed flow rule as well.
Command examples are shown below. Json profile examples can be found in
./parsegraph/samples.

Naming format input:
python flow_create.py --add -p "mac()/ipv4(src=1.1.1.1,dst=2.2.2.2)/udp()"
-a "redirect-to-queue 3" -i 1
python flow_create.py --del -i 1 -I 0

Json profile format input:
python flow_create.py -f "./flow_rule_examples/mac_ipv4.json" -i 1

With this command, flow rule can be added or deleted, and the flow
entry can be listed with "show flow entry" command in VPP CLI.

Packetforge is based on a parsegraph. The parsegraph can be built by
users. A Spec can be found in ./parsegraph as guidance. More details
about packetforge are in README file.

Type: feature

Signed-off-by: Ting Xu <ting.xu@intel.com>
Change-Id: Ia9f539741c5dca27ff236f2bcc493c5dd48c0df1

vcl: align the RST behaviour with kernel

When ESTABLISHED TCP connection is terminated by an RST packet,
EPOLLHUP + EPOLLRDHUP would be updeliever by VCL. If not using
VPP, app would receive EPOLLHUP + EPOLLERR + EPOLLIN(if requested) +
EPOLLRDHUP(if requested).

libevent will interpret the two cases as different EV combinations.

Below is the code snippet for libevent v2.12:

  if (what & EPOLLERR) {
    ev = EV_READ | EV_WRITE;
  } else if ((what & EPOLLHUP) && !(what & EPOLLRDHUP)) {
    ev = EV_READ | EV_WRITE;
  } else {
    if (what & EPOLLIN)
      ev |= EV_READ;
    if (what & EPOLLOUT)
      ev |= EV_WRITE;
    if (what & EPOLLRDHUP)
      ev |= EV_CLOSED;
}

Type: fix
Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
Change-Id: Ice3d2861183b6ea499f66b727bbe175eeae5cb05

tests: run tests against a running VPP

Usage:
test/run.py -r -t {test_filter}
Instead of starting a new instance of VPP, when the -r argument
is provided, test is run against a running VPP instance. Optionally,
one can also set the VPP socket directory using the -d
argument. The default location for socket files is
/var/run/user/${uid}/vpp and /var/run/vpp if VPP is started
as root.

Type: improvement

Change-Id: I05e57a067fcb90fb49973f8159fc17925b741f1a
Signed-off-by: Naveen Joy <najoy@cisco.com>

misc: add test framework for host stack

Type: feature

Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I5a64a2c095cae3a4d5f8fdc73e624b010339ec8e

cnat: coverity fix

Type: fix

Change-Id: Ib127331507724f853071e66ca1ddfc773a8ed200
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

tests: skip tests failing on ubuntu 22.04

Type: test

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I218059de5d05680d661f302293475b6c2a7bf81d

igmp: validate ip router alert option length

It's known there're one or more 32-bit increments in the ip
header. So just check ip router alert option length with minimal
performance impact, and don't care of the total options length.

Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I46dd06516f793846b931a1dc8612f2735f8d24d3

abf: add API parameter n_paths range checks

Also check for non-zero rpath length in CLI cmd.
While there, no need to use "else" after a return.
Also while there, notice and fix numerous input_line
buffer leaks and fix them.

Type: fix
Fixes: 669d07dc016757b856e1014a415996cf9f0ebc58

Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I18ea44b7b82e8938c3e793e7c2a04dfe157076d8

build: install missing headers

Type: fix

Change-Id: I4eb2a7190de90553c91133f940e068ed649120cb
Signed-off-by: Benoît Ganne <bganne@cisco.com>

teib: fix segv during failed deletion of entry

Type: fix

If an attempt is made to delete a teib entry and the entry does not
exist, a message is logged. The format string contained an extra "%U",
which results in a segv.

Change-Id: I9b1d6ba63601982ba6ac8607cf710e34c311702a
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

arp: update error reason when checking for proxy-arp

When we follow arp feature arc for proxy-arp, we should still update
the error reason in case proxy-arp cannot handle the arp request and
drops it.

Type: improvement

Change-Id: I046df017ca2056cfc12af0f0a968b401058bcd6d
Signed-off-by: Benoît Ganne <bganne@cisco.com>

linux-cp: fix some CLI error messages

Type: fix

If unrecognized input was provided to the commands which add or delete a
pair, the error message was being created incorrectly and only displayed
something like "unknown input `'". Provide the correct argument to
format_unformat_error so that the actual unrecognized input is printed.

There also was no error or useful information printed if only the base
command were provided without any additional arguments. This should
print a warning about what required data was missing. Reorganize code to
handle this and to make sure that memory gets freed appropriately.

Change-Id: If454714f50cf41b3b56cfadfbf017f1d160e13a4
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

lisp: fix coverity 277315

Handle the case of the mapping not being found by GID.

Type: fix
Change-Id: Ibce3b9e8419c0dddca97b4d0d5a71f25dfd529d8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

virtio: add support for per queue packet counter

Type: improvement

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I21a701a556b88a9d81f0e074a59fa34b3746b1d9

vcl: add hugepage for vcl configure and svm

add hugepage for vcl configure and svm

Type: feature

Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I6a8905e3fec23d840e629114b1e5a403d0a258ef

session: support dma option

add dma support to session, acclerate host-stack with dma

Type: feature

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I3d492921d69d9e3e0b34d33adc33fba3bde9e1cc

prom: fix coverity 277312, 277317

If one attempts to add a pattern with zero length, first time
it will succeed, and the second time it will cause an invalid memcmp call.

Solution: do not allow to add zero-length patterns.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ic08e021486153be605a4b12a2fe4422307bf68d2

nat: fix nat44-ed port range with multiple workers

The number of available dynamic ports is set to (0xffff - 1024) =
64511, which is not divisable by the pow2 number of workers - the
only integer divisors are 31 and 2081.
So, total dynamic port range of all workers will be less than it:
    1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536
    2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535
    4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533
    8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529
    ...
As seen, with multiple workers there are unused trailing ports for every
nat pool address and that is the reason of out-of-bound index in the
worker array on out2in path due (port - 1024) / port_per_thread math.
This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets
to unused ports will go to existing worker and dropped there.

Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6:
6.  Port Number Ranges
   o  the System Ports, also known as the Well Known Ports, from 0-1023
      (assigned by IANA)
   o  the User Ports, also known as the Registered Ports, from 1024-
      49151 (assigned by IANA)
   o  the Dynamic Ports, also known as the Private or Ephemeral Ports,
      from 49152-65535 (never assigned)

According that let's allocate dynamic ports from 1024 and have full port
range with a wide range of the workers number - 64 integer divisors in
total, including pow2 ones:
    1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536
    2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536
    3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536
    4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536
    5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534
    6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536
    7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536
    8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536
    ...
Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required
when the numbers of workers is not the integer divisor of 64512.

Type: fix
Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a
Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>

ip-neighbor: fix debug log format output

Type: fix

Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: Ibfebe4da0197d1f60bf9edd3873fe1f776b680a4

ip: show fib index in ip4 reassembly trace

Type: improvement
Change-Id: I371237803e2c3cb0e1b42b94f422867465e2bff6
Signed-off-by: Damjan Marion <dmarion@me.com>

ipsec: make chacha20-poly1305 available via API

Type: feature

Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I4e03f60f34acd7809ddc5a743650bedbb95b2e98

vlib: add vlib_frame_bitmap_is_bit_set

Type: improvement
Change-Id: I2f3fab893a10b060f91b07ee17b8727d241830ea
Signed-off-by: Damjan Marion <dmarion@me.com>

ipsec: introduce fast path ipv4 inbound matching

This patch introduces fast path matching for inbound traffic ipv4.
Fast path uses bihash tables in order to find matching policy. Adding
and removing policies in fast path is much faster than in current
implementation. It is still new feature and further work needs
and can be done in order to improve perfromance.

Type: feature

Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ifbd5bfecc21b76ddf8363f5dc089d77595196675

fib: fix path copy function to deal with provided DPO in exclusive path

DPO in the new copy was not locked ...

Type: fix
Fixes: 0bfe5d8

Change-Id: I39f1368de459af91c4bb857d98a4b531bd5692a6
Signed-off-by: Damjan Marion <dmarion@me.com>

vlib: don't leak node frames on refork

Free node frames in worker mains on refork. Otherwise these frames are
never returned to free pool and it causes massive memory leaks if
performed under traffic load

Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I15cbf024a3f4b4082445fd5e5aaa10bfcf77f363

vppinfra: add clib_array_mask_set_u32()

Type: improvement
Change-Id: Idf1fb054d5ff495d772d01a79cbc6cd1b409d377
Signed-off-by: Damjan Marion <damarion@cisco.com>

nat: fix nat44-ed-in2out fast path next node

When a session is found expired, the next node of in2out fast path
should be in2out slow path instead of out2in slow path.

Type: fix
Signed-off-by: Jing Peng <jing@meter.com>
Change-Id: If1dd920502089c25b33bea5434823b0496a44499

fib: missing headers

Type: improvement
Change-Id: I7f52222706200c31a731fadfb84513549ccb532d
Signed-off-by: Damjan Marion <dmarion@me.com>

wireguard: eliminate some calls to main thread

Type: improvement

Roaming functionality allows the peer address to change. The main thread
was being called to update a peer's address if necessary after
processing a received packet. Check in the worker whether this is
necessary before incurring the overhead of the RPC to the main thread.

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I02184b92dc658e0f57dd39993a3b2f9944187b45

avf: check for VLAN_TOGGLE capability

The ability to modify the vlan setting must be checked prior to using
VIRTCHNL_OP_DISABLE_VLAN_STRIPPING_V2 both for inner and outer vlan
stripping

Change-Id: Iffe306c34b81a6077ad6ba5deb3f5b61b5475897
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>

dpdk-cryptodev: reduce request to enable async

Originally initialization cryptodev device(s) calls double request
to enabled async mode and increased ref count twice for async mode.
Due to this cannot be change any assigned async handlers to other
async crypto engine.

The fixes reduce double request to enable async mode in initialization
cryptodev device(s) and VPP can be change assigned async handlers
to other crypto engine after disabled all async feature, for example:
ipsec, wireguard.

Type: fix

Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: If22e682c3c10de781d05c2e09b5420f75be151c3

build: Cleanup python2 from suse build and uplift opensuse version

- default to opensuse-leap 15.4, no python2 support in this version
- deprecate version openSUSE 15.0, openSUSE 15.3 still supported

Type: make

Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech>
Change-Id: Ic7178ff5238e2669bc45166c1f13d3f077f6069b
Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech>

vrrp: fix cli functions according to short_help

test output before fix:
  DBGvpp# vrrp proto start sw_if_index 1 vr_id 1
  vrrp proto: unknown input `sw_if_index 1 vr_id 1'
  DBGvpp# vrrp vr track-if add sw_if_index 1 vr_id 1 track-index 1
priority 30
  vrrp vr track-if: Please specify an interface

Type: fix

Signed-off-by: luoyaozu <luoyaozu@foxmail.com>
Change-Id: Ib8ba67e920b23008d9246318ec8f8f17bf0bea95

ip: fix punt socket overflow

client_pathname is usually smaller than pc->caddr.sun_path. snprint()
ensures we stop at the NULL character or sizeof(sun_path) whichever
comes 1st. It also guarantees NULL character termination.

Type: fix

Change-Id: I9fc2a706beab931d50d32d03f7fafca7c6c2fb0b
Signed-off-by: Benoît Ganne <bganne@cisco.com>

build: set OS_ID_LIKE only if unset

cmake MATCHES directive with the empty regex "" always match, including
non-empty strings.

Type: fix
Fixes: 534dfc1f18db74f4a2c78d62fe6893daba56dc86

Change-Id: If085b29da15a6d7fc680cebb823183fd3c7eea68
Signed-off-by: Benoît Ganne <bganne@cisco.com>

ipsec: fix coverity 249212

zero-initialize the variables

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I51c3856865eab037f646a0d184e82ecb3b5b3216

build: remove lto flags in dpdk build

- Ubuntu 22.04 enables LTO by default and dpdk
  adds lto flags to CFLAGS. This CI jobs to fail
  with OOM-Kill (especially on ARM64) due to lto
  consuming large amounts of memory.

Type: make

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I5a3d3a08e2caddb4790b281b80b16081567aed5b

udp: store mss and sw_if_index to udp_connection_t

Store mss and sw_if_index to udp_connection_t and display them via
show sessipn verbose 2

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I32928f3f4195b178873dc1bada702e035d99c464

nat: fix coverity 249194

Zero-initialize a variable.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Iccf2eb4bf26755d6cd93fc70df3c5481d69ce7eb

nat: fix coverity 249178

Zero-initialize the variable

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I4ee127ac3e2a3beffa11bbc96db1f3254b3f7c5d

pppoe: fix coverity 218437, 218401

Initialize the session index in case of error to ~0,
so is defined in case trace needs to copy it.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Iddf6df42c09d2abc11e5821944eb4f41692e6e3e

gso: zero-initialize gho struct

It may contain garbage in debug builds resulting in wrong
gho detected flags and offsets.

Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ia79633262185016f527e7dc6c67334cda6f055f2

devices: fix coverity warning

Type: fix

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I0a58c0f54d8be31a0a78bef00152fb2cc193840e

devices: add support for polling mode

Type: improvement

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I8d84dc8b7f5c5e863c32838cfafc3d366e2a7e00

dpdk: fix arm iavf rx vector path on 22.03

dpdk 22.03 introduces iavf driver but misses rx vector path on Arm.
This causes VF fail to receive packet when running VPP device test
with no-multi-seg configuration.

Add iavf basic Neon RX support to fix this.

Type: fix
Fixes: 2f132efc3caf ("dpdk: bump to DPDK v22.03")

Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I75ae74c8060428cee0e1c235feab1246c014801e

l2: skip arp term for locally originated packets

Mark arp packet as locally originated when probing/replying and don't apply any
arp-term logic against it.

Type: fix
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
Change-Id: I305ff5cac8cac456decf92f21b961aa4ce286079

tcp: do not overcount ooo bytes

Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic81702bffb5b3189db48efe1ab3b237fa2bf75f2

dma_intel: fix the wrong unformat type

The unformat type for "%d" should be u32 or int, otherwise the 'did' in
high stack address will be overflow to zero by the 'qid' which is in the
low stack address.

Like input "dev wq3.2" will return "did=0, qid=2".

Type: fix
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Change-Id: I0fe1d5b03e2c47e0a7925193e2c2f1ccc31d3e90

memif: Process bad descriptors correctly in memif_process_desc

When there is a bad descriptor, it may in the beginning, in the middle,
or at the end of the batch if the batch has more than 3 descriptors.
When processing a bad descriptor is encountered in the batch, we need to
rollback n_buffers in memif_process_desc(), or the statement in the same
function
memif_add_copy_op (ptd, mb0 + src_off, bytes_to_copy,
dst_off, n_buffers - 1);
is wrong because it picks up the wrong buffer_vec_index of the bad
descriptor while parsing a good descriptor immediately following the
bad descriptor. n_buffers was incremented in the beginning of
while (n_left) loop.

The other problem is we should count the number of bad packets and
reduce ptd->n_packets to get the correct number of packets for subsequent
processing in device_input.

The last fix is to check if n_buffers == 0 in device_input and skip
doing any descriptor copy. This case can happen when all the descriptors
are bad in the batch.

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I28ed1d87236b045657006755747b5750a9a733be

ethernet: fix coverity 214973

Ensure that the ethernet_input_inline_dmac_check which directly derefererences ei,
is called only if ei is set.

Type: fix
Change-Id: I2d3bce63ee457825a5d375a6102225f3abf67703
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

vlib: fix coverity 274750, part 2

Add another missing null check.

Type: fix
Change-Id: Iec4de548810efe369a6e61b8787131230506cff6
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

vlib: fix coverity 277203

Fix integer overflow.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I72de6f88be064f188204d0f6d3167a3a8d7de58d

dpdk: bump to 22.07

Type: feature

This patch bumps DPDK version to 22.07.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I72ecb31ca15774aed4453778042120610020a0c1

ethernet: refactor the redundant code

Following the discussion during the review
of b46a4e69e5db18ef792415439d04a0ab22c59386,
remove the redundant ei0. This resulted in realization
that in order for this code to do anything useful,
the ei must be always non-zero, so rewrite the logical
condition for it. Also, make it a conjunction which seems simpler
to understand.

Type: improvement
Change-Id: Ibd7b2a63e4aeaf97eb1a98af8e69aed2ff7dd577
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

vlib: use error description when dropping packets

Using the error name makes it less explicit in the packet trace than
the error description when a packet is dropped. Example of the trace
when the TTL is <=1:

01:03:17:015278: drop
ip4-input: time_expired

We should have "ip4 ttl <= 1" instead of "time_expired"

Type: fix
Change-Id: Ic9decf10d609cc938e39d0f449359e41c406267e
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>

ethernet: fix mac address increment error

Using "ip neighbor <ip-addr> <mac-addr> static count <count>" to add
static ARP entries will output wrong mac addresses due to lack of
big/little endian conversion. Fix this error by converting mac address
from big endian to little endian before doing the self-increment.

Before patched:

vpp# ip neighbor rdma-0 198.18.1.1 01:aa:bb:cc:dd:e0 static count 5
vpp# show ip neighbor
    Time                       IP                    Flags      Ethernet              Interface
      4.4400               198.18.1.5                  S    05:aa:bb:cc:dd:e0 rdma-0
      4.4399               198.18.1.4                  S    04:aa:bb:cc:dd:e0 rdma-0
      4.4399               198.18.1.3                  S    03:aa:bb:cc:dd:e0 rdma-0
      4.4399               198.18.1.2                  S    02:aa:bb:cc:dd:e0 rdma-0
      4.4399               198.18.1.1                  S    01:aa:bb:cc:dd:e0 rdma-0

After patched:

vpp# ip neighbor rdma-0 198.18.1.1 01:aa:bb:cc:dd:e0 static count 5
vpp# show ip neighbor
    Time                       IP                    Flags      Ethernet              Interface
      4.4528               198.18.1.5                  S    01:aa:bb:cc:dd:e4 rdma-0
      4.4528               198.18.1.4                  S    01:aa:bb:cc:dd:e3 rdma-0
      4.4528               198.18.1.3                  S    01:aa:bb:cc:dd:e2 rdma-0
      4.4527               198.18.1.2                  S    01:aa:bb:cc:dd:e1 rdma-0
      4.4527               198.18.1.1                  S    01:aa:bb:cc:dd:e0 rdma-0

Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: Iec1e00e381e4aba96639f831e7e42e070be3f278

fib: fix coverity 249175

Add an assert to express the constraint to coverity without
incurring the overhead in release builds.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I2c22f8b2565c645d95c9c0be37381060e151420f

fib: fix coverity 253539

Add an ASSERT so coverity is aware of the assumption taken,
without incurring any penalty in release build.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I3e7e1e77059492315409efbed47657f9e56d167c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

ethernet: fix coverity 218549

Check that the pointer is non-null before dereferencing it.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I611a1042d08bbe455dd09a4fa5711fe86c440240

nat: fix coverity 249202

In case of a bad packet, the bihash kv is not initialized before being
copied in the trace. Make sure it is initialized to 0.

Type: fix

Change-Id: I22fcfe99f3586d0fa128493059547a56557b8fb5
Signed-off-by: Benoît Ganne <bganne@cisco.com>

libmemif: fix the buffer size

Type: fix

Previously, libmemif can only use buffer size which
have to be power of 2. memif protocol does not enforce
this. This patch fixes this issue.

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ic71e6a51685e2c2228c744920797064d4c7c65c9

libmemif: add support for custom buffer-size and headroom in icmp example app

Type: improvement

Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I2bdaee7938a3747e3217d6901ec3c66f1ee3da61

linux-cp: fix coverity 216937

Initialize the host_sw_if_index to ~0 so in the error cases
the variable is set to something predictable.

Type: fix
Change-Id: Ic55e4f0cbfa286e85dfb54b89b5321af18a439a1
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

nsh: fix coverity 249201

Zero-initialize the temporary struct, else a->map.adj_index is being used unset.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ia02636ea1e911250d6aa5e413de48e1e09863880

build: disable gcc warning stringop-overflow for gcc-10 or greater

- this warning causes build errors with gcc on ubuntu 22.04

Type: make

Change-Id: Id8f6ab44b2315ce8a4564ea924d799ecb6f57fdf
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>

vlib: introduce DMA infrastructure

This patch introduces DMA infrastructure into vlib. This is well known
that large amount of memory movements will drain core resource. Nowadays
more and more hardware accelerators were designed out for freeing core
from this burden. Meanwhile some restrictions still remained when
utilizing hardware accelerators, e.g. cross numa throughput will have a
significant drop compared to same node. Normally the number of hardware
accelerator instances will less than cores number, not to mention that
applications number will even beyond the number of cores. Some hardware
may support share virtual address with cores, while others are not.

Here we introduce new DMA infrastructure which can fulfill the
requirements of vpp applications like session and memif and in the
meantime dealing with hardware limitations.

Here is some design backgrounds:

  Backend is the abstract of resource which allocated from DMA device
  and can do some basic operations like configuration, DMA copy and
  result query.

  Config is the abstract of application DMA requirement. Application
  need to request an unique config index from DMA infrastructure. This
  unique config index is associated with backend resource. Two options
  cpu fallback and barrier before last can be specified in config.
  DMA transfer will be performed by CPU when backend is busy if cpu
  fallback option is enabled. DMA transfer callback will be in order
  if barrier before last option is enabled.

  We constructs all the stuffs that DMA transfer request needed into
  DMA batch. It contains the pattern of DMA descriptors and function
  pointers for submission and callback. One DMA transfer request need
  multiple times batch update and one time batch submission.

  DMA backends will assigned to config's workers threads equally. Lock
  will be used for thread-safety if same backends assigned to multiple
  threads. Backend node will check all the pending requests in worker
  thread and do callback with the pointer of DMA batch if transfer
  completed. Application can utilize cookie in DMA batch for selves
  usage.

DMA architecture:

   +----------+   +----------+           +----------+   +----------+
   | Config1  |   | Config2  |           | Config1  |   | Config2  |
   +----------+   +----------+           +----------+   +----------+
        ||             ||                     ||             ||
   +-------------------------+           +-------------------------+
   |  DMA polling thread A   |           |  DMA polling thread B   |
   +-------------------------+           +-------------------------+
               ||                                     ||
           +----------+                          +----------+
           | Backend1 |                          | Backend2 |
           +----------+                          +----------+

Type: feature

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Change-Id: I1725e0c26687985aac29618c9abe4f5e0de08ebf

wireguard: fix ipv6 payload_length computation

The ipv6 header length should not be counted in the ipv6 payload length.
This is similar to https://gerrit.fd.io/r/c/vpp/+/36945.

Type: fix
Change-Id: I22de0ff828175829102a85288513ee3f55709108
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>

vlib: allow longer version string

Type: improvement

When trying to use a version string in a downstream build that appends a
timestamp to the standard version string, compiling fails because the
version string is too long for the version and version_required fields
in vlib_plugin_registration_t. Increase the size of those arrays from 32
to 64 chars.

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I3632139e5ae7110aa4769359f380ad29522ad4ed

ipsec: fix coverity 249204

Zero-initialize the temporary struct, else coverity complains about a bunch of uninitialized fields.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I45dc42134f06917a7459d615804f978a175bec0f

linux-cp: handle AF_BRIDGE neighbors

Type: improvement

VPP crashes when a linux-cp tap is added to a bridge on the host system
because rtnl_neigh_get_dst() returns NULL for the neighbor message that
is sent by the kernel.

Check for NULL before trying to use the address from a neighbor in a
netlink message.

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I8a683d815a09620df9c0cc76e18df39828428e2c
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

lisp: address the issues raised by coverity 249165

Add the error checks in parsing, aimed to avoid parser walking past the end of packet in case the data
is garbage.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I9541b555a18baf63cb8081bcd7a4c2750f2ed012

rdma: fix coverity 249197

flags is u64, makes sure we do not overflow when shifting.

Type: fix

Change-Id: Ieea34187c0b568dc4d24c9415b9cff36907a5a87
Signed-off-by: Benoît Ganne <bganne@cisco.com>

vppinfra: fix coverity 249217

Zero-initialize the temporary struct.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I8d73feae427a17470c47d1551ba7078213b589fc

classify: fix coverity 249223

Day1 latent integer overflow.

vnet_classify_add_del defines new_hash as u32 - so replace a u64 type with u32
in split_and_rehash as well.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I51384a2db1caa4099b4d2ac25cd185bd108da037

nat: simplify per-protocol code by using an array

rather than using obfuscated macro hacery, simplify
the per-protocol data management by directly using
an array of NAT protocol types.

Type: refactor

Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I6fe987556ac9f402f8d490da0740e2b91440304c

vlib: memory leak in vlib_register_errors on create and delete interface

format returns a vector which must be free or memory is leaked.

From show memory
  3716528    66716 0x7fffbfeb0db0 _vec_resize_internal + 0xe6
                                  _vec_add + 0x164
                                  do_percent + 0xb82
                                  va_format + 0xb9
                                  format + 0x156
                                  vlib_register_errors + 0x76c
                                  setup_tx_node + 0x5c
                                  vnet_register_interface + 0xca6
                                  vnet_eth_register_interface + 0xdd
                                  memif_create_if + 0x975
                                  memif_create_command_fn + 0x461
                                  vlib_cli_dispatch_sub_commands + 0xec8

(gdb) list *(vlib_register_errors + 0x76c)
0x7ffff6e8280c is in vlib_register_errors (/home/sluong/vpp/vpp/src/vlib/error.c:224).
219
220   vec_validate (nm->node_by_error, n->error_heap_index + n_errors - 1);
221
222   for (u32 i = 0; i < n_errors; i++)
223     {
224       t.format = (char *) format (0, "%v %s: %%d", n->name, cd[i].name);
225       vm->error_elog_event_types[n->error_heap_index + i] = t;
226       nm->node_by_error[n->error_heap_index + i] = n->index;
227     }

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I2983f081b7e2c1b2d18d66afe45282933efbe127

ipsec: enable UDP encap for IPv6 ESP tun protect

Type: improvement

If an SA protecting an IPv6 tunnel interface has UDP encapsulation
enabled, the code in esp_encrypt_inline() inserts a UDP header but does
not set the next protocol or the UDP payload length, so the peer that
receives the packet drops it. Set the next protocol field and the UDP
payload length correctly.

The port(s) for UDP encapsulation of IPsec was not registered for IPv6.
Add this registration for IPv6 SAs when UDP encapsulation is enabled.

Add punt handling for IPv6 IKE on NAT-T port.
Add registration of linux-cp for the new punt reason.
Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268

unittest: fix coverity 274736

Free up the vapi context in case of failure.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I4f64e8718014d714f1b82877e69d2354b5fa44fb

wireguard: fix error type for crypto backend

Crypto backend errors should not be using the same error as missing
keypair.

Type: fix

Change-Id: I78c2b3df3f08a354463b7824349b08627f2b023c
Signed-off-by: Benoît Ganne <bganne@cisco.com>

wireguard: fix ipv6 handshake packet

IPv6 payload length should not include the size of the IPv6 header.

Type: fix

Change-Id: Iedcd17d0af8d72d9b5f8f9b605da7c99e151bc9d
Signed-off-by: Benoît Ganne <bganne@cisco.com>

vppinfra: correct clib_bitmap_set() return comment

Fix a copy-n-paste issue that left clib_bitmap_set()'s return
type documentation incorrect. Chnage it to indicate that
the function returns a new pointer for the bitmap that could
be different due to a possible reallocation.

Type: docs

Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Ia193c4673c0e4d1760e91cd7f80ebe1868a3c9b5

nat: Replace port refcounts with simple bitvectors

Previously, each address maintained an array of 32-bit
reference counts for each of 65K possible ports for each
of 4 NAT protocols.  Totalling 1MB per address.  Wow.

A close read of the code shows that an "is used" check
precedes each attempted reference count increment.
That means the refcount never actually gets above 1.
That in turn means algorithmically, a bit vector is
sufficient.  And one need not be allocated for more
than the highest validated port referenced.

These changes introduce a dynamically sized bit vector
replacing the reference counts, for a maximum of 32K
if all 4 protocols use port 65535.  In fact, protocol
OTHER is never used, so at most 24K will be used, and
none of it will be "statically" allocated per address.

Type: fix
Fixes: 85bee7548bc5a360851d92807dae6d4159b68314

Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132
Signed-off-by: Jon Loeliger <jdl@netgate.com>

dns: fix coverity 249189, 249198

Zero-initialize the temporary struct on stack.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I89ced4cca8e832827fe054e2e60986de5910360c

nsh: fix coverity 249169

Zero-initialize the temporary struct on stack.

Type: fix
Change-Id: I651f87deeb79c6c073d5c510435fa268893a3b0e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

ip-neighbor: Declarative .api counters.

Type: improvement

plus the addition of the 'thorttle' counter of IP6.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic845247a9f3288caa755c33e79ae2eb6d2029d09

ip: Use .api declarative counters for ICMP.

Type: improvement

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I3d36faa60075658fd59eb5bbe16efcb48664691b

ikev2: accept key exchange on CREATE_CHILD_SA

In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload
to enable stronger guarantees of forward secrecy.
When the KEi payload is included in the CREATE_CHILD_SA request,
responder should reply with the KEr payload and complete the key
exchange, in accordance with the RFC.

Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638

ikev2: fix possible SEGV

Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51

svm: fix coverity 249207,249209

Zero-initialize the temporary struct.

Type: fix
Change-Id: I6f7a35ace6002aa75dc986c7c7eca614c9c5c3ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

vlib: fix coverity 274744

Add a missing null check

Type: fix
Change-Id: Id1b27341480c9d62185496ae1d832360119ec198
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

vlib: fix coverity 274750

Add a missing null check.

Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ie6234804e2b89adc918ef9075f9defbb1fd35e44

memif: crash on recceiving a bad descriptor

We validate each descriptor via memif_validate_desc_data and set
desc_status to non-zero for the corresponding descriptor when
the descriptor is bad. However, desc_status is not propagated back to
xor_status in memif_validate_desc_data which eventually sets
ptd->xor_status.

Not setting ptd->xor_status causes us to treat all descriptors as
"simple". In that case, when we try to copy also the bad descriptors to
the buffers, it results a crash since desc_data is not set to point
to the correct memory in the descriptor.

The fix is to set xor_status in memif_validate_desc_data such that if
there is a bad descriptor in the frame, "is_simple" is set to false and
we have to selectively copy only the good descriptors to the buffers.

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598

wireguard: fix fib entry tracking

Type: fix

After peers roaming support addition, FIB entry tracking stopped
working. For example, it can be observed when an adjacency is stacked on
a FIB entry by the plugin and the FIB entry hasn't got ARP resolution
yet. Once the FIB entry gets ARP resolution, the adjacency is not
re-stacked as it used to. This results in endless ARP requests when a
traffic is sent via the adjacency.

This is broken because the plugin stopped using "midchain delegate" with
peers roaming support addition. The reason is that "midchain delegate"
didn't support stacking on a different FIB entry which is needed when
peer's endpoint changes. Now it is supported there (added in 36892).

With this fix, start using "midchane delegate" again and thus, fix FIB
entry tracking. Also, cover this in tests.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371

fib: support "midchain delegate" removal

Type: improvement

Currently, once an adjacency is stacked on a FIB entry via
adj_midchain_delegate_stack(), "midchain delegate" is created for the
adjacency and the FIB index is stored there. And all further calls to
adj_midchain_delegate_stack() even passing another FIB index will cause
the function to still use the stored one. In other words, there is
currently no way to stack an adjacency on another FIB index if "midchain
delegate" already exists for it.

Being able to stack on another FIB index is needed for the wireguard
plugin. As per the protocol, peers can roam between different external
endpoints. When an authenticated packet is received and it was sent from
a different endpoint than currently stored, the endpoint needs to be
updated and all futher communication needs to happen with that endpoint.
Thus, the corresponding to that peer adjacencies need to be stacked on
the FIB entry that corresponds to the new endpoint.

With this change, add adj_midchain_delegate_remove() that removes
"midchain delegate". When stacking on another FIB entry is needed,
existing "midchain delegate" can be removed and then, a new one created
with a new FIB index via adj_midchain_delegate_stack().

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ibc1c99b248a5ef8ef64867f39f494fab627a1741

tests: move "venv" to "build-root" directory from "test" directory

Type: refactor

- refactored VPP test code to remove "ignore_path" variable
from "discover_tests" function and "run_test" code
- configured VPP test makefile, config file, and 'run.sh' shell script
to move "venv" directory from "test" dir to "build-root" dir

Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com>
Change-Id: Id2beecbb99f24ce13ed118a1869c5adbef247e50

nat: fix potential out-of-bound worker array index

In several NAT submodules, the number of available ports (0xffff - 1024)
may not be divisible by the number of workers, so port_per_thread is
determined by integer division, which is the floor of the quotient.
Later when a worker index is needed, dividing the port with port_per_thread
may yield an out-of-bound array index into the workers array.

As an example, assume 2 workers are configured, then port_per_thread
will be (0xffff - 1024) / 2, which is 32255. When we compute a worker
index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2,
but since we only have 2 workers, only 0 and 1 are valid indices.

This patch fixes the problem by adding a modulo at the end of the division.

Type: fix
Signed-off-by: Jing Peng <pj.hades@gmail.com>
Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8

vrrp: fix SIGABRT crash by ASSERT() when deleting vrrp vr(MASTER state)

we need cancel vrrp_vr_timer when deleting vrrp vr

Type: fix

Signed-off-by: luoyaozu <luoyaozu@chinatelecom.cn>
Change-Id: I8ea01f1943d6e3e60c4990c5be945de613bc8b53

docs: fix spellcheck error for Ubuntu 22.04

Type: fix

Signed-off-by: Saima Yunus <yunus.saima.234@gmail.com>
Change-Id: I975990aeead6d34f0317a37e917bd92c0c89276e

http_static: validate session before sending

Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I18b9d0d67f5fe4c1714427259df29026153d8dd1

build: remove cnxk support from dpdk external deps

- the cnxk code fails to link using the gcc-11 toolchain
  included in the ARM64 Ubuntu-22.04 distro. This is required
  for Ubuntu-22.04 CI jobs (both docker image building & CI
  job execution on ARM64)
- Currently unable to replicate this failure on the dpdk repo.

Type: fix

Change-Id: Ice44aef9f0f721b4c88ac78f92a14bda87dc80a6
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>