This patch initializes the salt value used by the following cipher
algorithms:
- CBC: random salt
- GCM/CTR: the key required is 20B, and the last 4B are used as salt.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Introduce a specific cryptodev queue size macro.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Application will segfault if there is IPv4 or IPv6 and no SP/ACL rules
for IPv4 or IPv6 respectively.
Avoid checking the ACL/SP in such cases.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
RFC3686: Using AES Counter (CTR) Mode With IPsec ESP.`
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Add support for AES-GCM (Galois-Counter Mode).
RFC4106: The Use of Galois-Counter Mode (GCM) in IPSec ESP.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
NIST SP800-38A recommends two methods to generate unpredictable IVs
(Initilisation Vector) for CBC mode:
1) Apply the forward function to a nonce (ie. counter)
2) Use a FIPS-approved random number generator
This patch implements the first recommended method by using the forward
function to generate the IV.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch enables ZUC EEA3 cipher algorithm and
ZUC EIA3 authentication algorithm support to
l2fwd-crypto sample application.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Deepak Kumar Jain <deepak.k.jain@intel.com>
This patch adds two sample configuration files to ipsec-secgw sample
application. The sample configuration files show how to setup
back-to-back systems that would forward traffic through an IPsec
tunnel.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
This patch adds the configuration file support to ipsec_secgw
sample application. Instead of hard-coded rules, the users can
specify their own SP, SA, and routing rules in the configuration
file. A command line option "-f" is added to pass the
configuration file location to the application.
Configuration item formats:
SP rule format:
sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \
<proto> <sport> <dport>
SA rule format:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \
<mode> <src_ip> <dst_ip>
Routing rule format:
rt <ip_ver> <src_ip> <dst_ip> <port>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
SNOW 3G algorithm has all uppercase letters in its name
and a space between SNOW and 3G, but some references of it
had some lowercase letters or no space.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Deepak Kumar Jain <deepak.k.jain@intel.com>
When VMDQ is enabled, different NICs have different behaviors for
disabling VLAN strip. In detail, i40e only enables/disables it of
PF's main vsi; fm10k cannot disable VLAN strip, etc. We now remove
this option, --vlan-strip, to reduce any confusion. And now, VLAN
strip will be enabled and cannot be disabled.
Reported-by: Qian Xu <qian.q.xu@intel.com>
Signed-off-by: Jianfeng Tan <jianfeng.tan@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
When examples/vhost runs in client mode, only one QEMU can be connected.
This is because that examples/vhost just supports one socket file. This
patch is to add multiple sockets support for examples/vhost.
Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
In examples/vhost, "dev-basename" is a program option, which is to set
the vhost-net socket used by vhost-user, or the character device used
by vhost-cuse. Since vhost-cuse should be dropped, and "dev-basename"
is not a suitable name for the vhost-net socket. Therefore, this patch
is to change this option name for examples/vhost.
Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Now that hotplug has been moved to eal, there is no reason to keep the
device type in this layer.
Signed-off-by: David Marchand <david.marchand@6wind.com>
Signed-off-by: Shreyansh Jain <shreyansh.jain@nxp.com>
This patch fixes ip_pipeline panic in app_init_core_map while preparing cpu
core map in powerpc with SMT off. cpu_core_map_compute_linux currently prepares
core mapping based on file existence in sysfs ie.
/sys/devices/system/cpu/cpu<LCORE_NUM>/topology/physical_package_id
/sys/devices/system/cpu/cpu<LCORE_NUM>/topology/core_id
These files do not exist for lcores which are offline for any reason (as in
powerpc, while SMT is off). In this situation, this function should further
continue preparing map for other online lcores instead of returning with -1
for a first unavailable lcore.
Also, in SMT=off scenario for powerpc, lcore ids can not be always indexed from
0 upto 'number of cores present' (/sys/devices/system/cpu/present). For eg, for
an online lcore 32, core_id returned in sysfs is 112 where online lcores are
10 (as in one configuration), hence sysfs lcore id can not be checked with
indexing lcore number before positioning lcore map array.
Signed-off-by: Gowrishankar Muthukrishnan <gowrishankar.m@linux.vnet.ibm.com>
Acked-by: Chao Zhu <chaozhu@linux.vnet.ibm.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Due to regular lintian checks in Debian packaging it surfaced that these
two scripts had a space in their #! statement.
It is changed to an interpreter compatible with Python 2 and 3.
Fixes: 8673a3e8 ("examples/ip_pipeline: add config diagram generator")
Fixes: fa667b46 ("examples/ip_pipeline: add core mappings script")
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Following discussions on the mailing list [1] and since nobody stood up to
implement the necessary cleanups, here is the ivshmem integration removal.
There is not much to say about this patch, a lot of code is being removed.
The default configuration file for packet_ordering example is replaced with
the "native" x86 file.
The only tricky part is in eal_memory with the memseg index stuff.
More cleanups can be done after this but will come in subsequent patchsets.
[1]: http://dpdk.org/ml/archives/dev/2016-June/040844.html
Signed-off-by: David Marchand <david.marchand@6wind.com>
Acked-by: Panu Matilainen <pmatilai@redhat.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
This configuration is example configuration for flow classification.
This fix changes the offset and mask value to compute the hash correctly.
This fix does not involve code change and do not impact compilation,
build and performance.
Fixes: 93771a569daa ("examples/ip_pipeline: rework flow classification CLI")
Signed-off-by: Sankar Chokkalingam <sankarx.chokkalingam@intel.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
There is a dependency on librt with old glibc.
The -lrt option was added everywhere it is needed but was also
added in some applications makefiles as the first link option.
The problem is this option is really useful only if added after
the objects or libraries using it (except if using --whole-archive).
And the -lrt options put after were removed to avoid duplicates.
It was resulting in errors linking test application:
eal_timer.c:(.text+0x128): undefined reference to `clock_gettime'
eal_timer.c:(.text+0x166): undefined reference to `clock_gettime'
eal_alarm.c:(.text+0xda): undefined reference to `clock_gettime'
eal_alarm.c:(.text+0x211): undefined reference to `clock_gettime'
It is fixed by removing superfluous -lrt in app makefiles.
Fixes: 281948b4753e ("mk: fix missing librt dependencies")
Fixes: 2f6414f4baf1 ("mk: fix static link with glibc < 2.17")
Reported-by: Piotr Azarewicz <piotrx.t.azarewicz@intel.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
icc version 16.0.2, compile error:
examples/l2fwd-ivshmem/host/host.c(157):
error #3656: variable "total_vm_packets_dropped"
may be used before its value is set
total_vm_packets_dropped += ctrl->vm_ports[portid].stats.dropped;
^
Fixes: 6aa497249172 ("examples/l2fwd-ivshmem: import sample application")
Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
In TM, the read size should be lesser than the write size to improve
performance.
This enables the TM ports to push maximum packets to the output port.
This fix changes the burst_read value from 64 to 24 in default_tm_params.
Signed-off-by: Sankar Chokkalingam <sankarx.chokkalingam@intel.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
IP Pipeline application with the configuration for Flow Classification
IPV6 did not instantiate.
Parse error in section "PIPELINE1": entry "dma_src_mask" too long
The dma_src_mask check in pipeline_passthrough_parse_args() is wrong.
This fix increases the length of dma_src_mask by 1 for NULL termination
and corrected the validation of dma_src_mask length.
This fix is also propagated to pipeline_fc_parse_args() for key_mask_str
validation.
Signed-off-by: Sankar Chokkalingam <sankarx.chokkalingam@intel.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Error while executing action flow bulk command
pipeline> p 1 action flow bulk ./config/action.txt
Command "action flow bulk" failed
pipeline>
The flow action entries are added successfully.
But the return value is not computed correctly.
Due to this, the error message appears on CLI.
The return value is computed with rsp->n_flows after rsp pointer is freed.
This fix computes the return value before rsp pointer is freed.
Signed-off-by: Sankar Chokkalingam <sankarx.chokkalingam@intel.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
pthread_detach() function was returning 0 even when not calling
lthread_detach(), due to missing braces in conditional
(extra indentation was applied, giving a hint this is the correct fix).
Fixes: 433ba6228f9a ("examples/performance-thread: add pthread_shim app")
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Tested-by: John McNamara <john.mcnamara@intel.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
We find significant perfermance drop introduced by below commit,
when vhost example is started with --mergeable 0 and inside vm,
kernel virtio-net driver is used to do ip based forwarding.
The commit, 859b480d5afd ("vhost: add guest offload setting"), adds
support for VIRTIO_NET_F_GUEST_TSO4 and VIRTIO_NET_F_GUEST_TSO6,
in vhost lib. But inside vhost example, the way to disable tso only
excludes the direction from virtio to vhost, but not the opposite
direction. When mergeable is disabled, it triggers big_packets path
of virtio-net driver to prepare to receive possible big packets with
size of 64K. Because mergeable is off, for each entry of avail ring,
virtio driver uses 19 desc chained together, with one desc pointing
to header, other 18 desc pointing to 4K-sized pages. But QEMU only
creates 256 desc entries for each vq, which results in that only 13
packets can be received. VM kernel can quickly handle those packets
and go to sleep (HLT).
As QEMU has no option to set the desc entries of a vq, so here,
we disable VIRTIO_NET_F_GUEST_TSO4 and VIRTIO_NET_F_GUEST_TSO6
with VIRTIO_NET_F_HOST_TSO4 and VIRTIO_NET_F_HOST_TSO6 when we
disable tso of vhost example, to avoid VM kernel virtio driver
go into big_packets path.
Fixes: 9fd72e3cbd29 ("examples/vhost: add virtio offload")
Reported-by: Qian Xu <qian.q.xu@intel.com>
Signed-off-by: Jianfeng Tan <jianfeng.tan@intel.com>
Tested-by: Qian Xu <qian.q.xu@intel.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
The usual device sequence is configure, queue setup and start.
Crypto device should be started before use.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
The usual device sequence is configure, queue setup and start.
Crypto device should be started before use.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
GCC 4.5.x does not handle well initializing anonymous union and/or
structs.
To make the compiler happy we name those anonymous union/struct.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
When sending Inbound non IPSec traffic that matches an Inbound Security
Policy set to Protect, the code will check that the SPI of the packet
and the associated Security Association match.
That check should only be done for IPSec packets and results in SEGFAULT
when done on non IPSec packets.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
This patch improve generate_random_key() function by replacing rand()
function with reading from /dev/urandom.
CID 120136 : Calling risky function (DC.WEAK_CRYPTO)
dont_call: rand should not be used for security related applications, as
linear congruential algorithms are too easy to break
Coverity issue: 120136
Signed-off-by: Piotr Azarewicz <piotrx.t.azarewicz@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Zero packets can be returned by rte_eth_rx_burst() and
rte_distributor_returned_pkts() inside lcore_rx(), so
for zero packet scenario instead of proceeding to
next operations we should continue to the next iteration of the
loop to avoid unnecessary processing overhead which is causing
rx packets to be dropped and hence distributor failing to forward the
packets.
Fixes: 07db4a97 ("examples/distributor: new sample app")
Signed-off-by: Reshma Pattan <reshma.pattan@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This commit adds Python script for generating diagram of the application
configuration file. This script requires graphviz package to be installed
on the machine. The input config file is translated to an output file in
DOT syntax, which is then used to create the image file using graphviz.
To run the script, following command is used;
./diagram-generator.py -f <input configuration file>
Some optional arguments are as follows:
-h, --help show this help message and exit
Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
Macro CHANNEL_CMDS_MAX_CPUS stand for the maximum number of cores
controlled by virtual channels. This macro only be used in the example,
so remove it from library to example header file.
Signed-off-by: Marvin Liu <yong.liu@intel.com>
The example is calling rte_eal_wait_lcore without checking return value.
Now it is fixed by checking the value and print proper message.
Coverity issue: 37789, 37790
Fixes: cc7e8ae84faa ("examples/bond: add example application for link bonding mode 6")
Signed-off-by: Piotr Azarewicz <piotrx.t.azarewicz@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Coverity reported lots of out-of-bounds in function
vxlan_link, these issues should happen when index
port_id evaluates to 2, cause size of arrays is
2 in structure.
Fix this issue by modifying judgement condition, make
sure port_id is less than 2.
Coverity issue: 107121, 107122, 107123, 107124, 107125
Fixes: 4abe471ed6fc ("examples/tep_term: implement VXLAN processing")
Signed-off-by: Beilei Xing <beilei.xing@intel.com>
Update l3fwd example usage and documentation with missing options.
Signed-off-by: Beilei Xing <beilei.xing@intel.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
crypto_statistics array was not big enough for storing
all the possible crypto device statistics, as its size was
RTE_MAX_ETHPORTS, but should be RTE_CRYPTO_MAX_DEVS, leading
this to a potential out-of-bounds issue.
Coverity issue: 120145
Fixes: 387259bd6c67 ("examples/l2fwd-crypto: add sample application")
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Crypto operations are enqueued in the crypto devices
when the crypto device buffers are full (MAX_PKT_BURST),
in order to be more efficient.
The problem is that operations might be stuck in those buffers,
if they never get full, and therefore, those operations
will never be performed.
Therefore, it is necessary to have a buffer flush mechanism,
similar to the one used for flush the TX buffers, so eventually,
all packets received are ciphered and sent out.
Fixes: 387259bd6c67 ("examples/l2fwd-crypto: add sample application")
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
When the specified cores and memory lie on different NUMA socket with
physical NIC, vhost fails to set up Rx queue, and exits without any
hints. This could leads to confusion of users.
This patch fixes it by adding some error messages when calling ether
APIs returns errors.
Suggested-by: Yulong Pei <yulong.pei@intel.com>
Signed-off-by: Jianfeng Tan <jianfeng.tan@intel.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
The multi_process example do not need rte_hash.
But these examples cannot compile if rte_hash is not available:
- ipsec-secgw (was already protected - no change)
- ipv4_multicast
- l3fwd-power
- l3fwd-vf
- tep_termination
- ip_pipeline
The ip_pipeline example is not disabled because its dependencies
are handled with #ifdef. It may require a separate fix.
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
The ethtool app was allocating too little space for 64-bit
registers which resulted in memory corruption.
Removes hard-coded assumption that device registers
are always 32 bits wide. The rte_eth_dev_get_reg_length
and rte_eth_dev_get_reg_info callbacks did not
provide register size to the app in any way while is
needed to allocate correct number of bytes before
retrieving registers using rte_eth_dev_get_reg.
This commit changes rte_eth_dev_get_reg_info so that
it can be used to retrieve both the number of registers
and their width, and removes the now-redundant
rte_eth_dev_get_reg_length.
Signed-off-by: Zyta Szpak <zyta.szpak@semihalf.com>
Acked-by: Remy Horton <remy.horton@intel.com>
The mempool_count and mempool_free_count behaved contrary to what their
names suggested. The free_count function actually returned the number of
elements that were allocated from the pool, not the number unallocated as
the name implied.
Fix this by introducing two new functions to replace the old ones,
* rte_mempool_avail_count to replace rte_mempool_count
* rte_mempool_in_use_count to replace rte_mempool_free_count
In this patch, the new functions are added, and the old ones are marked
as deprecated. All apps and examples that use the old functions are
updated to use the new functions.
Fixes: af75078fece3 ("first public release")
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Some libraries were missing their dependency on eal, mbuf, mempool,
ring and kvargs.
It is revealed by the linker option "-z defs".
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Add a new paramter (flags) to rte_vhost_driver_register(). DPDK
vhost-user acts as client mode when RTE_VHOST_USER_CLIENT flag
is set. The flags would also allow future extensions without
breaking the API (again).
The rest is straingfoward then: allocate a unix socket, and
bind/listen for server, connect for client.
This extension is for vhost-user only, therefore we simply quit
and report error when any flags are given for vhost-cuse.
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
With all the previous prepare works, we are just one step away from
the final ABI refactoring. That is, to change current API to let them
stick to vid instead of the old virtio_net dev.
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Rich Lane <rich.lane@bigswitch.com>
Acked-by: Rich Lane <rich.lane@bigswitch.com>