Release notes for VPP 23.02

More than 243 commits since the previous release, including 118 fixes.

Of particular importance, this release contains the fix for JIRA VPP-2307 (CVE-2022-46397): FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode.

Features

  • Binary API Compiler for Python

  • Plugins

    • AVF Device driver

    • CNat

    • Crypto - ipsecmb

    • DPDK

      • Add Intel QAT 200xx series support (a57549ad2)

    • HTTP

    • Unicast Reverse Path forwarding

      • Add mode for specific fib index lookup (b3605eab5)

  • VNET

    • Device Drivers

    • IPSec

      • Introduce fast path ipv6 inbound matching (06abf2352)

      • Remove redundant policy array in fast path spd (14bf6a8fb)

      • New api for sa ips and ports updates (4117b24ac)

    • Segment Routing (IPv6 and MPLS)

    • UDP

  • VPP Comms Library

    • Add api to check if vcl disconnected from VPP (6ff8e90ed)

  • VPP StrongSwan Daemon

Known issues

For the full list of issues please refer to fd.io JIRA.

Fixed issues

For the full list of fixed issues please refer to:

  • fd.io JIRA

  • git commit log

API changes

Description of results:

  • Definition changed: indicates that the API file was modified between releases.

  • Only in image: indicates the API is new for this release.

  • Only in file: indicates the API has been removed in this release.

Message Name                            Result
bridge_domain_add_del_v2                only in image
bridge_domain_add_del_v2_reply          only in image
ipsec_sad_entry_update                  only in image
ipsec_sad_entry_update_reply            only in image
nat44_del_user                          only in file
nat44_del_user_reply                    only in file
nat44_ei_user_session_v2_details        only in image
nat44_ei_user_session_v2_dump           only in image
nat44_user_session_v3_details           only in image
nat44_user_session_v3_dump              only in image
nat_get_addr_and_port_alloc_alg         only in file
nat_get_addr_and_port_alloc_alg_reply   only in file
nat_ha_flush                            only in file
nat_ha_flush_reply                      only in file
nat_ha_get_failover                     only in file
nat_ha_get_failover_reply               only in file
nat_ha_get_listener                     only in file
nat_ha_get_listener_reply               only in file
nat_ha_resync                           only in file
nat_ha_resync_completed_event           only in file
nat_ha_resync_reply                     only in file
nat_ha_set_failover                     only in file
nat_ha_set_failover_reply               only in file
nat_ha_set_listener                     only in file
nat_ha_set_listener_reply               only in file
nat_set_addr_and_port_alloc_alg         only in file
nat_set_addr_and_port_alloc_alg_reply   only in file
sr_localsids_with_packet_stats_details  only in image
sr_localsids_with_packet_stats_dump     only in image
sr_pt_iface_add                         only in image
sr_pt_iface_add_reply                   only in image
sr_pt_iface_del                         only in image
sr_pt_iface_del_reply                   only in image
sr_pt_iface_details                     only in image
sr_pt_iface_dump                        only in image
urpf_update_v2                          only in image
urpf_update_v2_reply                    only in image

Found 37 api message signature differences

Newly deprecated API messages

These messages are still there in the API, but can and probably will disappear in the next release.

  • bridge_domain_add_del

  • bridge_domain_add_del_reply

  • create_vhost_user_if

  • create_vhost_user_if_reply

  • ipsec_spd_entry_add_del_reply

  • modify_vhost_user_if

  • modify_vhost_user_if_reply

In-progress API messages

These messages are provided for testing and experimentation only. They are not subject to any compatibility process, and therefore can arbitrarily change or disappear at any moment. Also they may have less than satisfactory testing, making them unsuitable for other use than the technology preview. If you are intending to use these messages in production projects, please collaborate with the feature maintainer on their productization.

  • abf_itf_attach_add_del

  • abf_itf_attach_add_del_reply

  • abf_itf_attach_details

  • abf_itf_attach_dump

  • abf_plugin_get_version

  • abf_plugin_get_version_reply

  • abf_policy_add_del

  • abf_policy_add_del_reply

  • abf_policy_details

  • abf_policy_dump

  • acl_plugin_use_hash_lookup_get

  • acl_plugin_use_hash_lookup_get_reply

  • acl_plugin_use_hash_lookup_set

  • acl_plugin_use_hash_lookup_set_reply

  • adl_allowlist_enable_disable

  • adl_allowlist_enable_disable_reply

  • adl_interface_enable_disable

  • adl_interface_enable_disable_reply

  • cnat_get_snat_addresses

  • cnat_get_snat_addresses_reply

  • cnat_session_details

  • cnat_session_dump

  • cnat_session_purge

  • cnat_session_purge_reply

  • cnat_set_snat_addresses

  • cnat_set_snat_addresses_reply

  • cnat_set_snat_policy

  • cnat_set_snat_policy_reply

  • cnat_snat_policy_add_del_exclude_pfx

  • cnat_snat_policy_add_del_exclude_pfx_reply

  • cnat_snat_policy_add_del_if

  • cnat_snat_policy_add_del_if_reply

  • cnat_translation_del

  • cnat_translation_del_reply

  • cnat_translation_details

  • cnat_translation_dump

  • cnat_translation_update

  • cnat_translation_update_reply

  • crypto_sw_scheduler_set_worker

  • crypto_sw_scheduler_set_worker_reply

  • det44_get_timeouts_reply

  • det44_interface_add_del_feature

  • det44_interface_add_del_feature_reply

  • det44_interface_details

  • det44_interface_dump

  • det44_plugin_enable_disable

  • det44_plugin_enable_disable_reply

  • det44_set_timeouts

  • det44_set_timeouts_reply

  • flow_add

  • flow_add_reply

  • flow_add_v2

  • flow_add_v2_reply

  • flow_del

  • flow_del_reply

  • flow_disable

  • flow_disable_reply

  • flow_enable

  • flow_enable_reply

  • flowprobe_get_params

  • flowprobe_get_params_reply

  • flowprobe_interface_add_del

  • flowprobe_interface_add_del_reply

  • flowprobe_interface_details

  • flowprobe_interface_dump

  • flowprobe_set_params

  • flowprobe_set_params_reply

  • gbp_bridge_domain_add

  • gbp_bridge_domain_add_reply

  • gbp_bridge_domain_del

  • gbp_bridge_domain_del_reply

  • gbp_bridge_domain_details

  • gbp_bridge_domain_dump

  • gbp_bridge_domain_dump_reply

  • gbp_contract_add_del

  • gbp_contract_add_del_reply

  • gbp_contract_details

  • gbp_contract_dump

  • gbp_endpoint_add

  • gbp_endpoint_add_reply

  • gbp_endpoint_del

  • gbp_endpoint_del_reply

  • gbp_endpoint_details

  • gbp_endpoint_dump

  • gbp_endpoint_group_add

  • gbp_endpoint_group_add_reply

  • gbp_endpoint_group_del

  • gbp_endpoint_group_del_reply

  • gbp_endpoint_group_details

  • gbp_endpoint_group_dump

  • gbp_ext_itf_add_del

  • gbp_ext_itf_add_del_reply

  • gbp_ext_itf_details

  • gbp_ext_itf_dump

  • gbp_recirc_add_del

  • gbp_recirc_add_del_reply

  • gbp_recirc_details

  • gbp_recirc_dump

  • gbp_route_domain_add

  • gbp_route_domain_add_reply

  • gbp_route_domain_del

  • gbp_route_domain_del_reply

  • gbp_route_domain_details

  • gbp_route_domain_dump

  • gbp_route_domain_dump_reply

  • gbp_subnet_add_del

  • gbp_subnet_add_del_reply

  • gbp_subnet_details

  • gbp_subnet_dump

  • gbp_vxlan_tunnel_add

  • gbp_vxlan_tunnel_add_reply

  • gbp_vxlan_tunnel_del

  • gbp_vxlan_tunnel_del_reply

  • gbp_vxlan_tunnel_details

  • gbp_vxlan_tunnel_dump

  • ikev2_child_sa_details

  • ikev2_child_sa_dump

  • ikev2_initiate_del_child_sa

  • ikev2_initiate_del_child_sa_reply

  • ikev2_initiate_del_ike_sa

  • ikev2_initiate_del_ike_sa_reply

  • ikev2_initiate_rekey_child_sa

  • ikev2_initiate_rekey_child_sa_reply

  • ikev2_initiate_sa_init

  • ikev2_initiate_sa_init_reply

  • ikev2_nonce_get

  • ikev2_nonce_get_reply

  • ikev2_profile_add_del

  • ikev2_profile_add_del_reply

  • ikev2_profile_details

  • ikev2_profile_disable_natt

  • ikev2_profile_disable_natt_reply

  • ikev2_profile_dump

  • ikev2_profile_set_auth

  • ikev2_profile_set_auth_reply

  • ikev2_profile_set_id

  • ikev2_profile_set_id_reply

  • ikev2_profile_set_ipsec_udp_port

  • ikev2_profile_set_ipsec_udp_port_reply

  • ikev2_profile_set_liveness

  • ikev2_profile_set_liveness_reply

  • ikev2_profile_set_ts

  • ikev2_profile_set_ts_reply

  • ikev2_profile_set_udp_encap

  • ikev2_profile_set_udp_encap_reply

  • ikev2_sa_details

  • ikev2_sa_dump

  • ikev2_set_esp_transforms

  • ikev2_set_esp_transforms_reply

  • ikev2_set_ike_transforms

  • ikev2_set_ike_transforms_reply

  • ikev2_set_local_key

  • ikev2_set_local_key_reply

  • ikev2_set_responder

  • ikev2_set_responder_hostname

  • ikev2_set_responder_hostname_reply

  • ikev2_set_responder_reply

  • ikev2_set_sa_lifetime

  • ikev2_set_sa_lifetime_reply

  • ikev2_set_tunnel_interface

  • ikev2_set_tunnel_interface_reply

  • ikev2_traffic_selector_details

  • ikev2_traffic_selector_dump

  • ip_route_add_del_v2

  • ip_route_add_del_v2_reply

  • ip_route_lookup_v2

  • ip_route_lookup_v2_reply

  • ip_route_v2_details

  • ip_route_v2_dump

  • l2_emulation

  • l2_emulation_reply

  • lcp_default_ns_get_reply

  • lcp_default_ns_set

  • lcp_default_ns_set_reply

  • lcp_itf_pair_add_del

  • lcp_itf_pair_add_del_reply

  • lcp_itf_pair_add_del_v2

  • lcp_itf_pair_details

  • mdata_enable_disable

  • mdata_enable_disable_reply

  • nat44_ei_add_del_address_range

  • nat44_ei_add_del_address_range_reply

  • nat44_ei_add_del_static_mapping

  • nat44_ei_add_del_static_mapping_reply

  • nat44_ei_address_details

  • nat44_ei_address_dump

  • nat44_ei_del_session

  • nat44_ei_del_session_reply

  • nat44_ei_del_user

  • nat44_ei_del_user_reply

  • nat44_ei_forwarding_enable_disable

  • nat44_ei_forwarding_enable_disable_reply

  • nat44_ei_ha_flush

  • nat44_ei_ha_flush_reply

  • nat44_ei_ha_resync

  • nat44_ei_ha_resync_completed_event

  • nat44_ei_ha_resync_reply

  • nat44_ei_ha_set_failover

  • nat44_ei_ha_set_failover_reply

  • nat44_ei_ha_set_listener

  • nat44_ei_ha_set_listener_reply

  • nat44_ei_interface_add_del_feature

  • nat44_ei_interface_add_del_feature_reply

  • nat44_ei_interface_details

  • nat44_ei_interface_dump

  • nat44_ei_ipfix_enable_disable

  • nat44_ei_ipfix_enable_disable_reply

  • nat44_ei_plugin_enable_disable

  • nat44_ei_plugin_enable_disable_reply

  • nat44_ei_set_addr_and_port_alloc_alg

  • nat44_ei_set_addr_and_port_alloc_alg_reply

  • nat44_ei_set_fq_options

  • nat44_ei_set_fq_options_reply

  • nat44_ei_set_mss_clamping

  • nat44_ei_set_mss_clamping_reply

  • nat44_ei_set_timeouts

  • nat44_ei_set_timeouts_reply

  • nat44_ei_set_workers

  • nat44_ei_set_workers_reply

  • nat44_ei_show_fq_options

  • nat44_ei_show_fq_options_reply

  • nat44_ei_show_running_config

  • nat44_ei_show_running_config_reply

  • nat44_ei_static_mapping_details

  • nat44_ei_static_mapping_dump

  • nat44_ei_user_details

  • nat44_ei_user_dump

  • nat44_ei_user_session_details

  • nat44_ei_user_session_dump

  • nat44_ei_user_session_v2_details

  • nat44_ei_user_session_v2_dump

  • nat44_ei_worker_details

  • nat44_ei_worker_dump

  • nat64_plugin_enable_disable

  • nat64_plugin_enable_disable_reply

  • oddbuf_enable_disable

  • oddbuf_enable_disable_reply

  • pg_interface_enable_disable_coalesce

  • pg_interface_enable_disable_coalesce_reply

  • pnat_binding_add

  • pnat_binding_add_reply

  • pnat_binding_add_v2

  • pnat_binding_add_v2_reply

  • pnat_binding_attach

  • pnat_binding_attach_reply

  • pnat_binding_del

  • pnat_binding_del_reply

  • pnat_binding_detach

  • pnat_binding_detach_reply

  • pnat_bindings_details

  • pnat_bindings_get

  • pnat_bindings_get_reply

  • pnat_interfaces_details

  • pnat_interfaces_get

  • pnat_interfaces_get_reply

  • sample_macswap_enable_disable

  • sample_macswap_enable_disable_reply

  • sr_localsids_with_packet_stats_details

  • sr_localsids_with_packet_stats_dump

  • sr_policies_with_sl_index_details

  • sr_policies_with_sl_index_dump

  • sw_interface_set_vxlan_gbp_bypass

  • sw_interface_set_vxlan_gbp_bypass_reply

  • test_addresses

  • test_addresses2

  • test_addresses2_reply

  • test_addresses3

  • test_addresses3_reply

  • test_addresses_reply

  • test_empty

  • test_empty_reply

  • test_enum

  • test_enum_reply

  • test_interface

  • test_interface_reply

  • test_prefix

  • test_prefix_reply

  • test_string

  • test_string2

  • test_string2_reply

  • test_string_reply

  • test_vla

  • test_vla2

  • test_vla2_reply

  • test_vla3

  • test_vla3_reply

  • test_vla4

  • test_vla4_reply

  • test_vla5

  • test_vla5_reply

  • test_vla_reply

  • trace_capture_packets

  • trace_capture_packets_reply

  • trace_clear_capture

  • trace_clear_capture_reply

  • trace_details

  • trace_dump

  • trace_dump_reply

  • trace_set_filters

  • trace_set_filters_reply

  • vxlan_gbp_tunnel_add_del

  • vxlan_gbp_tunnel_add_del_reply

  • vxlan_gbp_tunnel_details

  • vxlan_gbp_tunnel_dump

  • want_wireguard_peer_events

  • want_wireguard_peer_events_reply

  • wg_set_async_mode

  • wg_set_async_mode_reply

  • wireguard_interface_create

  • wireguard_interface_create_reply

  • wireguard_interface_delete

  • wireguard_interface_delete_reply

  • wireguard_interface_details

  • wireguard_interface_dump

  • wireguard_peer_add

  • wireguard_peer_add_reply

  • wireguard_peer_event

  • wireguard_peer_remove

  • wireguard_peer_remove_reply

  • wireguard_peers_details

  • wireguard_peers_dump

Patches that changed API definitions

src/plugins/af_packet/af_packet.api

src/plugins/vhost/vhost_user.api

  • 7eba44d1e vhost: convert vhost device driver to a plugin

src/plugins/nat/nat44-ed/nat44_ed.api

  • a923ce591 nat: cleanup of deprecated features

  • 91246bc6a nat: report time between current vpp time and last_heard

src/plugins/nat/nat44-ei/nat44_ei.api

  • 91246bc6a nat: report time between current vpp time and last_heard

src/plugins/urpf/urpf.api

  • b3605eab5 urpf: add mode for specific fib index lookup

src/vnet/udp/udp.api

  • 5c801b362 udp: add udp encap source port entropy support

src/vnet/ip/ip.api

  • d92524687 vnet: fix ip4 version and IHL check

src/vnet/ipsec/ipsec.api

  • 4117b24ac ipsec: new api for sa ips and ports updates

  • 520cde406 ipsec: use correct reply message

src/vnet/srv6/sr_pt.api

src/vnet/srv6/sr.api

  • 9503eb59c sr: new messages created to return packet statistics in sr localsid details

src/vnet/l2/l2.api

  • 0f8f4351b l2: Add bridge_domain_add_del_v2 to l2 api

src/vnet/bfd/bfd.api

  • 415b6a7c7 bfd: fix bfd udp error enum incompatibility