author | Zachary Leaf <zachary.leaf@arm.com> | 2021-06-07 03:01:07 -0500 |
---|---|---|
committer | Neale Ranns <neale@graphiant.com> | 2021-06-29 14:52:41 +0000 |
commit | fbab65bc1c186a3029804e32e678c0fe7f823f8e (patch) | |
tree | 529284dd5aba361b33e3e51be27afa47b618f6b5 | |
parent | b940fd4d5a16b62a5aa09b924140a135fd06c6bb (diff) |
ipsec: increment SPD policy counters for bypass and discard actions in ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.
This fix increments the counters for inbound BYPASS and DISCARD actions.
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
-rw-r--r-- | src/vnet/ipsec/ipsec_input.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c index 15a0796fb15..96bad28c2b5 100644 --- a/src/vnet/ipsec/ipsec_input.c +++ b/src/vnet/ipsec/ipsec_input.c @@ -294,7 +294,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_bypassed += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + goto trace0; } else @@ -312,7 +317,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_dropped += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + next[0] = IPSEC_INPUT_NEXT_DROP; goto trace0; } @@ -380,7 +390,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_bypassed += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + goto trace1; } else @@ -398,7 +413,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_dropped += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + next[0] = IPSEC_INPUT_NEXT_DROP; goto trace1; } |
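Review bot: The same four-line sequence (`pi0 = p0 - im->policies;` followed by the `vlib_increment_combined_counter` call) is pasted into all four hunks, at @@ -294, @@ -312, @@ -380 and @@ -413. Consider factoring it into a small always-inline helper that takes `im`, `p0`, `thread_index` and `ip0`, so the BYPASS and DISCARD branches on both the `trace0` and `trace1` paths cannot drift apart when the counter arguments change later.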
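Review bot: In the two DISCARD hunks (@@ -312 and @@ -413) the byte count passed to the counter is `clib_net_to_host_u16 (ip0->length)`, which is the length the sender declared in the IPv4 header. For traffic that is about to be dropped, it is worth stating in a comment whether that field has already been validated by this point in the graph, or using the buffer's own length instead, so that the per-policy byte totals operators monitor reflect what actually arrived.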
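Review bot: The diffstat shows only `src/vnet/ipsec/ipsec_input.c` changing, so nothing exercises the new increments. Please add a test that installs an inbound BYPASS policy and an inbound DISCARD policy, sends matching packets, and asserts the packet and byte values of `ipsec_spd_policy_counters` for each policy index, covering both the branch that ends in `goto trace0` and the one that ends in `goto trace1`.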