authorZachary Leaf <zachary.leaf@arm.com>2021-06-07 03:01:07 -0500
committerNeale Ranns <neale@graphiant.com>2021-06-29 14:52:41 +0000
commitfbab65bc1c186a3029804e32e678c0fe7f823f8e (patch)
tree529284dd5aba361b33e3e51be27afa47b618f6b5
parentb940fd4d5a16b62a5aa09b924140a135fd06c6bb (diff)
ipsec: increment SPD policy counters for bypass and discard actions in ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have SPD policy counters that should be incremented on match. This fix increments the counters for inbound BYPASS and DISCARD actions. Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
-rw-r--r--src/vnet/ipsec/ipsec_input.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 15a0796fb15..96bad28c2b5 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -294,7 +294,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_bypassed += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
goto trace0;
}
else
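Review bot: The `pi0 = p0 - im->policies;` assignment followed by the `vlib_increment_combined_counter` call is now pasted four times, here and in the hunks starting at new lines 317, 390 and 413, and the commit message says the PROTECT paths carry it as well. These counters are the per-policy record of bypassed and discarded inbound traffic, and the bug this commit fixes is a path that missed the update, so one inline helper called from every match branch would make a future omission harder. The node function starts and ends outside the hunk; the helper name is a proposal and its parameter types are assumed, so check them against the node's locals.

```c
/* Proposed helper; parameter types assumed, confirm against the node's locals. */
static_always_inline void
ipsec4_input_policy_counter_inc (u32 thread_index, u32 policy_index,
				 const ip4_header_t *ip)
{
  vlib_increment_combined_counter (
    &ipsec_spd_policy_counters, thread_index, policy_index, 1,
    clib_net_to_host_u16 (ip->length));
}

/* … unchanged: ipsec_bypassed += 1; pi0 = p0 - im->policies; … */
ipsec4_input_policy_counter_inc (thread_index, pi0, ip0);
```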
@@ -312,7 +317,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_dropped += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
next[0] = IPSEC_INPUT_NEXT_DROP;
goto trace0;
}
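Review bot: The byte count added to the DISCARD policy counter is `clib_net_to_host_u16 (ip0->length)`, a value read from the packet's own IP header, and nothing in this hunk shows it being checked against the real buffer length. If an earlier node already validates the total length this is fine, but it deserves a comment such as `/* ip0->length is sender-supplied; assumes it was validated against the buffer length before this node */`. If it is not validated, malformed packets that get dropped can skew the byte statistics operators use to judge discarded traffic. The same applies to the discard hunk at new line 413 and to the two bypass hunks; the enclosing block continues outside the hunk.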
@@ -380,7 +390,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_bypassed += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
goto trace1;
}
else
@@ -398,7 +413,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_dropped += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
next[0] = IPSEC_INPUT_NEXT_DROP;
goto trace1;
}