author | Neale Ranns <neale@graphiant.com> | 2022-08-09 03:34:51 +0000 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2022-08-11 06:51:07 +0000 |
commit | 93688d7341ada44755dc0432de3e3dbaaa8aa111 (patch) | |
tree | a468a2d86cd2b96b662ab8f408ed02ab921de4d5 | |
parent | 13a74ae25d606f0ee85b65a57d7cba8bba86c2c2 (diff) |
ipsec: Use .api declared error counters
Type: improvement
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 31 | ||||
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 28 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 64 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 68 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 268 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun_in.c | 56 | ||||
-rw-r--r-- | test/template_ipsec.py | 30 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 6 |
8 files changed, 348 insertions, 203 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index 1ad372a7de0..c9209d6ceb0 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -23,6 +23,7 @@ #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> #include <vnet/ipsec/ipsec_io.h> +#include <vnet/ipsec/ipsec.api_enum.h> #define foreach_ah_decrypt_next \ _(DROP, "error-drop") \ @@ -38,28 +39,6 @@ typedef enum AH_DECRYPT_N_NEXT, } ah_decrypt_next_t; -#define foreach_ah_decrypt_error \ - _ (RX_PKTS, "AH pkts received") \ - _ (DECRYPTION_FAILED, "AH decryption failed") \ - _ (INTEG_ERROR, "Integrity check failed") \ - _ (NO_TAIL_SPACE, "not enough buffer tail space (dropped)") \ - _ (DROP_FRAGMENTS, "IP fragments drop") \ - _ (REPLAY, "SA replayed packet") - -typedef enum -{ -#define _(sym,str) AH_DECRYPT_ERROR_##sym, - foreach_ah_decrypt_error -#undef _ - AH_DECRYPT_N_ERROR, -} ah_decrypt_error_t; - -static char *ah_decrypt_error_strings[] = { -#define _(sym,string) string, - foreach_ah_decrypt_error -#undef _ -}; - typedef struct { ipsec_integ_alg_t integ_alg; @@ -443,8 +422,8 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = { .format_trace = format_ah_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ah_decrypt_error_strings), - .error_strings = ah_decrypt_error_strings, + .n_errors = AH_DECRYPT_N_ERROR, + .error_counters = ah_decrypt_error_counters, .n_next_nodes = AH_DECRYPT_N_NEXT, .next_nodes = { @@ -470,8 +449,8 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = { .format_trace = format_ah_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ah_decrypt_error_strings), - .error_strings = ah_decrypt_error_strings, + .n_errors = AH_DECRYPT_N_ERROR, + .error_counters = ah_decrypt_error_counters, .n_next_nodes = AH_DECRYPT_N_NEXT, .next_nodes = { diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index bb971e40811..7116a160926 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c 
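Review bot: ah4_decrypt_node in the `@@ -443,8 +422,8 @@` hunk, and ah6_decrypt_node in the one after it, now take their counters from `ah_decrypt_error_counters`, but the `paths` block this commit adds to ipsec.api maps only `/err/ah4-encrypt` and `/err/ah6-encrypt` for AH and has no entry for the two decrypt nodes. If that block is what ties a stats path to its counter set (an inference, since its consumer is not visible here), the AH `integ_error` and `replay` counters are left without a declared path, and those are the ones an operator would watch for tampering or replay. Assuming the nodes follow the encrypt naming, I would add `"/err/ah4-decrypt" "ah_decrypt";` and `"/err/ah6-decrypt" "ah_decrypt";` to the paths block. Both node registrations start and end outside their hunks.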
@@ -22,6 +22,7 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> +#include <vnet/ipsec/ipsec.api_enum.h> #include <vnet/tunnel/tunnel_dp.h> #define foreach_ah_encrypt_next \ @@ -38,25 +39,6 @@ typedef enum AH_ENCRYPT_N_NEXT, } ah_encrypt_next_t; -#define foreach_ah_encrypt_error \ - _ (RX_PKTS, "AH pkts received") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") - -typedef enum -{ -#define _(sym,str) AH_ENCRYPT_ERROR_##sym, - foreach_ah_encrypt_error -#undef _ - AH_ENCRYPT_N_ERROR, -} ah_encrypt_error_t; - -static char *ah_encrypt_error_strings[] = { -#define _(sym,string) string, - foreach_ah_encrypt_error -#undef _ -}; - typedef struct { u32 sa_index; @@ -462,8 +444,8 @@ VLIB_REGISTER_NODE (ah4_encrypt_node) = { .format_trace = format_ah_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ah_encrypt_error_strings), - .error_strings = ah_encrypt_error_strings, + .n_errors = AH_ENCRYPT_N_ERROR, + .error_counters = ah_encrypt_error_counters, .n_next_nodes = AH_ENCRYPT_N_NEXT, .next_nodes = { @@ -488,8 +470,8 @@ VLIB_REGISTER_NODE (ah6_encrypt_node) = { .format_trace = format_ah_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ah_encrypt_error_strings), - .error_strings = ah_encrypt_error_strings, + .n_errors = AH_ENCRYPT_N_ERROR, + .error_counters = ah_encrypt_error_counters, .n_next_nodes = AH_ENCRYPT_N_NEXT, .next_nodes = { diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 21159fba84b..af90bc4c7ba 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -23,6 +23,7 @@ #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ipsec_io.h> #include <vnet/ipsec/ipsec_tun.h> +#include <vnet/ipsec/ipsec.api_enum.h> #include <vnet/gre/packet.h> 
@@ -57,35 +58,6 @@ typedef enum ESP_DECRYPT_POST_N_NEXT, } esp_decrypt_post_next_t; -#define foreach_esp_decrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (RX_POST_PKTS, "ESP-POST pkts received") \ - _ (HANDOFF, "hand-off") \ - _ (DECRYPTION_FAILED, "ESP decryption failed") \ - _ (INTEG_ERROR, "Integrity check failed") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (REPLAY, "SA replayed packet") \ - _ (RUNT, "undersized packet") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") \ - _ (OVERSIZED_HEADER, "buffer with oversized header (dropped)") \ - _ (NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \ - _ (TUN_NO_PROTO, "no tunnel protocol") \ - _ (UNSUP_PAYLOAD, "unsupported payload") - -typedef enum -{ -#define _(sym,str) ESP_DECRYPT_ERROR_##sym, - foreach_esp_decrypt_error -#undef _ - ESP_DECRYPT_N_ERROR, -} esp_decrypt_error_t; - -static char *esp_decrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_decrypt_error -#undef _ -}; - typedef struct { u32 seq; @@ -96,6 +68,8 @@ typedef struct ipsec_integ_alg_t integ_alg; } esp_decrypt_trace_t; +typedef vl_counter_esp_decrypt_enum_t esp_decrypt_error_t; + /* The number of byres in the hisequence number */ #define N_HI_ESN_BYTES 4 @@ -1481,8 +1455,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { @@ -1501,8 +1475,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp4-decrypt", }; 
@@ -1513,8 +1487,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { @@ -1533,8 +1507,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp6-decrypt", }; @@ -1544,8 +1518,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_node) = { .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { [ESP_DECRYPT_NEXT_DROP] = "ip4-drop", @@ -1563,8 +1537,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp4-decrypt-tun", }; @@ -1574,8 +1548,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_node) = { .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { [ESP_DECRYPT_NEXT_DROP] = "ip6-drop", 
@@ -1593,8 +1567,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp6-decrypt-tun", }; diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 9d3a835699f..d28f4f5e425 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -23,6 +23,7 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/ipsec/ipsec_tun.h> +#include <vnet/ipsec/ipsec.api_enum.h> #include <vnet/ipsec/esp.h> #include <vnet/tunnel/tunnel_dp.h> @@ -43,31 +44,6 @@ typedef enum ESP_ENCRYPT_N_NEXT, } esp_encrypt_next_t; -#define foreach_esp_encrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (POST_RX_PKTS, "ESP-post pkts received") \ - _ (HANDOFF, "Hand-off") \ - _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") \ - _ (NO_PROTECTION, "no protecting SA (packet dropped)") \ - _ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)") - -typedef enum -{ -#define _(sym,str) ESP_ENCRYPT_ERROR_##sym, - foreach_esp_encrypt_error -#undef _ - ESP_ENCRYPT_N_ERROR, -} esp_encrypt_error_t; - -static char *esp_encrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_encrypt_error -#undef _ -}; - typedef struct { u32 sa_index; @@ -84,6 +60,8 @@ typedef struct u32 next_index; } esp_encrypt_post_trace_t; +typedef vl_counter_esp_encrypt_enum_t esp_encrypt_error_t; + /* packet trace format function */ static u8 * format_esp_encrypt_trace (u8 * s, va_list * args) 
@@ -1182,8 +1160,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", @@ -1211,8 +1189,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1232,8 +1210,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1252,8 +1230,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1272,8 +1250,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { 
@@ -1302,8 +1280,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt-tun", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1322,8 +1300,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1354,8 +1332,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1372,8 +1350,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1400,8 +1378,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; #ifndef CLIB_MARCH_VARIANT diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 18df893c0d4..401564bd39b 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api 
@@ -505,6 +505,274 @@ autoreply define ipsec_set_async_mode { bool async_enable; }; +counters esp_decrypt { + rx_pkts { + severity info; + type counter64; + units "packets"; + description "ESP pkts received"; + }; + rx_post_pkts { + severity info; + type counter64; + units "packets"; + description "ESP-POST pkts received"; + }; + handoff { + severity info; + type counter64; + units "packets"; + description "hand-off"; + }; + decryption_failed { + severity error; + type counter64; + units "packets"; + description "ESP decryption failed"; + }; + integ_error { + severity error; + type counter64; + units "packets"; + description "integrity check failed"; + }; + crypto_engine_error { + severity error; + type counter64; + units "packets"; + description "crypto engine error (packet dropped)"; + }; + replay { + severity error; + type counter64; + units "packets"; + description "SA replayed packet"; + }; + runt { + severity error; + type counter64; + units "packets"; + description "undersized packet"; + }; + no_buffers { + severity error; + type counter64; + units "packets"; + description "no buffers (packet dropped)"; + }; + oversized_header { + severity error; + type counter64; + units "packets"; + description "buffer with oversized header (dropped)"; + }; + no_tail_space { + severity error; + type counter64; + units "packets"; + description "no enough buffer tail space (dropped)"; + }; + tun_no_proto { + severity error; + type counter64; + units "packets"; + description "no tunnel protocol"; + }; + unsup_payload { + severity error; + type counter64; + units "packets"; + description "unsupported payload"; + }; +}; + +counters esp_encrypt { + rx_pkts { + severity info; + type counter64; + units "packets"; + description "ESP pkts received"; + }; + post_rx_pkts { + severity info; + type counter64; + units "packets"; + description "ESP-post pkts received"; + }; + handoff { + severity info; + type counter64; + units "packets"; + description "Hand-off"; + }; + seq_cycled { + 
severity error; + type counter64; + units "packets"; + description "sequence number cycled (packet dropped)"; + }; + crypto_engine_error { + severity error; + type counter64; + units "packets"; + description "crypto engine error (packet dropped)"; + }; + crypto_queue_full { + severity error; + type counter64; + units "packets"; + description "crypto queue full (packet dropped)"; + }; + no_buffers { + severity error; + type counter64; + units "packets"; + description "no buffers (packet dropped)"; + }; + no_protection { + severity error; + type counter64; + units "packets"; + description "no protecting SA (packet dropped)"; + }; + no_encryption { + severity error; + type counter64; + units "packets"; + description "no Encrypting SA (packet dropped)"; + }; +}; + +counters ah_encrypt { + rx_pkts { + severity info; + type counter64; + units "packets"; + description "AH pkts received"; + }; + crypto_engine_error { + severity error; + type counter64; + units "packets"; + description "crypto engine error (packet dropped)"; + }; + seq_cycled { + severity error; + type counter64; + units "packets"; + description "sequence number cycled (packet dropped)"; + }; +}; + +counters ah_decrypt { + rx_pkts { + severity info; + type counter64; + units "packets"; + description "AH pkts received"; + }; + decryption_failed { + severity error; + type counter64; + units "packets"; + description "AH decryption failed"; + }; + integ_error { + severity error; + type counter64; + units "packets"; + description "Integrity check failed"; + }; + no_tail_space { + severity error; + type counter64; + units "packets"; + description "not enough buffer tail space (dropped)"; + }; + drop_fragments { + severity error; + type counter64; + units "packets"; + description "IP fragments drop"; + }; + replay { + severity error; + type counter64; + units "packets"; + description "SA replayed packet"; + }; +}; + +counters ipsec_tun { + rx { + severity info; + type counter64; + units "packets"; + description 
"good packets received"; + }; + disabled { + severity error; + type counter64; + units "packets"; + description "ipsec packets received on disabled interface"; + }; + no_tunnel { + severity error; + type counter64; + units "packets"; + description "no matching tunnel"; + }; + tunnel_mismatch { + severity error; + type counter64; + units "packets"; + description "SPI-tunnel mismatch"; + }; + nat_keepalive { + severity info; + type counter64; + units "packets"; + description "NAT Keepalive"; + }; + too_short { + severity error; + type counter64; + units "packets"; + description "Too Short"; + }; + spi_0 { + severity info; + type counter64; + units "packets"; + description "SPI 0"; + }; +}; + +paths { + "/err/esp4-encrypt" "esp_encrypt"; + "/err/esp4-encrypt-post" "esp_encrypt"; + "/err/esp4-encrypt-tun" "esp_encrypt"; + "/err/esp4-encrypt-tun-post" "esp_encrypt"; + "/err/esp6-encrypt" "esp_encrypt"; + "/err/esp6-encrypt-post" "esp_encrypt"; + "/err/esp6-encrypt-tun" "esp_encrypt"; + "/err/esp6-encrypt-tun-post" "esp_encrypt"; + "/err/esp-mpls-encrypt-tun" "esp_encrypt"; + "/err/esp-mpls-encrypt-tun-post" "esp_encrypt"; + "/err/esp4-decrypt" "esp_decrypt"; + "/err/esp4-decrypt-post" "esp_decrypt"; + "/err/esp4-decrypt-tun" "esp_decrypt"; + "/err/esp4-decrypt-tun-post" "esp_decrypt"; + "/err/esp6-decrypt" "esp_decrypt"; + "/err/esp6-decrypt-post" "esp_decrypt"; + "/err/esp6-decrypt-tun" "esp_decrypt"; + "/err/esp6-decrypt-tun-post" "esp_decrypt"; + "/err/ah4-encrypt" "ah_encrypt"; + "/err/ah6-encrypt" "ah_encrypt"; + "/err/ipsec4-tun-input" "ipsec_tun"; + "/err/ipsec6-tun-input" "ipsec_tun"; +}; + /* * Local Variables: * eval: (c-set-style "gnu") diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c index c414be05f7e..8e97fbcc740 100644 --- a/src/vnet/ipsec/ipsec_tun_in.c +++ b/src/vnet/ipsec/ipsec_tun_in.c 
@@ -24,31 +24,10 @@ #include <vnet/ipsec/ipsec_io.h> #include <vnet/ipsec/ipsec_punt.h> #include <vnet/ipsec/ipsec_tun.h> +#include <vnet/ipsec/ipsec.api_enum.h> #include <vnet/ip/ip4_input.h> -/* Statistics (not really errors) */ -#define foreach_ipsec_tun_protect_input_error \ - _(RX, "good packets received") \ - _(DISABLED, "ipsec packets received on disabled interface") \ - _(NO_TUNNEL, "no matching tunnel") \ - _(TUNNEL_MISMATCH, "SPI-tunnel mismatch") \ - _(NAT_KEEPALIVE, "NAT Keepalive") \ - _(TOO_SHORT, "Too Short") \ - _(SPI_0, "SPI 0") - -static char *ipsec_tun_protect_input_error_strings[] = { -#define _(sym,string) string, - foreach_ipsec_tun_protect_input_error -#undef _ -}; - -typedef enum -{ -#define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym, - foreach_ipsec_tun_protect_input_error -#undef _ - IPSEC_TUN_PROTECT_INPUT_N_ERROR, -} ipsec_tun_protect_input_error_t; +typedef vl_counter_ipsec_tun_enum_t ipsec_tun_protect_input_error_t; typedef enum ipsec_tun_next_t_ { @@ -93,14 +72,14 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node, { if (PREDICT_FALSE (0 == esp->spi)) { - b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0]; + b->error = node->errors[IPSEC_TUN_ERROR_SPI_0]; b->punt_reason = ipsec_punt_reason[(ip4->protocol == IP_PROTOCOL_UDP ? IPSEC_PUNT_IP4_SPI_UDP_0 : IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)]; } else { - b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL]; + b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL]; b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL]; } return VNET_DEVICE_INPUT_NEXT_PUNT; @@ -110,7 +89,7 @@ always_inline u16 ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node, vlib_buffer_t * b, const esp_header_t * esp) { - b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL]; + b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL]; b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL]; return VNET_DEVICE_INPUT_NEXT_PUNT; 
@@ -206,8 +185,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (clib_net_to_host_u16 (udp0->length) == 9 && esp0->spi_bytes[0] == 0xff) { - b[0]->error = - node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NAT_KEEPALIVE]; + b[0]->error = node->errors[IPSEC_TUN_ERROR_NAT_KEEPALIVE]; next[0] = VNET_DEVICE_INPUT_NEXT_IP4_DROP; len0 = 0; @@ -230,7 +208,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (len0 < sizeof (esp_header_t)) { - b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT]; + b[0]->error = node->errors[IPSEC_TUN_ERROR_TOO_SHORT]; next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : VNET_DEVICE_INPUT_NEXT_IP4_DROP; @@ -309,7 +287,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index0, 1, len0); n_disabled++; - b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED]; + b[0]->error = node->errors[IPSEC_TUN_ERROR_DISABLED]; next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : VNET_DEVICE_INPUT_NEXT_IP4_DROP; goto trace00; @@ -377,12 +355,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, thread_index, last_sw_if_index, n_packets, n_bytes); - vlib_node_increment_counter (vm, node->node_index, - IPSEC_TUN_PROTECT_INPUT_ERROR_RX, - from_frame->n_vectors - (n_disabled + - n_no_tunnel)); - vlib_node_increment_counter (vm, node->node_index, - IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL, + vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_RX, + from_frame->n_vectors - + (n_disabled + n_no_tunnel)); + vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_NO_TUNNEL, n_no_tunnel); vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors); 
@@ -403,8 +379,8 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_tun_protect_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings), - .error_strings = ipsec_tun_protect_input_error_strings, + .n_errors = IPSEC_TUN_N_ERROR, + .error_counters = ipsec_tun_error_counters, .sibling_of = "device-input", }; /* *INDENT-ON* */ @@ -422,8 +398,8 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_tun_protect_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings), - .error_strings = ipsec_tun_protect_input_error_strings, + .n_errors = IPSEC_TUN_N_ERROR, + .error_counters = ipsec_tun_error_counters, .sibling_of = "device-input", }; /* *INDENT-ON* */ diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 2295b7579c5..ce188622a9e 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -330,12 +330,12 @@ class IpsecTra4(object): """verify methods for Transport v4""" def get_replay_counts(self, p): - replay_node_name = "/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[0] + replay_node_name = "/err/%s/replay" % self.tra4_decrypt_node_name[0] count = self.statistics.get_err_counter(replay_node_name) if p.async_mode: replay_post_node_name = ( - "/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[p.async_mode] + "/err/%s/replay" % self.tra4_decrypt_node_name[p.async_mode] ) count += self.statistics.get_err_counter(replay_post_node_name) 
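Review bot: The counter path in get_replay_counts changes from `/err/<node>/SA replayed packet` to `/err/<node>/replay`, so the stats path is now built from the .api counter name instead of the description string. The later hunks of this file show the same rename for `decryption_failed`, `integ_error`, `seq_cycled`, `runt`, `nat_keepalive` and `too_short`. Any external collector or alert keyed on the old description-based paths for replay or integrity failures would presumably stop matching without an error, and the commit message does not mention the rename. I would list the old and new names in the commit message or release notes and add a comment above the first use, such as `# stat paths use the .api counter name, not its description string`. get_replay_counts continues outside the hunk.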
@@ -344,13 +344,11 @@ class IpsecTra4(object): def get_hash_failed_counts(self, p): if ESP == self.encryption_type and p.crypt_algo == "AES-GCM": hash_failed_node_name = ( - "/err/%s/ESP decryption failed" - % self.tra4_decrypt_node_name[p.async_mode] + "/err/%s/decryption_failed" % self.tra4_decrypt_node_name[p.async_mode] ) else: hash_failed_node_name = ( - "/err/%s/Integrity check failed" - % self.tra4_decrypt_node_name[p.async_mode] + "/err/%s/integ_error" % self.tra4_decrypt_node_name[p.async_mode] ) count = self.statistics.get_err_counter(hash_failed_node_name) @@ -365,10 +363,7 @@ class IpsecTra4(object): esn_on = p.vpp_tra_sa.esn_en ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY - seq_cycle_node_name = ( - "/err/%s/sequence number cycled (packet dropped)" - % self.tra4_encrypt_node_name - ) + seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name replay_count = self.get_replay_counts(p) hash_failed_count = self.get_hash_failed_counts(p) seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name) @@ -605,18 +600,13 @@ class IpsecTra4(object): p = self.params[socket.AF_INET] esn_en = p.vpp_tra_sa.esn_en - seq_cycle_node_name = ( - "/err/%s/sequence number cycled (packet dropped)" - % self.tra4_encrypt_node_name - ) + seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name replay_count = self.get_replay_counts(p) hash_failed_count = self.get_hash_failed_counts(p) seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name) if ESP == self.encryption_type: - undersize_node_name = ( - "/err/%s/undersized packet" % self.tra4_decrypt_node_name[0] - ) + undersize_node_name = "/err/%s/runt" % self.tra4_decrypt_node_name[0] undersize_count = self.statistics.get_err_counter(undersize_node_name) # 
@@ -1459,7 +1449,7 @@ class IpsecTun4(object): ) self.send_and_assert_no_replies(self.tun_if, pkt * 31) self.assert_error_counter_equal( - "/err/%s/NAT Keepalive" % self.tun4_input_node, 31 + "/err/%s/nat_keepalive" % self.tun4_input_node, 31 ) pkt = ( @@ -1469,7 +1459,7 @@ class IpsecTun4(object): / Raw(b"\xfe") ) self.send_and_assert_no_replies(self.tun_if, pkt * 31) - self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 31) + self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 31) pkt = ( Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) @@ -1479,7 +1469,7 @@ class IpsecTun4(object): / Padding(0 * 21) ) self.send_and_assert_no_replies(self.tun_if, pkt * 31) - self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 62) + self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 62) class IpsecTun4Tests(IpsecTun4): diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 9da75f0a4aa..d10ad216bd6 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -1842,7 +1842,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): dst=self.pg1.remote_ip6, ) self.send_and_assert_no_replies(self.tun_if, tx) - node_name = "/err/%s/unsupported payload" % self.tun4_decrypt_node_name[0] + node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0] self.assertEqual(1, self.statistics.get_err_counter(node_name)) @@ -2577,9 +2577,7 @@ class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): # bounce the interface state p.tun_if.admin_down() self.verify_drop_tun_66(np, count=127) - node = ( - "/err/ipsec6-tun-input/%s" % "ipsec packets received on disabled interface" - ) + node = "/err/ipsec6-tun-input/disabled" self.assertEqual(127, self.statistics.get_err_counter(node)) p.tun_if.admin_up() self.verify_tun_66(np, count=127) |