summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <neale@graphiant.com>2022-08-09 03:34:51 +0000
committerBeno�t Ganne <bganne@cisco.com>2022-08-11 06:51:07 +0000
commit93688d7341ada44755dc0432de3e3dbaaa8aa111 (patch)
treea468a2d86cd2b96b662ab8f408ed02ab921de4d5
parent13a74ae25d606f0ee85b65a57d7cba8bba86c2c2 (diff)
ipsec: Use .api declared error counters
Type: improvement Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
-rw-r--r--src/vnet/ipsec/ah_decrypt.c31
-rw-r--r--src/vnet/ipsec/ah_encrypt.c28
-rw-r--r--src/vnet/ipsec/esp_decrypt.c64
-rw-r--r--src/vnet/ipsec/esp_encrypt.c68
-rw-r--r--src/vnet/ipsec/ipsec.api268
-rw-r--r--src/vnet/ipsec/ipsec_tun_in.c56
-rw-r--r--test/template_ipsec.py30
-rw-r--r--test/test_ipsec_tun_if_esp.py6
8 files changed, 348 insertions, 203 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 1ad372a7de0..c9209d6ceb0 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -23,6 +23,7 @@
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
#include <vnet/ipsec/ipsec_io.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#define foreach_ah_decrypt_next \
_(DROP, "error-drop") \
@@ -38,28 +39,6 @@ typedef enum
AH_DECRYPT_N_NEXT,
} ah_decrypt_next_t;
-#define foreach_ah_decrypt_error \
- _ (RX_PKTS, "AH pkts received") \
- _ (DECRYPTION_FAILED, "AH decryption failed") \
- _ (INTEG_ERROR, "Integrity check failed") \
- _ (NO_TAIL_SPACE, "not enough buffer tail space (dropped)") \
- _ (DROP_FRAGMENTS, "IP fragments drop") \
- _ (REPLAY, "SA replayed packet")
-
-typedef enum
-{
-#define _(sym,str) AH_DECRYPT_ERROR_##sym,
- foreach_ah_decrypt_error
-#undef _
- AH_DECRYPT_N_ERROR,
-} ah_decrypt_error_t;
-
-static char *ah_decrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_ah_decrypt_error
-#undef _
-};
-
typedef struct
{
ipsec_integ_alg_t integ_alg;
@@ -443,8 +422,8 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = {
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
+ .n_errors = AH_DECRYPT_N_ERROR,
+ .error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {
@@ -470,8 +449,8 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = {
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
+ .n_errors = AH_DECRYPT_N_ERROR,
+ .error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index bb971e40811..7116a160926 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -22,6 +22,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/tunnel/tunnel_dp.h>
#define foreach_ah_encrypt_next \
@@ -38,25 +39,6 @@ typedef enum
AH_ENCRYPT_N_NEXT,
} ah_encrypt_next_t;
-#define foreach_ah_encrypt_error \
- _ (RX_PKTS, "AH pkts received") \
- _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
- _ (SEQ_CYCLED, "sequence number cycled (packet dropped)")
-
-typedef enum
-{
-#define _(sym,str) AH_ENCRYPT_ERROR_##sym,
- foreach_ah_encrypt_error
-#undef _
- AH_ENCRYPT_N_ERROR,
-} ah_encrypt_error_t;
-
-static char *ah_encrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_ah_encrypt_error
-#undef _
-};
-
typedef struct
{
u32 sa_index;
@@ -462,8 +444,8 @@ VLIB_REGISTER_NODE (ah4_encrypt_node) = {
.format_trace = format_ah_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_encrypt_error_strings),
- .error_strings = ah_encrypt_error_strings,
+ .n_errors = AH_ENCRYPT_N_ERROR,
+ .error_counters = ah_encrypt_error_counters,
.n_next_nodes = AH_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -488,8 +470,8 @@ VLIB_REGISTER_NODE (ah6_encrypt_node) = {
.format_trace = format_ah_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_encrypt_error_strings),
- .error_strings = ah_encrypt_error_strings,
+ .n_errors = AH_ENCRYPT_N_ERROR,
+ .error_counters = ah_encrypt_error_counters,
.n_next_nodes = AH_ENCRYPT_N_NEXT,
.next_nodes = {
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 21159fba84b..af90bc4c7ba 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -23,6 +23,7 @@
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ipsec_io.h>
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/gre/packet.h>
@@ -57,35 +58,6 @@ typedef enum
ESP_DECRYPT_POST_N_NEXT,
} esp_decrypt_post_next_t;
-#define foreach_esp_decrypt_error \
- _ (RX_PKTS, "ESP pkts received") \
- _ (RX_POST_PKTS, "ESP-POST pkts received") \
- _ (HANDOFF, "hand-off") \
- _ (DECRYPTION_FAILED, "ESP decryption failed") \
- _ (INTEG_ERROR, "Integrity check failed") \
- _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
- _ (REPLAY, "SA replayed packet") \
- _ (RUNT, "undersized packet") \
- _ (NO_BUFFERS, "no buffers (packet dropped)") \
- _ (OVERSIZED_HEADER, "buffer with oversized header (dropped)") \
- _ (NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \
- _ (TUN_NO_PROTO, "no tunnel protocol") \
- _ (UNSUP_PAYLOAD, "unsupported payload")
-
-typedef enum
-{
-#define _(sym,str) ESP_DECRYPT_ERROR_##sym,
- foreach_esp_decrypt_error
-#undef _
- ESP_DECRYPT_N_ERROR,
-} esp_decrypt_error_t;
-
-static char *esp_decrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_esp_decrypt_error
-#undef _
-};
-
typedef struct
{
u32 seq;
@@ -96,6 +68,8 @@ typedef struct
ipsec_integ_alg_t integ_alg;
} esp_decrypt_trace_t;
+typedef vl_counter_esp_decrypt_enum_t esp_decrypt_error_t;
+
/* The number of byres in the hisequence number */
#define N_HI_ESN_BYTES 4
@@ -1481,8 +1455,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
@@ -1501,8 +1475,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.sibling_of = "esp4-decrypt",
};
@@ -1513,8 +1487,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
@@ -1533,8 +1507,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.sibling_of = "esp6-decrypt",
};
@@ -1544,8 +1518,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_node) = {
.vector_size = sizeof (u32),
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
[ESP_DECRYPT_NEXT_DROP] = "ip4-drop",
@@ -1563,8 +1537,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.sibling_of = "esp4-decrypt-tun",
};
@@ -1574,8 +1548,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_node) = {
.vector_size = sizeof (u32),
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
[ESP_DECRYPT_NEXT_DROP] = "ip6-drop",
@@ -1593,8 +1567,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
+ .n_errors = ESP_DECRYPT_N_ERROR,
+ .error_counters = esp_decrypt_error_counters,
.sibling_of = "esp6-decrypt-tun",
};
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 9d3a835699f..d28f4f5e425 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -23,6 +23,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/ipsec/esp.h>
#include <vnet/tunnel/tunnel_dp.h>
@@ -43,31 +44,6 @@ typedef enum
ESP_ENCRYPT_N_NEXT,
} esp_encrypt_next_t;
-#define foreach_esp_encrypt_error \
- _ (RX_PKTS, "ESP pkts received") \
- _ (POST_RX_PKTS, "ESP-post pkts received") \
- _ (HANDOFF, "Hand-off") \
- _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \
- _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
- _ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \
- _ (NO_BUFFERS, "no buffers (packet dropped)") \
- _ (NO_PROTECTION, "no protecting SA (packet dropped)") \
- _ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)")
-
-typedef enum
-{
-#define _(sym,str) ESP_ENCRYPT_ERROR_##sym,
- foreach_esp_encrypt_error
-#undef _
- ESP_ENCRYPT_N_ERROR,
-} esp_encrypt_error_t;
-
-static char *esp_encrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_esp_encrypt_error
-#undef _
-};
-
typedef struct
{
u32 sa_index;
@@ -84,6 +60,8 @@ typedef struct
u32 next_index;
} esp_encrypt_post_trace_t;
+typedef vl_counter_esp_encrypt_enum_t esp_encrypt_error_t;
+
/* packet trace format function */
static u8 *
format_esp_encrypt_trace (u8 * s, va_list * args)
@@ -1182,8 +1160,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop",
@@ -1211,8 +1189,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1232,8 +1210,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1252,8 +1230,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1272,8 +1250,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1302,8 +1280,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt-tun",
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1322,8 +1300,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1354,8 +1332,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp-mpls-encrypt-tun",
- .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1372,8 +1350,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1400,8 +1378,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp-mpls-encrypt-tun",
- .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
+ .n_errors = ESP_ENCRYPT_N_ERROR,
+ .error_counters = esp_encrypt_error_counters,
};
#ifndef CLIB_MARCH_VARIANT
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 18df893c0d4..401564bd39b 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -505,6 +505,274 @@ autoreply define ipsec_set_async_mode {
bool async_enable;
};
+counters esp_decrypt {
+ rx_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "ESP pkts received";
+ };
+ rx_post_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "ESP-POST pkts received";
+ };
+ handoff {
+ severity info;
+ type counter64;
+ units "packets";
+ description "hand-off";
+ };
+ decryption_failed {
+ severity error;
+ type counter64;
+ units "packets";
+ description "ESP decryption failed";
+ };
+ integ_error {
+ severity error;
+ type counter64;
+ units "packets";
+ description "integrity check failed";
+ };
+ crypto_engine_error {
+ severity error;
+ type counter64;
+ units "packets";
+ description "crypto engine error (packet dropped)";
+ };
+ replay {
+ severity error;
+ type counter64;
+ units "packets";
+ description "SA replayed packet";
+ };
+ runt {
+ severity error;
+ type counter64;
+ units "packets";
+ description "undersized packet";
+ };
+ no_buffers {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no buffers (packet dropped)";
+ };
+ oversized_header {
+ severity error;
+ type counter64;
+ units "packets";
+ description "buffer with oversized header (dropped)";
+ };
+ no_tail_space {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no enough buffer tail space (dropped)";
+ };
+ tun_no_proto {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no tunnel protocol";
+ };
+ unsup_payload {
+ severity error;
+ type counter64;
+ units "packets";
+ description "unsupported payload";
+ };
+};
+
+counters esp_encrypt {
+ rx_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "ESP pkts received";
+ };
+ post_rx_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "ESP-post pkts received";
+ };
+ handoff {
+ severity info;
+ type counter64;
+ units "packets";
+ description "Hand-off";
+ };
+ seq_cycled {
+ severity error;
+ type counter64;
+ units "packets";
+ description "sequence number cycled (packet dropped)";
+ };
+ crypto_engine_error {
+ severity error;
+ type counter64;
+ units "packets";
+ description "crypto engine error (packet dropped)";
+ };
+ crypto_queue_full {
+ severity error;
+ type counter64;
+ units "packets";
+ description "crypto queue full (packet dropped)";
+ };
+ no_buffers {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no buffers (packet dropped)";
+ };
+ no_protection {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no protecting SA (packet dropped)";
+ };
+ no_encryption {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no Encrypting SA (packet dropped)";
+ };
+};
+
+counters ah_encrypt {
+ rx_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "AH pkts received";
+ };
+ crypto_engine_error {
+ severity error;
+ type counter64;
+ units "packets";
+ description "crypto engine error (packet dropped)";
+ };
+ seq_cycled {
+ severity error;
+ type counter64;
+ units "packets";
+ description "sequence number cycled (packet dropped)";
+ };
+};
+
+counters ah_decrypt {
+ rx_pkts {
+ severity info;
+ type counter64;
+ units "packets";
+ description "AH pkts received";
+ };
+ decryption_failed {
+ severity error;
+ type counter64;
+ units "packets";
+ description "AH decryption failed";
+ };
+ integ_error {
+ severity error;
+ type counter64;
+ units "packets";
+ description "Integrity check failed";
+ };
+ no_tail_space {
+ severity error;
+ type counter64;
+ units "packets";
+ description "not enough buffer tail space (dropped)";
+ };
+ drop_fragments {
+ severity error;
+ type counter64;
+ units "packets";
+ description "IP fragments drop";
+ };
+ replay {
+ severity error;
+ type counter64;
+ units "packets";
+ description "SA replayed packet";
+ };
+};
+
+counters ipsec_tun {
+ rx {
+ severity info;
+ type counter64;
+ units "packets";
+ description "good packets received";
+ };
+ disabled {
+ severity error;
+ type counter64;
+ units "packets";
+ description "ipsec packets received on disabled interface";
+ };
+ no_tunnel {
+ severity error;
+ type counter64;
+ units "packets";
+ description "no matching tunnel";
+ };
+ tunnel_mismatch {
+ severity error;
+ type counter64;
+ units "packets";
+ description "SPI-tunnel mismatch";
+ };
+ nat_keepalive {
+ severity info;
+ type counter64;
+ units "packets";
+ description "NAT Keepalive";
+ };
+ too_short {
+ severity error;
+ type counter64;
+ units "packets";
+ description "Too Short";
+ };
+ spi_0 {
+ severity info;
+ type counter64;
+ units "packets";
+ description "SPI 0";
+ };
+};
+
+paths {
+ "/err/esp4-encrypt" "esp_encrypt";
+ "/err/esp4-encrypt-post" "esp_encrypt";
+ "/err/esp4-encrypt-tun" "esp_encrypt";
+ "/err/esp4-encrypt-tun-post" "esp_encrypt";
+ "/err/esp6-encrypt" "esp_encrypt";
+ "/err/esp6-encrypt-post" "esp_encrypt";
+ "/err/esp6-encrypt-tun" "esp_encrypt";
+ "/err/esp6-encrypt-tun-post" "esp_encrypt";
+ "/err/esp-mpls-encrypt-tun" "esp_encrypt";
+ "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
+ "/err/esp4-decrypt" "esp_decrypt";
+ "/err/esp4-decrypt-post" "esp_decrypt";
+ "/err/esp4-decrypt-tun" "esp_decrypt";
+ "/err/esp4-decrypt-tun-post" "esp_decrypt";
+ "/err/esp6-decrypt" "esp_decrypt";
+ "/err/esp6-decrypt-post" "esp_decrypt";
+ "/err/esp6-decrypt-tun" "esp_decrypt";
+ "/err/esp6-decrypt-tun-post" "esp_decrypt";
+ "/err/ah4-encrypt" "ah_encrypt";
+ "/err/ah6-encrypt" "ah_encrypt";
+ "/err/ipsec4-tun-input" "ipsec_tun";
+ "/err/ipsec6-tun-input" "ipsec_tun";
+};
+
/*
* Local Variables:
* eval: (c-set-style "gnu")
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index c414be05f7e..8e97fbcc740 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -24,31 +24,10 @@
#include <vnet/ipsec/ipsec_io.h>
#include <vnet/ipsec/ipsec_punt.h>
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/ip/ip4_input.h>
-/* Statistics (not really errors) */
-#define foreach_ipsec_tun_protect_input_error \
- _(RX, "good packets received") \
- _(DISABLED, "ipsec packets received on disabled interface") \
- _(NO_TUNNEL, "no matching tunnel") \
- _(TUNNEL_MISMATCH, "SPI-tunnel mismatch") \
- _(NAT_KEEPALIVE, "NAT Keepalive") \
- _(TOO_SHORT, "Too Short") \
- _(SPI_0, "SPI 0")
-
-static char *ipsec_tun_protect_input_error_strings[] = {
-#define _(sym,string) string,
- foreach_ipsec_tun_protect_input_error
-#undef _
-};
-
-typedef enum
-{
-#define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym,
- foreach_ipsec_tun_protect_input_error
-#undef _
- IPSEC_TUN_PROTECT_INPUT_N_ERROR,
-} ipsec_tun_protect_input_error_t;
+typedef vl_counter_ipsec_tun_enum_t ipsec_tun_protect_input_error_t;
typedef enum ipsec_tun_next_t_
{
@@ -93,14 +72,14 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
{
if (PREDICT_FALSE (0 == esp->spi))
{
- b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0];
+ b->error = node->errors[IPSEC_TUN_ERROR_SPI_0];
b->punt_reason = ipsec_punt_reason[(ip4->protocol == IP_PROTOCOL_UDP ?
IPSEC_PUNT_IP4_SPI_UDP_0 :
IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)];
}
else
{
- b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
+ b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
}
return VNET_DEVICE_INPUT_NEXT_PUNT;
@@ -110,7 +89,7 @@ always_inline u16
ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
vlib_buffer_t * b, const esp_header_t * esp)
{
- b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
+ b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
return VNET_DEVICE_INPUT_NEXT_PUNT;
@@ -206,8 +185,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (clib_net_to_host_u16 (udp0->length) == 9 &&
esp0->spi_bytes[0] == 0xff)
{
- b[0]->error =
- node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NAT_KEEPALIVE];
+ b[0]->error = node->errors[IPSEC_TUN_ERROR_NAT_KEEPALIVE];
next[0] = VNET_DEVICE_INPUT_NEXT_IP4_DROP;
len0 = 0;
@@ -230,7 +208,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (len0 < sizeof (esp_header_t))
{
- b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
+ b[0]->error = node->errors[IPSEC_TUN_ERROR_TOO_SHORT];
next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
VNET_DEVICE_INPUT_NEXT_IP4_DROP;
@@ -309,7 +287,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_increment_combined_counter
(drop_counter, thread_index, sw_if_index0, 1, len0);
n_disabled++;
- b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
+ b[0]->error = node->errors[IPSEC_TUN_ERROR_DISABLED];
next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
@@ -377,12 +355,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
thread_index,
last_sw_if_index, n_packets, n_bytes);
- vlib_node_increment_counter (vm, node->node_index,
- IPSEC_TUN_PROTECT_INPUT_ERROR_RX,
- from_frame->n_vectors - (n_disabled +
- n_no_tunnel));
- vlib_node_increment_counter (vm, node->node_index,
- IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL,
+ vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_RX,
+ from_frame->n_vectors -
+ (n_disabled + n_no_tunnel));
+ vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_NO_TUNNEL,
n_no_tunnel);
vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);
@@ -403,8 +379,8 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
- .error_strings = ipsec_tun_protect_input_error_strings,
+ .n_errors = IPSEC_TUN_N_ERROR,
+ .error_counters = ipsec_tun_error_counters,
.sibling_of = "device-input",
};
/* *INDENT-ON* */
@@ -422,8 +398,8 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
- .error_strings = ipsec_tun_protect_input_error_strings,
+ .n_errors = IPSEC_TUN_N_ERROR,
+ .error_counters = ipsec_tun_error_counters,
.sibling_of = "device-input",
};
/* *INDENT-ON* */
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 2295b7579c5..ce188622a9e 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -330,12 +330,12 @@ class IpsecTra4(object):
"""verify methods for Transport v4"""
def get_replay_counts(self, p):
- replay_node_name = "/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[0]
+ replay_node_name = "/err/%s/replay" % self.tra4_decrypt_node_name[0]
count = self.statistics.get_err_counter(replay_node_name)
if p.async_mode:
replay_post_node_name = (
- "/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[p.async_mode]
+ "/err/%s/replay" % self.tra4_decrypt_node_name[p.async_mode]
)
count += self.statistics.get_err_counter(replay_post_node_name)
@@ -344,13 +344,11 @@ class IpsecTra4(object):
def get_hash_failed_counts(self, p):
if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
hash_failed_node_name = (
- "/err/%s/ESP decryption failed"
- % self.tra4_decrypt_node_name[p.async_mode]
+ "/err/%s/decryption_failed" % self.tra4_decrypt_node_name[p.async_mode]
)
else:
hash_failed_node_name = (
- "/err/%s/Integrity check failed"
- % self.tra4_decrypt_node_name[p.async_mode]
+ "/err/%s/integ_error" % self.tra4_decrypt_node_name[p.async_mode]
)
count = self.statistics.get_err_counter(hash_failed_node_name)
@@ -365,10 +363,7 @@ class IpsecTra4(object):
esn_on = p.vpp_tra_sa.esn_en
ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
- seq_cycle_node_name = (
- "/err/%s/sequence number cycled (packet dropped)"
- % self.tra4_encrypt_node_name
- )
+ seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name
replay_count = self.get_replay_counts(p)
hash_failed_count = self.get_hash_failed_counts(p)
seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
@@ -605,18 +600,13 @@ class IpsecTra4(object):
p = self.params[socket.AF_INET]
esn_en = p.vpp_tra_sa.esn_en
- seq_cycle_node_name = (
- "/err/%s/sequence number cycled (packet dropped)"
- % self.tra4_encrypt_node_name
- )
+ seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name
replay_count = self.get_replay_counts(p)
hash_failed_count = self.get_hash_failed_counts(p)
seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
if ESP == self.encryption_type:
- undersize_node_name = (
- "/err/%s/undersized packet" % self.tra4_decrypt_node_name[0]
- )
+ undersize_node_name = "/err/%s/runt" % self.tra4_decrypt_node_name[0]
undersize_count = self.statistics.get_err_counter(undersize_node_name)
#
@@ -1459,7 +1449,7 @@ class IpsecTun4(object):
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
self.assert_error_counter_equal(
- "/err/%s/NAT Keepalive" % self.tun4_input_node, 31
+ "/err/%s/nat_keepalive" % self.tun4_input_node, 31
)
pkt = (
@@ -1469,7 +1459,7 @@ class IpsecTun4(object):
/ Raw(b"\xfe")
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
- self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 31)
+ self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 31)
pkt = (
Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac)
@@ -1479,7 +1469,7 @@ class IpsecTun4(object):
/ Padding(0 * 21)
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
- self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 62)
+ self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 62)
class IpsecTun4Tests(IpsecTun4):
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 9da75f0a4aa..d10ad216bd6 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -1842,7 +1842,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests):
dst=self.pg1.remote_ip6,
)
self.send_and_assert_no_replies(self.tun_if, tx)
- node_name = "/err/%s/unsupported payload" % self.tun4_decrypt_node_name[0]
+ node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
self.assertEqual(1, self.statistics.get_err_counter(node_name))
@@ -2577,9 +2577,7 @@ class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
# bounce the interface state
p.tun_if.admin_down()
self.verify_drop_tun_66(np, count=127)
- node = (
- "/err/ipsec6-tun-input/%s" % "ipsec packets received on disabled interface"
- )
+ node = "/err/ipsec6-tun-input/disabled"
self.assertEqual(127, self.statistics.get_err_counter(node))
p.tun_if.admin_up()
self.verify_tun_66(np, count=127)