author | Neale Ranns <neale@graphiant.com> | 2021-09-21 12:34:19 +0000 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2021-09-29 14:27:48 +0000 |
commit | e11203e5b8fd61986573e0cba9e47cefcf50e60d (patch) | |
tree | b5b34bf9742962290ebed720963b72ce5045c6da /src/vnet/ipsec/ah_decrypt.c | |
parent | 979545e79579bdc6fe3cb2d3cfd0036c588acb32 (diff) |
ipsec: Record the number of packets lost from an SA
Type: feature
Gaps in the sequence numbers received on an SA indicate packets that were lost.
Gaps are identified using the anti-replay window that records the sequences seen.
Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
Diffstat (limited to 'src/vnet/ipsec/ah_decrypt.c')
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 182ed3d231c..1ad372a7de0 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -315,6 +315,7 @@ ah_decrypt_inline (vlib_main_t * vm,
 {
 ip4_header_t *oh4;
 ip6_header_t *oh6;
+ u64 n_lost = 0;
 if (next[0] < AH_DECRYPT_N_NEXT) goto trace;
@@ -323,7 +324,7 @@ ah_decrypt_inline (vlib_main_t * vm,
 if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) {
- /* redo the anit-reply check. see esp_decrypt for details */
+ /* redo the anti-reply check. see esp_decrypt for details */
 if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, true, NULL)) {
@@ -331,7 +332,10 @@ ah_decrypt_inline (vlib_main_t * vm,
 next[0] = AH_DECRYPT_NEXT_DROP;
 goto trace;
 }
- ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
+ n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
+ pd->seq_hi);
+ vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, thread_index,
+ pd->sa_index);
 }
 u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size
@@ -398,6 +402,10 @@ ah_decrypt_inline (vlib_main_t * vm,
 }
 }
+ if (PREDICT_FALSE (n_lost))
+ vlib_increment_simple_counter (&ipsec_sa_lost_counters, thread_index,
+ pd->sa_index, n_lost);
+ vnet_buffer (b[0])->sw_if_index[VLIB_TX] = (u32) ~ 0;
 trace: if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED)) |
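Review bot: The corrected comment in the second hunk still reads "anti-reply", so the typo fix stops one word short of the mechanism's name. Since the line is already being touched, it should read `/* redo the anti-replay check. see esp_decrypt for details */`, which also matches the `ipsec_sa_anti_replay_*` functions called directly below it.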
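Review bot: In the third hunk `vlib_prefetch_simple_counter` is issued for every packet that passes the repeated replay check, while the counter is only written under `PREDICT_FALSE (n_lost)` in the last hunk, so on the expected path the prefetch pulls in a counter line that is never touched. Either guard it, `if (PREDICT_FALSE (n_lost)) vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, thread_index, pd->sa_index);`, or add a one-line comment saying why the unconditional prefetch is wanted. The enclosing block starts and ends outside the hunk, so the per-packet cost is inferred from the visible lines rather than measured.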
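Review bot: The increment in the last hunk indexes `ipsec_sa_lost_counters` by `pd->sa_index`, and nothing in this file shows that counter being sized for the SA. The page is limited to ah_decrypt.c, so the SA-creation side of the commit should be checked for a matching `vlib_validate_simple_counter` and zeroing step that runs before this path can; if the increment does no bounds check of its own, a missing validation would be an out-of-bounds write on the data path. A short comment at the increment would also help anyone reading the stat, for example `/* n_lost: sequence-number gaps reported by the anti-replay window advance */`.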