ipsec: add per-SA error counters

Error counters are added on a per-node basis. In Ipsec, it is useful to also track the errors that occured per SA. Type: feature Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
author: Arthur de Kerhor <arthurdekerhor@gmail.com> 2022-11-16 19:12:05 +0100
committer: Beno�t Ganne <bganne@cisco.com> 2023-03-23 08:58:55 +0000
commit: ad95b06181c354291f4433c5e550cb89c5122252 (patch)
tree: f40bc5447c51cbe5f4f5fc5ca5a8e54f72297268 /src/vnet/ipsec/ah_decrypt.c
parent: f6ba56296c4034d299784b828a8ac1661adc74da (diff)
1 files changed, 26 insertions, 19 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index c9209d6ceb0..ce4610dae6e 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -23,7 +23,6 @@
 #include <vnet/ipsec/esp.h>
 #include <vnet/ipsec/ah.h>
 #include <vnet/ipsec/ipsec_io.h>
-#include <vnet/ipsec/ipsec.api_enum.h>
 
 #define foreach_ah_decrypt_next                 \
   _(DROP, "error-drop")                         \
@@ -104,8 +103,9 @@ ah_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
       if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
 	{
 	  u32 bi = op->user_data;
-	  b[bi]->error = node->errors[AH_DECRYPT_ERROR_INTEG_ERROR];
-	  nexts[bi] = AH_DECRYPT_NEXT_DROP;
+	  ah_decrypt_set_next_index (
+	    b[bi], node, vm->thread_index, AH_DECRYPT_ERROR_INTEG_ERROR, bi,
+	    nexts, AH_DECRYPT_NEXT_DROP, vnet_buffer (b[bi])->ipsec.sad_index);
 	  n_fail--;
 	}
       op++;
@@ -145,8 +145,7 @@ ah_decrypt_inline (vlib_main_t * vm,
 	{
 	  if (current_sa_index != ~0)
 	    vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
-					     current_sa_index,
-					     current_sa_pkts,
+					     current_sa_index, current_sa_pkts,
 					     current_sa_bytes);
 	  current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
 	  sa0 = ipsec_sa_get (current_sa_index);
@@ -190,8 +189,9 @@ ah_decrypt_inline (vlib_main_t * vm,
 	{
 	  if (ip4_is_fragment (ih4))
 	    {
-	      b[0]->error = node->errors[AH_DECRYPT_ERROR_DROP_FRAGMENTS];
-	      next[0] = AH_DECRYPT_NEXT_DROP;
+	      ah_decrypt_set_next_index (
+		b[0], node, vm->thread_index, AH_DECRYPT_ERROR_DROP_FRAGMENTS,
+		0, next, AH_DECRYPT_NEXT_DROP, current_sa_index);
 	      goto next;
 	    }
 	  pd->ip_hdr_size = ip4_header_bytes (ih4);
@@ -204,8 +204,9 @@ ah_decrypt_inline (vlib_main_t * vm,
       if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false,
 					       &pd->seq_hi))
 	{
-	  b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
-	  next[0] = AH_DECRYPT_NEXT_DROP;
+	  ah_decrypt_set_next_index (b[0], node, vm->thread_index,
+				     AH_DECRYPT_ERROR_REPLAY, 0, next,
+				     AH_DECRYPT_NEXT_DROP, current_sa_index);
 	  goto next;
 	}
 
@@ -220,8 +221,9 @@ ah_decrypt_inline (vlib_main_t * vm,
 			     pd->current_data + b[0]->current_length
 			     + sizeof (u32) > buffer_data_size))
 	    {
-	      b[0]->error = node->errors[AH_DECRYPT_ERROR_NO_TAIL_SPACE];
-	      next[0] = AH_DECRYPT_NEXT_DROP;
+	      ah_decrypt_set_next_index (
+		b[0], node, vm->thread_index, AH_DECRYPT_ERROR_NO_TAIL_SPACE,
+		0, next, AH_DECRYPT_NEXT_DROP, current_sa_index);
 	      goto next;
 	    }
 
@@ -307,14 +309,16 @@ ah_decrypt_inline (vlib_main_t * vm,
 	  if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
 						   true, NULL))
 	    {
-	      b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
-	      next[0] = AH_DECRYPT_NEXT_DROP;
+	      ah_decrypt_set_next_index (b[0], node, vm->thread_index,
+					 AH_DECRYPT_ERROR_REPLAY, 0, next,
+					 AH_DECRYPT_NEXT_DROP, pd->sa_index);
 	      goto trace;
 	    }
 	  n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
 						 pd->seq_hi);
-	  vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, thread_index,
-					pd->sa_index);
+	  vlib_prefetch_simple_counter (
+	    &ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], thread_index,
+	    pd->sa_index);
 	}
 
       u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size
@@ -330,8 +334,10 @@ ah_decrypt_inline (vlib_main_t * vm,
 	    next[0] = AH_DECRYPT_NEXT_IP6_INPUT;
 	  else
 	    {
-	      b[0]->error = node->errors[AH_DECRYPT_ERROR_DECRYPTION_FAILED];
-	      next[0] = AH_DECRYPT_NEXT_DROP;
+	      ah_decrypt_set_next_index (b[0], node, vm->thread_index,
+					 AH_DECRYPT_ERROR_DECRYPTION_FAILED, 0,
+					 next, AH_DECRYPT_NEXT_DROP,
+					 pd->sa_index);
 	      goto trace;
 	    }
 	}
@@ -382,8 +388,9 @@ ah_decrypt_inline (vlib_main_t * vm,
 	}
 
       if (PREDICT_FALSE (n_lost))
-	vlib_increment_simple_counter (&ipsec_sa_lost_counters, thread_index,
-				       pd->sa_index, n_lost);
+	vlib_increment_simple_counter (
+	  &ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], thread_index,
+	  pd->sa_index, n_lost);
 
       vnet_buffer (b[0])->sw_if_index[VLIB_TX] = (u32) ~ 0;
     trace:
author	Arthur de Kerhor <arthurdekerhor@gmail.com>	2022-11-16 19:12:05 +0100
committer	Beno�t Ganne <bganne@cisco.com>	2023-03-23 08:58:55 +0000
commit	ad95b06181c354291f4433c5e550cb89c5122252 (patch)
tree	f40bc5447c51cbe5f4f5fc5ca5a8e54f72297268 /src/vnet/ipsec/ah_decrypt.c
parent	f6ba56296c4034d299784b828a8ac1661adc74da (diff)