authorNeale Ranns <neale@graphiant.com>2021-09-21 12:34:19 +0000
committerBeno�t Ganne <bganne@cisco.com>2021-09-29 14:27:48 +0000
commite11203e5b8fd61986573e0cba9e47cefcf50e60d (patch)
treeb5b34bf9742962290ebed720963b72ce5045c6da /src/vnet/ipsec/esp_decrypt.c
parent979545e79579bdc6fe3cb2d3cfd0036c588acb32 (diff)
ipsec: Record the number of packets lost from an SA
Type: feature

Gaps in the sequence numbers received on an SA indicate packets that were lost. Gaps are identified using the anti-replay window, which records the sequence numbers seen. Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
-rw-r--r--src/vnet/ipsec/esp_decrypt.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index e30fc9effcb..f1e8065b8ff 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -748,10 +748,11 @@ out:
}
static_always_inline void
-esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node,
- esp_decrypt_packet_data_t * pd,
- esp_decrypt_packet_data2_t * pd2, vlib_buffer_t * b,
- u16 * next, int is_ip6, int is_tun, int is_async)
+esp_decrypt_post_crypto (vlib_main_t *vm, const vlib_node_runtime_t *node,
+ const esp_decrypt_packet_data_t *pd,
+ const esp_decrypt_packet_data2_t *pd2,
+ vlib_buffer_t *b, u16 *next, int is_ip6, int is_tun,
+ int is_async)
{
ipsec_sa_t *sa0 = ipsec_sa_get (pd->sa_index);
vlib_buffer_t *lb = b;
@@ -790,7 +791,11 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node,
return;
}
- ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
+ u64 n_lost =
+ ipsec_sa_anti_replay_advance (sa0, vm->thread_index, pd->seq, pd->seq_hi);
+
+ vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, vm->thread_index,
+ pd->sa_index);
if (pd->is_chain)
{
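Review bot: `n_lost` is captured at the `ipsec_sa_anti_replay_advance` call here but is only published by the `vlib_increment_simple_counter` at the very end of the function (third hunk), so any `return` between the two would silently drop the count even though the replay window has already advanced. The roughly 200 lines between these hunks are not visible, so this needs checking against the full body of `esp_decrypt_post_crypto`. If such exits exist, send them through a common label that performs the increment; if none exist today, a guard comment such as `/* n_lost is published at the end of this function; do not return early past this point */` keeps a later change from introducing the gap.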
@@ -1011,6 +1016,10 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node,
}
}
}
+
+ if (PREDICT_FALSE (n_lost))
+ vlib_increment_simple_counter (&ipsec_sa_lost_counters, vm->thread_index,
+ pd->sa_index, n_lost);
}
always_inline uword
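Review bot: The increment at the end of the function has no comment explaining why it sits so far from the `ipsec_sa_anti_replay_advance` call that produced `n_lost`; presumably the distance gives the `vlib_prefetch_simple_counter` issued in the previous hunk time to complete. A short comment such as `/* deferred so the counter prefetch issued after the anti-replay advance can land */` would stop a later refactor from moving it or dropping the prefetch. For anyone alerting on /net/ipsec/sa/lost, a comment should also say what the value means: gaps observed when the window advances, which may include packets that are only reordered or late rather than confirmed lost (to be confirmed against `ipsec_sa_anti_replay_advance`, which is outside this diff). Bracing the multi-line body of the `if (PREDICT_FALSE (n_lost))` is also worth considering.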