ipsec: Record the number of packets lost from an SA

Type: feature

Gaps in the sequence numbers received on an SA indicate packets that were lost.
Gaps are identified using the anti-replay window that records the sequences seen.

Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d

1 files changed, 7 insertions, 0 deletions

diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index b5d58d0c053..387d8a747a3 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -28,6 +28,10 @@ vlib_combined_counter_main_t ipsec_sa_counters = {
   .name = "SA",
   .stat_segment_name = "/net/ipsec/sa",
 };
+vlib_simple_counter_main_t ipsec_sa_lost_counters = {
+  .name = "SA-lost",
+  .stat_segment_name = "/net/ipsec/sa/lost",
+};
 
 ipsec_sa_t *ipsec_sa_pool;
 
@@ -193,6 +197,8 @@ ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
 
   vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
   vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
+  vlib_validate_simple_counter (&ipsec_sa_lost_counters, sa_index);
+  vlib_zero_simple_counter (&ipsec_sa_lost_counters, sa_index);
 
   tunnel_copy (tun, &sa->tunnel);
   sa->id = id;
@@ -422,6 +428,7 @@ void
 ipsec_sa_clear (index_t sai)
 {
   vlib_zero_combined_counter (&ipsec_sa_counters, sai);
+  vlib_zero_simple_counter (&ipsec_sa_lost_counters, sai);
 }
 
 void