authorKlement Sekera <ksekera@cisco.com>2018-11-30 14:37:03 +0100
committerDave Barach <openvpp@barachs.net>2018-12-04 21:46:13 +0000
commit2e02ba0ddaa8fecbd4b6397787658bd29fcca749 (patch)
tree6b99899860249d2add26424274db3bd7b56099f2 /src/vnet/ipsec
parent01f3f894fc180060ef8ee1c8b4acb4421d12ebe3 (diff)
ipsec: simplify bumping counters - cosmetic change
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072 Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c46
-rw-r--r--src/vnet/ipsec/ah_encrypt.c19
-rw-r--r--src/vnet/ipsec/esp_decrypt.c57
-rw-r--r--src/vnet/ipsec/esp_encrypt.c29
4 files changed, 35 insertions, 116 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index a2fc07faebf..c8c89028f9d 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -158,14 +158,8 @@ ah_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (rv))
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_REPLAY, 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_REPLAY, 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_REPLAY, 1);
goto trace;
}
}
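Review bot: The switch to `node->node_index` deserves a one-line comment at its first use here, because the replay counter is now charged to whichever node is executing ah_decrypt_inline rather than to a node picked by `is_ip6`. The two agree only while every caller passes an `is_ip6` that matches its own node, and the callers are outside this hunk. Something like `/* counters go to the calling node; is_ip6 must match that node */` would record the assumption. The replay and integrity counters are what an operator watches for tampering, so their attribution should not drift silently. The same applies to every other `node->node_index` replacement in ah_encrypt.c, esp_decrypt.c and esp_encrypt.c.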
@@ -212,16 +206,9 @@ ah_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_INTEG_ERROR,
+ 1);
goto trace;
}
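Review bot: The ICV check kept as context here, `memcmp (digest, sig, icv_size)`, is not a constant-time comparison, so how long it runs can depend on how many leading bytes of a received ICV are correct. Authentication tags are normally compared with a constant-time routine, for example `if (PREDICT_FALSE (CRYPTO_memcmp (digest, sig, icv_size)))`, assuming the OpenSSL header that declares it is already included in this file, which the hunk does not show. The same comparison appears as `memcmp (icv, sig, icv_size)` in the esp_decrypt.c hunk at -224. Both sit inside functions whose bodies start and end outside the hunks.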
@@ -248,16 +235,9 @@ ah_decrypt_inline (vlib_main_t * vm,
next0 = AH_DECRYPT_NEXT_IP6_INPUT;
else
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_DECRYPTION_FAILED,
+ 1);
goto trace;
}
}
@@ -320,14 +300,8 @@ ah_decrypt_inline (vlib_main_t * vm,
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- if (is_ip6)
- vlib_node_increment_counter (vm, ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
- else
- vlib_node_increment_counter (vm, ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index, AH_DECRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
return from_frame->n_vectors;
}
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index 6529828f0e9..0dc1612db5e 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -127,12 +127,8 @@ ah_encrypt_inline (vlib_main_t * vm,
{
clib_warning ("sequence number counter has cycled SPI %u",
sa0->spi);
- if (is_ip6)
- vlib_node_increment_counter (vm, ah6_encrypt_node.index,
- AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
- else
- vlib_node_increment_counter (vm, ah4_encrypt_node.index,
- AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
//TODO need to confirm if below is needed
to_next[0] = i_bi0;
to_next += 1;
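Review bot: On sequence-number wrap this path still enqueues the buffer (`to_next[0] = i_bi0;`) under an unresolved `//TODO need to confirm if below is needed`, and the hunk does not show which next node it is sent to. Once the counter has cycled, nothing further should leave on this SA, so it is worth confirming that `next0` is the drop node at this point and replacing the TODO with a comment saying so. `clib_warning` also fires once per packet here, which can flood the log while the SA stays exhausted; the SEQ_CYCLED counter already records the event. The esp_encrypt.c hunk at -189 has the same shape under `//TODO: rekey SA`. The enclosing block continues past the end of this hunk.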
@@ -314,14 +310,9 @@ ah_encrypt_inline (vlib_main_t * vm,
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- if (is_ip6)
- vlib_node_increment_counter (vm, ah6_encrypt_node.index,
- AH_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
- else
- vlib_node_increment_counter (vm, ah4_encrypt_node.index,
- AH_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_ENCRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
return from_frame->n_vectors;
}
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 8ef160a4b32..68cb825f23b 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -131,14 +131,8 @@ esp_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from))
{
- if (is_ip6)
- vlib_node_increment_counter (vm, esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_NO_BUFFER,
- n_left_from);
- else
- vlib_node_increment_counter (vm, esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_NO_BUFFER,
- n_left_from);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_DECRYPT_ERROR_NO_BUFFER, n_left_from);
goto free_buffers_and_exit;
}
@@ -190,14 +184,8 @@ esp_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (rv))
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_REPLAY, 1);
- else
- vlib_node_increment_counter (vm,
- esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_REPLAY, 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_DECRYPT_ERROR_REPLAY, 1);
o_bi0 = i_bi0;
to_next[0] = o_bi0;
to_next += 1;
@@ -224,16 +212,9 @@ esp_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (memcmp (icv, sig, icv_size)))
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- else
- vlib_node_increment_counter (vm,
- esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_INTEG_ERROR,
- 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_DECRYPT_ERROR_INTEG_ERROR,
+ 1);
o_bi0 = i_bi0;
to_next[0] = o_bi0;
to_next += 1;
@@ -329,16 +310,9 @@ esp_decrypt_inline (vlib_main_t * vm,
next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
else
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
- else
- vlib_node_increment_counter (vm,
- esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_DECRYPT_ERROR_DECRYPTION_FAILED,
+ 1);
o_b0 = 0;
goto trace;
}
@@ -410,14 +384,9 @@ esp_decrypt_inline (vlib_main_t * vm,
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- if (is_ip6)
- vlib_node_increment_counter (vm, esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
- else
- vlib_node_increment_counter (vm, esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_DECRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
free_buffers_and_exit:
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 101c5efbfc8..4f2d7707395 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -137,14 +137,8 @@ esp_encrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from))
{
- if (is_ip6)
- vlib_node_increment_counter (vm, esp6_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NO_BUFFER,
- n_left_from);
- else
- vlib_node_increment_counter (vm, esp4_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NO_BUFFER,
- n_left_from);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_ENCRYPT_ERROR_NO_BUFFER, n_left_from);
clib_warning ("not enough empty buffers. discarding frame");
goto free_buffers_and_exit;
}
@@ -189,12 +183,8 @@ esp_encrypt_inline (vlib_main_t * vm,
{
clib_warning ("sequence number counter has cycled SPI %u",
sa0->spi);
- if (is_ip6)
- vlib_node_increment_counter (vm, esp6_encrypt_node.index,
- ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
- else
- vlib_node_increment_counter (vm, esp4_encrypt_node.index,
- ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
//TODO: rekey SA
o_bi0 = i_bi0;
to_next[0] = o_bi0;
@@ -428,14 +418,9 @@ esp_encrypt_inline (vlib_main_t * vm,
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- if (is_ip6)
- vlib_node_increment_counter (vm, esp6_encrypt_node.index,
- ESP_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
- else
- vlib_node_increment_counter (vm, esp4_encrypt_node.index,
- ESP_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_ENCRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
free_buffers_and_exit:
if (recycle)
ScriptArg import TrafficScriptArg from scapy.layers.inet import IP, ICMP from scapy.all import Ether, Raw def main(): # start_size - start size of the ICMPv4 echo data # end_size - end size of the ICMPv4 echo data # step - increment step args = TrafficScriptArg(['src_mac', 'dst_mac', 'src_ip', 'dst_ip', 'start_size', 'end_size', 'step']) rxq = RxQueue(args.get_arg('rx_if')) txq = TxQueue(args.get_arg('tx_if')) src_mac = args.get_arg('src_mac') dst_mac = args.get_arg('dst_mac') src_ip = args.get_arg('src_ip') dst_ip = args.get_arg('dst_ip') start_size = int(args.get_arg('start_size')) end_size = int(args.get_arg('end_size')) step = int(args.get_arg('step')) echo_id = 0xa # generate some random data buffer data = bytearray(os.urandom(end_size)) sent_packets = [] pkt_send = create_gratuitous_arp_request(src_mac, src_ip) sent_packets.append(pkt_send) txq.send(pkt_send) # send ICMP echo request with incremented data length and receive ICMP # echo reply for echo_seq in range(start_size, end_size+1, step): pkt_send = (Ether(src=src_mac, dst=dst_mac) / IP(src=src_ip, dst=dst_ip) / ICMP(id=echo_id, seq=echo_seq) / Raw(load=data[0:echo_seq])) sent_packets.append(pkt_send) txq.send(pkt_send) ether = rxq.recv(ignore=sent_packets) if ether is None: raise RuntimeError( 'ICMP echo reply seq {0} Rx timeout'.format(echo_seq)) if not ether.haslayer(IP): raise RuntimeError( 'Unexpected packet with no IPv4 received {0}'.format( ether.__repr__())) ipv4 = ether['IP'] if not ipv4.haslayer(ICMP): raise RuntimeError( 'Unexpected packet with no ICMP received {0}'.format( ipv4.__repr__())) icmpv4 = ipv4['ICMP'] if icmpv4.id != echo_id or icmpv4.seq != echo_seq: raise RuntimeError( 'Invalid ICMP echo reply received ID {0} seq {1} should be ' \ 'ID {2} seq {3}, {0}'.format(icmpv4.id, icmpv4.seq, echo_id, echo_seq)) chksum = icmpv4.chksum del icmpv4.chksum tmp = ICMP(str(icmpv4)) if not checksum_equal(tmp.chksum, chksum): raise RuntimeError( 'Invalid checksum {0} should be {1}'.format(chksum, 
tmp.chksum)) if 'Raw' in icmpv4: load = icmpv4['Raw'].load else: load = "" if load != data[0:echo_seq]: raise RuntimeError( 'Received ICMP payload does not match sent payload') sys.exit(0) if __name__ == "__main__": main()