authorNeale Ranns <nranns@cisco.com>2019-02-17 18:04:27 +0000
committerDamjan Marion <dmarion@me.com>2019-02-18 13:05:17 +0000
commiteba31ecebed1a7d168da17194cab7a8955761f2b (patch)
treefe640b26f9dc98d7aaf5ff0ade2d643a1b86cbbe /src/vnet
parent684586786e98bc779e269c0d879a2a4d3f1f4bce (diff)
IPSEC: move SA counters into the stats segment
1) stats are accessed via the stat segment, which is more conducive to monitoring; 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is accessed from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c10
-rw-r--r--src/vnet/ipsec/ah_encrypt.c9
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/esp_encrypt.c8
-rw-r--r--src/vnet/ipsec/ikev2.c5
-rw-r--r--src/vnet/ipsec/ipsec.api8
-rw-r--r--src/vnet/ipsec/ipsec_api.c12
-rw-r--r--src/vnet/ipsec/ipsec_cli.c1
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.c14
-rw-r--r--src/vnet/ipsec/ipsec_sa.h10
11 files changed, 66 insertions, 18 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 7d2bf814fcc..629e7f031c4 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -81,7 +81,7 @@ ah_decrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, next_index, *to_next;
+ u32 n_left_from, *from, next_index, *to_next, thread_index;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
from = vlib_frame_vector_args (from_frame);
@@ -89,6 +89,7 @@ ah_decrypt_inline (vlib_main_t * vm,
int icv_size = 0;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,6 +132,9 @@ ah_decrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter (&ipsec_sa_counters,
+ thread_index, sa_index0);
+
if (is_ip6)
{
ip6_ext_header_t *prev = NULL;
@@ -164,8 +168,10 @@ ah_decrypt_inline (vlib_main_t * vm,
}
}
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
- sa0->total_data_size += i_b0->current_length;
icv_size =
em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
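Review bot: The increment added at the top of this hunk runs before the ICV is verified (the `integ_alg` check that leads to the compare follows it), so the bytes of packets that later fail authentication are still charged to the SA. Because `ipsec_sa_counters` now feeds the IKEv2 `lifetime_maxdata` rekey decision, anyone able to send forged packets at the SPI can advance the SA's data lifetime without holding the key; the removed `total_data_size` had the same placement, so this is pre-existing, but it deserves either moving the increment after a successful ICV compare or an explicit comment such as `/* counts bytes offered to the SA, including packets that fail ICV */`. ah_decrypt_inline continues outside this hunk.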
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index 66286094682..5f6a0991be3 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -84,13 +84,14 @@ ah_encrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, *to_next = 0, next_index;
+ u32 n_left_from, *from, *to_next = 0, next_index, thread_index;
int icv_size = 0;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,9 +132,9 @@ ah_encrypt_inline (vlib_main_t * vm,
AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
goto trace;
}
-
-
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
ssize_t adv;
ih0 = vlib_buffer_get_current (i_b0);
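Review bot: The bytes charged here are `i_b0->current_length` of the packet before AH encapsulation, whereas the decrypt side appears to count the received packet with its outer IP and AH headers still in place, so the same traffic yields different byte totals per direction and a different distance to `lifetime_maxdata`. If that asymmetry is intended it should be stated next to the increment, e.g. `/* counted before AH encapsulation: inner packet length only */`; otherwise both directions should account the same layer. Whether the decrypt side's current_length includes the AH header cannot be confirmed from this diff alone. ah_encrypt_inline continues outside this hunk.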
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 5a3ccdcacd9..0cf31ffb000 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -193,7 +193,9 @@ esp_decrypt_inline (vlib_main_t * vm,
}
}
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
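Review bot: The byte/packet increment is issued before the integrity check that follows it, so forged or corrupted ESP packets that fail ICV verification still accumulate against the SA, and that total is what ikev2 now compares with `lifetime_maxdata`. This mirrors the old `total_data_size` placement, so the commit does not make it worse, but the counter is now exported through the stat segment where monitoring will read it as "traffic on this SA"; a comment clarifying that it is pre-authentication, or moving the increment past the successful ICV compare, would avoid that misreading. `thread_index` is not declared in this hunk, so it is presumably already a local of esp_decrypt_inline; the function's body continues outside the hunk.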
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e1690439c88..ffa02115858 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -182,6 +182,9 @@ esp_encrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0);
+
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
clib_warning ("sequence number counter has cycled SPI %u",
@@ -195,8 +198,6 @@ esp_encrypt_inline (vlib_main_t * vm,
goto trace;
}
- sa0->total_data_size += i_b0->current_length;
-
/* grab free buffer */
last_empty_buffer = vec_len (empty_buffers) - 1;
o_bi0 = empty_buffers[last_empty_buffer];
@@ -330,6 +331,9 @@ esp_encrypt_inline (vlib_main_t * vm,
}
ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG);
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
{
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 3d5c0f766cf..d85feee4274 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3376,6 +3376,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
ikev2_sa_t *fsa = 0;
ikev2_child_sa_t *fchild = 0;
f64 now = vlib_time_now (vm);
+ vlib_counter_t counts;
/* Search for the SA and child SA */
vec_foreach (tkm, km->per_thread_data)
@@ -3394,11 +3395,13 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
}));
/* *INDENT-ON* */
}
+ vlib_get_combined_counter (&ipsec_sa_counters,
+ ipsec_sa->stat_index, &counts);
if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
{
if (!fchild->is_expired
- && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
+ && counts.bytes > fsa->profile->lifetime_maxdata)
{
fchild->time_to_expiration = now;
}
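Review bot: `vlib_get_combined_counter` at the top of this hunk is executed for every SA on every manager pass, even though `counts` is only consulted when `fsa->profile->lifetime_maxdata` is set; the read sums the per-thread vectors, so it is cheaper to move it inside the `if` just before the comparison. Note also that `counts.bytes` is cumulative since SA creation or since the last `clear ipsec counters`, so clearing counters from the CLI now defers the data-based rekey; a comment to that effect next to the comparison would help operators. ikev2_mngr_process_ipsec_sa continues outside this hunk.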
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index ece0b024485..91d21d4dce9 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -293,13 +293,19 @@ typedef ipsec_sad_entry
@param context - sender context, to match reply w/ request
@param entry - Entry to add or delete
*/
-autoreply define ipsec_sad_entry_add_del
+define ipsec_sad_entry_add_del
{
u32 client_index;
u32 context;
u8 is_add;
vl_api_ipsec_sad_entry_t entry;
};
+define ipsec_sad_entry_add_del_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
/** \brief IPsec: Update Security Association keys
@param client_index - opaque cookie to identify the sender
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 2d464b31290..a26f486d6ef 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -354,7 +354,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ipsec_integ_alg_t integ_alg;
ipsec_protocol_t proto;
ipsec_sa_flags_t flags;
- u32 id, spi;
+ u32 id, spi, sa_index;
int rv;
#if WITH_LIBSSL > 0
@@ -390,7 +390,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
rv = ipsec_sa_add (id, spi, proto,
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
- 0, &tun_src, &tun_dst, NULL);
+ 0, &tun_src, &tun_dst, &sa_index);
else
rv = ipsec_sa_del (id);
@@ -399,7 +399,12 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
#endif
out:
- REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY);
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
}
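Review bot: `sa_index` is sent back to the client uninitialised on every path that does not call `ipsec_sa_add`: the `ipsec_sa_del` branch, the validation failures that `goto out`, and the non-LIBSSL build. Its declaration in the earlier hunk (`u32 id, spi, sa_index;`) has no initialiser, so the reply leaks four bytes of handler stack to the API client and is undefined behaviour in C. Initialise it at declaration, `u32 id, spi, sa_index = ~0;`, so delete and error replies carry a recognisable "no index" value.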
static void
@@ -708,7 +713,6 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
}
if (sa->use_anti_replay)
mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
- mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
vl_api_send_msg (reg, (u8 *) mp);
}
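Review bot: Only the assignment to `mp->total_data_size` is removed here, and the ipsec.api hunks in this commit do not drop the field from `ipsec_sa_details`, so existing `ipsec_sa_dump` clients now silently receive zero where they used to get the byte count. Either populate it from the new counters (`vlib_counter_t counts; vlib_get_combined_counter (&ipsec_sa_counters, sa->stat_index, &counts); mp->total_data_size = clib_host_to_net_u64 (counts.bytes);`) or remove/deprecate the field in the API definition so the change is visible to consumers. Also consider adding `stat_index` to the details message so dump clients can find the counters. send_ipsec_sa_details continues outside this hunk.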
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 52a30a428d0..22fbcdf9599 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -594,6 +594,7 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm,
vlib_cli_command_t * cmd)
{
vlib_clear_combined_counters (&ipsec_spd_policy_counters);
+ vlib_clear_combined_counters (&ipsec_sa_counters);
return (NULL);
}
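Review bot: Clearing `ipsec_sa_counters` here now also resets the byte total that ikev2 compares with `lifetime_maxdata`, so `clear ipsec counters` silently extends the data lifetime of every SA and postpones rekeying. That is a behavioural change an operator would not expect from a statistics command; either document it in the command's help text, or keep the lifetime accounting separate from the operator-clearable counters. The CLI command definition is outside this hunk.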
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 04a2a0b5be1..dc66569702e 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -238,6 +238,7 @@ format_ipsec_sa (u8 * s, va_list * args)
{
u32 sai = va_arg (*args, u32);
ipsec_main_t *im = &ipsec_main;
+ vlib_counter_t counts;
u32 tx_table_id;
ipsec_sa_t *sa;
@@ -261,6 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args)
s = format (s, "\n integrity alg %U%s%U",
format_ipsec_integ_alg, sa->integ_alg,
sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key);
+ vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
+ s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
if (sa->is_tunnel)
{
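Review bot: `counts.packets` and `counts.bytes` are 64-bit fields of `vlib_counter_t`, but the added format string uses bare `%u`, which VPP's format() treats as a 32-bit conversion, so anything past 4 GiB on a busy SA prints wrapped or garbage. Use the 64-bit conversion, `s = format (s, "\n packets %Lu bytes %Lu", counts.packets, counts.bytes);` (or `%lu` with explicit casts to `unsigned long`). format_ipsec_sa continues outside this hunk.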
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index c4721c7afad..fc8520d5ebb 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -16,6 +16,16 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/fib/fib_table.h>
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+vlib_combined_counter_main_t ipsec_sa_counters = {
+ .name = "SA",
+ .stat_segment_name = "/net/ipsec/sa",
+};
+
+
static clib_error_t *
ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
u32 sa_index, int is_add)
@@ -106,8 +116,12 @@ ipsec_sa_add (u32 id,
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
sa_index = sa - im->sad;
+ vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
+ vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
+
sa->id = id;
sa->spi = spi;
+ sa->stat_index = sa_index;
sa->protocol = proto;
sa->crypto_alg = crypto_alg;
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
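Review bot: `vlib_validate_combined_counter` may grow the per-thread counter vectors, which workers are concurrently indexing via `vlib_increment_combined_counter`; that is only safe if every caller of ipsec_sa_add runs under the worker barrier, which holds for the API and CLI paths but is not self-evident for the ikev2 process. A comment recording the assumption, `/* must be called under the worker barrier: validate can realloc the per-thread counter vectors */`, makes the contract explicit. `sa->stat_index` is set to the pool index, so it is redundant with `sa - im->sad`; say so where the field is assigned. ipsec_sa_add continues outside this hunk.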
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 2e39566bd63..2601f51038a 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -101,6 +101,7 @@ typedef struct
fib_node_t node;
u32 id;
u32 spi;
+ u32 stat_index;
ipsec_protocol_t protocol;
ipsec_crypto_alg_t crypto_alg;
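Review bot: The new `stat_index` member has no comment, while the counters it indexes are documented at the bottom of the file. Suggest `u32 stat_index; /**< index of this SA's packet/byte counters in ipsec_sa_counters; set by ipsec_sa_add to the SA's pool index */` so readers know why both the pool index and this field exist. The struct definition starts before and ends after this hunk.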
@@ -131,11 +132,14 @@ typedef struct
u32 last_seq;
u32 last_seq_hi;
u64 replay_window;
-
- /* lifetime data */
- u64 total_data_size;
} ipsec_sa_t;
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+extern vlib_combined_counter_main_t ipsec_sa_counters;
+
extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
extern int ipsec_sa_add (u32 id,