ipsec: add per-SA error counters

Error counters are added on a per-node basis. In Ipsec, it is useful to also track the errors that occured per SA. Type: feature Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
author: Arthur de Kerhor <arthurdekerhor@gmail.com> 2022-11-16 19:12:05 +0100
committer: Beno�t Ganne <bganne@cisco.com> 2023-03-23 08:58:55 +0000
commit: ad95b06181c354291f4433c5e550cb89c5122252 (patch)
tree: f40bc5447c51cbe5f4f5fc5ca5a8e54f72297268 /test
parent: f6ba56296c4034d299784b828a8ac1661adc74da (diff)
4 files changed, 43 insertions, 13 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 72784dd4ea7..ba1c2465f12 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -632,10 +632,17 @@ class IpsecTra4(object):
         replay_count = self.get_replay_counts(p)
         hash_failed_count = self.get_hash_failed_counts(p)
         seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
+        hash_err = "integ_error"
 
         if ESP == self.encryption_type:
             undersize_node_name = "/err/%s/runt" % self.tra4_decrypt_node_name[0]
             undersize_count = self.statistics.get_err_counter(undersize_node_name)
+            # For AES-GCM an error in the hash is reported as a decryption failure
+            if p.crypt_algo == "AES-GCM":
+                hash_err = "decryption_failed"
+        # In async mode, we don't report errors in the hash.
+        if p.async_mode:
+            hash_err = ""
 
         #
         # send packets with seq numbers 1->34
@@ -661,6 +668,8 @@ class IpsecTra4(object):
         self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
         replay_count += len(pkts)
         self.assertEqual(self.get_replay_counts(p), replay_count)
+        err = p.tra_sa_in.get_err("replay")
+        self.assertEqual(err, replay_count)
 
         #
         # now send a batch of packets all with the same sequence number
@@ -677,6 +686,8 @@ class IpsecTra4(object):
         recv_pkts = self.send_and_expect(self.tra_if, pkts * 8, self.tra_if, n_rx=1)
         replay_count += 7
         self.assertEqual(self.get_replay_counts(p), replay_count)
+        err = p.tra_sa_in.get_err("replay")
+        self.assertEqual(err, replay_count)
 
         #
         # now move the window over to 257 (more than one byte) and into Case A
@@ -694,6 +705,8 @@ class IpsecTra4(object):
         self.send_and_assert_no_replies(self.tra_if, pkt * 3, timeout=0.2)
         replay_count += 3
         self.assertEqual(self.get_replay_counts(p), replay_count)
+        err = p.tra_sa_in.get_err("replay")
+        self.assertEqual(err, replay_count)
 
         # the window size is 64 packets
         # in window are still accepted
@@ -724,6 +737,9 @@ class IpsecTra4(object):
 
         hash_failed_count += 17
         self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
+        if hash_err != "":
+            err = p.tra_sa_in.get_err(hash_err)
+            self.assertEqual(err, hash_failed_count)
 
         # a malformed 'runt' packet
         #  created by a mis-constructed SA
@@ -739,6 +755,8 @@ class IpsecTra4(object):
 
             undersize_count += 17
             self.assert_error_counter_equal(undersize_node_name, undersize_count)
+            err = p.tra_sa_in.get_err("runt")
+            self.assertEqual(err, undersize_count)
 
         # which we can determine since this packet is still in the window
         pkt = Ether(
@@ -767,10 +785,15 @@ class IpsecTra4(object):
             # wrap. but since it isn't then the verify will fail.
             hash_failed_count += 17
             self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
+            if hash_err != "":
+                err = p.tra_sa_in.get_err(hash_err)
+                self.assertEqual(err, hash_failed_count)
 
         else:
             replay_count += 17
             self.assertEqual(self.get_replay_counts(p), replay_count)
+            err = p.tra_sa_in.get_err("replay")
+            self.assertEqual(err, replay_count)
 
         # valid packet moves the window over to 258
         pkt = Ether(
@@ -861,6 +884,9 @@ class IpsecTra4(object):
 
             hash_failed_count += 1
             self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
+            if hash_err != "":
+                err = p.tra_sa_in.get_err(hash_err)
+                self.assertEqual(err, hash_failed_count)
 
             #
             # but if we move the window forward to case B, then we can wrap
@@ -894,6 +920,8 @@ class IpsecTra4(object):
             self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
             seq_cycle_count += len(pkts)
             self.assert_error_counter_equal(seq_cycle_node_name, seq_cycle_count)
+            err = p.tra_sa_out.get_err("seq_cycled")
+            self.assertEqual(err, seq_cycle_count)
 
         # move the security-associations seq number on to the last we used
         self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
@@ -924,7 +952,7 @@ class IpsecTra4(object):
         ]
         self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
-        self.assertEqual(p.tra_sa_in.get_lost(), 0)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 0)
 
         # skip a sequence number
         pkts = [
@@ -939,7 +967,7 @@ class IpsecTra4(object):
         ]
         self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
-        self.assertEqual(p.tra_sa_in.get_lost(), 0)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 0)
 
         # the lost packet are counted untill we get up past the first
         # sizeof(replay_window) packets
@@ -955,7 +983,7 @@ class IpsecTra4(object):
         ]
         self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
-        self.assertEqual(p.tra_sa_in.get_lost(), 1)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 1)
 
         # lost of holes in the sequence
         pkts = [
@@ -982,7 +1010,7 @@ class IpsecTra4(object):
         ]
         self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
-        self.assertEqual(p.tra_sa_in.get_lost(), 51)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 51)
 
         # a big hole in the seq number space
         pkts = [
@@ -997,7 +1025,7 @@ class IpsecTra4(object):
         ]
         self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
-        self.assertEqual(p.tra_sa_in.get_lost(), 151)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 151)
 
     def verify_tra_basic4(self, count=1, payload_size=54):
         """ipsec v4 transport basic test"""
@@ -1036,8 +1064,8 @@ class IpsecTra4(object):
         self.assertEqual(
             pkts, count, "incorrect SA out counts: expected %d != %d" % (count, pkts)
         )
-        self.assertEqual(p.tra_sa_out.get_lost(), 0)
-        self.assertEqual(p.tra_sa_in.get_lost(), 0)
+        self.assertEqual(p.tra_sa_out.get_err("lost"), 0)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 0)
 
         self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
         self.assert_packet_counter_equal(self.tra4_decrypt_node_name[0], count)
diff --git a/test/test_ipsec_spd_fp_input.py b/test/test_ipsec_spd_fp_input.py
index bf00c1c26ab..d70623ef2ea 100644
--- a/test/test_ipsec_spd_fp_input.py
+++ b/test/test_ipsec_spd_fp_input.py
@@ -293,8 +293,8 @@ class IPSec4SpdTestCaseProtect(SpdFastPathInboundProtect):
             pkt_count,
             "incorrect SA out counts: expected %d != %d" % (pkt_count, pkts),
         )
-        self.assertEqual(p.tra_sa_out.get_lost(), 0)
-        self.assertEqual(p.tra_sa_in.get_lost(), 0)
+        self.assertEqual(p.tra_sa_out.get_err("lost"), 0)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 0)
 
 
 class IPSec4SpdTestCaseAddIPRange(SpdFastPathInbound):
@@ -876,8 +876,8 @@ class IPSec6SpdTestCaseProtect(SpdFastPathIPv6InboundProtect):
             pkt_count,
             "incorrect SA out counts: expected %d != %d" % (pkt_count, pkts),
         )
-        self.assertEqual(p.tra_sa_out.get_lost(), 0)
-        self.assertEqual(p.tra_sa_in.get_lost(), 0)
+        self.assertEqual(p.tra_sa_out.get_err("lost"), 0)
+        self.assertEqual(p.tra_sa_in.get_err("lost"), 0)
 
 
 if __name__ == "__main__":
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 38d0dc3dde5..06b63cae759 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -1990,6 +1990,8 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests):
         self.send_and_assert_no_replies(self.tun_if, tx)
         node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
         self.assertEqual(1, self.statistics.get_err_counter(node_name))
+        err = p.tun_sa_in.get_err("unsup_payload")
+        self.assertEqual(err, 1)
 
 
 class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests):
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index f50d491c396..7a5a95a457a 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -358,8 +358,8 @@ class VppIpsecSA(VppObject):
             # +1 to skip main thread
             return c[worker + 1][self.stat_index]
 
-    def get_lost(self, worker=None):
-        c = self.test.statistics.get_counter("/net/ipsec/sa/lost")
+    def get_err(self, name, worker=None):
+        c = self.test.statistics.get_counter("/net/ipsec/sa/err/" + name)
         if worker is None:
             total = 0
             for t in c:
author	Arthur de Kerhor <arthurdekerhor@gmail.com>	2022-11-16 19:12:05 +0100
committer	Beno�t Ganne <bganne@cisco.com>	2023-03-23 08:58:55 +0000
commit	ad95b06181c354291f4433c5e550cb89c5122252 (patch)
tree	f40bc5447c51cbe5f4f5fc5ca5a8e54f72297268 /test
parent	f6ba56296c4034d299784b828a8ac1661adc74da (diff)