-rw-r--r--src/plugins/dpdk/ipsec/esp_decrypt.c9
-rw-r--r--src/plugins/dpdk/ipsec/esp_encrypt.c7
-rw-r--r--src/vat/api_format.c7
-rw-r--r--src/vnet/ipsec/ah_decrypt.c10
-rw-r--r--src/vnet/ipsec/ah_encrypt.c9
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/esp_encrypt.c8
-rw-r--r--src/vnet/ipsec/ikev2.c5
-rw-r--r--src/vnet/ipsec/ipsec.api8
-rw-r--r--src/vnet/ipsec/ipsec_api.c12
-rw-r--r--src/vnet/ipsec/ipsec_cli.c1
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.c14
-rw-r--r--src/vnet/ipsec/ipsec_sa.h10
-rw-r--r--test/template_ipsec.py36
-rw-r--r--test/test_ipsec_ah.py48
-rw-r--r--test/test_ipsec_esp.py48
-rw-r--r--test/vpp_ipsec.py7
18 files changed, 174 insertions, 72 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index cd35ee7576e..20040433420 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -97,7 +97,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * from_frame, int is_ip6)
{
- u32 n_left_from, *from, *to_next, next_index;
+ u32 n_left_from, *from, *to_next, next_index, thread_index;
ipsec_main_t *im = &ipsec_main;
u32 thread_idx = vlib_get_thread_index ();
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
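Review bot: The new `thread_index` local duplicates `thread_idx`, which this function already initialises from `vlib_get_thread_index ()` on the line after `im`. Keeping two names for the same value in one node function invites one of them being used with the wrong table later. The counter calls could take the existing local, e.g. `vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_idx, sa_index0);`, which also removes the need for the `thread_index = vm->thread_index;` assignment. The same duplication is added to dpdk_esp_encrypt_inline in src/plugins/dpdk/ipsec/esp_encrypt.c. The function body continues outside this hunk.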
@@ -114,6 +114,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
+ thread_index = vm->thread_index;
ret = crypto_alloc_ops (numa, ops, n_left_from);
if (ret)
@@ -173,6 +174,8 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
CLIB_PREFETCH (op, op_len, STORE);
sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
+ vlib_prefetch_combined_counter (&ipsec_sa_counters,
+ thread_index, sa_index0);
if (sa_index0 != last_sa_index)
{
@@ -266,7 +269,9 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST;
/* FIXME multi-seg */
- sa0->total_data_size += b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, b0->current_length);
res->ops[res->n_ops] = op;
res->bi[res->n_ops] = bi0;
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index eea99eb8694..d29ca55ea2e 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -112,7 +112,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * from_frame, int is_ip6)
{
- u32 n_left_from, *from, *to_next, next_index;
+ u32 n_left_from, *from, *to_next, next_index, thread_index;
ipsec_main_t *im = &ipsec_main;
u32 thread_idx = vlib_get_thread_index ();
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
@@ -129,6 +129,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
+ thread_index = vm->thread_index;
ret = crypto_alloc_ops (numa, ops, n_left_from);
if (ret)
@@ -280,7 +281,9 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
orig_sz = b0->current_length;
/* TODO multi-seg support - total_length_not_including_first_buffer */
- sa0->total_data_size += b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, b0->current_length);
res->ops[res->n_ops] = op;
res->bi[res->n_ops] = bi0;
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 1d93cc17648..daeec503856 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -15218,7 +15218,7 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
"crypto_key %U integ_alg %u integ_key %U flags %x "
"tunnel_src_addr %U tunnel_dst_addr %U "
"salt %u seq_outbound %lu last_seq_inbound %lu "
- "replay_window %lu total_data_size %lu\n",
+ "replay_window %lu\n",
ntohl (mp->entry.sad_id),
ntohl (mp->sw_if_index),
ntohl (mp->entry.spi),
@@ -15232,8 +15232,7 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
&mp->entry.tunnel_dst, ntohl (mp->salt),
clib_net_to_host_u64 (mp->seq_outbound),
clib_net_to_host_u64 (mp->last_seq_inbound),
- clib_net_to_host_u64 (mp->replay_window),
- clib_net_to_host_u64 (mp->total_data_size));
+ clib_net_to_host_u64 (mp->replay_window));
}
#define vl_api_ipsec_sa_details_t_endian vl_noop_handler
@@ -15302,8 +15301,6 @@ static void vl_api_ipsec_sa_details_t_handler_json
vat_json_object_add_address (node, &mp->entry.tunnel_dst);
vat_json_object_add_uint (node, "replay_window",
clib_net_to_host_u64 (mp->replay_window));
- vat_json_object_add_uint (node, "total_data_size",
- clib_net_to_host_u64 (mp->total_data_size));
}
static int
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 7d2bf814fcc..629e7f031c4 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -81,7 +81,7 @@ ah_decrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, next_index, *to_next;
+ u32 n_left_from, *from, next_index, *to_next, thread_index;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
from = vlib_frame_vector_args (from_frame);
@@ -89,6 +89,7 @@ ah_decrypt_inline (vlib_main_t * vm,
int icv_size = 0;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,6 +132,9 @@ ah_decrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter (&ipsec_sa_counters,
+ thread_index, sa_index0);
+
if (is_ip6)
{
ip6_ext_header_t *prev = NULL;
@@ -164,8 +168,10 @@ ah_decrypt_inline (vlib_main_t * vm,
}
}
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
- sa0->total_data_size += i_b0->current_length;
icv_size =
em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
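Review bot: The counter is incremented before the `sa0->integ_alg` check that follows it, so packets that later fail ICV verification still add to the SA's packet and byte totals. That ordering was inherited from `total_data_size`, but the totals are now exported through the stat segment and are what ikev2.c compares with `lifetime_maxdata`, so unauthenticated traffic can inflate the figures and bring an SA to expiry early. Moving the `vlib_increment_combined_counter` call to the point where integrity verification has succeeded would make the counters reflect accepted traffic only. The esp_decrypt_inline hunk in src/vnet/ipsec/esp_decrypt.c has the same ordering, and the dpdk decrypt path appears to count before the crypto op is even submitted. The rest of the function is outside this hunk, so the exact success point needs to be confirmed there.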
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index 66286094682..5f6a0991be3 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -84,13 +84,14 @@ ah_encrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, *to_next = 0, next_index;
+ u32 n_left_from, *from, *to_next = 0, next_index, thread_index;
int icv_size = 0;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,9 +132,9 @@ ah_encrypt_inline (vlib_main_t * vm,
AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
goto trace;
}
-
-
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
ssize_t adv;
ih0 = vlib_buffer_get_current (i_b0);
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 5a3ccdcacd9..0cf31ffb000 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -193,7 +193,9 @@ esp_decrypt_inline (vlib_main_t * vm,
}
}
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e1690439c88..ffa02115858 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -182,6 +182,9 @@ esp_encrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0);
+
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
clib_warning ("sequence number counter has cycled SPI %u",
@@ -195,8 +198,6 @@ esp_encrypt_inline (vlib_main_t * vm,
goto trace;
}
- sa0->total_data_size += i_b0->current_length;
-
/* grab free buffer */
last_empty_buffer = vec_len (empty_buffers) - 1;
o_bi0 = empty_buffers[last_empty_buffer];
@@ -330,6 +331,9 @@ esp_encrypt_inline (vlib_main_t * vm,
}
ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG);
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
{
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 3d5c0f766cf..d85feee4274 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3376,6 +3376,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
ikev2_sa_t *fsa = 0;
ikev2_child_sa_t *fchild = 0;
f64 now = vlib_time_now (vm);
+ vlib_counter_t counts;
/* Search for the SA and child SA */
vec_foreach (tkm, km->per_thread_data)
@@ -3394,11 +3395,13 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
}));
/* *INDENT-ON* */
}
+ vlib_get_combined_counter (&ipsec_sa_counters,
+ ipsec_sa->stat_index, &counts);
if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
{
if (!fchild->is_expired
- && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
+ && counts.bytes > fsa->profile->lifetime_maxdata)
{
fchild->time_to_expiration = now;
}
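Review bot: `vlib_get_combined_counter` is called for every SA even when `fchild`, `fsa` or `lifetime_maxdata` is unset and the result is never used. The call sums the per-thread counters, so it is not free on a box with many workers and many SAs. Moving it inside the `if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)` block, just before the `counts.bytes` comparison, keeps the read to the SAs that need it. The enclosing function starts and ends outside this hunk.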
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index ece0b024485..91d21d4dce9 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -293,13 +293,19 @@ typedef ipsec_sad_entry
@param context - sender context, to match reply w/ request
@param entry - Entry to add or delete
*/
-autoreply define ipsec_sad_entry_add_del
+define ipsec_sad_entry_add_del
{
u32 client_index;
u32 context;
u8 is_add;
vl_api_ipsec_sad_entry_t entry;
};
+define ipsec_sad_entry_add_del_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
/** \brief IPsec: Update Security Association keys
@param client_index - opaque cookie to identify the sender
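Review bot: The new `ipsec_sad_entry_add_del_reply` message has no doc comment, unlike the request above it and the message that follows. A `/** \brief ... */` block should describe `context` and `retval` and add `@param stat_index - index of the SA's entry in the /net/ipsec/sa combined counters`. It should also say what `stat_index` holds when the request was a delete or when `retval` is non-zero, because clients will otherwise index the stat segment with it unconditionally.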
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 2d464b31290..a26f486d6ef 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -354,7 +354,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ipsec_integ_alg_t integ_alg;
ipsec_protocol_t proto;
ipsec_sa_flags_t flags;
- u32 id, spi;
+ u32 id, spi, sa_index;
int rv;
#if WITH_LIBSSL > 0
@@ -390,7 +390,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
rv = ipsec_sa_add (id, spi, proto,
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
- 0, &tun_src, &tun_dst, NULL);
+ 0, &tun_src, &tun_dst, &sa_index);
else
rv = ipsec_sa_del (id);
@@ -399,7 +399,12 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
#endif
out:
- REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY);
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
}
static void
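Review bot: `sa_index` is declared without an initialiser (`u32 id, spi, sa_index;` in the first hunk of this file) but `rmp->stat_index = htonl (sa_index);` runs on every reply. On the delete branch (`rv = ipsec_sa_del (id);`) and on any path that reaches `out:` before ipsec_sa_add is called, it is never written. The reply then carries an indeterminate stack value to the API client, which is undefined behaviour and a small information leak. Initialise it at the declaration, `u32 id, spi, sa_index = ~0;`, so that failed or delete requests return a recognisable invalid index. Whether ipsec_sa_add writes the out-parameter on its own error paths is not visible here and should be checked as well.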
@@ -708,7 +713,6 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
}
if (sa->use_anti_replay)
mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
- mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
vl_api_send_msg (reg, (u8 *) mp);
}
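Review bot: Dropping this assignment leaves `total_data_size` in the `ipsec_sa_details` message unpopulated, as far as this commit shows, because the ipsec.api section does not remove the field. Existing dump clients that track data lifetime would then silently read whatever the freshly allocated message holds, presumably zero. Either keep the field populated from the new counter, e.g. `mp->total_data_size = clib_host_to_net_u64 (counts.bytes);` after a `vlib_get_combined_counter` call, or mark the field as deprecated in ipsec.api so consumers know to read `/net/ipsec/sa` instead.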
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 52a30a428d0..22fbcdf9599 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -594,6 +594,7 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm,
vlib_cli_command_t * cmd)
{
vlib_clear_combined_counters (&ipsec_spd_policy_counters);
+ vlib_clear_combined_counters (&ipsec_sa_counters);
return (NULL);
}
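Review bot: Clearing `ipsec_sa_counters` here also resets the byte totals that ikev2_mngr_process_ipsec_sa now compares with `lifetime_maxdata`. An operator running this command therefore restarts the data-volume lifetime of every IKEv2 child SA and postpones rekeying. Previously the per-SA `total_data_size` was not touched by this function. If the lifetime check is meant to survive a counter clear, it needs its own running total. Otherwise the coupling should at least be stated in a comment here, e.g. `/* also resets the byte totals used for IKEv2 lifetime_maxdata */`, and in the CLI help.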
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 04a2a0b5be1..dc66569702e 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -238,6 +238,7 @@ format_ipsec_sa (u8 * s, va_list * args)
{
u32 sai = va_arg (*args, u32);
ipsec_main_t *im = &ipsec_main;
+ vlib_counter_t counts;
u32 tx_table_id;
ipsec_sa_t *sa;
@@ -261,6 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args)
s = format (s, "\n integrity alg %U%s%U",
format_ipsec_integ_alg, sa->integ_alg,
sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key);
+ vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
+ s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
if (sa->is_tunnel)
{
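Review bot: `counts.packets` and `counts.bytes` are 64-bit `counter_t` values but are printed with `%u`, so the output is truncated to 32 bits on busy SAs and the argument widths do not match the conversion. The u64 fields printed in src/vat/api_format.c in this same commit use `%lu`; the line should do likewise, `s = format (s, "\n packets %lu bytes %lu", counts.packets, counts.bytes);`. The function continues outside this hunk.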
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index c4721c7afad..fc8520d5ebb 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -16,6 +16,16 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/fib/fib_table.h>
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+vlib_combined_counter_main_t ipsec_sa_counters = {
+ .name = "SA",
+ .stat_segment_name = "/net/ipsec/sa",
+};
+
+
static clib_error_t *
ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
u32 sa_index, int is_add)
@@ -106,8 +116,12 @@ ipsec_sa_add (u32 id,
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
sa_index = sa - im->sad;
+ vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
+ vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
+
sa->id = id;
sa->spi = spi;
+ sa->stat_index = sa_index;
sa->protocol = proto;
sa->crypto_alg = crypto_alg;
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 2e39566bd63..2601f51038a 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -101,6 +101,7 @@ typedef struct
fib_node_t node;
u32 id;
u32 spi;
+ u32 stat_index;
ipsec_protocol_t protocol;
ipsec_crypto_alg_t crypto_alg;
@@ -131,11 +132,14 @@ typedef struct
u32 last_seq;
u32 last_seq_hi;
u64 replay_window;
-
- /* lifetime data */
- u64 total_data_size;
} ipsec_sa_t;
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+extern vlib_combined_counter_main_t ipsec_sa_counters;
+
extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
extern int ipsec_sa_add (u32 id,
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 77461d4397f..53b6cec1330 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -304,6 +304,15 @@ class IpsecTraTests(object):
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
+ pkts = p.tra_sa_in.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA in counts: expected %d != %d" %
+ (count, pkts))
+ pkts = p.tra_sa_out.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA out counts: expected %d != %d" %
+ (count, pkts))
+
self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
@@ -333,6 +342,14 @@ class IpsecTraTests(object):
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
+ pkts = p.tra_sa_in.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA in counts: expected %d != %d" %
+ (count, pkts))
+ pkts = p.tra_sa_out.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA out counts: expected %d != %d" %
+ (count, pkts))
self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
@@ -385,6 +402,17 @@ class IpsecTun4Tests(object):
self.assertEqual(pkts, count,
"incorrect SPD any policy: expected %d != %d" %
(count, pkts))
+
+ if (hasattr(p, "tun_sa_in")):
+ pkts = p.tun_sa_in.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA in counts: expected %d != %d" %
+ (count, pkts))
+ pkts = p.tun_sa_out.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA out counts: expected %d != %d" %
+ (count, pkts))
+
self.assert_packet_counter_equal(self.tun4_encrypt_node_name, count)
self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
@@ -433,6 +461,14 @@ class IpsecTun6Tests(object):
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
+ pkts = p.tun_sa_in.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA in counts: expected %d != %d" %
+ (count, pkts))
+ pkts = p.tun_sa_out.get_stats()['packets']
+ self.assertEqual(pkts, count,
+ "incorrect SA out counts: expected %d != %d" %
+ (count, pkts))
self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
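Review bot: The tun6 check reads `p.tun_sa_in` and `p.tun_sa_out` unconditionally, while the tun4 check added in this file guards the same reads with `if (hasattr(p, "tun_sa_in")):`. If any test class that mixes in IpsecTun6Tests builds its params without those SA objects, which the tun4 guard suggests can happen, this fails with AttributeError rather than a counter mismatch. Using the same guard here keeps the two templates consistent. The new checks also assert only `['packets']`; adding a `['bytes']` assertion would cover the value that the IKEv2 lifetime logic actually consumes.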
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index f8add0d3c9c..f99bb852983 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -86,18 +86,20 @@ class TemplateIpsecAh(TemplateIpsec):
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
- VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.tun_if.local_addr[addr_type],
- self.tun_if.remote_addr[addr_type]).add_vpp_config()
- VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.tun_if.remote_addr[addr_type],
- self.tun_if.local_addr[addr_type]).add_vpp_config()
+ params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_ah_protocol,
+ self.tun_if.local_addr[addr_type],
+ self.tun_if.remote_addr[addr_type])
+ params.tun_sa_in.add_vpp_config()
+ params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_ah_protocol,
+ self.tun_if.remote_addr[addr_type],
+ self.tun_if.local_addr[addr_type])
+ params.tun_sa_out.add_vpp_config()
params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd,
vpp_tun_sa_id,
@@ -161,16 +163,18 @@ class TemplateIpsecAh(TemplateIpsec):
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
- VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- flags=flags).add_vpp_config()
- VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- flags=flags).add_vpp_config()
+ params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_ah_protocol,
+ flags=flags)
+ params.tra_sa_in.add_vpp_config()
+ params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_ah_protocol,
+ flags=flags)
+ params.tra_sa_out.add_vpp_config()
VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
addr_any, addr_bcast,
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index ba67b60a08e..7a05f0d2183 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -97,18 +97,20 @@ class TemplateIpsecEsp(TemplateIpsec):
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
- VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.local_addr[addr_type],
- self.tun_if.remote_addr[addr_type]).add_vpp_config()
- VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.remote_addr[addr_type],
- self.tun_if.local_addr[addr_type]).add_vpp_config()
+ params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.local_addr[addr_type],
+ self.tun_if.remote_addr[addr_type])
+ params.tun_sa_in.add_vpp_config()
+ params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.remote_addr[addr_type],
+ self.tun_if.local_addr[addr_type])
+ params.tun_sa_out.add_vpp_config()
params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd,
scapy_tun_sa_id,
@@ -172,16 +174,18 @@ class TemplateIpsecEsp(TemplateIpsec):
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
- VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_esp_protocol,
- flags=flags).add_vpp_config()
- VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_esp_protocol,
- flags=flags).add_vpp_config()
+ params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_esp_protocol,
+ flags=flags)
+ params.tra_sa_in.add_vpp_config()
+ params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
+ auth_algo_vpp_id, auth_key,
+ crypt_algo_vpp_id, crypt_key,
+ self.vpp_esp_protocol,
+ flags=flags)
+ params.tra_sa_out.add_vpp_config()
VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
addr_any, addr_bcast,
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 917574ee977..0241fdf02b6 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -213,7 +213,7 @@ class VppIpsecSA(VppObject):
self.tun_dst = ip_address(text_type(tun_dst))
def add_vpp_config(self):
- self.test.vapi.ipsec_sad_entry_add_del(
+ r = self.test.vapi.ipsec_sad_entry_add_del(
self.id,
self.spi,
self.integ_alg,
@@ -224,6 +224,7 @@ class VppIpsecSA(VppObject):
(self.tun_src if self.tun_src else []),
(self.tun_dst if self.tun_dst else []),
flags=self.flags)
+ self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
def remove_vpp_config(self):
@@ -252,3 +253,7 @@ class VppIpsecSA(VppObject):
if b.entry.sad_id == self.id:
return True
return False
+
+ def get_stats(self):
+ c = self.test.statistics.get_counter("/net/ipsec/sa")
+ return c[0][self.stat_index]
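Review bot: `get_stats` returns `c[0][self.stat_index]`, which appears to read only the first per-thread vector of the combined counter. In a multi-worker test run, packets counted on other threads would be missed and the new `assertEqual(pkts, count, ...)` checks would fail or under-report. Summing the `packets` and `bytes` entries at `self.stat_index` across all elements of `c` would make the helper independent of the worker count. `self.stat_index` is also only set in add_vpp_config, so calling get_stats on an SA that was never added raises AttributeError; initialising it in `__init__` would give a clearer failure.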