diff options
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 10 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if_in.c | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_input.c | 55 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_io.h | 12 |
4 files changed, 52 insertions, 27 deletions
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 357d638d38b..519b6135b1b 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -109,7 +109,9 @@ ipsec_if_tx_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, hi0 = vnet_get_sup_hw_interface (vnm, sw_if_index0); t0 = pool_elt_at_index (im->tunnel_interfaces, hi0->dev_instance); vnet_buffer (b0)->ipsec.sad_index = t0->output_sa_index; - next0 = IPSEC_OUTPUT_NEXT_ESP4_ENCRYPT; + + /* 0, tx-node next[0] was added by vlib_node_add_next_with_slot */ + next0 = 0; len0 = vlib_buffer_length_in_chain (vm, b0); @@ -362,12 +364,12 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, t - im->tunnel_interfaces); hi = vnet_get_hw_interface (vnm, hw_if_index); + /* add esp4 as the next-node-index of this tx-node */ slot = vlib_node_add_next_with_slot - (vnm->vlib_main, hi->tx_node_index, im->esp4_encrypt_node_index, - IPSEC_OUTPUT_NEXT_ESP4_ENCRYPT); + (vnm->vlib_main, hi->tx_node_index, im->esp4_encrypt_node_index, 0); - ASSERT (slot == IPSEC_OUTPUT_NEXT_ESP4_ENCRYPT); + ASSERT (slot == 0); t->hw_if_index = hw_if_index; diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c index 833f8485340..5834e3e6ad5 100644 --- a/src/vnet/ipsec/ipsec_if_in.c +++ b/src/vnet/ipsec/ipsec_if_in.c @@ -49,7 +49,7 @@ typedef struct u32 seq; } ipsec_if_input_trace_t; -u8 * +static u8 * format_ipsec_if_input_trace (u8 * s, va_list * args) { CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c index e3fd4aa551d..193b03ff0ae 100644 --- a/src/vnet/ipsec/ipsec_input.c +++ b/src/vnet/ipsec/ipsec_input.c @@ -24,9 +24,9 @@ #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> -#define foreach_ipsec_input_error \ - _(RX_PKTS, "IPSEC pkts received") \ - _(DECRYPTION_FAILED, "IPSEC decryption failed") +#define foreach_ipsec_input_error \ +_(RX_PKTS, "IPSEC pkts received") \ +_(RX_MATCH_PKTS, "IPSEC pkts matched") typedef enum { @@ -169,6 +169,8 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, { u32 n_left_from, *from, next_index, *to_next, thread_index; ipsec_main_t *im = &ipsec_main; + u32 ipsec_unprocessed = 0; + u32 ipsec_matched = 0; from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; @@ -241,6 +243,8 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE (p0 != NULL)) { + ipsec_matched += 1; + pi0 = p0 - im->policies; vlib_increment_combined_counter (&ipsec_spd_policy_counters, @@ -275,8 +279,7 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, tr->policy_index = pi0; } } - - if (PREDICT_TRUE (ip0->protocol == IP_PROTOCOL_IPSEC_AH)) + else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH) { ah0 = (ah_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0)); p0 = ipsec_input_protect_policy_match (spd0, @@ -291,11 +294,14 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE (p0 != 0)) { + ipsec_matched += 1; + pi0 = p0 - im->policies; vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index, pi0, 1, clib_net_to_host_u16 (ip0->length)); + vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; vnet_buffer (b0)->ipsec.flags = 0; next0 = im->ah4_decrypt_next_index; @@ -322,6 +328,10 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, tr->policy_index = pi0; } } + else + { + ipsec_unprocessed += 1; + } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, @@ -329,10 +339,14 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, } vlib_put_next_frame (vm, node, next_index, n_left_to_next); } + vlib_node_increment_counter (vm, ipsec4_input_node.index, IPSEC_INPUT_ERROR_RX_PKTS, - from_frame->n_vectors); + from_frame->n_vectors - ipsec_unprocessed); + vlib_node_increment_counter (vm, ipsec4_input_node.index, + IPSEC_INPUT_ERROR_RX_MATCH_PKTS, + ipsec_matched); return from_frame->n_vectors; } @@ -343,10 +357,8 @@ VLIB_REGISTER_NODE (ipsec4_input_node,static) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ipsec_input_error_strings), .error_strings = ipsec_input_error_strings, - .n_next_nodes = IPSEC_INPUT_N_NEXT, .next_nodes = { #define _(s,n) [IPSEC_INPUT_NEXT_##s] = n, @@ -365,6 +377,8 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, { u32 n_left_from, *from, next_index, *to_next, thread_index; ipsec_main_t *im = &ipsec_main; + u32 ipsec_unprocessed = 0; + u32 ipsec_matched = 0; from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; @@ -425,12 +439,15 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, if (PREDICT_TRUE (p0 != 0)) { + ipsec_matched += 1; + pi0 = p0 - im->policies; vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index, pi0, 1, clib_net_to_host_u16 (ip0->payload_length) + header_size); + vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; vnet_buffer (b0)->ipsec.flags = 0; next0 = im->esp6_decrypt_next_index; @@ -452,12 +469,14 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, if (PREDICT_TRUE (p0 != 0)) { + ipsec_matched += 1; pi0 = p0 - im->policies; vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index, pi0, 1, clib_net_to_host_u16 (ip0->payload_length) + header_size); + vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; vnet_buffer (b0)->ipsec.flags = 0; next0 = im->ah6_decrypt_next_index; @@ -468,6 +487,10 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, pi0 = ~0; } } + else + { + ipsec_unprocessed += 1; + } trace0: if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) && @@ -489,9 +512,14 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, } vlib_put_next_frame (vm, node, next_index, n_left_to_next); } + vlib_node_increment_counter (vm, ipsec6_input_node.index, IPSEC_INPUT_ERROR_RX_PKTS, - from_frame->n_vectors); + from_frame->n_vectors - ipsec_unprocessed); + + vlib_node_increment_counter (vm, ipsec6_input_node.index, + IPSEC_INPUT_ERROR_RX_MATCH_PKTS, + ipsec_matched); return from_frame->n_vectors; } @@ -503,11 +531,14 @@ VLIB_REGISTER_NODE (ipsec6_input_node,static) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ipsec_input_error_strings), .error_strings = ipsec_input_error_strings, - - .sibling_of = "ipsec4-input-feature", + .n_next_nodes = IPSEC_INPUT_N_NEXT, + .next_nodes = { +#define _(s,n) [IPSEC_INPUT_NEXT_##s] = n, + foreach_ipsec_input_next +#undef _ + }, }; /* *INDENT-ON* */ diff --git a/src/vnet/ipsec/ipsec_io.h b/src/vnet/ipsec/ipsec_io.h index aa6fa8df7c7..c180a784eaa 100644 --- a/src/vnet/ipsec/ipsec_io.h +++ b/src/vnet/ipsec/ipsec_io.h @@ -18,11 +18,7 @@ #define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0) #define foreach_ipsec_output_next \ - _ (DROP, "error-drop") \ - _ (ESP4_ENCRYPT, "esp4-encrypt") \ - _ (AH4_ENCRYPT, "ah4-encrypt") \ - _ (ESP6_ENCRYPT, "esp6-encrypt") \ - _ (AH6_ENCRYPT, "ah6-encrypt") + _ (DROP, "error-drop") #define _(v, s) IPSEC_OUTPUT_NEXT_##v, typedef enum @@ -33,11 +29,7 @@ typedef enum } ipsec_output_next_t; #define foreach_ipsec_input_next \ - _ (DROP, "error-drop") \ - _ (ESP4_DECRYPT, "esp4-decrypt") \ - _ (AH4_DECRYPT, "ah4-decrypt") \ - _ (ESP6_DECRYPT, "esp6-decrypt") \ - _ (AH6_DECRYPT, "ah6-decrypt") + _ (DROP, "error-drop") #define _(v, s) IPSEC_INPUT_NEXT_##v, typedef enum |