diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_decrypt.c | 9 | ||||
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_encrypt.c | 7 | ||||
-rw-r--r-- | src/vat/api_format.c | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 10 | ||||
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 9 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2.c | 5 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 12 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 1 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 3 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 14 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 10 |
14 files changed, 80 insertions, 27 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c index cd35ee7576e..20040433420 100644 --- a/src/plugins/dpdk/ipsec/esp_decrypt.c +++ b/src/plugins/dpdk/ipsec/esp_decrypt.c @@ -97,7 +97,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame, int is_ip6) { - u32 n_left_from, *from, *to_next, next_index; + u32 n_left_from, *from, *to_next, next_index, thread_index; ipsec_main_t *im = &ipsec_main; u32 thread_idx = vlib_get_thread_index (); dpdk_crypto_main_t *dcm = &dpdk_crypto_main; @@ -114,6 +114,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; + thread_index = vm->thread_index; ret = crypto_alloc_ops (numa, ops, n_left_from); if (ret) @@ -173,6 +174,8 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, CLIB_PREFETCH (op, op_len, STORE); sa_index0 = vnet_buffer (b0)->ipsec.sad_index; + vlib_prefetch_combined_counter (&ipsec_sa_counters, + thread_index, sa_index0); if (sa_index0 != last_sa_index) { @@ -266,7 +269,9 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST; /* FIXME multi-seg */ - sa0->total_data_size += b0->current_length; + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, b0->current_length); res->ops[res->n_ops] = op; res->bi[res->n_ops] = bi0; diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index eea99eb8694..d29ca55ea2e 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -112,7 +112,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame, int is_ip6) { - u32 n_left_from, *from, *to_next, next_index; + u32 n_left_from, *from, *to_next, next_index, thread_index; ipsec_main_t *im = &ipsec_main; u32 thread_idx = vlib_get_thread_index (); dpdk_crypto_main_t *dcm = &dpdk_crypto_main; @@ -129,6 +129,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; + thread_index = vm->thread_index; ret = crypto_alloc_ops (numa, ops, n_left_from); if (ret) @@ -280,7 +281,9 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, orig_sz = b0->current_length; /* TODO multi-seg support - total_length_not_including_first_buffer */ - sa0->total_data_size += b0->current_length; + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, b0->current_length); res->ops[res->n_ops] = op; res->bi[res->n_ops] = bi0; diff --git a/src/vat/api_format.c b/src/vat/api_format.c index 1d93cc17648..daeec503856 100644 --- a/src/vat/api_format.c +++ b/src/vat/api_format.c @@ -15218,7 +15218,7 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp) "crypto_key %U integ_alg %u integ_key %U flags %x " "tunnel_src_addr %U tunnel_dst_addr %U " "salt %u seq_outbound %lu last_seq_inbound %lu " - "replay_window %lu total_data_size %lu\n", + "replay_window %lu\n", ntohl (mp->entry.sad_id), ntohl (mp->sw_if_index), ntohl (mp->entry.spi), @@ -15232,8 +15232,7 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp) &mp->entry.tunnel_dst, ntohl (mp->salt), clib_net_to_host_u64 (mp->seq_outbound), clib_net_to_host_u64 (mp->last_seq_inbound), - clib_net_to_host_u64 (mp->replay_window), - clib_net_to_host_u64 (mp->total_data_size)); + clib_net_to_host_u64 (mp->replay_window)); } #define vl_api_ipsec_sa_details_t_endian vl_noop_handler @@ -15302,8 +15301,6 @@ static void vl_api_ipsec_sa_details_t_handler_json vat_json_object_add_address (node, &mp->entry.tunnel_dst); vat_json_object_add_uint (node, "replay_window", clib_net_to_host_u64 (mp->replay_window)); - vat_json_object_add_uint (node, "total_data_size", - clib_net_to_host_u64 (mp->total_data_size)); } static int diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index 7d2bf814fcc..629e7f031c4 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -81,7 +81,7 @@ ah_decrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame, int is_ip6) { - u32 n_left_from, *from, next_index, *to_next; + u32 n_left_from, *from, next_index, *to_next, thread_index; ipsec_main_t *im = &ipsec_main; ipsec_proto_main_t *em = &ipsec_proto_main; from = vlib_frame_vector_args (from_frame); @@ -89,6 +89,7 @@ ah_decrypt_inline (vlib_main_t * vm, int icv_size = 0; next_index = node->cached_next_index; + thread_index = vm->thread_index; while (n_left_from > 0) { @@ -131,6 +132,9 @@ ah_decrypt_inline (vlib_main_t * vm, sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index; sa0 = pool_elt_at_index (im->sad, sa_index0); + vlib_prefetch_combined_counter (&ipsec_sa_counters, + thread_index, sa_index0); + if (is_ip6) { ip6_ext_header_t *prev = NULL; @@ -164,8 +168,10 @@ ah_decrypt_inline (vlib_main_t * vm, } } + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, i_b0->current_length); - sa0->total_data_size += i_b0->current_length; icv_size = em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index 66286094682..5f6a0991be3 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -84,13 +84,14 @@ ah_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame, int is_ip6) { - u32 n_left_from, *from, *to_next = 0, next_index; + u32 n_left_from, *from, *to_next = 0, next_index, thread_index; int icv_size = 0; from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; ipsec_main_t *im = &ipsec_main; ipsec_proto_main_t *em = &ipsec_proto_main; next_index = node->cached_next_index; + thread_index = vm->thread_index; while (n_left_from > 0) { @@ -131,9 +132,9 @@ ah_encrypt_inline (vlib_main_t * vm, AH_ENCRYPT_ERROR_SEQ_CYCLED, 1); goto trace; } - - - sa0->total_data_size += i_b0->current_length; + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, i_b0->current_length); ssize_t adv; ih0 = vlib_buffer_get_current (i_b0); diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 5a3ccdcacd9..0cf31ffb000 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -193,7 +193,9 @@ esp_decrypt_inline (vlib_main_t * vm, } } - sa0->total_data_size += i_b0->current_length; + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, i_b0->current_length); if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) { diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index e1690439c88..ffa02115858 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -182,6 +182,9 @@ esp_encrypt_inline (vlib_main_t * vm, sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index; sa0 = pool_elt_at_index (im->sad, sa_index0); + vlib_prefetch_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0); + if (PREDICT_FALSE (esp_seq_advance (sa0))) { clib_warning ("sequence number counter has cycled SPI %u", @@ -195,8 +198,6 @@ esp_encrypt_inline (vlib_main_t * vm, goto trace; } - sa0->total_data_size += i_b0->current_length; - /* grab free buffer */ last_empty_buffer = vec_len (empty_buffers) - 1; o_bi0 = empty_buffers[last_empty_buffer]; @@ -330,6 +331,9 @@ esp_encrypt_inline (vlib_main_t * vm, } ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG); + vlib_increment_combined_counter + (&ipsec_sa_counters, thread_index, sa_index0, + 1, i_b0->current_length); if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE)) { diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c index 3d5c0f766cf..d85feee4274 100644 --- a/src/vnet/ipsec/ikev2.c +++ b/src/vnet/ipsec/ikev2.c @@ -3376,6 +3376,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) ikev2_sa_t *fsa = 0; ikev2_child_sa_t *fchild = 0; f64 now = vlib_time_now (vm); + vlib_counter_t counts; /* Search for the SA and child SA */ vec_foreach (tkm, km->per_thread_data) @@ -3394,11 +3395,13 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) })); /* *INDENT-ON* */ } + vlib_get_combined_counter (&ipsec_sa_counters, + ipsec_sa->stat_index, &counts); if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata) { if (!fchild->is_expired - && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata) + && counts.bytes > fsa->profile->lifetime_maxdata) { fchild->time_to_expiration = now; } diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index ece0b024485..91d21d4dce9 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -293,13 +293,19 @@ typedef ipsec_sad_entry @param context - sender context, to match reply w/ request @param entry - Entry to add or delete */ -autoreply define ipsec_sad_entry_add_del +define ipsec_sad_entry_add_del { u32 client_index; u32 context; u8 is_add; vl_api_ipsec_sad_entry_t entry; }; +define ipsec_sad_entry_add_del_reply +{ + u32 context; + i32 retval; + u32 stat_index; +}; /** \brief IPsec: Update Security Association keys @param client_index - opaque cookie to identify the sender diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 2d464b31290..a26f486d6ef 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -354,7 +354,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler ipsec_integ_alg_t integ_alg; ipsec_protocol_t proto; ipsec_sa_flags_t flags; - u32 id, spi; + u32 id, spi, sa_index; int rv; #if WITH_LIBSSL > 0 @@ -390,7 +390,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler rv = ipsec_sa_add (id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, - 0, &tun_src, &tun_dst, NULL); + 0, &tun_src, &tun_dst, &sa_index); else rv = ipsec_sa_del (id); @@ -399,7 +399,12 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler #endif out: - REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY); + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY, + { + rmp->stat_index = htonl (sa_index); + }); + /* *INDENT-ON* */ } static void @@ -708,7 +713,6 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg, } if (sa->use_anti_replay) mp->replay_window = clib_host_to_net_u64 (sa->replay_window); - mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size); vl_api_send_msg (reg, (u8 *) mp); } diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 52a30a428d0..22fbcdf9599 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -594,6 +594,7 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { vlib_clear_combined_counters (&ipsec_spd_policy_counters); + vlib_clear_combined_counters (&ipsec_sa_counters); return (NULL); } diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index 04a2a0b5be1..dc66569702e 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -238,6 +238,7 @@ format_ipsec_sa (u8 * s, va_list * args) { u32 sai = va_arg (*args, u32); ipsec_main_t *im = &ipsec_main; + vlib_counter_t counts; u32 tx_table_id; ipsec_sa_t *sa; @@ -261,6 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args) s = format (s, "\n integrity alg %U%s%U", format_ipsec_integ_alg, sa->integ_alg, sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key); + vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts); + s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes); if (sa->is_tunnel) { diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index c4721c7afad..fc8520d5ebb 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -16,6 +16,16 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/fib/fib_table.h> +/** + * @brief + * SA packet & bytes counters + */ +vlib_combined_counter_main_t ipsec_sa_counters = { + .name = "SA", + .stat_segment_name = "/net/ipsec/sa", +}; + + static clib_error_t * ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa, u32 sa_index, int is_add) @@ -106,8 +116,12 @@ ipsec_sa_add (u32 id, fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA); sa_index = sa - im->sad; + vlib_validate_combined_counter (&ipsec_sa_counters, sa_index); + vlib_zero_combined_counter (&ipsec_sa_counters, sa_index); + sa->id = id; sa->spi = spi; + sa->stat_index = sa_index; sa->protocol = proto; sa->crypto_alg = crypto_alg; clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key)); diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 2e39566bd63..2601f51038a 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -101,6 +101,7 @@ typedef struct fib_node_t node; u32 id; u32 spi; + u32 stat_index; ipsec_protocol_t protocol; ipsec_crypto_alg_t crypto_alg; @@ -131,11 +132,14 @@ typedef struct u32 last_seq; u32 last_seq_hi; u64 replay_window; - - /* lifetime data */ - u64 total_data_size; } ipsec_sa_t; +/** + * @brief + * SA packet & bytes counters + */ +extern vlib_combined_counter_main_t ipsec_sa_counters; + extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len); extern int ipsec_sa_add (u32 id, |