ipsec: Use .api declared error counters

Type: improvement

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
Neale Ranns
2022-08-09 03:34:51 +00:00
committed by Beno�t Ganne
parent 13a74ae25d
commit 93688d7341
8 changed files with 348 additions and 203 deletions


@@ -23,6 +23,7 @@
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
#include <vnet/ipsec/ipsec_io.h>
#include <vnet/ipsec/ipsec.api_enum.h>
#define foreach_ah_decrypt_next \
_(DROP, "error-drop") \
@@ -38,28 +39,6 @@ typedef enum
AH_DECRYPT_N_NEXT,
} ah_decrypt_next_t;
#define foreach_ah_decrypt_error \
_ (RX_PKTS, "AH pkts received") \
_ (DECRYPTION_FAILED, "AH decryption failed") \
_ (INTEG_ERROR, "Integrity check failed") \
_ (NO_TAIL_SPACE, "not enough buffer tail space (dropped)") \
_ (DROP_FRAGMENTS, "IP fragments drop") \
_ (REPLAY, "SA replayed packet")
typedef enum
{
#define _(sym,str) AH_DECRYPT_ERROR_##sym,
foreach_ah_decrypt_error
#undef _
AH_DECRYPT_N_ERROR,
} ah_decrypt_error_t;
static char *ah_decrypt_error_strings[] = {
#define _(sym,string) string,
foreach_ah_decrypt_error
#undef _
};
typedef struct
{
ipsec_integ_alg_t integ_alg;
@@ -443,8 +422,8 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = {
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(ah_decrypt_error_strings),
.error_strings = ah_decrypt_error_strings,
.n_errors = AH_DECRYPT_N_ERROR,
.error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {
@@ -470,8 +449,8 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = {
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(ah_decrypt_error_strings),
.error_strings = ah_decrypt_error_strings,
.n_errors = AH_DECRYPT_N_ERROR,
.error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {


@@ -22,6 +22,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/tunnel/tunnel_dp.h>
#define foreach_ah_encrypt_next \
@@ -38,25 +39,6 @@ typedef enum
AH_ENCRYPT_N_NEXT,
} ah_encrypt_next_t;
#define foreach_ah_encrypt_error \
_ (RX_PKTS, "AH pkts received") \
_ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
_ (SEQ_CYCLED, "sequence number cycled (packet dropped)")
typedef enum
{
#define _(sym,str) AH_ENCRYPT_ERROR_##sym,
foreach_ah_encrypt_error
#undef _
AH_ENCRYPT_N_ERROR,
} ah_encrypt_error_t;
static char *ah_encrypt_error_strings[] = {
#define _(sym,string) string,
foreach_ah_encrypt_error
#undef _
};
typedef struct
{
u32 sa_index;
@@ -462,8 +444,8 @@ VLIB_REGISTER_NODE (ah4_encrypt_node) = {
.format_trace = format_ah_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(ah_encrypt_error_strings),
.error_strings = ah_encrypt_error_strings,
.n_errors = AH_ENCRYPT_N_ERROR,
.error_counters = ah_encrypt_error_counters,
.n_next_nodes = AH_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -488,8 +470,8 @@ VLIB_REGISTER_NODE (ah6_encrypt_node) = {
.format_trace = format_ah_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(ah_encrypt_error_strings),
.error_strings = ah_encrypt_error_strings,
.n_errors = AH_ENCRYPT_N_ERROR,
.error_counters = ah_encrypt_error_counters,
.n_next_nodes = AH_ENCRYPT_N_NEXT,
.next_nodes = {


@@ -23,6 +23,7 @@
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ipsec_io.h>
#include <vnet/ipsec/ipsec_tun.h>
#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/gre/packet.h>
@@ -57,35 +58,6 @@ typedef enum
ESP_DECRYPT_POST_N_NEXT,
} esp_decrypt_post_next_t;
#define foreach_esp_decrypt_error \
_ (RX_PKTS, "ESP pkts received") \
_ (RX_POST_PKTS, "ESP-POST pkts received") \
_ (HANDOFF, "hand-off") \
_ (DECRYPTION_FAILED, "ESP decryption failed") \
_ (INTEG_ERROR, "Integrity check failed") \
_ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
_ (REPLAY, "SA replayed packet") \
_ (RUNT, "undersized packet") \
_ (NO_BUFFERS, "no buffers (packet dropped)") \
_ (OVERSIZED_HEADER, "buffer with oversized header (dropped)") \
_ (NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \
_ (TUN_NO_PROTO, "no tunnel protocol") \
_ (UNSUP_PAYLOAD, "unsupported payload")
typedef enum
{
#define _(sym,str) ESP_DECRYPT_ERROR_##sym,
foreach_esp_decrypt_error
#undef _
ESP_DECRYPT_N_ERROR,
} esp_decrypt_error_t;
static char *esp_decrypt_error_strings[] = {
#define _(sym,string) string,
foreach_esp_decrypt_error
#undef _
};
typedef struct
{
u32 seq;
@@ -96,6 +68,8 @@ typedef struct
ipsec_integ_alg_t integ_alg;
} esp_decrypt_trace_t;
typedef vl_counter_esp_decrypt_enum_t esp_decrypt_error_t;
/* The number of byres in the hisequence number */
#define N_HI_ESN_BYTES 4
@@ -1481,8 +1455,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
@@ -1501,8 +1475,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.sibling_of = "esp4-decrypt",
};
@@ -1513,8 +1487,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
@@ -1533,8 +1507,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.sibling_of = "esp6-decrypt",
};
@@ -1544,8 +1518,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_node) = {
.vector_size = sizeof (u32),
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
[ESP_DECRYPT_NEXT_DROP] = "ip4-drop",
@@ -1563,8 +1537,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.sibling_of = "esp4-decrypt-tun",
};
@@ -1574,8 +1548,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_node) = {
.vector_size = sizeof (u32),
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.n_next_nodes = ESP_DECRYPT_N_NEXT,
.next_nodes = {
[ESP_DECRYPT_NEXT_DROP] = "ip6-drop",
@@ -1593,8 +1567,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_post_node) = {
.format_trace = format_esp_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_decrypt_error_strings),
.error_strings = esp_decrypt_error_strings,
.n_errors = ESP_DECRYPT_N_ERROR,
.error_counters = esp_decrypt_error_counters,
.sibling_of = "esp6-decrypt-tun",
};


@@ -23,6 +23,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/ipsec/esp.h>
#include <vnet/tunnel/tunnel_dp.h>
@@ -43,31 +44,6 @@ typedef enum
ESP_ENCRYPT_N_NEXT,
} esp_encrypt_next_t;
#define foreach_esp_encrypt_error \
_ (RX_PKTS, "ESP pkts received") \
_ (POST_RX_PKTS, "ESP-post pkts received") \
_ (HANDOFF, "Hand-off") \
_ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \
_ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \
_ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \
_ (NO_BUFFERS, "no buffers (packet dropped)") \
_ (NO_PROTECTION, "no protecting SA (packet dropped)") \
_ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)")
typedef enum
{
#define _(sym,str) ESP_ENCRYPT_ERROR_##sym,
foreach_esp_encrypt_error
#undef _
ESP_ENCRYPT_N_ERROR,
} esp_encrypt_error_t;
static char *esp_encrypt_error_strings[] = {
#define _(sym,string) string,
foreach_esp_encrypt_error
#undef _
};
typedef struct
{
u32 sa_index;
@@ -84,6 +60,8 @@ typedef struct
u32 next_index;
} esp_encrypt_post_trace_t;
typedef vl_counter_esp_encrypt_enum_t esp_encrypt_error_t;
/* packet trace format function */
static u8 *
format_esp_encrypt_trace (u8 * s, va_list * args)
@@ -1182,8 +1160,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN (esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop",
@@ -1211,8 +1189,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1232,8 +1210,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1252,8 +1230,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt",
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1272,8 +1250,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1302,8 +1280,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp4-encrypt-tun",
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1322,8 +1300,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1354,8 +1332,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp-mpls-encrypt-tun",
.n_errors = ARRAY_LEN (esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
/* *INDENT-ON* */
@@ -1372,8 +1350,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = {
.format_trace = format_esp_encrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
@@ -1400,8 +1378,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = {
.type = VLIB_NODE_TYPE_INTERNAL,
.sibling_of = "esp-mpls-encrypt-tun",
.n_errors = ARRAY_LEN (esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
.n_errors = ESP_ENCRYPT_N_ERROR,
.error_counters = esp_encrypt_error_counters,
};
#ifndef CLIB_MARCH_VARIANT


@@ -505,6 +505,274 @@ autoreply define ipsec_set_async_mode {
bool async_enable;
};
counters esp_decrypt {
rx_pkts {
severity info;
type counter64;
units "packets";
description "ESP pkts received";
};
rx_post_pkts {
severity info;
type counter64;
units "packets";
description "ESP-POST pkts received";
};
handoff {
severity info;
type counter64;
units "packets";
description "hand-off";
};
decryption_failed {
severity error;
type counter64;
units "packets";
description "ESP decryption failed";
};
integ_error {
severity error;
type counter64;
units "packets";
description "integrity check failed";
};
crypto_engine_error {
severity error;
type counter64;
units "packets";
description "crypto engine error (packet dropped)";
};
replay {
severity error;
type counter64;
units "packets";
description "SA replayed packet";
};
runt {
severity error;
type counter64;
units "packets";
description "undersized packet";
};
no_buffers {
severity error;
type counter64;
units "packets";
description "no buffers (packet dropped)";
};
oversized_header {
severity error;
type counter64;
units "packets";
description "buffer with oversized header (dropped)";
};
no_tail_space {
severity error;
type counter64;
units "packets";
description "no enough buffer tail space (dropped)";
};
tun_no_proto {
severity error;
type counter64;
units "packets";
description "no tunnel protocol";
};
unsup_payload {
severity error;
type counter64;
units "packets";
description "unsupported payload";
};
};
counters esp_encrypt {
rx_pkts {
severity info;
type counter64;
units "packets";
description "ESP pkts received";
};
post_rx_pkts {
severity info;
type counter64;
units "packets";
description "ESP-post pkts received";
};
handoff {
severity info;
type counter64;
units "packets";
description "Hand-off";
};
seq_cycled {
severity error;
type counter64;
units "packets";
description "sequence number cycled (packet dropped)";
};
crypto_engine_error {
severity error;
type counter64;
units "packets";
description "crypto engine error (packet dropped)";
};
crypto_queue_full {
severity error;
type counter64;
units "packets";
description "crypto queue full (packet dropped)";
};
no_buffers {
severity error;
type counter64;
units "packets";
description "no buffers (packet dropped)";
};
no_protection {
severity error;
type counter64;
units "packets";
description "no protecting SA (packet dropped)";
};
no_encryption {
severity error;
type counter64;
units "packets";
description "no Encrypting SA (packet dropped)";
};
};
counters ah_encrypt {
rx_pkts {
severity info;
type counter64;
units "packets";
description "AH pkts received";
};
crypto_engine_error {
severity error;
type counter64;
units "packets";
description "crypto engine error (packet dropped)";
};
seq_cycled {
severity error;
type counter64;
units "packets";
description "sequence number cycled (packet dropped)";
};
};
counters ah_decrypt {
rx_pkts {
severity info;
type counter64;
units "packets";
description "AH pkts received";
};
decryption_failed {
severity error;
type counter64;
units "packets";
description "AH decryption failed";
};
integ_error {
severity error;
type counter64;
units "packets";
description "Integrity check failed";
};
no_tail_space {
severity error;
type counter64;
units "packets";
description "not enough buffer tail space (dropped)";
};
drop_fragments {
severity error;
type counter64;
units "packets";
description "IP fragments drop";
};
replay {
severity error;
type counter64;
units "packets";
description "SA replayed packet";
};
};
counters ipsec_tun {
rx {
severity info;
type counter64;
units "packets";
description "good packets received";
};
disabled {
severity error;
type counter64;
units "packets";
description "ipsec packets received on disabled interface";
};
no_tunnel {
severity error;
type counter64;
units "packets";
description "no matching tunnel";
};
tunnel_mismatch {
severity error;
type counter64;
units "packets";
description "SPI-tunnel mismatch";
};
nat_keepalive {
severity info;
type counter64;
units "packets";
description "NAT Keepalive";
};
too_short {
severity error;
type counter64;
units "packets";
description "Too Short";
};
spi_0 {
severity info;
type counter64;
units "packets";
description "SPI 0";
};
};
paths {
"/err/esp4-encrypt" "esp_encrypt";
"/err/esp4-encrypt-post" "esp_encrypt";
"/err/esp4-encrypt-tun" "esp_encrypt";
"/err/esp4-encrypt-tun-post" "esp_encrypt";
"/err/esp6-encrypt" "esp_encrypt";
"/err/esp6-encrypt-post" "esp_encrypt";
"/err/esp6-encrypt-tun" "esp_encrypt";
"/err/esp6-encrypt-tun-post" "esp_encrypt";
"/err/esp-mpls-encrypt-tun" "esp_encrypt";
"/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
"/err/esp4-decrypt" "esp_decrypt";
"/err/esp4-decrypt-post" "esp_decrypt";
"/err/esp4-decrypt-tun" "esp_decrypt";
"/err/esp4-decrypt-tun-post" "esp_decrypt";
"/err/esp6-decrypt" "esp_decrypt";
"/err/esp6-decrypt-post" "esp_decrypt";
"/err/esp6-decrypt-tun" "esp_decrypt";
"/err/esp6-decrypt-tun-post" "esp_decrypt";
"/err/ah4-encrypt" "ah_encrypt";
"/err/ah6-encrypt" "ah_encrypt";
"/err/ipsec4-tun-input" "ipsec_tun";
"/err/ipsec6-tun-input" "ipsec_tun";
};
/*
* Local Variables:
* eval: (c-set-style "gnu")
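Review bot: The `paths` block maps `/err/ah4-encrypt` and `/err/ah6-encrypt` to `ah_encrypt` but has no entry for the AH decrypt nodes, although `counters ah_decrypt` is declared in this hunk and `ah4_decrypt_node`/`ah6_decrypt_node` now register `ah_decrypt_error_counters`. If the omission is not intentional, add `"/err/ah4-decrypt" "ah_decrypt";` and `"/err/ah6-decrypt" "ah_decrypt";` (node names assumed by analogy with the encrypt entries; the `.name` fields are not visible on this page). AH integrity and replay failures are counters an operator would watch, so they should be declared as completely as the ESP ones. Separately, the `esp_decrypt` `no_tail_space` description carries over the old wording `no enough buffer tail space (dropped)`, while the `ah_decrypt` entry reads `not enough`; `integrity check failed` is likewise capitalised differently in the two sets.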


@@ -24,31 +24,10 @@
#include <vnet/ipsec/ipsec_io.h>
#include <vnet/ipsec/ipsec_punt.h>
#include <vnet/ipsec/ipsec_tun.h>
#include <vnet/ipsec/ipsec.api_enum.h>
#include <vnet/ip/ip4_input.h>
/* Statistics (not really errors) */
#define foreach_ipsec_tun_protect_input_error \
_(RX, "good packets received") \
_(DISABLED, "ipsec packets received on disabled interface") \
_(NO_TUNNEL, "no matching tunnel") \
_(TUNNEL_MISMATCH, "SPI-tunnel mismatch") \
_(NAT_KEEPALIVE, "NAT Keepalive") \
_(TOO_SHORT, "Too Short") \
_(SPI_0, "SPI 0")
static char *ipsec_tun_protect_input_error_strings[] = {
#define _(sym,string) string,
foreach_ipsec_tun_protect_input_error
#undef _
};
typedef enum
{
#define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym,
foreach_ipsec_tun_protect_input_error
#undef _
IPSEC_TUN_PROTECT_INPUT_N_ERROR,
} ipsec_tun_protect_input_error_t;
typedef vl_counter_ipsec_tun_enum_t ipsec_tun_protect_input_error_t;
typedef enum ipsec_tun_next_t_
{
@@ -93,14 +72,14 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
{
if (PREDICT_FALSE (0 == esp->spi))
{
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0];
b->error = node->errors[IPSEC_TUN_ERROR_SPI_0];
b->punt_reason = ipsec_punt_reason[(ip4->protocol == IP_PROTOCOL_UDP ?
IPSEC_PUNT_IP4_SPI_UDP_0 :
IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)];
}
else
{
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
}
return VNET_DEVICE_INPUT_NEXT_PUNT;
@@ -110,7 +89,7 @@ always_inline u16
ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
vlib_buffer_t * b, const esp_header_t * esp)
{
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->error = node->errors[IPSEC_TUN_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
return VNET_DEVICE_INPUT_NEXT_PUNT;
@@ -206,8 +185,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (clib_net_to_host_u16 (udp0->length) == 9 &&
esp0->spi_bytes[0] == 0xff)
{
b[0]->error =
node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NAT_KEEPALIVE];
b[0]->error = node->errors[IPSEC_TUN_ERROR_NAT_KEEPALIVE];
next[0] = VNET_DEVICE_INPUT_NEXT_IP4_DROP;
len0 = 0;
@@ -230,7 +208,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (len0 < sizeof (esp_header_t))
{
b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
b[0]->error = node->errors[IPSEC_TUN_ERROR_TOO_SHORT];
next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
VNET_DEVICE_INPUT_NEXT_IP4_DROP;
@@ -309,7 +287,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_increment_combined_counter
(drop_counter, thread_index, sw_if_index0, 1, len0);
n_disabled++;
b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
b[0]->error = node->errors[IPSEC_TUN_ERROR_DISABLED];
next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
@@ -377,12 +355,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
thread_index,
last_sw_if_index, n_packets, n_bytes);
vlib_node_increment_counter (vm, node->node_index,
IPSEC_TUN_PROTECT_INPUT_ERROR_RX,
from_frame->n_vectors - (n_disabled +
n_no_tunnel));
vlib_node_increment_counter (vm, node->node_index,
IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL,
vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_RX,
from_frame->n_vectors -
(n_disabled + n_no_tunnel));
vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_ERROR_NO_TUNNEL,
n_no_tunnel);
vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);
@@ -403,8 +379,8 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
.n_errors = IPSEC_TUN_N_ERROR,
.error_counters = ipsec_tun_error_counters,
.sibling_of = "device-input",
};
/* *INDENT-ON* */
@@ -422,8 +398,8 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
.n_errors = IPSEC_TUN_N_ERROR,
.error_counters = ipsec_tun_error_counters,
.sibling_of = "device-input",
};
/* *INDENT-ON* */
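Review bot: `IPSEC_TUN_ERROR_RX` is still incremented by `from_frame->n_vectors - (n_disabled + n_no_tunnel)`, so unless the NAT-keepalive and too-short paths also bump one of those two tallies (not visible in these hunks), packets dropped there are counted as "good packets received" as well. That was tolerable while the set was labelled "Statistics (not really errors)", but the .api declaration now gives `rx` severity info and `too_short` severity error, so monitoring is likely to rely on the split being exact. Consider tallying those drops and subtracting them too, or rewording the `rx` description to say what it actually counts. `ipsec_tun_protect_input_inline` extends well beyond the hunks shown, so this needs checking against the full function.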


@@ -330,12 +330,12 @@ class IpsecTra4(object):
"""verify methods for Transport v4"""
def get_replay_counts(self, p):
replay_node_name = "/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[0]
replay_node_name = "/err/%s/replay" % self.tra4_decrypt_node_name[0]
count = self.statistics.get_err_counter(replay_node_name)
if p.async_mode:
replay_post_node_name = (
"/err/%s/SA replayed packet" % self.tra4_decrypt_node_name[p.async_mode]
"/err/%s/replay" % self.tra4_decrypt_node_name[p.async_mode]
)
count += self.statistics.get_err_counter(replay_post_node_name)
@@ -344,13 +344,11 @@ class IpsecTra4(object):
def get_hash_failed_counts(self, p):
if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
hash_failed_node_name = (
"/err/%s/ESP decryption failed"
% self.tra4_decrypt_node_name[p.async_mode]
"/err/%s/decryption_failed" % self.tra4_decrypt_node_name[p.async_mode]
)
else:
hash_failed_node_name = (
"/err/%s/Integrity check failed"
% self.tra4_decrypt_node_name[p.async_mode]
"/err/%s/integ_error" % self.tra4_decrypt_node_name[p.async_mode]
)
count = self.statistics.get_err_counter(hash_failed_node_name)
@@ -365,10 +363,7 @@ class IpsecTra4(object):
esn_on = p.vpp_tra_sa.esn_en
ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
seq_cycle_node_name = (
"/err/%s/sequence number cycled (packet dropped)"
% self.tra4_encrypt_node_name
)
seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name
replay_count = self.get_replay_counts(p)
hash_failed_count = self.get_hash_failed_counts(p)
seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
@@ -605,18 +600,13 @@ class IpsecTra4(object):
p = self.params[socket.AF_INET]
esn_en = p.vpp_tra_sa.esn_en
seq_cycle_node_name = (
"/err/%s/sequence number cycled (packet dropped)"
% self.tra4_encrypt_node_name
)
seq_cycle_node_name = "/err/%s/seq_cycled" % self.tra4_encrypt_node_name
replay_count = self.get_replay_counts(p)
hash_failed_count = self.get_hash_failed_counts(p)
seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
if ESP == self.encryption_type:
undersize_node_name = (
"/err/%s/undersized packet" % self.tra4_decrypt_node_name[0]
)
undersize_node_name = "/err/%s/runt" % self.tra4_decrypt_node_name[0]
undersize_count = self.statistics.get_err_counter(undersize_node_name)
#
@@ -1459,7 +1449,7 @@ class IpsecTun4(object):
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
self.assert_error_counter_equal(
"/err/%s/NAT Keepalive" % self.tun4_input_node, 31
"/err/%s/nat_keepalive" % self.tun4_input_node, 31
)
pkt = (
@@ -1469,7 +1459,7 @@ class IpsecTun4(object):
/ Raw(b"\xfe")
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 31)
self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 31)
pkt = (
Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac)
@@ -1479,7 +1469,7 @@ class IpsecTun4(object):
/ Padding(0 * 21)
)
self.send_and_assert_no_replies(self.tun_if, pkt * 31)
self.assert_error_counter_equal("/err/%s/Too Short" % self.tun4_input_node, 62)
self.assert_error_counter_equal("/err/%s/too_short" % self.tun4_input_node, 62)
class IpsecTun4Tests(IpsecTun4):
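Review bot: The stats paths queried in these tests change from the description text to the symbolic counter name (`/err/%s/SA replayed packet` becomes `/err/%s/replay`, `Integrity check failed` becomes `integ_error`, `undersized packet` becomes `runt`), which is an externally visible rename that the commit message does not mention. Any collector or alert keyed on the old paths for replay, integrity or decryption failures would presumably stop matching without raising an error. The rename deserves a line in the commit description or release notes listing the old and new names. The same rename appears in the second test file (`unsup_payload`, `disabled`).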


@@ -1842,7 +1842,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests):
dst=self.pg1.remote_ip6,
)
self.send_and_assert_no_replies(self.tun_if, tx)
node_name = "/err/%s/unsupported payload" % self.tun4_decrypt_node_name[0]
node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
self.assertEqual(1, self.statistics.get_err_counter(node_name))
@@ -2577,9 +2577,7 @@ class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
# bounce the interface state
p.tun_if.admin_down()
self.verify_drop_tun_66(np, count=127)
node = (
"/err/ipsec6-tun-input/%s" % "ipsec packets received on disabled interface"
)
node = "/err/ipsec6-tun-input/disabled"
self.assertEqual(127, self.statistics.get_err_counter(node))
p.tun_if.admin_up()
self.verify_tun_66(np, count=127)