#include <vnet/udp/udp.h>
#include <dpdk/buffer.h>
#include <dpdk/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_tun.h>
#include <dpdk/device/dpdk.h>
#include <dpdk/device/dpdk_priv.h>
#define foreach_esp_encrypt_error \
_(RX_PKTS, "ESP pkts received") \
_(SEQ_CYCLED, "Sequence number cycled") \
- _(ENQ_FAIL, "Enqueue failed to crypto device") \
- _(DISCARD, "Not enough crypto operations, discarding frame") \
+ _(ENQ_FAIL, "Enqueue encrypt failed (queue full)") \
+ _(DISCARD, "Not enough crypto operations") \
_(SESSION, "Failed to get crypto session") \
_(NOSUP, "Cipher/Auth not supported")
{
if (is_ip6)
vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index,
- ESP_ENCRYPT_ERROR_DISCARD, 1);
+ ESP_ENCRYPT_ERROR_DISCARD, n_left_from);
else
vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index,
- ESP_ENCRYPT_ERROR_DISCARD, 1);
+ ESP_ENCRYPT_ERROR_DISCARD, n_left_from);
/* Discard whole frame */
+ vlib_buffer_free (vm, from, n_left_from);
return n_left_from;
}
if (is_tun)
{
- u32 tmp;
/* we are on a ipsec tunnel's feature arc */
- sa_index0 = *(u32 *) vnet_feature_next_with_data (&tmp, b0,
- sizeof
- (sa_index0));
+ vnet_buffer (b0)->ipsec.sad_index =
+ sa_index0 = ipsec_tun_protect_get_sa_out
+ (vnet_buffer (b0)->ip.adj_index[VLIB_TX]);
}
else
sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
if (PREDICT_FALSE (res_idx == (u16) ~ 0))
{
- clib_warning ("unsupported SA by thread index %u",
- thread_idx);
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_encrypt_node.index,
error = crypto_get_session (&session, sa_index0, res, cwm, 1);
if (PREDICT_FALSE (error || !session))
{
- clib_warning ("failed to get crypto session");
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_encrypt_node.index,
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
- clib_warning
- ("sequence number counter has cycled SPI %u (0x%08x)",
- sa0->spi, sa0->spi);
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_encrypt_node.index,
u8 *src = ((u8 *) ih0) - rewrite_len;
u8 *dst = vlib_buffer_get_current (b0);
oh0 = vlib_buffer_get_current (b0) + rewrite_len;
+ ouh0 = vlib_buffer_get_current (b0) + rewrite_len;
if (is_ip6)
{
tr->crypto_alg = sa0->crypto_alg;
tr->integ_alg = sa0->integ_alg;
u8 *p = vlib_buffer_get_current (b0);
- if (!ipsec_sa_is_set_IS_TUNNEL (sa0))
+ if (!ipsec_sa_is_set_IS_TUNNEL (sa0) && !is_tun)
p += vnet_buffer (b0)->ip.save_rewrite_length;
clib_memcpy_fast (tr->packet_data, p, sizeof (tr->packet_data));
}
[ESP_ENCRYPT_NEXT_DROP] = "error-drop",
}
};
-
-VNET_FEATURE_INIT (dpdk_esp4_encrypt_tun_feat_node, static) =
-{
- .arc_name = "ip4-output",
- .node_name = "dpdk-esp4-encrypt-tun",
- .runs_before = VNET_FEATURES ("adj-midchain-tx"),
-};
/* *INDENT-ON* */
VLIB_NODE_FN (dpdk_esp6_encrypt_tun_node) (vlib_main_t * vm,
[ESP_ENCRYPT_NEXT_DROP] = "error-drop",
}
};
-
-VNET_FEATURE_INIT (dpdk_esp6_encrypt_tun_feat_node, static) =
-{
- .arc_name = "ip6-output",
- .node_name = "dpdk-esp6-encrypt-tun",
- .runs_before = VNET_FEATURES ("adj-midchain-tx"),
-};
/* *INDENT-ON* */
/*