typedef struct
{
ipsec_integ_alg_t integ_alg;
+ u32 seq_num;
} ah_decrypt_trace_t;
/* packet trace format function */
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *);
- s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg);
+ s = format (s, "ah: integrity %U seq-num %d",
+ format_ipsec_integ_alg, t->integ_alg, t->seq_num);
return s;
}
}
seq = clib_host_to_net_u32 (ah0->seq_no);
+
/* anti-replay check */
- //TODO UT remaining
if (sa0->use_anti_replay)
{
int rv = 0;
if (PREDICT_FALSE (rv))
{
- clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_REPLAY, 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_REPLAY, 1);
- to_next[0] = i_bi0;
- to_next += 1;
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_REPLAY, 1);
goto trace;
}
}
if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
{
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- to_next[0] = i_bi0;
- to_next += 1;
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_INTEG_ERROR,
+ 1);
goto trace;
}
- //TODO UT remaining
if (PREDICT_TRUE (sa0->use_anti_replay))
{
if (PREDICT_TRUE (sa0->use_esn))
next0 = AH_DECRYPT_NEXT_IP6_INPUT;
else
{
- clib_warning ("next header: 0x%x", ah0->nexthdr);
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
+ vlib_node_increment_counter (vm, node->node_index,
+ AH_DECRYPT_ERROR_DECRYPTION_FAILED,
+ 1);
goto trace;
}
}
ah_decrypt_trace_t *tr =
vlib_add_trace (vm, node, i_b0, sizeof (*tr));
tr->integ_alg = sa0->integ_alg;
+ tr->seq_num = seq;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, i_bi0, next0);
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- if (is_ip6)
- vlib_node_increment_counter (vm, ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
- else
- vlib_node_increment_counter (vm, ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index, AH_DECRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
return from_frame->n_vectors;
}