#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
#include <vnet/ipsec/ipsec_io.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
#define foreach_ah_decrypt_next \
_(DROP, "error-drop") \
AH_DECRYPT_N_NEXT,
} ah_decrypt_next_t;
-#define foreach_ah_decrypt_error \
- _ (RX_PKTS, "AH pkts received") \
- _ (DECRYPTION_FAILED, "AH decryption failed") \
- _ (INTEG_ERROR, "Integrity check failed") \
- _ (NO_TAIL_SPACE, "not enough buffer tail space (dropped)") \
- _ (DROP_FRAGMENTS, "IP fragments drop") \
- _ (REPLAY, "SA replayed packet")
-
-typedef enum
-{
-#define _(sym,str) AH_DECRYPT_ERROR_##sym,
- foreach_ah_decrypt_error
-#undef _
- AH_DECRYPT_N_ERROR,
-} ah_decrypt_error_t;
-
-static char *ah_decrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_ah_decrypt_error
-#undef _
-};
-
typedef struct
{
ipsec_integ_alg_t integ_alg;
{
ip4_header_t *oh4;
ip6_header_t *oh6;
+ u64 n_lost = 0;
if (next[0] < AH_DECRYPT_N_NEXT)
goto trace;
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
- /* redo the anit-reply check. see esp_decrypt for details */
+ /* redo the anti-reply check. see esp_decrypt for details */
if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
true, NULL))
{
next[0] = AH_DECRYPT_NEXT_DROP;
goto trace;
}
- ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
+ n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
+ pd->seq_hi);
+ vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, thread_index,
+ pd->sa_index);
}
u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size
}
}
+ if (PREDICT_FALSE (n_lost))
+ vlib_increment_simple_counter (&ipsec_sa_lost_counters, thread_index,
+ pd->sa_index, n_lost);
+
vnet_buffer (b[0])->sw_if_index[VLIB_TX] = (u32) ~ 0;
trace:
if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
+ .n_errors = AH_DECRYPT_N_ERROR,
+ .error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {
.format_trace = format_ah_decrypt_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
+ .n_errors = AH_DECRYPT_N_ERROR,
+ .error_counters = ah_decrypt_error_counters,
.n_next_nodes = AH_DECRYPT_N_NEXT,
.next_nodes = {