ipsec: Use .api declared error counters

[vpp.git] / src / vnet / ipsec / ah_decrypt.c
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c

index 182ed3d..c9209d6 100644 (file)
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -23,6 +23,7 @@
  #include <vnet/ipsec/esp.h>
  #include <vnet/ipsec/ah.h>
  #include <vnet/ipsec/ipsec_io.h>
+#include <vnet/ipsec/ipsec.api_enum.h>
  
  #define foreach_ah_decrypt_next                 \
    _(DROP, "error-drop")                         \
@@ -38,28 +39,6 @@ typedef enum
      AH_DECRYPT_N_NEXT,
  } ah_decrypt_next_t;
  
-#define foreach_ah_decrypt_error                \
-  _ (RX_PKTS, "AH pkts received")               \
-  _ (DECRYPTION_FAILED, "AH decryption failed") \
-  _ (INTEG_ERROR, "Integrity check failed")     \
-  _ (NO_TAIL_SPACE, "not enough buffer tail space (dropped)")     \
-  _ (DROP_FRAGMENTS, "IP fragments drop")       \
-  _ (REPLAY, "SA replayed packet")
-
-typedef enum
-{
-#define _(sym,str) AH_DECRYPT_ERROR_##sym,
-  foreach_ah_decrypt_error
-#undef _
-    AH_DECRYPT_N_ERROR,
-} ah_decrypt_error_t;
-
-static char *ah_decrypt_error_strings[] = {
-#define _(sym,string) string,
-  foreach_ah_decrypt_error
-#undef _
-};
-
  typedef struct
  {
    ipsec_integ_alg_t integ_alg;
@@ -315,6 +294,7 @@ ah_decrypt_inline (vlib_main_t * vm,
      {
        ip4_header_t *oh4;
        ip6_header_t *oh6;
+      u64 n_lost = 0;
  
        if (next[0] < AH_DECRYPT_N_NEXT)
         goto trace;
@@ -323,7 +303,7 @@ ah_decrypt_inline (vlib_main_t * vm,
  
        if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
         {
-         /* redo the anit-reply check. see esp_decrypt for details */
+         /* redo the anti-reply check. see esp_decrypt for details */
           if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
                                                    true, NULL))
             {
@@ -331,7 +311,10 @@ ah_decrypt_inline (vlib_main_t * vm,
               next[0] = AH_DECRYPT_NEXT_DROP;
               goto trace;
             }
-         ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
+         n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
+                                                pd->seq_hi);
+         vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, thread_index,
+                                       pd->sa_index);
         }
  
        u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size
@@ -398,6 +381,10 @@ ah_decrypt_inline (vlib_main_t * vm,
             }
         }
  
+      if (PREDICT_FALSE (n_lost))
+       vlib_increment_simple_counter (&ipsec_sa_lost_counters, thread_index,
+                                      pd->sa_index, n_lost);
+
        vnet_buffer (b[0])->sw_if_index[VLIB_TX] = (u32) ~ 0;
      trace:
        if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
@@ -435,8 +422,8 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = {
    .format_trace = format_ah_decrypt_trace,
    .type = VLIB_NODE_TYPE_INTERNAL,
  
-  .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
-  .error_strings = ah_decrypt_error_strings,
+  .n_errors = AH_DECRYPT_N_ERROR,
+  .error_counters = ah_decrypt_error_counters,
  
    .n_next_nodes = AH_DECRYPT_N_NEXT,
    .next_nodes = {
@@ -462,8 +449,8 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = {
    .format_trace = format_ah_decrypt_trace,
    .type = VLIB_NODE_TYPE_INTERNAL,
  
-  .n_errors = ARRAY_LEN(ah_decrypt_error_strings),
-  .error_strings = ah_decrypt_error_strings,
+  .n_errors = AH_DECRYPT_N_ERROR,
+  .error_counters = ah_decrypt_error_counters,
  
    .n_next_nodes = AH_DECRYPT_N_NEXT,
    .next_nodes = {