Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
ipsec: add per-SA error counters
[vpp.git] / src / vnet / ipsec / ipsec.h
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index fc7b6cd..5b51529 100644 (file)
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -30,6 +30,9 @@
 
 #include <vppinfra/bihash_24_16.h>
 
+#define IPSEC_FP_IP4_HASHES_POOL_SIZE 128
+#define IPSEC_FP_IP6_HASHES_POOL_SIZE 128
+
 typedef clib_error_t *(*add_del_sa_sess_cb_t) (u32 sa_index, u8 is_add);
 typedef clib_error_t *(*check_support_cb_t) (ipsec_sa_t * sa);
 typedef clib_error_t *(*enable_disable_cb_t) (int is_enable);
@@ -143,10 +146,16 @@ typedef struct
   ipsec_spd_t *spds;
   /* pool of policies */
   ipsec_policy_t *policies;
-
-  u32 ipv4_fp_spd_is_enabled;
-  u32 ipv6_fp_spd_is_enabled;
-
+  /* pool of bihash tables for ipv4 ipsec rules */
+  clib_bihash_16_8_t *fp_ip4_lookup_hashes_pool;
+  /* pool of bihash tables for ipv6 ipsec rules */
+  clib_bihash_40_8_t *fp_ip6_lookup_hashes_pool;
+
+  u32 fp_spd_ipv4_out_is_enabled;
+  u32 fp_spd_ipv4_in_is_enabled;
+  u32 fp_spd_ipv6_out_is_enabled;
+  u32 fp_spd_ipv6_in_is_enabled;
+  /* pool of fast path mask types */
   ipsec_fp_mask_type_entry_t *fp_mask_types;
   u32 fp_lookup_hash_buckets; /* number of buckets should be power of two */
 
@@ -338,6 +347,23 @@ ipsec_spinlock_unlock (i32 *lock)
   clib_atomic_release (lock);
 }
 
+/* Special case to drop or hand off packets for sync/async modes.
+ *
+ * Different than sync mode, async mode only enqueue drop or hand-off packets
+ * to next nodes.
+ */
+always_inline void
+ipsec_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node,
+                     u32 thread_index, u32 err, u32 ipsec_sa_err, u16 index,
+                     u16 *nexts, u16 drop_next, u32 sa_index)
+{
+  nexts[index] = drop_next;
+  b->error = node->errors[err];
+  if (PREDICT_TRUE (ipsec_sa_err != ~0))
+    vlib_increment_simple_counter (&ipsec_sa_err_counters[ipsec_sa_err],
+                                  thread_index, sa_index, 1);
+}
+
 u32 ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im,
                               const char *name,
                               const char *ah4_encrypt_node_name,
@@ -364,8 +390,8 @@ int ipsec_select_esp_backend (ipsec_main_t * im, u32 esp_backend_idx);
 clib_error_t *ipsec_rsc_in_use (ipsec_main_t * im);
 void ipsec_set_async_mode (u32 is_enabled);
 
-extern void ipsec_register_udp_port (u16 udp_port);
-extern void ipsec_unregister_udp_port (u16 udp_port);
+extern void ipsec_register_udp_port (u16 udp_port, u8 is_ip4);
+extern void ipsec_unregister_udp_port (u16 udp_port, u8 is_ip4);
 
 extern clib_error_t *ipsec_register_next_header (vlib_main_t *vm,
                                                 u8 next_header,
Vector Packet Processing