vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT])
{
p = pool_elt_at_index (im->policies, *i);
- s = pool_elt_at_index (im->sad, p->sa_index);
+ s = ipsec_sa_get (p->sa_index);
if (spi != s->spi)
continue;
vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT])
{
p = pool_elt_at_index (im->policies, *i);
- s = pool_elt_at_index (im->sad, p->sa_index);
+ s = ipsec_sa_get (p->sa_index);
if (spi != s->spi)
continue;
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_bypassed += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
goto trace0;
}
else
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_dropped += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
next[0] = IPSEC_INPUT_NEXT_DROP;
goto trace0;
}
p0 = 0;
pi0 = ~0;
};
+
+ /* Drop by default if no match on PROTECT, BYPASS or DISCARD */
+ ipsec_unprocessed += 1;
+ next[0] = IPSEC_INPUT_NEXT_DROP;
+
trace0:
if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) &&
PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_bypassed += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
goto trace1;
}
else
if (PREDICT_TRUE ((p0 != NULL)))
{
ipsec_dropped += 1;
+
pi0 = p0 - im->policies;
+ vlib_increment_combined_counter (
+ &ipsec_spd_policy_counters, thread_index, pi0, 1,
+ clib_net_to_host_u16 (ip0->length));
+
next[0] = IPSEC_INPUT_NEXT_DROP;
goto trace1;
}
p0 = 0;
pi0 = ~0;
};
+
+ /* Drop by default if no match on PROTECT, BYPASS or DISCARD */
+ ipsec_unprocessed += 1;
+ next[0] = IPSEC_INPUT_NEXT_DROP;
+
trace1:
if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) &&
PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
else
{
pi0 = ~0;
+ ipsec_unprocessed += 1;
+ next0 = IPSEC_INPUT_NEXT_DROP;
}
}
else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)
else
{
pi0 = ~0;
+ ipsec_unprocessed += 1;
+ next0 = IPSEC_INPUT_NEXT_DROP;
}
}
else