X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_decrypt.c;h=2c1efa2f4bed0dd9e42c0dc6c8c62c4d2e070f20;hb=84e665848;hp=b700f2c993580cda214affc4f0163af41111afb2;hpb=5b8911020ee5512d76c8daccaa199878ed7cbc01;p=vpp.git diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index b700f2c9935..2c1efa2f4be 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - #include #include #include @@ -58,35 +57,6 @@ typedef enum ESP_DECRYPT_POST_N_NEXT, } esp_decrypt_post_next_t; -#define foreach_esp_decrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (RX_POST_PKTS, "ESP-POST pkts received") \ - _ (HANDOFF, "hand-off") \ - _ (DECRYPTION_FAILED, "ESP decryption failed") \ - _ (INTEG_ERROR, "Integrity check failed") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (REPLAY, "SA replayed packet") \ - _ (RUNT, "undersized packet") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") \ - _ (OVERSIZED_HEADER, "buffer with oversized header (dropped)") \ - _ (NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \ - _ (TUN_NO_PROTO, "no tunnel protocol") \ - _ (UNSUP_PAYLOAD, "unsupported payload") - -typedef enum -{ -#define _(sym,str) ESP_DECRYPT_ERROR_##sym, - foreach_esp_decrypt_error -#undef _ - ESP_DECRYPT_N_ERROR, -} esp_decrypt_error_t; - -static char *esp_decrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_decrypt_error -#undef _ -}; - typedef struct { u32 seq; @@ -97,6 +67,8 @@ typedef struct ipsec_integ_alg_t integ_alg; } esp_decrypt_trace_t; +typedef vl_counter_esp_decrypt_enum_t esp_decrypt_error_t; + /* The number of byres in the hisequence number */ #define N_HI_ESN_BYTES 4 @@ -141,8 +113,9 @@ esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, err = e; else err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR; - b[bi]->error = node->errors[err]; - nexts[bi] = ESP_DECRYPT_NEXT_DROP; + esp_decrypt_set_next_index (b[bi], node, vm->thread_index, err, bi, + nexts, ESP_DECRYPT_NEXT_DROP, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; @@ -173,8 +146,9 @@ esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node, err = e; else err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR; - b[bi]->error = node->errors[err]; - nexts[bi] = ESP_DECRYPT_NEXT_DROP; + esp_decrypt_set_next_index (b[bi], node, vm->thread_index, err, bi, + nexts, ESP_DECRYPT_NEXT_DROP, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; @@ -552,8 +526,9 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node, payload, pd->current_length, &op->digest, &op->n_chunks, 0) < 0) { - b->error = node->errors[ESP_DECRYPT_ERROR_NO_BUFFERS]; - next[0] = ESP_DECRYPT_NEXT_DROP; + esp_decrypt_set_next_index ( + b, node, vm->thread_index, ESP_DECRYPT_ERROR_NO_BUFFERS, 0, + next, ESP_DECRYPT_NEXT_DROP, pd->sa_index); return; } } @@ -587,6 +562,12 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node, op->aad_len = esp_aad_fill (op->aad, esp0, sa0, pd->seq_hi); op->tag = payload + len; op->tag_len = 16; + if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0))) + { + /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */ + payload -= iv_sz; + len += iv_sz; + } } else { @@ -628,7 +609,7 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node, esp_decrypt_packet_data_t *async_pd = &(esp_post_data (b))->decrypt_data; esp_decrypt_packet_data2_t *async_pd2 = esp_post_data2 (b); u8 *tag = payload + len, *iv = payload + esp_sz, *aad = 0; - u32 key_index; + const u32 key_index = sa0->crypto_key_index; u32 crypto_len, integ_len = 0; i16 crypto_start_offset, integ_start_offset = 0; u8 flags = 0; @@ -636,7 +617,6 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node, if (!ipsec_sa_is_set_IS_AEAD (sa0)) { /* linked algs */ - key_index = sa0->linked_key_index; integ_start_offset = payload - b->data; integ_len = len; if (PREDICT_TRUE (sa0->integ_op_id != VNET_CRYPTO_OP_NONE)) @@ -689,8 +669,6 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node, else esp_insert_esn (vm, sa0, pd, pd2, &integ_len, &tag, &len, b, payload); } - else - key_index = sa0->crypto_key_index; out: /* crypto */ @@ -710,6 +688,12 @@ out: aad = (u8 *) nonce - sizeof (esp_aead_t); esp_aad_fill (aad, esp0, sa0, pd->seq_hi); tag = payload + len; + if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0))) + { + /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */ + payload -= iv_sz; + len += iv_sz; + } } else { @@ -748,10 +732,12 @@ out: } static_always_inline void -esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, - esp_decrypt_packet_data_t * pd, - esp_decrypt_packet_data2_t * pd2, vlib_buffer_t * b, - u16 * next, int is_ip6, int is_tun, int is_async) +esp_decrypt_post_crypto (vlib_main_t *vm, vlib_node_runtime_t *node, + const u16 *next_by_next_header, + const esp_decrypt_packet_data_t *pd, + const esp_decrypt_packet_data2_t *pd2, + vlib_buffer_t *b, u16 *next, int is_ip6, int is_tun, + int is_async) { ipsec_sa_t *sa0 = ipsec_sa_get (pd->sa_index); vlib_buffer_t *lb = b; @@ -785,12 +771,17 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, true, NULL)) { - b->error = node->errors[ESP_DECRYPT_ERROR_REPLAY]; - next[0] = ESP_DECRYPT_NEXT_DROP; + esp_decrypt_set_next_index (b, node, vm->thread_index, + ESP_DECRYPT_ERROR_REPLAY, 0, next, + ESP_DECRYPT_NEXT_DROP, pd->sa_index); return; } - ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi); + u64 n_lost = + ipsec_sa_anti_replay_advance (sa0, vm->thread_index, pd->seq, pd->seq_hi); + + vlib_prefetch_simple_counter (&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], + vm->thread_index, pd->sa_index); if (pd->is_chain) { @@ -915,44 +906,51 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, b->current_length = pd->current_length - adv; esp_remove_tail (vm, b, lb, tail); } - else + else if (is_tun && next_header == IP_PROTOCOL_GRE) { - if (is_tun && next_header == IP_PROTOCOL_GRE) - { - gre_header_t *gre; + gre_header_t *gre; - b->current_data = pd->current_data + adv; - b->current_length = pd->current_length - adv - tail; + b->current_data = pd->current_data + adv; + b->current_length = pd->current_length - adv - tail; - gre = vlib_buffer_get_current (b); + gre = vlib_buffer_get_current (b); - vlib_buffer_advance (b, sizeof (*gre)); + vlib_buffer_advance (b, sizeof (*gre)); - switch (clib_net_to_host_u16 (gre->protocol)) - { - case GRE_PROTOCOL_teb: - vnet_update_l2_len (b); - next[0] = ESP_DECRYPT_NEXT_L2_INPUT; - break; - case GRE_PROTOCOL_ip4: - next[0] = ESP_DECRYPT_NEXT_IP4_INPUT; - break; - case GRE_PROTOCOL_ip6: - next[0] = ESP_DECRYPT_NEXT_IP6_INPUT; - break; - default: - b->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD]; - next[0] = ESP_DECRYPT_NEXT_DROP; - break; - } - } - else + switch (clib_net_to_host_u16 (gre->protocol)) { - next[0] = ESP_DECRYPT_NEXT_DROP; - b->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD]; - return; + case GRE_PROTOCOL_teb: + vnet_update_l2_len (b); + next[0] = ESP_DECRYPT_NEXT_L2_INPUT; + break; + case GRE_PROTOCOL_ip4: + next[0] = ESP_DECRYPT_NEXT_IP4_INPUT; + break; + case GRE_PROTOCOL_ip6: + next[0] = ESP_DECRYPT_NEXT_IP6_INPUT; + break; + default: + esp_decrypt_set_next_index ( + b, node, vm->thread_index, ESP_DECRYPT_ERROR_UNSUP_PAYLOAD, 0, + next, ESP_DECRYPT_NEXT_DROP, pd->sa_index); + break; } } + else if ((next[0] = vec_elt (next_by_next_header, next_header)) != + (u16) ~0) + { + b->current_data = pd->current_data + adv; + b->current_length = pd->current_length - adv; + esp_remove_tail (vm, b, lb, tail); + } + else + { + esp_decrypt_set_next_index (b, node, vm->thread_index, + ESP_DECRYPT_ERROR_UNSUP_PAYLOAD, 0, next, + ESP_DECRYPT_NEXT_DROP, pd->sa_index); + return; + } + if (is_tun) { if (ipsec_sa_is_set_IS_PROTECT (sa0)) @@ -989,8 +987,10 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, !ip46_address_is_equal_v4 (&itp->itp_tun.dst, &ip4->src_address)) { - next[0] = ESP_DECRYPT_NEXT_DROP; - b->error = node->errors[ESP_DECRYPT_ERROR_TUN_NO_PROTO]; + esp_decrypt_set_next_index ( + b, node, vm->thread_index, + ESP_DECRYPT_ERROR_TUN_NO_PROTO, 0, next, + ESP_DECRYPT_NEXT_DROP, pd->sa_index); } } else if (next_header == IP_PROTOCOL_IPV6) @@ -1004,13 +1004,19 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, !ip46_address_is_equal_v6 (&itp->itp_tun.dst, &ip6->src_address)) { - next[0] = ESP_DECRYPT_NEXT_DROP; - b->error = node->errors[ESP_DECRYPT_ERROR_TUN_NO_PROTO]; + esp_decrypt_set_next_index ( + b, node, vm->thread_index, + ESP_DECRYPT_ERROR_TUN_NO_PROTO, 0, next, + ESP_DECRYPT_NEXT_DROP, pd->sa_index); } } } } } + + if (PREDICT_FALSE (n_lost)) + vlib_increment_simple_counter (&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], + vm->thread_index, pd->sa_index, n_lost); } always_inline uword @@ -1019,6 +1025,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, u16 async_next_node) { ipsec_main_t *im = &ipsec_main; + const u16 *next_by_next_header = im->next_header_registrations; u32 thread_index = vm->thread_index; u16 len; ipsec_per_thread_data_t *ptd = vec_elt_at_index (im->ptd, thread_index); @@ -1028,7 +1035,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_buffer_t *sync_bufs[VLIB_FRAME_SIZE]; u16 sync_nexts[VLIB_FRAME_SIZE], *sync_next = sync_nexts, n_sync = 0; u16 async_nexts[VLIB_FRAME_SIZE], *async_next = async_nexts; - u16 noop_nexts[VLIB_FRAME_SIZE], *noop_next = noop_nexts, n_noop = 0; + u16 noop_nexts[VLIB_FRAME_SIZE], n_noop = 0; u32 sync_bi[VLIB_FRAME_SIZE]; u32 noop_bi[VLIB_FRAME_SIZE]; esp_decrypt_packet_data_t pkt_data[VLIB_FRAME_SIZE], *pd = pkt_data; @@ -1068,17 +1075,18 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, u8 *p; vlib_prefetch_buffer_header (b[2], LOAD); p = vlib_buffer_get_current (b[1]); - CLIB_PREFETCH (p, CLIB_CACHE_LINE_BYTES, LOAD); + clib_prefetch_load (p); p -= CLIB_CACHE_LINE_BYTES; - CLIB_PREFETCH (p, CLIB_CACHE_LINE_BYTES, LOAD); + clib_prefetch_load (p); } u32 n_bufs = vlib_buffer_chain_linearize (vm, b[0]); if (n_bufs == 0) { err = ESP_DECRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - ESP_DECRYPT_NEXT_DROP); + esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, ESP_DECRYPT_NEXT_DROP, + vnet_buffer (b[0])->ipsec.sad_index); goto next; } @@ -1086,16 +1094,17 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { if (current_sa_pkts) vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, - current_sa_index, - current_sa_pkts, + current_sa_index, current_sa_pkts, current_sa_bytes); current_sa_bytes = current_sa_pkts = 0; current_sa_index = vnet_buffer (b[0])->ipsec.sad_index; + vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index, + current_sa_index); sa0 = ipsec_sa_get (current_sa_index); /* fetch the second cacheline ASAP */ - CLIB_PREFETCH (sa0->cacheline1, CLIB_CACHE_LINE_BYTES, LOAD); + clib_prefetch_load (sa0->cacheline1); cpd.icv_sz = sa0->integ_icv_size; cpd.iv_sz = sa0->crypto_iv_size; cpd.flags = sa0->flags; @@ -1103,7 +1112,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, is_async = im->async_mode | ipsec_sa_is_set_IS_ASYNC (sa0); } - if (PREDICT_FALSE (~0 == sa0->thread_index)) + if (PREDICT_FALSE ((u16) ~0 == sa0->thread_index)) { /* this is the first packet to use this SA, claim the SA * for this thread. this could happen simultaneously on @@ -1116,8 +1125,9 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { vnet_buffer (b[0])->ipsec.thread_index = sa0->thread_index; err = ESP_DECRYPT_ERROR_HANDOFF; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - ESP_DECRYPT_NEXT_HANDOFF); + esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, ESP_DECRYPT_NEXT_HANDOFF, + current_sa_index); goto next; } @@ -1155,16 +1165,18 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, &pd->seq_hi)) { err = ESP_DECRYPT_ERROR_REPLAY; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - ESP_DECRYPT_NEXT_DROP); + esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, ESP_DECRYPT_NEXT_DROP, + current_sa_index); goto next; } if (pd->current_length < cpd.icv_sz + esp_sz + cpd.iv_sz) { err = ESP_DECRYPT_ERROR_RUNT; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - ESP_DECRYPT_NEXT_DROP); + esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, ESP_DECRYPT_NEXT_DROP, + current_sa_index); goto next; } @@ -1183,6 +1195,15 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { async_frames[async_op] = vnet_crypto_async_get_frame (vm, async_op); + if (PREDICT_FALSE (!async_frames[async_op])) + { + err = ESP_DECRYPT_ERROR_NO_AVAIL_FRAME; + esp_decrypt_set_next_index ( + b[0], node, thread_index, err, n_noop, noop_nexts, + ESP_DECRYPT_NEXT_DROP, current_sa_index); + goto next; + } + /* Save the frame to the list we'll submit at the end */ vec_add1 (ptd->async_frames, async_frames[async_op]); } @@ -1193,21 +1214,21 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, async_next_node); if (ESP_DECRYPT_ERROR_RX_PKTS != err) { - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - ESP_DECRYPT_NEXT_DROP); + esp_decrypt_set_next_index ( + b[0], node, thread_index, err, n_noop, noop_nexts, + ESP_DECRYPT_NEXT_DROP, current_sa_index); } } else esp_decrypt_prepare_sync_op ( vm, node, ptd, &crypto_ops, &integ_ops, op, sa0, payload, len, - cpd.icv_sz, cpd.iv_sz, pd, pd2, b[0], sync_next, b - bufs); + cpd.icv_sz, cpd.iv_sz, pd, pd2, b[0], sync_next, n_sync); /* next */ next: if (ESP_DECRYPT_ERROR_RX_PKTS != err) { noop_bi[n_noop] = from[b - bufs]; n_noop++; - noop_next++; } else if (!is_async) { @@ -1245,7 +1266,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR, - n_sync, noop_bi, noop_nexts, ESP_DECRYPT_NEXT_DROP); + IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, noop_nexts, + ESP_DECRYPT_NEXT_DROP, false); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); } @@ -1298,8 +1320,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, current_sa_index = vnet_buffer (b[0])->ipsec.sad_index; if (sync_next[0] >= ESP_DECRYPT_N_NEXT) - esp_decrypt_post_crypto (vm, node, pd, pd2, b[0], sync_next, is_ip6, - is_tun, 0); + esp_decrypt_post_crypto (vm, node, next_by_next_header, pd, pd2, b[0], + sync_next, is_ip6, is_tun, 0); /* trace: */ if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED)) @@ -1340,6 +1362,8 @@ esp_decrypt_post_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame, int is_ip6, int is_tun) { + const ipsec_main_t *im = &ipsec_main; + const u16 *next_by_next_header = im->next_header_registrations; u32 *from = vlib_frame_vector_args (from_frame); u32 n_left = from_frame->n_vectors; vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs; @@ -1357,13 +1381,13 @@ esp_decrypt_post_inline (vlib_main_t * vm, } if (!pd->is_chain) - esp_decrypt_post_crypto (vm, node, pd, 0, b[0], next, is_ip6, is_tun, - 1); + esp_decrypt_post_crypto (vm, node, next_by_next_header, pd, 0, b[0], + next, is_ip6, is_tun, 1); else { esp_decrypt_packet_data2_t *pd2 = esp_post_data2 (b[0]); - esp_decrypt_post_crypto (vm, node, pd, pd2, b[0], next, is_ip6, - is_tun, 1); + esp_decrypt_post_crypto (vm, node, next_by_next_header, pd, pd2, + b[0], next, is_ip6, is_tun, 1); } /*trace: */ @@ -1464,8 +1488,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { @@ -1484,8 +1508,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp4-decrypt", }; @@ -1496,8 +1520,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { @@ -1516,8 +1540,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp6-decrypt", }; @@ -1527,8 +1551,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_node) = { .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { [ESP_DECRYPT_NEXT_DROP] = "ip4-drop", @@ -1546,8 +1570,8 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp4-decrypt-tun", }; @@ -1557,8 +1581,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_node) = { .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .n_next_nodes = ESP_DECRYPT_N_NEXT, .next_nodes = { [ESP_DECRYPT_NEXT_DROP] = "ip6-drop", @@ -1576,8 +1600,8 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_post_node) = { .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, + .n_errors = ESP_DECRYPT_N_ERROR, + .error_counters = esp_decrypt_error_counters, .sibling_of = "esp6-decrypt-tun", };