X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_if_in.c;h=b585c3d4dcf165e7570c8187d0479027630fdb24;hb=fb341b87a901ec3b2cb6ff08c1f6278afd0e8086;hp=63d463bd633d634034e544e1f37936eb242f8dd0;hpb=1ba5bc8d888d0164dd6e38857cbed09ab7ce1d8b;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c
index 63d463bd633..b585c3d4dcf 100644
--- a/src/vnet/ipsec/ipsec_if_in.c
+++ b/src/vnet/ipsec/ipsec_if_in.c
@@ -22,12 +22,14 @@
 #include
 #include
 #include
+#include
 /* Statistics (not really errors) */
 #define foreach_ipsec_if_input_error \
 _(RX, "good packets received") \
 _(DISABLED, "ipsec packets received on disabled interface") \
-_(NO_TUNNEL, "no matching tunnel")
+_(NO_TUNNEL, "no matching tunnel") \
+_(SPI_0, "SPI 0")
 static char *ipsec_if_input_error_strings[] = {
 #define _(sym,string) string,
@@ -61,6 +63,46 @@ format_ipsec_if_input_trace (u8 * s, va_list * args)
 return s;
 }
+always_inline u16
+ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
+ vlib_buffer_t * b,
+ const esp_header_t * esp,
+ const ip4_header_t * ip4, u16 offset)
+{
+ if (PREDICT_FALSE (0 == esp->spi))
+ {
+ b->error = node->errors[IPSEC_IF_INPUT_ERROR_SPI_0];
+ b->punt_reason =
+ ipsec_punt_reason[(ip4->protocol == IP_PROTOCOL_UDP ?
+ IPSEC_PUNT_IP4_SPI_UDP_0 : IPSEC_PUNT_IP4_SPI_0)];
+ }
+ else
+ {
+ b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
+ b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
+ }
+ vlib_buffer_advance (b, -offset);
+ return IPSEC_INPUT_NEXT_PUNT;
+}
+
+always_inline u16
+ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
+ vlib_buffer_t * b,
+ const esp_header_t * esp, u16 offset)
+{
+ if (PREDICT_FALSE (0 == esp->spi))
+ {
+ b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
+ b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_SPI_0];
+ }
+ else
+ {
+ b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
+ b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
+ }
+ vlib_buffer_advance (b, -offset);
+ return (IPSEC_INPUT_NEXT_PUNT);
+}
 always_inline uword
 ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
@@ -197,8 +239,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[0] =
+ ipsec_ip6_if_no_tunnel (node, b[0], esp0, buf_adv0);
 n_no_tunnel++;
- next[0] = IPSEC_INPUT_NEXT_DROP;
 goto pkt1;
 }
 }
@@ -224,8 +267,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[0] =
+ ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40, buf_adv0);
 n_no_tunnel++;
- next[0] = IPSEC_INPUT_NEXT_DROP;
 goto pkt1;
 }
 }
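Review bot: In `ipsec_ip6_if_no_tunnel` the SPI-0 branch sets `b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];`, the same value as its else branch, so IPv6 packets carrying the reserved SPI 0 are reported as "no matching tunnel" and the new `SPI_0` counter can only ever reflect IPv4 traffic. The IPv4 helper uses `IPSEC_IF_INPUT_ERROR_SPI_0` in the matching branch, and the IPv6 one should read `b->error = node->errors[IPSEC_IF_INPUT_ERROR_SPI_0];`. The last hunk of this commit removes the explicit NO_TUNNEL counter update, so `b->error` appears to be the only input to these counters and the mismatch will be visible to anyone monitoring them. The punt reason is set correctly (`IPSEC_PUNT_IP6_SPI_0`), so only the error accounting is affected.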
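Review bot: A packet that reaches `next[0] = ipsec_ip6_if_no_tunnel (node, b[0], esp0, buf_adv0);` matched no tunnel and is therefore unauthenticated, yet it now leaves on the punt path instead of being dropped, and nothing at the call site or on the helper records that trust level. Any sender can choose an unknown or zero SPI, so whatever consumes these punt reasons has to treat the payload as untrusted, and the punt path presumably needs rate limiting; neither is visible in this file. I would add a comment on the helper such as `/* no SA matched: the packet is unauthenticated; punt consumers must not trust it */`. The same applies to the call sites in hunks -224, -295, -322, -460 and -487. `ipsec_if_input_inline` begins and ends outside this hunk.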
@@ -236,7 +280,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 if (PREDICT_TRUE (t0->hw_if_index != ~0))
 {
- vnet_buffer (b[0])->ipsec.flags = 0;
 sw_if_index0 = t0->sw_if_index;
 vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;
@@ -245,6 +288,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index0, 1, len0);
 n_disabled++;
+ b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
 next[0] = IPSEC_INPUT_NEXT_DROP;
 goto pkt1;
 }
@@ -268,10 +312,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 n_bytes = len0;
 }
 }
- else
- {
- vnet_buffer (b[0])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL;
- }
 pkt1:
 if (is_ip6)
@@ -295,8 +335,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[1] =
+ ipsec_ip6_if_no_tunnel (node, b[1], esp1, buf_adv1);
 n_no_tunnel++;
- next[1] = IPSEC_INPUT_NEXT_DROP;
 goto trace1;
 }
 }
@@ -322,8 +363,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[1] =
+ ipsec_ip4_if_no_tunnel (node, b[1], esp1, ip41, buf_adv1);
 n_no_tunnel++;
- next[1] = IPSEC_INPUT_NEXT_DROP;
 goto trace1;
 }
 }
@@ -334,7 +376,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 if (PREDICT_TRUE (t1->hw_if_index != ~0))
 {
- vnet_buffer (b[1])->ipsec.flags = 0;
 sw_if_index1 = t1->sw_if_index;
 vnet_buffer (b[1])->sw_if_index[VLIB_RX] = sw_if_index1;
@@ -343,6 +384,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index1, 1, len1);
 n_disabled++;
+ b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
 next[1] = IPSEC_INPUT_NEXT_DROP;
 goto trace1;
 }
@@ -366,10 +408,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 n_bytes = len1;
 }
 }
- else
- {
- vnet_buffer (b[1])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL;
- }
 trace1:
 if (PREDICT_FALSE (is_trace))
@@ -460,8 +498,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[0] =
+ ipsec_ip6_if_no_tunnel (node, b[0], esp0, buf_adv0);
 n_no_tunnel++;
- next[0] = IPSEC_INPUT_NEXT_DROP;
 goto trace00;
 }
 }
@@ -487,8 +526,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else
 {
+ next[0] =
+ ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40, buf_adv0);
 n_no_tunnel++;
- next[0] = IPSEC_INPUT_NEXT_DROP;
 goto trace00;
 }
 }
@@ -499,7 +539,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 if (PREDICT_TRUE (t0->hw_if_index != ~0))
 {
- vnet_buffer (b[0])->ipsec.flags = 0;
 sw_if_index0 = t0->sw_if_index;
 vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;
@@ -508,6 +547,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index0, 1, len0);
 n_disabled++;
+ b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
 next[0] = IPSEC_INPUT_NEXT_DROP;
 goto trace00;
 }
@@ -531,10 +571,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 n_bytes = len0;
 }
 }
- else
- {
- vnet_buffer (b[0])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL;
- }
 trace00:
 if (PREDICT_FALSE (is_trace))
@@ -563,11 +599,8 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 vlib_node_increment_counter (vm, node->node_index, IPSEC_IF_INPUT_ERROR_RX,
- from_frame->n_vectors - n_disabled);
- vlib_node_increment_counter (vm, node->node_index,
- IPSEC_IF_INPUT_ERROR_DISABLED, n_disabled);
- vlib_node_increment_counter (vm, node->node_index,
- IPSEC_IF_INPUT_ERROR_NO_TUNNEL, n_no_tunnel);
+ from_frame->n_vectors - (n_disabled +
+ n_no_tunnel));
 vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);
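Review bot: With the explicit `vlib_node_increment_counter` calls for DISABLED and NO_TUNNEL removed, nothing in this function updates those counters any more, and the code does not say where they are now maintained. They presumably come from the drop and punt next nodes reading `b->error`, which is outside this file; if the node reached through `IPSEC_INPUT_NEXT_PUNT` does not count `b->error`, NO_TUNNEL and SPI_0 would silently stay at zero. A comment above the RX update would make the dependency explicit, for example `/* DISABLED, NO_TUNNEL and SPI_0 are counted downstream from b->error */`. Note also that `n_no_tunnel` now includes SPI-0 packets, so the name is slightly narrower than what it counts. `ipsec_if_input_inline` starts outside this hunk.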