IPSEC-AH: fix packet drop 91/16291/2
authorNeale Ranns <nranns@cisco.com>
Fri, 30 Nov 2018 09:15:11 +0000 (09:15 +0000)
committerDamjan Marion <dmarion@me.com>
Fri, 30 Nov 2018 17:02:14 +0000 (17:02 +0000)
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00
Signed-off-by: Neale Ranns <nranns@cisco.com>
src/vnet/ipsec/ah_decrypt.c
src/vnet/ipsec/esp_decrypt.c

index 34ea000..9b0c16e 100644 (file)
@@ -156,7 +156,6 @@ ah_decrypt_inline (vlib_main_t * vm,
 
              if (PREDICT_FALSE (rv))
                {
-                 clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
                  if (is_ip6)
                    vlib_node_increment_counter (vm,
                                                 ah6_decrypt_node.index,
@@ -165,8 +164,6 @@ ah_decrypt_inline (vlib_main_t * vm,
                    vlib_node_increment_counter (vm,
                                                 ah4_decrypt_node.index,
                                                 AH_DECRYPT_ERROR_REPLAY, 1);
-                 to_next[0] = i_bi0;
-                 to_next += 1;
                  goto trace;
                }
            }
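Review bot: With the `to_next[0] = i_bi0; to_next += 1;` pair removed from the replay branch here and from the integrity-error branch in the `@@ -223,8 +220,6 @@` hunk, nothing visible in either branch says where the rejected buffer ends up; both now depend on the code after the `trace:` label and on the value `next0` holds there, none of which is in these hunks. If the shared epilogue is what hands `i_bi0` to the drop next, as the commit title suggests, a short comment before each `goto trace;` would keep the extra enqueue from being reintroduced, e.g. `/* i_bi0 is enqueued once, after trace:, with next0 still set to drop */`. A regression test that feeds a replayed sequence number and a packet with a corrupted ICV, and checks that each is counted once under `AH_DECRYPT_ERROR_REPLAY` / `AH_DECRYPT_ERROR_INTEG_ERROR` and is neither forwarded nor leaked, would pin the behaviour. `ah_decrypt_inline` starts and ends outside the hunk.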
@@ -223,8 +220,6 @@ ah_decrypt_inline (vlib_main_t * vm,
                                                 ah4_decrypt_node.index,
                                                 AH_DECRYPT_ERROR_INTEG_ERROR,
                                                 1);
-                 to_next[0] = i_bi0;
-                 to_next += 1;
                  goto trace;
                }
 
index 1b3e068..8ef160a 100644 (file)
@@ -190,7 +190,6 @@ esp_decrypt_inline (vlib_main_t * vm,
 
              if (PREDICT_FALSE (rv))
                {
-                 clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
                  if (is_ip6)
                    vlib_node_increment_counter (vm,
                                                 esp6_decrypt_node.index,
@@ -330,7 +329,6 @@ esp_decrypt_inline (vlib_main_t * vm,
                    next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
                  else
                    {
-                     clib_warning ("next header: 0x%x", f0->next_header);
                      if (is_ip6)
                        vlib_node_increment_counter (vm,
                                                     esp6_decrypt_node.index,