ipsec: increment SPD policy counters for bypass and discard actions in ipsec4_input_node 11/32611/3
authorZachary Leaf <zachary.leaf@arm.com>
Mon, 7 Jun 2021 08:01:07 +0000 (03:01 -0500)
committerNeale Ranns <neale@graphiant.com>
Tue, 29 Jun 2021 14:52:41 +0000 (14:52 +0000)
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.

This fix increments the counters for inbound BYPASS and DISCARD actions.

Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49

src/vnet/ipsec/ipsec_input.c

index 15a0796..96bad28 100644 (file)
@@ -294,7 +294,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_bypassed += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              goto trace0;
            }
          else
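Review bot: The same counter update is pasted into four branches of ipsec4_input_node (this BYPASS branch and the hunks at -312, -380 and -398), so any later change to what is counted must be repeated identically in each place or the per-policy statistics will diverge between actions. A small inline helper taking `thread_index`, `pi0` and `ip0` would keep the accounting in one place; each branch keeps `pi0 = p0 - im->policies;` and then calls the helper. The parameter types in the sketch are assumed, because the declarations sit outside the hunk, and the function body itself starts and ends outside it.

```c
static_always_inline void
ipsec4_input_count_policy_match (u32 thread_index, u32 pi0,
				 const ip4_header_t *ip0)
{
  /* packets += 1, bytes += IPv4 total length taken from the header */
  vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index,
				   pi0, 1,
				   clib_net_to_host_u16 (ip0->length));
}

/* … unchanged: ipsec_bypassed += 1; pi0 = p0 - im->policies; … */
	      ipsec4_input_count_policy_match (thread_index, pi0, ip0);
```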
@@ -312,7 +317,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_dropped += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              next[0] = IPSEC_INPUT_NEXT_DROP;
              goto trace0;
            }
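Review bot: On this DISCARD branch the byte value added to the policy counter is `clib_net_to_host_u16 (ip0->length)`, the total length the sender wrote into the IPv4 header, and nothing in the hunk shows it being checked against the amount of data actually received. If an earlier node already rejects packets whose header length disagrees with the buffer, this is fine, but that is not visible here. Otherwise malformed packets could skew the drop-byte statistics that operators rely on for monitoring. I would state the assumption above the call, e.g. `/* bytes = IPv4 total length from the header; assumes it was validated before this node */`. The same applies to the DISCARD hunk at -398, and the enclosing function extends beyond both hunks.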
@@ -380,7 +390,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_bypassed += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              goto trace1;
            }
          else
@@ -398,7 +413,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_dropped += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              next[0] = IPSEC_INPUT_NEXT_DROP;
              goto trace1;
            }