ipsec: add per-SA error counters

Error counters are added on a per-node basis. In IPsec, it is
also useful to track the errors that occurred per SA.

Type: feature
Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 306fb7d..1bcc65c 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -23,7 +23,6 @@
 #include <vnet/ipsec/esp.h>
 #include <vnet/ipsec/ipsec_io.h>
 #include <vnet/ipsec/ipsec_tun.h>
-#include <vnet/ipsec/ipsec.api_enum.h>
 
 #include <vnet/gre/packet.h>
 
@@ -114,8 +113,9 @@
 	    err = e;
 	  else
 	    err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
-	  b[bi]->error = node->errors[err];
-	  nexts[bi] = ESP_DECRYPT_NEXT_DROP;
+	  esp_decrypt_set_next_index (b[bi], node, vm->thread_index, err, bi,
+				      nexts, ESP_DECRYPT_NEXT_DROP,
+				      vnet_buffer (b[bi])->ipsec.sad_index);
 	  n_fail--;
 	}
       op++;
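Review bot: The SA index passed on this failure path, `vnet_buffer (b[bi])->ipsec.sad_index`, comes from buffer metadata, while the drop sites in esp_decrypt_post_crypto use `pd->sa_index`, and nothing visible here shows that the two still agree once the crypto op has run. The value selects the per-SA counter slot, so a stale index would charge an integrity or engine failure to the wrong SA and skew any per-SA alerting built on it. If the field is guaranteed to survive the op, a comment such as `/* pd is not available here; ipsec.sad_index still names the SA the op was built for */` would record that. The same applies to the identical call in the next hunk (@@ -146,8 +146,9 @@); the enclosing functions start and end outside both hunks.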
@@ -146,8 +146,9 @@
 	    err = e;
 	  else
 	    err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
-	  b[bi]->error = node->errors[err];
-	  nexts[bi] = ESP_DECRYPT_NEXT_DROP;
+	  esp_decrypt_set_next_index (b[bi], node, vm->thread_index, err, bi,
+				      nexts, ESP_DECRYPT_NEXT_DROP,
+				      vnet_buffer (b[bi])->ipsec.sad_index);
 	  n_fail--;
 	}
       op++;
@@ -525,8 +526,9 @@
 				       payload, pd->current_length,
 				       &op->digest, &op->n_chunks, 0) < 0)
 	    {
-	      b->error = node->errors[ESP_DECRYPT_ERROR_NO_BUFFERS];
-	      next[0] = ESP_DECRYPT_NEXT_DROP;
+	      esp_decrypt_set_next_index (
+		b, node, vm->thread_index, ESP_DECRYPT_ERROR_NO_BUFFERS, 0,
+		next, ESP_DECRYPT_NEXT_DROP, pd->sa_index);
 	      return;
 	    }
 	}
@@ -721,7 +723,7 @@
 }
 
 static_always_inline void
-esp_decrypt_post_crypto (vlib_main_t *vm, const vlib_node_runtime_t *node,
+esp_decrypt_post_crypto (vlib_main_t *vm, vlib_node_runtime_t *node,
 			 const u16 *next_by_next_header,
 			 const esp_decrypt_packet_data_t *pd,
 			 const esp_decrypt_packet_data2_t *pd2,
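Review bot: Dropping `const` from `node` in esp_decrypt_post_crypto widens the function's contract, apparently only to satisfy the new helper it now calls. If esp_decrypt_set_next_index merely reads `node->errors` (its definition is not part of this file's diff), declaring its parameter as `const vlib_node_runtime_t *node` would let this signature keep the qualifier. The function body continues outside the hunk.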
@@ -760,16 +762,17 @@
   if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, true,
 					   NULL))
     {
-      b->error = node->errors[ESP_DECRYPT_ERROR_REPLAY];
-      next[0] = ESP_DECRYPT_NEXT_DROP;
+      esp_decrypt_set_next_index (b, node, vm->thread_index,
+				  ESP_DECRYPT_ERROR_REPLAY, 0, next,
+				  ESP_DECRYPT_NEXT_DROP, pd->sa_index);
       return;
     }
 
   u64 n_lost =
     ipsec_sa_anti_replay_advance (sa0, vm->thread_index, pd->seq, pd->seq_hi);
 
-  vlib_prefetch_simple_counter (&ipsec_sa_lost_counters, vm->thread_index,
-				pd->sa_index);
+  vlib_prefetch_simple_counter (&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST],
+				vm->thread_index, pd->sa_index);
 
   if (pd->is_chain)
     {
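Review bot: `ipsec_sa_lost_counters` is replaced by `ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST]` in the prefetch here and in the increment at the end of the function (hunk @@ -997,8 +1006,8 @@), which may change the name under which the per-SA lost count is exported. The counter registration is outside this file, so that is an inference, but monitoring that watches the old counter would stop seeing updates without any error. A line in the commit message naming the old and new counter would help operators, and a comment at the increment such as `/* n_lost comes from the anti-replay window advance, not from a drop in this node */` would keep it from being read as a drop count. The function starts and ends outside this hunk.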
@@ -918,8 +921,9 @@
 	      next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
 	      break;
 	    default:
-	      b->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD];
-	      next[0] = ESP_DECRYPT_NEXT_DROP;
+	      esp_decrypt_set_next_index (
+		b, node, vm->thread_index, ESP_DECRYPT_ERROR_UNSUP_PAYLOAD, 0,
+		next, ESP_DECRYPT_NEXT_DROP, pd->sa_index);
 	      break;
 	    }
 	}
@@ -932,8 +936,9 @@
 	}
       else
 	{
-	  next[0] = ESP_DECRYPT_NEXT_DROP;
-	  b->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD];
+	  esp_decrypt_set_next_index (b, node, vm->thread_index,
+				      ESP_DECRYPT_ERROR_UNSUP_PAYLOAD, 0, next,
+				      ESP_DECRYPT_NEXT_DROP, pd->sa_index);
 	  return;
 	}
 
@@ -973,8 +978,10 @@
 		      !ip46_address_is_equal_v4 (&itp->itp_tun.dst,
 						 &ip4->src_address))
 		    {
-		      next[0] = ESP_DECRYPT_NEXT_DROP;
-		      b->error = node->errors[ESP_DECRYPT_ERROR_TUN_NO_PROTO];
+		      esp_decrypt_set_next_index (
+			b, node, vm->thread_index,
+			ESP_DECRYPT_ERROR_TUN_NO_PROTO, 0, next,
+			ESP_DECRYPT_NEXT_DROP, pd->sa_index);
 		    }
 		}
 	      else if (next_header == IP_PROTOCOL_IPV6)
@@ -988,8 +995,10 @@
 		      !ip46_address_is_equal_v6 (&itp->itp_tun.dst,
 						 &ip6->src_address))
 		    {
-		      next[0] = ESP_DECRYPT_NEXT_DROP;
-		      b->error = node->errors[ESP_DECRYPT_ERROR_TUN_NO_PROTO];
+		      esp_decrypt_set_next_index (
+			b, node, vm->thread_index,
+			ESP_DECRYPT_ERROR_TUN_NO_PROTO, 0, next,
+			ESP_DECRYPT_NEXT_DROP, pd->sa_index);
 		    }
 		}
 	    }
@@ -997,8 +1006,8 @@
     }
 
   if (PREDICT_FALSE (n_lost))
-    vlib_increment_simple_counter (&ipsec_sa_lost_counters, vm->thread_index,
-				   pd->sa_index, n_lost);
+    vlib_increment_simple_counter (&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST],
+				   vm->thread_index, pd->sa_index, n_lost);
 }
 
 always_inline uword
@@ -1066,8 +1075,9 @@
       if (n_bufs == 0)
 	{
 	  err = ESP_DECRYPT_ERROR_NO_BUFFERS;
-	  esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
-			      ESP_DECRYPT_NEXT_DROP);
+	  esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop,
+				      noop_nexts, ESP_DECRYPT_NEXT_DROP,
+				      vnet_buffer (b[0])->ipsec.sad_index);
 	  goto next;
 	}
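Review bot: The `n_bufs == 0` drop passes `vnet_buffer (b[0])->ipsec.sad_index` while the later drop sites in this loop pass `current_sa_index`, and the reason for the difference is not stated. Judging by the next hunk, `current_sa_index` is only refreshed from the buffer further down, so at this point it would still name the previous packet's SA. A comment above the call would keep a later cleanup from unifying the argument and misattributing the drop: `/* current_sa_index is not yet updated for this packet */`. The loop body continues outside the hunk.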
 
@@ -1075,12 +1085,13 @@
 	{
 	  if (current_sa_pkts)
 	    vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
-					     current_sa_index,
-					     current_sa_pkts,
+					     current_sa_index, current_sa_pkts,
 					     current_sa_bytes);
 	  current_sa_bytes = current_sa_pkts = 0;
 
 	  current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
+	  vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index,
+					  current_sa_index);
 	  sa0 = ipsec_sa_get (current_sa_index);
 
 	  /* fetch the second cacheline ASAP */
@@ -1105,8 +1116,9 @@
 	{
 	  vnet_buffer (b[0])->ipsec.thread_index = sa0->thread_index;
 	  err = ESP_DECRYPT_ERROR_HANDOFF;
-	  esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
-			      ESP_DECRYPT_NEXT_HANDOFF);
+	  esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop,
+				      noop_nexts, ESP_DECRYPT_NEXT_HANDOFF,
+				      current_sa_index);
 	  goto next;
 	}
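Review bot: The handoff case now goes through the same helper as the drop sites, so whether `ESP_DECRYPT_ERROR_HANDOFF` increments a per-SA error counter depends on esp_decrypt_set_next_index, which is not visible in this diff. Here the packet is sent to `ESP_DECRYPT_NEXT_HANDOFF` after recording `sa0->thread_index`, so it is moved rather than dropped, and counting it alongside real failures would inflate per-SA error totals used for alerting. If it is counted, a comment such as `/* counted per SA as a handoff, not a drop */` would make that explicit. If it is not, the comment should say the helper skips it. The enclosing block starts outside the hunk.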
 
@@ -1144,16 +1156,18 @@
 					       &pd->seq_hi))
 	{
 	  err = ESP_DECRYPT_ERROR_REPLAY;
-	  esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
-			      ESP_DECRYPT_NEXT_DROP);
+	  esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop,
+				      noop_nexts, ESP_DECRYPT_NEXT_DROP,
+				      current_sa_index);
 	  goto next;
 	}
 
       if (pd->current_length < cpd.icv_sz + esp_sz + cpd.iv_sz)
 	{
 	  err = ESP_DECRYPT_ERROR_RUNT;
-	  esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
-			      ESP_DECRYPT_NEXT_DROP);
+	  esp_decrypt_set_next_index (b[0], node, thread_index, err, n_noop,
+				      noop_nexts, ESP_DECRYPT_NEXT_DROP,
+				      current_sa_index);
 	  goto next;
 	}
 
@@ -1182,8 +1196,9 @@
 	    async_next_node);
 	  if (ESP_DECRYPT_ERROR_RX_PKTS != err)
 	    {
-	      esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
-				  ESP_DECRYPT_NEXT_DROP);
+	      esp_decrypt_set_next_index (
+		b[0], node, thread_index, err, n_noop, noop_nexts,
+		ESP_DECRYPT_NEXT_DROP, current_sa_index);
 	    }
 	}
       else
@@ -1233,7 +1248,8 @@
 	{
 	  n_noop += esp_async_recycle_failed_submit (
 	    vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR,
-	    n_noop, noop_bi, noop_nexts, ESP_DECRYPT_NEXT_DROP);
+	    IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, noop_nexts,
+	    ESP_DECRYPT_NEXT_DROP);
 	  vnet_crypto_async_reset_frame (*async_frame);
 	  vnet_crypto_async_free_frame (vm, *async_frame);
 	}
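Review bot: This call passes the per-SA error `IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR` explicitly next to the node error, whereas every other site in this diff passes only an `ESP_DECRYPT_ERROR_*` value to esp_decrypt_set_next_index, so the pairing of the two enums appears to be maintained in two places. No SA index is passed either, so esp_async_recycle_failed_submit presumably reads it from each buffer in the frame; its definition is outside this diff. A comment stating where the SA index comes from, or deriving the per-SA error from the node error as the other sites appear to do, would keep the two conventions from drifting apart. The enclosing block starts outside the hunk.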