Neale Ranns17dcec02019-01-09 21:22:20 -08001/* Hey Emacs use -*- mode: C -*- */
Pavel Kotucek9c7ef032016-12-21 07:46:45 +01002/*
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Neale Rannsff2e4132021-06-24 14:57:56 +000017option version = "5.0.2";
Neale Ranns17dcec02019-01-09 21:22:20 -080018
Prashant Maheshwaridbf68c92019-11-14 12:42:59 +053019import "vnet/ipsec/ipsec_types.api";
Neale Rannsc87b66c2019-02-07 07:26:12 -080020import "vnet/interface_types.api";
Jakub Grajciar287d5e12020-02-28 08:26:32 +010021import "vnet/ip/ip_types.api";
22import "vnet/interface_types.api";
Neale Rannsdd4ccf22020-06-30 07:47:14 +000023import "vnet/tunnel/tunnel_types.api";
Dave Barach0d056e52017-09-28 15:11:16 -040024
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010025/** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
30*/
31
Dave Barach11b8dbf2017-04-24 10:46:54 -040032autoreply define ipsec_spd_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010033{
34 u32 client_index;
35 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010036 bool is_add;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010037 u32 spd_id;
38};
39
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010040/** \brief IPsec: Add/delete SPD from interface
41
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
47*/
48
49
Dave Barach11b8dbf2017-04-24 10:46:54 -040050autoreply define ipsec_interface_add_del_spd
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010051{
52 u32 client_index;
53 u32 context;
54
Jakub Grajciar287d5e12020-02-28 08:26:32 +010055 bool is_add;
56 vl_api_interface_index_t sw_if_index;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010057 u32 spd_id;
58};
59
Neale Ranns17dcec02019-01-09 21:22:20 -080060/** \brief IPsec: Add/delete Security Policy Database entry
61
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add the SPD entry if non-zero, else delete it
65 @param entry - Description of the entry to add/delete
66*/
Neale Rannsa09c1ff2019-02-04 01:10:30 -080067define ipsec_spd_entry_add_del
Neale Ranns17dcec02019-01-09 21:22:20 -080068{
Piotr Bronowski815c6a42022-06-09 09:09:28 +000069 option deprecated;
Neale Ranns17dcec02019-01-09 21:22:20 -080070 u32 client_index;
71 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010072 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -080073 vl_api_ipsec_spd_entry_t entry;
74};
75
Piotr Bronowski815c6a42022-06-09 09:09:28 +000076/** \brief IPsec: Add/delete Security Policy Database entry v2
77
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add the SPD entry if non-zero, else delete it
81 @param entry - Description of the entry to add/delete
82*/
83define ipsec_spd_entry_add_del_v2
84{
85 u32 client_index;
86 u32 context;
87 bool is_add;
88 vl_api_ipsec_spd_entry_v2_t entry;
89};
90
Neale Rannsa09c1ff2019-02-04 01:10:30 -080091/** \brief IPsec: Reply Add/delete Security Policy Database entry
92
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
96*/
97define ipsec_spd_entry_add_del_reply
98{
Vratko Polak520cde42022-11-25 17:10:10 +010099 option deprecated;
Neale Rannsa09c1ff2019-02-04 01:10:30 -0800100 u32 context;
101 i32 retval;
102 u32 stat_index;
103};
104
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000105/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
106
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
110*/
111define ipsec_spd_entry_add_del_v2_reply
112{
113 u32 context;
114 i32 retval;
115 u32 stat_index;
116};
117
Neale Ranns17dcec02019-01-09 21:22:20 -0800118/** \brief Dump IPsec all SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
121*/
122define ipsec_spds_dump {
123 u32 client_index;
124 u32 context;
125};
126
127/** \brief Dump IPsec all SPD IDs response
128 @param context - sender context, to match reply w/ request
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
131*/
132define ipsec_spds_details {
133 u32 context;
134 u32 spd_id;
135 u32 npolicies;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100136};
Neale Ranns17dcec02019-01-09 21:22:20 -0800137
138/** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
143*/
144define ipsec_spd_dump {
145 u32 client_index;
146 u32 context;
147 u32 spd_id;
148 u32 sa_id;
149};
150
151/** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
    NOTE(review): bytes and packets are documented above but are not fields
    of the message defined below, which carries only context and entry.
156*/
157define ipsec_spd_details {
158 u32 context;
159 vl_api_ipsec_spd_entry_t entry;
Neale Ranns17dcec02019-01-09 21:22:20 -0800160};
161
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100162/** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
Neale Ranns17dcec02019-01-09 21:22:20 -0800165 @param entry - Entry to add or delete
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100166 */
Neale Rannseba31ec2019-02-17 18:04:27 +0000167define ipsec_sad_entry_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100168{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000169 option deprecated;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100170 u32 client_index;
171 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100172 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -0800173 vl_api_ipsec_sad_entry_t entry;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100174};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000175
/** \brief IPsec: Add/delete Security Association Database entry v2
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - presumably true adds and false deletes, as documented
                    for the SPD messages in this file - confirm
    @param entry - Entry to add or delete (vl_api_ipsec_sad_entry_v2_t)

    NOTE(review): the entry type is declared in vnet/ipsec/ipsec_types.api
    (imported above, not shown here). If it carries the SA's key material,
    this request must only travel over an API transport that is restricted
    to trusted control-plane clients - confirm.
 */
Neale Ranns041add72020-01-02 04:06:10 +0000176define ipsec_sad_entry_add_del_v2
177{
178 u32 client_index;
179 u32 context;
180 bool is_add;
181 vl_api_ipsec_sad_entry_v2_t entry;
182};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000183
/** \brief IPsec: Add/delete Security Association Database entry v3
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - presumably true adds and false deletes, as documented
                    for the SPD messages in this file - confirm
    @param entry - Entry to add or delete (vl_api_ipsec_sad_entry_v3_t)

    NOTE(review): the entry type is declared in vnet/ipsec/ipsec_types.api
    (imported above, not shown here). If it carries the SA's key material,
    this request must only travel over an API transport that is restricted
    to trusted control-plane clients - confirm.
 */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000184define ipsec_sad_entry_add_del_v3
185{
186 u32 client_index;
187 u32 context;
188 bool is_add;
189 vl_api_ipsec_sad_entry_v3_t entry;
190};
/** \brief IPsec: Add Security Association Database entry
    Add-only request: unlike the ipsec_sad_entry_add_del* messages it has
    no is_add flag; deletion is a separate message, ipsec_sad_entry_del.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add (vl_api_ipsec_sad_entry_v3_t)

    NOTE(review): the entry type is declared in vnet/ipsec/ipsec_types.api
    (imported above, not shown here). If it carries the SA's key material,
    this request must only travel over an API transport that is restricted
    to trusted control-plane clients - confirm.
 */
Neale Rannsff2e4132021-06-24 14:57:56 +0000191define ipsec_sad_entry_add
192{
193 u32 client_index;
194 u32 context;
195 vl_api_ipsec_sad_entry_v3_t entry;
196};
/** \brief IPsec: Delete Security Association Database entry
    Declared autoreply, so no explicit reply message is defined here.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param id - identifier of the entry to delete (presumably the SA id
                given when the entry was added - confirm)
 */
197autoreply define ipsec_sad_entry_del
198{
199 u32 client_index;
200 u32 context;
201 u32 id;
202};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000203
Neale Rannseba31ec2019-02-17 18:04:27 +0000204define ipsec_sad_entry_add_del_reply
205{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000206 option deprecated;
Neale Rannseba31ec2019-02-17 18:04:27 +0000207 u32 context;
208 i32 retval;
209 u32 stat_index;
210};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000211
Neale Ranns041add72020-01-02 04:06:10 +0000212define ipsec_sad_entry_add_del_v2_reply
213{
214 u32 context;
215 i32 retval;
216 u32 stat_index;
217};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000218
Neale Ranns9ec846c2021-02-09 14:04:02 +0000219define ipsec_sad_entry_add_del_v3_reply
220{
221 u32 context;
222 i32 retval;
223 u32 stat_index;
224};
Neale Rannsff2e4132021-06-24 14:57:56 +0000225define ipsec_sad_entry_add_reply
226{
227 u32 context;
228 i32 retval;
229 u32 stat_index;
230};
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100231
Neale Rannsc87b66c2019-02-07 07:26:12 -0800232/** \brief Add or Update Protection for a tunnel with IPSEC
233
234 Tunnel protection directly associates an SA with all packets
235 ingress and egress on the tunnel. This could also be achieved by
236 assigning an SPD to the tunnel, but that would incur an unnecessary
237 SPD entry lookup.
238
239 For tunnels the ESP acts on the post-encapsulated packet. So if this
240 packet:
241 +---------+------+
242 | Payload | O-IP |
243 +---------+------+
244 where O-IP is the overlay IP address that was routed into the tunnel,
245 the resulting encapsulated packet will be:
246 +---------+------+------+
247 | Payload | O-IP | T-IP |
248 +---------+------+------+
249 where T-IP is the tunnel's src/dst IP addresses.
250 If the SAs used for protection are in transport mode then the ESP is
251 inserted before T-IP, i.e.:
252 +---------+------+-----+------+
253 | Payload | O-IP | ESP | T-IP |
254 +---------+------+-----+------+
255 If the SAs used for protection are in tunnel mode then another
256 encapsulation occurs, i.e.:
257 +---------+------+------+-----+------+
258 | Payload | O-IP | T-IP | ESP | C-IP |
259 +---------+------+------+-----+------+
260 where C-IP are the crypto endpoint IP addresses defined as the tunnel
261 endpoints in the SA.
262 The mode for the inbound and outbound SA must be the same.
263
264 @param client_index - opaque cookie to identify the sender
265 @param context - sender context, to match reply w/ request
266 @param sw_if_index - Tunnel interface to protect
Neale Ranns28287212019-12-16 00:53:11 +0000267 @param nh - The peer/next-hop on the tunnel to which the traffic
268 should be protected. For a P2P interface set this to the
269 all 0s address.
Neale Rannsc87b66c2019-02-07 07:26:12 -0800270 @param sa_in - The ID [set] of inbound SAs
271 @param sa_out - The ID of outbound SA
272*/
273typedef ipsec_tunnel_protect
274{
275 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000276 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800277 u32 sa_out;
/* n_sa_in is the element count of the variable-length sa_in array that
 * follows; being a u8, it allows at most 255 inbound SA IDs.
 * NOTE(review): the receiving handler is not visible here; confirm that
 * n_sa_in is checked against the received message length before sa_in
 * is read. */
278 u8 n_sa_in;
279 u32 sa_in[n_sa_in];
280};
281
282autoreply define ipsec_tunnel_protect_update
283{
284 u32 client_index;
285 u32 context;
286
287 vl_api_ipsec_tunnel_protect_t tunnel;
288};
289
290autoreply define ipsec_tunnel_protect_del
291{
292 u32 client_index;
293 u32 context;
294
295 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000296 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800297};
298
Neale Ranns12989b52019-09-26 16:20:19 +0000299/**
300 * @brief Dump all tunnel protections
301 */
Neale Rannsc87b66c2019-02-07 07:26:12 -0800302define ipsec_tunnel_protect_dump
303{
304 u32 client_index;
305 u32 context;
306 vl_api_interface_index_t sw_if_index;
307};
308
309define ipsec_tunnel_protect_details
310{
311 u32 context;
312 vl_api_ipsec_tunnel_protect_t tun;
313};
314
Filip Varga871bca92018-11-02 13:51:44 +0100315/** \brief IPsec: Get SPD interfaces
316 @param client_index - opaque cookie to identify the sender
317 @param context - sender context, to match reply w/ request
318 @param spd_index - SPD index
319 @param spd_index_valid - if 1 spd_index is used to filter
320 spd_index's, if 0 no filtering is done
321*/
322define ipsec_spd_interface_dump {
323 u32 client_index;
324 u32 context;
325 u32 spd_index;
326 u8 spd_index_valid;
327};
328
329/** \brief IPsec: SPD interface response
330 @param context - sender context which was passed in the request
331 @param spd_index - SPD index
332 @param sw_if_index - index of the interface
333*/
334define ipsec_spd_interface_details {
335 u32 context;
336 u32 spd_index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100337 vl_api_interface_index_t sw_if_index;
Filip Varga871bca92018-11-02 13:51:44 +0100338};
339
/** \brief IPsec interface description, used by the ipsec_itf_create and
    ipsec_itf_details messages in this file.
    @param user_instance - requested instance number; defaults to
                           0xffffffff when the sender does not set it
                           (presumably meaning "allocate one" - confirm)
    @param mode - tunnel mode (vl_api_tunnel_mode_t, declared in
                  vnet/tunnel/tunnel_types.api, not shown here)
    @param sw_if_index - interface index of the IPsec interface
 */
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000340typedef ipsec_itf
341{
342 u32 user_instance [default=0xffffffff];
343 vl_api_tunnel_mode_t mode;
344 vl_api_interface_index_t sw_if_index;
345};
346
347/** \brief Create an IPSec interface
348 */
349define ipsec_itf_create {
350 u32 client_index;
351 u32 context;
352 vl_api_ipsec_itf_t itf;
353};
354
355/** \brief Add IPsec interface response
356 @param context - sender context, to match reply w/ request
357 @param retval - return status
358 @param sw_if_index - sw_if_index of new interface (for successful add)
359*/
360define ipsec_itf_create_reply
361{
362 u32 context;
363 i32 retval;
364 vl_api_interface_index_t sw_if_index;
365};
366
367autoreply define ipsec_itf_delete
368{
369 u32 client_index;
370 u32 context;
371 vl_api_interface_index_t sw_if_index;
372};
373
374define ipsec_itf_dump
375{
376 u32 client_index;
377 u32 context;
378 vl_api_interface_index_t sw_if_index;
379};
380
381define ipsec_itf_details
382{
383 u32 context;
384 vl_api_ipsec_itf_t itf;
385};
386
Matthew Smith28029532017-09-26 13:33:44 -0500387/** \brief Dump IPsec security association
388 @param client_index - opaque cookie to identify the sender
389 @param context - sender context, to match reply w/ request
390 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
391*/
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000392define ipsec_sa_dump
393{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000394 option deprecated;
Matthew Smith28029532017-09-26 13:33:44 -0500395 u32 client_index;
396 u32 context;
397 u32 sa_id;
398};
/** \brief Dump IPsec security association, v2
    Same fields as ipsec_sa_dump; the name suggests the replies are
    ipsec_sa_v2_details messages - confirm.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - ID of an SA to dump (presumably ~0 dumps all SAs in the
                   SAD, as documented for ipsec_sa_dump - confirm)
 */
Neale Ranns041add72020-01-02 04:06:10 +0000399define ipsec_sa_v2_dump
400{
401 u32 client_index;
402 u32 context;
403 u32 sa_id;
404};
/** \brief Dump IPsec security association, v3
    Same fields as ipsec_sa_dump; the name suggests the replies are
    ipsec_sa_v3_details messages - confirm.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - ID of an SA to dump (presumably ~0 dumps all SAs in the
                   SAD, as documented for ipsec_sa_dump - confirm)
 */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000405define ipsec_sa_v3_dump
406{
407 u32 client_index;
408 u32 context;
409 u32 sa_id;
410};
Matthew Smith28029532017-09-26 13:33:44 -0500411
412/** \brief IPsec security association database response
413 @param context - sender context which was passed in the request
Neale Ranns041add72020-01-02 04:06:10 +0000414 @param entry - The SA details
Matthew Smith28029532017-09-26 13:33:44 -0500415 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100416 @param salt - 4 byte salt
Matthew Smith28029532017-09-26 13:33:44 -0500417 @param seq - current sequence number for outbound
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100418 @param seq_hi - high 32 bits of ESN for outbound
Matthew Smith28029532017-09-26 13:33:44 -0500419 @param last_seq - highest sequence number received inbound
420 @param last_seq_hi - high 32 bits of highest ESN received inbound
421 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
Matthew Smith48d32b42020-04-02 07:45:49 -0500422 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa

    NOTE(review): the message below has no seq, seq_hi, last_seq or
    last_seq_hi fields. It carries the 64-bit seq_outbound and
    last_seq_inbound instead, which presumably hold the combined
    low/high values - confirm.

    NOTE(review): entry is a vl_api_ipsec_sad_entry_t, declared in
    vnet/ipsec/ipsec_types.api (imported above, not shown here). If that
    type includes the SA's keys, every dump reply discloses them, together
    with the salt field below, to the requesting API client - confirm, and
    confirm which clients can reach the API transport.
Matthew Smith28029532017-09-26 13:33:44 -0500423*/
424define ipsec_sa_details {
Neale Ranns9ec846c2021-02-09 14:04:02 +0000425 option deprecated;
Matthew Smith28029532017-09-26 13:33:44 -0500426 u32 context;
Neale Ranns8d7c5022019-02-06 01:41:05 -0800427 vl_api_ipsec_sad_entry_t entry;
428
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100429 vl_api_interface_index_t sw_if_index;
430 u32 salt;
431 u64 seq_outbound;
432 u64 last_seq_inbound;
433 u64 replay_window;
434
Matthew Smith48d32b42020-04-02 07:45:49 -0500435 u32 stat_index;
Matthew Smith28029532017-09-26 13:33:44 -0500436};
/** \brief IPsec security association database response, v2
    Same layout as ipsec_sa_details except that entry is a
    vl_api_ipsec_sad_entry_v2_t.
    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - interface index associated with the SA
    @param salt - 32-bit salt
    @param seq_outbound - 64-bit outbound sequence number
    @param last_seq_inbound - 64-bit inbound sequence number
    @param replay_window - 64-bit replay window value
    @param stat_index - index for the SA in the stats segment

    NOTE(review): the entry type is declared in vnet/ipsec/ipsec_types.api
    (not shown here). If it includes the SA's keys, every dump reply
    discloses them, together with salt, to the requesting API client -
    confirm, and confirm which clients can reach the API transport.
 */
Neale Ranns041add72020-01-02 04:06:10 +0000437define ipsec_sa_v2_details {
438 u32 context;
439 vl_api_ipsec_sad_entry_v2_t entry;
440
441 vl_api_interface_index_t sw_if_index;
442 u32 salt;
443 u64 seq_outbound;
444 u64 last_seq_inbound;
445 u64 replay_window;
446
447 u32 stat_index;
448};
/** \brief IPsec security association database response, v3
    Differs from ipsec_sa_v2_details in that entry is a
    vl_api_ipsec_sad_entry_v3_t and there is no separate salt field.
    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - interface index associated with the SA
    @param seq_outbound - 64-bit outbound sequence number
    @param last_seq_inbound - 64-bit inbound sequence number
    @param replay_window - 64-bit replay window value
    @param stat_index - index for the SA in the stats segment

    NOTE(review): the entry type is declared in vnet/ipsec/ipsec_types.api
    (not shown here). If it includes the SA's keys, every dump reply
    discloses them to the requesting API client - confirm, and confirm
    which clients can reach the API transport.
 */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000449define ipsec_sa_v3_details {
450 u32 context;
451 vl_api_ipsec_sad_entry_v3_t entry;
452
453 vl_api_interface_index_t sw_if_index;
454 u64 seq_outbound;
455 u64 last_seq_inbound;
456 u64 replay_window;
457
458 u32 stat_index;
459};
Matthew Smith28029532017-09-26 13:33:44 -0500460
Klement Sekerab4d30532018-11-08 13:00:02 +0100461/** \brief Dump IPsec backends
462 @param client_index - opaque cookie to identify the sender
463 @param context - sender context, to match reply w/ request
464*/
465define ipsec_backend_dump {
466 u32 client_index;
467 u32 context;
468};
469
470/** \brief IPsec backend details
471 @param name - name of the backend
472 @param protocol - IPsec protocol (value from ipsec_protocol_t)
473 @param index - backend index
474 @param active - set to 1 if the backend is active, otherwise 0
475*/
476define ipsec_backend_details {
477 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100478 string name[128];
Neale Ranns17dcec02019-01-09 21:22:20 -0800479 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100480 u8 index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100481 bool active;
Klement Sekerab4d30532018-11-08 13:00:02 +0100482};
483
484/** \brief Select IPsec backend
485 @param client_index - opaque cookie to identify the sender
486 @param context - sender context, to match reply w/ request
487 @param protocol - IPsec protocol (value from ipsec_protocol_t)
488 @param index - backend index
489*/
490autoreply define ipsec_select_backend {
491 u32 client_index;
492 u32 context;
Neale Ranns17dcec02019-01-09 21:22:20 -0800493 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100494 u8 index;
495};
496
Yulong Pei2e84d662020-08-14 18:21:08 +0800497
498/** \brief IPsec Set Async mode
499 @param client_index - opaque cookie to identify the sender
500 @param context - sender context, to match reply w/ request
501 @param async_enable - ipsec async mode on or off
502*/
503autoreply define ipsec_set_async_mode {
504 u32 client_index;
505 u32 context;
506 bool async_enable;
507};
508
Neale Ranns93688d72022-08-09 03:34:51 +0000509counters esp_decrypt {
510 rx_pkts {
511 severity info;
512 type counter64;
513 units "packets";
514 description "ESP pkts received";
515 };
516 rx_post_pkts {
517 severity info;
518 type counter64;
519 units "packets";
520 description "ESP-POST pkts received";
521 };
522 handoff {
523 severity info;
524 type counter64;
525 units "packets";
526 description "hand-off";
527 };
528 decryption_failed {
529 severity error;
530 type counter64;
531 units "packets";
532 description "ESP decryption failed";
533 };
534 integ_error {
535 severity error;
536 type counter64;
537 units "packets";
538 description "integrity check failed";
539 };
540 crypto_engine_error {
541 severity error;
542 type counter64;
543 units "packets";
544 description "crypto engine error (packet dropped)";
545 };
546 replay {
547 severity error;
548 type counter64;
549 units "packets";
550 description "SA replayed packet";
551 };
552 runt {
553 severity error;
554 type counter64;
555 units "packets";
556 description "undersized packet";
557 };
558 no_buffers {
559 severity error;
560 type counter64;
561 units "packets";
562 description "no buffers (packet dropped)";
563 };
564 oversized_header {
565 severity error;
566 type counter64;
567 units "packets";
568 description "buffer with oversized header (dropped)";
569 };
570 no_tail_space {
571 severity error;
572 type counter64;
573 units "packets";
574 description "no enough buffer tail space (dropped)";
575 };
576 tun_no_proto {
577 severity error;
578 type counter64;
579 units "packets";
580 description "no tunnel protocol";
581 };
582 unsup_payload {
583 severity error;
584 type counter64;
585 units "packets";
586 description "unsupported payload";
587 };
588};
589
590counters esp_encrypt {
591 rx_pkts {
592 severity info;
593 type counter64;
594 units "packets";
595 description "ESP pkts received";
596 };
597 post_rx_pkts {
598 severity info;
599 type counter64;
600 units "packets";
601 description "ESP-post pkts received";
602 };
603 handoff {
604 severity info;
605 type counter64;
606 units "packets";
607 description "Hand-off";
608 };
609 seq_cycled {
610 severity error;
611 type counter64;
612 units "packets";
613 description "sequence number cycled (packet dropped)";
614 };
615 crypto_engine_error {
616 severity error;
617 type counter64;
618 units "packets";
619 description "crypto engine error (packet dropped)";
620 };
621 crypto_queue_full {
622 severity error;
623 type counter64;
624 units "packets";
625 description "crypto queue full (packet dropped)";
626 };
627 no_buffers {
628 severity error;
629 type counter64;
630 units "packets";
631 description "no buffers (packet dropped)";
632 };
633 no_protection {
634 severity error;
635 type counter64;
636 units "packets";
637 description "no protecting SA (packet dropped)";
638 };
639 no_encryption {
640 severity error;
641 type counter64;
642 units "packets";
643 description "no Encrypting SA (packet dropped)";
644 };
645};
646
647counters ah_encrypt {
648 rx_pkts {
649 severity info;
650 type counter64;
651 units "packets";
652 description "AH pkts received";
653 };
654 crypto_engine_error {
655 severity error;
656 type counter64;
657 units "packets";
658 description "crypto engine error (packet dropped)";
659 };
660 seq_cycled {
661 severity error;
662 type counter64;
663 units "packets";
664 description "sequence number cycled (packet dropped)";
665 };
666};
667
668counters ah_decrypt {
669 rx_pkts {
670 severity info;
671 type counter64;
672 units "packets";
673 description "AH pkts received";
674 };
675 decryption_failed {
676 severity error;
677 type counter64;
678 units "packets";
679 description "AH decryption failed";
680 };
681 integ_error {
682 severity error;
683 type counter64;
684 units "packets";
685 description "Integrity check failed";
686 };
687 no_tail_space {
688 severity error;
689 type counter64;
690 units "packets";
691 description "not enough buffer tail space (dropped)";
692 };
693 drop_fragments {
694 severity error;
695 type counter64;
696 units "packets";
697 description "IP fragments drop";
698 };
699 replay {
700 severity error;
701 type counter64;
702 units "packets";
703 description "SA replayed packet";
704 };
705};
706
707counters ipsec_tun {
708 rx {
709 severity info;
710 type counter64;
711 units "packets";
712 description "good packets received";
713 };
714 disabled {
715 severity error;
716 type counter64;
717 units "packets";
718 description "ipsec packets received on disabled interface";
719 };
720 no_tunnel {
721 severity error;
722 type counter64;
723 units "packets";
724 description "no matching tunnel";
725 };
726 tunnel_mismatch {
727 severity error;
728 type counter64;
729 units "packets";
730 description "SPI-tunnel mismatch";
731 };
732 nat_keepalive {
733 severity info;
734 type counter64;
735 units "packets";
736 description "NAT Keepalive";
737 };
738 too_short {
739 severity error;
740 type counter64;
741 units "packets";
742 description "Too Short";
743 };
744 spi_0 {
745 severity info;
746 type counter64;
747 units "packets";
748 description "SPI 0";
749 };
750};
751
/* Maps each "/err/<node>" stats path to one of the counter sets declared
 * above (esp_encrypt, esp_decrypt, ah_encrypt, ipsec_tun).
 * NOTE(review): no entry here references the ah_decrypt counter set, so
 * its integ_error and replay counters have no path in this block. If AH
 * decrypt nodes exist, confirm whether their paths were meant to be
 * listed; monitoring that relies on these mappings would otherwise not
 * see AH integrity or replay failures. */
752paths {
753 "/err/esp4-encrypt" "esp_encrypt";
754 "/err/esp4-encrypt-post" "esp_encrypt";
755 "/err/esp4-encrypt-tun" "esp_encrypt";
756 "/err/esp4-encrypt-tun-post" "esp_encrypt";
757 "/err/esp6-encrypt" "esp_encrypt";
758 "/err/esp6-encrypt-post" "esp_encrypt";
759 "/err/esp6-encrypt-tun" "esp_encrypt";
760 "/err/esp6-encrypt-tun-post" "esp_encrypt";
761 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
762 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
763 "/err/esp4-decrypt" "esp_decrypt";
764 "/err/esp4-decrypt-post" "esp_decrypt";
765 "/err/esp4-decrypt-tun" "esp_decrypt";
766 "/err/esp4-decrypt-tun-post" "esp_decrypt";
767 "/err/esp6-decrypt" "esp_decrypt";
768 "/err/esp6-decrypt-post" "esp_decrypt";
769 "/err/esp6-decrypt-tun" "esp_decrypt";
770 "/err/esp6-decrypt-tun-post" "esp_decrypt";
771 "/err/ah4-encrypt" "ah_encrypt";
772 "/err/ah6-encrypt" "ah_encrypt";
773 "/err/ipsec4-tun-input" "ipsec_tun";
774 "/err/ipsec6-tun-input" "ipsec_tun";
775};
776
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100777/*
778 * Local Variables:
779 * eval: (c-set-style "gnu")
780 * End:
781 */