Neale Ranns17dcec02019-01-09 21:22:20 -08001/* Hey Emacs use -*- mode: C -*- */
Pavel Kotucek9c7ef032016-12-21 07:46:45 +01002/*
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Neale Rannsff2e4132021-06-24 14:57:56 +000017option version = "5.0.2";
Neale Ranns17dcec02019-01-09 21:22:20 -080018
Prashant Maheshwaridbf68c92019-11-14 12:42:59 +053019import "vnet/ipsec/ipsec_types.api";
Neale Rannsc87b66c2019-02-07 07:26:12 -080020import "vnet/interface_types.api";
Jakub Grajciar287d5e12020-02-28 08:26:32 +010021import "vnet/ip/ip_types.api";
22import "vnet/interface_types.api";
Neale Rannsdd4ccf22020-06-30 07:47:14 +000023import "vnet/tunnel/tunnel_types.api";
Dave Barach0d056e52017-09-28 15:11:16 -040024
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010025/** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
30*/
31
Dave Barach11b8dbf2017-04-24 10:46:54 -040032autoreply define ipsec_spd_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010033{
34 u32 client_index;
35 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010036 bool is_add;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010037 u32 spd_id;
38};
39
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010040/** \brief IPsec: Add/delete SPD from interface
41
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
47*/
48
49
Dave Barach11b8dbf2017-04-24 10:46:54 -040050autoreply define ipsec_interface_add_del_spd
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010051{
52 u32 client_index;
53 u32 context;
54
Jakub Grajciar287d5e12020-02-28 08:26:32 +010055 bool is_add;
56 vl_api_interface_index_t sw_if_index;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010057 u32 spd_id;
58};
59
Neale Ranns17dcec02019-01-09 21:22:20 -080060/** \brief IPsec: Add/delete Security Policy Database entry
61
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add the SPD entry if non-zero, else delete it
65 @param entry - Description of the entry to add/delete
66*/
Neale Rannsa09c1ff2019-02-04 01:10:30 -080067define ipsec_spd_entry_add_del
Neale Ranns17dcec02019-01-09 21:22:20 -080068{
  /* Deprecated request. ipsec_spd_entry_add_del_v2 in this file has the same
     fields but carries vl_api_ipsec_spd_entry_v2_t, and is not marked
     deprecated. */
Piotr Bronowski815c6a42022-06-09 09:09:28 +000069 option deprecated;
Neale Ranns17dcec02019-01-09 21:22:20 -080070 u32 client_index;
71 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010072 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -080073 vl_api_ipsec_spd_entry_t entry;
74};
75
Piotr Bronowski815c6a42022-06-09 09:09:28 +000076/** \brief IPsec: Add/delete Security Policy Database entry v2
77
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add the SPD entry if non-zero, else delete it
81 @param entry - Description of the entry to add/delete
82*/
83define ipsec_spd_entry_add_del_v2
84{
85 u32 client_index;
86 u32 context;
87 bool is_add;
88 vl_api_ipsec_spd_entry_v2_t entry;
89};
90
Neale Rannsa09c1ff2019-02-04 01:10:30 -080091/** \brief IPsec: Reply Add/delete Security Policy Database entry
92
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
96*/
97define ipsec_spd_entry_add_del_reply
98{
99 u32 context;
100 i32 retval;
101 u32 stat_index;
102};
103
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000104/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
105
106 @param context - sender context, to match reply w/ request
107 @param retval - success/fail return code
108 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
109*/
110define ipsec_spd_entry_add_del_v2_reply
111{
112 u32 context;
113 i32 retval;
114 u32 stat_index;
115};
116
Neale Ranns17dcec02019-01-09 21:22:20 -0800117/** \brief Dump IPsec all SPD IDs
118 @param client_index - opaque cookie to identify the sender
119 @param context - sender context, to match reply w/ request
120*/
121define ipsec_spds_dump {
122 u32 client_index;
123 u32 context;
124};
125
126/** \brief Dump IPsec all SPD IDs response
127 @param client_index - opaque cookie to identify the sender
128 @param spd_id - SPD instance id (control plane allocated)
129 @param npolicies - number of policies in SPD
130*/
131define ipsec_spds_details {
  /* One reply per SPD in response to ipsec_spds_dump.
     NOTE(review): the header comment documents client_index, but this
     message carries context and has no client_index field. */
132 u32 context;
133 u32 spd_id;
134 u32 npolicies;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100135};
Neale Ranns17dcec02019-01-09 21:22:20 -0800136
137/** \brief Dump ipsec policy database data
138 @param client_index - opaque cookie to identify the sender
139 @param context - sender context, to match reply w/ request
140 @param spd_id - SPD instance id
141 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
142*/
143define ipsec_spd_dump {
144 u32 client_index;
145 u32 context;
146 u32 spd_id;
147 u32 sa_id;
148};
149
150/** \brief IPsec policy database response
151 @param context - sender context which was passed in the request
152 @param entry - The SPD entry.
153 @param bytes - byte count of packets matching this policy
154 @param packets - count of packets matching this policy
155*/
156define ipsec_spd_details {
  /* NOTE(review): the header comment lists bytes and packets, but this
     message has no such fields; only context and entry are sent.
     Presumably per-policy counts are read from the stats segment using the
     stat_index returned by the add/del reply - confirm.
     The entry uses vl_api_ipsec_spd_entry_t; no details message carrying
     vl_api_ipsec_spd_entry_v2_t is visible in this file. */
157 u32 context;
158 vl_api_ipsec_spd_entry_t entry;
Neale Ranns17dcec02019-01-09 21:22:20 -0800159};
160
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100161/** \brief IPsec: Add/delete Security Association Database entry
162 @param client_index - opaque cookie to identify the sender
163 @param context - sender context, to match reply w/ request
Neale Ranns17dcec02019-01-09 21:22:20 -0800164 @param entry - Entry to add or delete
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100165 */
Neale Rannseba31ec2019-02-17 18:04:27 +0000166define ipsec_sad_entry_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100167{
  /* Deprecated request. Variants not marked deprecated in this file:
     ipsec_sad_entry_add_del_v2, ipsec_sad_entry_add_del_v3, and the split
     ipsec_sad_entry_add / ipsec_sad_entry_del pair.
     NOTE(review): vl_api_ipsec_sad_entry_t is declared in the imported
     vnet/ipsec/ipsec_types.api, not shown here; presumably it carries the
     SA's key material, so access to the API transport should be restricted
     to trusted control-plane clients - confirm. */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000168 option deprecated;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100169 u32 client_index;
170 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100171 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -0800172 vl_api_ipsec_sad_entry_t entry;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100173};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000174
Neale Ranns041add72020-01-02 04:06:10 +0000175define ipsec_sad_entry_add_del_v2
176{
  /* Add/delete a Security Association Database entry, v2 entry layout.
     Same fields as ipsec_sad_entry_add_del except that entry is a
     vl_api_ipsec_sad_entry_v2_t. Answered by
     ipsec_sad_entry_add_del_v2_reply.
     client_index - opaque cookie to identify the sender
     context      - sender context, to match reply w/ request
     is_add       - presumably add if true, else delete, as in the other
                    add_del messages in this file - confirm
     entry        - the SA to add or delete (type declared in
                    ipsec_types.api, not shown here) */
177 u32 client_index;
178 u32 context;
179 bool is_add;
180 vl_api_ipsec_sad_entry_v2_t entry;
181};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000182
Neale Ranns9ec846c2021-02-09 14:04:02 +0000183define ipsec_sad_entry_add_del_v3
184{
  /* Add/delete a Security Association Database entry, v3 entry layout.
     Same fields as the v2 request except that entry is a
     vl_api_ipsec_sad_entry_v3_t. Answered by
     ipsec_sad_entry_add_del_v3_reply. */
185 u32 client_index;
186 u32 context;
187 bool is_add;
188 vl_api_ipsec_sad_entry_v3_t entry;
189};
Neale Rannsff2e4132021-06-24 14:57:56 +0000190define ipsec_sad_entry_add
191{
  /* Add-only request for a SAD entry: there is no is_add flag, and the
     entry uses the v3 layout. Deletion has its own message,
     ipsec_sad_entry_del. Answered by ipsec_sad_entry_add_reply. */
192 u32 client_index;
193 u32 context;
194 vl_api_ipsec_sad_entry_v3_t entry;
195};
196autoreply define ipsec_sad_entry_del
197{
  /* Delete a SAD entry by id alone; the full entry is not resent.
     autoreply: no reply message is written out for this request in the
     file.
     id - presumably the SA id the entry was added with - confirm */
198 u32 client_index;
199 u32 context;
200 u32 id;
201};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000202
Neale Rannseba31ec2019-02-17 18:04:27 +0000203define ipsec_sad_entry_add_del_reply
204{
  /* Reply to the deprecated ipsec_sad_entry_add_del; deprecated with it.
     context    - sender context, to match reply w/ request
     retval     - return code
     stat_index - presumably the SA's index in the stats segment
                  (/net/ipsec/sa per the ipsec_sa_details header) - confirm */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000205 option deprecated;
Neale Rannseba31ec2019-02-17 18:04:27 +0000206 u32 context;
207 i32 retval;
208 u32 stat_index;
209};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000210
Neale Ranns041add72020-01-02 04:06:10 +0000211define ipsec_sad_entry_add_del_v2_reply
212{
  /* Reply to ipsec_sad_entry_add_del_v2. Same three fields as
     ipsec_sad_entry_add_del_reply, without the deprecated option. */
213 u32 context;
214 i32 retval;
215 u32 stat_index;
216};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000217
Neale Ranns9ec846c2021-02-09 14:04:02 +0000218define ipsec_sad_entry_add_del_v3_reply
219{
  /* Reply to ipsec_sad_entry_add_del_v3. Same three fields as the v2
     reply. */
220 u32 context;
221 i32 retval;
222 u32 stat_index;
223};
Neale Rannsff2e4132021-06-24 14:57:56 +0000224define ipsec_sad_entry_add_reply
225{
  /* Reply to ipsec_sad_entry_add.
     context    - sender context, to match reply w/ request
     retval     - return code
     stat_index - presumably the new SA's index in the stats segment
                  - confirm */
226 u32 context;
227 i32 retval;
228 u32 stat_index;
229};
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100230
Neale Rannsc87b66c2019-02-07 07:26:12 -0800231/** \brief Add or Update Protection for a tunnel with IPSEC
232
233 Tunnel protection directly associates an SA with all packets
234 ingress and egress on the tunnel. This could also be achieved by
235 assigning an SPD to the tunnel, but that would incur an unnecessary
236 SPD entry lookup.
237
238 For tunnels the ESP acts on the post-encapsulated packet. So if this
239 packet:
240 +---------+------+
241 | Payload | O-IP |
242 +---------+------+
243 where O-IP is the overlay IP address that was routed into the tunnel,
244 the resulting encapsulated packet will be:
245 +---------+------+------+
246 | Payload | O-IP | T-IP |
247 +---------+------+------+
248 where T-IP is the tunnel's src.dst IP addresses.
249 If the SAs used for protection are in transport mode then the ESP is
250 inserted before T-IP, i.e.:
251 +---------+------+-----+------+
252 | Payload | O-IP | ESP | T-IP |
253 +---------+------+-----+------+
254 If the SAs used for protection are in tunnel mode then another
255 encapsulation occurs, i.e.:
256 +---------+------+------+-----+------+
257 | Payload | O-IP | T-IP | ESP | C-IP |
258 +---------+------+------+-----+------+
259 where C-IP are the crypto endpoint IP addresses defined as the tunnel
260 endpoints in the SA.
261 The mode for the inbound and outbound SA must be the same.
262
263 @param client_index - opaque cookie to identify the sender
264 @param context - sender context, to match reply w/ request
265 @param sw_if_index - Tunnel interface to protect
Neale Ranns28287212019-12-16 00:53:11 +0000266 @param nh - The peer/next-hop on the tunnel to which the traffic
267 should be protected. For a P2P interface set this to the
268 all 0s address.
Neale Rannsc87b66c2019-02-07 07:26:12 -0800269 @param sa_in - The ID [set] of inbound SAs
270 @param sa_out - The ID of outbound SA
271*/
272typedef ipsec_tunnel_protect
273{
  /* Shared type: embedded in ipsec_tunnel_protect_update (as tunnel) and in
     ipsec_tunnel_protect_details (as tun). */
274 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000275 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800276 u32 sa_out;
  /* sa_in is a variable-length array whose element count is n_sa_in; as a
     u8 the count is at most 255.
     NOTE(review): the count is supplied by the client. The handler (not
     visible here) should check it against the received message length
     before reading sa_in, and reject SA ids that do not exist - confirm. */
277 u8 n_sa_in;
278 u32 sa_in[n_sa_in];
279};
280
281autoreply define ipsec_tunnel_protect_update
282{
  /* Add or update the protection described by tunnel (interface, next-hop,
     outbound SA and inbound SA set); see the ipsec_tunnel_protect typedef.
     client_index - opaque cookie to identify the sender
     context      - sender context, to match reply w/ request */
283 u32 client_index;
284 u32 context;
285
286 vl_api_ipsec_tunnel_protect_t tunnel;
287};
288
289autoreply define ipsec_tunnel_protect_del
290{
  /* Remove tunnel protection. The protection is identified by sw_if_index
     and nh only; no SA ids are passed.
     NOTE(review): what happens to traffic on the tunnel once protection is
     removed is not stated here; confirm it is not forwarded in the clear
     before relying on this in a teardown sequence. */
291 u32 client_index;
292 u32 context;
293
294 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000295 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800296};
297
Neale Ranns12989b52019-09-26 16:20:19 +0000298/**
299 * @brief Dump all tunnel protections
300 */
Neale Rannsc87b66c2019-02-07 07:26:12 -0800301define ipsec_tunnel_protect_dump
302{
303 u32 client_index;
304 u32 context;
305 vl_api_interface_index_t sw_if_index;
306};
307
308define ipsec_tunnel_protect_details
309{
  /* Reply to ipsec_tunnel_protect_dump, presumably one message per
     protection - confirm.
     context - sender context which was passed in the request
     tun     - the protection: interface, next-hop, outbound SA id and the
               inbound SA id set */
310 u32 context;
311 vl_api_ipsec_tunnel_protect_t tun;
312};
313
Filip Varga871bca92018-11-02 13:51:44 +0100314/** \brief IPsec: Get SPD interfaces
315 @param client_index - opaque cookie to identify the sender
316 @param context - sender context, to match reply w/ request
317 @param spd_index - SPD index
318 @param spd_index_valid - if 1 spd_index is used to filter
319 spd_index's, if 0 no filtering is done
320*/
321define ipsec_spd_interface_dump {
322 u32 client_index;
323 u32 context;
324 u32 spd_index;
325 u8 spd_index_valid;
326};
327
328/** \brief IPsec: SPD interface response
329 @param context - sender context which was passed in the request
330 @param spd_index - SPD index
331 @param sw_if_index - index of the interface
332*/
333define ipsec_spd_interface_details {
334 u32 context;
335 u32 spd_index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100336 vl_api_interface_index_t sw_if_index;
Filip Varga871bca92018-11-02 13:51:44 +0100337};
338
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000339typedef ipsec_itf
340{
  /* Description of an IPsec interface; used by ipsec_itf_create and
     ipsec_itf_details.
     user_instance - defaults to 0xffffffff when the client does not set
                     it; presumably that value asks VPP to pick the
                     instance number - confirm
     mode          - tunnel mode (type declared in tunnel_types.api)
     sw_if_index   - interface index; presumably only meaningful in
                     details replies, since ipsec_itf_create_reply returns
                     the new index separately - confirm */
341 u32 user_instance [default=0xffffffff];
342 vl_api_tunnel_mode_t mode;
343 vl_api_interface_index_t sw_if_index;
344};
345
346/** \brief Create an IPSec interface
347 */
348define ipsec_itf_create {
349 u32 client_index;
350 u32 context;
351 vl_api_ipsec_itf_t itf;
352};
353
354/** \brief Add IPsec interface response
355 @param context - sender context, to match reply w/ request
356 @param retval - return status
357 @param sw_if_index - sw_if_index of new interface (for successful add)
358*/
359define ipsec_itf_create_reply
360{
361 u32 context;
362 i32 retval;
363 vl_api_interface_index_t sw_if_index;
364};
365
366autoreply define ipsec_itf_delete
367{
  /* Delete the IPsec interface identified by sw_if_index.
     client_index - opaque cookie to identify the sender
     context      - sender context, to match reply w/ request */
368 u32 client_index;
369 u32 context;
370 vl_api_interface_index_t sw_if_index;
371};
372
373define ipsec_itf_dump
374{
  /* Dump IPsec interfaces; answered with ipsec_itf_details.
     sw_if_index - presumably a filter, with ~0 meaning all interfaces, as
                   the sa_id fields of the SA dump messages are documented
                   - confirm */
375 u32 client_index;
376 u32 context;
377 vl_api_interface_index_t sw_if_index;
378};
379
380define ipsec_itf_details
381{
  /* Reply to ipsec_itf_dump.
     context - sender context which was passed in the request
     itf     - the interface description (see the ipsec_itf typedef) */
382 u32 context;
383 vl_api_ipsec_itf_t itf;
384};
385
Matthew Smith28029532017-09-26 13:33:44 -0500386/** \brief Dump IPsec security association
387 @param client_index - opaque cookie to identify the sender
388 @param context - sender context, to match reply w/ request
389 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
390*/
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000391define ipsec_sa_dump
392{
  /* Deprecated. ipsec_sa_v2_dump and ipsec_sa_v3_dump in this file take
     the same fields and are not marked deprecated. Presumably answered
     with ipsec_sa_details - confirm. */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000393 option deprecated;
Matthew Smith28029532017-09-26 13:33:44 -0500394 u32 client_index;
395 u32 context;
396 u32 sa_id;
397};
Neale Ranns041add72020-01-02 04:06:10 +0000398define ipsec_sa_v2_dump
399{
  /* Same request fields as ipsec_sa_dump; presumably answered with
     ipsec_sa_v2_details - confirm.
     sa_id - presumably ~0 dumps all SAs, as documented for ipsec_sa_dump
             - confirm */
400 u32 client_index;
401 u32 context;
402 u32 sa_id;
403};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000404define ipsec_sa_v3_dump
405{
  /* Same request fields as ipsec_sa_dump; presumably answered with
     ipsec_sa_v3_details - confirm.
     sa_id - presumably ~0 dumps all SAs, as documented for ipsec_sa_dump
             - confirm */
406 u32 client_index;
407 u32 context;
408 u32 sa_id;
409};
Matthew Smith28029532017-09-26 13:33:44 -0500410
411/** \brief IPsec security association database response
412 @param context - sender context which was passed in the request
Neale Ranns041add72020-01-02 04:06:10 +0000413 @param entry - The SA details
Matthew Smith28029532017-09-26 13:33:44 -0500414 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100415 @param salt - 4 byte salt
Matthew Smith28029532017-09-26 13:33:44 -0500416 @param seq - current sequence number for outbound
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100417 @param seq_hi - high 32 bits of ESN for outbound
Matthew Smith28029532017-09-26 13:33:44 -0500418 @param last_seq - highest sequence number received inbound
419 @param last_seq_hi - high 32 bits of highest ESN received inbound
420 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
Matthew Smith48d32b42020-04-02 07:45:49 -0500421 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
Matthew Smith28029532017-09-26 13:33:44 -0500422*/
423define ipsec_sa_details {
  /* Deprecated SA dump reply; ipsec_sa_v2_details and ipsec_sa_v3_details
     are not marked deprecated.
     NOTE(review): the header comment names seq, seq_hi, last_seq and
     last_seq_hi; the fields actually sent are the 64-bit seq_outbound and
     last_seq_inbound.
     NOTE(review): this reply returns the salt together with the whole SAD
     entry. The entry type is declared in ipsec_types.api, not shown here;
     if it includes the SA keys, any client able to issue the dump can read
     them, so API access should be limited accordingly - confirm. */
Neale Ranns9ec846c2021-02-09 14:04:02 +0000424 option deprecated;
Matthew Smith28029532017-09-26 13:33:44 -0500425 u32 context;
Neale Ranns8d7c5022019-02-06 01:41:05 -0800426 vl_api_ipsec_sad_entry_t entry;
427
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100428 vl_api_interface_index_t sw_if_index;
Matthew Smith28029532017-09-26 13:33:44 -0500429 u32 salt;
430 u64 seq_outbound;
431 u64 last_seq_inbound;
432 u64 replay_window;
433
Matthew Smith48d32b42020-04-02 07:45:49 -0500434 u32 stat_index;
Matthew Smith28029532017-09-26 13:33:44 -0500435};
Neale Ranns041add72020-01-02 04:06:10 +0000436define ipsec_sa_v2_details {
  /* SA dump reply with the v2 entry layout. Field list is the same as
     ipsec_sa_details except for the entry type; it still returns salt
     alongside the entry.
     NOTE(review): if vl_api_ipsec_sad_entry_v2_t (declared in
     ipsec_types.api) includes key material, this reply exposes it to the
     requesting client - confirm. */
437 u32 context;
438 vl_api_ipsec_sad_entry_v2_t entry;
439
440 vl_api_interface_index_t sw_if_index;
441 u32 salt;
442 u64 seq_outbound;
443 u64 last_seq_inbound;
444 u64 replay_window;
445
446 u32 stat_index;
447};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000448define ipsec_sa_v3_details {
  /* SA dump reply with the v3 entry layout. Unlike ipsec_sa_details and
     ipsec_sa_v2_details, this message has no separate salt field.
     seq_outbound     - 64-bit outbound sequence number
     last_seq_inbound - 64-bit inbound sequence number
     replay_window    - 64-bit anti-replay bitmap (see the ipsec_sa_details
                        header comment)
     NOTE(review): whether the v3 entry type itself carries salt or keys
     cannot be seen from this file - confirm in ipsec_types.api. */
449 u32 context;
450 vl_api_ipsec_sad_entry_v3_t entry;
451
452 vl_api_interface_index_t sw_if_index;
453 u64 seq_outbound;
454 u64 last_seq_inbound;
455 u64 replay_window;
456
457 u32 stat_index;
458};
Matthew Smith28029532017-09-26 13:33:44 -0500459
Klement Sekerab4d30532018-11-08 13:00:02 +0100460/** \brief Dump IPsec backends
461 @param client_index - opaque cookie to identify the sender
462 @param context - sender context, to match reply w/ request
463*/
464define ipsec_backend_dump {
465 u32 client_index;
466 u32 context;
467};
468
469/** \brief IPsec backend details
470 @param name - name of the backend
471 @param protocol - IPsec protocol (value from ipsec_protocol_t)
472 @param index - backend index
473 @param active - set to 1 if the backend is active, otherwise 0
474*/
475define ipsec_backend_details {
476 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100477 string name[128];
Neale Ranns17dcec02019-01-09 21:22:20 -0800478 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100479 u8 index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100480 bool active;
Klement Sekerab4d30532018-11-08 13:00:02 +0100481};
482
483/** \brief Select IPsec backend
484 @param client_index - opaque cookie to identify the sender
485 @param context - sender context, to match reply w/ request
486 @param protocol - IPsec protocol (value from ipsec_protocol_t)
487 @param index - backend index
488*/
489autoreply define ipsec_select_backend {
490 u32 client_index;
491 u32 context;
Neale Ranns17dcec02019-01-09 21:22:20 -0800492 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100493 u8 index;
494};
495
Yulong Pei2e84d662020-08-14 18:21:08 +0800496
497/** \brief IPsec Set Async mode
498 @param client_index - opaque cookie to identify the sender
499 @param context - sender context, to match reply w/ request
500 @param async_enable - ipsec async mode on or off
501*/
502autoreply define ipsec_set_async_mode {
503 u32 client_index;
504 u32 context;
505 bool async_enable;
506};
507
Neale Ranns93688d72022-08-09 03:34:51 +0000508counters esp_decrypt {
  /* Counter set for ESP decryption. The paths block at the end of this
     file binds it to the /err/esp4-decrypt* and /err/esp6-decrypt* stat
     paths. Every entry is a 64-bit packet counter; severity info marks
     normal-path counts, severity error marks failures.
     For monitoring, decryption_failed, integ_error and replay are the
     entries that record failed decryption, failed integrity checks and
     replayed packets on received ESP traffic. */
509 rx_pkts {
510 severity info;
511 type counter64;
512 units "packets";
513 description "ESP pkts received";
514 };
515 rx_post_pkts {
516 severity info;
517 type counter64;
518 units "packets";
519 description "ESP-POST pkts received";
520 };
521 handoff {
522 severity info;
523 type counter64;
524 units "packets";
525 description "hand-off";
526 };
527 decryption_failed {
528 severity error;
529 type counter64;
530 units "packets";
531 description "ESP decryption failed";
532 };
533 integ_error {
534 severity error;
535 type counter64;
536 units "packets";
537 description "integrity check failed";
538 };
539 crypto_engine_error {
540 severity error;
541 type counter64;
542 units "packets";
543 description "crypto engine error (packet dropped)";
544 };
545 replay {
546 severity error;
547 type counter64;
548 units "packets";
549 description "SA replayed packet";
550 };
551 runt {
552 severity error;
553 type counter64;
554 units "packets";
555 description "undersized packet";
556 };
557 no_buffers {
558 severity error;
559 type counter64;
560 units "packets";
561 description "no buffers (packet dropped)";
562 };
563 oversized_header {
564 severity error;
565 type counter64;
566 units "packets";
567 description "buffer with oversized header (dropped)";
568 };
569 no_tail_space {
570 severity error;
571 type counter64;
572 units "packets";
573 description "no enough buffer tail space (dropped)";
574 };
575 tun_no_proto {
576 severity error;
577 type counter64;
578 units "packets";
579 description "no tunnel protocol";
580 };
581 unsup_payload {
582 severity error;
583 type counter64;
584 units "packets";
585 description "unsupported payload";
586 };
587};
588
589counters esp_encrypt {
  /* Counter set for ESP encryption. The paths block at the end of this
     file binds it to the /err/esp4-encrypt*, /err/esp6-encrypt* and
     /err/esp-mpls-encrypt-tun* stat paths.
     no_protection and no_encryption are both described as
     "(packet dropped)": a packet with no usable SA is counted as dropped,
     not as sent unprotected.
     seq_cycled counts packets dropped because the sequence number cycled;
     presumably the SA must be rekeyed once this is non-zero - confirm. */
590 rx_pkts {
591 severity info;
592 type counter64;
593 units "packets";
594 description "ESP pkts received";
595 };
596 post_rx_pkts {
597 severity info;
598 type counter64;
599 units "packets";
600 description "ESP-post pkts received";
601 };
602 handoff {
603 severity info;
604 type counter64;
605 units "packets";
606 description "Hand-off";
607 };
608 seq_cycled {
609 severity error;
610 type counter64;
611 units "packets";
612 description "sequence number cycled (packet dropped)";
613 };
614 crypto_engine_error {
615 severity error;
616 type counter64;
617 units "packets";
618 description "crypto engine error (packet dropped)";
619 };
620 crypto_queue_full {
621 severity error;
622 type counter64;
623 units "packets";
624 description "crypto queue full (packet dropped)";
625 };
626 no_buffers {
627 severity error;
628 type counter64;
629 units "packets";
630 description "no buffers (packet dropped)";
631 };
632 no_protection {
633 severity error;
634 type counter64;
635 units "packets";
636 description "no protecting SA (packet dropped)";
637 };
638 no_encryption {
639 severity error;
640 type counter64;
641 units "packets";
642 description "no Encrypting SA (packet dropped)";
643 };
644};
645
646counters ah_encrypt {
  /* Counter set for the AH outbound path. The paths block at the end of
     this file binds it to /err/ah4-encrypt and /err/ah6-encrypt.
     seq_cycled counts packets dropped because the sequence number
     cycled. */
647 rx_pkts {
648 severity info;
649 type counter64;
650 units "packets";
651 description "AH pkts received";
652 };
653 crypto_engine_error {
654 severity error;
655 type counter64;
656 units "packets";
657 description "crypto engine error (packet dropped)";
658 };
659 seq_cycled {
660 severity error;
661 type counter64;
662 units "packets";
663 description "sequence number cycled (packet dropped)";
664 };
665};
666
667counters ah_decrypt {
  /* Counter set for the AH inbound path: integrity failures, replayed
     packets, dropped fragments and buffer-space drops.
     NOTE(review): the paths block at the end of this file has no entry
     that names ah_decrypt, so within this file the set is not bound to
     any stat path. Confirm the binding exists elsewhere before relying on
     integ_error or replay here for monitoring. */
668 rx_pkts {
669 severity info;
670 type counter64;
671 units "packets";
672 description "AH pkts received";
673 };
674 decryption_failed {
675 severity error;
676 type counter64;
677 units "packets";
678 description "AH decryption failed";
679 };
680 integ_error {
681 severity error;
682 type counter64;
683 units "packets";
684 description "Integrity check failed";
685 };
686 no_tail_space {
687 severity error;
688 type counter64;
689 units "packets";
690 description "not enough buffer tail space (dropped)";
691 };
692 drop_fragments {
693 severity error;
694 type counter64;
695 units "packets";
696 description "IP fragments drop";
697 };
698 replay {
699 severity error;
700 type counter64;
701 units "packets";
702 description "SA replayed packet";
703 };
704};
705
706counters ipsec_tun {
  /* Counter set for IPsec tunnel input. The paths block at the end of
     this file binds it to /err/ipsec4-tun-input and
     /err/ipsec6-tun-input.
     no_tunnel and tunnel_mismatch count received packets that did not
     match a configured tunnel or whose SPI did not match the tunnel;
     disabled counts IPsec packets arriving on a disabled interface.
     nat_keepalive and spi_0 are severity info, i.e. counted but not
     treated as errors. */
707 rx {
708 severity info;
709 type counter64;
710 units "packets";
711 description "good packets received";
712 };
713 disabled {
714 severity error;
715 type counter64;
716 units "packets";
717 description "ipsec packets received on disabled interface";
718 };
719 no_tunnel {
720 severity error;
721 type counter64;
722 units "packets";
723 description "no matching tunnel";
724 };
725 tunnel_mismatch {
726 severity error;
727 type counter64;
728 units "packets";
729 description "SPI-tunnel mismatch";
730 };
731 nat_keepalive {
732 severity info;
733 type counter64;
734 units "packets";
735 description "NAT Keepalive";
736 };
737 too_short {
738 severity error;
739 type counter64;
740 units "packets";
741 description "Too Short";
742 };
743 spi_0 {
744 severity info;
745 type counter64;
746 units "packets";
747 description "SPI 0";
748 };
749};
750
751paths {
  /* Each entry pairs a stat path (left) with the name of one of the
     counter sets defined above (right). Several paths share one set: all
     ESP encrypt paths use esp_encrypt, all ESP decrypt paths use
     esp_decrypt.
     NOTE(review): ah_encrypt is bound for ah4/ah6, but no entry binds the
     ah_decrypt set, and there is no decrypt counterpart to the
     esp-mpls-encrypt-tun paths. Confirm whether the AH decrypt binding is
     intentionally absent; without it the AH integrity and replay counters
     are not reachable through a path listed here. */
752 "/err/esp4-encrypt" "esp_encrypt";
753 "/err/esp4-encrypt-post" "esp_encrypt";
754 "/err/esp4-encrypt-tun" "esp_encrypt";
755 "/err/esp4-encrypt-tun-post" "esp_encrypt";
756 "/err/esp6-encrypt" "esp_encrypt";
757 "/err/esp6-encrypt-post" "esp_encrypt";
758 "/err/esp6-encrypt-tun" "esp_encrypt";
759 "/err/esp6-encrypt-tun-post" "esp_encrypt";
760 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
761 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
762 "/err/esp4-decrypt" "esp_decrypt";
763 "/err/esp4-decrypt-post" "esp_decrypt";
764 "/err/esp4-decrypt-tun" "esp_decrypt";
765 "/err/esp4-decrypt-tun-post" "esp_decrypt";
766 "/err/esp6-decrypt" "esp_decrypt";
767 "/err/esp6-decrypt-post" "esp_decrypt";
768 "/err/esp6-decrypt-tun" "esp_decrypt";
769 "/err/esp6-decrypt-tun-post" "esp_decrypt";
770 "/err/ah4-encrypt" "ah_encrypt";
771 "/err/ah6-encrypt" "ah_encrypt";
772 "/err/ipsec4-tun-input" "ipsec_tun";
773 "/err/ipsec6-tun-input" "ipsec_tun";
774};
775
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100776/*
777 * Local Variables:
778 * eval: (c-set-style "gnu")
779 * End:
780 */