30 #define foreach_ipsec_tun_protect_input_error \ 31 _(RX, "good packets received") \ 32 _(DISABLED, "ipsec packets received on disabled interface") \ 33 _(NO_TUNNEL, "no matching tunnel") \ 34 _(TUNNEL_MISMATCH, "SPI-tunnel mismatch") \ 35 _(NAT_KEEPALIVE, "NAT Keepalive") \ 36 _(TOO_SHORT, "Too Short") \ 40 #define _(sym,string) string, 47 #define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym, 55 #define _(v, s) IPSEC_TUN_PROTECT_NEXT_##v, 82 s =
format (s,
"IPSec: %U seq %u",
85 s =
format (s,
"IPSec: %U seq %u",
97 b->
error = node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0];
99 IPSEC_PUNT_IP4_SPI_UDP_0 :
100 IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)];
104 b->
error = node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
107 return IPSEC_INPUT_NEXT_PUNT;
114 b->
error = node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
117 return (IPSEC_INPUT_NEXT_PUNT);
131 u32 n_left_from, *from;
144 u64 n_bytes = 0, n_packets = 0;
145 u32 n_disabled = 0, n_no_tunnel = 0;
147 u32 last_sw_if_index = ~0;
151 ipsec4_tunnel_key_t last_key4;
152 ipsec6_tunnel_key_t last_key6;
159 clib_memset (&last_key6, 0xff,
sizeof (last_key6));
161 last_key4.as_u64 = ~0;
166 while (n_left_from > 0)
168 u32 sw_if_index0, len0, hdr_sz0;
170 ipsec4_tunnel_key_t key40;
171 ipsec6_tunnel_key_t key60;
189 if (ip40->
protocol == IP_PROTOCOL_UDP)
213 node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NAT_KEEPALIVE];
216 node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
218 next[0] = IPSEC_INPUT_NEXT_DROP;
225 key60.spi = esp0->
spi;
227 if (memcmp (&key60, &last_key6,
sizeof (last_key6)) == 0)
251 key40.spi = esp0->
spi;
253 if (key40.as_u64 == last_key4.as_u64)
264 last_key4.
as_u64 = key40.as_u64;
286 (drop_counter, thread_index, sw_if_index0, 1, len0);
288 b[0]->
error = node->
errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
289 next[0] = IPSEC_INPUT_NEXT_DROP;
304 (rx_counter, thread_index, last_sw_if_index,
308 last_sw_if_index = sw_if_index0;
326 [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
327 next[0] = IPSEC_INPUT_NEXT_DROP;
341 [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
342 next[0] = IPSEC_INPUT_NEXT_DROP;
370 if (b[0]->
flags & VLIB_BUFFER_IS_TRACED)
381 sizeof (*esp0) ? clib_host_to_net_u32 (esp0->
seq) : ~0;
395 last_sw_if_index, n_packets, n_bytes);
399 IPSEC_TUN_PROTECT_INPUT_ERROR_RX,
418 .name =
"ipsec4-tun-input",
419 .vector_size =
sizeof (
u32),
426 [IPSEC_TUN_PROTECT_NEXT_DROP] =
"ip4-drop",
427 [IPSEC_TUN_PROTECT_NEXT_PUNT] =
"punt-dispatch",
443 .name =
"ipsec6-tun-input",
444 .vector_size =
sizeof (
u32),
451 [IPSEC_TUN_PROTECT_NEXT_DROP] =
"ip6-drop",
452 [IPSEC_TUN_PROTECT_NEXT_PUNT] =
"punt-dispatch",
static u16 ipsec_ip6_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp)
uword * tun6_protect_by_key
static void vlib_increment_combined_counter(vlib_combined_counter_main_t *cm, u32 thread_index, u32 index, u64 n_packets, u64 n_bytes)
Increment a combined counter.
ipsec_tun_protect_input_error_t
vnet_interface_main_t interface_main
#define clib_memcpy_fast(a, b, c)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
#define VLIB_NODE_FN(node)
vlib_error_t * errors
Vector of errors for this node.
static uword vlib_buffer_length_in_chain(vlib_main_t *vm, vlib_buffer_t *b)
Get length in bytes of the buffer chain.
static u16 ipsec_ip4_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp, const ip4_header_t *ip4)
#define clib_memcpy(d, s, n)
vlib_combined_counter_main_t * combined_sw_if_counters
u32 esp4_decrypt_next_index
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
vl_api_fib_path_type_t type
vlib_error_t error
Error code for buffers to be enqueued to error handler.
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static_always_inline int ip46_address_is_equal_v6(const ip46_address_t *ip46, const ip6_address_t *ip6)
u32 node_index
Node index.
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
vlib_punt_reason_t ipsec_punt_reason[IPSEC_PUNT_N_REASONS]
#define VLIB_REGISTER_NODE(x,...)
static_always_inline void vlib_buffer_enqueue_to_next(vlib_main_t *vm, vlib_node_runtime_t *node, u32 *buffers, u16 *nexts, uword count)
enum ipsec_tun_next_t_ ipsec_tun_next_t
ipsec_tun_protect_t * ipsec_protect_pool
Pool of tunnel protection objects.
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
static uword ipsec_tun_protect_input_inline(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame, int is_ip6)
static char * ipsec_tun_protect_input_error_strings[]
static uword vnet_sw_interface_is_admin_up(vnet_main_t *vnm, u32 sw_if_index)
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
static_always_inline void clib_memset_u16(void *p, u16 val, uword count)
VLIB buffer representation.
#define foreach_ipsec_tun_protect_input_error
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
ipsec_protect_flags_t itp_flags
vlib_node_registration_t ipsec6_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_tun_input_node)
A collection of combined counters.
#define hash_get_mem(h, key)
static_always_inline int ip46_address_is_equal_v4(const ip46_address_t *ip46, const ip4_address_t *ip4)
u16 flags
Copy of main node flags.
static int ip4_header_bytes(const ip4_header_t *i)
static_always_inline void vlib_get_buffers(vlib_main_t *vm, u32 *bi, vlib_buffer_t **b, int count)
Translate array of buffer indices into buffer pointers.
#define VLIB_NODE_FLAG_TRACE
static u8 * format_ipsec_tun_protect_input_trace(u8 *s, va_list *args)
#define foreach_ipsec_input_next
uword * tun4_protect_by_key