/*
 * Extract of a source listing: a leading number is the line number in the
 * original file, un-numbered lines continue the statement above them, and
 * original lines that are not shown are simply absent from this extract.
 *
 * Error list for the IPsec interface input node. The two `_` definitions
 * (original lines 37 and 44) expand each entry once into its description
 * string and once into an IPSEC_IF_INPUT_ERROR_<sym> identifier.
 * The list continues past TOO_SHORT (note the trailing backslash);
 * IPSEC_IF_INPUT_ERROR_SPI_0, used on original line 86, presumably comes from
 * an entry that is not visible here.
 */
28 #define foreach_ipsec_if_input_error \ 29 _(RX, "good packets received") \ 30 _(DISABLED, "ipsec packets received on disabled interface") \ 31 _(NO_TUNNEL, "no matching tunnel") \ 32 _(NAT_KEEPALIVE, "NAT Keepalive") \ 33 _(TOO_SHORT, "Too Short") \ 37 #define _(sym,string) string, 44 #define _(sym,str) IPSEC_IF_INPUT_ERROR_##sym, 70 s =
format (s,
"IPSec: %U seq %u",
/* Second trace-format call with the same format string; the arguments of both
 * calls, and the condition choosing between them, are not shown. */
73 s =
format (s,
"IPSec: %U seq %u",
/*
 * Fragments of the "no matching tunnel" handling; presumably the bodies of
 * ipsec_ip4_if_no_tunnel / ipsec_ip6_if_no_tunnel, whose signatures appear in
 * the reference list at the end of this page.
 * The buffer is tagged with either the SPI_0 or the NO_TUNNEL error; the
 * condition that selects between them is not visible.
 */
86 b->
error = node->
errors[IPSEC_IF_INPUT_ERROR_SPI_0];
/* Tail of an index expression choosing one of two IPv4 punt reasons. */
89 IPSEC_PUNT_IP4_SPI_UDP_0 :
90 IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)];
94 b->
error = node->
errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
/* Unmatched packets go to the punt next node rather than being dropped here.
 * NOTE(review): nothing visible has authenticated these packets; confirm that
 * whatever consumes the punt path treats them as untrusted input. */
98 return IPSEC_INPUT_NEXT_PUNT;
/* Second handler fragment: same NO_TUNNEL error and punt disposition. */
106 b->
error = node->
errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
110 return (IPSEC_INPUT_NEXT_PUNT);
/* Locals of the input routine (presumably ipsec_if_input_inline, listed in the
 * reference section of this page). */
124 u32 n_left_from, *from;
/* Running totals; their use is only partly visible (n_packets and n_bytes are
 * passed to a counter update on original line 664). */
137 u64 n_bytes = 0, n_packets = 0;
138 u32 n_disabled = 0, n_no_tunnel = 0;
/* One-entry cache carried from packet to packet: last interface, last tunnel
 * id, and the last IPv4 / IPv6 tunnel key. */
140 u32 last_sw_if_index = ~0;
141 u32 last_tunnel_id = ~0;
142 ipsec4_tunnel_key_t last_key4;
143 ipsec6_tunnel_key_t last_key6;
/* Both cached keys start as all-ones bytes. The loops below reuse
 * last_tunnel_id (still ~0 at this point) whenever a packet's key compares
 * equal to the cached key.
 * NOTE(review): that is only safe if no received key can equal the all-ones
 * sentinel; this extract shows no such guarantee -- confirm. */
149 clib_memset (&last_key6, 0xff,
sizeof (last_key6));
151 last_key4.as_u64 = ~0;
/* Dual loop: handles two buffers (b[0], b[1]) per iteration while at least two
 * remain. Many original lines are missing between the fragments below. */
156 while (n_left_from >= 2)
158 u32 sw_if_index0, sw_if_index1;
163 u16 buf_adv0, buf_adv1;
164 u16 buf_rewind0, buf_rewind1;
167 ipsec4_tunnel_key_t key40, key41;
168 ipsec6_tunnel_key_t key60, key61;
/* Body not shown; presumably prefetch of the following buffers (CLIB_PREFETCH
 * is in this page's reference list) -- confirm. */
170 if (n_left_from >= 4)
/* UDP-carried packets get separate handling for each buffer; bodies not shown. */
195 if (ip40->
protocol == IP_PROTOCOL_UDP)
209 if (ip41->
protocol == IP_PROTOCOL_UDP)
/* ---- packet 0 ---- */
/* One of two errors is recorded (the selecting condition is not visible) and
 * the packet is sent to the drop next node.
 * NOTE(review): these lines precede the esp0->spi read in the original line
 * numbering, which suggests the length check comes first; the guarding
 * condition itself is not shown -- confirm. */
235 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
237 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
239 next[0] = IPSEC_INPUT_NEXT_DROP;
/* IPv6 key: the SPI is copied from the ESP header (esp0 presumably points into
 * the received packet, so this value is sender-controlled). */
246 key60.spi = esp0->
spi;
/* Cache hit: a key equal to the cached one reuses the cached tunnel id and
 * skips the lookup. */
248 if (memcmp (&key60, &last_key6,
sizeof (last_key6)) == 0)
250 tid0 = last_tunnel_id;
/* Miss path (lookup not shown): remember the tunnel id just found. */
259 last_tunnel_id = tid0;
/* IPv4 key: same scheme, compared as a single 64-bit value. */
274 key40.spi = esp0->
spi;
276 if (key40.as_u64 == last_key4.as_u64)
278 tid0 = last_tunnel_id;
287 last_tunnel_id = tid0;
288 last_key4.as_u64 = key40.as_u64;
/* Argument list of a counter update whose callee is on a line not shown
 * (presumably vlib_increment_combined_counter): one packet of len0 bytes is
 * charged to sw_if_index0's drop counter, then the packet is dropped with the
 * DISABLED error. */
312 (drop_counter, thread_index, sw_if_index0, 1, len0);
314 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_DISABLED];
315 next[0] = IPSEC_INPUT_NEXT_DROP;
/* RX accounting is keyed on last_sw_if_index: a counter update for the previous
 * interface (remaining arguments not shown), then the new interface becomes
 * current. */
329 (rx_counter, thread_index, last_sw_if_index,
333 last_sw_if_index = sw_if_index0;
/* ---- packet 1: mirrors the packet-0 handling above ---- */
344 b[1]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
346 b[1]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
348 next[1] = IPSEC_INPUT_NEXT_DROP;
355 key61.spi = esp1->
spi;
357 if (memcmp (&key61, &last_key6,
sizeof (last_key6)) == 0)
359 tid1 = last_tunnel_id;
368 last_tunnel_id = tid1;
383 key41.spi = esp1->
spi;
385 if (key41.as_u64 == last_key4.as_u64)
387 tid1 = last_tunnel_id;
396 last_tunnel_id = tid1;
397 last_key4.as_u64 = key41.as_u64;
421 (drop_counter, thread_index, sw_if_index1, 1, len1);
423 b[1]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_DISABLED];
424 next[1] = IPSEC_INPUT_NEXT_DROP;
438 (rx_counter, thread_index, last_sw_if_index,
442 last_sw_if_index = sw_if_index1;
/* Tracing, only for buffers flagged as traced. The sequence number is read
 * from the ESP header only when a size comparison against sizeof (*esp0)
 * passes (its left-hand side is not shown); otherwise ~0 is recorded. */
451 if (b[0]->
flags & VLIB_BUFFER_IS_TRACED)
462 sizeof (*esp0) ? clib_host_to_net_u32 (esp0->
seq) : ~0;
464 if (b[1]->
flags & VLIB_BUFFER_IS_TRACED)
475 sizeof (*esp1) ? clib_host_to_net_u32 (esp1->
seq) : ~0;
/* Single loop: handles the remaining buffers one at a time, with the same
 * steps as the dual loop. Many original lines are missing between fragments. */
484 while (n_left_from > 0)
491 u16 buf_adv0, buf_rewind0;
494 ipsec4_tunnel_key_t key40;
495 ipsec6_tunnel_key_t key60;
/* UDP-carried packets get separate handling; body not shown. */
509 if (ip40->
protocol == IP_PROTOCOL_UDP)
/* One of two errors is recorded (selecting condition not visible) and the
 * packet is sent to the drop next node. */
532 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
534 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
536 next[0] = IPSEC_INPUT_NEXT_DROP;
/* IPv6 key: SPI copied from the ESP header, then compared with the cached key;
 * an equal key reuses last_tunnel_id without a lookup.
 * NOTE(review): the cache starts out holding an all-ones key with
 * last_tunnel_id == ~0 (original lines 141-151); confirm a received key can
 * never match that initial state. */
543 key60.spi = esp0->
spi;
545 if (memcmp (&key60, &last_key6,
sizeof (last_key6)) == 0)
547 tid0 = last_tunnel_id;
/* Miss path (lookup not shown): remember the tunnel id just found. */
556 last_tunnel_id = tid0;
/* IPv4 key: same scheme, compared as a single 64-bit value. */
571 key40.spi = esp0->
spi;
573 if (key40.as_u64 == last_key4.as_u64)
575 tid0 = last_tunnel_id;
584 last_tunnel_id = tid0;
585 last_key4.as_u64 = key40.as_u64;
/* Drop accounting: one packet of len0 bytes against sw_if_index0 (callee on a
 * line not shown), then drop with the DISABLED error. */
609 (drop_counter, thread_index, sw_if_index0, 1, len0);
611 b[0]->
error = node->
errors[IPSEC_IF_INPUT_ERROR_DISABLED];
612 next[0] = IPSEC_INPUT_NEXT_DROP;
/* RX accounting keyed on last_sw_if_index, as in the dual loop. */
626 (rx_counter, thread_index, last_sw_if_index,
630 last_sw_if_index = sw_if_index0;
/* Trace record: sequence number only if the (partly hidden) size check against
 * sizeof (*esp0) passes, else ~0. */
639 if (b[0]->
flags & VLIB_BUFFER_IS_TRACED)
650 sizeof (*esp0) ? clib_host_to_net_u32 (esp0->
seq) : ~0;
/* After the loops: tail of a counter update passing the accumulated n_packets
 * and n_bytes for last_sw_if_index (callee not shown). */
664 last_sw_if_index, n_packets, n_bytes);
/* Argument of a call on a line not shown; presumably the node's RX error
 * counter being incremented (vlib_node_increment_counter is in this page's
 * reference list) -- confirm. */
668 IPSEC_IF_INPUT_ERROR_RX,
/*
 * Fragments of two node registrations (VLIB_REGISTER_NODE for
 * ipsec4_if_input_node and ipsec6_if_input_node appear in this page's
 * reference list). Each node is named, takes vector elements of
 * sizeof (u32), and is declared a sibling of the matching
 * "ipsecN-input-feature" node. Other registration fields are not shown.
 */
686 .name =
"ipsec4-if-input",
687 .vector_size =
sizeof (
u32),
692 .sibling_of =
"ipsec4-input-feature",
/* IPv6 counterpart of the registration above. */
705 .name =
"ipsec6-if-input",
706 .vector_size =
sizeof (
u32),
711 .sibling_of =
"ipsec6-input-feature",
ipsec_tunnel_if_t * tunnel_interfaces
static void vlib_increment_combined_counter(vlib_combined_counter_main_t *cm, u32 thread_index, u32 index, u64 n_packets, u64 n_bytes)
Increment a combined counter.
vlib_node_registration_t ipsec4_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_if_input_node)
uword * ipsec4_if_pool_index_by_key
vnet_interface_main_t interface_main
#define foreach_ipsec_if_input_error
#define clib_memcpy_fast(a, b, c)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
static u8 * format_ipsec_if_input_trace(u8 *s, va_list *args)
#define VLIB_NODE_FN(node)
vlib_error_t * errors
Vector of errors for this node.
static u16 ipsec_ip4_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp, const ip4_header_t *ip4, u16 offset)
static uword vlib_buffer_length_in_chain(vlib_main_t *vm, vlib_buffer_t *b)
Get length in bytes of the buffer chain.
#define clib_memcpy(d, s, n)
uword * ipsec6_if_pool_index_by_key
vlib_combined_counter_main_t * combined_sw_if_counters
u32 esp4_decrypt_next_index
vl_api_fib_path_type_t type
vlib_error_t error
Error code for buffers to be enqueued to error handler.
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static u16 ipsec_ip6_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp, u16 offset)
u32 node_index
Node index.
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
vlib_punt_reason_t ipsec_punt_reason[IPSEC_PUNT_N_REASONS]
#define VLIB_REGISTER_NODE(x,...)
#define CLIB_PREFETCH(addr, size, type)
static_always_inline void vlib_buffer_enqueue_to_next(vlib_main_t *vm, vlib_node_runtime_t *node, u32 *buffers, u16 *nexts, uword count)
vlib_node_registration_t ipsec6_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_if_input_node)
static char * ipsec_if_input_error_strings[]
vnet_hw_interface_flags_t flags
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
static_always_inline void clib_memset_u16(void *p, u16 val, uword count)
template key/value backing page structure
VLIB buffer representation.
static uword ipsec_if_input_inline(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame, int is_ip6)
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
A collection of combined counters.
#define hash_get_mem(h, key)
u16 flags
Copy of main node flags.
static int ip4_header_bytes(const ip4_header_t *i)
static_always_inline void vlib_get_buffers(vlib_main_t *vm, u32 *bi, vlib_buffer_t **b, int count)
Translate array of buffer indices into buffer pointers.
#define VLIB_NODE_FLAG_TRACE
#define CLIB_CACHE_LINE_BYTES