Skip to content

Commit

Permalink
net/mlx5e: Connect mlx5 IPsec statistics with XFRM core
Browse files Browse the repository at this point in the history 
Fill integrity, replay and bad trailer counters.

As an example, after simulating replay window attack with 5 packets:
[leonro@c ~]$ grep XfrmInStateSeqError /proc/net/xfrm_stat
XfrmInStateSeqError     	5
[leonro@c ~]$ sudo ip -s x s
<...>
	stats:
	  replay-window 0 replay 5 failed 0

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
  • Loading branch information
Leon Romanovsky authored and Saeed Mahameed committed Feb 6, 2024
1 parent f9f221c commit 6fb7f94
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -988,19 +988,37 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x)
{
struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
struct net *net = dev_net(x->xso.dev);
u64 packets, bytes, lastuse;

lockdep_assert(lockdep_is_held(&x->lock) ||
lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_cfg_mutex) ||
lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_state_lock));

if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ ||
x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
return;

if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_IN) {
mlx5_fc_query_cached(ipsec_rule->auth.fc, &bytes, &packets, &lastuse);
x->stats.integrity_failed += packets;
XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR, packets);

mlx5_fc_query_cached(ipsec_rule->trailer.fc, &bytes, &packets, &lastuse);
XFRM_ADD_STATS(net, LINUX_MIB_XFRMINHDRERROR, packets);
}

if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
return;

mlx5_fc_query_cached(ipsec_rule->fc, &bytes, &packets, &lastuse);
x->curlft.packets += packets;
x->curlft.bytes += bytes;

if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_IN) {
mlx5_fc_query_cached(ipsec_rule->replay.fc, &bytes, &packets, &lastuse);
x->stats.replay += packets;
XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR, packets);
}
}

static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
Expand Down

0 comments on commit 6fb7f94

Please sign in to comment.