Skip to content

Commit 91ec9bd

Browse files
Clayton Yagerdavem330
Clayton Yager
authored and
davem330
committed
macsec: Fix traffic counters/statistics
OutOctetsProtected, OutOctetsEncrypted, InOctetsValidated, and InOctetsDecrypted were incrementing by the total number of octets in frames instead of by the number of octets of User Data in frames. The Controlled Port statistics ifOutOctets and ifInOctets were incrementing by the total number of octets instead of the number of octets of the MSDUs plus octets of the destination and source MAC addresses. The Controlled Port statistics ifInDiscards and ifInErrors were not incrementing each time the counters they aggregate were. The Controlled Port statistic ifInErrors was not included in the output of macsec_get_stats64 so the value was not present in ip commands output. The ReceiveSA counters InPktsNotValid, InPktsNotUsingSA, and InPktsUnusedSA were not incrementing. Signed-off-by: Clayton Yager <Clayton_Yager@selinc.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent a3e7b29 commit 91ec9bd

File tree

1 file changed

+49
-9
lines changed

1 file changed

+49
-9
lines changed

drivers/net/macsec.c

Lines changed: 49 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -162,6 +162,19 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
162162
return sa;
163163
}
164164

165+
static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc)
166+
{
167+
struct macsec_rx_sa *sa = NULL;
168+
int an;
169+
170+
for (an = 0; an < MACSEC_NUM_AN; an++) {
171+
sa = macsec_rxsa_get(rx_sc->sa[an]);
172+
if (sa)
173+
break;
174+
}
175+
return sa;
176+
}
177+
165178
static void free_rx_sc_rcu(struct rcu_head *head)
166179
{
167180
struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
@@ -500,18 +513,28 @@ static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
500513
skb->protocol = eth_hdr(skb)->h_proto;
501514
}
502515

516+
static unsigned int macsec_msdu_len(struct sk_buff *skb)
517+
{
518+
struct macsec_dev *macsec = macsec_priv(skb->dev);
519+
struct macsec_secy *secy = &macsec->secy;
520+
bool sci_present = macsec_skb_cb(skb)->has_sci;
521+
522+
return skb->len - macsec_hdr_len(sci_present) - secy->icv_len;
523+
}
524+
503525
static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
504526
struct macsec_tx_sa *tx_sa)
505527
{
528+
unsigned int msdu_len = macsec_msdu_len(skb);
506529
struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
507530

508531
u64_stats_update_begin(&txsc_stats->syncp);
509532
if (tx_sc->encrypt) {
510-
txsc_stats->stats.OutOctetsEncrypted += skb->len;
533+
txsc_stats->stats.OutOctetsEncrypted += msdu_len;
511534
txsc_stats->stats.OutPktsEncrypted++;
512535
this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
513536
} else {
514-
txsc_stats->stats.OutOctetsProtected += skb->len;
537+
txsc_stats->stats.OutOctetsProtected += msdu_len;
515538
txsc_stats->stats.OutPktsProtected++;
516539
this_cpu_inc(tx_sa->stats->OutPktsProtected);
517540
}
@@ -541,9 +564,10 @@ static void macsec_encrypt_done(struct crypto_async_request *base, int err)
541564
aead_request_free(macsec_skb_cb(skb)->req);
542565

543566
rcu_read_lock_bh();
544-
macsec_encrypt_finish(skb, dev);
545567
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
546-
len = skb->len;
568+
/* packet is encrypted/protected so tx_bytes must be calculated */
569+
len = macsec_msdu_len(skb) + 2 * ETH_ALEN;
570+
macsec_encrypt_finish(skb, dev);
547571
ret = dev_queue_xmit(skb);
548572
count_tx(dev, ret, len);
549573
rcu_read_unlock_bh();
@@ -702,6 +726,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
702726

703727
macsec_skb_cb(skb)->req = req;
704728
macsec_skb_cb(skb)->tx_sa = tx_sa;
729+
macsec_skb_cb(skb)->has_sci = sci_present;
705730
aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
706731

707732
dev_hold(skb->dev);
@@ -743,15 +768,17 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u
743768
u64_stats_update_begin(&rxsc_stats->syncp);
744769
rxsc_stats->stats.InPktsLate++;
745770
u64_stats_update_end(&rxsc_stats->syncp);
771+
secy->netdev->stats.rx_dropped++;
746772
return false;
747773
}
748774

749775
if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
776+
unsigned int msdu_len = macsec_msdu_len(skb);
750777
u64_stats_update_begin(&rxsc_stats->syncp);
751778
if (hdr->tci_an & MACSEC_TCI_E)
752-
rxsc_stats->stats.InOctetsDecrypted += skb->len;
779+
rxsc_stats->stats.InOctetsDecrypted += msdu_len;
753780
else
754-
rxsc_stats->stats.InOctetsValidated += skb->len;
781+
rxsc_stats->stats.InOctetsValidated += msdu_len;
755782
u64_stats_update_end(&rxsc_stats->syncp);
756783
}
757784

@@ -764,6 +791,8 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u
764791
u64_stats_update_begin(&rxsc_stats->syncp);
765792
rxsc_stats->stats.InPktsNotValid++;
766793
u64_stats_update_end(&rxsc_stats->syncp);
794+
this_cpu_inc(rx_sa->stats->InPktsNotValid);
795+
secy->netdev->stats.rx_errors++;
767796
return false;
768797
}
769798

@@ -856,9 +885,9 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err)
856885

857886
macsec_finalize_skb(skb, macsec->secy.icv_len,
858887
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
888+
len = skb->len;
859889
macsec_reset_skb(skb, macsec->secy.netdev);
860890

861-
len = skb->len;
862891
if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS)
863892
count_rx(dev, len);
864893

@@ -1049,6 +1078,7 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb)
10491078
u64_stats_update_begin(&secy_stats->syncp);
10501079
secy_stats->stats.InPktsNoTag++;
10511080
u64_stats_update_end(&secy_stats->syncp);
1081+
macsec->secy.netdev->stats.rx_dropped++;
10521082
continue;
10531083
}
10541084

@@ -1158,6 +1188,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
11581188
u64_stats_update_begin(&secy_stats->syncp);
11591189
secy_stats->stats.InPktsBadTag++;
11601190
u64_stats_update_end(&secy_stats->syncp);
1191+
secy->netdev->stats.rx_errors++;
11611192
goto drop_nosa;
11621193
}
11631194

@@ -1168,11 +1199,15 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
11681199
/* If validateFrames is Strict or the C bit in the
11691200
* SecTAG is set, discard
11701201
*/
1202+
struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc);
11711203
if (hdr->tci_an & MACSEC_TCI_C ||
11721204
secy->validate_frames == MACSEC_VALIDATE_STRICT) {
11731205
u64_stats_update_begin(&rxsc_stats->syncp);
11741206
rxsc_stats->stats.InPktsNotUsingSA++;
11751207
u64_stats_update_end(&rxsc_stats->syncp);
1208+
secy->netdev->stats.rx_errors++;
1209+
if (active_rx_sa)
1210+
this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA);
11761211
goto drop_nosa;
11771212
}
11781213

@@ -1182,6 +1217,8 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
11821217
u64_stats_update_begin(&rxsc_stats->syncp);
11831218
rxsc_stats->stats.InPktsUnusedSA++;
11841219
u64_stats_update_end(&rxsc_stats->syncp);
1220+
if (active_rx_sa)
1221+
this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA);
11851222
goto deliver;
11861223
}
11871224

@@ -1202,6 +1239,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
12021239
u64_stats_update_begin(&rxsc_stats->syncp);
12031240
rxsc_stats->stats.InPktsLate++;
12041241
u64_stats_update_end(&rxsc_stats->syncp);
1242+
macsec->secy.netdev->stats.rx_dropped++;
12051243
goto drop;
12061244
}
12071245
}
@@ -1230,14 +1268,14 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
12301268
deliver:
12311269
macsec_finalize_skb(skb, secy->icv_len,
12321270
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
1271+
len = skb->len;
12331272
macsec_reset_skb(skb, secy->netdev);
12341273

12351274
if (rx_sa)
12361275
macsec_rxsa_put(rx_sa);
12371276
macsec_rxsc_put(rx_sc);
12381277

12391278
skb_orphan(skb);
1240-
len = skb->len;
12411279
ret = gro_cells_receive(&macsec->gro_cells, skb);
12421280
if (ret == NET_RX_SUCCESS)
12431281
count_rx(dev, len);
@@ -1279,6 +1317,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
12791317
u64_stats_update_begin(&secy_stats->syncp);
12801318
secy_stats->stats.InPktsNoSCI++;
12811319
u64_stats_update_end(&secy_stats->syncp);
1320+
macsec->secy.netdev->stats.rx_errors++;
12821321
continue;
12831322
}
12841323

@@ -3404,6 +3443,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
34043443
return NETDEV_TX_OK;
34053444
}
34063445

3446+
len = skb->len;
34073447
skb = macsec_encrypt(skb, dev);
34083448
if (IS_ERR(skb)) {
34093449
if (PTR_ERR(skb) != -EINPROGRESS)
@@ -3414,7 +3454,6 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
34143454
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
34153455

34163456
macsec_encrypt_finish(skb, dev);
3417-
len = skb->len;
34183457
ret = dev_queue_xmit(skb);
34193458
count_tx(dev, ret, len);
34203459
return ret;
@@ -3662,6 +3701,7 @@ static void macsec_get_stats64(struct net_device *dev,
36623701

36633702
s->rx_dropped = dev->stats.rx_dropped;
36643703
s->tx_dropped = dev->stats.tx_dropped;
3704+
s->rx_errors = dev->stats.rx_errors;
36653705
}
36663706

36673707
static int macsec_get_iflink(const struct net_device *dev)

0 commit comments

Comments
 (0)