bsd.own.mk: rename GCC_NO_* to CC_WNO_*

Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

remove unused

introduce some common variables for use in GCC warning disables:

GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)

use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.


we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.45.4; 1.45.6;
use librumpres

for 64 bit mips platforms where we built userland largely as n32 by
default, build a handful of tools as n64 so they work properly.

unfortunately, they're also static as dynamic n64 has a problem.

of these tools pstat is probably the lowest hanging fruit to convert
to sysctl. systat would be close were it not for the netstat screen,
which includes netstat itself.

the rest are difficult to perhaps foolish.


the upside is that netstat, pmap and fstat all work properly now.

branches: 1.43.2;
Format-string related warnings work fine now with both GCC 4.8 and
Clang.

Fix rump.{netstat,route} shows host's interface names in link local addresses

Interface names of IPv6 link local addresses are resolved
by getnameinfo(3). So we need to rump-ify it as well as
if_indextoname and getifaddrs.

print the timer flags.

use the common code from route.c

branches: 1.39.8;
Retire OSI network stack. OK core@

branches: 1.38.2;
remove KAME IPSEC, replaced by FAST_IPSEC

split the ipsec.c source file into the pfkey part which is shared
with FAST_IPSEC and KAME specific IPSEC statistics

branches: 1.36.2;
document non-literal format strings

Default to -Wno-sign-compare -Wno-pointer-sign for clang.
Push -Wno-array-bounds down to the cases that depend on it.
Selectively disable warnings for 3rd party software or non-trivial
issues to be reviewed later to get clang -Werror to build most of the
tree.

Reduces the resources demanded by TCP sessions in TIME_WAIT-state using
methods called Vestigial Time-Wait (VTW) and Maximum Segment Lifetime
Truncation (MSLT).

MSLT and VTW were contributed by Coyote Point Systems, Inc.

Even after a TCP session enters the TIME_WAIT state, its corresponding
socket and protocol control blocks (PCBs) stick around until the TCP
Maximum Segment Lifetime (MSL) expires. On a host whose workload
necessarily creates and closes down many TCP sockets, the sockets & PCBs
for TCP sessions in TIME_WAIT state amount to many megabytes of dead
weight in RAM.

Maximum Segment Lifetimes Truncation (MSLT) assigns each TCP session to
a class based on the nearness of the peer. Corresponding to each class
is an MSL, and a session uses the MSL of its class. The classes are
loopback (local host equals remote host), local (local host and remote
host are on the same link/subnet), and remote (local host and remote
host communicate via one or more gateways). Classes corresponding to
nearer peers have lower MSLs by default: 2 seconds for loopback, 10
seconds for local, 60 seconds for remote. Loopback and local sessions
expire more quickly when MSLT is used.

Vestigial Time-Wait (VTW) replaces a TIME_WAIT session's PCB/socket
dead weight with a compact representation of the session, called a
"vestigial PCB". VTW data structures are designed to be very fast and
memory-efficient: for fast insertion and lookup of vestigial PCBs,
the PCBs are stored in a hash table that is designed to minimize the
number of cacheline visits per lookup/insertion. The memory both
for vestigial PCBs and for elements of the PCB hashtable come from
fixed-size pools, and linked data structures exploit this to conserve
memory by representing references with a narrow index/offset from the
start of a pool instead of a pointer. When space for new vestigial PCBs
runs out, VTW makes room by discarding old vestigial PCBs, oldest first.
VTW cooperates with MSLT.

It may help to think of VTW as a "FIN cache" by analogy to the SYN
cache.

A 2.8-GHz Pentium 4 running a test workload that creates TIME_WAIT
sessions as fast as it can is approximately 17% idle when VTW is active
versus 0% idle when VTW is inactive. It has 103 megabytes more free RAM
when VTW is active (approximately 64k vestigial PCBs are created) than
when it is inactive.

Pull pfsync_stats() out of inet.c and into pfsync.c so that inet.c does
not have to #include PF header files that pollute the global namespace
by #defining v4 and v6 (sheesh).

branches: 1.32.2;
Deal with crunch the standard way.

Make this build with CRUNCHEDPROG defined, and default to the sysctl()
method of fetching information. Apparently we can't simply not define
the prog_ops struct in this program.

Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@

Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.

Conditionalize XNS support. No longer enabled.

Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff commited previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...

branches: 1.25.2;
Added bpf.c.

Only compile in IPv6 support if ${USE_INET6} != "no"

MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).

Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.

New kernel files:
sys/netipsec/Makefile (new file; install *_var.h includes)
sys/netipsec/ipsec_var.h (new 64-bit mib counter struct)

Changed kernel files:
sys/Makefile (recurse into sys/netipsec/)
sys/netinet/in.h (fake IP_PROTO name for fast_ipsec
sysctl subtree.)
sys/netipsec/ipsec.h (minimal userspace inclusion)
sys/netipsec/ipsec_osdep.h (minimal userspace inclusion)
sys/netipsec/ipsec_netbsd.c (redo sysctl subtree from scratch)
sys/netipsec/key*.c (fix broken net.key subtree)

sys/netipsec/ah_var.h (increase all counters to 64 bits)
sys/netipsec/esp_var.h (increase all counters to 64 bits)
sys/netipsec/ipip_var.h (increase all counters to 64 bits)
sys/netipsec/ipcomp_var.h (increase all counters to 64 bits)

sys/netipsec/ipsec.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_mbuf.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_output.c (add #include netipsec/ipsec_var.h)

sys/netinet/raw_ip.c (add #include netipsec/ipsec_var.h)
sys/netinet/tcp_input.c (add #include netipsec/ipsec_var.h)
sys/netinet/udp_usrreq.c (add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
usr.bin/netstat/fast_ipsec.c (print fast-ipsec counters)

Changed files:
usr.bin/netstat/Makefile (add fast_ipsec.c)
usr.bin/netstat/netstat.h (declarations for fast_ipsec.c)
usr.bin/netstat/main.c (call KAME-vs-fast-ipsec dispatcher)

branches: 1.22.2;
use proper #ifdef to determine behavior (__KAME__)

makefile delint. use NETBSDSRCDIR as appropriate

revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame)

per-interface statistics.
bring in and enable KAME scopeid hack.
lots of cleanups.
(sync with latest KAME)

branches: 1.18.4;
Revert previous, as it merely worked around a recent bug in make(1) which
is now fixed.

make sure to use files in ${.CURDIR} before ${.CURDIR}/../../sys/netiso.
(namely iso.c)

merge SRCS into one.

make netstat IPv6-ready.

Back out the .PATH.c changes. The .depend problem (and others)
will be fixed using the new .NOPATH make feature instead.

Use .PATH.c: ...

- netatalk additions
- printf format fixes
- minor prototype cleanups

New-style RCS ids.

Re-enable some ugly ISO code.

do not need -I/sys

Use ${DESTDIR}/sys in CFLAGS.

Clean up import.

needs -lkvm, not -lutil

Incorporate changes for IP mcast and IGMP from cmaeda@cs.washington.edu.

-I/sys --> -I${DESTDIR}/sys, to support cross-compilation.

Add RCS identifiers.

Reenable NS and ISO code.

branches: 1.1.1;
after 0.2.2 "stable" patches applied

KNF. No functional change.

KNF. No functional change.

netstat: strengthen against kernel changes

netstat uses sysctlbyname to get counter data from the kernel.
sysctlbyname fails with ENOMEM if actual counter data in the kernel is
larger than a passed buffer. netstat just skips showing counters of a
category if sysctlbyname fails, so if we added new counters of the
category to the kernel, nestat shows nothing for the category.

Fortunately sysctlbyname fills data as much as possible even if a passed
buffer is short. So we can allow netstat to show the filled data anyway
if sysctlbyname fails with ENOMEM.

Note that this backcompat mechanism works only if new counters are
appended, and doesn't work if new counters are inserted into the middle
or counters are moved.

Avoid global scope for variables only used locally

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.16.8; 1.16.16; 1.16.18;
Drop assignment from uninitialized and otherwise unused variable.

branches: 1.15.4;
- avoid pointer gymnastics
- remove unused variables

branches: 1.14.6; 1.14.12;
Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.13.8;
net.atalk, not net.at.

Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

Make DDP stats per-cpu. While here, bump the counters to 64-bit and
make them available by sysctl.

branches: 1.10.20;
snprintf returns int, not size_t. CID 691.
From bjh21.

Added #include <kvm.h> since netstat.h, which is included too, needs it.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

snprintf length audit. from openbsd

More format string cleanup by sommerfeld.

branches: 1.5.2; 1.5.10;
Apply (slightly modified) patch from 5543 to fix -s behaviour for netatalk.

- KNF
- use err(3)
- sprintf/strcpy -> snprintf/strncpy
- change route.c:domask() to take a size_t of the buffer passed.

fix up .Nm usage, getopt returns -1 not EOF

branches: 1.2.2;
PR/3660: Dave Huang: Fix formatting misalignments in appletalk
PR/3659: Dave Huang: Fix PCB reporting in appletalk

- netatalk additions
- printf format fixes
- minor prototype cleanups

Rename local bpf_* functions to nsbpf_* to avoid conflicts with
new libpcap bpf_* functions

netstat/bpf.c: Don't print garbage for stale pid

KNF. No functional change.

netstat: strengthen against kernel changes

netstat uses sysctlbyname to get counter data from the kernel.
sysctlbyname fails with ENOMEM if actual counter data in the kernel is
larger than a passed buffer. netstat just skips showing counters of a
category if sysctlbyname fails, so if we added new counters of the
category to the kernel, nestat shows nothing for the category.

Fortunately sysctlbyname fills data as much as possible even if a passed
buffer is short. So we can allow netstat to show the filled data anyway
if sysctlbyname fails with ENOMEM.

Note that this backcompat mechanism works only if new counters are
appended, and doesn't work if new counters are inserted into the middle
or counters are moved.

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.13.2; 1.13.4;
Fix a bug that BPF_D_OUT isn't printed correctly.

Implement the BPF direction filter (BIOC[GS]DIRECTION). It provides backward
compatibility with BIOC[GS]SEESENT ioctl. The userland interface is the same
as FreeBSD.

This change also fixes a bug that the direction is misunderstand on some
environment by passing the direction to bpf_mtap*() instead of checking
m->m_pkthdr.rcvif.

branches: 1.11.22; 1.11.28;
Fix memory leak.

branches: 1.10.6; 1.10.8; 1.10.12;
Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.8.6; 1.8.8;
Remove clause 3 and 4 from TNF licenses

Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

branches: 1.6.16;
PR/31347: Geoff C. Wing: netstat err message is ambiguous about cause
Applied patch, thanks!

Convert 3 printf() calls into one puts().

Place the sysctl code under an if block and print an error message if the
user tries to fetch information via kvm.

Discussed with Elad Efrat.

Request process information using sysctl(3) and not kvm(3) since bpf(4)
statistics and peers are only available using the former.

Fix printing formats.

Implemented the userland part of the BPF statistics and BPF peers,
net.bpf.stats and net.bpf.peers sysctls respectively. netstat(1) now
has an additional syntax:
netstat [-s] [-B] [-I Interface]

Only the super user can see a list of BPF peers with the following command:
# netstat -B
Active BPF peers
PID Int Recv Drop Capt Flags Bufsize Comm
4941 lo0 0 0 0 I--S- 262144 tcpdump
252 ex0 19668 0 5 I-RS- 32768 dhclient

And every user can see the BPF statistics with:
$ netstat -s -B
bpf:
19669 total packets received
5 total packets captured
0 total packets dropped

This idea came from FreeBSD (Christian S.J. Peron) but, currently, they
doen't have a userland utility in the base system to read the sysctls.

Reviewed by: christos@

KNF. No functional change.

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.22.6; 1.22.8;
Tweak outputs of netstat -s for IPsec

- Get rid of "Fast"
- Use ipsec and ipsec6 for titles to clarify protocol
- Indent outputs of sub protocols

Original outputs were organized like this:

(Fast) IPsec:
IPsec ah:
IPsec esp:
IPsec ipip:
IPsec ipcomp:
(Fast) IPsec:
IPsec ah:
IPsec esp:
IPsec ipip:
IPsec ipcomp:

New outputs are organized like this:

ipsec:
ah:
esp:
ipip:
ipcomp:
ipsec6:
ah:
esp:
ipip:
ipcomp:

branches: 1.21.4;
Redo the statistics through an indirection array and put the definitions
of the arrays in pfkeyv2.h so that they are next to the index definitions.
Remove "bogus" comment about compressing the statistics which is now fixed.

branches: 1.20.10; 1.20.14;
PR/47744: Frank Kardel: netstat -s stops output prematurely when ipsec is not
compiled.
If the first sysctl fails return silently.
XXX: pullup-6

branches: 1.19.2;
remove KAME IPSEC, replaced by FAST_IPSEC

more IPSEC header cleanup: don't install unneeded headers to userland,
and remove some differences berween KAME and FAST_IPSEC

branches: 1.17.4;
pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.

copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.

report aes-ctr statistic counter by name

decode camellia-cbc in stats histogram

fix some labels for ipcomp counters which didn't make sense at all

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.11.8;
Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
netstat_sysctl().

branches: 1.9.4;
Report the new ipcomp stats under FAST_IPSEC : ipcomps_minlen and
ipcomps_uselesscomp

Report ipsecstats.ips_spdcache_miss under FAST_IPSEC correctly.

branches: 1.7.12;
Added #include <kvm.h> since netstat.h, which is included too, needs it.

Rework sys/netipsec/ipsec_netbsd.c to present a more consistent tree.

Rework usr.bin/netstat/fast_ipsec.c to find the stats nodes under the
new names (Kame uses the name stats so we use different ones), as well
as setting slen appropriately between calls to sysctlbyname(), and
providing forward compatibility when actually retrieving stats via
sysctlbyname().

And correct a spelling error.

Fix two stupid bugs I introduced with stats for fast-ipsec:

1. Pass the caller-supplied protocol name down through ipsec_switch().

2. Remove my poor attempt to print fast-ipsec stats automagically for
`netstat -s'. The previous code would print (fast)IPsec per-protocol
stats even for 'netstat', which is just wrong.

A better fix would be to enumerate the sub-"protocols" under IPsec;
but first lets fix the broken behaviour now, for a pullup to 2.0.

Temporary hack to fix ipsec stats lossage. Atatat, are you listening?

branches: 1.3.2;
Forgotten $ for NetBSD key.

Use int_fmtio.h and PRUx formats for longs.

Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.

New kernel files:
sys/netipsec/Makefile (new file; install *_var.h includes)
sys/netipsec/ipsec_var.h (new 64-bit mib counter struct)

Changed kernel files:
sys/Makefile (recurse into sys/netipsec/)
sys/netinet/in.h (fake IP_PROTO name for fast_ipsec
sysctl subtree.)
sys/netipsec/ipsec.h (minimal userspace inclusion)
sys/netipsec/ipsec_osdep.h (minimal userspace inclusion)
sys/netipsec/ipsec_netbsd.c (redo sysctl subtree from scratch)
sys/netipsec/key*.c (fix broken net.key subtree)

sys/netipsec/ah_var.h (increase all counters to 64 bits)
sys/netipsec/esp_var.h (increase all counters to 64 bits)
sys/netipsec/ipip_var.h (increase all counters to 64 bits)
sys/netipsec/ipcomp_var.h (increase all counters to 64 bits)

sys/netipsec/ipsec.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_mbuf.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_output.c (add #include netipsec/ipsec_var.h)

sys/netinet/raw_ip.c (add #include netipsec/ipsec_var.h)
sys/netinet/tcp_input.c (add #include netipsec/ipsec_var.h)
sys/netinet/udp_usrreq.c (add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
usr.bin/netstat/fast_ipsec.c (print fast-ipsec counters)

Changed files:
usr.bin/netstat/Makefile (add fast_ipsec.c)
usr.bin/netstat/netstat.h (declarations for fast_ipsec.c)
usr.bin/netstat/main.c (call KAME-vs-fast-ipsec dispatcher)

Clean up deleted files.

kill lots of off_t's.

Add RCS identifiers.

after 0.2.2 "stable" patches applied

if not given an interface to monitor by default, pick the one
with the most bytes in/out the first time and keep using it.

in addition to picking the most likely intersting interface,
this actually fixes a bug where interfaces coming/going in
the middle of eg, "netstat -b -w 1", may end up showing the
data for another interface on any output line (including the
the header declaring the interface!)

branches: 1.108.2;
Use warn() instead of warnx() and simplify.

netstat/if.c: Fix error message with "-w" option.

Now ifq_drops is 64bit unsigned integer.

No description in src/doc/CHANGES?

Make ifq_drops in struct ifqueue and struct ifaltq 64 bit.

s/u_quad_t/uint64_t/. No functional change.

Print oqdrops correctly in continuous display mode using with kvm.

Fix printing current output drop packet count in continuous display mode.

G.C. No functional change.

Print oqdrops correctly.

Get if_data correctly when kvm is used.

KNF. No functional change.

KNF. No functional change.

Use NULL instead of 0.

Update for per-cpu interface statistics.

branches: 1.95.2;
Print iqdrops, too. This change also fixes a bug that Odrops prints
iqdrops when kvm read failed.

branches: 1.94.4; 1.94.10; 1.94.12;
Remove mkludge stuffs

For unknown reasons, IPv6 multicast addresses are linked to a first
IPv6 address assigned to an interface. Due to the design, when removing
a first address having multicast addresses, we need to save them to
somewhere and later restore them once a new IPv6 address is activated.
mkludge stuffs support the operations.

This change links multicast addresses to an interface directly and
throws the kludge away.

Note that as usual some obsolete member variables remain for kvm(3)
users. And also sysctl net.inet6.multicast_kludge remains to avoid
breaking old ifmcstat.

TODO: currently ifnet has a list of in6_multi but obviously the list
should be protocol independent. Provide a common structure (if_multi
or something) to handle in6_multi and in_multi together as well as
ifaddr does for in_ifaddr and in6_ifaddr.

re-do the previous to avoid malloc/free on the same size every iteration.

with this, or the previous, 'netstat -b 1' no longer leaks memory in
-current (or any older release using sysctl for this.)

sprinkle free

branches: 1.91.2;
Fix showing multicast addresses of !IFF_UP interfaces

netstat appends '*' to the name of an interface without IFF_UP, so
if_nametoindex which is used in mc_print fails. mc_print needs just
an interface index so pass it instead of a tweaked interface name.

Fix "sidewaysintpr", the thing that prints interface statistics in a
loop, to use signals properly. There are two copies of this code; one
uses kvm and the other uses sysctls. One copy had been updated to use
sigset_t and sigsuspend; the other was using vintage sigpause(). Sync
up the code so both use sigpause. Also, use sig_atomic_t, and block
SIGALRM when not waiting for it to avoid a small and unlikely but real
race.

Since the non-modernized copy of the code *had* for some been
modernized to use setitimer instead of just alarm(), propagate that
change to the other copy.

These copies could share more logic than they do.

branches: 1.89.2;
more XXX removal.

XXX: removal

remove __P

dedup

use sysctl to print multicast addresses

fix sysctl based interface printing, and annotate where we should add the
missing multicast printing code.

PR/50872: David Binderman: Use logical and instead of arithmetic

query the window size and use it instead of assuming 24 lines.
now the header isn't re-printed a lot of times in tall windows.

adjust to the netname4 prototype.

use the common code from route.c

branches: 1.79.4;
use correct function and symbolic constants

use new scopeid functions

- avoid pointer gymnastics
- remove unused variables

Retire OSI network stack. OK core@

Line up total numbers again (for -b case and -X case).

branches: 1.74.2;
Use C89 function definitions

branches: 1.73.2;
PR/44889: Yamamoto Takashi: netstat -d option is broken (from Elad)

branches: 1.72.2;
Use __dead

Use RT_ROUNDUP() and friends from sys/route.h instead of homegrown
variants.

branches: 1.70.2;
Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

Line up total numbers again.

Add -h, which makes output of bytes counts "humanized" (e.g. -bih)

(netstat had -h some 15 years ago, but since then it has been just
a fancy way of calling usage())

protecting sockaddr_in6 with -DINET6

Use PRIu64 for printf'ing stuff. Fixes build breakage on part-amd64
introduced in rev 1.64 (and reverts a partial fix provided in rev 1.65)

Put some unsigned long long casts (as was in the original printing code).

Should fix build breakage noticed by pgoyette@ on current-users@:

http://mail-index.netbsd.org/current-users/2009/09/13/msg010554.html

(sorry, don't have an amd64 anymore!)

Checkin work in progress to make netstat use sysctl rather than kvm(3).

This commit mostly adds code written by Claudio Jeker for OpenBSD to
support sysctl in the interface printing parts (-i, -I, -w). The port has
been ported to NetBSD with tiny adjustments -- of course all bugs etc.
are mine.

Also add and document a -X flag to force sysctl usage. The documentation
notes this flag may be removed at any time and its presence should not be
relied on.

Some misc. comments/#ifdef changes/code snippet moves as well.

Please note that no functionality should change as the routing and
interface printing code is still not fully supported.

Mailing list reference:

http://mail-index.netbsd.org/tech-userlevel/2009/09/09/msg002604.html

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.62.8;
netns is no longer in the tree; completely purge it from netstat(1).

branches: 1.61.16;
Conditionalize XNS support. No longer enabled.

Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff commited previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...

branches: 1.59.2;
Added #include <kvm.h> since netstat.h, which is included too, needs it.

NI_WITHSCOPEID was not picked up by IETF standardization process.

Use itimerval() instead of alarm() for interval displaying. This increases
accuracy on interval stats also on fast machines.

correct strange indentation

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

use proper #ifdef to determine behavior (__KAME__)

make char array bigger where it seems too small and may overrun.

use macro to determine link-local multicast addr

identify kame scopeid hack with KAME_SCOPEID

make an auto const variable static.

Use getnameinfo() for printing link-layer addresses in netstat -i, rather
than doing it ourselves.

pedant changes for strcpy/sprintf.

convert to use getprogname()

Print out IEEE1394 addresses with : . Add a hack to limit the address
to 8 bytes.

More format string cleanup by sommerfeld.

more stats. from kame

Allocate one more byte for the asterisk after the name of interface.

Make gcc 2.96 (and maybe earlier) happier. Include <stdlib.h>,<string.>,
etc. as appropriate to get exit,srncmp,abs,abort,etc.
Add -I${.CURDIR} to a few Makefiles

with -inv flag, do not truncate name of the interface (like "strip0").

branches: 1.40.4;
Define members previously defined as u_long in struct iftot as u_quad_t.
Since these members are used to hold members defined now as u_quad_t
in struct if_data, u_long is quite not enough actually.
Without this, one night ttcp easily makes netstat to produce wrong output
like this:
enami@annex-2f-floor-244% netstat -ibw 1 -I tlp0
tlp0 in tlp0 out total in total out
bytes bytes bytes bytes
176333740607 176914940420 240082591 821282404
176093659136 176093659136 0 0
176093659136 176093659136 0 0

use NI_WITHSCOPEID when printing multicast group with -inav.

print IPv6 scopeid on -inv. with -in, scopeid is omitted due to insufficient
width.

better sync with #ifdef notdef part (in -i for AF_INET).

don't truncate IPv4 entries on -i (with -v). it is mainly for
"Network" column (13 digits, it will be 18 digits in maximum).

print IPv6 multicast group on -ia (-iav will avoid truncation)

per-interface statistics.
bring in and enable KAME scopeid hack.
lots of cleanups.
(sync with latest KAME)

Change printf formats for 64bit counters.

branches: 1.32.4;
make netstat IPv6-ready.

branches: 1.31.2;
Make the damned columns line up.

#ifndef SMALL changes. saves 30k on the sparc

Add { and } to shut up egcs. Reformat the more questionable code.

- KNF
- use err(3)
- sprintf/strcpy -> snprintf/strncpy
- change route.c:domask() to take a size_t of the buffer passed.

Partial fix for PR kern/5435 -- changed netstat to use unsigned counters
instead of signed. The rest of the fix will have to wait for 64-bit counters.

Add support for a '-b' option to provide byte counts in and out,
instead of just packet counts. On the byte screens, errors and
collisions are not shown, since they are more packet count related.

branches: 1.25.2;
fix up .Nm usage, getopt returns -1 not EOF

branches: 1.24.2;
PR/3660: Dave Huang: Fix formatting misalignments in appletalk
PR/3659: Dave Huang: Fix PCB reporting in appletalk

more column alignment fixes

PR/3451: Anders Hjalmarsson: Column alignment fixes after the netatalk addition.

- netatalk additions
- printf format fixes
- minor prototype cleanups

Print Ethernet and FDDI addresses in the same format as ether_ntoa().
From Matt Thomas <matt@3am-software.com>

Fix missing `)' in the sideways view of interfaces (i.e. netstat -w 1).
Bug pointed out by Chris G. Demetriou.

bump MAXIF (the maximum number of interfaces for which information is kept,
for 'netstat -w <delay>') to 100, from 10. 10 was definitely not sufficient
for many hosts; 100 should be for most if not all. This code really should
dynamically allocate the information structures, based on the number of
interfaces in the kernel, account for interfaces that are added or removed,
etc., but given its current structure that would require substantial changes.

if doing 'netstat -I <intf> -w <delay>', and netstat can't find an
interface of the given name, print an error message and exit.
This whole section of code needs to be re-thought, if interfaces
can be dynamically added or removed.

branches: 1.16.4;
Kill a couple of unnecessary calls to strlen().

Update for the changes to struct ifnet. While I'm here, fix a couple
of long-standing bugs:

- Actually deal with the fact that the kernel ifnet list is
a TAILQ; it just happened to work before.

- Use kvm_openfiles() instead of kvm_open(). The code passed
arguments to kvm_open() as if it were kvm_openfiles(), but
apparently went unnoticed since the prototypes are the same.
Amusing bit: there were XXX's in the code which seemed to
apologize for a verbose libkvm, when it happened to be a
bug in netstat!

Implement change done in revision 1.12 (for PR #1473 & duplicates) in a
slightly different way. This widens the Address field instead of the
Ipkts field because Address is the one that may be too big.

New-style RCS ids.

Change formatting so that columns line up; PR #1473 + several duplicates

Remove an extra htonl().

Update to match kernel changes.

Align link address under `Address' header.

Clean up import.

kill lots of off_t's.

clean up, for off_t... ugliest 'cleaning' possible, i think...

netname() takes a struct in_addr, not an int. Breaks on sparc.
fix from Chuck Cranor <chuck@maria.wustl.edu>

fix to print netstat unit number right; from Greenman

Add RCS identifiers.

Included Havard Eidnes' latest changes.

branches: 1.1.1;
after 0.2.2 "stable" patches applied

Adjust userland commands for struct inpcb separation

Only kvm users are affected.

Adjust userland commands for struct inpcb integration

Only kvm users are affected.

s/u_quad_t/uint64_t/. No functional change.

KNF. No functional change.

KNF. No functional change.

netstat(1): convert malloc(x * y) and realloc(x * y) to reallocarr

netstat: strengthen against kernel changes

netstat uses sysctlbyname to get counter data from the kernel.
sysctlbyname fails with ENOMEM if actual counter data in the kernel is
larger than a passed buffer. netstat just skips showing counters of a
category if sysctlbyname fails, so if we added new counters of the
category to the kernel, nestat shows nothing for the category.

Fortunately sysctlbyname fills data as much as possible even if a passed
buffer is short. So we can allow netstat to show the filled data anyway
if sysctlbyname fails with ENOMEM.

Note that this backcompat mechanism works only if new counters are
appended, and doesn't work if new counters are inserted into the middle
or counters are moved.

netstat: support new packet counters

add missing {IP,IP6}_STAT_NOIPSEC to netstat.

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.109.2;
Show the number of packets dropped by pfil

branches: 1.108.2;
Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.107.6; 1.107.12;
in getpcblist_sysctl() if sysctlnametomib() fails, return NULL and
set *len = 0, rather than bailing. now "netstat" doesn't give up
early on kernels without INET6.

branches: 1.106.2;
Allocate the right size for pcb blocks.
XXX: pullup-7!

print the timer flags.

branches: 1.104.4;
Update for new pcb tailq's.
While here fix ipv6 pcb printing by making tcp6_dump with tcp.
XXX: Merge the inet and the inet6 code. It is silly to need to specify
-p tcp6 to print a tcp6 pcb, we already know what it is.

Not all pointers are 64bit - use uintptr_t instead of uint64_t.

Don't use -P as a kmem printer, verify that the address points to a pcb first!

branches: 1.101.2; 1.101.6; 1.101.8; 1.101.14;
use the names from the include files.

branches: 1.100.2;
PR/43968 -- add 'segqlen' of TCPCB to 'netstat -P'.

OK by wiz@

Suppress whitespace at EOL to fix lib/librumphijack/t_tcpip.

use getmicrouptime(9) rather than microtime(9) for TIME_WAIT duration
calculation, because this doesn't get confused by system time changes,
and uses less CPU cycles
reviewed by dyoung

Do not display expired or reclaimed vestigial TIME_WAIT entries.

Reduces the resources demanded by TCP sessions in TIME_WAIT-state using
methods called Vestigial Time-Wait (VTW) and Maximum Segment Lifetime
Truncation (MSLT).

MSLT and VTW were contributed by Coyote Point Systems, Inc.

Even after a TCP session enters the TIME_WAIT state, its corresponding
socket and protocol control blocks (PCBs) stick around until the TCP
Maximum Segment Lifetime (MSL) expires. On a host whose workload
necessarily creates and closes down many TCP sockets, the sockets & PCBs
for TCP sessions in TIME_WAIT state amount to many megabytes of dead
weight in RAM.

Maximum Segment Lifetimes Truncation (MSLT) assigns each TCP session to
a class based on the nearness of the peer. Corresponding to each class
is an MSL, and a session uses the MSL of its class. The classes are
loopback (local host equals remote host), local (local host and remote
host are on the same link/subnet), and remote (local host and remote
host communicate via one or more gateways). Classes corresponding to
nearer peers have lower MSLs by default: 2 seconds for loopback, 10
seconds for local, 60 seconds for remote. Loopback and local sessions
expire more quickly when MSLT is used.

Vestigial Time-Wait (VTW) replaces a TIME_WAIT session's PCB/socket
dead weight with a compact representation of the session, called a
"vestigial PCB". VTW data structures are designed to be very fast and
memory-efficient: for fast insertion and lookup of vestigial PCBs,
the PCBs are stored in a hash table that is designed to minimize the
number of cacheline visits per lookup/insertion. The memory both
for vestigial PCBs and for elements of the PCB hashtable come from
fixed-size pools, and linked data structures exploit this to conserve
memory by representing references with a narrow index/offset from the
start of a pool instead of a pointer. When space for new vestigial PCBs
runs out, VTW makes room by discarding old vestigial PCBs, oldest first.
VTW cooperates with MSLT.

It may help to think of VTW as a "FIN cache" by analogy to the SYN
cache.

A 2.8-GHz Pentium 4 running a test workload that creates TIME_WAIT
sessions as fast as it can is approximately 17% idle when VTW is active
versus 0% idle when VTW is inactive. It has 103 megabytes more free RAM
when VTW is active (approximately 64k vestigial PCBs are created) than
when it is inactive.

Use __arraycount() and PRIu64. Delete unnecessary casts to unsigned
long long.

Pull pfsync_stats() out of inet.c and into pfsync.c so that inet.c does
not have to #include PF header files that pollute the global namespace
by #defining v4 and v6 (sheesh).

branches: 1.93.2;
Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

PR/42243: Yasuoka Masahiko: Add support for "net.inet.icmp.bmcastecho" support.
Print the current status.

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

Make netstat handle -a properly; that is, don't show unconnected
listener sockets unless -a was given. (It was checking the local
address instead of the remote address for being INADDR_ANY or
equivalent.)

PR 38093 from Dieter Roelants; I adjusted the patch a little.

This needs pullups for both -4 and -5.

branches: 1.88.6; 1.88.8;
Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

branches: 1.87.2;
Make IGMP stats per-cpu.

Make ARP stats per-cpu.

Make CARP status per-cpu.

Use ANSI function decls throughout.

Change TCP stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old tcpstat structure; old netstat
binaries will continue to work properly.

Change IP stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old ipstat structure; old netstat
binaries will continue to work properly.

fix build problem introduced in 1.79

Change UDP stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old icmpstat structure; old netstat
binaries will continue to work properly.

Change ICMP stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old icmpstat structure; old netstat
binaries will continue to work properly.

Make netstat build again. I don't see why it has any business dumping
the raw contents of tcpcb but that's another story.

branches: 1.77.2;
PR/31347: Geoff C. Wing: netstat err message is ambiguous about cause
Applied patch, thanks!

Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.

Revert previous.

Adapt to ECN.

It's not an error if we can't print CARP stats, it just means it's not built
in.

Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff commited previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...

check if malloc(3) failed

ok joerg@

branches: 1.70.2;
Use PRIu64 to format uint64_t quantities, instead of %llu, in
newly-introduced code.

XXX more %llu cleanup is needed throughout netstat code.

Integrate Common Address Redundancy Procotol (CARP) from OpenBSD

'pseudo-device carp'

Thanks to: joerg@ christos@ riz@ and others who tested
Ok: core@

Use PRIxPTR when printing a pointer.

Replace usage of caddr_t with intptr_t, to allow this to build cleanly
on both 32- and 64-bit archs.

Use sysctl to read live kernel PF_INET PCBs.

Use sysctl to fetch IP, ICMP, TCP, and UDP statistics.

Added #include <kvm.h> since netstat.h, which is included too, needs it.

Make it compile on ports where u_quad_t is not printf-format-compatible
with unsigned long long.

IPv4 PIM support, from the submission of Pavlin Radoslavov on tech-net@

print stat for TCP MD5 signature

Print ips_rcvmemdrop and ips_nogif.

synchronize w/ inpcb/in6pcb change

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

As a temporary workaround, apply the fix from PR#20390, thereby
cooperating with the callout code in working around the race
condition caused by the TCP code's use of the callout facility.

Instead of unconditionally releasing memory in tcp_close() and
SYN_CACHE_PUT(), check whether any of the related callout handlers
are about to be invoked (but have not yet done callout_ack()), and
if so, just mark the associated data structure (tcpcb or syn cache
entry) as "dead", and test for this (and release storage) in the
callout handler functions.

strlcpy

it's not necessary to limit the service name artificially to 8 characters
in inet*print() - only first 'width' characters of the 'host.service'
string would be printed anyway, so allow full service name if string would fit

Update for callout changes, and show TCP timers in relative, rather
than absolute ticks.

Test CALLOUT_PENDING, not CALLOUT_ACTIVE.

path MTU discovery blackhole detection.
PR 12790 (sorry for not committing it for a long time)

branches: 1.51.2;
if not -n and the local socket doesn't have INP_ANONPORT set, always try
to determine the symbolic name of the foreign port.

previously the foreign port would be displayed numerically in this case if
the local & foreign ports were different. this particular behaviour was
added in rev 1.28 when I added INP_ANONPORT support from FreeBSD, and for
the life of me I can't fathom the rationale for it ;-|

Fix a printf format/argument cast.

tcp_dump(): Also print the address of the in6pcb.

Update for TCP timer changes.

Update for field name changes in struct tcpcb.

add `-s' that prints port numbers symbolically but addresses numerically

pedant changes for strcpy/sprintf.

add few icmp type names.
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters

increase ipstat.ips_badaddr if the packet fails to pass address checks.

count successful path MTU changes. good for debugging.
(there could be some discussion on when to increase the counter...)

Add kernel counters for arp events, displayable with netstat -s -f arp

Backout part of rev 1.29 which doesn't match with the log message.

revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame)

Change printf formats for 64bit counters.

branches: 1.37.4;
make netstat IPv6-ready.

Print SYN,ACK retransmission statistics.

branches: 1.35.2;
rework so that `-A -n' won't truncate the `ipaddr.port' fields, by displaying
an abbreviated state column in that case (to fit in 80 columns)

Add { and } to shut up egcs. Reformat the more questionable code.

Fix bogon in length argument to snprintf when formatting port number

- KNF
- use err(3)
- sprintf/strcpy -> snprintf/strncpy
- change route.c:domask() to take a size_t of the buffer passed.

- use an array MAXHOSTNAMELEN+1 size to hold hostnames
- ensure hostname from gethostname() is nul-terminated in all cases
- minor KNF
- use MAXHOSTNAMELEN over various other values/defines
- be safe will buffers that hold hostnames

Add an option to dump the contents of a PCB at the specified address, and
implement this for TCP.

Add support for printing fast forwarded packets.

if INP_ANONPORT is set in the pcb, don't getservbyport the local port,
as the service name is irrelevent. from freebsd

Print the connections dropped due to excessive persist timeouts.

Nuke "delayed window updates" statistic.

Print window updates delayed (piggybacked on delayed ACKs).

Report connections drained due to memory shortage.

fix up .Nm usage, getopt returns -1 not EOF

Pull SYN_cache_branch down onto the main line.

branches: 1.21.2;
PR/3660: Dave Huang: Fix formatting misalignments in appletalk
PR/3659: Dave Huang: Fix PCB reporting in appletalk

- netatalk additions
- printf format fixes
- minor prototype cleanups

errors not generated 'cuz old message was icmp -> [EWW!]
errors not generated because old message was icmp

Add the `toolong' count to the IP stats display.

use %lu, not %u. This covers more than my original %d -> %u change...

Netstat -s should use %u for u_long parameters... Closes bin/2817 by me

branches: 1.15.4;
Update to match kernel.

branches: 1.14.2;
New-style RCS ids.

update for new network structures

Update to match kernel changes.

print out number of malformed fragments dropped

a couple of these need <sys/queue.h>

Clean up import.

kill lots of off_t's.

clean up, for off_t... ugliest 'cleaning' possible, i think...

Incorporate changes for IP mcast and IGMP from cmaeda@cs.washington.edu.

Add RCS identifiers.

get rid of select.h inclusion, and clean up headers *more*.

fix for new select & clean up headers

print out more of the gathered udp stats (actually all of them)

branches: 1.1.1;
after 0.2.2 "stable" patches applied

Adjust userland commands for struct inpcb separation

Only kvm users are affected.

Adjust userland commands for struct inpcb integration

Only kvm users are affected.

s/u_quad_t/uint64_t/. No functional change.

KNF. No functional change.

KNF. No functional change.

netstat(1): convert malloc(x * y) and realloc(x * y) to reallocarr

usr.bin: remove unnecessary lint comment CONSTCOND

Since 2021-01-31, lint no longer warns about 'do ... while (0)'.

No functional change.

netstat: strengthen against kernel changes

netstat uses sysctlbyname to get counter data from the kernel.
sysctlbyname fails with ENOMEM if actual counter data in the kernel is
larger than a passed buffer. netstat just skips showing counters of a
category if sysctlbyname fails, so if we added new counters of the
category to the kernel, nestat shows nothing for the category.

Fortunately sysctlbyname fills data as much as possible even if a passed
buffer is short. So we can allow netstat to show the filled data anyway
if sysctlbyname fails with ENOMEM.

Note that this backcompat mechanism works only if new counters are
appended, and doesn't work if new counters are inserted into the middle
or counters are moved.

netstat: support new packet counters

add missing {IP,IP6}_STAT_NOIPSEC to netstat.

sockb is only used locally, so move it into the function

netstat: Add indirection of symbols to remove clash with sanitizers

Add indirection and symbol renaming under MKSANITIZER for the linked in
version of sysctlbyname, sysctlgetmibinfo and sysctlnametomib.

branches: 1.72.2;
Show the number of packets dropped by pfil

branches: 1.71.2;
Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.70.2;
Add names of a few more ICMPv6 messages, from RFC6275 (Mobile IPv6)
and RFC4286 (Multicast Router Discovery.) and as shown in the IANA
parameters page available at:
https://www.ietf.org/assignments/icmpv6-parameters/icmpv6-parameters.txt

Also make the array be explicitly 256 entries long, one for each possible
code, which will detect attempts to insert names without deleting the
place holder (and mean a good solid NULL de-ref if too many place holders
are deleted, rather than just random results.)

branches: 1.69.6;
Print previously missing fields from a TCP6 PCB.

branches: 1.68.2;
Allocate the right size for pcb blocks.
XXX: pullup-7!

print the timer flags.

branches: 1.66.4;
Update for new pcb tailq's.
While here fix ipv6 pcb printing by making tcp6_dump with tcp.
XXX: Merge the inet and the inet6 code. It is silly to need to specify
-p tcp6 to print a tcp6 pcb, we already know what it is.

use correct function and symbolic constants

use new scopeid functions

- avoid pointer gymnastics
- remove unused variables

Not all pointers are 64bit - use uintptr_t instead of uint64_t.

Don't use -P as a kmem printer, verify that the address points to a pcb first!

Retire OSI network stack. OK core@

branches: 1.59.4; 1.59.6; 1.59.10; 1.59.12; 1.59.16;
RA flood mitigation via a limit on accepted routes:
- introduce a limit for the routes accepted via IPv6 Router Advertisement:
a common 2 interface client will have 6, the default limit is 100 and
can be adjusted via sysctl
- report the current number of routes installed via RA via sysctl
- count discarded route additions. Note that one RA message is two routes.
This is at present only across all interfaces even though per-interface
would be more useful, since the per-interface structure complies to RFC2466
- bump kernel version due to the previous change
- adjust netstat to use the new value (with netstat -p icmp6)

Suppress whitespace at EOL to fix lib/librumphijack/t_tcpip.

use getmicrouptime(9) rather than microtime(9) for TIME_WAIT duration
calculation, because this doesn't get confused by system time changes,
and uses less CPU cycles
reviewed by dyoung

Don't use type qualifier 'register'.

Do not display expired or reclaimed vestigial TIME_WAIT entries.

Reduces the resources demanded by TCP sessions in TIME_WAIT-state using
methods called Vestigial Time-Wait (VTW) and Maximum Segment Lifetime
Truncation (MSLT).

MSLT and VTW were contributed by Coyote Point Systems, Inc.

Even after a TCP session enters the TIME_WAIT state, its corresponding
socket and protocol control blocks (PCBs) stick around until the TCP
Maximum Segment Lifetime (MSL) expires. On a host whose workload
necessarily creates and closes down many TCP sockets, the sockets & PCBs
for TCP sessions in TIME_WAIT state amount to many megabytes of dead
weight in RAM.

Maximum Segment Lifetimes Truncation (MSLT) assigns each TCP session to
a class based on the nearness of the peer. Corresponding to each class
is an MSL, and a session uses the MSL of its class. The classes are
loopback (local host equals remote host), local (local host and remote
host are on the same link/subnet), and remote (local host and remote
host communicate via one or more gateways). Classes corresponding to
nearer peers have lower MSLs by default: 2 seconds for loopback, 10
seconds for local, 60 seconds for remote. Loopback and local sessions
expire more quickly when MSLT is used.

Vestigial Time-Wait (VTW) replaces a TIME_WAIT session's PCB/socket
dead weight with a compact representation of the session, called a
"vestigial PCB". VTW data structures are designed to be very fast and
memory-efficient: for fast insertion and lookup of vestigial PCBs,
the PCBs are stored in a hash table that is designed to minimize the
number of cacheline visits per lookup/insertion. The memory both
for vestigial PCBs and for elements of the PCB hashtable come from
fixed-size pools, and linked data structures exploit this to conserve
memory by representing references with a narrow index/offset from the
start of a pool instead of a pointer. When space for new vestigial PCBs
runs out, VTW makes room by discarding old vestigial PCBs, oldest first.
VTW cooperates with MSLT.

It may help to think of VTW as a "FIN cache" by analogy to the SYN
cache.

A 2.8-GHz Pentium 4 running a test workload that creates TIME_WAIT
sessions as fast as it can is approximately 17% idle when VTW is active
versus 0% idle when VTW is inactive. It has 103 megabytes more free RAM
when VTW is active (approximately 64k vestigial PCBs are created) than
when it is inactive.

Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

Make netstat handle -a properly; that is, don't show unconnected
listener sockets unless -a was given. (It was checking the local
address instead of the remote address for being INADDR_ANY or
equivalent.)

PR 38093 from Dieter Roelants; I adjusted the patch a little.

This needs pullups for both -4 and -5.

branches: 1.50.6; 1.50.8;
Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

branches: 1.49.2;
Make pim6 stats per-cpu.

Make raw6 stats per-cpu.

Use ANSI function decls throughout.

Make udp6 stats per-cpu.

Change IPv6 stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old ip6stat structure; old netstat
binaries will continue to work properly.

Change ICMP6 stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old icmp6stat structure; old netstat
binaries will continue to work properly.

Fix more -combine fallout. (mismatched definitions)

branches: 1.42.4;
Add new IPv6 Fast Forward statistics

Remove duplicate #includes
From Slava Semushin <slava.semushin@gmail.com>, via private mail

branches: 1.40.2;
PR/31347: Geoff C. Wing: netstat err message is ambiguous about cause
Applied patch, thanks!

Don't print an error if kernel doesn't have INET6 support.
By Jukka Salmi on current-users.

Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff commited previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...

check if malloc(3) failed

ok joerg@

branches: 1.36.2;
Use net.inet6.{ip6,udp6,pim6,raw6}.stats for live systems.

Reviewed by Elad Efrat.

Use net.inet6.tcp6.pcblist, net.inet6.tcp6.stats (not implemented yet) and
net.inet6.icmp6.stats if we are gathering information from a live system.

Reviewed by Elad Efrat.

Added #include <kvm.h> since netstat.h, which is included too, needs it.

print the proper pointer for the pcb address. otherwise, all the udp6
pcb addresses are the same as unrelated udp pcb addresses.

NI_WITHSCOPEID was not picked up by IETF standardization process.

handle KAME scopeid hack for multicast addr. Matthias Drochner

fix PR bin/22739 (netstat -nlv -f inet6 weird)

synchronize w/ inpcb/in6pcb change

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

use proper #ifdef to determine behavior (__KAME__)

it's not necessary to limit the service name artificially to 8 characters
in inet*print() - only first 'width' characters of the 'host.service'
string would be printed anyway, so allow full service name if string would fit

fix typo, from sm@resistor.net in misc/18816.

use strchr, not index

print rip6stat. sync with kame

Make the PCB address printing look like the IPv4 version.

typo

add `-s' that prints port numbers symbolically but addresses numerically

pedant changes for strcpy/sprintf.

add sctp (maybe we should add it to /etc/protocols instead?)

during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flodding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronziation with kame (including comments and cometic ones).

try to lookup /etc/protocols for histogram

typo in -s message

count path MTU changes.

More format string cleanup by sommerfeld.

Fix netstat -ss handling for a bunch of ISO cases, so that
zero values are not printed.
"tp:" still needs some work, though.

do not print m_pulldown statistics. it is too experimental and
belongs to kame tree only (not for *bsd tree).

more stats. from kame

branches: 1.9.2;
print # of packets filtered by icmp6 rate limitation

branches: 1.8.2;
s/icmp/icmp6/ in message

revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame)

Make this compile on the Alpha again.

per-interface statistics.
bring in and enable KAME scopeid hack.
lots of cleanups.
(sync with latest KAME)

Change printf formats for 64bit counters.

branches: 1.3.4;
do not include netinet/in6_systm.h, which has been empty for a while.

add NetBSD RCS ID.

make netstat IPv6-ready.

remove KAME IPSEC, replaced by FAST_IPSEC

split the ipsec.c source file into the pfkey part which is shared
with FAST_IPSEC and KAME specific IPSEC statistics

branches: 1.15.6;
Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.14.8;
Note which things are not available by KVM, and print a nice message
stating so if someone specifically asks for it.

PF_KEY stats for IPSEC and FAST_IPSEC are now per-CPU.

Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
netstat_sysctl().

branches: 1.11.20;
Added #include <kvm.h> since netstat.h, which is included too, needs it.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

support new algorithms

support hmac-sha2.

make char array bigger where it seems too small and may overrun.

KNF

pfkey statistics was presented in wrong direction.

present SPD cache lookup stats. sync with kame

be ready for rijndael

sync with net/pfkeyv2.h change. do not assume SADB_[EAC]ALG numbers are
continuous. sync with kame.

branches: 1.1.4;
revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame)

Retire OSI network stack. OK core@

branches: 1.33.2;
Use C89 function definitions

branches: 1.32.6;
Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

Make netstat handle -a properly; that is, don't show unconnected
listener sockets unless -a was given. (It was checking the local
address instead of the remote address for being INADDR_ANY or
equivalent.)

PR 38093 from Dieter Roelants; I adjusted the patch a little.

This needs pullups for both -4 and -5.

branches: 1.30.6; 1.30.8;
don't include <cons_pcb.h> as it is unnecessary

branches: 1.29.2;
- Define _KERNEL for sys/types.h in unix.c.
- caddr_t -> char * in a couple of places.

branches: 1.28.2;
Fix more -combine fallout. (mismatched definitions)

branches: 1.27.4;
Make this compile after TSEL() const poisoning
OK'd by dyoung@

branches: 1.26.4;
be quiet if symbol not in namelist, nothing cares

branches: 1.25.2;
Coverity CID 2336: Fix memory leak.

Added #include <kvm.h> since netstat.h, which is included too, needs it.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

add `-s' that prints port numbers symbolically but addresses numerically

PR/12517: Izumi Tsutsui: Don't use paddr_t in netstat; change to u_long

More format string cleanup by sommerfeld.

Rewrite tprintstat() so that netstat -ss functionality works
correctly for the "tp:" case (family iso). To avoid serious code
space bloat, stats are now table-driven.

A side-effect is that the mbuf chain statistics have been slightly re-ordered
to follow the 3 lines of EOT stats (still under Miscellaneous) rather
than sandwiched between "dec bits" and the EOTs.

-Wall friendly

Fix netstat -ss handling for a bunch of ISO cases, so that
zero values are not printed.
"tp:" still needs some work, though.

branches: 1.16.2; 1.16.10;
- KNF
- use err(3)
- sprintf/strcpy -> snprintf/strncpy
- change route.c:domask() to take a size_t of the buffer passed.

s/_offsetof/offsetof and include stddef.h to reflect recent
change in sys/netiso/iso.h.

fix up .Nm usage, getopt returns -1 not EOF

- netatalk additions
- printf format fixes
- minor prototype cleanups

New-style RCS ids.

a couple of these need <sys/queue.h>

Re-enable some ugly ISO code.

Clean up import.

kill lots of off_t's.

clean up, for off_t... ugliest 'cleaning' possible, i think...

moved useful contents of netiso/tp_astring.c down

Don't generate two warnings if OSI isn't configured in the kernel.

Add RCS identifiers.

get rid of select.h inclusion, and clean up headers *more*.

fix for new select & clean up headers

branches: 1.1.1;
after 0.2.2 "stable" patches applied

Rename local bpf_* functions to nsbpf_* to avoid conflicts with
new libpcap bpf_* functions

Make ifq_drops in struct ifqueue and struct ifaltq 64 bit.

KNF. No functional change.

KNF. No functional change.

Remove Network ATM soft intr queue reporting, we don't have that in the
kernel anymore.

Avoid common symbol definitions.

branches: 1.99.8; 1.99.18;
remove soft interrupt queues that don't exist anymore.

remove __P

use sysctl to print multicast addresses

Use sysctl for interface printing (-i), leave on for multicast address printing
(-ia) and comment in the code where this is missing?
XXX: should that be an ioctl or sysctl? provide getifmultiaddrs() via the
routing socket? I guess since this is just for netstat a simple sysctl or
ioctl would suffice. I lean towards sysctl.

PR/47704: Takahiro HAYASHI: Fix -L flag

fix A,v,T with route display.

use the common code from route.c

Fix a bug introduced in rev. 1.62; it fails to negate (a && b).

branches: 1.91.2;
netstat(1) and ifmcstat(8): ifnet was renamed to ifnet_list, PR/48850.

use the same for the route metrics part, both in the sysctl and kmem paths.
From Takahiro HAYASHI

The sysctl code does not support verbose route printing that prints the
internal route statistics. Restore the old kmem route printing code that
was not just used for post-mortem displays. Reported by kardel@, test by
netstat -nrvf inet

branches: 1.88.2;
Update for new pcb tailq's.
While here fix ipv6 pcb printing by making tcp6_dump with tcp.
XXX: Merge the inet and the inet6 code. It is silly to need to specify
-p tcp6 to print a tcp6 pcb, we already know what it is.

Make the -f option accept multiple address families.
Bump man page date.

Don't use -P as a kmem printer, verify that the address points to a pcb first!

Retire OSI network stack. OK core@

Use sysctl based code netstat -r. Remove support for post-mortem
analysis.

branches: 1.83.2;
remove KAME IPSEC, replaced by FAST_IPSEC

Use C89 function definitions

branches: 1.81.2; 1.81.4; 1.81.8; 1.81.10;
Use __dead

Use errx() to display kvm_openfiles error message, the provided buffer
already has it.

Always try to open kmem, do not always set use_sysctl to 1, and do not
fail if opening kmem fails unless !use_sysctl. Fixes netstat(1) options
such as -s.

Reduces the resources demanded by TCP sessions in TIME_WAIT-state using
methods called Vestigial Time-Wait (VTW) and Maximum Segment Lifetime
Truncation (MSLT).

MSLT and VTW were contributed by Coyote Point Systems, Inc.

Even after a TCP session enters the TIME_WAIT state, its corresponding
socket and protocol control blocks (PCBs) stick around until the TCP
Maximum Segment Lifetime (MSL) expires. On a host whose workload
necessarily creates and closes down many TCP sockets, the sockets & PCBs
for TCP sessions in TIME_WAIT state amount to many megabytes of dead
weight in RAM.

Maximum Segment Lifetimes Truncation (MSLT) assigns each TCP session to
a class based on the nearness of the peer. Corresponding to each class
is an MSL, and a session uses the MSL of its class. The classes are
loopback (local host equals remote host), local (local host and remote
host are on the same link/subnet), and remote (local host and remote
host communicate via one or more gateways). Classes corresponding to
nearer peers have lower MSLs by default: 2 seconds for loopback, 10
seconds for local, 60 seconds for remote. Loopback and local sessions
expire more quickly when MSLT is used.

Vestigial Time-Wait (VTW) replaces a TIME_WAIT session's PCB/socket
dead weight with a compact representation of the session, called a
"vestigial PCB". VTW data structures are designed to be very fast and
memory-efficient: for fast insertion and lookup of vestigial PCBs,
the PCBs are stored in a hash table that is designed to minimize the
number of cacheline visits per lookup/insertion. The memory both
for vestigial PCBs and for elements of the PCB hashtable come from
fixed-size pools, and linked data structures exploit this to conserve
memory by representing references with a narrow index/offset from the
start of a pool instead of a pointer. When space for new vestigial PCBs
runs out, VTW makes room by discarding old vestigial PCBs, oldest first.
VTW cooperates with MSLT.

It may help to think of VTW as a "FIN cache" by analogy to the SYN
cache.

A 2.8-GHz Pentium 4 running a test workload that creates TIME_WAIT
sessions as fast as it can is approximately 17% idle when VTW is active
versus 0% idle when VTW is inactive. It has 103 megabytes more free RAM
when VTW is active (approximately 64k vestigial PCBs are created) than
when it is inactive.

Add netstat rump client. For now, it always sets -X, i.e. will
use only sysctl and no kvm (implementing /dev/mem for a rump kernel
would probably not be hard, but still a non-zero effort).

Note: since there is absolutely no network activity in a fresh rump
kernel, rump.netstat usually displays exactly nothing when invoked
without parameters. Arguments like -r, -bi, -p icmp etc. produce
more stuff.

Add mpls into family address list

Add -T flag, that shows tags in route output

Add -h, which makes output of bytes counts "humanized" (e.g. -bih)

(netstat had -h some 15 years ago, but since then it has been just
a fancy way of calling usage())

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@

Checkin work in progress to make netstat use sysctl rather than kvm(3).

This commit mostly adds code written by Claudio Jeker for OpenBSD to
support sysctl in the interface printing parts (-i, -I, -w). The port has
been ported to NetBSD with tiny adjustments -- of course all bugs etc.
are mine.

Also add and document a -X flag to force sysctl usage. The documentation
notes this flag may be removed at any time and its presence should not be
relied on.

Some misc. comments/#ifdef changes/code snippet moves as well.

Please note that no functionality should change as the routing and
interface printing code is still not fully supported.

Mailing list reference:

http://mail-index.netbsd.org/tech-userlevel/2009/09/09/msg002604.html

Fix many WARNS=4 issues (-Wshadow -Wcast-qual -Wsign-compare).
Fix probable bug with numeric printing of anon ports when using sysctl.

branches: 1.70.2; 1.70.4; 1.70.6; 1.70.12;
Remove the \n and tabs from the __COPYRIGHT() strings.
Tweak to use a consistent format.

branches: 1.69.2;
Make note of a few things no longer available via kvm.

netns is no longer in the tree; completely purge it from netstat(1).

Make DDP stats per-cpu. While here, bump the counters to 64-bit and
make them available by sysctl.

PF_KEY stats for IPSEC and FAST_IPSEC are now per-CPU.

branches: 1.65.2;
ARP and IGMP stats are now available by sysctl.

Fall back to kvm interface for protocols that do not yet
offer a sysctl interface. Fixes PR bin/36210.

branches: 1.63.2;
PR/35056: Keiichi Shima: netstat does not compile in crunched environment

Patch applied, thanks!

Refactor code a bit so we only use kmem when we really need it.

Good intentions are still intentions. If we can't open kvm, but we still
have sysctl, it's still not enough for -P. A groveler is a groveler is
a groveler.

On a different note, this code needs a rewrite.

- Back to using kvm if we have access to it, since the sysctl stats do not
yet support all the fields we need.
- Don't core-dump if we could not open the kvm file.

Conditionalize XNS support. No longer enabled.

well, the || needed to be an && and the operand order needed to be changed.
XXX: There are still things like interface printing that need kvm.

Fix another && || confusion, from Kurt Schreiner, thanks!

Don't use || if you need &&.

branches: 1.55.2;
another netstat fix, Kurt Schreiner. thanx!

fix logic; from Kurt Schreiner

Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff commited previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...

branches: 1.52.2;
Integrate Common Address Redundancy Procotol (CARP) from OpenBSD

'pseudo-device carp'

Thanks to: joerg@ christos@ riz@ and others who tested
Ok: core@

make bpf stats #ifndef SMALL,
fixes build of x_netstat

Request process information using sysctl(3) and not kvm(3) since bpf(4)
statistics and peers are only available using the former.

Implemented the userland part of the BPF statistics and BPF peers,
net.bpf.stats and net.bpf.peers sysctls respectively. netstat(1) now
has an additional syntax:
netstat [-s] [-B] [-I Interface]

Only the super user can see a list of BPF peers with the following command:
# netstat -B
Active BPF peers
PID Int Recv Drop Capt Flags Bufsize Comm
4941 lo0 0 0 0 I--S- 262144 tcpdump
252 ex0 19668 0 5 I-RS- 32768 dhclient

And every user can see the BPF statistics with:
$ netstat -s -B
bpf:
19669 total packets received
5 total packets captured
0 total packets dropped

This idea came from FreeBSD (Christian S.J. Peron) but, currently, they
doen't have a userland utility in the base system to read the sysctls.

Reviewed by: christos@

Add (unsigned char) cast to ctype functions

IPv4 PIM support, from the submission of Pavlin Radoslavov on tech-net@

Fix two stupid bugs I introduced with stats for fast-ipsec:

1. Pass the caller-supplied protocol name down through ipsec_switch().

2. Remove my poor attempt to print fast-ipsec stats automagically for
`netstat -s'. The previous code would print (fast)IPsec per-protocol
stats even for 'netstat', which is just wrong.

A better fix would be to enumerate the sub-"protocols" under IPsec;
but first lets fix the broken behaviour now, for a pullup to 2.0.

Temporary hack to fix ipsec stats lossage. Atatat, are you listening?

Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.

New kernel files:
sys/netipsec/Makefile (new file; install *_var.h includes)
sys/netipsec/ipsec_var.h (new 64-bit mib counter struct)

Changed kernel files:
sys/Makefile (recurse into sys/netipsec/)
sys/netinet/in.h (fake IP_PROTO name for fast_ipsec
sysctl subtree.)
sys/netipsec/ipsec.h (minimal userspace inclusion)
sys/netipsec/ipsec_osdep.h (minimal userspace inclusion)
sys/netipsec/ipsec_netbsd.c (redo sysctl subtree from scratch)
sys/netipsec/key*.c (fix broken net.key subtree)

sys/netipsec/ah_var.h (increase all counters to 64 bits)
sys/netipsec/esp_var.h (increase all counters to 64 bits)
sys/netipsec/ipip_var.h (increase all counters to 64 bits)
sys/netipsec/ipcomp_var.h (increase all counters to 64 bits)

sys/netipsec/ipsec.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_mbuf.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_output.c (add #include netipsec/ipsec_var.h)

sys/netinet/raw_ip.c (add #include netipsec/ipsec_var.h)
sys/netinet/tcp_input.c (add #include netipsec/ipsec_var.h)
sys/netinet/udp_usrreq.c (add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
usr.bin/netstat/fast_ipsec.c (print fast-ipsec counters)

Changed files:
usr.bin/netstat/Makefile (add fast_ipsec.c)
usr.bin/netstat/netstat.h (declarations for fast_ipsec.c)
usr.bin/netstat/main.c (call KAME-vs-fast-ipsec dispatcher)

branches: 1.43.2;
synchronize w/ inpcb/in6pcb change

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.

clear errno before strto(u)l() if we're going to test it for ERANGE afterwards

Add MBUFTRACE kernel option.
Do a little mbuf rework while here. Change all uses of MGET*(*, M_WAIT, *)
to m_get*(M_WAIT, *). These are not performance critical and making them
call m_get saves considerable space. Add m_clget analogue of MCLGET and
make corresponding change for M_WAIT uses.
Modify netinet, gem, fxp, tulip, nfs to support MBUFTRACE.
Begin to change netstat to use sysctl.

Update for callout changes, and show TCP timers in relative, rather
than absolute ticks.

Add more software intrq.

Introduce -q flag to print some information (like number of packets dropped
due to queue full) about software interrupt queues such as ipintrq.

Sync SYNOPSIS and usage() with reality.

err/errx/warn/warnx do not need \n at the end

print rip6stat. sync with kame

add `-s' that prints port numbers symbolically but addresses numerically

convert to use getprogname()

more fix to "pfkey printed twice" problem. PR 11323 from ura.

don't print pfkey statistics twice. from uep

Add kernel counters for arp events, displayable with netstat -s -f arp

more stats. from kame

branches: 1.27.4;
Don't declare 'extern opt*' getopt variables.

revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame)

per-interface statistics.
bring in and enable KAME scopeid hack.
lots of cleanups.
(sync with latest KAME)

branches: 1.24.4;
Add -L option. netstat -r -L behaves like 4.3BSD netstat -r, that is, it
does not show route table entries pointing to link level addresses (ARP
entries or IPv6 neighbour discovery entries).

make netstat IPv6-ready.

There is no -h flag. From OpenBSD.

fix PR7057: division by zero if no mbufs allocated
fix PR7059 (partial): mbuf cluster counts were based on counters which
are no longer maintained.
(full fix will involve renaming the now-unused fields in mclstat in mbuf.h)

fix dumping of pcbs

Added a verbose flag for route display that will show
the various route metrics.

#ifndef SMALL changes. saves 30k on the sparc

use AF_LOCAL instead of AF_UNIX. support -f local as synonym for -f unix

- KNF
- use err(3)
- sprintf/strcpy -> snprintf/strncpy
- change route.c:domask() to take a size_t of the buffer passed.

- change setgid kmem programs (that lend themselves to this) so setegid(getgid())
and the top, and then set the effective gid back to kmem around the call to
kvm_openfiles(). this reduces the time group kmem is available.
- for those above that also allow this, setgid(getgid()) after the call to
kvm_openfiles() to fully revoke priviledges.
- some KNF
- use err(3) over fprintf(3) in some places

Add an option to dump the contents of a PCB at the specified address, and
implement this for TCP.

Add support for a '-b' option to provide byte counts in and out,
instead of just packet counts. On the byte screens, errors and
collisions are not shown, since they are more packet count related.

branches: 1.12.2;
fix up .Nm usage, getopt returns -1 not EOF

- netatalk additions
- printf format fixes
- minor prototype cleanups

Add compiled-in MCLBYTES and MSIZE to conf/param.c, as 'mclbytes" and "msize".

Add code to netstat to use libkvm to for kernel variables "mclbytes"
and "msize', and if found, use those for netstat -m rather than
compiled-in defaults.

Update for the changes to struct ifnet. While I'm here, fix a couple
of long-standing bugs:

- Actually deal with the fact that the kernel ifnet list is
a TAILQ; it just happened to work before.

- Use kvm_openfiles() instead of kvm_open(). The code passed
arguments to kvm_open() as if it were kvm_openfiles(), but
apparently went unnoticed since the prototypes are the same.
Amusing bit: there were XXX's in the code which seemed to
apologize for a verbose libkvm, when it happened to be a
bug in netstat!

New-style RCS ids.