fast_ipsec.c revision 1.17.4.1
1 /* $NetBSD: fast_ipsec.c,v 1.17.4.1 2012/04/17 00:09:37 yamt Exp $ */ 2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ 3 4 /*- 5 * Copyright (c) 2003, 2004 Jonathan Stone 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ 31 */ 32 33 #include <sys/cdefs.h> 34 #ifndef lint 35 #ifdef __NetBSD__ 36 __RCSID("$NetBSD: fast_ipsec.c,v 1.17.4.1 2012/04/17 00:09:37 yamt Exp $"); 37 #endif 38 #endif /* not lint*/ 39 40 /* Kernel headers required, but not included, by netstat.h */ 41 #include <sys/types.h> 42 #include <sys/socket.h> 43 44 /* Kernel headers for sysctl(3). */ 45 #include <sys/param.h> 46 #include <sys/sysctl.h> 47 48 /* Kernel headers for FAST_IPSEC statistics */ 49 #include <net/pfkeyv2.h> 50 #include <netipsec/esp_var.h> 51 #include <netipsec/ah_var.h> 52 #include <netipsec/ipip_var.h> 53 #include <netipsec/ipcomp_var.h> 54 #include <netipsec/ipsec_var.h> 55 56 #include <machine/int_fmtio.h> 57 58 #include <kvm.h> 59 #include <err.h> 60 #include <errno.h> 61 #include <stdio.h> 62 #include <string.h> 63 64 #include "netstat.h" 65 66 /* 67 * Table-driven mapping from SADB algorithm codes to string names. 68 */ 69 struct alg { 70 int a; 71 const char *name; 72 }; 73 static const struct alg aalgs[] = { 74 { SADB_AALG_NONE, "none", }, 75 { SADB_AALG_MD5HMAC, "hmac-md5", }, 76 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 77 { SADB_X_AALG_MD5, "md5", }, 78 { SADB_X_AALG_SHA, "sha", }, 79 { SADB_X_AALG_NULL, "null", }, 80 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 81 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 82 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 83 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 84 { SADB_X_AALG_AES128GMAC, "aes-128-gmac", }, 85 { SADB_X_AALG_AES192GMAC, "aes-192-gmac", }, 86 { SADB_X_AALG_AES256GMAC, "aes-256-gmac", }, 87 }; 88 static const struct alg espalgs[] = { 89 { SADB_EALG_NONE, "none", }, 90 { SADB_EALG_DESCBC, "des-cbc", }, 91 { SADB_EALG_3DESCBC, "3des-cbc", }, 92 { SADB_EALG_NULL, "null", }, 93 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 94 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 95 { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", }, 96 { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, 97 { SADB_X_EALG_AESCTR, "aes-ctr", }, 98 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 99 { SADB_X_EALG_AESGMAC, "aes-gmac", }, 100 }; 101 static const struct alg ipcompalgs[] = { 102 { SADB_X_CALG_NONE, "none", }, 103 { SADB_X_CALG_OUI, "oui", }, 104 { SADB_X_CALG_DEFLATE, "deflate", }, 105 { SADB_X_CALG_LZS, "lzs", }, 106 }; 107 #define N(a) (sizeof(a)/sizeof(a[0])) 108 109 static const char* 110 algname(int a, const struct alg algs[], int nalgs) 111 { 112 static char buf[80]; 113 int i; 114 115 for (i = 0; i < nalgs; i++) 116 if (algs[i].a == a) 117 return algs[i].name; 118 snprintf(buf, sizeof(buf), "alg#%u", a); 119 return buf; 120 } 121 122 /* 123 * Print the fast_ipsec statistics. 124 * Since NetBSD's netstat(1) seems not to find us for "netstat -s", 125 * but does(?) find KAME, be prepared to be called explicitly from 126 * netstat's main program for "netstat -s"; but silently do nothing 127 * if that happens when we are running on KAME IPsec. 128 */ 129 void 130 fast_ipsec_stats(u_long off, const char *name) 131 { 132 uint64_t ipsecstats[IPSEC_NSTATS]; 133 uint64_t ahstats[AH_NSTATS]; 134 uint64_t espstats[ESP_NSTATS]; 135 uint64_t ipcs[IPCOMP_NSTATS]; 136 uint64_t ipips[IPIP_NSTATS]; 137 int status; 138 size_t slen; 139 int i; 140 141 if (! use_sysctl) { 142 warnx("IPsec stats not available via KVM."); 143 return; 144 } 145 146 memset(ipsecstats, 0, sizeof(ipsecstats)); 147 memset(ahstats, 0, sizeof(ahstats)); 148 memset(espstats, 0, sizeof(espstats)); 149 memset(ipcs, 0, sizeof(ipcs)); 150 memset(ipips, 0, sizeof(ipips)); 151 152 slen = sizeof(ipsecstats); 153 status = sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen, 154 NULL, 0); 155 if (status < 0 && errno != ENOMEM) 156 err(1, "net.inet.ipsec.ipsecstats"); 157 158 slen = sizeof (ahstats); 159 status = sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0); 160 if (status < 0 && errno != ENOMEM) 161 err(1, "net.inet.ah.ah_stats"); 162 163 slen = sizeof (espstats); 164 status = sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0); 165 if (status < 0 && errno != ENOMEM) 166 err(1, "net.inet.esp.esp_stats"); 167 168 slen = sizeof(ipcs); 169 status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0); 170 if (status < 0 && errno != ENOMEM) 171 err(1, "net.inet.ipcomp.ipcomp_stats"); 172 173 slen = sizeof(ipips); 174 status = sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0); 175 if (status < 0 && errno != ENOMEM) 176 err(1, "net.inet.ipip.ipip_stats"); 177 178 printf("(Fast) IPsec:\n"); 179 180 #define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x) 181 if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO]) 182 printf("\t%"PRIu64" policy violations: %"PRIu64" input %"PRIu64" output\n", 183 ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO], 184 ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]); 185 STAT(ipsecstats[IPSEC_STAT_OUT_NOSA], "no SA found (output)"); 186 STAT(ipsecstats[IPSEC_STAT_OUT_NOMEM], "no memory available (output)"); 187 STAT(ipsecstats[IPSEC_STAT_OUT_NOROUTE], "no route available (output)"); 188 STAT(ipsecstats[IPSEC_STAT_OUT_INVAL], "generic errors (output)"); 189 STAT(ipsecstats[IPSEC_STAT_OUT_BUNDLESA], "bundled SA processed (output)"); 190 STAT(ipsecstats[IPSEC_STAT_SPDCACHELOOKUP], "SPD cache lookups"); 191 STAT(ipsecstats[IPSEC_STAT_SPDCACHEMISS], "SPD cache misses"); 192 #undef STAT 193 printf("\n"); 194 195 printf("IPsec ah:\n"); 196 #define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" ah " fmt "\n", x) 197 AHSTAT(ahstats[AH_STAT_INPUT], "input packets processed"); 198 AHSTAT(ahstats[AH_STAT_OUTPUT], "output packets processed"); 199 AHSTAT(ahstats[AH_STAT_HDROPS], "headers too short"); 200 AHSTAT(ahstats[AH_STAT_NOPF], "headers for unsupported address family"); 201 AHSTAT(ahstats[AH_STAT_NOTDB], "packets with no SA"); 202 AHSTAT(ahstats[AH_STAT_BADKCR], "packets dropped by crypto returning NULL mbuf"); 203 AHSTAT(ahstats[AH_STAT_BADAUTH], "packets with bad authentication"); 204 AHSTAT(ahstats[AH_STAT_NOXFORM], "packets with no xform"); 205 AHSTAT(ahstats[AH_STAT_QFULL], "packets dropped due to queue full"); 206 AHSTAT(ahstats[AH_STAT_WRAP], "packets dropped for replay counter wrap"); 207 AHSTAT(ahstats[AH_STAT_REPLAY], "packets dropped for possible replay"); 208 AHSTAT(ahstats[AH_STAT_BADAUTHL],"packets dropped for bad authenticator length"); 209 AHSTAT(ahstats[AH_STAT_INVALID], "packets with an invalid SA"); 210 AHSTAT(ahstats[AH_STAT_TOOBIG], "packets too big"); 211 AHSTAT(ahstats[AH_STAT_PDROPS], "packets blocked due to policy"); 212 AHSTAT(ahstats[AH_STAT_CRYPTO], "failed crypto requests"); 213 AHSTAT(ahstats[AH_STAT_TUNNEL], "tunnel sanity check failures"); 214 215 printf("\tah histogram:\n"); 216 for (i = 0; i < AH_ALG_MAX; i++) 217 if (ahstats[AH_STAT_HIST + i]) 218 printf("\t\tah packets with %s: %"PRIu64"\n" 219 , algname(i, aalgs, N(aalgs)) 220 , ahstats[AH_STAT_HIST + i] 221 ); 222 AHSTAT(ahstats[AH_STAT_IBYTES], "bytes received"); 223 AHSTAT(ahstats[AH_STAT_OBYTES], "bytes transmitted"); 224 #undef AHSTAT 225 printf("\n"); 226 227 printf("IPsec esp:\n"); 228 #define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" esp " fmt "\n", x) 229 ESPSTAT(espstats[ESP_STAT_INPUT],"input packets processed"); 230 ESPSTAT(espstats[ESP_STAT_OUTPUT],"output packets processed"); 231 ESPSTAT(espstats[ESP_STAT_HDROPS],"headers too short"); 232 ESPSTAT(espstats[ESP_STAT_NOPF], "headers for unsupported address family"); 233 ESPSTAT(espstats[ESP_STAT_NOTDB],"packets with no SA"); 234 ESPSTAT(espstats[ESP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 235 ESPSTAT(espstats[ESP_STAT_QFULL],"packets dropped due to queue full"); 236 ESPSTAT(espstats[ESP_STAT_NOXFORM],"packets with no xform"); 237 ESPSTAT(espstats[ESP_STAT_BADILEN],"packets with bad ilen"); 238 ESPSTAT(espstats[ESP_STAT_BADENC],"packets with bad encryption"); 239 ESPSTAT(espstats[ESP_STAT_BADAUTH],"packets with bad authentication"); 240 ESPSTAT(espstats[ESP_STAT_WRAP], "packets dropped for replay counter wrap"); 241 ESPSTAT(espstats[ESP_STAT_REPLAY],"packets dropped for possible replay"); 242 ESPSTAT(espstats[ESP_STAT_INVALID],"packets with an invalid SA"); 243 ESPSTAT(espstats[ESP_STAT_TOOBIG],"packets too big"); 244 ESPSTAT(espstats[ESP_STAT_PDROPS],"packets blocked due to policy"); 245 ESPSTAT(espstats[ESP_STAT_CRYPTO],"failed crypto requests"); 246 ESPSTAT(espstats[ESP_STAT_TUNNEL],"tunnel sanity check failures"); 247 printf("\tesp histogram:\n"); 248 for (i = 0; i < ESP_ALG_MAX; i++) 249 if (espstats[ESP_STAT_HIST + i]) 250 printf("\t\tesp packets with %s: %"PRIu64"\n" 251 , algname(i, espalgs, N(espalgs)) 252 , espstats[ESP_STAT_HIST + i] 253 ); 254 ESPSTAT(espstats[ESP_STAT_IBYTES], "bytes received"); 255 ESPSTAT(espstats[ESP_STAT_OBYTES], "bytes transmitted"); 256 #undef ESPSTAT 257 printf("IPsec ipip:\n"); 258 259 #define IPIPSTAT(x,fmt) \ 260 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipip " fmt "\n", x) 261 IPIPSTAT(ipips[IPIP_STAT_IPACKETS],"total input packets"); 262 IPIPSTAT(ipips[IPIP_STAT_OPACKETS],"total output packets"); 263 IPIPSTAT(ipips[IPIP_STAT_HDROPS],"packets too short for header length"); 264 IPIPSTAT(ipips[IPIP_STAT_QFULL],"packets dropped due to queue full"); 265 IPIPSTAT(ipips[IPIP_STAT_PDROPS],"packets blocked due to policy"); 266 IPIPSTAT(ipips[IPIP_STAT_SPOOF],"IP spoofing attempts"); 267 IPIPSTAT(ipips[IPIP_STAT_FAMILY],"protocol family mismatched"); 268 IPIPSTAT(ipips[IPIP_STAT_UNSPEC],"missing tunnel-endpoint address"); 269 IPIPSTAT(ipips[IPIP_STAT_IBYTES],"input bytes received"); 270 IPIPSTAT(ipips[IPIP_STAT_OBYTES],"output bytes processed"); 271 #undef IPIPSTAT 272 273 printf("IPsec ipcomp:\n"); 274 #define IPCOMP(x,fmt) \ 275 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipcomp " fmt "\n", x) 276 277 IPCOMP(ipcs[IPCOMP_STAT_HDROPS],"packets too short for header length"); 278 IPCOMP(ipcs[IPCOMP_STAT_NOPF], "protocol family not supported"); 279 IPCOMP(ipcs[IPCOMP_STAT_NOTDB], "packets with no SA"); 280 IPCOMP(ipcs[IPCOMP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 281 IPCOMP(ipcs[IPCOMP_STAT_QFULL], "queue full"); 282 IPCOMP(ipcs[IPCOMP_STAT_NOXFORM],"no support for transform"); 283 IPCOMP(ipcs[IPCOMP_STAT_WRAP], "packets dropped for replay counter wrap"); 284 IPCOMP(ipcs[IPCOMP_STAT_INPUT], "input IPcomp packets"); 285 IPCOMP(ipcs[IPCOMP_STAT_OUTPUT],"output IPcomp packets"); 286 IPCOMP(ipcs[IPCOMP_STAT_INVALID],"packets with an invalid SA"); 287 IPCOMP(ipcs[IPCOMP_STAT_TOOBIG],"packets decompressed as too big"); 288 IPCOMP(ipcs[IPCOMP_STAT_MINLEN], "packets too short to be compressed"); 289 IPCOMP(ipcs[IPCOMP_STAT_USELESS],"packet for which compression was useless"); 290 IPCOMP(ipcs[IPCOMP_STAT_PDROPS],"packets blocked due to policy"); 291 IPCOMP(ipcs[IPCOMP_STAT_CRYPTO],"failed crypto requests"); 292 293 printf("\tIPcomp histogram:\n"); 294 for (i = 0; i < IPCOMP_ALG_MAX; i++) 295 if (ipcs[IPCOMP_STAT_HIST + i]) 296 printf("\t\tIPcomp packets with %s: %"PRIu64"\n" 297 , algname(i, ipcompalgs, N(ipcompalgs)) 298 , ipcs[IPCOMP_STAT_HIST + i] 299 ); 300 IPCOMP(ipcs[IPCOMP_STAT_IBYTES],"input bytes"); 301 IPCOMP(ipcs[IPCOMP_STAT_OBYTES],"output bytes"); 302 #undef IPCOMP 303 } 304
Indexes created Wed Sep 24 14:09:57 GMT 2025