fast_ipsec.c revision 1.21.4.2
1 /* $NetBSD: fast_ipsec.c,v 1.21.4.2 2022/09/12 14:29:19 martin Exp $ */ 2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ 3 4 /*- 5 * Copyright (c) 2003, 2004 Jonathan Stone 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ 31 */ 32 33 #include <sys/cdefs.h> 34 #ifndef lint 35 #ifdef __NetBSD__ 36 __RCSID("$NetBSD: fast_ipsec.c,v 1.21.4.2 2022/09/12 14:29:19 martin Exp $"); 37 #endif 38 #endif /* not lint*/ 39 40 /* Kernel headers required, but not included, by netstat.h */ 41 #include <sys/types.h> 42 #include <sys/socket.h> 43 44 /* Kernel headers for sysctl(3). */ 45 #include <sys/param.h> 46 #include <sys/sysctl.h> 47 48 /* Kernel headers for FAST_IPSEC statistics */ 49 #include <net/pfkeyv2.h> 50 #include <netipsec/esp_var.h> 51 #include <netipsec/ah_var.h> 52 #include <netipsec/ipip_var.h> 53 #include <netipsec/ipcomp_var.h> 54 #include <netipsec/ipsec_var.h> 55 56 #include <machine/int_fmtio.h> 57 58 #include <kvm.h> 59 #include <err.h> 60 #include <errno.h> 61 #include <stdio.h> 62 #include <string.h> 63 64 #include "netstat.h" 65 66 /* 67 * Table-driven mapping from SADB algorithm codes to string names. 68 */ 69 struct alg { 70 int a; 71 const char *name; 72 }; 73 74 static const char *ahalgs[] = { AH_ALG_STR }; 75 static const char *espalgs[] = { ESP_ALG_STR }; 76 static const char *ipcompalgs[] = { IPCOMP_ALG_STR }; 77 78 static const char * 79 algname(size_t a, const char *algs[], size_t nalgs) 80 { 81 static char buf[80]; 82 83 if (a < nalgs) 84 return algs[a]; 85 snprintf(buf, sizeof(buf), "alg#%zu", a); 86 return buf; 87 } 88 89 /* 90 * Print the fast_ipsec statistics. 91 * Since NetBSD's netstat(1) seems not to find us for "netstat -s", 92 * but does(?) find KAME, be prepared to be called explicitly from 93 * netstat's main program for "netstat -s"; but silently do nothing 94 * if that happens when we are running on KAME IPsec. 95 */ 96 void 97 fast_ipsec_stats(u_long off, const char *name) 98 { 99 uint64_t ipsecstats[IPSEC_NSTATS]; 100 uint64_t ahstats[AH_NSTATS]; 101 uint64_t espstats[ESP_NSTATS]; 102 uint64_t ipcs[IPCOMP_NSTATS]; 103 uint64_t ipips[IPIP_NSTATS]; 104 int status; 105 size_t slen, i; 106 107 if (! use_sysctl) { 108 warnx("IPsec stats not available via KVM."); 109 return; 110 } 111 112 memset(ipsecstats, 0, sizeof(ipsecstats)); 113 memset(ahstats, 0, sizeof(ahstats)); 114 memset(espstats, 0, sizeof(espstats)); 115 memset(ipcs, 0, sizeof(ipcs)); 116 memset(ipips, 0, sizeof(ipips)); 117 118 slen = sizeof(ipsecstats); 119 status = sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen, 120 NULL, 0); 121 if (status < 0) { 122 if (errno == ENOENT) 123 return; 124 if (errno != ENOMEM) 125 err(1, "net.inet.ipsec.ipsecstats"); 126 } 127 128 slen = sizeof (ahstats); 129 status = sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0); 130 if (status < 0 && errno != ENOMEM) 131 err(1, "net.inet.ah.ah_stats"); 132 133 slen = sizeof (espstats); 134 status = sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0); 135 if (status < 0 && errno != ENOMEM) 136 err(1, "net.inet.esp.esp_stats"); 137 138 slen = sizeof(ipcs); 139 status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0); 140 if (status < 0 && errno != ENOMEM) 141 err(1, "net.inet.ipcomp.ipcomp_stats"); 142 143 slen = sizeof(ipips); 144 status = sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0); 145 if (status < 0 && errno != ENOMEM) 146 err(1, "net.inet.ipip.ipip_stats"); 147 148 printf("%s:\n", name); 149 150 #define STAT(x, fmt) \ 151 if (ipsecstats[x] || sflag <= 1) \ 152 printf("\t%"PRIu64" " fmt "\n", ipsecstats[x]) 153 154 if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO]) 155 printf("\t%"PRIu64" policy violations: %"PRIu64" input %" 156 PRIu64" output\n", 157 ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO], 158 ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]); 159 STAT(IPSEC_STAT_OUT_NOSA, "no SA found (output)"); 160 STAT(IPSEC_STAT_OUT_NOMEM, "no memory available (output)"); 161 STAT(IPSEC_STAT_OUT_NOROUTE, "no route available (output)"); 162 STAT(IPSEC_STAT_OUT_INVAL, "generic errors (output)"); 163 STAT(IPSEC_STAT_OUT_BUNDLESA, "bundled SA processed (output)"); 164 STAT(IPSEC_STAT_SPDCACHELOOKUP, "SPD cache lookups"); 165 STAT(IPSEC_STAT_SPDCACHEMISS, "SPD cache misses"); 166 #undef STAT 167 168 printf("\tah:\n"); 169 #define AHSTAT(x, fmt) \ 170 if (ahstats[x] || sflag <= 1) \ 171 printf("\t\t%"PRIu64" ah " fmt "\n", ahstats[x]) 172 173 AHSTAT(AH_STAT_INPUT, "input packets processed"); 174 AHSTAT(AH_STAT_OUTPUT, "output packets processed"); 175 AHSTAT(AH_STAT_HDROPS, "headers too short"); 176 AHSTAT(AH_STAT_NOPF, "headers for unsupported address family"); 177 AHSTAT(AH_STAT_NOTDB, "packets with no SA"); 178 AHSTAT(AH_STAT_BADKCR, 179 "packets dropped by crypto returning NULL mbuf"); 180 AHSTAT(AH_STAT_BADAUTH, "packets with bad authentication"); 181 AHSTAT(AH_STAT_NOXFORM, "packets with no xform"); 182 AHSTAT(AH_STAT_QFULL, "packets dropped due to queue full"); 183 AHSTAT(AH_STAT_WRAP, "packets dropped for replay counter wrap"); 184 AHSTAT(AH_STAT_REPLAY, "packets dropped for possible replay"); 185 AHSTAT(AH_STAT_BADAUTHL, 186 "packets dropped for bad authenticator length"); 187 AHSTAT(AH_STAT_INVALID, "packets with an invalid SA"); 188 AHSTAT(AH_STAT_TOOBIG, "packets too big"); 189 AHSTAT(AH_STAT_PDROPS, "packets blocked due to policy"); 190 AHSTAT(AH_STAT_CRYPTO, "failed crypto requests"); 191 AHSTAT(AH_STAT_TUNNEL, "tunnel sanity check failures"); 192 193 printf("\tah histogram:\n"); 194 for (i = 0; i < AH_ALG_MAX; i++) 195 if (ahstats[AH_STAT_HIST + i]) 196 printf("\t\tah packets with %s: %"PRIu64"\n", 197 algname(i, ahalgs, __arraycount(ahalgs)), 198 ahstats[AH_STAT_HIST + i]); 199 AHSTAT(AH_STAT_IBYTES, "bytes received"); 200 AHSTAT(AH_STAT_OBYTES, "bytes transmitted"); 201 #undef AHSTAT 202 203 printf("\tesp:\n"); 204 #define ESPSTAT(x, fmt) \ 205 if (espstats[x] || sflag <= 1) \ 206 printf("\t\t%"PRIu64" esp " fmt "\n", espstats[x]) 207 208 ESPSTAT(ESP_STAT_INPUT, "input packets processed"); 209 ESPSTAT(ESP_STAT_OUTPUT, "output packets processed"); 210 ESPSTAT(ESP_STAT_HDROPS, "headers too short"); 211 ESPSTAT(ESP_STAT_NOPF, "headers for unsupported address family"); 212 ESPSTAT(ESP_STAT_NOTDB, "packets with no SA"); 213 ESPSTAT(ESP_STAT_BADKCR, 214 "packets dropped by crypto returning NULL mbuf"); 215 ESPSTAT(ESP_STAT_QFULL, "packets dropped due to queue full"); 216 ESPSTAT(ESP_STAT_NOXFORM, "packets with no xform"); 217 ESPSTAT(ESP_STAT_BADILEN, "packets with bad ilen"); 218 ESPSTAT(ESP_STAT_BADENC, "packets with bad encryption"); 219 ESPSTAT(ESP_STAT_BADAUTH, "packets with bad authentication"); 220 ESPSTAT(ESP_STAT_WRAP, "packets dropped for replay counter wrap"); 221 ESPSTAT(ESP_STAT_REPLAY, "packets dropped for possible replay"); 222 ESPSTAT(ESP_STAT_INVALID, "packets with an invalid SA"); 223 ESPSTAT(ESP_STAT_TOOBIG, "packets too big"); 224 ESPSTAT(ESP_STAT_PDROPS, "packets blocked due to policy"); 225 ESPSTAT(ESP_STAT_CRYPTO, "failed crypto requests"); 226 ESPSTAT(ESP_STAT_TUNNEL, "tunnel sanity check failures"); 227 printf("\tesp histogram:\n"); 228 for (i = 0; i < ESP_ALG_MAX; i++) 229 if (espstats[ESP_STAT_HIST + i]) 230 printf("\t\tesp packets with %s: %"PRIu64"\n", 231 algname(i, espalgs, __arraycount(espalgs)), 232 espstats[ESP_STAT_HIST + i]); 233 ESPSTAT(ESP_STAT_IBYTES, "bytes received"); 234 ESPSTAT(ESP_STAT_OBYTES, "bytes transmitted"); 235 #undef ESPSTAT 236 printf("\tipip:\n"); 237 238 #define IPIPSTAT(x, fmt) \ 239 if (ipips[x] || sflag <= 1) \ 240 printf("\t\t%"PRIu64" ipip " fmt "\n", ipips[x]) 241 242 IPIPSTAT(IPIP_STAT_IPACKETS, "total input packets"); 243 IPIPSTAT(IPIP_STAT_OPACKETS, "total output packets"); 244 IPIPSTAT(IPIP_STAT_HDROPS, "packets too short for header length"); 245 IPIPSTAT(IPIP_STAT_QFULL, "packets dropped due to queue full"); 246 IPIPSTAT(IPIP_STAT_PDROPS, "packets blocked due to policy"); 247 IPIPSTAT(IPIP_STAT_SPOOF, "IP spoofing attempts"); 248 IPIPSTAT(IPIP_STAT_FAMILY, "protocol family mismatched"); 249 IPIPSTAT(IPIP_STAT_UNSPEC, "missing tunnel-endpoint address"); 250 IPIPSTAT(IPIP_STAT_IBYTES, "input bytes received"); 251 IPIPSTAT(IPIP_STAT_OBYTES, "output bytes processed"); 252 #undef IPIPSTAT 253 254 printf("\tipcomp:\n"); 255 #define IPCOMP(x, fmt) \ 256 if (ipcs[x] || sflag <= 1) \ 257 printf("\t\t%"PRIu64" ipcomp " fmt "\n", ipcs[x]) 258 259 IPCOMP(IPCOMP_STAT_HDROPS, "packets too short for header length"); 260 IPCOMP(IPCOMP_STAT_NOPF, "protocol family not supported"); 261 IPCOMP(IPCOMP_STAT_NOTDB, "packets with no SA"); 262 IPCOMP(IPCOMP_STAT_BADKCR, 263 "packets dropped by crypto returning NULL mbuf"); 264 IPCOMP(IPCOMP_STAT_QFULL, "queue full"); 265 IPCOMP(IPCOMP_STAT_NOXFORM, "no support for transform"); 266 IPCOMP(IPCOMP_STAT_WRAP, "packets dropped for replay counter wrap"); 267 IPCOMP(IPCOMP_STAT_INPUT, "input IPcomp packets"); 268 IPCOMP(IPCOMP_STAT_OUTPUT, "output IPcomp packets"); 269 IPCOMP(IPCOMP_STAT_INVALID, "packets with an invalid SA"); 270 IPCOMP(IPCOMP_STAT_TOOBIG, "packets decompressed as too big"); 271 IPCOMP(IPCOMP_STAT_MINLEN, "packets too short to be compressed"); 272 IPCOMP(IPCOMP_STAT_USELESS,"packet for which compression was useless"); 273 IPCOMP(IPCOMP_STAT_PDROPS, "packets blocked due to policy"); 274 IPCOMP(IPCOMP_STAT_CRYPTO, "failed crypto requests"); 275 276 printf("\tipcomp histogram:\n"); 277 for (i = 0; i < IPCOMP_ALG_MAX; i++) 278 if (ipcs[IPCOMP_STAT_HIST + i]) 279 printf("\t\tIPcomp packets with %s: %"PRIu64"\n", 280 algname(i, ipcompalgs, __arraycount(ipcompalgs)), 281 ipcs[IPCOMP_STAT_HIST + i]); 282 IPCOMP(IPCOMP_STAT_IBYTES, "input bytes"); 283 IPCOMP(IPCOMP_STAT_OBYTES, "output bytes"); 284 #undef IPCOMP 285 } 286
Indexes created Wed Sep 24 14:09:57 GMT 2025