1 /* $NetBSD: fast_ipsec.c,v 1.6 2004/07/17 16:36:39 atatat Exp $ */ 2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ 3 4 /*- 5 * Copyright (c) 2003, 2004 Jonathan Stone 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ 31 */ 32 33 #include <sys/cdefs.h> 34 #ifndef lint 35 #ifdef __NetBSD__ 36 __RCSID("$NetBSD: fast_ipsec.c,v 1.6 2004/07/17 16:36:39 atatat Exp $"); 37 #endif 38 #endif /* not lint*/ 39 40 /* Kernel headers required, but not included, by netstat.h */ 41 #include <sys/types.h> 42 #include <sys/socket.h> 43 44 /* Kernel headers for sysctl(3). */ 45 #include <sys/param.h> 46 #include <sys/sysctl.h> 47 48 /* Kernel headers for FAST_IPSEC statistics */ 49 #include <net/pfkeyv2.h> 50 #include <netipsec/esp_var.h> 51 #include <netipsec/ah_var.h> 52 #include <netipsec/ipip_var.h> 53 #include <netipsec/ipcomp_var.h> 54 #include <netipsec/ipsec_var.h> 55 #include <netipsec/keydb.h> 56 57 #include <machine/int_fmtio.h> 58 59 #include <err.h> 60 #include <errno.h> 61 #include <stdio.h> 62 #include <string.h> 63 64 #include "netstat.h" 65 66 /* 67 * Cache the check to see if we have fast_ipsec so that we don't 68 * have to go to the kernel repeatedly. 69 */ 70 static int 71 have_fast_ipsec(void) 72 { 73 static int haveit = -1; 74 75 if (haveit == -1) { 76 if (sysctlbyname("net.inet.ipsec.ipsecstats", NULL, NULL, 77 NULL, 0) == -1) 78 haveit = 0; 79 else 80 haveit = 1; 81 } 82 83 return (haveit); 84 } 85 86 /* 87 * Dispatch between fetching and printing (KAME) IPsec statistics, 88 * and FAST_IPSEC statistics, so the rest of netstat need not know 89 * about the vagaries of the two implementations. 90 */ 91 void 92 ipsec_switch(u_long off, char * name) 93 { 94 95 if (have_fast_ipsec()) 96 return fast_ipsec_stats(off, name); 97 98 return ipsec_stats(off, name); 99 } 100 101 102 /* 103 * Table-driven mapping from SADB algorithm codes to string names. 104 */ 105 struct alg { 106 int a; 107 const char *name; 108 }; 109 static const struct alg aalgs[] = { 110 { SADB_AALG_NONE, "none", }, 111 { SADB_AALG_MD5HMAC, "hmac-md5", }, 112 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 113 { SADB_X_AALG_MD5, "md5", }, 114 { SADB_X_AALG_SHA, "sha", }, 115 { SADB_X_AALG_NULL, "null", }, 116 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 117 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 118 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 119 }; 120 static const struct alg espalgs[] = { 121 { SADB_EALG_NONE, "none", }, 122 { SADB_EALG_DESCBC, "des-cbc", }, 123 { SADB_EALG_3DESCBC, "3des-cbc", }, 124 { SADB_EALG_NULL, "null", }, 125 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 126 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 127 { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", }, 128 }; 129 static const struct alg ipcompalgs[] = { 130 { SADB_X_CALG_NONE, "none", }, 131 { SADB_X_CALG_OUI, "oui", }, 132 { SADB_X_CALG_DEFLATE, "deflate", }, 133 { SADB_X_CALG_LZS, "lzs", }, 134 }; 135 #define N(a) (sizeof(a)/sizeof(a[0])) 136 137 static const char* 138 algname(int a, const struct alg algs[], int nalgs) 139 { 140 static char buf[80]; 141 int i; 142 143 for (i = 0; i < nalgs; i++) 144 if (algs[i].a == a) 145 return algs[i].name; 146 snprintf(buf, sizeof(buf), "alg#%u", a); 147 return buf; 148 } 149 150 /* 151 * Print the fast_ipsec statistics. 152 * Since NetBSD's netstat(1) seems not to find us for "netstat -s", 153 * but does(?) find KAME, be prepared to be called explicitly from 154 * netstat's main program for "netstat -s"; but silently do nothing 155 * if that happens when we are running on KAME IPsec. 156 */ 157 void 158 fast_ipsec_stats(u_long off, char *name) 159 { 160 struct newipsecstat ipsecstats; 161 struct ahstat ahstats; 162 struct espstat espstats; 163 struct ipcompstat ipcs; 164 struct ipipstat ipips; 165 int status; 166 size_t slen; 167 int i; 168 169 memset(&ipsecstats, 0, sizeof(ipsecstats)); 170 memset(&ahstats, 0, sizeof(ahstats)); 171 memset(&espstats, 0, sizeof(espstats)); 172 memset(&ipcs, 0, sizeof(ipcs)); 173 memset(&ipips, 0, sizeof(ipips)); 174 175 /* silence check */ 176 if (!have_fast_ipsec()) 177 return; 178 179 slen = sizeof(ipsecstats); 180 status = sysctlbyname("net.inet.ipsec.ipsecstats", &ipsecstats, &slen, 181 NULL, 0); 182 if (status < 0 && errno != ENOMEM) 183 err(1, "net.inet.ipsec.ipsecstats"); 184 185 slen = sizeof (ahstats); 186 status = sysctlbyname("net.inet.ah.ah_stats", &ahstats, &slen, NULL, 0); 187 if (status < 0 && errno != ENOMEM) 188 err(1, "net.inet.ah.ah_stats"); 189 190 slen = sizeof (espstats); 191 status = sysctlbyname("net.inet.esp.esp_stats", &espstats, &slen, NULL, 0); 192 if (status < 0 && errno != ENOMEM) 193 err(1, "net.inet.esp.esp_stats"); 194 195 slen = sizeof(ipcs); 196 status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", &ipcs, &slen, NULL, 0); 197 if (status < 0 && errno != ENOMEM) 198 err(1, "net.inet.ipcomp.ipcomp_stats"); 199 200 slen = sizeof(ipips); 201 status = sysctlbyname("net.inet.ipip.ipip_stats", &ipips, &slen, NULL, 0); 202 if (status < 0 && errno != ENOMEM) 203 err(1, "net.inet.ipip.ipip_stats"); 204 205 printf("(Fast) IPsec:\n"); 206 207 #define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x) 208 if (ipsecstats.ips_in_polvio+ipsecstats.ips_out_polvio) 209 printf("\t%"PRIu64" policy violations: %"PRIu64" input %"PRIu64" output\n", 210 ipsecstats.ips_in_polvio + ipsecstats.ips_out_polvio, 211 ipsecstats.ips_in_polvio, ipsecstats.ips_out_polvio); 212 STAT(ipsecstats.ips_out_nosa, "no SA found (output)"); 213 STAT(ipsecstats.ips_out_nomem, "no memory available (output)"); 214 STAT(ipsecstats.ips_out_noroute, "no route available (output)"); 215 STAT(ipsecstats.ips_out_inval, "generic errors (output)"); 216 STAT(ipsecstats.ips_out_bundlesa, "bundled SA processed (output)"); 217 STAT(ipsecstats.ips_spdcache_lookup, "SPD cache lookups"); 218 STAT(ipsecstats.ips_spdcache_lookup, "SPD cache misses"); 219 #undef STAT 220 printf("\n"); 221 222 printf("IPsec ah:\n"); 223 #define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" ah " fmt "\n", x) 224 AHSTAT(ahstats.ahs_input, "input packets processed"); 225 AHSTAT(ahstats.ahs_output, "output packets processed"); 226 AHSTAT(ahstats.ahs_hdrops, "headers too short"); 227 AHSTAT(ahstats.ahs_nopf, "headers for unsupported address family"); 228 AHSTAT(ahstats.ahs_notdb, "packets with no SA"); 229 AHSTAT(ahstats.ahs_badkcr, "packets dropped by crypto returning NULL mbuf"); 230 AHSTAT(ahstats.ahs_badauth, "packets with bad authentication"); 231 AHSTAT(ahstats.ahs_noxform, "packets with no xform"); 232 AHSTAT(ahstats.ahs_qfull, "packets dropped due to queue full"); 233 AHSTAT(ahstats.ahs_wrap, "packets dropped for replay counter wrap"); 234 AHSTAT(ahstats.ahs_replay, "packets dropped for possible replay"); 235 AHSTAT(ahstats.ahs_badauthl,"packets dropped for bad authenticator length"); 236 AHSTAT(ahstats.ahs_invalid, "packets with an invalid SA"); 237 AHSTAT(ahstats.ahs_toobig, "packets too big"); 238 AHSTAT(ahstats.ahs_pdrops, "packets blocked due to policy"); 239 AHSTAT(ahstats.ahs_crypto, "failed crypto requests"); 240 AHSTAT(ahstats.ahs_tunnel, "tunnel sanity check failures"); 241 242 printf("\tah histogram:\n"); 243 for (i = 0; i < AH_ALG_MAX; i++) 244 if (ahstats.ahs_hist[i]) 245 printf("\t\tah packets with %s: %"PRIu64"\n" 246 , algname(i, aalgs, N(aalgs)) 247 , ahstats.ahs_hist[i] 248 ); 249 AHSTAT(ahstats.ahs_ibytes, "bytes received"); 250 AHSTAT(ahstats.ahs_obytes, "bytes transmitted"); 251 #undef AHSTAT 252 printf("\n"); 253 254 printf("IPsec esp:\n"); 255 #define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" esp " fmt "\n", x) 256 ESPSTAT(espstats.esps_input, "input packets processed"); 257 ESPSTAT(espstats.esps_output, "output packets processed"); 258 ESPSTAT(espstats.esps_hdrops, "headers too short"); 259 ESPSTAT(espstats.esps_nopf, "headers for unsupported address family"); 260 ESPSTAT(espstats.esps_notdb, "packets with no SA"); 261 ESPSTAT(espstats.esps_badkcr, "packets dropped by crypto returning NULL mbuf"); 262 ESPSTAT(espstats.esps_qfull, "packets dropped due to queue full"); 263 ESPSTAT(espstats.esps_noxform, "packets with no xform"); 264 ESPSTAT(espstats.esps_badilen, "packets with bad ilen"); 265 ESPSTAT(espstats.esps_badenc, "packets with bad encryption"); 266 ESPSTAT(espstats.esps_badauth, "packets with bad authentication"); 267 ESPSTAT(espstats.esps_wrap, "packets dropped for replay counter wrap"); 268 ESPSTAT(espstats.esps_replay, "packets dropped for possible replay"); 269 ESPSTAT(espstats.esps_invalid, "packets with an invalid SA"); 270 ESPSTAT(espstats.esps_toobig, "packets too big"); 271 ESPSTAT(espstats.esps_pdrops, "packets blocked due to policy"); 272 ESPSTAT(espstats.esps_crypto, "failed crypto requests"); 273 ESPSTAT(espstats.esps_tunnel, "tunnel sanity check failures"); 274 printf("\tesp histogram:\n"); 275 for (i = 0; i < ESP_ALG_MAX; i++) 276 if (espstats.esps_hist[i]) 277 printf("\t\tesp packets with %s: %"PRIu64"\n" 278 , algname(i, espalgs, N(espalgs)) 279 , espstats.esps_hist[i] 280 ); 281 ESPSTAT(espstats.esps_ibytes, "bytes received"); 282 ESPSTAT(espstats.esps_obytes, "bytes transmitted"); 283 #undef ESPSTAT 284 printf("IPsec ipip:\n"); 285 286 #define IPIPSTAT(x,fmt) \ 287 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipip " fmt "\n", x) 288 IPIPSTAT(ipips.ipips_ipackets, "total input packets"); 289 IPIPSTAT(ipips.ipips_opackets, "total output packets"); 290 IPIPSTAT(ipips.ipips_hdrops, "packets too short for header length"); 291 IPIPSTAT(ipips.ipips_qfull, "packets dropped due to queue full"); 292 IPIPSTAT(ipips.ipips_pdrops, "packets blocked due to policy"); 293 IPIPSTAT(ipips.ipips_spoof, "IP spoofing attempts"); 294 IPIPSTAT(ipips.ipips_family, "protocol family mismatched"); 295 IPIPSTAT(ipips.ipips_unspec, "missing tunnel-endpoint address"); 296 IPIPSTAT(ipips.ipips_ibytes, "input bytes received"); 297 IPIPSTAT(ipips.ipips_obytes, "output bytes processed"); 298 #undef IPIPSTAT 299 300 printf("IPsec ipcomp:\n"); 301 #define IPCOMP(x,fmt) \ 302 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipcomp " fmt "\n", x) 303 304 IPCOMP(ipcs.ipcomps_hdrops, "packets too short for header length"); 305 IPCOMP(ipcs.ipcomps_nopf, "protocol family not supported"); 306 IPCOMP(ipcs.ipcomps_notdb, "not db"); 307 IPCOMP(ipcs.ipcomps_badkcr, "packets dropped by crypto returning NULL mbuf"); 308 IPCOMP(ipcs.ipcomps_qfull, "queue full"); 309 IPCOMP(ipcs.ipcomps_noxform, "no support for transform"); 310 IPCOMP(ipcs.ipcomps_wrap, "packets dropped for replay counter wrap"); 311 IPCOMP(ipcs.ipcomps_input, "input IPcomp packets"); 312 IPCOMP(ipcs.ipcomps_output, "output IPcomp packets"); 313 IPCOMP(ipcs.ipcomps_invalid, "specified an invalid TDB"); 314 IPCOMP(ipcs.ipcomps_toobig, "packets decompressed as too big"); 315 IPCOMP(ipcs.ipcomps_pdrops, "packets blocked due to policy"); 316 IPCOMP(ipcs.ipcomps_crypto, "failed crypto requests"); 317 318 printf("\tIPcomp histogram:\n"); 319 for (i = 0; i < IPCOMP_ALG_MAX; i++) 320 if (ipcs.ipcomps_hist[i]) 321 printf("\t\tIPcomp packets with %s: %"PRIu64"\n" 322 , algname(i, ipcompalgs, N(ipcompalgs)) 323 , ipcs.ipcomps_hist[i] 324 ); 325 IPCOMP(ipcs.ipcomps_ibytes, "input bytes"); 326 IPCOMP(ipcs.ipcomps_obytes, "output bytes"); 327 #undef IPCOMP 328 } 329