1 /* $NetBSD: fast_ipsec.c,v 1.23 2019/08/18 04:14:40 kamil Exp $ */ 2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ 3 4 /*- 5 * Copyright (c) 2003, 2004 Jonathan Stone 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ 31 */ 32 33 #include <sys/cdefs.h> 34 #ifndef lint 35 #ifdef __NetBSD__ 36 __RCSID("$NetBSD: fast_ipsec.c,v 1.23 2019/08/18 04:14:40 kamil Exp $"); 37 #endif 38 #endif /* not lint*/ 39 40 /* Kernel headers required, but not included, by netstat.h */ 41 #include <sys/types.h> 42 #include <sys/socket.h> 43 44 /* Kernel headers for sysctl(3). */ 45 #include <sys/param.h> 46 #include <sys/sysctl.h> 47 48 /* Kernel headers for FAST_IPSEC statistics */ 49 #include <net/pfkeyv2.h> 50 #include <netipsec/esp_var.h> 51 #include <netipsec/ah_var.h> 52 #include <netipsec/ipip_var.h> 53 #include <netipsec/ipcomp_var.h> 54 #include <netipsec/ipsec_var.h> 55 56 #include <machine/int_fmtio.h> 57 58 #include <kvm.h> 59 #include <err.h> 60 #include <errno.h> 61 #include <stdio.h> 62 #include <string.h> 63 64 #include "netstat.h" 65 #include "prog_ops.h" 66 67 /* 68 * Table-driven mapping from SADB algorithm codes to string names. 69 */ 70 struct alg { 71 int a; 72 const char *name; 73 }; 74 75 static const char *ahalgs[] = { AH_ALG_STR }; 76 static const char *espalgs[] = { ESP_ALG_STR }; 77 static const char *ipcompalgs[] = { IPCOMP_ALG_STR }; 78 79 static const char * 80 algname(size_t a, const char *algs[], size_t nalgs) 81 { 82 static char buf[80]; 83 84 if (a < nalgs) 85 return algs[a]; 86 snprintf(buf, sizeof(buf), "alg#%zu", a); 87 return buf; 88 } 89 90 /* 91 * Print the fast_ipsec statistics. 92 * Since NetBSD's netstat(1) seems not to find us for "netstat -s", 93 * but does(?) find KAME, be prepared to be called explicitly from 94 * netstat's main program for "netstat -s"; but silently do nothing 95 * if that happens when we are running on KAME IPsec. 96 */ 97 void 98 fast_ipsec_stats(u_long off, const char *name) 99 { 100 uint64_t ipsecstats[IPSEC_NSTATS]; 101 uint64_t ahstats[AH_NSTATS]; 102 uint64_t espstats[ESP_NSTATS]; 103 uint64_t ipcs[IPCOMP_NSTATS]; 104 uint64_t ipips[IPIP_NSTATS]; 105 int status; 106 size_t slen, i; 107 108 if (! use_sysctl) { 109 warnx("IPsec stats not available via KVM."); 110 return; 111 } 112 113 memset(ipsecstats, 0, sizeof(ipsecstats)); 114 memset(ahstats, 0, sizeof(ahstats)); 115 memset(espstats, 0, sizeof(espstats)); 116 memset(ipcs, 0, sizeof(ipcs)); 117 memset(ipips, 0, sizeof(ipips)); 118 119 slen = sizeof(ipsecstats); 120 status = prog_sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen, 121 NULL, 0); 122 if (status < 0) { 123 if (errno == ENOENT) 124 return; 125 if (errno != ENOMEM) 126 err(1, "net.inet.ipsec.ipsecstats"); 127 } 128 129 slen = sizeof (ahstats); 130 status = prog_sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0); 131 if (status < 0 && errno != ENOMEM) 132 err(1, "net.inet.ah.ah_stats"); 133 134 slen = sizeof (espstats); 135 status = prog_sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0); 136 if (status < 0 && errno != ENOMEM) 137 err(1, "net.inet.esp.esp_stats"); 138 139 slen = sizeof(ipcs); 140 status = prog_sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0); 141 if (status < 0 && errno != ENOMEM) 142 err(1, "net.inet.ipcomp.ipcomp_stats"); 143 144 slen = sizeof(ipips); 145 status = prog_sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0); 146 if (status < 0 && errno != ENOMEM) 147 err(1, "net.inet.ipip.ipip_stats"); 148 149 printf("%s:\n", name); 150 151 #define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x) 152 if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO]) 153 printf("\t%"PRIu64" policy violations: %"PRIu64" input %"PRIu64" output\n", 154 ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO], 155 ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]); 156 STAT(ipsecstats[IPSEC_STAT_OUT_NOSA], "no SA found (output)"); 157 STAT(ipsecstats[IPSEC_STAT_OUT_NOMEM], "no memory available (output)"); 158 STAT(ipsecstats[IPSEC_STAT_OUT_NOROUTE], "no route available (output)"); 159 STAT(ipsecstats[IPSEC_STAT_OUT_INVAL], "generic errors (output)"); 160 STAT(ipsecstats[IPSEC_STAT_OUT_BUNDLESA], "bundled SA processed (output)"); 161 STAT(ipsecstats[IPSEC_STAT_SPDCACHELOOKUP], "SPD cache lookups"); 162 STAT(ipsecstats[IPSEC_STAT_SPDCACHEMISS], "SPD cache misses"); 163 #undef STAT 164 165 printf("\tah:\n"); 166 #define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t\t%"PRIu64" ah " fmt "\n", x) 167 AHSTAT(ahstats[AH_STAT_INPUT], "input packets processed"); 168 AHSTAT(ahstats[AH_STAT_OUTPUT], "output packets processed"); 169 AHSTAT(ahstats[AH_STAT_HDROPS], "headers too short"); 170 AHSTAT(ahstats[AH_STAT_NOPF], "headers for unsupported address family"); 171 AHSTAT(ahstats[AH_STAT_NOTDB], "packets with no SA"); 172 AHSTAT(ahstats[AH_STAT_BADKCR], "packets dropped by crypto returning NULL mbuf"); 173 AHSTAT(ahstats[AH_STAT_BADAUTH], "packets with bad authentication"); 174 AHSTAT(ahstats[AH_STAT_NOXFORM], "packets with no xform"); 175 AHSTAT(ahstats[AH_STAT_QFULL], "packets dropped due to queue full"); 176 AHSTAT(ahstats[AH_STAT_WRAP], "packets dropped for replay counter wrap"); 177 AHSTAT(ahstats[AH_STAT_REPLAY], "packets dropped for possible replay"); 178 AHSTAT(ahstats[AH_STAT_BADAUTHL],"packets dropped for bad authenticator length"); 179 AHSTAT(ahstats[AH_STAT_INVALID], "packets with an invalid SA"); 180 AHSTAT(ahstats[AH_STAT_TOOBIG], "packets too big"); 181 AHSTAT(ahstats[AH_STAT_PDROPS], "packets blocked due to policy"); 182 AHSTAT(ahstats[AH_STAT_CRYPTO], "failed crypto requests"); 183 AHSTAT(ahstats[AH_STAT_TUNNEL], "tunnel sanity check failures"); 184 185 printf("\tah histogram:\n"); 186 for (i = 0; i < AH_ALG_MAX; i++) 187 if (ahstats[AH_STAT_HIST + i]) 188 printf("\t\tah packets with %s: %"PRIu64"\n" 189 , algname(i, ahalgs, __arraycount(ahalgs)) 190 , ahstats[AH_STAT_HIST + i] 191 ); 192 AHSTAT(ahstats[AH_STAT_IBYTES], "bytes received"); 193 AHSTAT(ahstats[AH_STAT_OBYTES], "bytes transmitted"); 194 #undef AHSTAT 195 196 printf("\tesp:\n"); 197 #define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t\t%"PRIu64" esp " fmt "\n", x) 198 ESPSTAT(espstats[ESP_STAT_INPUT],"input packets processed"); 199 ESPSTAT(espstats[ESP_STAT_OUTPUT],"output packets processed"); 200 ESPSTAT(espstats[ESP_STAT_HDROPS],"headers too short"); 201 ESPSTAT(espstats[ESP_STAT_NOPF], "headers for unsupported address family"); 202 ESPSTAT(espstats[ESP_STAT_NOTDB],"packets with no SA"); 203 ESPSTAT(espstats[ESP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 204 ESPSTAT(espstats[ESP_STAT_QFULL],"packets dropped due to queue full"); 205 ESPSTAT(espstats[ESP_STAT_NOXFORM],"packets with no xform"); 206 ESPSTAT(espstats[ESP_STAT_BADILEN],"packets with bad ilen"); 207 ESPSTAT(espstats[ESP_STAT_BADENC],"packets with bad encryption"); 208 ESPSTAT(espstats[ESP_STAT_BADAUTH],"packets with bad authentication"); 209 ESPSTAT(espstats[ESP_STAT_WRAP], "packets dropped for replay counter wrap"); 210 ESPSTAT(espstats[ESP_STAT_REPLAY],"packets dropped for possible replay"); 211 ESPSTAT(espstats[ESP_STAT_INVALID],"packets with an invalid SA"); 212 ESPSTAT(espstats[ESP_STAT_TOOBIG],"packets too big"); 213 ESPSTAT(espstats[ESP_STAT_PDROPS],"packets blocked due to policy"); 214 ESPSTAT(espstats[ESP_STAT_CRYPTO],"failed crypto requests"); 215 ESPSTAT(espstats[ESP_STAT_TUNNEL],"tunnel sanity check failures"); 216 printf("\tesp histogram:\n"); 217 for (i = 0; i < ESP_ALG_MAX; i++) 218 if (espstats[ESP_STAT_HIST + i]) 219 printf("\t\tesp packets with %s: %"PRIu64"\n" 220 , algname(i, espalgs, __arraycount(espalgs)) 221 , espstats[ESP_STAT_HIST + i] 222 ); 223 ESPSTAT(espstats[ESP_STAT_IBYTES], "bytes received"); 224 ESPSTAT(espstats[ESP_STAT_OBYTES], "bytes transmitted"); 225 #undef ESPSTAT 226 printf("\tipip:\n"); 227 228 #define IPIPSTAT(x,fmt) \ 229 if ((x) || sflag <= 1) printf("\t\t%"PRIu64" ipip " fmt "\n", x) 230 IPIPSTAT(ipips[IPIP_STAT_IPACKETS],"total input packets"); 231 IPIPSTAT(ipips[IPIP_STAT_OPACKETS],"total output packets"); 232 IPIPSTAT(ipips[IPIP_STAT_HDROPS],"packets too short for header length"); 233 IPIPSTAT(ipips[IPIP_STAT_QFULL],"packets dropped due to queue full"); 234 IPIPSTAT(ipips[IPIP_STAT_PDROPS],"packets blocked due to policy"); 235 IPIPSTAT(ipips[IPIP_STAT_SPOOF],"IP spoofing attempts"); 236 IPIPSTAT(ipips[IPIP_STAT_FAMILY],"protocol family mismatched"); 237 IPIPSTAT(ipips[IPIP_STAT_UNSPEC],"missing tunnel-endpoint address"); 238 IPIPSTAT(ipips[IPIP_STAT_IBYTES],"input bytes received"); 239 IPIPSTAT(ipips[IPIP_STAT_OBYTES],"output bytes processed"); 240 #undef IPIPSTAT 241 242 printf("\tipcomp:\n"); 243 #define IPCOMP(x,fmt) \ 244 if ((x) || sflag <= 1) printf("\t\t%"PRIu64" ipcomp " fmt "\n", x) 245 246 IPCOMP(ipcs[IPCOMP_STAT_HDROPS],"packets too short for header length"); 247 IPCOMP(ipcs[IPCOMP_STAT_NOPF], "protocol family not supported"); 248 IPCOMP(ipcs[IPCOMP_STAT_NOTDB], "packets with no SA"); 249 IPCOMP(ipcs[IPCOMP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 250 IPCOMP(ipcs[IPCOMP_STAT_QFULL], "queue full"); 251 IPCOMP(ipcs[IPCOMP_STAT_NOXFORM],"no support for transform"); 252 IPCOMP(ipcs[IPCOMP_STAT_WRAP], "packets dropped for replay counter wrap"); 253 IPCOMP(ipcs[IPCOMP_STAT_INPUT], "input IPcomp packets"); 254 IPCOMP(ipcs[IPCOMP_STAT_OUTPUT],"output IPcomp packets"); 255 IPCOMP(ipcs[IPCOMP_STAT_INVALID],"packets with an invalid SA"); 256 IPCOMP(ipcs[IPCOMP_STAT_TOOBIG],"packets decompressed as too big"); 257 IPCOMP(ipcs[IPCOMP_STAT_MINLEN], "packets too short to be compressed"); 258 IPCOMP(ipcs[IPCOMP_STAT_USELESS],"packet for which compression was useless"); 259 IPCOMP(ipcs[IPCOMP_STAT_PDROPS],"packets blocked due to policy"); 260 IPCOMP(ipcs[IPCOMP_STAT_CRYPTO],"failed crypto requests"); 261 262 printf("\tipcomp histogram:\n"); 263 for (i = 0; i < IPCOMP_ALG_MAX; i++) 264 if (ipcs[IPCOMP_STAT_HIST + i]) 265 printf("\t\tIPcomp packets with %s: %"PRIu64"\n" 266 , algname(i, ipcompalgs, __arraycount(ipcompalgs)) 267 , ipcs[IPCOMP_STAT_HIST + i] 268 ); 269 IPCOMP(ipcs[IPCOMP_STAT_IBYTES],"input bytes"); 270 IPCOMP(ipcs[IPCOMP_STAT_OBYTES],"output bytes"); 271 #undef IPCOMP 272 } 273