/* $NetBSD: fast_ipsec.c,v 1.22.8.2 2022/09/12 14:23:41 martin Exp $ */ /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ /*- * Copyright (c) 2003, 2004 Jonathan Stone * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ #include #ifndef lint #ifdef __NetBSD__ __RCSID("$NetBSD: fast_ipsec.c,v 1.22.8.2 2022/09/12 14:23:41 martin Exp $"); #endif #endif /* not lint*/ /* Kernel headers required, but not included, by netstat.h */ #include #include /* Kernel headers for sysctl(3). */ #include #include /* Kernel headers for FAST_IPSEC statistics */ #include #include #include #include #include #include #include #include #include #include #include #include #include "netstat.h" #include "prog_ops.h" /* * Table-driven mapping from SADB algorithm codes to string names. */ struct alg { int a; const char *name; }; static const char *ahalgs[] = { AH_ALG_STR }; static const char *espalgs[] = { ESP_ALG_STR }; static const char *ipcompalgs[] = { IPCOMP_ALG_STR }; static const char * algname(size_t a, const char *algs[], size_t nalgs) { static char buf[80]; if (a < nalgs) return algs[a]; snprintf(buf, sizeof(buf), "alg#%zu", a); return buf; } /* * Print the fast_ipsec statistics. * Since NetBSD's netstat(1) seems not to find us for "netstat -s", * but does(?) find KAME, be prepared to be called explicitly from * netstat's main program for "netstat -s"; but silently do nothing * if that happens when we are running on KAME IPsec. */ void fast_ipsec_stats(u_long off, const char *name) { uint64_t ipsecstats[IPSEC_NSTATS]; uint64_t ahstats[AH_NSTATS]; uint64_t espstats[ESP_NSTATS]; uint64_t ipcs[IPCOMP_NSTATS]; uint64_t ipips[IPIP_NSTATS]; int status; size_t slen, i; if (! use_sysctl) { warnx("IPsec stats not available via KVM."); return; } memset(ipsecstats, 0, sizeof(ipsecstats)); memset(ahstats, 0, sizeof(ahstats)); memset(espstats, 0, sizeof(espstats)); memset(ipcs, 0, sizeof(ipcs)); memset(ipips, 0, sizeof(ipips)); slen = sizeof(ipsecstats); status = prog_sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen, NULL, 0); if (status < 0) { if (errno == ENOENT) return; if (errno != ENOMEM) err(1, "net.inet.ipsec.ipsecstats"); } slen = sizeof (ahstats); status = prog_sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0); if (status < 0 && errno != ENOMEM) err(1, "net.inet.ah.ah_stats"); slen = sizeof (espstats); status = prog_sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0); if (status < 0 && errno != ENOMEM) err(1, "net.inet.esp.esp_stats"); slen = sizeof(ipcs); status = prog_sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0); if (status < 0 && errno != ENOMEM) err(1, "net.inet.ipcomp.ipcomp_stats"); slen = sizeof(ipips); status = prog_sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0); if (status < 0 && errno != ENOMEM) err(1, "net.inet.ipip.ipip_stats"); printf("%s:\n", name); #define STAT(x, fmt) \ if (ipsecstats[x] || sflag <= 1) \ printf("\t%"PRIu64" " fmt "\n", ipsecstats[x]) if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO]) printf("\t%"PRIu64" policy violations: %"PRIu64" input %" PRIu64" output\n", ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO], ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]); STAT(IPSEC_STAT_OUT_NOSA, "no SA found (output)"); STAT(IPSEC_STAT_OUT_NOMEM, "no memory available (output)"); STAT(IPSEC_STAT_OUT_NOROUTE, "no route available (output)"); STAT(IPSEC_STAT_OUT_INVAL, "generic errors (output)"); STAT(IPSEC_STAT_OUT_BUNDLESA, "bundled SA processed (output)"); STAT(IPSEC_STAT_SPDCACHELOOKUP, "SPD cache lookups"); STAT(IPSEC_STAT_SPDCACHEMISS, "SPD cache misses"); #undef STAT printf("\tah:\n"); #define AHSTAT(x, fmt) \ if (ahstats[x] || sflag <= 1) \ printf("\t\t%"PRIu64" ah " fmt "\n", ahstats[x]) AHSTAT(AH_STAT_INPUT, "input packets processed"); AHSTAT(AH_STAT_OUTPUT, "output packets processed"); AHSTAT(AH_STAT_HDROPS, "headers too short"); AHSTAT(AH_STAT_NOPF, "headers for unsupported address family"); AHSTAT(AH_STAT_NOTDB, "packets with no SA"); AHSTAT(AH_STAT_BADKCR, "packets dropped by crypto returning NULL mbuf"); AHSTAT(AH_STAT_BADAUTH, "packets with bad authentication"); AHSTAT(AH_STAT_NOXFORM, "packets with no xform"); AHSTAT(AH_STAT_QFULL, "packets dropped due to queue full"); AHSTAT(AH_STAT_WRAP, "packets dropped for replay counter wrap"); AHSTAT(AH_STAT_REPLAY, "packets dropped for possible replay"); AHSTAT(AH_STAT_BADAUTHL, "packets dropped for bad authenticator length"); AHSTAT(AH_STAT_INVALID, "packets with an invalid SA"); AHSTAT(AH_STAT_TOOBIG, "packets too big"); AHSTAT(AH_STAT_PDROPS, "packets blocked due to policy"); AHSTAT(AH_STAT_CRYPTO, "failed crypto requests"); AHSTAT(AH_STAT_TUNNEL, "tunnel sanity check failures"); printf("\tah histogram:\n"); for (i = 0; i < AH_ALG_MAX; i++) if (ahstats[AH_STAT_HIST + i]) printf("\t\tah packets with %s: %"PRIu64"\n", algname(i, ahalgs, __arraycount(ahalgs)), ahstats[AH_STAT_HIST + i]); AHSTAT(AH_STAT_IBYTES, "bytes received"); AHSTAT(AH_STAT_OBYTES, "bytes transmitted"); #undef AHSTAT printf("\tesp:\n"); #define ESPSTAT(x, fmt) \ if (espstats[x] || sflag <= 1) \ printf("\t\t%"PRIu64" esp " fmt "\n", espstats[x]) ESPSTAT(ESP_STAT_INPUT, "input packets processed"); ESPSTAT(ESP_STAT_OUTPUT, "output packets processed"); ESPSTAT(ESP_STAT_HDROPS, "headers too short"); ESPSTAT(ESP_STAT_NOPF, "headers for unsupported address family"); ESPSTAT(ESP_STAT_NOTDB, "packets with no SA"); ESPSTAT(ESP_STAT_BADKCR, "packets dropped by crypto returning NULL mbuf"); ESPSTAT(ESP_STAT_QFULL, "packets dropped due to queue full"); ESPSTAT(ESP_STAT_NOXFORM, "packets with no xform"); ESPSTAT(ESP_STAT_BADILEN, "packets with bad ilen"); ESPSTAT(ESP_STAT_BADENC, "packets with bad encryption"); ESPSTAT(ESP_STAT_BADAUTH, "packets with bad authentication"); ESPSTAT(ESP_STAT_WRAP, "packets dropped for replay counter wrap"); ESPSTAT(ESP_STAT_REPLAY, "packets dropped for possible replay"); ESPSTAT(ESP_STAT_INVALID, "packets with an invalid SA"); ESPSTAT(ESP_STAT_TOOBIG, "packets too big"); ESPSTAT(ESP_STAT_PDROPS, "packets blocked due to policy"); ESPSTAT(ESP_STAT_CRYPTO, "failed crypto requests"); ESPSTAT(ESP_STAT_TUNNEL, "tunnel sanity check failures"); printf("\tesp histogram:\n"); for (i = 0; i < ESP_ALG_MAX; i++) if (espstats[ESP_STAT_HIST + i]) printf("\t\tesp packets with %s: %"PRIu64"\n", algname(i, espalgs, __arraycount(espalgs)), espstats[ESP_STAT_HIST + i]); ESPSTAT(ESP_STAT_IBYTES, "bytes received"); ESPSTAT(ESP_STAT_OBYTES, "bytes transmitted"); #undef ESPSTAT printf("\tipip:\n"); #define IPIPSTAT(x, fmt) \ if (ipips[x] || sflag <= 1) \ printf("\t\t%"PRIu64" ipip " fmt "\n", ipips[x]) IPIPSTAT(IPIP_STAT_IPACKETS, "total input packets"); IPIPSTAT(IPIP_STAT_OPACKETS, "total output packets"); IPIPSTAT(IPIP_STAT_HDROPS, "packets too short for header length"); IPIPSTAT(IPIP_STAT_QFULL, "packets dropped due to queue full"); IPIPSTAT(IPIP_STAT_PDROPS, "packets blocked due to policy"); IPIPSTAT(IPIP_STAT_SPOOF, "IP spoofing attempts"); IPIPSTAT(IPIP_STAT_FAMILY, "protocol family mismatched"); IPIPSTAT(IPIP_STAT_UNSPEC, "missing tunnel-endpoint address"); IPIPSTAT(IPIP_STAT_IBYTES, "input bytes received"); IPIPSTAT(IPIP_STAT_OBYTES, "output bytes processed"); #undef IPIPSTAT printf("\tipcomp:\n"); #define IPCOMP(x, fmt) \ if (ipcs[x] || sflag <= 1) \ printf("\t\t%"PRIu64" ipcomp " fmt "\n", ipcs[x]) IPCOMP(IPCOMP_STAT_HDROPS, "packets too short for header length"); IPCOMP(IPCOMP_STAT_NOPF, "protocol family not supported"); IPCOMP(IPCOMP_STAT_NOTDB, "packets with no SA"); IPCOMP(IPCOMP_STAT_BADKCR, "packets dropped by crypto returning NULL mbuf"); IPCOMP(IPCOMP_STAT_QFULL, "queue full"); IPCOMP(IPCOMP_STAT_NOXFORM, "no support for transform"); IPCOMP(IPCOMP_STAT_WRAP, "packets dropped for replay counter wrap"); IPCOMP(IPCOMP_STAT_INPUT, "input IPcomp packets"); IPCOMP(IPCOMP_STAT_OUTPUT, "output IPcomp packets"); IPCOMP(IPCOMP_STAT_INVALID, "packets with an invalid SA"); IPCOMP(IPCOMP_STAT_TOOBIG, "packets decompressed as too big"); IPCOMP(IPCOMP_STAT_MINLEN, "packets too short to be compressed"); IPCOMP(IPCOMP_STAT_USELESS,"packet for which compression was useless"); IPCOMP(IPCOMP_STAT_PDROPS, "packets blocked due to policy"); IPCOMP(IPCOMP_STAT_CRYPTO, "failed crypto requests"); printf("\tipcomp histogram:\n"); for (i = 0; i < IPCOMP_ALG_MAX; i++) if (ipcs[IPCOMP_STAT_HIST + i]) printf("\t\tIPcomp packets with %s: %"PRIu64"\n", algname(i, ipcompalgs, __arraycount(ipcompalgs)), ipcs[IPCOMP_STAT_HIST + i]); IPCOMP(IPCOMP_STAT_IBYTES, "input bytes"); IPCOMP(IPCOMP_STAT_OBYTES, "output bytes"); #undef IPCOMP }