1 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */
2
3 /*-
4 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28 /*-
29 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
30 * All rights reserved.
31 *
32 * Redistribution and use in source and binary forms, with or without
33 * modification, are permitted provided that the following conditions
34 * are met:
35 * 1. Redistributions of source code must retain the above copyright
36 * notice, this list of conditions and the following disclaimer.
37 * 2. Redistributions in binary form must reproduce the above copyright
38 * notice, this list of conditions and the following disclaimer in the
39 * documentation and/or other materials provided with the distribution.
40 * 3. Neither the name of the project nor the names of its contributors
41 * may be used to endorse or promote products derived from this software
42 * without specific prior written permission.
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
45 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
47 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
48 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
49 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
50 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
51 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
52 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
53 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
54 * SUCH DAMAGE.
55 */
56 /*-
57 * Copyright (c) 1983, 1988, 1993
58 * The Regents of the University of California. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 * 1. Redistributions of source code must retain the above copyright
64 * notice, this list of conditions and the following disclaimer.
65 * 2. Redistributions in binary form must reproduce the above copyright
66 * notice, this list of conditions and the following disclaimer in the
67 * documentation and/or other materials provided with the distribution.
68 * 4. Neither the name of the University nor the names of its contributors
69 * may be used to endorse or promote products derived from this software
70 * without specific prior written permission.
71 *
72 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
73 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
74 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
75 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
76 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
77 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
78 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
80 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
81 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
82 * SUCH DAMAGE.
83 */
84
85 #if 0
86 #ifndef lint
87 static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95";
88 #endif /* not lint */
89 #endif
90
91 #include <sys/cdefs.h>
92 __FBSDID("$FreeBSD$");
93
94 #include <sys/param.h>
95 #include <sys/queue.h>
96 #include <sys/socket.h>
97 #include <sys/socketvar.h>
98
99 #include <netinet/in.h>
100
101 #ifdef IPSEC
102 #include <netipsec/ipsec.h>
103 #include <netipsec/ah_var.h>
104 #include <netipsec/esp_var.h>
105 #include <netipsec/ipcomp_var.h>
106 #endif
107
108 #include <stdint.h>
109 #include <stdio.h>
110 #include <stdbool.h>
111 #include <string.h>
112 #include <unistd.h>
113 #include <libxo/xo.h>
114 #include "netstat.h"
115
116 #ifdef IPSEC
117 struct val2str {
118 int val;
119 const char *str;
120 };
121
122 static struct val2str ipsec_ahnames[] = {
123 { SADB_AALG_NONE, "none", },
124 { SADB_AALG_MD5HMAC, "hmac-md5", },
125 { SADB_AALG_SHA1HMAC, "hmac-sha1", },
126 { SADB_X_AALG_MD5, "keyed-md5", },
127 { SADB_X_AALG_SHA, "keyed-sha1", },
128 { SADB_X_AALG_NULL, "null", },
129 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
130 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
131 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
132 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
133 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
134 { SADB_X_AALG_TCP_MD5, "tcp-md5", },
135 { SADB_X_AALG_AES128GMAC, "aes-gmac-128", },
136 { SADB_X_AALG_AES192GMAC, "aes-gmac-192", },
137 { SADB_X_AALG_AES256GMAC, "aes-gmac-256", },
138 { -1, NULL },
139 };
140
141 static struct val2str ipsec_espnames[] = {
142 { SADB_EALG_NONE, "none", },
143 { SADB_EALG_DESCBC, "des-cbc", },
144 { SADB_EALG_3DESCBC, "3des-cbc", },
145 { SADB_EALG_NULL, "null", },
146 { SADB_X_EALG_CAST128CBC, "cast128-cbc", },
147 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
148 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
149 { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", },
150 { SADB_X_EALG_AESCTR, "aes-ctr", },
151 { SADB_X_EALG_AESGCM16, "aes-gcm-16", },
152 { SADB_X_EALG_AESGMAC, "aes-gmac", },
153 { -1, NULL },
154 };
155
156 static struct val2str ipsec_compnames[] = {
157 { SADB_X_CALG_NONE, "none", },
158 { SADB_X_CALG_OUI, "oui", },
159 { SADB_X_CALG_DEFLATE, "deflate", },
160 { SADB_X_CALG_LZS, "lzs", },
161 { -1, NULL },
162 };
163
164 static void print_ipsecstats(const struct ipsecstat *ipsecstat);
165
166 static void
print_ipsecstats(const struct ipsecstat * ipsecstat)167 print_ipsecstats(const struct ipsecstat *ipsecstat)
168 {
169 xo_open_container("ipsec-statistics");
170
171 #define p(f, m) if (ipsecstat->f || sflag <= 1) \
172 xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f))
173
174 p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} "
175 "{N:/inbound packet%s violated process security policy}\n");
176 p(ips_in_nomem, "\t{:dropped-no-memory/%ju} "
177 "{N:/inbound packet%s failed due to insufficient memory}\n");
178 p(ips_in_inval, "\t{:dropped-invalid/%ju} "
179 "{N:/invalid inbound packet%s}\n");
180 p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} "
181 "{N:/outbound packet%s violated process security policy}\n");
182 p(ips_out_nosa, "\t{:discarded-no-sa/%ju} "
183 "{N:/outbound packet%s with no SA available}\n");
184 p(ips_out_nomem, "\t{:discarded-no-memory/%ju} "
185 "{N:/outbound packet%s failed due to insufficient memory}\n");
186 p(ips_out_noroute, "\t{:discarded-no-route/%ju} "
187 "{N:/outbound packet%s with no route available}\n");
188 p(ips_out_inval, "\t{:discarded-invalid/%ju} "
189 "{N:/invalid outbound packet%s}\n");
190 p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} "
191 "{N:/outbound packet%s with bundled SAs}\n");
192 p(ips_mbcoalesced, "\t{:mbufs-coalesced-during-clone/%ju} "
193 "{N:/mbuf%s coalesced during clone}\n");
194 p(ips_clcoalesced, "\t{:clusters-coalesced-during-clone/%ju} "
195 "{N:/cluster%s coalesced during clone}\n");
196 p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} "
197 "{N:/cluster%s copied during clone}\n");
198 p(ips_mbinserted, "\t{:mbufs-inserted/%ju} "
199 "{N:/mbuf%s inserted during makespace}\n");
200 #undef p
201 xo_close_container("ipsec-statistics");
202 }
203
204 void
ipsec_stats(u_long off,const char * name,int af1 __unused,int proto __unused)205 ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused)
206 {
207 struct ipsecstat ipsecstat;
208
209 if (strcmp(name, "ipsec6") == 0) {
210 if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat,
211 sizeof(ipsecstat), kread_counters) != 0)
212 return;
213 } else {
214 if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat,
215 sizeof(ipsecstat), kread_counters) != 0)
216 return;
217 }
218
219 xo_emit("{T:/%s}:\n", name);
220
221 print_ipsecstats(&ipsecstat);
222 }
223
224
225 static void print_ahstats(const struct ahstat *ahstat);
226 static void print_espstats(const struct espstat *espstat);
227 static void print_ipcompstats(const struct ipcompstat *ipcompstat);
228
229 /*
230 * Dump IPSEC statistics structure.
231 */
232 static void
ipsec_hist_new(const uint64_t * hist,size_t histmax,const struct val2str * name,const char * title,const char * cname)233 ipsec_hist_new(const uint64_t *hist, size_t histmax,
234 const struct val2str *name, const char *title, const char *cname)
235 {
236 int first;
237 size_t proto;
238 const struct val2str *p;
239
240 first = 1;
241 for (proto = 0; proto < histmax; proto++) {
242 if (hist[proto] <= 0)
243 continue;
244 if (first) {
245 xo_open_list(cname);
246 xo_emit("\t{T:/%s histogram}:\n", title);
247 first = 0;
248 }
249 xo_open_instance(cname);
250 for (p = name; p && p->str; p++) {
251 if (p->val == (int)proto)
252 break;
253 }
254 if (p && p->str) {
255 xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str,
256 (uintmax_t)hist[proto]);
257 } else {
258 xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n",
259 (unsigned long)proto, (uintmax_t)hist[proto]);
260 }
261 xo_close_instance(cname);
262 }
263 if (!first)
264 xo_close_list(cname);
265 }
266
267 static void
print_ahstats(const struct ahstat * ahstat)268 print_ahstats(const struct ahstat *ahstat)
269 {
270 xo_open_container("ah-statictics");
271
272 #define p(f, n, m) if (ahstat->f || sflag <= 1) \
273 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \
274 (uintmax_t)ahstat->f, plural(ahstat->f))
275 #define hist(f, n, t, c) \
276 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c))
277
278 p(ahs_hdrops, "dropped-short-header",
279 "packet%s shorter than header shows");
280 p(ahs_nopf, "dropped-bad-protocol",
281 "packet%s dropped; protocol family not supported");
282 p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
283 p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
284 p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full");
285 p(ahs_noxform, "dropped-no-transform",
286 "packet%s dropped; no transform");
287 p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s");
288 p(ahs_badauth, "dropped-bad-auth",
289 "packet%s dropped; bad authentication detected");
290 p(ahs_badauthl, "dropped-bad-auth-level",
291 "packet%s dropped; bad authentication length");
292 p(ahs_replay, "possile-replay-detected",
293 "possible replay packet%s detected");
294 p(ahs_input, "received-packets", "packet%s in");
295 p(ahs_output, "send-packets", "packet%s out");
296 p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
297 p(ahs_ibytes, "received-bytes", "byte%s in");
298 p(ahs_obytes, "send-bytes", "byte%s out");
299 p(ahs_toobig, "dropped-too-large",
300 "packet%s dropped; larger than IP_MAXPACKET");
301 p(ahs_pdrops, "dropped-policy-violation",
302 "packet%s blocked due to policy");
303 p(ahs_crypto, "crypto-failures", "crypto processing failure%s");
304 p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s");
305 hist(ahstat->ahs_hist, ipsec_ahnames,
306 "AH output", "ah-output-histogram");
307
308 #undef p
309 #undef hist
310 xo_close_container("ah-statictics");
311 }
312
313 void
ah_stats(u_long off,const char * name,int family __unused,int proto __unused)314 ah_stats(u_long off, const char *name, int family __unused, int proto __unused)
315 {
316 struct ahstat ahstat;
317
318 if (fetch_stats("net.inet.ah.stats", off, &ahstat,
319 sizeof(ahstat), kread_counters) != 0)
320 return;
321
322 xo_emit("{T:/%s}:\n", name);
323
324 print_ahstats(&ahstat);
325 }
326
327 static void
print_espstats(const struct espstat * espstat)328 print_espstats(const struct espstat *espstat)
329 {
330 xo_open_container("esp-statictics");
331 #define p(f, n, m) if (espstat->f || sflag <= 1) \
332 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \
333 (uintmax_t)espstat->f, plural(espstat->f))
334 #define hist(f, n, t, c) \
335 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c));
336
337 p(esps_hdrops, "dropped-short-header",
338 "packet%s shorter than header shows");
339 p(esps_nopf, "dropped-bad-protocol",
340 "packet%s dropped; protocol family not supported");
341 p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
342 p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
343 p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full");
344 p(esps_noxform, "dropped-no-transform",
345 "packet%s dropped; no transform");
346 p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen");
347 p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s");
348 p(esps_badenc, "dropped-bad-crypto",
349 "packet%s dropped; bad encryption detected");
350 p(esps_badauth, "dropped-bad-auth",
351 "packet%s dropped; bad authentication detected");
352 p(esps_replay, "possible-replay-detected",
353 "possible replay packet%s detected");
354 p(esps_input, "received-packets", "packet%s in");
355 p(esps_output, "sent-packets", "packet%s out");
356 p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
357 p(esps_ibytes, "receieve-bytes", "byte%s in");
358 p(esps_obytes, "sent-bytes", "byte%s out");
359 p(esps_toobig, "dropped-too-large",
360 "packet%s dropped; larger than IP_MAXPACKET");
361 p(esps_pdrops, "dropped-policy-violation",
362 "packet%s blocked due to policy");
363 p(esps_crypto, "crypto-failures", "crypto processing failure%s");
364 p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s");
365 hist(espstat->esps_hist, ipsec_espnames,
366 "ESP output", "esp-output-histogram");
367
368 #undef p
369 #undef hist
370 xo_close_container("esp-statictics");
371 }
372
373 void
esp_stats(u_long off,const char * name,int family __unused,int proto __unused)374 esp_stats(u_long off, const char *name, int family __unused, int proto __unused)
375 {
376 struct espstat espstat;
377
378 if (fetch_stats("net.inet.esp.stats", off, &espstat,
379 sizeof(espstat), kread_counters) != 0)
380 return;
381
382 xo_emit("{T:/%s}:\n", name);
383
384 print_espstats(&espstat);
385 }
386
387 static void
print_ipcompstats(const struct ipcompstat * ipcompstat)388 print_ipcompstats(const struct ipcompstat *ipcompstat)
389 {
390 xo_open_container("ipcomp-statictics");
391
392 #define p(f, n, m) if (ipcompstat->f || sflag <= 1) \
393 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \
394 (uintmax_t)ipcompstat->f, plural(ipcompstat->f))
395 #define hist(f, n, t, c) \
396 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c));
397
398 p(ipcomps_hdrops, "dropped-short-header",
399 "packet%s shorter than header shows");
400 p(ipcomps_nopf, "dropped-bad-protocol",
401 "packet%s dropped; protocol family not supported");
402 p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
403 p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
404 p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full");
405 p(ipcomps_noxform, "dropped-no-transform",
406 "packet%s dropped; no transform");
407 p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s");
408 p(ipcomps_input, "receieve-packets", "packet%s in");
409 p(ipcomps_output, "sent-packets", "packet%s out");
410 p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
411 p(ipcomps_ibytes, "receieved-bytes", "byte%s in");
412 p(ipcomps_obytes, "sent-bytes", "byte%s out");
413 p(ipcomps_toobig, "dropped-too-large",
414 "packet%s dropped; larger than IP_MAXPACKET");
415 p(ipcomps_pdrops, "dropped-policy-violation",
416 "packet%s blocked due to policy");
417 p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s");
418 hist(ipcompstat->ipcomps_hist, ipsec_compnames,
419 "COMP output", "comp-output-histogram");
420 p(ipcomps_threshold, "sent-uncompressed-small-packets",
421 "packet%s sent uncompressed; size < compr. algo. threshold");
422 p(ipcomps_uncompr, "sent-uncompressed-useless-packets",
423 "packet%s sent uncompressed; compression was useless");
424
425 #undef p
426 #undef hist
427 xo_close_container("ipcomp-statictics");
428 }
429
430 void
ipcomp_stats(u_long off,const char * name,int family __unused,int proto __unused)431 ipcomp_stats(u_long off, const char *name, int family __unused,
432 int proto __unused)
433 {
434 struct ipcompstat ipcompstat;
435
436 if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat,
437 sizeof(ipcompstat), kread_counters) != 0)
438 return;
439
440 xo_emit("{T:/%s}:\n", name);
441
442 print_ipcompstats(&ipcompstat);
443 }
444
445 #endif /*IPSEC*/
446