1 /* $FreeBSD$ */ 2 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 3 4 /* 5 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 /* 31 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 32 * All rights reserved. 33 * 34 * Redistribution and use in source and binary forms, with or without 35 * modification, are permitted provided that the following conditions 36 * are met: 37 * 1. Redistributions of source code must retain the above copyright 38 * notice, this list of conditions and the following disclaimer. 39 * 2. Redistributions in binary form must reproduce the above copyright 40 * notice, this list of conditions and the following disclaimer in the 41 * documentation and/or other materials provided with the distribution. 42 * 3. Neither the name of the project nor the names of its contributors 43 * may be used to endorse or promote products derived from this software 44 * without specific prior written permission. 45 * 46 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 47 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 50 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56 * SUCH DAMAGE. 57 */ 58 59 /* 60 * Copyright (c) 1983, 1988, 1993 61 * The Regents of the University of California. All rights reserved. 62 * 63 * Redistribution and use in source and binary forms, with or without 64 * modification, are permitted provided that the following conditions 65 * are met: 66 * 1. Redistributions of source code must retain the above copyright 67 * notice, this list of conditions and the following disclaimer. 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in the 70 * documentation and/or other materials provided with the distribution. 71 * 3. All advertising materials mentioning features or use of this software 72 * must display the following acknowledgement: 73 * This product includes software developed by the University of 74 * California, Berkeley and its contributors. 75 * 4. Neither the name of the University nor the names of its contributors 76 * may be used to endorse or promote products derived from this software 77 * without specific prior written permission. 78 * 79 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 80 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 81 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 82 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 83 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 84 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 85 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 86 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 87 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 88 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 89 * SUCH DAMAGE. 90 */ 91 92 #if 0 93 #ifndef lint 94 static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; 95 #endif /* not lint */ 96 #endif 97 98 #include <sys/cdefs.h> 99 __FBSDID("$FreeBSD$"); 100 101 #include <sys/param.h> 102 #include <sys/queue.h> 103 #include <sys/socket.h> 104 #include <sys/socketvar.h> 105 106 #include <netinet/in.h> 107 108 #ifdef IPSEC 109 #include <netipsec/ipsec.h> 110 #include <netipsec/ah_var.h> 111 #include <netipsec/esp_var.h> 112 #include <netipsec/ipcomp_var.h> 113 #endif 114 115 #include <stdint.h> 116 #include <stdio.h> 117 #include <string.h> 118 #include <unistd.h> 119 #include "netstat.h" 120 121 #ifdef IPSEC 122 struct val2str { 123 int val; 124 const char *str; 125 }; 126 127 static struct val2str ipsec_ahnames[] = { 128 { SADB_AALG_NONE, "none", }, 129 { SADB_AALG_MD5HMAC, "hmac-md5", }, 130 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 131 { SADB_X_AALG_MD5, "md5", }, 132 { SADB_X_AALG_SHA, "sha", }, 133 { SADB_X_AALG_NULL, "null", }, 134 #ifdef SADB_X_AALG_SHA2_256 135 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 136 #endif 137 #ifdef SADB_X_AALG_SHA2_384 138 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 139 #endif 140 #ifdef SADB_X_AALG_SHA2_512 141 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 142 #endif 143 #ifdef SADB_X_AALG_RIPEMD160HMAC 144 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, 145 #endif 146 #ifdef SADB_X_AALG_AES_XCBC_MAC 147 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 148 #endif 149 { -1, NULL }, 150 }; 151 152 static struct val2str ipsec_espnames[] = { 153 { SADB_EALG_NONE, "none", }, 154 { SADB_EALG_DESCBC, "des-cbc", }, 155 { SADB_EALG_3DESCBC, "3des-cbc", }, 156 { SADB_EALG_NULL, "null", }, 157 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 158 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 159 #ifdef SADB_X_EALG_RIJNDAELCBC 160 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, 161 #endif 162 #ifdef SADB_X_EALG_AESCTR 163 { SADB_X_EALG_AESCTR, "aes-ctr", }, 164 #endif 165 { -1, NULL }, 166 }; 167 168 static struct val2str ipsec_compnames[] = { 169 { SADB_X_CALG_NONE, "none", }, 170 { SADB_X_CALG_OUI, "oui", }, 171 { SADB_X_CALG_DEFLATE, "deflate", }, 172 { SADB_X_CALG_LZS, "lzs", }, 173 { -1, NULL }, 174 }; 175 176 static void ipsec_hist(const u_quad_t *hist, size_t histmax, 177 const struct val2str *name, const char *title); 178 static void print_ipsecstats(const struct ipsecstat *ipsecstat); 179 180 181 /* 182 * Dump IPSEC statistics structure. 183 */ 184 static void 185 ipsec_hist(const u_quad_t *hist, size_t histmax, const struct val2str *name, 186 const char *title) 187 { 188 int first; 189 size_t proto; 190 const struct val2str *p; 191 192 first = 1; 193 for (proto = 0; proto < histmax; proto++) { 194 if (hist[proto] <= 0) 195 continue; 196 if (first) { 197 printf("\t%s histogram:\n", title); 198 first = 0; 199 } 200 for (p = name; p && p->str; p++) { 201 if (p->val == (int)proto) 202 break; 203 } 204 if (p && p->str) { 205 printf("\t\t%s: %ju\n", p->str, (uintmax_t)hist[proto]); 206 } else { 207 printf("\t\t#%ld: %ju\n", (long)proto, 208 (uintmax_t)hist[proto]); 209 } 210 } 211 } 212 213 static void 214 print_ipsecstats(const struct ipsecstat *ipsecstat) 215 { 216 #define p(f, m) if (ipsecstat->f || sflag <= 1) \ 217 printf(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) 218 #define pes(f, m) if (ipsecstat->f || sflag <= 1) \ 219 printf(m, (uintmax_t)ipsecstat->f, plurales(ipsecstat->f)) 220 #define hist(f, n, t) \ 221 ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t)); 222 223 p(in_success, "\t%ju inbound packet%s processed successfully\n"); 224 p(in_polvio, "\t%ju inbound packet%s violated process security " 225 "policy\n"); 226 p(in_nosa, "\t%ju inbound packet%s with no SA available\n"); 227 p(in_inval, "\t%ju invalid inbound packet%s\n"); 228 p(in_nomem, "\t%ju inbound packet%s failed due to insufficient memory\n"); 229 p(in_badspi, "\t%ju inbound packet%s failed getting SPI\n"); 230 p(in_ahreplay, "\t%ju inbound packet%s failed on AH replay check\n"); 231 p(in_espreplay, "\t%ju inbound packet%s failed on ESP replay check\n"); 232 p(in_ahauthsucc, "\t%ju inbound packet%s considered authentic\n"); 233 p(in_ahauthfail, "\t%ju inbound packet%s failed on authentication\n"); 234 hist(ipsecstat->in_ahhist, ipsec_ahnames, "AH input"); 235 hist(ipsecstat->in_esphist, ipsec_espnames, "ESP input"); 236 hist(ipsecstat->in_comphist, ipsec_compnames, "IPComp input"); 237 238 p(out_success, "\t%ju outbound packet%s processed successfully\n"); 239 p(out_polvio, "\t%ju outbound packet%s violated process security " 240 "policy\n"); 241 p(out_nosa, "\t%ju outbound packet%s with no SA available\n"); 242 p(out_inval, "\t%ju invalid outbound packet%s\n"); 243 p(out_nomem, "\t%ju outbound packet%s failed due to insufficient memory\n"); 244 p(out_noroute, "\t%ju outbound packet%s with no route\n"); 245 hist(ipsecstat->out_ahhist, ipsec_ahnames, "AH output"); 246 hist(ipsecstat->out_esphist, ipsec_espnames, "ESP output"); 247 hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output"); 248 p(spdcachelookup, "\t%ju SPD cache lookup%s\n"); 249 pes(spdcachemiss, "\t%ju SPD cache miss%s\n"); 250 #undef pes 251 #undef hist 252 p(ips_in_polvio, "\t%ju inbound packet%s violated process " 253 "security policy\n"); 254 p(ips_out_polvio, "\t%ju outbound packet%s violated process " 255 "security policy\n"); 256 p(ips_out_nosa, "\t%ju outbound packet%s with no SA available\n"); 257 p(ips_out_nomem, "\t%ju outbound packet%s failed due to " 258 "insufficient memory\n"); 259 p(ips_out_noroute, "\t%ju outbound packet%s with no route " 260 "available\n"); 261 p(ips_out_inval, "\t%ju invalid outbound packet%s\n"); 262 p(ips_out_bundlesa, "\t%ju outbound packet%s with bundled SAs\n"); 263 p(ips_mbcoalesced, "\t%ju mbuf%s coalesced during clone\n"); 264 p(ips_clcoalesced, "\t%ju cluster%s coalesced during clone\n"); 265 p(ips_clcopied, "\t%ju cluster%s copied during clone\n"); 266 p(ips_mbinserted, "\t%ju mbuf%s inserted during makespace\n"); 267 #undef p 268 } 269 270 void 271 ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) 272 { 273 struct ipsecstat ipsecstat; 274 275 if (off == 0) 276 return; 277 printf ("%s:\n", name); 278 kread(off, (char *)&ipsecstat, sizeof(ipsecstat)); 279 280 print_ipsecstats(&ipsecstat); 281 } 282 283 284 static void ipsec_hist_new(const u_int32_t *hist, size_t histmax, 285 const struct val2str *name, const char *title); 286 static void print_ahstats(const struct ahstat *ahstat); 287 static void print_espstats(const struct espstat *espstat); 288 static void print_ipcompstats(const struct ipcompstat *ipcompstat); 289 290 /* 291 * Dump IPSEC statistics structure. 292 */ 293 static void 294 ipsec_hist_new(const u_int32_t *hist, size_t histmax, 295 const struct val2str *name, const char *title) 296 { 297 int first; 298 size_t proto; 299 const struct val2str *p; 300 301 first = 1; 302 for (proto = 0; proto < histmax; proto++) { 303 if (hist[proto] <= 0) 304 continue; 305 if (first) { 306 printf("\t%s histogram:\n", title); 307 first = 0; 308 } 309 for (p = name; p && p->str; p++) { 310 if (p->val == (int)proto) 311 break; 312 } 313 if (p && p->str) { 314 printf("\t\t%s: %u\n", p->str, hist[proto]); 315 } else { 316 printf("\t\t#%lu: %u\n", (unsigned long)proto, 317 hist[proto]); 318 } 319 } 320 } 321 322 static void 323 print_ahstats(const struct ahstat *ahstat) 324 { 325 #define p32(f, m) if (ahstat->f || sflag <= 1) \ 326 printf("\t%u" m, (unsigned int)ahstat->f, plural(ahstat->f)) 327 #define p64(f, m) if (ahstat->f || sflag <= 1) \ 328 printf("\t%ju" m, (uintmax_t)ahstat->f, plural(ahstat->f)) 329 #define hist(f, n, t) \ 330 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 331 332 p32(ahs_hdrops, " packet%s shorter than header shows\n"); 333 p32(ahs_nopf, " packet%s dropped; protocol family not supported\n"); 334 p32(ahs_notdb, " packet%s dropped; no TDB\n"); 335 p32(ahs_badkcr, " packet%s dropped; bad KCR\n"); 336 p32(ahs_qfull, " packet%s dropped; queue full\n"); 337 p32(ahs_noxform, " packet%s dropped; no transform\n"); 338 p32(ahs_wrap, " replay counter wrap%s\n"); 339 p32(ahs_badauth, " packet%s dropped; bad authentication detected\n"); 340 p32(ahs_badauthl, " packet%s dropped; bad authentication length\n"); 341 p32(ahs_replay, " possible replay packet%s detected\n"); 342 p32(ahs_input, " packet%s in\n"); 343 p32(ahs_output, " packet%s out\n"); 344 p32(ahs_invalid, " packet%s dropped; invalid TDB\n"); 345 p64(ahs_ibytes, " byte%s in\n"); 346 p64(ahs_obytes, " byte%s out\n"); 347 p32(ahs_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 348 p32(ahs_pdrops, " packet%s blocked due to policy\n"); 349 p32(ahs_crypto, " crypto processing failure%s\n"); 350 p32(ahs_tunnel, " tunnel sanity check failure%s\n"); 351 hist(ahstat->ahs_hist, ipsec_ahnames, "AH output"); 352 353 #undef p32 354 #undef p64 355 #undef hist 356 } 357 358 void 359 ah_stats(u_long off, const char *name, int family __unused, int proto __unused) 360 { 361 struct ahstat ahstat; 362 363 if (off == 0) 364 return; 365 printf ("%s:\n", name); 366 kread(off, (char *)&ahstat, sizeof(ahstat)); 367 368 print_ahstats(&ahstat); 369 } 370 371 static void 372 print_espstats(const struct espstat *espstat) 373 { 374 #define p32(f, m) if (espstat->f || sflag <= 1) \ 375 printf("\t%u" m, (unsigned int)espstat->f, plural(espstat->f)) 376 #define p64(f, m) if (espstat->f || sflag <= 1) \ 377 printf("\t%ju" m, (uintmax_t)espstat->f, plural(espstat->f)) 378 #define hist(f, n, t) \ 379 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 380 381 p32(esps_hdrops, " packet%s shorter than header shows\n"); 382 p32(esps_nopf, " packet%s dropped; protocol family not supported\n"); 383 p32(esps_notdb, " packet%s dropped; no TDB\n"); 384 p32(esps_badkcr, " packet%s dropped; bad KCR\n"); 385 p32(esps_qfull, " packet%s dropped; queue full\n"); 386 p32(esps_noxform, " packet%s dropped; no transform\n"); 387 p32(esps_badilen, " packet%s dropped; bad ilen\n"); 388 p32(esps_wrap, " replay counter wrap%s\n"); 389 p32(esps_badenc, " packet%s dropped; bad encryption detected\n"); 390 p32(esps_badauth, " packet%s dropped; bad authentication detected\n"); 391 p32(esps_replay, " possible replay packet%s detected\n"); 392 p32(esps_input, " packet%s in\n"); 393 p32(esps_output, " packet%s out\n"); 394 p32(esps_invalid, " packet%s dropped; invalid TDB\n"); 395 p64(esps_ibytes, " byte%s in\n"); 396 p64(esps_obytes, " byte%s out\n"); 397 p32(esps_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 398 p32(esps_pdrops, " packet%s blocked due to policy\n"); 399 p32(esps_crypto, " crypto processing failure%s\n"); 400 p32(esps_tunnel, " tunnel sanity check failure%s\n"); 401 hist(espstat->esps_hist, ipsec_espnames, "ESP output"); 402 403 #undef p32 404 #undef p64 405 #undef hist 406 } 407 408 void 409 esp_stats(u_long off, const char *name, int family __unused, int proto __unused) 410 { 411 struct espstat espstat; 412 413 if (off == 0) 414 return; 415 printf ("%s:\n", name); 416 kread(off, (char *)&espstat, sizeof(espstat)); 417 418 print_espstats(&espstat); 419 } 420 421 static void 422 print_ipcompstats(const struct ipcompstat *ipcompstat) 423 { 424 #define p32(f, m) if (ipcompstat->f || sflag <= 1) \ 425 printf("\t%u" m, (unsigned int)ipcompstat->f, plural(ipcompstat->f)) 426 #define p64(f, m) if (ipcompstat->f || sflag <= 1) \ 427 printf("\t%ju" m, (uintmax_t)ipcompstat->f, plural(ipcompstat->f)) 428 #define hist(f, n, t) \ 429 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 430 431 p32(ipcomps_hdrops, " packet%s shorter than header shows\n"); 432 p32(ipcomps_nopf, " packet%s dropped; protocol family not supported\n"); 433 p32(ipcomps_notdb, " packet%s dropped; no TDB\n"); 434 p32(ipcomps_badkcr, " packet%s dropped; bad KCR\n"); 435 p32(ipcomps_qfull, " packet%s dropped; queue full\n"); 436 p32(ipcomps_noxform, " packet%s dropped; no transform\n"); 437 p32(ipcomps_wrap, " replay counter wrap%s\n"); 438 p32(ipcomps_input, " packet%s in\n"); 439 p32(ipcomps_output, " packet%s out\n"); 440 p32(ipcomps_invalid, " packet%s dropped; invalid TDB\n"); 441 p64(ipcomps_ibytes, " byte%s in\n"); 442 p64(ipcomps_obytes, " byte%s out\n"); 443 p32(ipcomps_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 444 p32(ipcomps_pdrops, " packet%s blocked due to policy\n"); 445 p32(ipcomps_crypto, " crypto processing failure%s\n"); 446 hist(ipcompstat->ipcomps_hist, ipsec_compnames, "COMP output"); 447 448 #undef p32 449 #undef p64 450 #undef hist 451 } 452 453 void 454 ipcomp_stats(u_long off, const char *name, int family __unused, 455 int proto __unused) 456 { 457 struct ipcompstat ipcompstat; 458 459 if (off == 0) 460 return; 461 printf ("%s:\n", name); 462 kread(off, (char *)&ipcompstat, sizeof(ipcompstat)); 463 464 print_ipcompstats(&ipcompstat); 465 } 466 467 #endif /*IPSEC*/ 468