1 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 /*- 31 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 32 * All rights reserved. 33 * 34 * Redistribution and use in source and binary forms, with or without 35 * modification, are permitted provided that the following conditions 36 * are met: 37 * 1. Redistributions of source code must retain the above copyright 38 * notice, this list of conditions and the following disclaimer. 39 * 2. Redistributions in binary form must reproduce the above copyright 40 * notice, this list of conditions and the following disclaimer in the 41 * documentation and/or other materials provided with the distribution. 42 * 3. Neither the name of the project nor the names of its contributors 43 * may be used to endorse or promote products derived from this software 44 * without specific prior written permission. 45 * 46 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 47 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 50 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56 * SUCH DAMAGE. 57 */ 58 /*- 59 * Copyright (c) 1983, 1988, 1993 60 * The Regents of the University of California. All rights reserved. 61 * 62 * Redistribution and use in source and binary forms, with or without 63 * modification, are permitted provided that the following conditions 64 * are met: 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in the 69 * documentation and/or other materials provided with the distribution. 70 * 3. Neither the name of the University nor the names of its contributors 71 * may be used to endorse or promote products derived from this software 72 * without specific prior written permission. 73 * 74 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 75 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 76 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 77 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 78 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 79 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 80 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 81 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 82 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 83 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 84 * SUCH DAMAGE. 85 */ 86 87 #if 0 88 #endif 89 90 #include <sys/cdefs.h> 91 #include <sys/param.h> 92 #include <sys/queue.h> 93 #include <sys/socket.h> 94 #include <sys/socketvar.h> 95 96 #include <netinet/in.h> 97 98 #ifdef IPSEC 99 #include <netipsec/ipsec.h> 100 #include <netipsec/ah_var.h> 101 #include <netipsec/esp_var.h> 102 #include <netipsec/ipcomp_var.h> 103 #endif 104 105 #include <stdint.h> 106 #include <stdio.h> 107 #include <stdbool.h> 108 #include <string.h> 109 #include <unistd.h> 110 #include <libxo/xo.h> 111 #include "netstat.h" 112 113 #ifdef IPSEC 114 struct val2str { 115 int val; 116 const char *str; 117 }; 118 119 static struct val2str ipsec_ahnames[] = { 120 { SADB_AALG_NONE, "none", }, 121 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 122 { SADB_X_AALG_NULL, "null", }, 123 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 124 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 125 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 126 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 127 { SADB_X_AALG_TCP_MD5, "tcp-md5", }, 128 { SADB_X_AALG_AES128GMAC, "aes-gmac-128", }, 129 { SADB_X_AALG_AES192GMAC, "aes-gmac-192", }, 130 { SADB_X_AALG_AES256GMAC, "aes-gmac-256", }, 131 { -1, NULL }, 132 }; 133 134 static struct val2str ipsec_espnames[] = { 135 { SADB_EALG_NONE, "none", }, 136 { SADB_EALG_NULL, "null", }, 137 { SADB_X_EALG_AESCBC, "aes-cbc", }, 138 { SADB_X_EALG_AESCTR, "aes-ctr", }, 139 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 140 { SADB_X_EALG_AESGMAC, "aes-gmac", }, 141 { -1, NULL }, 142 }; 143 144 static struct val2str ipsec_compnames[] = { 145 { SADB_X_CALG_NONE, "none", }, 146 { SADB_X_CALG_OUI, "oui", }, 147 { SADB_X_CALG_DEFLATE, "deflate", }, 148 { SADB_X_CALG_LZS, "lzs", }, 149 { -1, NULL }, 150 }; 151 152 static void 153 print_ipsecstats(const char *tag, const struct ipsecstat *ipsecstat) 154 { 155 xo_open_container(tag); 156 157 #define p(f, m) if (ipsecstat->f || sflag <= 1) \ 158 xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) 159 #define p2(f, m) if (ipsecstat->f || sflag <= 1) \ 160 xo_emit(m, (uintmax_t)ipsecstat->f, plurales(ipsecstat->f)) 161 162 p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} " 163 "{N:/inbound packet%s violated process security policy}\n"); 164 p(ips_in_nomem, "\t{:dropped-no-memory/%ju} " 165 "{N:/inbound packet%s failed due to insufficient memory}\n"); 166 p(ips_in_inval, "\t{:dropped-invalid/%ju} " 167 "{N:/invalid inbound packet%s}\n"); 168 p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} " 169 "{N:/outbound packet%s violated process security policy}\n"); 170 p(ips_out_nosa, "\t{:discarded-no-sa/%ju} " 171 "{N:/outbound packet%s with no SA available}\n"); 172 p(ips_out_nomem, "\t{:discarded-no-memory/%ju} " 173 "{N:/outbound packet%s failed due to insufficient memory}\n"); 174 p(ips_out_noroute, "\t{:discarded-no-route/%ju} " 175 "{N:/outbound packet%s with no route available}\n"); 176 p(ips_out_inval, "\t{:discarded-invalid/%ju} " 177 "{N:/invalid outbound packet%s}\n"); 178 p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} " 179 "{N:/outbound packet%s with bundled SAs}\n"); 180 p(ips_spdcache_hits, "\t{:spdcache-hits/%ju} " 181 "{N:/spd cache hit%s}\n"); 182 p2(ips_spdcache_misses, "\t{:spdcache-misses/%ju} " 183 "{N:/spd cache miss%s}\n"); 184 p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} " 185 "{N:/cluster%s copied during clone}\n"); 186 p(ips_mbinserted, "\t{:mbufs-inserted/%ju} " 187 "{N:/mbuf%s inserted during makespace}\n"); 188 #undef p2 189 #undef p 190 xo_close_container(tag); 191 } 192 193 void 194 ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) 195 { 196 struct ipsecstat ipsecstat; 197 const char *tag; 198 199 if (strcmp(name, "ipsec6") == 0) { 200 if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat, 201 sizeof(ipsecstat), kread_counters) != 0) 202 return; 203 tag = "ipsec6-statistics"; 204 } else { 205 if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat, 206 sizeof(ipsecstat), kread_counters) != 0) 207 return; 208 tag = "ipsec-statistics"; 209 } 210 211 xo_emit("{T:/%s}:\n", name); 212 213 print_ipsecstats(tag, &ipsecstat); 214 } 215 216 217 static void print_ahstats(const struct ahstat *ahstat); 218 static void print_espstats(const struct espstat *espstat); 219 static void print_ipcompstats(const struct ipcompstat *ipcompstat); 220 221 /* 222 * Dump IPSEC statistics structure. 223 */ 224 static void 225 ipsec_hist_new(const uint64_t *hist, size_t histmax, 226 const struct val2str *name, const char *title, const char *cname) 227 { 228 int first; 229 size_t proto; 230 const struct val2str *p; 231 232 first = 1; 233 for (proto = 0; proto < histmax; proto++) { 234 if (hist[proto] <= 0) 235 continue; 236 if (first) { 237 xo_open_list(cname); 238 xo_emit("\t{T:/%s histogram}:\n", title); 239 first = 0; 240 } 241 xo_open_instance(cname); 242 for (p = name; p && p->str; p++) { 243 if (p->val == (int)proto) 244 break; 245 } 246 if (p && p->str) { 247 xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str, 248 (uintmax_t)hist[proto]); 249 } else { 250 xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n", 251 (unsigned long)proto, (uintmax_t)hist[proto]); 252 } 253 xo_close_instance(cname); 254 } 255 if (!first) 256 xo_close_list(cname); 257 } 258 259 static void 260 print_ahstats(const struct ahstat *ahstat) 261 { 262 xo_open_container("ah-statictics"); 263 264 #define p(f, n, m) if (ahstat->f || sflag <= 1) \ 265 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 266 (uintmax_t)ahstat->f, plural(ahstat->f)) 267 #define hist(f, n, t, c) \ 268 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)) 269 270 p(ahs_hdrops, "dropped-short-header", 271 "packet%s shorter than header shows"); 272 p(ahs_nopf, "dropped-bad-protocol", 273 "packet%s dropped; protocol family not supported"); 274 p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 275 p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 276 p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 277 p(ahs_noxform, "dropped-no-transform", 278 "packet%s dropped; no transform"); 279 p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s"); 280 p(ahs_badauth, "dropped-bad-auth", 281 "packet%s dropped; bad authentication detected"); 282 p(ahs_badauthl, "dropped-bad-auth-level", 283 "packet%s dropped; bad authentication length"); 284 p(ahs_replay, "possile-replay-detected", 285 "possible replay packet%s detected"); 286 p(ahs_input, "received-packets", "packet%s in"); 287 p(ahs_output, "send-packets", "packet%s out"); 288 p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 289 p(ahs_ibytes, "received-bytes", "byte%s in"); 290 p(ahs_obytes, "send-bytes", "byte%s out"); 291 p(ahs_toobig, "dropped-too-large", 292 "packet%s dropped; larger than IP_MAXPACKET"); 293 p(ahs_pdrops, "dropped-policy-violation", 294 "packet%s blocked due to policy"); 295 p(ahs_crypto, "crypto-failures", "crypto processing failure%s"); 296 p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 297 hist(ahstat->ahs_hist, ipsec_ahnames, 298 "AH output", "ah-output-histogram"); 299 300 #undef p 301 #undef hist 302 xo_close_container("ah-statictics"); 303 } 304 305 void 306 ah_stats(u_long off, const char *name, int family __unused, int proto __unused) 307 { 308 struct ahstat ahstat; 309 310 if (fetch_stats("net.inet.ah.stats", off, &ahstat, 311 sizeof(ahstat), kread_counters) != 0) 312 return; 313 314 xo_emit("{T:/%s}:\n", name); 315 316 print_ahstats(&ahstat); 317 } 318 319 static void 320 print_espstats(const struct espstat *espstat) 321 { 322 xo_open_container("esp-statictics"); 323 #define p(f, n, m) if (espstat->f || sflag <= 1) \ 324 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 325 (uintmax_t)espstat->f, plural(espstat->f)) 326 #define hist(f, n, t, c) \ 327 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 328 329 p(esps_hdrops, "dropped-short-header", 330 "packet%s shorter than header shows"); 331 p(esps_nopf, "dropped-bad-protocol", 332 "packet%s dropped; protocol family not supported"); 333 p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 334 p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 335 p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 336 p(esps_noxform, "dropped-no-transform", 337 "packet%s dropped; no transform"); 338 p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen"); 339 p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 340 p(esps_badenc, "dropped-bad-crypto", 341 "packet%s dropped; bad encryption detected"); 342 p(esps_badauth, "dropped-bad-auth", 343 "packet%s dropped; bad authentication detected"); 344 p(esps_replay, "possible-replay-detected", 345 "possible replay packet%s detected"); 346 p(esps_input, "received-packets", "packet%s in"); 347 p(esps_output, "sent-packets", "packet%s out"); 348 p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 349 p(esps_ibytes, "receive-bytes", "byte%s in"); 350 p(esps_obytes, "sent-bytes", "byte%s out"); 351 p(esps_toobig, "dropped-too-large", 352 "packet%s dropped; larger than IP_MAXPACKET"); 353 p(esps_pdrops, "dropped-policy-violation", 354 "packet%s blocked due to policy"); 355 p(esps_crypto, "crypto-failures", "crypto processing failure%s"); 356 p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 357 hist(espstat->esps_hist, ipsec_espnames, 358 "ESP output", "esp-output-histogram"); 359 360 #undef p 361 #undef hist 362 xo_close_container("esp-statictics"); 363 } 364 365 void 366 esp_stats(u_long off, const char *name, int family __unused, int proto __unused) 367 { 368 struct espstat espstat; 369 370 if (fetch_stats("net.inet.esp.stats", off, &espstat, 371 sizeof(espstat), kread_counters) != 0) 372 return; 373 374 xo_emit("{T:/%s}:\n", name); 375 376 print_espstats(&espstat); 377 } 378 379 static void 380 print_ipcompstats(const struct ipcompstat *ipcompstat) 381 { 382 xo_open_container("ipcomp-statictics"); 383 384 #define p(f, n, m) if (ipcompstat->f || sflag <= 1) \ 385 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 386 (uintmax_t)ipcompstat->f, plural(ipcompstat->f)) 387 #define hist(f, n, t, c) \ 388 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 389 390 p(ipcomps_hdrops, "dropped-short-header", 391 "packet%s shorter than header shows"); 392 p(ipcomps_nopf, "dropped-bad-protocol", 393 "packet%s dropped; protocol family not supported"); 394 p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 395 p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 396 p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 397 p(ipcomps_noxform, "dropped-no-transform", 398 "packet%s dropped; no transform"); 399 p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 400 p(ipcomps_input, "receive-packets", "packet%s in"); 401 p(ipcomps_output, "sent-packets", "packet%s out"); 402 p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 403 p(ipcomps_ibytes, "received-bytes", "byte%s in"); 404 p(ipcomps_obytes, "sent-bytes", "byte%s out"); 405 p(ipcomps_toobig, "dropped-too-large", 406 "packet%s dropped; larger than IP_MAXPACKET"); 407 p(ipcomps_pdrops, "dropped-policy-violation", 408 "packet%s blocked due to policy"); 409 p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s"); 410 hist(ipcompstat->ipcomps_hist, ipsec_compnames, 411 "COMP output", "comp-output-histogram"); 412 p(ipcomps_threshold, "sent-uncompressed-small-packets", 413 "packet%s sent uncompressed; size < compr. algo. threshold"); 414 p(ipcomps_uncompr, "sent-uncompressed-useless-packets", 415 "packet%s sent uncompressed; compression was useless"); 416 417 #undef p 418 #undef hist 419 xo_close_container("ipcomp-statictics"); 420 } 421 422 void 423 ipcomp_stats(u_long off, const char *name, int family __unused, 424 int proto __unused) 425 { 426 struct ipcompstat ipcompstat; 427 428 if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat, 429 sizeof(ipcompstat), kread_counters) != 0) 430 return; 431 432 xo_emit("{T:/%s}:\n", name); 433 434 print_ipcompstats(&ipcompstat); 435 } 436 437 #endif /*IPSEC*/ 438