1 /* $FreeBSD$ */ 2 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 3 4 /* 5 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 /* 31 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 32 * All rights reserved. 33 * 34 * Redistribution and use in source and binary forms, with or without 35 * modification, are permitted provided that the following conditions 36 * are met: 37 * 1. Redistributions of source code must retain the above copyright 38 * notice, this list of conditions and the following disclaimer. 39 * 2. Redistributions in binary form must reproduce the above copyright 40 * notice, this list of conditions and the following disclaimer in the 41 * documentation and/or other materials provided with the distribution. 42 * 3. Neither the name of the project nor the names of its contributors 43 * may be used to endorse or promote products derived from this software 44 * without specific prior written permission. 45 * 46 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 47 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 50 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56 * SUCH DAMAGE. 57 */ 58 59 /* 60 * Copyright (c) 1983, 1988, 1993 61 * The Regents of the University of California. All rights reserved. 62 * 63 * Redistribution and use in source and binary forms, with or without 64 * modification, are permitted provided that the following conditions 65 * are met: 66 * 1. Redistributions of source code must retain the above copyright 67 * notice, this list of conditions and the following disclaimer. 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in the 70 * documentation and/or other materials provided with the distribution. 71 * 3. All advertising materials mentioning features or use of this software 72 * must display the following acknowledgement: 73 * This product includes software developed by the University of 74 * California, Berkeley and its contributors. 75 * 4. Neither the name of the University nor the names of its contributors 76 * may be used to endorse or promote products derived from this software 77 * without specific prior written permission. 78 * 79 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 80 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 81 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 82 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 83 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 84 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 85 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 86 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 87 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 88 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 89 * SUCH DAMAGE. 90 */ 91 92 #if 0 93 #ifndef lint 94 static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; 95 #endif /* not lint */ 96 #endif 97 98 #include <sys/cdefs.h> 99 __FBSDID("$FreeBSD$"); 100 101 #include <sys/param.h> 102 #include <sys/queue.h> 103 #include <sys/socket.h> 104 105 #include <netinet/in.h> 106 107 #if defined(IPSEC) && !defined(FAST_IPSEC) 108 #include <netinet6/ipsec.h> 109 #endif 110 111 #ifdef FAST_IPSEC 112 #include <netipsec/ipsec.h> 113 #include <netipsec/ah_var.h> 114 #include <netipsec/esp_var.h> 115 #include <netipsec/ipcomp_var.h> 116 #endif 117 118 #include <stdio.h> 119 #include <string.h> 120 #include <unistd.h> 121 #include "netstat.h" 122 123 #ifdef IPSEC 124 struct val2str { 125 int val; 126 const char *str; 127 }; 128 129 static struct val2str ipsec_ahnames[] = { 130 { SADB_AALG_NONE, "none", }, 131 { SADB_AALG_MD5HMAC, "hmac-md5", }, 132 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 133 { SADB_X_AALG_MD5, "md5", }, 134 { SADB_X_AALG_SHA, "sha", }, 135 { SADB_X_AALG_NULL, "null", }, 136 #ifdef SADB_X_AALG_SHA2_256 137 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 138 #endif 139 #ifdef SADB_X_AALG_SHA2_384 140 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 141 #endif 142 #ifdef SADB_X_AALG_SHA2_512 143 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 144 #endif 145 #ifdef SADB_X_AALG_RIPEMD160HMAC 146 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, 147 #endif 148 #ifdef SADB_X_AALG_AES_XCBC_MAC 149 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 150 #endif 151 { -1, NULL }, 152 }; 153 154 static struct val2str ipsec_espnames[] = { 155 { SADB_EALG_NONE, "none", }, 156 { SADB_EALG_DESCBC, "des-cbc", }, 157 { SADB_EALG_3DESCBC, "3des-cbc", }, 158 { SADB_EALG_NULL, "null", }, 159 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 160 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 161 #ifdef SADB_X_EALG_RIJNDAELCBC 162 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, 163 #endif 164 #ifdef SADB_X_EALG_AESCTR 165 { SADB_X_EALG_AESCTR, "aes-ctr", }, 166 #endif 167 { -1, NULL }, 168 }; 169 170 static struct val2str ipsec_compnames[] = { 171 { SADB_X_CALG_NONE, "none", }, 172 { SADB_X_CALG_OUI, "oui", }, 173 { SADB_X_CALG_DEFLATE, "deflate", }, 174 { SADB_X_CALG_LZS, "lzs", }, 175 { -1, NULL }, 176 }; 177 178 static void ipsec_hist(const u_quad_t *hist, size_t histmax, 179 const struct val2str *name, const char *title); 180 static void print_ipsecstats(const struct ipsecstat *ipsecstat); 181 182 183 /* 184 * Dump IPSEC statistics structure. 185 */ 186 static void 187 ipsec_hist(const u_quad_t *hist, size_t histmax, const struct val2str *name, 188 const char *title) 189 { 190 int first; 191 size_t proto; 192 const struct val2str *p; 193 194 first = 1; 195 for (proto = 0; proto < histmax; proto++) { 196 if (hist[proto] <= 0) 197 continue; 198 if (first) { 199 printf("\t%s histogram:\n", title); 200 first = 0; 201 } 202 for (p = name; p && p->str; p++) { 203 if (p->val == (int)proto) 204 break; 205 } 206 if (p && p->str) { 207 printf("\t\t%s: %llu\n", p->str, (unsigned long long)hist[proto]); 208 } else { 209 printf("\t\t#%ld: %llu\n", (long)proto, 210 (unsigned long long)hist[proto]); 211 } 212 } 213 } 214 215 static void 216 print_ipsecstats(const struct ipsecstat *ipsecstat) 217 { 218 #define p(f, m) if (ipsecstat->f || sflag <= 1) \ 219 printf(m, (unsigned long long)ipsecstat->f, plural(ipsecstat->f)) 220 #define pes(f, m) if (ipsecstat->f || sflag <= 1) \ 221 printf(m, (unsigned long long)ipsecstat->f, plurales(ipsecstat->f)) 222 #define hist(f, n, t) \ 223 ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t)); 224 225 p(in_success, "\t%llu inbound packet%s processed successfully\n"); 226 p(in_polvio, "\t%llu inbound packet%s violated process security " 227 "policy\n"); 228 p(in_nosa, "\t%llu inbound packet%s with no SA available\n"); 229 p(in_inval, "\t%llu invalid inbound packet%s\n"); 230 p(in_nomem, "\t%llu inbound packet%s failed due to insufficient memory\n"); 231 p(in_badspi, "\t%llu inbound packet%s failed getting SPI\n"); 232 p(in_ahreplay, "\t%llu inbound packet%s failed on AH replay check\n"); 233 p(in_espreplay, "\t%llu inbound packet%s failed on ESP replay check\n"); 234 p(in_ahauthsucc, "\t%llu inbound packet%s considered authentic\n"); 235 p(in_ahauthfail, "\t%llu inbound packet%s failed on authentication\n"); 236 hist(ipsecstat->in_ahhist, ipsec_ahnames, "AH input"); 237 hist(ipsecstat->in_esphist, ipsec_espnames, "ESP input"); 238 hist(ipsecstat->in_comphist, ipsec_compnames, "IPComp input"); 239 240 p(out_success, "\t%llu outbound packet%s processed successfully\n"); 241 p(out_polvio, "\t%llu outbound packet%s violated process security " 242 "policy\n"); 243 p(out_nosa, "\t%llu outbound packet%s with no SA available\n"); 244 p(out_inval, "\t%llu invalid outbound packet%s\n"); 245 p(out_nomem, "\t%llu outbound packet%s failed due to insufficient memory\n"); 246 p(out_noroute, "\t%llu outbound packet%s with no route\n"); 247 hist(ipsecstat->out_ahhist, ipsec_ahnames, "AH output"); 248 hist(ipsecstat->out_esphist, ipsec_espnames, "ESP output"); 249 hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output"); 250 p(spdcachelookup, "\t%llu SPD cache lookup%s\n"); 251 pes(spdcachemiss, "\t%llu SPD cache miss%s\n"); 252 #undef p 253 #undef pes 254 #undef hist 255 } 256 257 void 258 ipsec_stats(u_long off, const char *name, int af1 __unused) 259 { 260 struct ipsecstat ipsecstat; 261 262 if (off == 0) 263 return; 264 printf ("%s:\n", name); 265 kread(off, (char *)&ipsecstat, sizeof(ipsecstat)); 266 267 print_ipsecstats(&ipsecstat); 268 } 269 270 271 #ifdef FAST_IPSEC 272 273 static void ipsec_hist_new(const u_int32_t *hist, size_t histmax, 274 const struct val2str *name, const char *title); 275 static void print_newipsecstats(const struct newipsecstat *newipsecstat); 276 static void print_ahstats(const struct ahstat *ahstat); 277 static void print_espstats(const struct espstat *espstat); 278 static void print_ipcompstats(const struct ipcompstat *ipcompstat); 279 280 /* 281 * Dump IPSEC statistics structure. 282 */ 283 static void 284 ipsec_hist_new(const u_int32_t *hist, size_t histmax, 285 const struct val2str *name, const char *title) 286 { 287 int first; 288 size_t proto; 289 const struct val2str *p; 290 291 first = 1; 292 for (proto = 0; proto < histmax; proto++) { 293 if (hist[proto] <= 0) 294 continue; 295 if (first) { 296 printf("\t%s histogram:\n", title); 297 first = 0; 298 } 299 for (p = name; p && p->str; p++) { 300 if (p->val == (int)proto) 301 break; 302 } 303 if (p && p->str) { 304 printf("\t\t%s: %u\n", p->str, hist[proto]); 305 } else { 306 printf("\t\t#%lu: %u\n", (unsigned long)proto, 307 hist[proto]); 308 } 309 } 310 } 311 312 static void 313 print_newipsecstats(const struct newipsecstat *newipsecstat) 314 { 315 #define p(f, m) if (newipsecstat->f || sflag <= 1) \ 316 printf(m, newipsecstat->f, plural(newipsecstat->f)) 317 318 p(ips_in_polvio, "\t%u inbound packet%s violated process " 319 "security policy\n"); 320 p(ips_out_polvio, "\t%u outbound packet%s violated process " 321 "security policy\n"); 322 p(ips_out_nosa, "\t%u outbound packet%s with no SA available\n"); 323 p(ips_out_nomem, "\t%u outbound packet%s failed due to " 324 "insufficient memory\n"); 325 p(ips_out_noroute, "\t%u outbound packet%s with no route " 326 "available\n"); 327 p(ips_out_inval, "\t%u invalid outbound packet%s\n"); 328 p(ips_out_bundlesa, "\t%u outbound packet%s with bundled SAs\n"); 329 p(ips_mbcoalesced, "\t%u mbuf%s coalesced during clone\n"); 330 p(ips_clcoalesced, "\t%u cluster%s coalesced during clone\n"); 331 p(ips_clcopied, "\t%u cluster%s copied during clone\n"); 332 p(ips_mbinserted, "\t%u mbuf%s inserted during makespace\n"); 333 #undef p 334 } 335 336 void 337 ipsec_stats_new(u_long off, const char *name, int af __unused) 338 { 339 struct newipsecstat newipsecstat; 340 341 if (off == 0) 342 return; 343 printf ("%s:\n", name); 344 kread(off, (char *)&newipsecstat, sizeof(newipsecstat)); 345 346 print_newipsecstats(&newipsecstat); 347 } 348 349 static void 350 print_ahstats(const struct ahstat *ahstat) 351 { 352 #define p32(f, m) if (ahstat->f || sflag <= 1) \ 353 printf("\t%u" m, (unsigned int)ahstat->f, plural(ahstat->f)) 354 #define p64(f, m) if (ahstat->f || sflag <= 1) \ 355 printf("\t%llu" m, (unsigned long long)ahstat->f, plural(ahstat->f)) 356 #define hist(f, n, t) \ 357 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 358 359 p32(ahs_hdrops, " packet%s shorter than header shows\n"); 360 p32(ahs_nopf, " packet%s dropped; protocol family not supported\n"); 361 p32(ahs_notdb, " packet%s dropped; no TDB\n"); 362 p32(ahs_badkcr, " packet%s dropped; bad KCR\n"); 363 p32(ahs_qfull, " packet%s dropped; queue full\n"); 364 p32(ahs_noxform, " packet%s dropped; no transform\n"); 365 p32(ahs_wrap, " replay counter wrap%s\n"); 366 p32(ahs_badauth, " packet%s dropped; bad authentication detected\n"); 367 p32(ahs_badauthl, " packet%s dropped; bad authentication length\n"); 368 p32(ahs_replay, " possible replay packet%s detected\n"); 369 p32(ahs_input, " packet%s in\n"); 370 p32(ahs_output, " packet%s out\n"); 371 p32(ahs_invalid, " packet%s dropped; invalid TDB\n"); 372 p64(ahs_ibytes, " byte%s in\n"); 373 p64(ahs_obytes, " byte%s out\n"); 374 p32(ahs_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 375 p32(ahs_pdrops, " packet%s blocked due to policy\n"); 376 p32(ahs_crypto, " crypto processing failure%s\n"); 377 p32(ahs_tunnel, " tunnel sanity check failure%s\n"); 378 hist(ahstat->ahs_hist, ipsec_ahnames, "AH output"); 379 380 #undef p32 381 #undef p64 382 #undef hist 383 } 384 385 void 386 ah_stats(u_long off, const char *name, int af __unused) 387 { 388 struct ahstat ahstat; 389 390 if (off == 0) 391 return; 392 printf ("%s:\n", name); 393 kread(off, (char *)&ahstat, sizeof(ahstat)); 394 395 print_ahstats(&ahstat); 396 } 397 398 static void 399 print_espstats(const struct espstat *espstat) 400 { 401 #define p32(f, m) if (espstat->f || sflag <= 1) \ 402 printf("\t%u" m, (unsigned int)espstat->f, plural(espstat->f)) 403 #define p64(f, m) if (espstat->f || sflag <= 1) \ 404 printf("\t%llu" m, (unsigned long long)espstat->f, plural(espstat->f)) 405 #define hist(f, n, t) \ 406 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 407 408 p32(esps_hdrops, " packet%s shorter than header shows\n"); 409 p32(esps_nopf, " packet%s dropped; protocol family not supported\n"); 410 p32(esps_notdb, " packet%s dropped; no TDB\n"); 411 p32(esps_badkcr, " packet%s dropped; bad KCR\n"); 412 p32(esps_qfull, " packet%s dropped; queue full\n"); 413 p32(esps_noxform, " packet%s dropped; no transform\n"); 414 p32(esps_badilen, " packet%s dropped; bad ilen\n"); 415 p32(esps_wrap, " replay counter wrap%s\n"); 416 p32(esps_badenc, " packet%s dropped; bad encryption detected\n"); 417 p32(esps_badauth, " packet%s dropped; bad authentication detected\n"); 418 p32(esps_replay, " possible replay packet%s detected\n"); 419 p32(esps_input, " packet%s in\n"); 420 p32(esps_output, " packet%s out\n"); 421 p32(esps_invalid, " packet%s dropped; invalid TDB\n"); 422 p64(esps_ibytes, " byte%s in\n"); 423 p64(esps_obytes, " byte%s out\n"); 424 p32(esps_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 425 p32(esps_pdrops, " packet%s blocked due to policy\n"); 426 p32(esps_crypto, " crypto processing failure%s\n"); 427 p32(esps_tunnel, " tunnel sanity check failure%s\n"); 428 hist(espstat->esps_hist, ipsec_espnames, "ESP output"); 429 430 #undef p32 431 #undef p64 432 #undef hist 433 } 434 435 void 436 esp_stats(u_long off, const char *name, int af __unused) 437 { 438 struct espstat espstat; 439 440 if (off == 0) 441 return; 442 printf ("%s:\n", name); 443 kread(off, (char *)&espstat, sizeof(espstat)); 444 445 print_espstats(&espstat); 446 } 447 448 static void 449 print_ipcompstats(const struct ipcompstat *ipcompstat) 450 { 451 #define p32(f, m) if (ipcompstat->f || sflag <= 1) \ 452 printf("\t%u" m, (unsigned int)ipcompstat->f, plural(ipcompstat->f)) 453 #define p64(f, m) if (ipcompstat->f || sflag <= 1) \ 454 printf("\t%llu" m, (unsigned long long)ipcompstat->f, plural(ipcompstat->f)) 455 #define hist(f, n, t) \ 456 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t)); 457 458 p32(ipcomps_hdrops, " packet%s shorter than header shows\n"); 459 p32(ipcomps_nopf, " packet%s dropped; protocol family not supported\n"); 460 p32(ipcomps_notdb, " packet%s dropped; no TDB\n"); 461 p32(ipcomps_badkcr, " packet%s dropped; bad KCR\n"); 462 p32(ipcomps_qfull, " packet%s dropped; queue full\n"); 463 p32(ipcomps_noxform, " packet%s dropped; no transform\n"); 464 p32(ipcomps_wrap, " replay counter wrap%s\n"); 465 p32(ipcomps_input, " packet%s in\n"); 466 p32(ipcomps_output, " packet%s out\n"); 467 p32(ipcomps_invalid, " packet%s dropped; invalid TDB\n"); 468 p64(ipcomps_ibytes, " byte%s in\n"); 469 p64(ipcomps_obytes, " byte%s out\n"); 470 p32(ipcomps_toobig, " packet%s dropped; larger than IP_MAXPACKET\n"); 471 p32(ipcomps_pdrops, " packet%s blocked due to policy\n"); 472 p32(ipcomps_crypto, " crypto processing failure%s\n"); 473 hist(ipcompstat->ipcomps_hist, ipsec_compnames, "COMP output"); 474 475 #undef p32 476 #undef p64 477 #undef hist 478 } 479 480 void 481 ipcomp_stats(u_long off, const char *name, int af __unused) 482 { 483 struct ipcompstat ipcompstat; 484 485 if (off == 0) 486 return; 487 printf ("%s:\n", name); 488 kread(off, (char *)&ipcompstat, sizeof(ipcompstat)); 489 490 print_ipcompstats(&ipcompstat); 491 } 492 493 #endif /* FAST_IPSEC */ 494 #endif /*IPSEC*/ 495