xref: /illumos-gate/usr/src/uts/common/inet/ip/ipdrop.c (revision 16f0fd39d0c84c014919d701f87f5fc48be58d31)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsun.h>
29 #include <sys/sunddi.h>
30 #include <sys/kstat.h>
31 #include <sys/kmem.h>
32 #include <sys/sdt.h>
33 #include <net/pfkeyv2.h>
34 #include <inet/common.h>
35 #include <inet/ip.h>
36 #include <inet/ip6.h>
37 #include <inet/ipsec_impl.h>
38 #include <inet/ipdrop.h>
39 
40 /*
41  * Packet drop facility.
42  */
43 
44 /*
45  * Initialize drop facility kstats.
46  */
47 void
48 ip_drop_init(ipsec_stack_t *ipss)
49 {
50 	ipss->ipsec_ip_drop_kstat = kstat_create_netstack("ip", 0, "ipdrop",
51 	    "net", KSTAT_TYPE_NAMED,
52 	    sizeof (struct ip_dropstats) / sizeof (kstat_named_t),
53 	    KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
54 
55 	if (ipss->ipsec_ip_drop_kstat == NULL ||
56 	    ipss->ipsec_ip_drop_kstat->ks_data == NULL)
57 		return;
58 
59 	/*
60 	 * Note: here ipss->ipsec_ip_drop_types is initialized, however,
61 	 * if the previous kstat_create_netstack failed, it will remain
62 	 * NULL. Note this is done for all stack instances, so it *could*
63 	 * be NULL. Hence a non-NULL checking is added where
64 	 * ipss->ipsec_ip_drop_types is used. This checking is hidden in
65 	 * the DROPPER macro.
66 	 */
67 	ipss->ipsec_ip_drop_types = ipss->ipsec_ip_drop_kstat->ks_data;
68 
69 	/* TCP IPsec drop statistics. */
70 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_clear,
71 	    "tcp_clear", KSTAT_DATA_UINT64);
72 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_secure,
73 	    "tcp_secure", KSTAT_DATA_UINT64);
74 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_mismatch,
75 	    "tcp_mismatch", KSTAT_DATA_UINT64);
76 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_ipsec_alloc,
77 	    "tcp_ipsec_alloc", KSTAT_DATA_UINT64);
78 
79 	/* SADB-specific drop statistics. */
80 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_timeout,
81 	    "sadb_inlarval_timeout", KSTAT_DATA_UINT64);
82 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_replace,
83 	    "sadb_inlarval_replace", KSTAT_DATA_UINT64);
84 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_overflow,
85 	    "sadb_inidle_overflow", KSTAT_DATA_UINT64);
86 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_timeout,
87 	    "sadb_inidle_timeout", KSTAT_DATA_UINT64);
88 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_nomem,
89 	    "sadb_acquire_nomem", KSTAT_DATA_UINT64);
90 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_toofull,
91 	    "sadb_acquire_toofull", KSTAT_DATA_UINT64);
92 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_timeout,
93 	    "sadb_acquire_timeout", KSTAT_DATA_UINT64);
94 
95 	/* SPD drop statistics. */
96 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ahesp_diffid,
97 	    "spd_ahesp_diffid", KSTAT_DATA_UINT64);
98 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_loopback_mismatch,
99 	    "spd_loopback_mismatch", KSTAT_DATA_UINT64);
100 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_explicit,
101 	    "spd_explicit", KSTAT_DATA_UINT64);
102 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_secure,
103 	    "spd_got_secure", KSTAT_DATA_UINT64);
104 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_clear,
105 	    "spd_got_clear", KSTAT_DATA_UINT64);
106 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_ahalg,
107 	    "spd_bad_ahalg", KSTAT_DATA_UINT64);
108 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_ah,
109 	    "spd_got_ah", KSTAT_DATA_UINT64);
110 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espealg,
111 	    "spd_bad_espealg", KSTAT_DATA_UINT64);
112 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espaalg,
113 	    "spd_bad_espaalg", KSTAT_DATA_UINT64);
114 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_esp,
115 	    "spd_got_esp", KSTAT_DATA_UINT64);
116 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_selfencap,
117 	    "spd_got_selfencap", KSTAT_DATA_UINT64);
118 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_selfencap,
119 	    "spd_bad_selfencap", KSTAT_DATA_UINT64);
120 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_nomem,
121 	    "spd_nomem", KSTAT_DATA_UINT64);
122 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_badid,
123 	    "spd_ah_badid", KSTAT_DATA_UINT64);
124 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_innermismatch,
125 	    "spd_ah_innermismatch", KSTAT_DATA_UINT64);
126 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_innermismatch,
127 	    "spd_esp_innermismatch", KSTAT_DATA_UINT64);
128 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_badid,
129 	    "spd_esp_badid", KSTAT_DATA_UINT64);
130 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_no_policy,
131 	    "spd_no_policy", KSTAT_DATA_UINT64);
132 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_packet,
133 	    "spd_malformed_packet", KSTAT_DATA_UINT64);
134 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_frag,
135 	    "spd_malformed_frag", KSTAT_DATA_UINT64);
136 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_overlap_frag,
137 	    "spd_overlap_frag", KSTAT_DATA_UINT64);
138 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_evil_frag,
139 	    "spd_evil_frag", KSTAT_DATA_UINT64);
140 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_max_frags,
141 	    "spd_max_frags", KSTAT_DATA_UINT64);
142 
143 	/* ESP-specific drop statistics. */
144 
145 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nomem,
146 	    "esp_nomem", KSTAT_DATA_UINT64);
147 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_no_sa,
148 	    "esp_no_sa", KSTAT_DATA_UINT64);
149 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_early_replay,
150 	    "esp_early_replay", KSTAT_DATA_UINT64);
151 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_replay,
152 	    "esp_replay", KSTAT_DATA_UINT64);
153 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bytes_expire,
154 	    "esp_bytes_expire", KSTAT_DATA_UINT64);
155 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padlen,
156 	    "esp_bad_padlen", KSTAT_DATA_UINT64);
157 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padding,
158 	    "esp_bad_padding", KSTAT_DATA_UINT64);
159 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_auth,
160 	    "esp_bad_auth", KSTAT_DATA_UINT64);
161 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_crypto_failed,
162 	    "esp_crypto_failed", KSTAT_DATA_UINT64);
163 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_icmp,
164 	    "esp_icmp", KSTAT_DATA_UINT64);
165 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ipsec,
166 	    "esp_nat_t_ipsec", KSTAT_DATA_UINT64);
167 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ka,
168 	    "esp_nat_t_ka", KSTAT_DATA_UINT64);
169 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_iv_wrap,
170 	    "esp_iv_wrap", KSTAT_DATA_UINT64);
171 
172 	/* AH-specific drop statistics. */
173 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_nomem,
174 	    "ah_nomem", KSTAT_DATA_UINT64);
175 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v6_hdrs,
176 	    "ah_bad_v6_hdrs", KSTAT_DATA_UINT64);
177 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v4_opts,
178 	    "ah_bad_v4_opts", KSTAT_DATA_UINT64);
179 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_no_sa,
180 	    "ah_no_sa", KSTAT_DATA_UINT64);
181 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_length,
182 	    "ah_bad_length", KSTAT_DATA_UINT64);
183 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_auth,
184 	    "ah_bad_auth", KSTAT_DATA_UINT64);
185 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_crypto_failed,
186 	    "ah_crypto_failed", KSTAT_DATA_UINT64);
187 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_early_replay,
188 	    "ah_early_replay", KSTAT_DATA_UINT64);
189 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_replay,
190 	    "ah_replay", KSTAT_DATA_UINT64);
191 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bytes_expire,
192 	    "ah_bytes_expire", KSTAT_DATA_UINT64);
193 
194 	/* IP-specific drop statistics. */
195 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ip_ipsec_not_loaded,
196 	    "ip_ipsec_not_loaded", KSTAT_DATA_UINT64);
197 
198 	kstat_install(ipss->ipsec_ip_drop_kstat);
199 }
200 
201 void
202 ip_drop_destroy(ipsec_stack_t *ipss)
203 {
204 	kstat_delete_netstack(ipss->ipsec_ip_drop_kstat,
205 	    ipss->ipsec_netstack->netstack_stackid);
206 	ipss->ipsec_ip_drop_kstat = NULL;
207 	ipss->ipsec_ip_drop_types = NULL;
208 }
209 
210 /*
211  * Register a packet dropper.
212  */
213 void
214 ip_drop_register(ipdropper_t *ipd, char *name)
215 {
216 	if (ipd->ipd_name != NULL) {
217 		cmn_err(CE_WARN,
218 		    "ip_drop_register: ipdropper %s already registered with %s",
219 		    name, ipd->ipd_name);
220 		return;
221 	}
222 
223 	/* Assume that name is reasonable in length.  This isn't user-land. */
224 	ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
225 	(void) strcpy(ipd->ipd_name, name);
226 }
227 
228 /*
229  * Un-register a packet dropper.
230  */
231 void
232 ip_drop_unregister(ipdropper_t *ipd)
233 {
234 	if (ipd->ipd_name == NULL) {
235 		cmn_err(CE_WARN,
236 		    "ip_drop_unregister: not registered (%p)\n",
237 		    (void *)ipd);
238 		return;
239 	}
240 	kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1);
241 
242 	ipd->ipd_name = NULL;
243 }
244 
245 /*
246  * Actually drop a packet.  Many things could happen here, but at the least,
247  * the packet will be freemsg()ed.
248  */
249 void
250 ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *ill,
251     struct kstat_named *counter, ipdropper_t *who_called)
252 {
253 	char *str;
254 
255 	if (mp == NULL) {
256 		/*
257 		 * Return immediately - NULL packets should not affect any
258 		 * statistics.
259 		 */
260 		return;
261 	}
262 
263 	ASSERT(mp->b_datap->db_type == M_DATA);
264 
265 	/* Increment the bean counter, if available. */
266 	if (counter != NULL) {
267 		switch (counter->data_type) {
268 		case KSTAT_DATA_INT32:
269 			counter->value.i32++;
270 			break;
271 		case KSTAT_DATA_UINT32:
272 			counter->value.ui32++;
273 			break;
274 		case KSTAT_DATA_INT64:
275 			counter->value.i64++;
276 			break;
277 		case KSTAT_DATA_UINT64:
278 			counter->value.ui64++;
279 			break;
280 		/* Other types we can't handle for now. */
281 		}
282 	}
283 
284 	if (counter != NULL)
285 		str = counter->name;
286 	else if (who_called != NULL)
287 		str = who_called->ipd_name;
288 	else
289 		str = "Unspecified IPsec drop";
290 
291 	if (inbound)
292 		ip_drop_input(str, mp, ill);
293 	else
294 		ip_drop_output(str, mp, ill);
295 
296 	/* TODO: queue the packet onto a snoop-friendly queue. */
297 
298 	/*
299 	 * ASSERT this isn't a b_next linked mblk chain where a
300 	 * chained dropper should be used instead
301 	 */
302 	ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
303 	freemsg(mp);
304 }
305 
306 /*
307  * This is just a convinient place for dtrace to see dropped packets
308  */
309 /*ARGSUSED*/
310 void
311 ip_drop_input(char *str, mblk_t *mp, ill_t *ill)
312 {
313 	if (mp == NULL)
314 		return;
315 
316 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
317 		ipha_t *ipha = (ipha_t *)mp->b_rptr;
318 
319 		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
320 		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
321 		    ip6_t *, NULL, int, 0);
322 	} else {
323 		ip6_t *ip6h = (ip6_t *)mp->b_rptr;
324 
325 		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
326 		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
327 		    ip6_t *, ip6h, int, 0);
328 	}
329 }
330 
331 /*ARGSUSED*/
332 void
333 ip_drop_output(char *str, mblk_t *mp, ill_t *ill)
334 {
335 	if (mp == NULL)
336 		return;
337 
338 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
339 		ipha_t *ipha = (ipha_t *)mp->b_rptr;
340 
341 		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
342 		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
343 		    ip6_t *, NULL, int, 0);
344 	} else {
345 		ip6_t *ip6h = (ip6_t *)mp->b_rptr;
346 
347 		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
348 		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
349 		    ip6_t *, ip6h, int, 0);
350 	}
351 }
352