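/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <sys/types.h>
#include <sys/stream.h>
#include <sys/strsun.h>
#include <sys/sunddi.h>
#include <sys/kstat.h>
#include <sys/kmem.h>
#include <net/pfkeyv2.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ipsec_info.h>
#include <inet/ipdrop.h>

/*
 * Packet drop facility.
 *
 * IPsec and IP drop paths funnel through ip_drop_packet(), which bumps a
 * named kstat counter and frees the message.  The counters live in the
 * "ip:0:ipdrop" named kstat created by ip_drop_init(); ip_drop_types
 * points at that kstat's ks_data and is the backing store the ipdrops_*
 * names (from inet/ipdrop.h) resolve to.
 */

kstat_t *ip_drop_kstat;
struct ip_dropstats *ip_drop_types;

/*
 * Every drop counter is a KSTAT_DATA_UINT64 whose kstat name is the
 * ipdrops_ field name with the prefix stripped.  Deriving the string from
 * the field keeps the two from drifting apart.
 */
#define	IPDROP_KSTAT(field) \
	kstat_named_init(&ipdrops_##field, #field, KSTAT_DATA_UINT64)

/*
 * Initialize drop facility kstats.
 *
 * Creates the "ipdrop" named kstat sized to struct ip_dropstats, names
 * every counter, and installs it.  If kstat_create() fails, ip_drop_kstat
 * and ip_drop_types stay NULL; anything that later touches an ipdrops_*
 * counter must cope with that (NOTE(review): confirm against
 * inet/ipdrop.h how ipdrops_* reach ip_drop_types).
 */
void
ip_drop_init(void)
{
	ip_drop_kstat = kstat_create("ip", 0, "ipdrop", "net",
	    KSTAT_TYPE_NAMED, sizeof (*ip_drop_types) / sizeof (kstat_named_t),
	    KSTAT_FLAG_PERSISTENT);

	if (ip_drop_kstat == NULL)
		return;

	ip_drop_types = ip_drop_kstat->ks_data;

	/* TCP IPsec drop statistics. */
	IPDROP_KSTAT(tcp_clear);
	IPDROP_KSTAT(tcp_secure);
	IPDROP_KSTAT(tcp_mismatch);
	IPDROP_KSTAT(tcp_ipsec_alloc);

	/* SADB-specific drop statistics. */
	IPDROP_KSTAT(sadb_inlarval_timeout);
	IPDROP_KSTAT(sadb_inlarval_replace);
	IPDROP_KSTAT(sadb_acquire_nomem);
	IPDROP_KSTAT(sadb_acquire_toofull);
	IPDROP_KSTAT(sadb_acquire_timeout);

	/* SPD drop statistics. */
	IPDROP_KSTAT(spd_ahesp_diffid);
	IPDROP_KSTAT(spd_loopback_mismatch);
	IPDROP_KSTAT(spd_explicit);
	IPDROP_KSTAT(spd_got_secure);
	IPDROP_KSTAT(spd_got_clear);
	IPDROP_KSTAT(spd_bad_ahalg);
	IPDROP_KSTAT(spd_got_ah);
	IPDROP_KSTAT(spd_bad_espealg);
	IPDROP_KSTAT(spd_bad_espaalg);
	IPDROP_KSTAT(spd_got_esp);
	IPDROP_KSTAT(spd_got_selfencap);
	IPDROP_KSTAT(spd_bad_selfencap);
	IPDROP_KSTAT(spd_nomem);
	IPDROP_KSTAT(spd_ah_badid);
	IPDROP_KSTAT(spd_esp_badid);
	IPDROP_KSTAT(spd_ah_innermismatch);
	IPDROP_KSTAT(spd_esp_innermismatch);
	IPDROP_KSTAT(spd_no_policy);
	IPDROP_KSTAT(spd_malformed_packet);
	IPDROP_KSTAT(spd_malformed_frag);
	IPDROP_KSTAT(spd_overlap_frag);
	IPDROP_KSTAT(spd_evil_frag);
	IPDROP_KSTAT(spd_max_frags);

	/* ESP-specific drop statistics. */
	IPDROP_KSTAT(esp_nomem);
	IPDROP_KSTAT(esp_no_sa);
	IPDROP_KSTAT(esp_early_replay);
	IPDROP_KSTAT(esp_replay);
	IPDROP_KSTAT(esp_bytes_expire);
	IPDROP_KSTAT(esp_bad_padlen);
	IPDROP_KSTAT(esp_bad_padding);
	IPDROP_KSTAT(esp_bad_auth);
	IPDROP_KSTAT(esp_crypto_failed);
	IPDROP_KSTAT(esp_icmp);

	/* AH-specific drop statistics. */
	IPDROP_KSTAT(ah_nomem);
	IPDROP_KSTAT(ah_bad_v6_hdrs);
	IPDROP_KSTAT(ah_bad_v4_opts);
	IPDROP_KSTAT(ah_no_sa);
	IPDROP_KSTAT(ah_bad_length);
	IPDROP_KSTAT(ah_bad_auth);
	IPDROP_KSTAT(ah_crypto_failed);
	IPDROP_KSTAT(ah_early_replay);
	IPDROP_KSTAT(ah_replay);
	IPDROP_KSTAT(ah_bytes_expire);

	/* IP-specific drop statistics. */
	IPDROP_KSTAT(ip_ipsec_not_loaded);

	kstat_install(ip_drop_kstat);
}

#undef	IPDROP_KSTAT

/*
 * Tear down the drop facility kstat.
 *
 * kstat_delete() releases the ks_data area that ip_drop_types points
 * into, so both globals are cleared here; a stale ip_drop_types would
 * otherwise let a later counter bump write into freed memory.  Safe to
 * call when ip_drop_init() never created the kstat.
 */
void
ip_drop_destroy(void)
{
	if (ip_drop_kstat != NULL) {
		kstat_delete(ip_drop_kstat);
		ip_drop_kstat = NULL;
	}
	ip_drop_types = NULL;
}

/*
 * Register a packet dropper.
 *
 * Stores a private copy of name in ipd->ipd_name (freed by
 * ip_drop_unregister()).  A dropper that already carries a name is left
 * untouched and a warning is logged.  The copy is sized from strlen(name)
 * so the strcpy() cannot overrun; name must be NUL-terminated and is
 * trusted kernel-supplied text, not user input.
 */
void
ip_drop_register(ipdropper_t *ipd, char *name)
{
	if (ipd->ipd_name != NULL) {
		cmn_err(CE_WARN,
		    "ip_drop_register: ipdropper %s already registered with %s",
		    name, ipd->ipd_name);
		return;
	}

	/* Assume that name is reasonable in length.  This isn't user-land. */
	ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
	(void) strcpy(ipd->ipd_name, name);
}

/*
 * Un-register a packet dropper.
 *
 * Frees the name copied by ip_drop_register() and clears ipd_name.  A
 * dropper that was never registered, or has already been unregistered,
 * has a NULL ipd_name; bail out rather than hand strlen() a NULL.
 */
void
ip_drop_unregister(ipdropper_t *ipd)
{
	if (ipd->ipd_name == NULL)
		return;

	kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1);
	ipd->ipd_name = NULL;
}

/*
 * Actually drop a packet.  Many things could happen here, but at the least,
 * the packet will be freemsg()ed.
 *
 * mp		Message to drop; may be an M_CTL ipsec_info_t block with the
 *		data chained on b_cont.  NULL is a no-op.
 * inbound	B_TRUE for received packets (sanity-checked against IPSEC_OUT).
 * arriving	Unused.
 * outbound_ire	Non-NULL for transmitted packets (sanity-checked against
 *		IPSEC_IN).
 * counter	Named kstat to bump, or NULL.  The increment is a plain ++,
 *		not atomic, so concurrent drops may under-count.
 * who_called	Unused.
 */
/* ARGSUSED */
void
ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving,
    ire_t *outbound_ire, struct kstat_named *counter, ipdropper_t *who_called)
{
	mblk_t *ipsec_mp = NULL;
	ipsec_in_t *ii = NULL;
	ipsec_out_t *io = NULL;
	ipsec_info_t *in;
	uint8_t vers;

	if (mp == NULL) {
		/*
		 * Return immediately - NULL packets should not affect any
		 * statistics.
		 */
		return;
	}

	if (DB_TYPE(mp) == M_CTL) {
		in = (ipsec_info_t *)mp->b_rptr;

		if (in->ipsec_info_type == IPSEC_IN)
			ii = (ipsec_in_t *)in;
		else if (in->ipsec_info_type == IPSEC_OUT)
			io = (ipsec_out_t *)in;

		/*
		 * See if this is an ICMP packet (check for v4/v6) by looking
		 * at the version nibble of the first byte.
		 */
		vers = (*mp->b_rptr) >> 4;
		if (vers != IPV4_VERSION && vers != IPV6_VERSION) {
			/*
			 * If not, it's some other sort of M_CTL to be freed.
			 * For now, treat it like an ordinary packet: the
			 * control block is freed separately and mp moves on
			 * to the data (which may be absent).
			 */
			ipsec_mp = mp;
			mp = mp->b_cont;
		}
	}

	/* Reality checks */
	if (inbound && io != NULL)
		cmn_err(CE_WARN,
		    "ip_drop_packet: inbound packet with IPSEC_OUT");

	if (outbound_ire != NULL && ii != NULL)
		cmn_err(CE_WARN,
		    "ip_drop_packet: outbound packet with IPSEC_IN");

	/*
	 * At this point, mp points to the data, or is NULL if the M_CTL
	 * block carried no b_cont.
	 */
	/*
	 * Can't make the assertion yet - It could be an inbound ICMP
	 * message, which is M_CTL but with data in it.
	 */
	/* ASSERT(mp->b_datap->db_type == M_DATA); */

	/* Increment the bean counter, if available. */
	if (counter != NULL) {
		switch (counter->data_type) {
		case KSTAT_DATA_INT32:
			counter->value.i32++;
			break;
		case KSTAT_DATA_UINT32:
			counter->value.ui32++;
			break;
		case KSTAT_DATA_INT64:
			counter->value.i64++;
			break;
		case KSTAT_DATA_UINT64:
			counter->value.ui64++;
			break;
		default:
			/* Other types we can't handle for now. */
			break;
		}

		/* TODO? Copy out kstat name for use in logging. */
	}

	/* TODO: log the packet details if logging is called for. */
	/* TODO: queue the packet onto a snoop-friendly queue. */

	/* If I haven't queued the packet or some such nonsense, free it. */
	if (ipsec_mp != NULL)
		freeb(ipsec_mp);

	if (mp != NULL) {
		/*
		 * ASSERT this isn't a b_next linked mblk chain where a
		 * chained dropper should be used instead.  Guarded by the
		 * NULL check above because an M_CTL with no b_cont leaves
		 * mp NULL here.
		 */
		ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
		freemsg(mp);
	}
}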