authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-02-07 18:18:17 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-02-07 18:18:17 +0000
commit05f3dca89fa5efb05cb505f36f6fd86d294bf974 (patch)
tree1f0d8d688ea325857b21abc08e3850feb0ea3526 /sys/netinet
parent7db541e2bea9889d4866f7688c0b8ac8b7f114b0 (diff)
IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case. OK dhill@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ah.c6
-rw-r--r--sys/netinet/ip_ah.h9
-rw-r--r--sys/netinet/ip_esp.c6
-rw-r--r--sys/netinet/ip_esp.h6
-rw-r--r--sys/netinet/ip_ipcomp.c10
-rw-r--r--sys/netinet/ip_ipcomp.h3
6 files changed, 20 insertions, 20 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index d67711fad7a..86f41e5ce1a 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.127 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.128 2017/02/07 18:18:16 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -1247,8 +1247,8 @@ ah_output_cb(struct cryptop *crp)
/* No longer needed. */
crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ahstat.ahs_outfail++;
NET_UNLOCK(s);
baddone:
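Review bot: The return value of ipsp_process_done() is only tested for non-zero at `if (ipsp_process_done(m, tdb))`, so the error code is discarded and every cause of an output drop is folded into the single `ahs_outfail` counter. That is enough to notice that protected traffic is being lost, but not to tell why. A short comment such as `/* any error from ipsp_process_done() counts as an output failure; the code itself is not reported */` would make the limitation explicit to whoever reads the counter later. The same pattern is added in esp_output_cb and in both hunks of ipcomp_output_cb. ah_output_cb starts and ends outside this hunk, so whether m is still referenced after the call cannot be checked from here.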
diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h
index c920cc19dc2..61ce7afa4fc 100644
--- a/sys/netinet/ip_ah.h
+++ b/sys/netinet/ip_ah.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.h,v 1.33 2010/01/10 12:43:07 markus Exp $ */
+/* $OpenBSD: ip_ah.h,v 1.34 2017/02/07 18:18:16 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,7 @@
#ifndef _NETINET_IP_AH_H_
#define _NETINET_IP_AH_H_
-struct ahstat
-{
+struct ahstat {
u_int32_t ahs_hdrops; /* Packet shorter than header shows */
u_int32_t ahs_nopf; /* Protocol family not supported */
u_int32_t ahs_notdb;
@@ -58,10 +57,10 @@ struct ahstat
u_int32_t ahs_toobig; /* Packet got larger than IP_MAXPACKET */
u_int32_t ahs_pdrops; /* Packet blocked due to policy */
u_int32_t ahs_crypto; /* Crypto processing failure */
+ u_int32_t ahs_outfail; /* Packet output failure */
};
-struct ah
-{
+struct ah {
u_int8_t ah_nh;
u_int8_t ah_hl;
u_int16_t ah_rv;
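Review bot: The comment on the new field, `/* Packet output failure */`, does not say which stage failed, and the struct already has `ahs_crypto` for crypto failures right above it. Going by the commit message, the counter covers drops that happen in output after crypto processing completed, so `/* Output failed after crypto processing */` would be clearer. The same applies to `esps_outfail` and `ipcomps_outfail`. The diffstat is limited to sys/netinet, so it is not visible here whether the tool that prints these statistics was updated to show the new counter; that is worth confirming, since an undisplayed counter does not help anyone spot the drops.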
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 0f8d3928eaf..f2567a662a0 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.145 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.146 2017/02/07 18:18:16 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -1088,8 +1088,8 @@ esp_output_cb(struct cryptop *crp)
crypto_freereq(crp);
/* Call the IPsec input callback. */
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ espstat.esps_outfail++;
NET_UNLOCK(s);
return;
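Review bot: The context comment `/* Call the IPsec input callback. */` directly above the changed lines looks stale: it sits in esp_output_cb and precedes ipsp_process_done(), which is the output path. Since the commit touches the statement it describes, this is a good moment to correct it, for example `/* Continue output processing; count the packet if that fails. */`. esp_output_cb begins outside this hunk, so the rest of the function was not reviewed.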
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 22e186319ca..3ff93422939 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.43 2016/09/02 09:39:32 vgross Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.44 2017/02/07 18:18:16 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,7 @@
#ifndef _NETINET_IP_ESP_H_
#define _NETINET_IP_ESP_H_
-struct espstat
-{
+struct espstat {
u_int32_t esps_hdrops; /* Packet shorter than header shows */
u_int32_t esps_nopf; /* Protocol family not supported */
u_int32_t esps_notdb;
@@ -63,6 +62,7 @@ struct espstat
u_int32_t esps_udpencout; /* Output ESP-in-UDP packets */
u_int32_t esps_udpinval; /* Invalid input ESP-in-UDP packets */
u_int32_t esps_udpneeded; /* Trying to use a ESP-in-UDP TDB */
+ u_int32_t esps_outfail; /* Packet output failure */
};
/*
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index d4dc26c48bc..6ffdd22ce62 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.52 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.53 2017/02/07 18:18:16 bluhm Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -579,8 +579,8 @@ ipcomp_output_cb(struct cryptop *crp)
if (rlen < crp->crp_olen) {
/* Compression was useless, we have lost time. */
crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ipcompstat.ipcomps_outfail++;
NET_UNLOCK(s);
return;
}
@@ -628,8 +628,8 @@ ipcomp_output_cb(struct cryptop *crp)
/* Release the crypto descriptor. */
crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ipcompstat.ipcomps_outfail++;
NET_UNLOCK(s);
return;
diff --git a/sys/netinet/ip_ipcomp.h b/sys/netinet/ip_ipcomp.h
index 76596ebdadd..0ebd45d2edc 100644
--- a/sys/netinet/ip_ipcomp.h
+++ b/sys/netinet/ip_ipcomp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.h,v 1.7 2007/12/14 18:33:41 deraadt Exp $ */
+/* $OpenBSD: ip_ipcomp.h,v 1.8 2017/02/07 18:18:16 bluhm Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -51,6 +51,7 @@ struct ipcompstat {
u_int32_t ipcomps_pdrops; /* Packet blocked due to policy */
u_int32_t ipcomps_crypto; /* "Crypto" processing failure */
u_int32_t ipcomps_minlen; /* packets too short for compress */
+ u_int32_t ipcomps_outfail; /* Packet output failure */
};
/* IPCOMP header */