diff options
| -rw-r--r-- | sys/netinet/ip_ah.c | 88 | ||||
| -rw-r--r-- | sys/netinet/ip_ah.h | 46 | ||||
| -rw-r--r-- | sys/netinet/ip_esp.c | 70 | ||||
| -rw-r--r-- | sys/netinet/ip_esp.h | 52 | ||||
| -rw-r--r-- | sys/netinet/ip_input.c | 6 | ||||
| -rw-r--r-- | sys/netinet/ip_ipcomp.c | 48 | ||||
| -rw-r--r-- | sys/netinet/ip_ipcomp.h | 45 | ||||
| -rw-r--r-- | sys/netinet/ip_ipsp.h | 3 | ||||
| -rw-r--r-- | sys/netinet/ipsec_input.c | 176 | ||||
| -rw-r--r-- | sys/netinet/ipsec_output.c | 6 | ||||
| -rw-r--r-- | sys/netinet/udp_usrreq.c | 4 |
11 files changed, 347 insertions, 197 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 5d1831a73b9..517443ad625 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.132 2017/11/06 15:12:43 mpi Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.133 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -80,8 +80,6 @@ void ah_output_cb(struct cryptop *); void ah_input_cb(struct cryptop *); int ah_massage_headers(struct mbuf **, int, int, int, int); -struct ahstat ahstat; - unsigned char ipseczeroes[IPSEC_ZEROES_SIZE]; /* zeroes! */ @@ -216,7 +214,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) *m0 = m = m_pullup(m, skip); if (m == NULL) { DPRINTF(("%s: m_pullup() failed\n", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); return ENOBUFS; } @@ -238,7 +236,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) DPRINTF(("%s: illegal IPv4 option length for" " option %d\n", __func__, ptr[off])); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -263,7 +261,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) " length for option %d\n", __func__, ptr[off])); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -279,7 +277,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) " length for option %d\n", __func__, ptr[off])); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -305,7 +303,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) DPRINTF(("%s: illegal IPv4 option" " length for option %d\n", __func__, ptr[off])); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -322,7 +320,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) DPRINTF(("%s: malformed IPv4 options header\n", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -338,7 +336,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* We don't do IPv6 Jumbograms. */ if (ip6.ip6_plen == 0) { DPRINTF(("%s: unsupported IPv6 jumbogram", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EMSGSIZE; } @@ -365,7 +363,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) if (ptr == NULL) { DPRINTF(("%s: failed to allocate memory" " for IPv6 headers\n", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return ENOBUFS; } @@ -409,7 +407,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* Sanity check. */ if (count > off + ((ip6e->ip6e_len + 1) << 3)) { - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); /* Free, if we allocated. */ @@ -430,7 +428,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* Sanity check. */ if (count > skip - sizeof(struct ip6_hdr)) { - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); /* Free, if we allocated. */ @@ -500,7 +498,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) __func__, off)); if (alloc) free(ptr, M_XDATA, 0); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return EINVAL; } @@ -559,14 +557,14 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_wrap++; + ahstat_inc(ahs_wrap); return ENOBUFS; case 2: m_freem(m); DPRINTF(("%s: old packet received in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); return ENOBUFS; case 3: m_freem(m); @@ -574,7 +572,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) "%s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); return ENOBUFS; default: m_freem(m); @@ -582,7 +580,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) "checkreplaywindow() in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); return ENOBUFS; } } @@ -594,7 +592,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_badauthl++; + ahstat_inc(ahs_badauthl); m_freem(m); return EACCES; } @@ -602,7 +600,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) /* Update the counters. */ tdb->tdb_cur_bytes += (m->m_pkthdr.len - skip - hl * sizeof(u_int32_t)); - ahstat.ahs_ibytes += (m->m_pkthdr.len - skip - hl * sizeof(u_int32_t)); + ahstat_add(ahs_ibytes, m->m_pkthdr.len - skip - hl * sizeof(u_int32_t)); /* Hard expiration. */ if (tdb->tdb_flags & TDBF_BYTES && @@ -626,7 +624,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); return ENOBUFS; } @@ -654,7 +652,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); return ENOBUFS; } @@ -722,7 +720,7 @@ ah_input_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -732,7 +730,7 @@ ah_input_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - ahstat.ahs_notdb++; + ahstat_inc(ahs_notdb); DPRINTF(("%s: TDB is expired while in crypto", __func__)); goto baddone; } @@ -750,7 +748,7 @@ ah_input_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - ahstat.ahs_noxform++; + ahstat_inc(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; } else { @@ -773,7 +771,7 @@ ah_input_cb(struct cryptop *crp) __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_badauth++; + ahstat_inc(ahs_badauth); goto baddone; } @@ -801,27 +799,27 @@ ah_input_cb(struct cryptop *crp) DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_wrap++; + ahstat_inc(ahs_wrap); goto baddone; case 2: DPRINTF(("%s: old packet received in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); goto baddone; case 3: DPRINTF(("%s): duplicate packet received in " "SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); goto baddone; default: DPRINTF(("%s: bogus value from " "checkreplaywindow() in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; + ahstat_inc(ahs_replay); goto baddone; } } @@ -829,8 +827,8 @@ ah_input_cb(struct cryptop *crp) /* Record the beginning of the AH header. */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { - ahstat.ahs_hdrops++; NET_UNLOCK(); + ahstat_inc(ahs_hdrops); m_freem(m); DPRINTF(("%s: bad mbuf chain for packet in SA %s/%08x\n", @@ -951,7 +949,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, } #endif - ahstat.ahs_output++; + ahstat_inc(ahs_output); /* * Check for replay counter wrap-around in automatic (not @@ -962,7 +960,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ahstat.ahs_wrap++; + ahstat_inc(ahs_wrap); return EINVAL; } @@ -977,7 +975,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ahstat.ahs_toobig++; + ahstat_inc(ahs_toobig); return EMSGSIZE; } break; @@ -990,7 +988,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ahstat.ahs_toobig++; + ahstat_inc(ahs_toobig); return EMSGSIZE; } break; @@ -1002,13 +1000,13 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ahstat.ahs_nopf++; + ahstat_inc(ahs_nopf); return EPFNOSUPPORT; } /* Update the counters. */ tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; - ahstat.ahs_obytes += m->m_pkthdr.len - skip; + ahstat_add(ahs_obytes, m->m_pkthdr.len - skip); /* Hard expiration. */ if (tdb->tdb_flags & TDBF_BYTES && @@ -1038,7 +1036,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); if (n == NULL) { - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freem(m); return ENOBUFS; } @@ -1055,7 +1053,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ntohl(tdb->tdb_spi))); m_freem(m); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); return ENOBUFS; } @@ -1086,7 +1084,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); return ENOBUFS; } @@ -1115,7 +1113,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); return ENOBUFS; } @@ -1203,7 +1201,7 @@ ah_output_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - ahstat.ahs_crypto++; + ahstat_inc(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -1213,7 +1211,7 @@ ah_output_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - ahstat.ahs_notdb++; + ahstat_inc(ahs_notdb); DPRINTF(("%s: TDB is expired while in crypto\n", __func__)); goto baddone; } @@ -1229,7 +1227,7 @@ ah_output_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - ahstat.ahs_noxform++; + ahstat_inc(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; } @@ -1246,7 +1244,7 @@ ah_output_cb(struct cryptop *crp) crypto_freereq(crp); if (ipsp_process_done(m, tdb)) - ahstat.ahs_outfail++; + ahstat_inc(ahs_outfail); NET_UNLOCK(); return; diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h index c3dd6cfd795..9a9e1cbc600 100644 --- a/sys/netinet/ip_ah.h +++ b/sys/netinet/ip_ah.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.h,v 1.35 2017/11/07 16:51:23 visa Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.36 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -92,7 +92,49 @@ struct ah { } #ifdef _KERNEL + +#include <sys/percpu.h> + +enum ahstat_counters { + ahs_hdrops, /* Packet shorter than header shows */ + ahs_nopf, /* Protocol family not supported */ + ahs_notdb, + ahs_badkcr, + ahs_badauth, + ahs_noxform, + ahs_qfull, + ahs_wrap, + ahs_replay, + ahs_badauthl, /* Bad authenticator length */ + ahs_input, /* Input AH packets */ + ahs_output, /* Output AH packets */ + ahs_invalid, /* Trying to use an invalid TDB */ + ahs_ibytes, /* Input bytes */ + ahs_obytes, /* Output bytes */ + ahs_toobig, /* Packet got larger than + * IP_MAXPACKET */ + ahs_pdrops, /* Packet blocked due to policy */ + ahs_crypto, /* Crypto processing failure */ + ahs_outfail, /* Packet output failure */ + + ahs_ncounters +}; + +extern struct cpumem *ahcounters; + +static inline void +ahstat_inc(enum ahstat_counters c) +{ + counters_inc(ahcounters, c); +} + +static inline void +ahstat_add(enum ahstat_counters c, uint64_t v) +{ + counters_add(ahcounters, c, v); +} + extern int ah_enable; -extern struct ahstat ahstat; + #endif /* _KERNEL */ #endif /* _NETINET_IP_AH_H_ */ diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index a34201245f6..da62fb80714 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.151 2017/11/06 15:12:43 mpi Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.152 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -78,8 +78,6 @@ void esp_input_cb(struct cryptop *); #define DPRINTF(x) #endif -struct espstat espstat; - /* * esp_attach() is called from the transformation initialization code. */ @@ -353,7 +351,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) plen = m->m_pkthdr.len - (skip + hlen + alen); if (plen <= 0) { DPRINTF(("%s: invalid payload length\n", __func__)); - espstat.esps_badilen++; + espstat_inc(esps_badilen); m_freem(m); return EINVAL; } @@ -368,7 +366,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) " octets, SA %s/%08x\n", __func__, plen, espx->blocksize, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_badilen++; + espstat_inc(esps_badilen); m_freem(m); return EINVAL; } @@ -389,7 +387,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_wrap++; + espstat_inc(esps_wrap); return EACCES; case 2: m_freem(m); @@ -397,7 +395,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); return EACCES; case 3: m_freem(m); @@ -405,7 +403,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) " in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); return EACCES; default: m_freem(m); @@ -414,14 +412,14 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); return EACCES; } } /* Update the counters */ tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen; - espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen; + espstat_add(esps_ibytes, m->m_pkthdr.len - skip - hlen - alen); /* Hard expiration */ if ((tdb->tdb_flags & TDBF_BYTES) && @@ -444,7 +442,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) if (crp == NULL) { m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - espstat.esps_crypto++; + espstat_inc(esps_crypto); return ENOBUFS; } @@ -457,7 +455,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - espstat.esps_crypto++; + espstat_inc(esps_crypto); return ENOBUFS; } @@ -552,7 +550,7 @@ esp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - espstat.esps_crypto++; + espstat_inc(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -562,7 +560,7 @@ esp_input_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - espstat.esps_notdb++; + espstat_inc(esps_notdb); DPRINTF(("%s: TDB is expired while in crypto", __func__)); goto baddone; } @@ -580,7 +578,7 @@ esp_input_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - espstat.esps_noxform++; + espstat_inc(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; } @@ -600,7 +598,7 @@ esp_input_cb(struct cryptop *crp) "failed for packet in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_badauth++; + espstat_inc(esps_badauth); goto baddone; } @@ -627,28 +625,28 @@ esp_input_cb(struct cryptop *crp) __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_wrap++; + espstat_inc(esps_wrap); goto baddone; case 2: DPRINTF(("%s: old packet received in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); goto baddone; case 3: DPRINTF(("%s: duplicate packet received" " in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); goto baddone; default: DPRINTF(("%s: bogus value from" " checkreplaywindow() in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_replay++; + espstat_inc(esps_replay); goto baddone; } } @@ -662,7 +660,7 @@ esp_input_cb(struct cryptop *crp) /* Find beginning of ESP header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { - espstat.esps_hdrops++; + espstat_inc(esps_hdrops); NET_UNLOCK(); DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), @@ -720,7 +718,7 @@ esp_input_cb(struct cryptop *crp) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { - espstat.esps_badilen++; + espstat_inc(esps_badilen); NET_UNLOCK(); DPRINTF(("%s: invalid padding length %d for packet in " "SA %s/%08x\n", __func__, lastthree[1], @@ -732,7 +730,7 @@ esp_input_cb(struct cryptop *crp) /* Verify correct decryption by checking the last padding bytes */ if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { - espstat.esps_badenc++; + espstat_inc(esps_badenc); NET_UNLOCK(); DPRINTF(("%s: decryption failed for packet in SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, @@ -816,7 +814,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; alen = esph ? esph->authsize : 0; - espstat.esps_output++; + espstat_inc(esps_output); switch (tdb->tdb_dst.sa.sa_family) { case AF_INET: @@ -827,7 +825,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - espstat.esps_toobig++; + espstat_inc(esps_toobig); return EMSGSIZE; } break; @@ -840,7 +838,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - espstat.esps_toobig++; + espstat_inc(esps_toobig); return EMSGSIZE; } break; @@ -852,13 +850,13 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - espstat.esps_nopf++; + espstat_inc(esps_nopf); return EPFNOSUPPORT; } /* Update the counters. */ tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; - espstat.esps_obytes += m->m_pkthdr.len - skip; + espstat_add(esps_obytes, m->m_pkthdr.len - skip); /* Hard byte expiration. */ if (tdb->tdb_flags & TDBF_BYTES && @@ -891,7 +889,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_hdrops++; + espstat_inc(esps_hdrops); m_freem(m); return ENOBUFS; } @@ -907,7 +905,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - espstat.esps_hdrops++; + espstat_inc(esps_hdrops); return ENOBUFS; } @@ -955,7 +953,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - espstat.esps_crypto++; + espstat_inc(esps_crypto); return ENOBUFS; } @@ -987,7 +985,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - espstat.esps_crypto++; + espstat_inc(esps_crypto); return ENOBUFS; } @@ -1050,7 +1048,7 @@ esp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - espstat.esps_crypto++; + espstat_inc(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -1061,7 +1059,7 @@ esp_output_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - espstat.esps_notdb++; + espstat_inc(esps_notdb); DPRINTF(("%s: TDB is expired while in crypto\n", __func__)); goto baddone; } @@ -1077,7 +1075,7 @@ esp_output_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - espstat.esps_noxform++; + espstat_inc(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; } @@ -1088,7 +1086,7 @@ esp_output_cb(struct cryptop *crp) /* Call the IPsec input callback. */ if (ipsp_process_done(m, tdb)) - espstat.esps_outfail++; + espstat_inc(esps_outfail); NET_UNLOCK(); return; diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h index 7a4f15eefaf..ea3158e19fc 100644 --- a/sys/netinet/ip_esp.h +++ b/sys/netinet/ip_esp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.h,v 1.45 2017/11/07 16:51:23 visa Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.46 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -93,9 +93,57 @@ struct espstat { } #ifdef _KERNEL + +#include <sys/percpu.h> + +enum espstat_counters { + esps_hdrops, /* Packet shorter than header shows */ + esps_nopf, /* Protocol family not supported */ + esps_notdb, + esps_badkcr, + esps_qfull, + esps_noxform, + esps_badilen, + esps_wrap, /* Replay counter wrapped around */ + esps_badenc, /* Bad encryption detected */ + esps_badauth, /* Only valid for transformsx + * with auth */ + esps_replay, /* Possible packet replay detected */ + esps_input, /* Input ESP packets */ + esps_output, /* Output ESP packets */ + esps_invalid, /* Trying to use an invalid TDB */ + esps_ibytes, /* Input bytes */ + esps_obytes, /* Output bytes */ + esps_toobig, /* Packet got larger than + * IP_MAXPACKET */ + esps_pdrops, /* Packet blocked due to policy */ + esps_crypto, /* Crypto processing failure */ + esps_udpencin, /* Input ESP-in-UDP packets */ + esps_udpencout, /* Output ESP-in-UDP packets */ + esps_udpinval, /* Invalid input ESP-in-UDP packets */ + esps_udpneeded, /* Trying to use a ESP-in-UDP TDB */ + esps_outfail, /* Packet output failure */ + + esps_ncounters +}; + +extern struct cpumem *espcounters; + +static inline void +espstat_inc(enum espstat_counters c) +{ + counters_inc(espcounters, c); +} + +static inline void +espstat_add(enum espstat_counters c, uint64_t v) +{ + counters_add(espcounters, c, v); +} + extern int esp_enable; extern int udpencap_enable; extern int udpencap_port; -extern struct espstat espstat; + #endif /* _KERNEL */ #endif /* _NETINET_IP_ESP_H_ */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 1b7c323d88f..bb6940a7a07 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.329 2017/11/05 13:19:59 florian Exp $ */ +/* $OpenBSD: ip_input.c,v 1.330 2017/11/08 16:29:20 visa Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -216,6 +216,10 @@ ip_init(void) strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); mq_init(&ipsend_mq, 64, IPL_SOFTNET); + +#ifdef IPSEC + ipsec_init(); +#endif } /* diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index 0e8efbabe4e..9038e8d5420 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.58 2017/11/06 15:12:43 mpi Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.59 2017/11/08 16:29:20 visa Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -65,8 +65,6 @@ void ipcomp_input_cb(struct cryptop *); #define DPRINTF(x) #endif -struct ipcompstat ipcompstat; - /* * ipcomp_attach() is called from the transformation code */ @@ -146,7 +144,7 @@ ipcomp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) if (crp == NULL) { m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); return ENOBUFS; } /* Get IPsec-specific opaque pointer */ @@ -155,7 +153,7 @@ ipcomp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); return ENOBUFS; } crdc = &crp->crp_desc[0]; @@ -212,7 +210,7 @@ ipcomp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -222,14 +220,14 @@ ipcomp_input_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - ipcompstat.ipcomps_notdb++; + ipcompstat_inc(ipcomps_notdb); DPRINTF(("%s: TDB expired while in crypto", __func__)); goto baddone; } /* update the counters */ tdb->tdb_cur_bytes += m->m_pkthdr.len - (skip + hlen); - ipcompstat.ipcomps_ibytes += m->m_pkthdr.len - (skip + hlen); + ipcompstat_add(ipcomps_ibytes, m->m_pkthdr.len - (skip + hlen)); /* Hard expiration */ if ((tdb->tdb_flags & TDBF_BYTES) && @@ -257,7 +255,7 @@ ipcomp_input_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - ipcompstat.ipcomps_noxform++; + ipcompstat_inc(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; @@ -277,7 +275,7 @@ ipcomp_input_cb(struct cryptop *crp) /* Find the beginning of the IPCOMP header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { - ipcompstat.ipcomps_hdrops++; + ipcompstat_inc(ipcomps_hdrops); DPRINTF(("%s: bad mbuf chain, IPCA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); @@ -381,7 +379,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, #endif hlen = IPCOMP_HLENGTH; - ipcompstat.ipcomps_output++; + ipcompstat_inc(ipcomps_output); switch (tdb->tdb_dst.sa.sa_family) { case AF_INET: @@ -395,7 +393,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ipcompstat.ipcomps_toobig++; + ipcompstat_inc(ipcomps_toobig); return EMSGSIZE; } break; @@ -408,7 +406,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ipcompstat.ipcomps_toobig++; + ipcompstat_inc(ipcomps_toobig); return EMSGSIZE; } break; @@ -420,14 +418,14 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); - ipcompstat.ipcomps_nopf++; + ipcompstat_inc(ipcomps_nopf); return EPFNOSUPPORT; } /* Update the counters */ tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; - ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; + ipcompstat_add(ipcomps_obytes, m->m_pkthdr.len - skip); /* Hard byte expiration */ if ((tdb->tdb_flags & TDBF_BYTES) && @@ -458,7 +456,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, DPRINTF(("%s: bad mbuf chain, IPCA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ipcompstat.ipcomps_hdrops++; + ipcompstat_inc(ipcomps_hdrops); m_freem(m); return ENOBUFS; } @@ -473,7 +471,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, if (crp == NULL) { m_freem(m); DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); return ENOBUFS; } crdc = &crp->crp_desc[0]; @@ -493,7 +491,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, m_freem(m); crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); return ENOBUFS; } @@ -543,7 +541,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ free(tc, M_XDATA, 0); crypto_freereq(crp); - ipcompstat.ipcomps_crypto++; + ipcompstat_inc(ipcomps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); return; } @@ -553,7 +551,7 @@ ipcomp_output_cb(struct cryptop *crp) tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA, 0); - ipcompstat.ipcomps_notdb++; + ipcompstat_inc(ipcomps_notdb); DPRINTF(("%s: TDB expired while in crypto\n", __func__)); goto baddone; } @@ -569,7 +567,7 @@ ipcomp_output_cb(struct cryptop *crp) return; } free(tc, M_XDATA, 0); - ipcompstat.ipcomps_noxform++; + ipcompstat_inc(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); goto baddone; } @@ -580,7 +578,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Compression was useless, we have lost time. */ crypto_freereq(crp); if (ipsp_process_done(m, tdb)) - ipcompstat.ipcomps_outfail++; + ipcompstat_inc(ipcomps_outfail); NET_UNLOCK(); return; } @@ -591,7 +589,7 @@ ipcomp_output_cb(struct cryptop *crp) DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ipcompstat.ipcomps_wrap++; + ipcompstat_inc(ipcomps_wrap); goto baddone; } @@ -620,7 +618,7 @@ ipcomp_output_cb(struct cryptop *crp) __func__, tdb->tdb_dst.sa.sa_family, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); - ipcompstat.ipcomps_nopf++; + ipcompstat_inc(ipcomps_nopf); goto baddone; break; } @@ -629,7 +627,7 @@ ipcomp_output_cb(struct cryptop *crp) crypto_freereq(crp); if (ipsp_process_done(m, tdb)) - ipcompstat.ipcomps_outfail++; + ipcompstat_inc(ipcomps_outfail); NET_UNLOCK(); return; diff --git a/sys/netinet/ip_ipcomp.h b/sys/netinet/ip_ipcomp.h index 730e8712a70..0a9aab1d357 100644 --- a/sys/netinet/ip_ipcomp.h +++ b/sys/netinet/ip_ipcomp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.h,v 1.9 2017/11/07 16:51:23 visa Exp $ */ +/* $OpenBSD: ip_ipcomp.h,v 1.10 2017/11/08 16:29:20 visa Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -85,7 +85,48 @@ struct ipcomp { } #ifdef _KERNEL + +#include <sys/percpu.h> + +enum ipcomp_counters { + ipcomps_hdrops, /* Packet shorter than header shows */ + ipcomps_nopf, /* Protocol family not supported */ + ipcomps_notdb, + ipcomps_badkcr, + ipcomps_qfull, + ipcomps_noxform, + ipcomps_wrap, + ipcomps_input, /* Input IPcomp packets */ + ipcomps_output, /* Output IPcomp packets */ + ipcomps_invalid, /* Trying to use an invalid + * TDB */ + ipcomps_ibytes, /* Input bytes */ + ipcomps_obytes, /* Output bytes */ + ipcomps_toobig, /* Packet got larger than + * IP_MAXPACKET */ + ipcomps_pdrops, /* Packet blocked due to policy */ + ipcomps_crypto, /* "Crypto" processing failure */ + ipcomps_minlen, /* packets too short for compress */ + ipcomps_outfail, /* Packet output failure */ + + ipcomps_ncounters +}; + +extern struct cpumem *ipcompcounters; + +static inline void +ipcompstat_inc(enum ipcomp_counters c) +{ + counters_inc(ipcompcounters, c); +} + +static inline void +ipcompstat_add(enum ipcomp_counters c, uint64_t v) +{ + counters_add(ipcompcounters, c, v); +} + extern int ipcomp_enable; -extern struct ipcompstat ipcompstat; + #endif /* _KERNEL */ #endif /* _NETINET_IP_IPCOMP_H_ */ diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index e67b7088a2b..e60cd229525 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.185 2017/10/27 08:27:14 mpi Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.186 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -548,6 +548,7 @@ struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *); struct ipsec_ids *ipsp_ids_lookup(u_int32_t); void ipsp_ids_free(struct ipsec_ids *); +void ipsec_init(void); int ipsec_common_input(struct mbuf *, int, int, int, int, int); void ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int); int ipsec_delete_policy(struct ipsec_policy *); diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index a58abc3a98e..0596f3b1138 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.158 2017/11/06 15:12:43 mpi Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.159 2017/11/08 16:29:20 visa Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -96,6 +96,22 @@ int *espctl_vars[ESPCTL_MAXID] = ESPCTL_VARS; int *ahctl_vars[AHCTL_MAXID] = AHCTL_VARS; int *ipcompctl_vars[IPCOMPCTL_MAXID] = IPCOMPCTL_VARS; +struct cpumem *espcounters; +struct cpumem *ahcounters; +struct cpumem *ipcompcounters; + +int esp_sysctl_espstat(void *, size_t *, void *); +int ah_sysctl_ahstat(void *, size_t *, void *); +int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); + +void +ipsec_init(void) +{ + espcounters = counters_alloc(esps_ncounters); + ahcounters = counters_alloc(ahs_ncounters); + ipcompcounters = counters_alloc(ipcomps_ncounters); +} + /* * ipsec_common_input() gets called when we receive an IPsec-protected packet * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate @@ -106,8 +122,14 @@ int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, int udpencap) { -#define IPSEC_ISTAT(x,y,z) (sproto == IPPROTO_ESP ? (x)++ : \ - sproto == IPPROTO_AH ? (y)++ : (z)++) +#define IPSEC_ISTAT(x,y,z) do { \ + if (sproto == IPPROTO_ESP) \ + espstat_inc(x); \ + else if (sproto == IPPROTO_AH) \ + ahstat_inc(y); \ + else \ + ipcompstat_inc(z); \ +} while (0) union sockaddr_union dst_address; struct tdb *tdbp; @@ -121,13 +143,11 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, NET_ASSERT_LOCKED(); - IPSEC_ISTAT(espstat.esps_input, ahstat.ahs_input, - ipcompstat.ipcomps_input); + IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); if (m == NULL) { DPRINTF(("%s: NULL packet received\n", __func__)); - IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); return EINVAL; } @@ -150,23 +170,21 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(espstat.esps_nopf, ahstat.ahs_nopf, - ipcompstat.ipcomps_nopf); + IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); return EPFNOSUPPORT; } return 0; } if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { m_freem(m); - ipcompstat.ipcomps_pdrops++; + ipcompstat_inc(ipcomps_pdrops); DPRINTF(("%s: repeated decompression\n", __func__)); return EINVAL; } if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; } @@ -221,8 +239,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, default: DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(espstat.esps_nopf, ahstat.ahs_nopf, - ipcompstat.ipcomps_nopf); + IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); return EPFNOSUPPORT; } @@ -233,8 +250,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); m_freem(m); - IPSEC_ISTAT(espstat.esps_notdb, ahstat.ahs_notdb, - ipcompstat.ipcomps_notdb); + IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); return ENOENT; } @@ -243,8 +259,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); - IPSEC_ISTAT(espstat.esps_invalid, ahstat.ahs_invalid, - ipcompstat.ipcomps_invalid); + IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); return EINVAL; } @@ -253,7 +268,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); - espstat.esps_udpinval++; + espstat_inc(esps_udpinval); return EINVAL; } @@ -262,7 +277,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); - espstat.esps_udpneeded++; + espstat_inc(esps_udpneeded); return EINVAL; } @@ -271,8 +286,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); - IPSEC_ISTAT(espstat.esps_noxform, ahstat.ahs_noxform, - ipcompstat.ipcomps_noxform); + IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); return ENXIO; } @@ -285,9 +299,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); - IPSEC_ISTAT(espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); return EACCES; } @@ -348,8 +360,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) /* Sanity check */ if (m == NULL) { /* The called routine will print a message if necessary */ - IPSEC_ISTAT(espstat.esps_badkcr, ahstat.ahs_badkcr, - ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); return; } @@ -359,8 +370,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) DPRINTF(("%s: processing failed for SA %s/%08x\n", __func__, ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); - IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); return; } @@ -374,9 +384,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) if (prot == IPPROTO_IPIP) { if (m->m_pkthdr.len - skip < sizeof(struct ip)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } /* ipn will now contain the inner IPv4 header */ @@ -389,9 +398,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) if (prot == IPPROTO_IPV6) { if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } /* ip6n will now contain the inner IPv6 header. */ @@ -412,8 +420,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) __func__, ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); - IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); return; } @@ -427,9 +434,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) if (prot == IPPROTO_IPIP) { if (m->m_pkthdr.len - skip < sizeof(struct ip)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } /* ipn will now contain the inner IPv4 header */ @@ -440,9 +446,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) if (prot == IPPROTO_IPV6) { if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } /* ip6n will now contain the inner IPv6 header. */ @@ -465,9 +470,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) case IPPROTO_UDP: if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } cksum = 0; @@ -485,9 +489,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) case IPPROTO_TCP: if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { m_freem(m); - IPSEC_ISTAT(espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, + ipcomps_hdrops); return; } cksum = 0; @@ -517,8 +520,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) if (mtag == NULL) { m_freem(m); DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); return; } @@ -621,13 +623,7 @@ esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, switch (name[0]) { case ESPCTL_STATS: - if (newp != NULL) - return (EPERM); - NET_LOCK(); - error = sysctl_struct(oldp, oldlenp, newp, newlen, - &espstat, sizeof(espstat)); - NET_UNLOCK(); - return (error); + return (esp_sysctl_espstat(oldp, oldlenp, newp)); default: if (name[0] < ESPCTL_MAXID) { NET_LOCK(); @@ -641,6 +637,18 @@ esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, } int +esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) +{ + struct espstat espstat; + + CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); + memset(&espstat, 0, sizeof espstat); + counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); + return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, + sizeof(espstat))); +} + +int ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen) { @@ -652,13 +660,7 @@ ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, switch (name[0]) { case AHCTL_STATS: - if (newp != NULL) - return (EPERM); - NET_LOCK(); - error = sysctl_struct(oldp, oldlenp, newp, newlen, - &ahstat, sizeof(ahstat)); - NET_UNLOCK(); - return (error); + return ah_sysctl_ahstat(oldp, oldlenp, newp); default: if (name[0] < AHCTL_MAXID) { NET_LOCK(); @@ -672,6 +674,17 @@ ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, } int +ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) +{ + struct ahstat ahstat; + + CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); + memset(&ahstat, 0, sizeof ahstat); + counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); + return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); +} + +int ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen) { @@ -683,13 +696,7 @@ ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, switch (name[0]) { case IPCOMPCTL_STATS: - if (newp != NULL) - return (EPERM); - NET_LOCK(); - error = sysctl_struct(oldp, oldlenp, newp, newlen, - &ipcompstat, sizeof(ipcompstat)); - NET_UNLOCK(); - return (error); + return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); default: if (name[0] < IPCOMPCTL_MAXID) { NET_LOCK(); @@ -702,6 +709,19 @@ ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, } } +int +ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) +{ + struct ipcompstat ipcompstat; + + CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); + memset(&ipcompstat, 0, sizeof ipcompstat); + counters_read(ipcompcounters, (uint64_t *)&ipcompstat, + ipcomps_ncounters); + return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, + sizeof(ipcompstat))); +} + /* IPv4 AH wrapper. */ int ah4_input(struct mbuf **mp, int *offp, int proto, int af) @@ -876,7 +896,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto, int af) if (*offp < sizeof(struct ip6_hdr)) { DPRINTF(("%s: bad offset\n", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freemp(mp); return IPPROTO_DONE; } else if (*offp == sizeof(struct ip6_hdr)) { @@ -906,7 +926,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto, int af) /* Malformed packet check */ if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain\n", __func__)); - ahstat.ahs_hdrops++; + ahstat_inc(ahs_hdrops); m_freemp(mp); return IPPROTO_DONE; } @@ -926,7 +946,7 @@ esp6_input(struct mbuf **mp, int *offp, int proto, int af) if (*offp < sizeof(struct ip6_hdr)) { DPRINTF(("%s: bad offset\n", __func__)); - espstat.esps_hdrops++; + espstat_inc(esps_hdrops); m_freemp(mp); return IPPROTO_DONE; } else if (*offp == sizeof(struct ip6_hdr)) { @@ -956,7 +976,7 @@ esp6_input(struct mbuf **mp, int *offp, int proto, int af) /* Malformed packet check */ if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain\n", __func__)); - espstat.esps_hdrops++; + espstat_inc(esps_hdrops); m_freemp(mp); return IPPROTO_DONE; } @@ -977,7 +997,7 @@ ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) if (*offp < sizeof(struct ip6_hdr)) { DPRINTF(("%s: bad offset\n", __func__)); - ipcompstat.ipcomps_hdrops++; + ipcompstat_inc(ipcomps_hdrops); m_freemp(mp); return IPPROTO_DONE; } else if (*offp == sizeof(struct ip6_hdr)) { @@ -1006,7 +1026,7 @@ ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) /* Malformed packet check */ if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain\n", __func__)); - ipcompstat.ipcomps_hdrops++; + ipcompstat_inc(ipcomps_hdrops); m_freemp(mp); return IPPROTO_DONE; } diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c index c7e93081e4b..ab65bf4f92b 100644 --- a/sys/netinet/ipsec_output.c +++ b/sys/netinet/ipsec_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_output.c,v 1.69 2017/11/06 15:12:43 mpi Exp $ */ +/* $OpenBSD: ipsec_output.c,v 1.70 2017/11/08 16:29:20 visa Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -346,7 +346,7 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) if (tdb->tdb_sproto == IPPROTO_IPCOMP) { if ((m->m_pkthdr.len - hlen) < tdb->tdb_compalgxform->minlen) { /* No need to compress, leave the packet untouched */ - ipcompstat.ipcomps_minlen++; + ipcompstat_inc(ipcomps_minlen); return ipsp_process_done(m, tdb); } } @@ -414,7 +414,7 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb) if (tdb->tdb_dst.sa.sa_family == AF_INET6) m->m_pkthdr.csum_flags |= M_UDP_CSUM_OUT; #endif /* INET6 */ - espstat.esps_udpencout++; + espstat_inc(esps_udpencout); } switch (tdb->tdb_dst.sa.sa_family) { diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index f49f800fca8..509c949b2d8 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.242 2017/11/02 14:01:18 florian Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.243 2017/11/08 16:29:20 visa Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -300,7 +300,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af) m_adj(m, sizeof(struct udphdr)); skip -= sizeof(struct udphdr); - espstat.esps_udpencin++; + espstat_inc(esps_udpencin); protoff = af == AF_INET ? offsetof(struct ip, ip_p) : offsetof(struct ip6_hdr, ip6_nxt); ipsec_common_input(m, skip, protoff, |