1 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 /*- 29 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 30 * All rights reserved. 31 * 32 * Redistribution and use in source and binary forms, with or without 33 * modification, are permitted provided that the following conditions 34 * are met: 35 * 1. Redistributions of source code must retain the above copyright 36 * notice, this list of conditions and the following disclaimer. 37 * 2. Redistributions in binary form must reproduce the above copyright 38 * notice, this list of conditions and the following disclaimer in the 39 * documentation and/or other materials provided with the distribution. 40 * 3. Neither the name of the project nor the names of its contributors 41 * may be used to endorse or promote products derived from this software 42 * without specific prior written permission. 43 * 44 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 45 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 47 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 48 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 49 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 50 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 51 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 52 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 53 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 54 * SUCH DAMAGE. 55 */ 56 /*- 57 * Copyright (c) 1983, 1988, 1993 58 * The Regents of the University of California. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 1. Redistributions of source code must retain the above copyright 64 * notice, this list of conditions and the following disclaimer. 65 * 2. Redistributions in binary form must reproduce the above copyright 66 * notice, this list of conditions and the following disclaimer in the 67 * documentation and/or other materials provided with the distribution. 68 * 3. Neither the name of the University nor the names of its contributors 69 * may be used to endorse or promote products derived from this software 70 * without specific prior written permission. 71 * 72 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 73 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 74 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 75 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 76 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 77 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 78 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 80 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 81 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 82 * SUCH DAMAGE. 83 */ 84 85 #if 0 86 #ifndef lint 87 static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; 88 #endif /* not lint */ 89 #endif 90 91 #include <sys/cdefs.h> 92 __FBSDID("$FreeBSD$"); 93 94 #include <sys/param.h> 95 #include <sys/queue.h> 96 #include <sys/socket.h> 97 #include <sys/socketvar.h> 98 99 #include <netinet/in.h> 100 101 #ifdef IPSEC 102 #include <netipsec/ipsec.h> 103 #include <netipsec/ah_var.h> 104 #include <netipsec/esp_var.h> 105 #include <netipsec/ipcomp_var.h> 106 #endif 107 108 #include <stdint.h> 109 #include <stdio.h> 110 #include <stdbool.h> 111 #include <string.h> 112 #include <unistd.h> 113 #include <libxo/xo.h> 114 #include "netstat.h" 115 116 #ifdef IPSEC 117 struct val2str { 118 int val; 119 const char *str; 120 }; 121 122 static struct val2str ipsec_ahnames[] = { 123 { SADB_AALG_NONE, "none", }, 124 { SADB_AALG_MD5HMAC, "hmac-md5", }, 125 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 126 { SADB_X_AALG_MD5, "md5", }, 127 { SADB_X_AALG_SHA, "sha", }, 128 { SADB_X_AALG_NULL, "null", }, 129 #ifdef SADB_X_AALG_SHA2_256 130 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 131 #endif 132 #ifdef SADB_X_AALG_SHA2_384 133 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 134 #endif 135 #ifdef SADB_X_AALG_SHA2_512 136 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 137 #endif 138 #ifdef SADB_X_AALG_RIPEMD160HMAC 139 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, 140 #endif 141 #ifdef SADB_X_AALG_AES_XCBC_MAC 142 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 143 #endif 144 { -1, NULL }, 145 }; 146 147 static struct val2str ipsec_espnames[] = { 148 { SADB_EALG_NONE, "none", }, 149 { SADB_EALG_DESCBC, "des-cbc", }, 150 { SADB_EALG_3DESCBC, "3des-cbc", }, 151 { SADB_EALG_NULL, "null", }, 152 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 153 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 154 #ifdef SADB_X_EALG_RIJNDAELCBC 155 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, 156 #endif 157 #ifdef SADB_X_EALG_AESCTR 158 { SADB_X_EALG_AESCTR, "aes-ctr", }, 159 #endif 160 #ifdef SADB_X_EALG_AESGCM16 161 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 162 #endif 163 { -1, NULL }, 164 }; 165 166 static struct val2str ipsec_compnames[] = { 167 { SADB_X_CALG_NONE, "none", }, 168 { SADB_X_CALG_OUI, "oui", }, 169 { SADB_X_CALG_DEFLATE, "deflate", }, 170 { SADB_X_CALG_LZS, "lzs", }, 171 { -1, NULL }, 172 }; 173 174 static void print_ipsecstats(const struct ipsecstat *ipsecstat); 175 176 static void 177 print_ipsecstats(const struct ipsecstat *ipsecstat) 178 { 179 xo_open_container("ipsec-statistics"); 180 181 #define p(f, m) if (ipsecstat->f || sflag <= 1) \ 182 xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) 183 184 p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} " 185 "{N:/inbound packet%s violated process security policy}\n"); 186 p(ips_in_nomem, "\t{:dropped-no-memory/%ju} " 187 "{N:/inbound packet%s failed due to insufficient memory}\n"); 188 p(ips_in_inval, "\t{:dropped-invalid/%ju} " 189 "{N:/invalid inbound packet%s}\n"); 190 p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} " 191 "{N:/outbound packet%s violated process security policy}\n"); 192 p(ips_out_nosa, "\t{:discarded-no-sa/%ju} " 193 "{N:/outbound packet%s with no SA available}\n"); 194 p(ips_out_nomem, "\t{:discarded-no-memory/%ju} " 195 "{N:/outbound packet%s failed due to insufficient memory}\n"); 196 p(ips_out_noroute, "\t{:discarded-no-route/%ju} " 197 "{N:/outbound packet%s with no route available}\n"); 198 p(ips_out_inval, "\t{:discarded-invalid/%ju} " 199 "{N:/invalid outbound packet%s}\n"); 200 p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} " 201 "{N:/outbound packet%s with bundled SAs}\n"); 202 p(ips_mbcoalesced, "\t{:mbufs-coalesced-during-clone/%ju} " 203 "{N:/mbuf%s coalesced during clone}\n"); 204 p(ips_clcoalesced, "\t{:clusters-coalesced-during-clone/%ju} " 205 "{N:/cluster%s coalesced during clone}\n"); 206 p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} " 207 "{N:/cluster%s copied during clone}\n"); 208 p(ips_mbinserted, "\t{:mbufs-inserted/%ju} " 209 "{N:/mbuf%s inserted during makespace}\n"); 210 #undef p 211 xo_close_container("ipsec-statistics"); 212 } 213 214 void 215 ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) 216 { 217 struct ipsecstat ipsecstat; 218 219 if (strcmp(name, "ipsec6") == 0) { 220 if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat, 221 sizeof(ipsecstat), kread_counters) != 0) 222 return; 223 } else { 224 if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat, 225 sizeof(ipsecstat), kread_counters) != 0) 226 return; 227 } 228 229 xo_emit("{T:/%s}:\n", name); 230 231 print_ipsecstats(&ipsecstat); 232 } 233 234 235 static void print_ahstats(const struct ahstat *ahstat); 236 static void print_espstats(const struct espstat *espstat); 237 static void print_ipcompstats(const struct ipcompstat *ipcompstat); 238 239 /* 240 * Dump IPSEC statistics structure. 241 */ 242 static void 243 ipsec_hist_new(const uint64_t *hist, size_t histmax, 244 const struct val2str *name, const char *title, const char *cname) 245 { 246 int first; 247 size_t proto; 248 const struct val2str *p; 249 250 first = 1; 251 for (proto = 0; proto < histmax; proto++) { 252 if (hist[proto] <= 0) 253 continue; 254 if (first) { 255 xo_open_list(cname); 256 xo_emit("\t{T:/%s histogram}:\n", title); 257 first = 0; 258 } 259 xo_open_instance(cname); 260 for (p = name; p && p->str; p++) { 261 if (p->val == (int)proto) 262 break; 263 } 264 if (p && p->str) { 265 xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str, 266 (uintmax_t)hist[proto]); 267 } else { 268 xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n", 269 (unsigned long)proto, (uintmax_t)hist[proto]); 270 } 271 xo_close_instance(cname); 272 } 273 if (!first) 274 xo_close_list(cname); 275 } 276 277 static void 278 print_ahstats(const struct ahstat *ahstat) 279 { 280 xo_open_container("ah-statictics"); 281 282 #define p(f, n, m) if (ahstat->f || sflag <= 1) \ 283 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 284 (uintmax_t)ahstat->f, plural(ahstat->f)) 285 #define hist(f, n, t, c) \ 286 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)) 287 288 p(ahs_hdrops, "dropped-short-header", 289 "packet%s shorter than header shows"); 290 p(ahs_nopf, "dropped-bad-protocol", 291 "packet%s dropped; protocol family not supported"); 292 p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 293 p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 294 p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 295 p(ahs_noxform, "dropped-no-transform", 296 "packet%s dropped; no transform"); 297 p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s"); 298 p(ahs_badauth, "dropped-bad-auth", 299 "packet%s dropped; bad authentication detected"); 300 p(ahs_badauthl, "dropped-bad-auth-level", 301 "packet%s dropped; bad authentication length"); 302 p(ahs_replay, "possile-replay-detected", 303 "possible replay packet%s detected"); 304 p(ahs_input, "received-packets", "packet%s in"); 305 p(ahs_output, "send-packets", "packet%s out"); 306 p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 307 p(ahs_ibytes, "received-bytes", "byte%s in"); 308 p(ahs_obytes, "send-bytes", "byte%s out"); 309 p(ahs_toobig, "dropped-too-large", 310 "packet%s dropped; larger than IP_MAXPACKET"); 311 p(ahs_pdrops, "dropped-policy-violation", 312 "packet%s blocked due to policy"); 313 p(ahs_crypto, "crypto-failures", "crypto processing failure%s"); 314 p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 315 hist(ahstat->ahs_hist, ipsec_ahnames, 316 "AH output", "ah-output-histogram"); 317 318 #undef p 319 #undef hist 320 xo_close_container("ah-statictics"); 321 } 322 323 void 324 ah_stats(u_long off, const char *name, int family __unused, int proto __unused) 325 { 326 struct ahstat ahstat; 327 328 if (fetch_stats("net.inet.ah.stats", off, &ahstat, 329 sizeof(ahstat), kread_counters) != 0) 330 return; 331 332 xo_emit("{T:/%s}:\n", name); 333 334 print_ahstats(&ahstat); 335 } 336 337 static void 338 print_espstats(const struct espstat *espstat) 339 { 340 xo_open_container("esp-statictics"); 341 #define p(f, n, m) if (espstat->f || sflag <= 1) \ 342 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 343 (uintmax_t)espstat->f, plural(espstat->f)) 344 #define hist(f, n, t, c) \ 345 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 346 347 p(esps_hdrops, "dropped-short-header", 348 "packet%s shorter than header shows"); 349 p(esps_nopf, "dropped-bad-protocol", 350 "packet%s dropped; protocol family not supported"); 351 p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 352 p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 353 p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 354 p(esps_noxform, "dropped-no-transform", 355 "packet%s dropped; no transform"); 356 p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen"); 357 p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 358 p(esps_badenc, "dropped-bad-crypto", 359 "packet%s dropped; bad encryption detected"); 360 p(esps_badauth, "dropped-bad-auth", 361 "packet%s dropped; bad authentication detected"); 362 p(esps_replay, "possible-replay-detected", 363 "possible replay packet%s detected"); 364 p(esps_input, "received-packets", "packet%s in"); 365 p(esps_output, "sent-packets", "packet%s out"); 366 p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 367 p(esps_ibytes, "receieve-bytes", "byte%s in"); 368 p(esps_obytes, "sent-bytes", "byte%s out"); 369 p(esps_toobig, "dropped-too-large", 370 "packet%s dropped; larger than IP_MAXPACKET"); 371 p(esps_pdrops, "dropped-policy-violation", 372 "packet%s blocked due to policy"); 373 p(esps_crypto, "crypto-failures", "crypto processing failure%s"); 374 p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 375 hist(espstat->esps_hist, ipsec_espnames, 376 "ESP output", "esp-output-histogram"); 377 378 #undef p 379 #undef hist 380 xo_close_container("esp-statictics"); 381 } 382 383 void 384 esp_stats(u_long off, const char *name, int family __unused, int proto __unused) 385 { 386 struct espstat espstat; 387 388 if (fetch_stats("net.inet.esp.stats", off, &espstat, 389 sizeof(espstat), kread_counters) != 0) 390 return; 391 392 xo_emit("{T:/%s}:\n", name); 393 394 print_espstats(&espstat); 395 } 396 397 static void 398 print_ipcompstats(const struct ipcompstat *ipcompstat) 399 { 400 xo_open_container("ipcomp-statictics"); 401 402 #define p(f, n, m) if (ipcompstat->f || sflag <= 1) \ 403 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 404 (uintmax_t)ipcompstat->f, plural(ipcompstat->f)) 405 #define hist(f, n, t, c) \ 406 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 407 408 p(ipcomps_hdrops, "dropped-short-header", 409 "packet%s shorter than header shows"); 410 p(ipcomps_nopf, "dropped-bad-protocol", 411 "packet%s dropped; protocol family not supported"); 412 p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 413 p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 414 p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 415 p(ipcomps_noxform, "dropped-no-transform", 416 "packet%s dropped; no transform"); 417 p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 418 p(ipcomps_input, "receieve-packets", "packet%s in"); 419 p(ipcomps_output, "sent-packets", "packet%s out"); 420 p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 421 p(ipcomps_ibytes, "receieved-bytes", "byte%s in"); 422 p(ipcomps_obytes, "sent-bytes", "byte%s out"); 423 p(ipcomps_toobig, "dropped-too-large", 424 "packet%s dropped; larger than IP_MAXPACKET"); 425 p(ipcomps_pdrops, "dropped-policy-violation", 426 "packet%s blocked due to policy"); 427 p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s"); 428 hist(ipcompstat->ipcomps_hist, ipsec_compnames, 429 "COMP output", "comp-output-histogram"); 430 p(ipcomps_threshold, "sent-uncompressed-small-packets", 431 "packet%s sent uncompressed; size < compr. algo. threshold"); 432 p(ipcomps_uncompr, "sent-uncompressed-useless-packets", 433 "packet%s sent uncompressed; compression was useless"); 434 435 #undef p 436 #undef hist 437 xo_close_container("ipcomp-statictics"); 438 } 439 440 void 441 ipcomp_stats(u_long off, const char *name, int family __unused, 442 int proto __unused) 443 { 444 struct ipcompstat ipcompstat; 445 446 if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat, 447 sizeof(ipcompstat), kread_counters) != 0) 448 return; 449 450 xo_emit("{T:/%s}:\n", name); 451 452 print_ipcompstats(&ipcompstat); 453 } 454 455 #endif /*IPSEC*/ 456