1 /* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 /*- 29 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 30 * All rights reserved. 31 * 32 * Redistribution and use in source and binary forms, with or without 33 * modification, are permitted provided that the following conditions 34 * are met: 35 * 1. Redistributions of source code must retain the above copyright 36 * notice, this list of conditions and the following disclaimer. 37 * 2. Redistributions in binary form must reproduce the above copyright 38 * notice, this list of conditions and the following disclaimer in the 39 * documentation and/or other materials provided with the distribution. 40 * 3. Neither the name of the project nor the names of its contributors 41 * may be used to endorse or promote products derived from this software 42 * without specific prior written permission. 43 * 44 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 45 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 47 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 48 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 49 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 50 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 51 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 52 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 53 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 54 * SUCH DAMAGE. 55 */ 56 /*- 57 * Copyright (c) 1983, 1988, 1993 58 * The Regents of the University of California. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 1. Redistributions of source code must retain the above copyright 64 * notice, this list of conditions and the following disclaimer. 65 * 2. Redistributions in binary form must reproduce the above copyright 66 * notice, this list of conditions and the following disclaimer in the 67 * documentation and/or other materials provided with the distribution. 68 * 3. Neither the name of the University nor the names of its contributors 69 * may be used to endorse or promote products derived from this software 70 * without specific prior written permission. 71 * 72 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 73 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 74 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 75 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 76 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 77 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 78 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 80 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 81 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 82 * SUCH DAMAGE. 83 */ 84 85 #if 0 86 #ifndef lint 87 static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; 88 #endif /* not lint */ 89 #endif 90 91 #include <sys/cdefs.h> 92 __FBSDID("$FreeBSD$"); 93 94 #include <sys/param.h> 95 #include <sys/queue.h> 96 #include <sys/socket.h> 97 #include <sys/socketvar.h> 98 99 #include <netinet/in.h> 100 101 #ifdef IPSEC 102 #include <netipsec/ipsec.h> 103 #include <netipsec/ah_var.h> 104 #include <netipsec/esp_var.h> 105 #include <netipsec/ipcomp_var.h> 106 #endif 107 108 #include <stdint.h> 109 #include <stdio.h> 110 #include <stdbool.h> 111 #include <string.h> 112 #include <unistd.h> 113 #include <libxo/xo.h> 114 #include "netstat.h" 115 116 #ifdef IPSEC 117 struct val2str { 118 int val; 119 const char *str; 120 }; 121 122 static struct val2str ipsec_ahnames[] = { 123 { SADB_AALG_NONE, "none", }, 124 { SADB_AALG_MD5HMAC, "hmac-md5", }, 125 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 126 { SADB_X_AALG_MD5, "md5", }, 127 { SADB_X_AALG_SHA, "sha", }, 128 { SADB_X_AALG_NULL, "null", }, 129 #ifdef SADB_X_AALG_SHA2_256 130 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 131 #endif 132 #ifdef SADB_X_AALG_SHA2_384 133 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 134 #endif 135 #ifdef SADB_X_AALG_SHA2_512 136 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 137 #endif 138 #ifdef SADB_X_AALG_RIPEMD160HMAC 139 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, 140 #endif 141 #ifdef SADB_X_AALG_AES_XCBC_MAC 142 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 143 #endif 144 #ifdef SADB_X_AALG_AES128GMAC 145 { SADB_X_AALG_AES128GMAC, "aes-gmac-128", }, 146 #endif 147 #ifdef SADB_X_AALG_AES192GMAC 148 { SADB_X_AALG_AES192GMAC, "aes-gmac-192", }, 149 #endif 150 #ifdef SADB_X_AALG_AES256GMAC 151 { SADB_X_AALG_AES256GMAC, "aes-gmac-256", }, 152 #endif 153 { -1, NULL }, 154 }; 155 156 static struct val2str ipsec_espnames[] = { 157 { SADB_EALG_NONE, "none", }, 158 { SADB_EALG_DESCBC, "des-cbc", }, 159 { SADB_EALG_3DESCBC, "3des-cbc", }, 160 { SADB_EALG_NULL, "null", }, 161 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 162 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 163 #ifdef SADB_X_EALG_RIJNDAELCBC 164 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, 165 #endif 166 #ifdef SADB_X_EALG_AESCTR 167 { SADB_X_EALG_AESCTR, "aes-ctr", }, 168 #endif 169 #ifdef SADB_X_EALG_AESGCM16 170 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 171 #endif 172 { -1, NULL }, 173 }; 174 175 static struct val2str ipsec_compnames[] = { 176 { SADB_X_CALG_NONE, "none", }, 177 { SADB_X_CALG_OUI, "oui", }, 178 { SADB_X_CALG_DEFLATE, "deflate", }, 179 { SADB_X_CALG_LZS, "lzs", }, 180 { -1, NULL }, 181 }; 182 183 static void print_ipsecstats(const struct ipsecstat *ipsecstat); 184 185 static void 186 print_ipsecstats(const struct ipsecstat *ipsecstat) 187 { 188 xo_open_container("ipsec-statistics"); 189 190 #define p(f, m) if (ipsecstat->f || sflag <= 1) \ 191 xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) 192 193 p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} " 194 "{N:/inbound packet%s violated process security policy}\n"); 195 p(ips_in_nomem, "\t{:dropped-no-memory/%ju} " 196 "{N:/inbound packet%s failed due to insufficient memory}\n"); 197 p(ips_in_inval, "\t{:dropped-invalid/%ju} " 198 "{N:/invalid inbound packet%s}\n"); 199 p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} " 200 "{N:/outbound packet%s violated process security policy}\n"); 201 p(ips_out_nosa, "\t{:discarded-no-sa/%ju} " 202 "{N:/outbound packet%s with no SA available}\n"); 203 p(ips_out_nomem, "\t{:discarded-no-memory/%ju} " 204 "{N:/outbound packet%s failed due to insufficient memory}\n"); 205 p(ips_out_noroute, "\t{:discarded-no-route/%ju} " 206 "{N:/outbound packet%s with no route available}\n"); 207 p(ips_out_inval, "\t{:discarded-invalid/%ju} " 208 "{N:/invalid outbound packet%s}\n"); 209 p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} " 210 "{N:/outbound packet%s with bundled SAs}\n"); 211 p(ips_mbcoalesced, "\t{:mbufs-coalesced-during-clone/%ju} " 212 "{N:/mbuf%s coalesced during clone}\n"); 213 p(ips_clcoalesced, "\t{:clusters-coalesced-during-clone/%ju} " 214 "{N:/cluster%s coalesced during clone}\n"); 215 p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} " 216 "{N:/cluster%s copied during clone}\n"); 217 p(ips_mbinserted, "\t{:mbufs-inserted/%ju} " 218 "{N:/mbuf%s inserted during makespace}\n"); 219 #undef p 220 xo_close_container("ipsec-statistics"); 221 } 222 223 void 224 ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) 225 { 226 struct ipsecstat ipsecstat; 227 228 if (strcmp(name, "ipsec6") == 0) { 229 if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat, 230 sizeof(ipsecstat), kread_counters) != 0) 231 return; 232 } else { 233 if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat, 234 sizeof(ipsecstat), kread_counters) != 0) 235 return; 236 } 237 238 xo_emit("{T:/%s}:\n", name); 239 240 print_ipsecstats(&ipsecstat); 241 } 242 243 244 static void print_ahstats(const struct ahstat *ahstat); 245 static void print_espstats(const struct espstat *espstat); 246 static void print_ipcompstats(const struct ipcompstat *ipcompstat); 247 248 /* 249 * Dump IPSEC statistics structure. 250 */ 251 static void 252 ipsec_hist_new(const uint64_t *hist, size_t histmax, 253 const struct val2str *name, const char *title, const char *cname) 254 { 255 int first; 256 size_t proto; 257 const struct val2str *p; 258 259 first = 1; 260 for (proto = 0; proto < histmax; proto++) { 261 if (hist[proto] <= 0) 262 continue; 263 if (first) { 264 xo_open_list(cname); 265 xo_emit("\t{T:/%s histogram}:\n", title); 266 first = 0; 267 } 268 xo_open_instance(cname); 269 for (p = name; p && p->str; p++) { 270 if (p->val == (int)proto) 271 break; 272 } 273 if (p && p->str) { 274 xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str, 275 (uintmax_t)hist[proto]); 276 } else { 277 xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n", 278 (unsigned long)proto, (uintmax_t)hist[proto]); 279 } 280 xo_close_instance(cname); 281 } 282 if (!first) 283 xo_close_list(cname); 284 } 285 286 static void 287 print_ahstats(const struct ahstat *ahstat) 288 { 289 xo_open_container("ah-statictics"); 290 291 #define p(f, n, m) if (ahstat->f || sflag <= 1) \ 292 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 293 (uintmax_t)ahstat->f, plural(ahstat->f)) 294 #define hist(f, n, t, c) \ 295 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)) 296 297 p(ahs_hdrops, "dropped-short-header", 298 "packet%s shorter than header shows"); 299 p(ahs_nopf, "dropped-bad-protocol", 300 "packet%s dropped; protocol family not supported"); 301 p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 302 p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 303 p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 304 p(ahs_noxform, "dropped-no-transform", 305 "packet%s dropped; no transform"); 306 p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s"); 307 p(ahs_badauth, "dropped-bad-auth", 308 "packet%s dropped; bad authentication detected"); 309 p(ahs_badauthl, "dropped-bad-auth-level", 310 "packet%s dropped; bad authentication length"); 311 p(ahs_replay, "possile-replay-detected", 312 "possible replay packet%s detected"); 313 p(ahs_input, "received-packets", "packet%s in"); 314 p(ahs_output, "send-packets", "packet%s out"); 315 p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 316 p(ahs_ibytes, "received-bytes", "byte%s in"); 317 p(ahs_obytes, "send-bytes", "byte%s out"); 318 p(ahs_toobig, "dropped-too-large", 319 "packet%s dropped; larger than IP_MAXPACKET"); 320 p(ahs_pdrops, "dropped-policy-violation", 321 "packet%s blocked due to policy"); 322 p(ahs_crypto, "crypto-failures", "crypto processing failure%s"); 323 p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 324 hist(ahstat->ahs_hist, ipsec_ahnames, 325 "AH output", "ah-output-histogram"); 326 327 #undef p 328 #undef hist 329 xo_close_container("ah-statictics"); 330 } 331 332 void 333 ah_stats(u_long off, const char *name, int family __unused, int proto __unused) 334 { 335 struct ahstat ahstat; 336 337 if (fetch_stats("net.inet.ah.stats", off, &ahstat, 338 sizeof(ahstat), kread_counters) != 0) 339 return; 340 341 xo_emit("{T:/%s}:\n", name); 342 343 print_ahstats(&ahstat); 344 } 345 346 static void 347 print_espstats(const struct espstat *espstat) 348 { 349 xo_open_container("esp-statictics"); 350 #define p(f, n, m) if (espstat->f || sflag <= 1) \ 351 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 352 (uintmax_t)espstat->f, plural(espstat->f)) 353 #define hist(f, n, t, c) \ 354 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 355 356 p(esps_hdrops, "dropped-short-header", 357 "packet%s shorter than header shows"); 358 p(esps_nopf, "dropped-bad-protocol", 359 "packet%s dropped; protocol family not supported"); 360 p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 361 p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 362 p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 363 p(esps_noxform, "dropped-no-transform", 364 "packet%s dropped; no transform"); 365 p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen"); 366 p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 367 p(esps_badenc, "dropped-bad-crypto", 368 "packet%s dropped; bad encryption detected"); 369 p(esps_badauth, "dropped-bad-auth", 370 "packet%s dropped; bad authentication detected"); 371 p(esps_replay, "possible-replay-detected", 372 "possible replay packet%s detected"); 373 p(esps_input, "received-packets", "packet%s in"); 374 p(esps_output, "sent-packets", "packet%s out"); 375 p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 376 p(esps_ibytes, "receieve-bytes", "byte%s in"); 377 p(esps_obytes, "sent-bytes", "byte%s out"); 378 p(esps_toobig, "dropped-too-large", 379 "packet%s dropped; larger than IP_MAXPACKET"); 380 p(esps_pdrops, "dropped-policy-violation", 381 "packet%s blocked due to policy"); 382 p(esps_crypto, "crypto-failures", "crypto processing failure%s"); 383 p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 384 hist(espstat->esps_hist, ipsec_espnames, 385 "ESP output", "esp-output-histogram"); 386 387 #undef p 388 #undef hist 389 xo_close_container("esp-statictics"); 390 } 391 392 void 393 esp_stats(u_long off, const char *name, int family __unused, int proto __unused) 394 { 395 struct espstat espstat; 396 397 if (fetch_stats("net.inet.esp.stats", off, &espstat, 398 sizeof(espstat), kread_counters) != 0) 399 return; 400 401 xo_emit("{T:/%s}:\n", name); 402 403 print_espstats(&espstat); 404 } 405 406 static void 407 print_ipcompstats(const struct ipcompstat *ipcompstat) 408 { 409 xo_open_container("ipcomp-statictics"); 410 411 #define p(f, n, m) if (ipcompstat->f || sflag <= 1) \ 412 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 413 (uintmax_t)ipcompstat->f, plural(ipcompstat->f)) 414 #define hist(f, n, t, c) \ 415 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 416 417 p(ipcomps_hdrops, "dropped-short-header", 418 "packet%s shorter than header shows"); 419 p(ipcomps_nopf, "dropped-bad-protocol", 420 "packet%s dropped; protocol family not supported"); 421 p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 422 p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 423 p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 424 p(ipcomps_noxform, "dropped-no-transform", 425 "packet%s dropped; no transform"); 426 p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 427 p(ipcomps_input, "receieve-packets", "packet%s in"); 428 p(ipcomps_output, "sent-packets", "packet%s out"); 429 p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 430 p(ipcomps_ibytes, "receieved-bytes", "byte%s in"); 431 p(ipcomps_obytes, "sent-bytes", "byte%s out"); 432 p(ipcomps_toobig, "dropped-too-large", 433 "packet%s dropped; larger than IP_MAXPACKET"); 434 p(ipcomps_pdrops, "dropped-policy-violation", 435 "packet%s blocked due to policy"); 436 p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s"); 437 hist(ipcompstat->ipcomps_hist, ipsec_compnames, 438 "COMP output", "comp-output-histogram"); 439 p(ipcomps_threshold, "sent-uncompressed-small-packets", 440 "packet%s sent uncompressed; size < compr. algo. threshold"); 441 p(ipcomps_uncompr, "sent-uncompressed-useless-packets", 442 "packet%s sent uncompressed; compression was useless"); 443 444 #undef p 445 #undef hist 446 xo_close_container("ipcomp-statictics"); 447 } 448 449 void 450 ipcomp_stats(u_long off, const char *name, int family __unused, 451 int proto __unused) 452 { 453 struct ipcompstat ipcompstat; 454 455 if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat, 456 sizeof(ipcompstat), kread_counters) != 0) 457 return; 458 459 xo_emit("{T:/%s}:\n", name); 460 461 print_ipcompstats(&ipcompstat); 462 } 463 464 #endif /*IPSEC*/ 465