ipsec.c revision 330897
1/* $KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $ */ 2 3/*- 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30/*- 31 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 32 * All rights reserved. 33 * 34 * Redistribution and use in source and binary forms, with or without 35 * modification, are permitted provided that the following conditions 36 * are met: 37 * 1. Redistributions of source code must retain the above copyright 38 * notice, this list of conditions and the following disclaimer. 39 * 2. Redistributions in binary form must reproduce the above copyright 40 * notice, this list of conditions and the following disclaimer in the 41 * documentation and/or other materials provided with the distribution. 42 * 3. Neither the name of the project nor the names of its contributors 43 * may be used to endorse or promote products derived from this software 44 * without specific prior written permission. 45 * 46 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 47 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 50 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56 * SUCH DAMAGE. 57 */ 58/*- 59 * Copyright (c) 1983, 1988, 1993 60 * The Regents of the University of California. All rights reserved. 61 * 62 * Redistribution and use in source and binary forms, with or without 63 * modification, are permitted provided that the following conditions 64 * are met: 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in the 69 * documentation and/or other materials provided with the distribution. 70 * 4. Neither the name of the University nor the names of its contributors 71 * may be used to endorse or promote products derived from this software 72 * without specific prior written permission. 73 * 74 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 75 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 76 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 77 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 78 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 79 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 80 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 81 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 82 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 83 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 84 * SUCH DAMAGE. 85 */ 86 87#if 0 88#ifndef lint 89static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; 90#endif /* not lint */ 91#endif 92 93#include <sys/cdefs.h> 94__FBSDID("$FreeBSD: stable/11/usr.bin/netstat/ipsec.c 330897 2018-03-14 03:19:51Z eadler $"); 95 96#include <sys/param.h> 97#include <sys/queue.h> 98#include <sys/socket.h> 99#include <sys/socketvar.h> 100 101#include <netinet/in.h> 102 103#ifdef IPSEC 104#include <netipsec/ipsec.h> 105#include <netipsec/ah_var.h> 106#include <netipsec/esp_var.h> 107#include <netipsec/ipcomp_var.h> 108#endif 109 110#include <stdint.h> 111#include <stdio.h> 112#include <stdbool.h> 113#include <string.h> 114#include <unistd.h> 115#include <libxo/xo.h> 116#include "netstat.h" 117 118#ifdef IPSEC 119struct val2str { 120 int val; 121 const char *str; 122}; 123 124static struct val2str ipsec_ahnames[] = { 125 { SADB_AALG_NONE, "none", }, 126 { SADB_AALG_MD5HMAC, "hmac-md5", }, 127 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 128 { SADB_X_AALG_MD5, "md5", }, 129 { SADB_X_AALG_SHA, "sha", }, 130 { SADB_X_AALG_NULL, "null", }, 131#ifdef SADB_X_AALG_SHA2_256 132 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 133#endif 134#ifdef SADB_X_AALG_SHA2_384 135 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 136#endif 137#ifdef SADB_X_AALG_SHA2_512 138 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 139#endif 140#ifdef SADB_X_AALG_RIPEMD160HMAC 141 { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, 142#endif 143#ifdef SADB_X_AALG_AES_XCBC_MAC 144 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 145#endif 146#ifdef SADB_X_AALG_AES128GMAC 147 { SADB_X_AALG_AES128GMAC, "aes-gmac-128", }, 148#endif 149#ifdef SADB_X_AALG_AES192GMAC 150 { SADB_X_AALG_AES192GMAC, "aes-gmac-192", }, 151#endif 152#ifdef SADB_X_AALG_AES256GMAC 153 { SADB_X_AALG_AES256GMAC, "aes-gmac-256", }, 154#endif 155 { -1, NULL }, 156}; 157 158static struct val2str ipsec_espnames[] = { 159 { SADB_EALG_NONE, "none", }, 160 { SADB_EALG_DESCBC, "des-cbc", }, 161 { SADB_EALG_3DESCBC, "3des-cbc", }, 162 { SADB_EALG_NULL, "null", }, 163 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 164 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 165#ifdef SADB_X_EALG_RIJNDAELCBC 166 { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, 167#endif 168#ifdef SADB_X_EALG_AESCTR 169 { SADB_X_EALG_AESCTR, "aes-ctr", }, 170#endif 171#ifdef SADB_X_EALG_AESGCM16 172 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 173#endif 174 { -1, NULL }, 175}; 176 177static struct val2str ipsec_compnames[] = { 178 { SADB_X_CALG_NONE, "none", }, 179 { SADB_X_CALG_OUI, "oui", }, 180 { SADB_X_CALG_DEFLATE, "deflate", }, 181 { SADB_X_CALG_LZS, "lzs", }, 182 { -1, NULL }, 183}; 184 185static void print_ipsecstats(const struct ipsecstat *ipsecstat); 186 187static void 188print_ipsecstats(const struct ipsecstat *ipsecstat) 189{ 190 xo_open_container("ipsec-statistics"); 191 192#define p(f, m) if (ipsecstat->f || sflag <= 1) \ 193 xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) 194 195 p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} " 196 "{N:/inbound packet%s violated process security policy}\n"); 197 p(ips_in_nomem, "\t{:dropped-no-memory/%ju} " 198 "{N:/inbound packet%s failed due to insufficient memory}\n"); 199 p(ips_in_inval, "\t{:dropped-invalid/%ju} " 200 "{N:/invalid inbound packet%s}\n"); 201 p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} " 202 "{N:/outbound packet%s violated process security policy}\n"); 203 p(ips_out_nosa, "\t{:discarded-no-sa/%ju} " 204 "{N:/outbound packet%s with no SA available}\n"); 205 p(ips_out_nomem, "\t{:discarded-no-memory/%ju} " 206 "{N:/outbound packet%s failed due to insufficient memory}\n"); 207 p(ips_out_noroute, "\t{:discarded-no-route/%ju} " 208 "{N:/outbound packet%s with no route available}\n"); 209 p(ips_out_inval, "\t{:discarded-invalid/%ju} " 210 "{N:/invalid outbound packet%s}\n"); 211 p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} " 212 "{N:/outbound packet%s with bundled SAs}\n"); 213 p(ips_mbcoalesced, "\t{:mbufs-coalesced-during-clone/%ju} " 214 "{N:/mbuf%s coalesced during clone}\n"); 215 p(ips_clcoalesced, "\t{:clusters-coalesced-during-clone/%ju} " 216 "{N:/cluster%s coalesced during clone}\n"); 217 p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} " 218 "{N:/cluster%s copied during clone}\n"); 219 p(ips_mbinserted, "\t{:mbufs-inserted/%ju} " 220 "{N:/mbuf%s inserted during makespace}\n"); 221#undef p 222 xo_close_container("ipsec-statistics"); 223} 224 225void 226ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) 227{ 228 struct ipsecstat ipsecstat; 229 230 if (strcmp(name, "ipsec6") == 0) { 231 if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat, 232 sizeof(ipsecstat), kread_counters) != 0) 233 return; 234 } else { 235 if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat, 236 sizeof(ipsecstat), kread_counters) != 0) 237 return; 238 } 239 240 xo_emit("{T:/%s}:\n", name); 241 242 print_ipsecstats(&ipsecstat); 243} 244 245 246static void print_ahstats(const struct ahstat *ahstat); 247static void print_espstats(const struct espstat *espstat); 248static void print_ipcompstats(const struct ipcompstat *ipcompstat); 249 250/* 251 * Dump IPSEC statistics structure. 252 */ 253static void 254ipsec_hist_new(const uint64_t *hist, size_t histmax, 255 const struct val2str *name, const char *title, const char *cname) 256{ 257 int first; 258 size_t proto; 259 const struct val2str *p; 260 261 first = 1; 262 for (proto = 0; proto < histmax; proto++) { 263 if (hist[proto] <= 0) 264 continue; 265 if (first) { 266 xo_open_list(cname); 267 xo_emit("\t{T:/%s histogram}:\n", title); 268 first = 0; 269 } 270 xo_open_instance(cname); 271 for (p = name; p && p->str; p++) { 272 if (p->val == (int)proto) 273 break; 274 } 275 if (p && p->str) { 276 xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str, 277 (uintmax_t)hist[proto]); 278 } else { 279 xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n", 280 (unsigned long)proto, (uintmax_t)hist[proto]); 281 } 282 xo_close_instance(cname); 283 } 284 if (!first) 285 xo_close_list(cname); 286} 287 288static void 289print_ahstats(const struct ahstat *ahstat) 290{ 291 xo_open_container("ah-statictics"); 292 293#define p(f, n, m) if (ahstat->f || sflag <= 1) \ 294 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 295 (uintmax_t)ahstat->f, plural(ahstat->f)) 296#define hist(f, n, t, c) \ 297 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)) 298 299 p(ahs_hdrops, "dropped-short-header", 300 "packet%s shorter than header shows"); 301 p(ahs_nopf, "dropped-bad-protocol", 302 "packet%s dropped; protocol family not supported"); 303 p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 304 p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 305 p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 306 p(ahs_noxform, "dropped-no-transform", 307 "packet%s dropped; no transform"); 308 p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s"); 309 p(ahs_badauth, "dropped-bad-auth", 310 "packet%s dropped; bad authentication detected"); 311 p(ahs_badauthl, "dropped-bad-auth-level", 312 "packet%s dropped; bad authentication length"); 313 p(ahs_replay, "possile-replay-detected", 314 "possible replay packet%s detected"); 315 p(ahs_input, "received-packets", "packet%s in"); 316 p(ahs_output, "send-packets", "packet%s out"); 317 p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 318 p(ahs_ibytes, "received-bytes", "byte%s in"); 319 p(ahs_obytes, "send-bytes", "byte%s out"); 320 p(ahs_toobig, "dropped-too-large", 321 "packet%s dropped; larger than IP_MAXPACKET"); 322 p(ahs_pdrops, "dropped-policy-violation", 323 "packet%s blocked due to policy"); 324 p(ahs_crypto, "crypto-failures", "crypto processing failure%s"); 325 p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 326 hist(ahstat->ahs_hist, ipsec_ahnames, 327 "AH output", "ah-output-histogram"); 328 329#undef p 330#undef hist 331 xo_close_container("ah-statictics"); 332} 333 334void 335ah_stats(u_long off, const char *name, int family __unused, int proto __unused) 336{ 337 struct ahstat ahstat; 338 339 if (fetch_stats("net.inet.ah.stats", off, &ahstat, 340 sizeof(ahstat), kread_counters) != 0) 341 return; 342 343 xo_emit("{T:/%s}:\n", name); 344 345 print_ahstats(&ahstat); 346} 347 348static void 349print_espstats(const struct espstat *espstat) 350{ 351 xo_open_container("esp-statictics"); 352#define p(f, n, m) if (espstat->f || sflag <= 1) \ 353 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 354 (uintmax_t)espstat->f, plural(espstat->f)) 355#define hist(f, n, t, c) \ 356 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 357 358 p(esps_hdrops, "dropped-short-header", 359 "packet%s shorter than header shows"); 360 p(esps_nopf, "dropped-bad-protocol", 361 "packet%s dropped; protocol family not supported"); 362 p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 363 p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 364 p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 365 p(esps_noxform, "dropped-no-transform", 366 "packet%s dropped; no transform"); 367 p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen"); 368 p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 369 p(esps_badenc, "dropped-bad-crypto", 370 "packet%s dropped; bad encryption detected"); 371 p(esps_badauth, "dropped-bad-auth", 372 "packet%s dropped; bad authentication detected"); 373 p(esps_replay, "possible-replay-detected", 374 "possible replay packet%s detected"); 375 p(esps_input, "received-packets", "packet%s in"); 376 p(esps_output, "sent-packets", "packet%s out"); 377 p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 378 p(esps_ibytes, "receieve-bytes", "byte%s in"); 379 p(esps_obytes, "sent-bytes", "byte%s out"); 380 p(esps_toobig, "dropped-too-large", 381 "packet%s dropped; larger than IP_MAXPACKET"); 382 p(esps_pdrops, "dropped-policy-violation", 383 "packet%s blocked due to policy"); 384 p(esps_crypto, "crypto-failures", "crypto processing failure%s"); 385 p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s"); 386 hist(espstat->esps_hist, ipsec_espnames, 387 "ESP output", "esp-output-histogram"); 388 389#undef p 390#undef hist 391 xo_close_container("esp-statictics"); 392} 393 394void 395esp_stats(u_long off, const char *name, int family __unused, int proto __unused) 396{ 397 struct espstat espstat; 398 399 if (fetch_stats("net.inet.esp.stats", off, &espstat, 400 sizeof(espstat), kread_counters) != 0) 401 return; 402 403 xo_emit("{T:/%s}:\n", name); 404 405 print_espstats(&espstat); 406} 407 408static void 409print_ipcompstats(const struct ipcompstat *ipcompstat) 410{ 411 xo_open_container("ipcomp-statictics"); 412 413#define p(f, n, m) if (ipcompstat->f || sflag <= 1) \ 414 xo_emit("\t{:" n "/%ju} {N:/" m "}\n", \ 415 (uintmax_t)ipcompstat->f, plural(ipcompstat->f)) 416#define hist(f, n, t, c) \ 417 ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c)); 418 419 p(ipcomps_hdrops, "dropped-short-header", 420 "packet%s shorter than header shows"); 421 p(ipcomps_nopf, "dropped-bad-protocol", 422 "packet%s dropped; protocol family not supported"); 423 p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB"); 424 p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR"); 425 p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full"); 426 p(ipcomps_noxform, "dropped-no-transform", 427 "packet%s dropped; no transform"); 428 p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s"); 429 p(ipcomps_input, "receieve-packets", "packet%s in"); 430 p(ipcomps_output, "sent-packets", "packet%s out"); 431 p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB"); 432 p(ipcomps_ibytes, "receieved-bytes", "byte%s in"); 433 p(ipcomps_obytes, "sent-bytes", "byte%s out"); 434 p(ipcomps_toobig, "dropped-too-large", 435 "packet%s dropped; larger than IP_MAXPACKET"); 436 p(ipcomps_pdrops, "dropped-policy-violation", 437 "packet%s blocked due to policy"); 438 p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s"); 439 hist(ipcompstat->ipcomps_hist, ipsec_compnames, 440 "COMP output", "comp-output-histogram"); 441 p(ipcomps_threshold, "sent-uncompressed-small-packets", 442 "packet%s sent uncompressed; size < compr. algo. threshold"); 443 p(ipcomps_uncompr, "sent-uncompressed-useless-packets", 444 "packet%s sent uncompressed; compression was useless"); 445 446#undef p 447#undef hist 448 xo_close_container("ipcomp-statictics"); 449} 450 451void 452ipcomp_stats(u_long off, const char *name, int family __unused, 453 int proto __unused) 454{ 455 struct ipcompstat ipcompstat; 456 457 if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat, 458 sizeof(ipcompstat), kread_counters) != 0) 459 return; 460 461 xo_emit("{T:/%s}:\n", name); 462 463 print_ipcompstats(&ipcompstat); 464} 465 466#endif /*IPSEC*/ 467