ipsec.c revision 330897 
1/*	$KAME: ipsec.c,v 1.33 2003/07/25 09:54:32 itojun Exp $	*/
2
3/*-
4 * SPDX-License-Identifier: BSD-3-Clause
5 *
6 * Copyright (c) 2005 NTT Multimedia Communications Laboratories, Inc.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30/*-
31 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
32 * All rights reserved.
33 *
34 * Redistribution and use in source and binary forms, with or without
35 * modification, are permitted provided that the following conditions
36 * are met:
37 * 1. Redistributions of source code must retain the above copyright
38 *    notice, this list of conditions and the following disclaimer.
39 * 2. Redistributions in binary form must reproduce the above copyright
40 *    notice, this list of conditions and the following disclaimer in the
41 *    documentation and/or other materials provided with the distribution.
42 * 3. Neither the name of the project nor the names of its contributors
43 *    may be used to endorse or promote products derived from this software
44 *    without specific prior written permission.
45 *
46 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
47 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
49 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
50 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
51 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
52 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
54 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
55 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
56 * SUCH DAMAGE.
57 */
58/*-
59 * Copyright (c) 1983, 1988, 1993
60 *	The Regents of the University of California.  All rights reserved.
61 *
62 * Redistribution and use in source and binary forms, with or without
63 * modification, are permitted provided that the following conditions
64 * are met:
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 *    notice, this list of conditions and the following disclaimer in the
69 *    documentation and/or other materials provided with the distribution.
70 * 4. Neither the name of the University nor the names of its contributors
71 *    may be used to endorse or promote products derived from this software
72 *    without specific prior written permission.
73 *
74 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
75 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
76 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
77 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
78 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
79 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
80 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
81 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
82 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
83 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
84 * SUCH DAMAGE.
85 */
86
87#if 0
88#ifndef lint
89static char sccsid[] = "@(#)inet.c	8.5 (Berkeley) 5/24/95";
90#endif /* not lint */
91#endif
92
93#include <sys/cdefs.h>
94__FBSDID("$FreeBSD: stable/11/usr.bin/netstat/ipsec.c 330897 2018-03-14 03:19:51Z eadler $");
95
96#include <sys/param.h>
97#include <sys/queue.h>
98#include <sys/socket.h>
99#include <sys/socketvar.h>
100
101#include <netinet/in.h>
102
103#ifdef IPSEC
104#include <netipsec/ipsec.h>
105#include <netipsec/ah_var.h>
106#include <netipsec/esp_var.h>
107#include <netipsec/ipcomp_var.h>
108#endif
109
110#include <stdint.h>
111#include <stdio.h>
112#include <stdbool.h>
113#include <string.h>
114#include <unistd.h>
115#include <libxo/xo.h>
116#include "netstat.h"
117
118#ifdef IPSEC
119struct val2str {
120	int val;
121	const char *str;
122};
123
124static struct val2str ipsec_ahnames[] = {
125	{ SADB_AALG_NONE, "none", },
126	{ SADB_AALG_MD5HMAC, "hmac-md5", },
127	{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
128	{ SADB_X_AALG_MD5, "md5", },
129	{ SADB_X_AALG_SHA, "sha", },
130	{ SADB_X_AALG_NULL, "null", },
131#ifdef SADB_X_AALG_SHA2_256
132	{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
133#endif
134#ifdef SADB_X_AALG_SHA2_384
135	{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
136#endif
137#ifdef SADB_X_AALG_SHA2_512
138	{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
139#endif
140#ifdef SADB_X_AALG_RIPEMD160HMAC
141	{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
142#endif
143#ifdef SADB_X_AALG_AES_XCBC_MAC
144	{ SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
145#endif
146#ifdef SADB_X_AALG_AES128GMAC
147	{ SADB_X_AALG_AES128GMAC, "aes-gmac-128", },
148#endif
149#ifdef SADB_X_AALG_AES192GMAC
150	{ SADB_X_AALG_AES192GMAC, "aes-gmac-192", },
151#endif
152#ifdef SADB_X_AALG_AES256GMAC
153	{ SADB_X_AALG_AES256GMAC, "aes-gmac-256", },
154#endif
155	{ -1, NULL },
156};
157
158static struct val2str ipsec_espnames[] = {
159	{ SADB_EALG_NONE, "none", },
160	{ SADB_EALG_DESCBC, "des-cbc", },
161	{ SADB_EALG_3DESCBC, "3des-cbc", },
162	{ SADB_EALG_NULL, "null", },
163	{ SADB_X_EALG_CAST128CBC, "cast128-cbc", },
164	{ SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
165#ifdef SADB_X_EALG_RIJNDAELCBC
166	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
167#endif
168#ifdef SADB_X_EALG_AESCTR
169	{ SADB_X_EALG_AESCTR, "aes-ctr", },
170#endif
171#ifdef SADB_X_EALG_AESGCM16
172	{ SADB_X_EALG_AESGCM16, "aes-gcm-16", },
173#endif
174	{ -1, NULL },
175};
176
177static struct val2str ipsec_compnames[] = {
178	{ SADB_X_CALG_NONE, "none", },
179	{ SADB_X_CALG_OUI, "oui", },
180	{ SADB_X_CALG_DEFLATE, "deflate", },
181	{ SADB_X_CALG_LZS, "lzs", },
182	{ -1, NULL },
183};
184
185static void print_ipsecstats(const struct ipsecstat *ipsecstat);
186
187static void
188print_ipsecstats(const struct ipsecstat *ipsecstat)
189{
190	xo_open_container("ipsec-statistics");
191
192#define	p(f, m) if (ipsecstat->f || sflag <= 1) \
193	xo_emit(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f))
194
195	p(ips_in_polvio, "\t{:dropped-policy-violation/%ju} "
196	    "{N:/inbound packet%s violated process security policy}\n");
197	p(ips_in_nomem, "\t{:dropped-no-memory/%ju} "
198	    "{N:/inbound packet%s failed due to insufficient memory}\n");
199	p(ips_in_inval, "\t{:dropped-invalid/%ju} "
200	    "{N:/invalid inbound packet%s}\n");
201	p(ips_out_polvio, "\t{:discarded-policy-violation/%ju} "
202	    "{N:/outbound packet%s violated process security policy}\n");
203	p(ips_out_nosa, "\t{:discarded-no-sa/%ju} "
204	    "{N:/outbound packet%s with no SA available}\n");
205	p(ips_out_nomem, "\t{:discarded-no-memory/%ju} "
206	    "{N:/outbound packet%s failed due to insufficient memory}\n");
207	p(ips_out_noroute, "\t{:discarded-no-route/%ju} "
208	    "{N:/outbound packet%s with no route available}\n");
209	p(ips_out_inval, "\t{:discarded-invalid/%ju} "
210	    "{N:/invalid outbound packet%s}\n");
211	p(ips_out_bundlesa, "\t{:send-bundled-sa/%ju} "
212	    "{N:/outbound packet%s with bundled SAs}\n");
213	p(ips_mbcoalesced, "\t{:mbufs-coalesced-during-clone/%ju} "
214	    "{N:/mbuf%s coalesced during clone}\n");
215	p(ips_clcoalesced, "\t{:clusters-coalesced-during-clone/%ju} "
216	    "{N:/cluster%s coalesced during clone}\n");
217	p(ips_clcopied, "\t{:clusters-copied-during-clone/%ju} "
218	    "{N:/cluster%s copied during clone}\n");
219	p(ips_mbinserted, "\t{:mbufs-inserted/%ju} "
220	    "{N:/mbuf%s inserted during makespace}\n");
221#undef p
222	xo_close_container("ipsec-statistics");
223}
224
225void
226ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused)
227{
228	struct ipsecstat ipsecstat;
229
230	if (strcmp(name, "ipsec6") == 0) {
231		if (fetch_stats("net.inet6.ipsec6.ipsecstats", off,&ipsecstat,
232				sizeof(ipsecstat), kread_counters) != 0)
233			return;
234	} else {
235		if (fetch_stats("net.inet.ipsec.ipsecstats", off, &ipsecstat,
236				sizeof(ipsecstat), kread_counters) != 0)
237			return;
238	}
239
240	xo_emit("{T:/%s}:\n", name);
241
242	print_ipsecstats(&ipsecstat);
243}
244
245
246static void print_ahstats(const struct ahstat *ahstat);
247static void print_espstats(const struct espstat *espstat);
248static void print_ipcompstats(const struct ipcompstat *ipcompstat);
249
250/*
251 * Dump IPSEC statistics structure.
252 */
253static void
254ipsec_hist_new(const uint64_t *hist, size_t histmax,
255    const struct val2str *name, const char *title, const char *cname)
256{
257	int first;
258	size_t proto;
259	const struct val2str *p;
260
261	first = 1;
262	for (proto = 0; proto < histmax; proto++) {
263		if (hist[proto] <= 0)
264			continue;
265		if (first) {
266			xo_open_list(cname);
267			xo_emit("\t{T:/%s histogram}:\n", title);
268			first = 0;
269		}
270		xo_open_instance(cname);
271		for (p = name; p && p->str; p++) {
272			if (p->val == (int)proto)
273				break;
274		}
275		if (p && p->str) {
276			xo_emit("\t\t{k:name}: {:count/%ju}\n", p->str,
277			    (uintmax_t)hist[proto]);
278		} else {
279			xo_emit("\t\t#{k:name/%lu}: {:count/%ju}\n",
280			    (unsigned long)proto, (uintmax_t)hist[proto]);
281		}
282		xo_close_instance(cname);
283	}
284	if (!first)
285		xo_close_list(cname);
286}
287
288static void
289print_ahstats(const struct ahstat *ahstat)
290{
291	xo_open_container("ah-statictics");
292
293#define	p(f, n, m) if (ahstat->f || sflag <= 1) \
294	xo_emit("\t{:" n "/%ju} {N:/" m "}\n",	\
295	    (uintmax_t)ahstat->f, plural(ahstat->f))
296#define	hist(f, n, t, c) \
297	ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c))
298
299	p(ahs_hdrops, "dropped-short-header",
300	    "packet%s shorter than header shows");
301	p(ahs_nopf, "dropped-bad-protocol",
302	    "packet%s dropped; protocol family not supported");
303	p(ahs_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
304	p(ahs_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
305	p(ahs_qfull, "dropped-queue-full", "packet%s dropped; queue full");
306	p(ahs_noxform, "dropped-no-transform",
307	    "packet%s dropped; no transform");
308	p(ahs_wrap, "replay-counter-wraps", "replay counter wrap%s");
309	p(ahs_badauth, "dropped-bad-auth",
310	    "packet%s dropped; bad authentication detected");
311	p(ahs_badauthl, "dropped-bad-auth-level",
312	    "packet%s dropped; bad authentication length");
313	p(ahs_replay, "possile-replay-detected",
314	    "possible replay packet%s detected");
315	p(ahs_input, "received-packets", "packet%s in");
316	p(ahs_output, "send-packets", "packet%s out");
317	p(ahs_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
318	p(ahs_ibytes, "received-bytes", "byte%s in");
319	p(ahs_obytes, "send-bytes", "byte%s out");
320	p(ahs_toobig, "dropped-too-large",
321	    "packet%s dropped; larger than IP_MAXPACKET");
322	p(ahs_pdrops, "dropped-policy-violation",
323	    "packet%s blocked due to policy");
324	p(ahs_crypto, "crypto-failures", "crypto processing failure%s");
325	p(ahs_tunnel, "tunnel-failures", "tunnel sanity check failure%s");
326	hist(ahstat->ahs_hist, ipsec_ahnames,
327	    "AH output", "ah-output-histogram");
328
329#undef p
330#undef hist
331	xo_close_container("ah-statictics");
332}
333
334void
335ah_stats(u_long off, const char *name, int family __unused, int proto __unused)
336{
337	struct ahstat ahstat;
338
339	if (fetch_stats("net.inet.ah.stats", off, &ahstat,
340	    sizeof(ahstat), kread_counters) != 0)
341		return;
342
343	xo_emit("{T:/%s}:\n", name);
344
345	print_ahstats(&ahstat);
346}
347
348static void
349print_espstats(const struct espstat *espstat)
350{
351	xo_open_container("esp-statictics");
352#define	p(f, n, m) if (espstat->f || sflag <= 1)	\
353	xo_emit("\t{:" n "/%ju} {N:/" m "}\n",		\
354	    (uintmax_t)espstat->f, plural(espstat->f))
355#define	hist(f, n, t, c) \
356	ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c));
357
358	p(esps_hdrops, "dropped-short-header",
359	    "packet%s shorter than header shows");
360	p(esps_nopf, "dropped-bad-protocol",
361	    "packet%s dropped; protocol family not supported");
362	p(esps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
363	p(esps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
364	p(esps_qfull, "dropped-queue-full", "packet%s dropped; queue full");
365	p(esps_noxform, "dropped-no-transform",
366	    "packet%s dropped; no transform");
367	p(esps_badilen, "dropped-bad-length", "packet%s dropped; bad ilen");
368	p(esps_wrap, "replay-counter-wraps", "replay counter wrap%s");
369	p(esps_badenc, "dropped-bad-crypto",
370	    "packet%s dropped; bad encryption detected");
371	p(esps_badauth, "dropped-bad-auth",
372	    "packet%s dropped; bad authentication detected");
373	p(esps_replay, "possible-replay-detected",
374	    "possible replay packet%s detected");
375	p(esps_input, "received-packets", "packet%s in");
376	p(esps_output, "sent-packets", "packet%s out");
377	p(esps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
378	p(esps_ibytes, "receieve-bytes", "byte%s in");
379	p(esps_obytes, "sent-bytes", "byte%s out");
380	p(esps_toobig, "dropped-too-large",
381	    "packet%s dropped; larger than IP_MAXPACKET");
382	p(esps_pdrops, "dropped-policy-violation",
383	    "packet%s blocked due to policy");
384	p(esps_crypto, "crypto-failures", "crypto processing failure%s");
385	p(esps_tunnel, "tunnel-failures", "tunnel sanity check failure%s");
386	hist(espstat->esps_hist, ipsec_espnames,
387	    "ESP output", "esp-output-histogram");
388
389#undef p
390#undef hist
391	xo_close_container("esp-statictics");
392}
393
394void
395esp_stats(u_long off, const char *name, int family __unused, int proto __unused)
396{
397	struct espstat espstat;
398
399	if (fetch_stats("net.inet.esp.stats", off, &espstat,
400	    sizeof(espstat), kread_counters) != 0)
401		return;
402
403	xo_emit("{T:/%s}:\n", name);
404
405	print_espstats(&espstat);
406}
407
408static void
409print_ipcompstats(const struct ipcompstat *ipcompstat)
410{
411	xo_open_container("ipcomp-statictics");
412
413#define	p(f, n, m) if (ipcompstat->f || sflag <= 1)	\
414	xo_emit("\t{:" n "/%ju} {N:/" m "}\n",		\
415	    (uintmax_t)ipcompstat->f, plural(ipcompstat->f))
416#define	hist(f, n, t, c) \
417	ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t), (c));
418
419	p(ipcomps_hdrops, "dropped-short-header",
420	    "packet%s shorter than header shows");
421	p(ipcomps_nopf, "dropped-bad-protocol",
422	    "packet%s dropped; protocol family not supported");
423	p(ipcomps_notdb, "dropped-no-tdb", "packet%s dropped; no TDB");
424	p(ipcomps_badkcr, "dropped-bad-kcr", "packet%s dropped; bad KCR");
425	p(ipcomps_qfull, "dropped-queue-full", "packet%s dropped; queue full");
426	p(ipcomps_noxform, "dropped-no-transform",
427	    "packet%s dropped; no transform");
428	p(ipcomps_wrap, "replay-counter-wraps", "replay counter wrap%s");
429	p(ipcomps_input, "receieve-packets", "packet%s in");
430	p(ipcomps_output, "sent-packets", "packet%s out");
431	p(ipcomps_invalid, "dropped-bad-tdb", "packet%s dropped; invalid TDB");
432	p(ipcomps_ibytes, "receieved-bytes", "byte%s in");
433	p(ipcomps_obytes, "sent-bytes", "byte%s out");
434	p(ipcomps_toobig, "dropped-too-large",
435	    "packet%s dropped; larger than IP_MAXPACKET");
436	p(ipcomps_pdrops, "dropped-policy-violation",
437	    "packet%s blocked due to policy");
438	p(ipcomps_crypto, "crypto-failure", "crypto processing failure%s");
439	hist(ipcompstat->ipcomps_hist, ipsec_compnames,
440	    "COMP output", "comp-output-histogram");
441	p(ipcomps_threshold, "sent-uncompressed-small-packets",
442	    "packet%s sent uncompressed; size < compr. algo. threshold");
443	p(ipcomps_uncompr, "sent-uncompressed-useless-packets",
444	    "packet%s sent uncompressed; compression was useless");
445
446#undef p
447#undef hist
448	xo_close_container("ipcomp-statictics");
449}
450
451void
452ipcomp_stats(u_long off, const char *name, int family __unused,
453    int proto __unused)
454{
455	struct ipcompstat ipcompstat;
456
457	if (fetch_stats("net.inet.ipcomp.stats", off, &ipcompstat,
458	    sizeof(ipcompstat), kread_counters) != 0)
459		return;
460
461	xo_emit("{T:/%s}:\n", name);
462
463	print_ipcompstats(&ipcompstat);
464}
465
466#endif /*IPSEC*/
467