1/* $NetBSD: fast_ipsec.c,v 1.17 2011/05/26 21:50:03 drochner Exp $ */ 2/* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ 3 4/*- 5 * Copyright (c) 2003, 2004 Jonathan Stone 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ 31 */ 32 33#include <sys/cdefs.h> 34#ifndef lint 35#ifdef __NetBSD__ 36__RCSID("$NetBSD: fast_ipsec.c,v 1.17 2011/05/26 21:50:03 drochner Exp $"); 37#endif 38#endif /* not lint*/ 39 40/* Kernel headers required, but not included, by netstat.h */ 41#include <sys/types.h> 42#include <sys/socket.h> 43 44/* Kernel headers for sysctl(3). */ 45#include <sys/param.h> 46#include <sys/sysctl.h> 47 48/* Kernel headers for FAST_IPSEC statistics */ 49#include <net/pfkeyv2.h> 50#include <netipsec/esp_var.h> 51#include <netipsec/ah_var.h> 52#include <netipsec/ipip_var.h> 53#include <netipsec/ipcomp_var.h> 54#include <netipsec/ipsec_var.h> 55 56#include <machine/int_fmtio.h> 57 58#include <kvm.h> 59#include <err.h> 60#include <errno.h> 61#include <stdio.h> 62#include <string.h> 63 64#include "netstat.h" 65 66/* 67 * Cache the check to see if we have fast_ipsec so that we don't 68 * have to go to the kernel repeatedly. 69 */ 70static int 71have_fast_ipsec(void) 72{ 73 static int haveit = -1; 74 75 if (haveit == -1) { 76 if (sysctlbyname("net.inet.ipsec.ipsecstats", NULL, NULL, 77 NULL, 0) == -1) 78 haveit = 0; 79 else 80 haveit = 1; 81 } 82 83 return (haveit); 84} 85 86/* 87 * Dispatch between fetching and printing (KAME) IPsec statistics, 88 * and FAST_IPSEC statistics, so the rest of netstat need not know 89 * about the vagaries of the two implementations. 90 */ 91void 92ipsec_switch(u_long off, const char * name) 93{ 94 95 if (have_fast_ipsec()) 96 return fast_ipsec_stats(off, name); 97 98 return ipsec_stats(off, name); 99} 100 101 102/* 103 * Table-driven mapping from SADB algorithm codes to string names. 104 */ 105struct alg { 106 int a; 107 const char *name; 108}; 109static const struct alg aalgs[] = { 110 { SADB_AALG_NONE, "none", }, 111 { SADB_AALG_MD5HMAC, "hmac-md5", }, 112 { SADB_AALG_SHA1HMAC, "hmac-sha1", }, 113 { SADB_X_AALG_MD5, "md5", }, 114 { SADB_X_AALG_SHA, "sha", }, 115 { SADB_X_AALG_NULL, "null", }, 116 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, 117 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, 118 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, 119 { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, 120 { SADB_X_AALG_AES128GMAC, "aes-128-gmac", }, 121 { SADB_X_AALG_AES192GMAC, "aes-192-gmac", }, 122 { SADB_X_AALG_AES256GMAC, "aes-256-gmac", }, 123}; 124static const struct alg espalgs[] = { 125 { SADB_EALG_NONE, "none", }, 126 { SADB_EALG_DESCBC, "des-cbc", }, 127 { SADB_EALG_3DESCBC, "3des-cbc", }, 128 { SADB_EALG_NULL, "null", }, 129 { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, 130 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, 131 { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", }, 132 { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, 133 { SADB_X_EALG_AESCTR, "aes-ctr", }, 134 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, 135 { SADB_X_EALG_AESGMAC, "aes-gmac", }, 136}; 137static const struct alg ipcompalgs[] = { 138 { SADB_X_CALG_NONE, "none", }, 139 { SADB_X_CALG_OUI, "oui", }, 140 { SADB_X_CALG_DEFLATE, "deflate", }, 141 { SADB_X_CALG_LZS, "lzs", }, 142}; 143#define N(a) (sizeof(a)/sizeof(a[0])) 144 145static const char* 146algname(int a, const struct alg algs[], int nalgs) 147{ 148 static char buf[80]; 149 int i; 150 151 for (i = 0; i < nalgs; i++) 152 if (algs[i].a == a) 153 return algs[i].name; 154 snprintf(buf, sizeof(buf), "alg#%u", a); 155 return buf; 156} 157 158/* 159 * Print the fast_ipsec statistics. 160 * Since NetBSD's netstat(1) seems not to find us for "netstat -s", 161 * but does(?) find KAME, be prepared to be called explicitly from 162 * netstat's main program for "netstat -s"; but silently do nothing 163 * if that happens when we are running on KAME IPsec. 164 */ 165void 166fast_ipsec_stats(u_long off, const char *name) 167{ 168 uint64_t ipsecstats[IPSEC_NSTATS]; 169 uint64_t ahstats[AH_NSTATS]; 170 uint64_t espstats[ESP_NSTATS]; 171 uint64_t ipcs[IPCOMP_NSTATS]; 172 uint64_t ipips[IPIP_NSTATS]; 173 int status; 174 size_t slen; 175 int i; 176 177 if (! use_sysctl) { 178 warnx("IPsec stats not available via KVM."); 179 return; 180 } 181 182 memset(ipsecstats, 0, sizeof(ipsecstats)); 183 memset(ahstats, 0, sizeof(ahstats)); 184 memset(espstats, 0, sizeof(espstats)); 185 memset(ipcs, 0, sizeof(ipcs)); 186 memset(ipips, 0, sizeof(ipips)); 187 188 /* silence check */ 189 if (!have_fast_ipsec()) 190 return; 191 192 slen = sizeof(ipsecstats); 193 status = sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen, 194 NULL, 0); 195 if (status < 0 && errno != ENOMEM) 196 err(1, "net.inet.ipsec.ipsecstats"); 197 198 slen = sizeof (ahstats); 199 status = sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0); 200 if (status < 0 && errno != ENOMEM) 201 err(1, "net.inet.ah.ah_stats"); 202 203 slen = sizeof (espstats); 204 status = sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0); 205 if (status < 0 && errno != ENOMEM) 206 err(1, "net.inet.esp.esp_stats"); 207 208 slen = sizeof(ipcs); 209 status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0); 210 if (status < 0 && errno != ENOMEM) 211 err(1, "net.inet.ipcomp.ipcomp_stats"); 212 213 slen = sizeof(ipips); 214 status = sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0); 215 if (status < 0 && errno != ENOMEM) 216 err(1, "net.inet.ipip.ipip_stats"); 217 218 printf("(Fast) IPsec:\n"); 219 220#define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x) 221 if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO]) 222 printf("\t%"PRIu64" policy violations: %"PRIu64" input %"PRIu64" output\n", 223 ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO], 224 ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]); 225 STAT(ipsecstats[IPSEC_STAT_OUT_NOSA], "no SA found (output)"); 226 STAT(ipsecstats[IPSEC_STAT_OUT_NOMEM], "no memory available (output)"); 227 STAT(ipsecstats[IPSEC_STAT_OUT_NOROUTE], "no route available (output)"); 228 STAT(ipsecstats[IPSEC_STAT_OUT_INVAL], "generic errors (output)"); 229 STAT(ipsecstats[IPSEC_STAT_OUT_BUNDLESA], "bundled SA processed (output)"); 230 STAT(ipsecstats[IPSEC_STAT_SPDCACHELOOKUP], "SPD cache lookups"); 231 STAT(ipsecstats[IPSEC_STAT_SPDCACHEMISS], "SPD cache misses"); 232#undef STAT 233 printf("\n"); 234 235 printf("IPsec ah:\n"); 236#define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" ah " fmt "\n", x) 237 AHSTAT(ahstats[AH_STAT_INPUT], "input packets processed"); 238 AHSTAT(ahstats[AH_STAT_OUTPUT], "output packets processed"); 239 AHSTAT(ahstats[AH_STAT_HDROPS], "headers too short"); 240 AHSTAT(ahstats[AH_STAT_NOPF], "headers for unsupported address family"); 241 AHSTAT(ahstats[AH_STAT_NOTDB], "packets with no SA"); 242 AHSTAT(ahstats[AH_STAT_BADKCR], "packets dropped by crypto returning NULL mbuf"); 243 AHSTAT(ahstats[AH_STAT_BADAUTH], "packets with bad authentication"); 244 AHSTAT(ahstats[AH_STAT_NOXFORM], "packets with no xform"); 245 AHSTAT(ahstats[AH_STAT_QFULL], "packets dropped due to queue full"); 246 AHSTAT(ahstats[AH_STAT_WRAP], "packets dropped for replay counter wrap"); 247 AHSTAT(ahstats[AH_STAT_REPLAY], "packets dropped for possible replay"); 248 AHSTAT(ahstats[AH_STAT_BADAUTHL],"packets dropped for bad authenticator length"); 249 AHSTAT(ahstats[AH_STAT_INVALID], "packets with an invalid SA"); 250 AHSTAT(ahstats[AH_STAT_TOOBIG], "packets too big"); 251 AHSTAT(ahstats[AH_STAT_PDROPS], "packets blocked due to policy"); 252 AHSTAT(ahstats[AH_STAT_CRYPTO], "failed crypto requests"); 253 AHSTAT(ahstats[AH_STAT_TUNNEL], "tunnel sanity check failures"); 254 255 printf("\tah histogram:\n"); 256 for (i = 0; i < AH_ALG_MAX; i++) 257 if (ahstats[AH_STAT_HIST + i]) 258 printf("\t\tah packets with %s: %"PRIu64"\n" 259 , algname(i, aalgs, N(aalgs)) 260 , ahstats[AH_STAT_HIST + i] 261 ); 262 AHSTAT(ahstats[AH_STAT_IBYTES], "bytes received"); 263 AHSTAT(ahstats[AH_STAT_OBYTES], "bytes transmitted"); 264#undef AHSTAT 265 printf("\n"); 266 267 printf("IPsec esp:\n"); 268#define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" esp " fmt "\n", x) 269 ESPSTAT(espstats[ESP_STAT_INPUT],"input packets processed"); 270 ESPSTAT(espstats[ESP_STAT_OUTPUT],"output packets processed"); 271 ESPSTAT(espstats[ESP_STAT_HDROPS],"headers too short"); 272 ESPSTAT(espstats[ESP_STAT_NOPF], "headers for unsupported address family"); 273 ESPSTAT(espstats[ESP_STAT_NOTDB],"packets with no SA"); 274 ESPSTAT(espstats[ESP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 275 ESPSTAT(espstats[ESP_STAT_QFULL],"packets dropped due to queue full"); 276 ESPSTAT(espstats[ESP_STAT_NOXFORM],"packets with no xform"); 277 ESPSTAT(espstats[ESP_STAT_BADILEN],"packets with bad ilen"); 278 ESPSTAT(espstats[ESP_STAT_BADENC],"packets with bad encryption"); 279 ESPSTAT(espstats[ESP_STAT_BADAUTH],"packets with bad authentication"); 280 ESPSTAT(espstats[ESP_STAT_WRAP], "packets dropped for replay counter wrap"); 281 ESPSTAT(espstats[ESP_STAT_REPLAY],"packets dropped for possible replay"); 282 ESPSTAT(espstats[ESP_STAT_INVALID],"packets with an invalid SA"); 283 ESPSTAT(espstats[ESP_STAT_TOOBIG],"packets too big"); 284 ESPSTAT(espstats[ESP_STAT_PDROPS],"packets blocked due to policy"); 285 ESPSTAT(espstats[ESP_STAT_CRYPTO],"failed crypto requests"); 286 ESPSTAT(espstats[ESP_STAT_TUNNEL],"tunnel sanity check failures"); 287 printf("\tesp histogram:\n"); 288 for (i = 0; i < ESP_ALG_MAX; i++) 289 if (espstats[ESP_STAT_HIST + i]) 290 printf("\t\tesp packets with %s: %"PRIu64"\n" 291 , algname(i, espalgs, N(espalgs)) 292 , espstats[ESP_STAT_HIST + i] 293 ); 294 ESPSTAT(espstats[ESP_STAT_IBYTES], "bytes received"); 295 ESPSTAT(espstats[ESP_STAT_OBYTES], "bytes transmitted"); 296#undef ESPSTAT 297 printf("IPsec ipip:\n"); 298 299#define IPIPSTAT(x,fmt) \ 300 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipip " fmt "\n", x) 301 IPIPSTAT(ipips[IPIP_STAT_IPACKETS],"total input packets"); 302 IPIPSTAT(ipips[IPIP_STAT_OPACKETS],"total output packets"); 303 IPIPSTAT(ipips[IPIP_STAT_HDROPS],"packets too short for header length"); 304 IPIPSTAT(ipips[IPIP_STAT_QFULL],"packets dropped due to queue full"); 305 IPIPSTAT(ipips[IPIP_STAT_PDROPS],"packets blocked due to policy"); 306 IPIPSTAT(ipips[IPIP_STAT_SPOOF],"IP spoofing attempts"); 307 IPIPSTAT(ipips[IPIP_STAT_FAMILY],"protocol family mismatched"); 308 IPIPSTAT(ipips[IPIP_STAT_UNSPEC],"missing tunnel-endpoint address"); 309 IPIPSTAT(ipips[IPIP_STAT_IBYTES],"input bytes received"); 310 IPIPSTAT(ipips[IPIP_STAT_OBYTES],"output bytes processed"); 311#undef IPIPSTAT 312 313 printf("IPsec ipcomp:\n"); 314#define IPCOMP(x,fmt) \ 315 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipcomp " fmt "\n", x) 316 317 IPCOMP(ipcs[IPCOMP_STAT_HDROPS],"packets too short for header length"); 318 IPCOMP(ipcs[IPCOMP_STAT_NOPF], "protocol family not supported"); 319 IPCOMP(ipcs[IPCOMP_STAT_NOTDB], "packets with no SA"); 320 IPCOMP(ipcs[IPCOMP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf"); 321 IPCOMP(ipcs[IPCOMP_STAT_QFULL], "queue full"); 322 IPCOMP(ipcs[IPCOMP_STAT_NOXFORM],"no support for transform"); 323 IPCOMP(ipcs[IPCOMP_STAT_WRAP], "packets dropped for replay counter wrap"); 324 IPCOMP(ipcs[IPCOMP_STAT_INPUT], "input IPcomp packets"); 325 IPCOMP(ipcs[IPCOMP_STAT_OUTPUT],"output IPcomp packets"); 326 IPCOMP(ipcs[IPCOMP_STAT_INVALID],"packets with an invalid SA"); 327 IPCOMP(ipcs[IPCOMP_STAT_TOOBIG],"packets decompressed as too big"); 328 IPCOMP(ipcs[IPCOMP_STAT_MINLEN], "packets too short to be compressed"); 329 IPCOMP(ipcs[IPCOMP_STAT_USELESS],"packet for which compression was useless"); 330 IPCOMP(ipcs[IPCOMP_STAT_PDROPS],"packets blocked due to policy"); 331 IPCOMP(ipcs[IPCOMP_STAT_CRYPTO],"failed crypto requests"); 332 333 printf("\tIPcomp histogram:\n"); 334 for (i = 0; i < IPCOMP_ALG_MAX; i++) 335 if (ipcs[IPCOMP_STAT_HIST + i]) 336 printf("\t\tIPcomp packets with %s: %"PRIu64"\n" 337 , algname(i, ipcompalgs, N(ipcompalgs)) 338 , ipcs[IPCOMP_STAT_HIST + i] 339 ); 340 IPCOMP(ipcs[IPCOMP_STAT_IBYTES],"input bytes"); 341 IPCOMP(ipcs[IPCOMP_STAT_OBYTES],"output bytes"); 342#undef IPCOMP 343} 344