1 /* $FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.1.2.3 2001/08/10 09:07:09 ru Exp $ */
2 /* $DragonFly: src/usr.bin/netstat/ipsec.c,v 1.2 2003/06/17 04:29:30 dillon Exp $ */
3 /* $NetBSD: inet.c,v 1.35.2.1 1999/04/29 14:57:08 perry Exp $ */
4 /* $KAME: ipsec.c,v 1.25 2001/03/12 09:04:39 itojun Exp $ */
7 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * @(#)inet.c 8.5 (Berkeley) 5/24/95
35 * $FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.1.2.3 2001/08/10 09:07:09 ru Exp $
39 * Copyright (c) 1983, 1988, 1993
40 * The Regents of the University of California. All rights reserved.
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 * 3. All advertising materials mentioning features or use of this software
51 * must display the following acknowledgement:
52 * This product includes software developed by the University of
53 * California, Berkeley and its contributors.
54 * 4. Neither the name of the University nor the names of its contributors
55 * may be used to endorse or promote products derived from this software
56 * without specific prior written permission.
58 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
59 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
60 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
61 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
62 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
63 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
64 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
65 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
66 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
67 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71 #include <sys/cdefs.h>
73 #include <sys/param.h>
74 #include <sys/queue.h>
75 #include <sys/socket.h>
77 #include <netinet/in.h>
80 #include <netinet6/ipsec.h>
81 #include <netkey/keysock.h>
91 * - bsdi[34] uses PLURAL(), not plural().
92 * - freebsd2 can't print "unsigned long long" properly.
95 * XXX see PORTABILITY for the twist
98 #define CAST unsigned long long
106 static struct val2str ipsec_ahnames
[] = {
107 { SADB_AALG_NONE
, "none", },
108 { SADB_AALG_MD5HMAC
, "hmac-md5", },
109 { SADB_AALG_SHA1HMAC
, "hmac-sha1", },
110 { SADB_X_AALG_MD5
, "md5", },
111 { SADB_X_AALG_SHA
, "sha", },
112 { SADB_X_AALG_NULL
, "null", },
113 #ifdef SADB_X_AALG_SHA2_256
114 { SADB_X_AALG_SHA2_256
, "hmac-sha2-256", },
116 #ifdef SADB_X_AALG_SHA2_384
117 { SADB_X_AALG_SHA2_384
, "hmac-sha2-384", },
119 #ifdef SADB_X_AALG_SHA2_512
120 { SADB_X_AALG_SHA2_512
, "hmac-sha2-512", },
125 static struct val2str ipsec_espnames
[] = {
126 { SADB_EALG_NONE
, "none", },
127 { SADB_EALG_DESCBC
, "des-cbc", },
128 { SADB_EALG_3DESCBC
, "3des-cbc", },
129 { SADB_EALG_NULL
, "null", },
130 #ifdef SADB_X_EALG_RC5CBC
131 { SADB_X_EALG_RC5CBC
, "rc5-cbc", },
133 { SADB_X_EALG_CAST128CBC
, "cast128-cbc", },
134 { SADB_X_EALG_BLOWFISHCBC
, "blowfish-cbc", },
135 #ifdef SADB_X_EALG_RIJNDAELCBC
136 { SADB_X_EALG_RIJNDAELCBC
, "rijndael-cbc", },
141 static struct val2str ipsec_compnames
[] = {
142 { SADB_X_CALG_NONE
, "none", },
143 { SADB_X_CALG_OUI
, "oui", },
144 { SADB_X_CALG_DEFLATE
, "deflate", },
145 { SADB_X_CALG_LZS
, "lzs", },
149 static const char *pfkey_msgtypenames
[] = {
150 "reserved", "getspi", "update", "add", "delete",
151 "get", "acquire", "register", "expire", "flush",
152 "dump", "x_promisc", "x_pchange", "x_spdupdate", "x_spdadd",
153 "x_spddelete", "x_spdget", "x_spdacquire", "x_spddump", "x_spdflush",
154 "x_spdsetidx", "x_spdexpire", "x_spddelete2"
157 static struct ipsecstat ipsecstat
;
159 static void print_ipsecstats (void);
160 static const char *pfkey_msgtype_names (int);
161 static void ipsec_hist (const u_quad_t
*, size_t, const struct val2str
*,
165 * Dump IPSEC statistics structure.
168 ipsec_hist(const u_quad_t
*hist
,
170 const struct val2str
*name
,
175 const struct val2str
*p
;
178 for (proto
= 0; proto
< histmax
; proto
++) {
179 if (hist
[proto
] <= 0)
182 printf("\t%s histogram:\n", title
);
185 for (p
= name
; p
&& p
->str
; p
++) {
186 if (p
->val
== (int)proto
)
190 printf("\t\t%s: " LLU
"\n", p
->str
, (CAST
)hist
[proto
]);
192 printf("\t\t#%ld: " LLU
"\n", (long)proto
,
199 print_ipsecstats(void)
201 #define p(f, m) if (ipsecstat.f || sflag <= 1) \
202 printf(m, (CAST)ipsecstat.f, plural(ipsecstat.f))
203 #define hist(f, n, t) \
204 ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t));
206 p(in_success
, "\t" LLU
" inbound packet%s processed successfully\n");
207 p(in_polvio
, "\t" LLU
" inbound packet%s violated process security "
209 p(in_nosa
, "\t" LLU
" inbound packet%s with no SA available\n");
210 p(in_inval
, "\t" LLU
" invalid inbound packet%s\n");
211 p(in_nomem
, "\t" LLU
" inbound packet%s failed due to insufficient memory\n");
212 p(in_badspi
, "\t" LLU
" inbound packet%s failed getting SPI\n");
213 p(in_ahreplay
, "\t" LLU
" inbound packet%s failed on AH replay check\n");
214 p(in_espreplay
, "\t" LLU
" inbound packet%s failed on ESP replay check\n");
215 p(in_ahauthsucc
, "\t" LLU
" inbound packet%s considered authentic\n");
216 p(in_ahauthfail
, "\t" LLU
" inbound packet%s failed on authentication\n");
217 hist(ipsecstat
.in_ahhist
, ipsec_ahnames
, "AH input");
218 hist(ipsecstat
.in_esphist
, ipsec_espnames
, "ESP input");
219 hist(ipsecstat
.in_comphist
, ipsec_compnames
, "IPComp input");
221 p(out_success
, "\t" LLU
" outbound packet%s processed successfully\n");
222 p(out_polvio
, "\t" LLU
" outbound packet%s violated process security "
224 p(out_nosa
, "\t" LLU
" outbound packet%s with no SA available\n");
225 p(out_inval
, "\t" LLU
" invalid outbound packet%s\n");
226 p(out_nomem
, "\t" LLU
" outbound packet%s failed due to insufficient memory\n");
227 p(out_noroute
, "\t" LLU
" outbound packet%s with no route\n");
228 hist(ipsecstat
.out_ahhist
, ipsec_ahnames
, "AH output");
229 hist(ipsecstat
.out_esphist
, ipsec_espnames
, "ESP output");
230 hist(ipsecstat
.out_comphist
, ipsec_compnames
, "IPComp output");
236 ipsec_stats(u_long off __unused
, char *name
, int af __unused
)
240 printf ("%s:\n", name
);
241 kread(off
, (char *)&ipsecstat
, sizeof (ipsecstat
));
247 pfkey_msgtype_names(int x
)
250 sizeof(pfkey_msgtypenames
)/sizeof(pfkey_msgtypenames
[0]);
253 if (x
< max
&& pfkey_msgtypenames
[x
])
254 return pfkey_msgtypenames
[x
];
255 snprintf(buf
, sizeof(buf
), "#%d", x
);
260 pfkey_stats(u_long off __unused
, char *name
, int af __unused
)
262 struct pfkeystat pfkeystat
;
263 unsigned first
, type
;
267 printf ("%s:\n", name
);
268 kread(off
, (char *)&pfkeystat
, sizeof(pfkeystat
));
270 #define p(f, m) if (pfkeystat.f || sflag <= 1) \
271 printf(m, (CAST)pfkeystat.f, plural(pfkeystat.f))
273 /* kernel -> userland */
274 p(out_total
, "\t" LLU
" request%s sent to userland\n");
275 p(out_bytes
, "\t" LLU
" byte%s sent to userland\n");
276 for (first
= 1, type
= 0;
277 type
< sizeof(pfkeystat
.out_msgtype
)/sizeof(pfkeystat
.out_msgtype
[0]);
279 if (pfkeystat
.out_msgtype
[type
] <= 0)
282 printf("\thistogram by message type:\n");
285 printf("\t\t%s: " LLU
"\n", pfkey_msgtype_names(type
),
286 (CAST
)pfkeystat
.out_msgtype
[type
]);
288 p(out_invlen
, "\t" LLU
" message%s with invalid length field\n");
289 p(out_invver
, "\t" LLU
" message%s with invalid version field\n");
290 p(out_invmsgtype
, "\t" LLU
" message%s with invalid message type field\n");
291 p(out_tooshort
, "\t" LLU
" message%s too short\n");
292 p(out_nomem
, "\t" LLU
" message%s with memory allocation failure\n");
293 p(out_dupext
, "\t" LLU
" message%s with duplicate extension\n");
294 p(out_invexttype
, "\t" LLU
" message%s with invalid extension type\n");
295 p(out_invsatype
, "\t" LLU
" message%s with invalid sa type\n");
296 p(out_invaddr
, "\t" LLU
" message%s with invalid address extension\n");
298 /* userland -> kernel */
299 p(in_total
, "\t" LLU
" request%s sent from userland\n");
300 p(in_bytes
, "\t" LLU
" byte%s sent from userland\n");
301 for (first
= 1, type
= 0;
302 type
< sizeof(pfkeystat
.in_msgtype
)/sizeof(pfkeystat
.in_msgtype
[0]);
304 if (pfkeystat
.in_msgtype
[type
] <= 0)
307 printf("\thistogram by message type:\n");
310 printf("\t\t%s: " LLU
"\n", pfkey_msgtype_names(type
),
311 (CAST
)pfkeystat
.in_msgtype
[type
]);
313 p(in_msgtarget
[KEY_SENDUP_ONE
],
314 "\t" LLU
" message%s toward single socket\n");
315 p(in_msgtarget
[KEY_SENDUP_ALL
],
316 "\t" LLU
" message%s toward all sockets\n");
317 p(in_msgtarget
[KEY_SENDUP_REGISTERED
],
318 "\t" LLU
" message%s toward registered sockets\n");
319 p(in_nomem
, "\t" LLU
" message%s with memory allocation failure\n");