search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge from vendor branch PKGSRC:
[netbsd-mini2440.git] / usr.bin / netstat / fast_ipsec.c
blob5c54d559dbf84e512600a88ed2cd5c48cfb10f7c
1 /* $NetBSD: fast_ipsec.c,v 1.11 2008/04/24 04:09:27 thorpej Exp $ */
2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */
3
4 /*-
5 * Copyright (c) 2003, 2004 Jonathan Stone
6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 *
30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $
31 */
32
33 #include <sys/cdefs.h>
34 #ifndef lint
35 #ifdef __NetBSD__
36 __RCSID("$NetBSD: fast_ipsec.c,v 1.11 2008/04/24 04:09:27 thorpej Exp $");
37 #endif
38 #endif /* not lint*/
39
40 /* Kernel headers required, but not included, by netstat.h */
41 #include <sys/types.h>
42 #include <sys/socket.h>
43
44 /* Kernel headers for sysctl(3). */
45 #include <sys/param.h>
46 #include <sys/sysctl.h>
47
48 /* Kernel headers for FAST_IPSEC statistics */
49 #include <net/pfkeyv2.h>
50 #include <netipsec/esp_var.h>
51 #include <netipsec/ah_var.h>
52 #include <netipsec/ipip_var.h>
53 #include <netipsec/ipcomp_var.h>
54 #include <netipsec/ipsec_var.h>
55 #include <netipsec/keydb.h>
56
57 #include <machine/int_fmtio.h>
58
59 #include <kvm.h>
60 #include <err.h>
61 #include <errno.h>
62 #include <stdio.h>
63 #include <string.h>
64
65 #include "netstat.h"
66
67 /*
68 * Cache the check to see if we have fast_ipsec so that we don't
69 * have to go to the kernel repeatedly.
70 */
71 static int
72 have_fast_ipsec(void)
73 {
74 static int haveit = -1;
75
76 if (haveit == -1) {
77 if (sysctlbyname("net.inet.ipsec.ipsecstats", NULL, NULL,
78 NULL, 0) == -1)
79 haveit = 0;
80 else
81 haveit = 1;
82 }
83
84 return (haveit);
85 }
86
87 /*
88 * Dispatch between fetching and printing (KAME) IPsec statistics,
89 * and FAST_IPSEC statistics, so the rest of netstat need not know
90 * about the vagaries of the two implementations.
91 */
92 void
93 ipsec_switch(u_long off, const char * name)
94 {
95
96 if (have_fast_ipsec())
97 return fast_ipsec_stats(off, name);
98
99 return ipsec_stats(off, name);
100 }
101
102
103 /*
104 * Table-driven mapping from SADB algorithm codes to string names.
105 */
106 struct alg {
107 int a;
108 const char *name;
109 };
110 static const struct alg aalgs[] = {
111 { SADB_AALG_NONE, "none", },
112 { SADB_AALG_MD5HMAC, "hmac-md5", },
113 { SADB_AALG_SHA1HMAC, "hmac-sha1", },
114 { SADB_X_AALG_MD5, "md5", },
115 { SADB_X_AALG_SHA, "sha", },
116 { SADB_X_AALG_NULL, "null", },
117 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
118 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
119 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
120 };
121 static const struct alg espalgs[] = {
122 { SADB_EALG_NONE, "none", },
123 { SADB_EALG_DESCBC, "des-cbc", },
124 { SADB_EALG_3DESCBC, "3des-cbc", },
125 { SADB_EALG_NULL, "null", },
126 { SADB_X_EALG_CAST128CBC, "cast128-cbc", },
127 { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
128 { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", },
129 };
130 static const struct alg ipcompalgs[] = {
131 { SADB_X_CALG_NONE, "none", },
132 { SADB_X_CALG_OUI, "oui", },
133 { SADB_X_CALG_DEFLATE, "deflate", },
134 { SADB_X_CALG_LZS, "lzs", },
135 };
136 #define N(a) (sizeof(a)/sizeof(a[0]))
137
138 static const char*
139 algname(int a, const struct alg algs[], int nalgs)
140 {
141 static char buf[80];
142 int i;
143
144 for (i = 0; i < nalgs; i++)
145 if (algs[i].a == a)
146 return algs[i].name;
147 snprintf(buf, sizeof(buf), "alg#%u", a);
148 return buf;
149 }
150
151 /*
152 * Print the fast_ipsec statistics.
153 * Since NetBSD's netstat(1) seems not to find us for "netstat -s",
154 * but does(?) find KAME, be prepared to be called explicitly from
155 * netstat's main program for "netstat -s"; but silently do nothing
156 * if that happens when we are running on KAME IPsec.
157 */
158 void
159 fast_ipsec_stats(u_long off, const char *name)
160 {
161 uint64_t ipsecstats[IPSEC_NSTATS];
162 uint64_t ahstats[AH_NSTATS];
163 uint64_t espstats[ESP_NSTATS];
164 uint64_t ipcs[IPCOMP_NSTATS];
165 uint64_t ipips[IPIP_NSTATS];
166 int status;
167 size_t slen;
168 int i;
169
170 if (! use_sysctl) {
171 warnx("IPsec stats not available via KVM.");
172 return;
173 }
174
175 memset(ipsecstats, 0, sizeof(ipsecstats));
176 memset(ahstats, 0, sizeof(ahstats));
177 memset(espstats, 0, sizeof(espstats));
178 memset(ipcs, 0, sizeof(ipcs));
179 memset(ipips, 0, sizeof(ipips));
180
181 /* silence check */
182 if (!have_fast_ipsec())
183 return;
184
185 slen = sizeof(ipsecstats);
186 status = sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats, &slen,
187 NULL, 0);
188 if (status < 0 && errno != ENOMEM)
189 err(1, "net.inet.ipsec.ipsecstats");
190
191 slen = sizeof (ahstats);
192 status = sysctlbyname("net.inet.ah.ah_stats", ahstats, &slen, NULL, 0);
193 if (status < 0 && errno != ENOMEM)
194 err(1, "net.inet.ah.ah_stats");
195
196 slen = sizeof (espstats);
197 status = sysctlbyname("net.inet.esp.esp_stats", espstats, &slen, NULL, 0);
198 if (status < 0 && errno != ENOMEM)
199 err(1, "net.inet.esp.esp_stats");
200
201 slen = sizeof(ipcs);
202 status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs, &slen, NULL, 0);
203 if (status < 0 && errno != ENOMEM)
204 err(1, "net.inet.ipcomp.ipcomp_stats");
205
206 slen = sizeof(ipips);
207 status = sysctlbyname("net.inet.ipip.ipip_stats", ipips, &slen, NULL, 0);
208 if (status < 0 && errno != ENOMEM)
209 err(1, "net.inet.ipip.ipip_stats");
210
211 printf("(Fast) IPsec:\n");
212
213 #define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x)
214 if (ipsecstats[IPSEC_STAT_IN_POLVIO]+ipsecstats[IPSEC_STAT_OUT_POLVIO])
215 printf("\t%"PRIu64" policy violations: %"PRIu64" input %"PRIu64" output\n",
216 ipsecstats[IPSEC_STAT_IN_POLVIO] + ipsecstats[IPSEC_STAT_OUT_POLVIO],
217 ipsecstats[IPSEC_STAT_IN_POLVIO], ipsecstats[IPSEC_STAT_OUT_POLVIO]);
218 STAT(ipsecstats[IPSEC_STAT_OUT_NOSA], "no SA found (output)");
219 STAT(ipsecstats[IPSEC_STAT_OUT_NOMEM], "no memory available (output)");
220 STAT(ipsecstats[IPSEC_STAT_OUT_NOROUTE], "no route available (output)");
221 STAT(ipsecstats[IPSEC_STAT_OUT_INVAL], "generic errors (output)");
222 STAT(ipsecstats[IPSEC_STAT_OUT_BUNDLESA], "bundled SA processed (output)");
223 STAT(ipsecstats[IPSEC_STAT_SPDCACHELOOKUP], "SPD cache lookups");
224 STAT(ipsecstats[IPSEC_STAT_SPDCACHEMISS], "SPD cache misses");
225 #undef STAT
226 printf("\n");
227
228 printf("IPsec ah:\n");
229 #define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" ah " fmt "\n", x)
230 AHSTAT(ahstats[AH_STAT_INPUT], "input packets processed");
231 AHSTAT(ahstats[AH_STAT_OUTPUT], "output packets processed");
232 AHSTAT(ahstats[AH_STAT_HDROPS], "headers too short");
233 AHSTAT(ahstats[AH_STAT_NOPF], "headers for unsupported address family");
234 AHSTAT(ahstats[AH_STAT_NOTDB], "packets with no SA");
235 AHSTAT(ahstats[AH_STAT_BADKCR], "packets dropped by crypto returning NULL mbuf");
236 AHSTAT(ahstats[AH_STAT_BADAUTH], "packets with bad authentication");
237 AHSTAT(ahstats[AH_STAT_NOXFORM], "packets with no xform");
238 AHSTAT(ahstats[AH_STAT_QFULL], "packets dropped due to queue full");
239 AHSTAT(ahstats[AH_STAT_WRAP], "packets dropped for replay counter wrap");
240 AHSTAT(ahstats[AH_STAT_REPLAY], "packets dropped for possible replay");
241 AHSTAT(ahstats[AH_STAT_BADAUTHL],"packets dropped for bad authenticator length");
242 AHSTAT(ahstats[AH_STAT_INVALID], "packets with an invalid SA");
243 AHSTAT(ahstats[AH_STAT_TOOBIG], "packets too big");
244 AHSTAT(ahstats[AH_STAT_PDROPS], "packets blocked due to policy");
245 AHSTAT(ahstats[AH_STAT_CRYPTO], "failed crypto requests");
246 AHSTAT(ahstats[AH_STAT_TUNNEL], "tunnel sanity check failures");
247
248 printf("\tah histogram:\n");
249 for (i = 0; i < AH_ALG_MAX; i++)
250 if (ahstats[AH_STAT_HIST + i])
251 printf("\t\tah packets with %s: %"PRIu64"\n"
252 , algname(i, aalgs, N(aalgs))
253 , ahstats[AH_STAT_HIST + i]
254 );
255 AHSTAT(ahstats[AH_STAT_IBYTES], "bytes received");
256 AHSTAT(ahstats[AH_STAT_OBYTES], "bytes transmitted");
257 #undef AHSTAT
258 printf("\n");
259
260 printf("IPsec esp:\n");
261 #define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" esp " fmt "\n", x)
262 ESPSTAT(espstats[ESP_STAT_INPUT],"input packets processed");
263 ESPSTAT(espstats[ESP_STAT_OUTPUT],"output packets processed");
264 ESPSTAT(espstats[ESP_STAT_HDROPS],"headers too short");
265 ESPSTAT(espstats[ESP_STAT_NOPF], "headers for unsupported address family");
266 ESPSTAT(espstats[ESP_STAT_NOTDB],"packets with no SA");
267 ESPSTAT(espstats[ESP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf");
268 ESPSTAT(espstats[ESP_STAT_QFULL],"packets dropped due to queue full");
269 ESPSTAT(espstats[ESP_STAT_NOXFORM],"packets with no xform");
270 ESPSTAT(espstats[ESP_STAT_BADILEN],"packets with bad ilen");
271 ESPSTAT(espstats[ESP_STAT_BADENC],"packets with bad encryption");
272 ESPSTAT(espstats[ESP_STAT_BADAUTH],"packets with bad authentication");
273 ESPSTAT(espstats[ESP_STAT_WRAP], "packets dropped for replay counter wrap");
274 ESPSTAT(espstats[ESP_STAT_REPLAY],"packets dropped for possible replay");
275 ESPSTAT(espstats[ESP_STAT_INVALID],"packets with an invalid SA");
276 ESPSTAT(espstats[ESP_STAT_TOOBIG],"packets too big");
277 ESPSTAT(espstats[ESP_STAT_PDROPS],"packets blocked due to policy");
278 ESPSTAT(espstats[ESP_STAT_CRYPTO],"failed crypto requests");
279 ESPSTAT(espstats[ESP_STAT_TUNNEL],"tunnel sanity check failures");
280 printf("\tesp histogram:\n");
281 for (i = 0; i < ESP_ALG_MAX; i++)
282 if (espstats[ESP_STAT_HIST + i])
283 printf("\t\tesp packets with %s: %"PRIu64"\n"
284 , algname(i, espalgs, N(espalgs))
285 , espstats[ESP_STAT_HIST + i]
286 );
287 ESPSTAT(espstats[ESP_STAT_IBYTES], "bytes received");
288 ESPSTAT(espstats[ESP_STAT_OBYTES], "bytes transmitted");
289 #undef ESPSTAT
290 printf("IPsec ipip:\n");
291
292 #define IPIPSTAT(x,fmt) \
293 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipip " fmt "\n", x)
294 IPIPSTAT(ipips[IPIP_STAT_IPACKETS],"total input packets");
295 IPIPSTAT(ipips[IPIP_STAT_OPACKETS],"total output packets");
296 IPIPSTAT(ipips[IPIP_STAT_HDROPS],"packets too short for header length");
297 IPIPSTAT(ipips[IPIP_STAT_QFULL],"packets dropped due to queue full");
298 IPIPSTAT(ipips[IPIP_STAT_PDROPS],"packets blocked due to policy");
299 IPIPSTAT(ipips[IPIP_STAT_SPOOF],"IP spoofing attempts");
300 IPIPSTAT(ipips[IPIP_STAT_FAMILY],"protocol family mismatched");
301 IPIPSTAT(ipips[IPIP_STAT_UNSPEC],"missing tunnel-endpoint address");
302 IPIPSTAT(ipips[IPIP_STAT_IBYTES],"input bytes received");
303 IPIPSTAT(ipips[IPIP_STAT_OBYTES],"output bytes processed");
304 #undef IPIPSTAT
305
306 printf("IPsec ipcomp:\n");
307 #define IPCOMP(x,fmt) \
308 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipcomp " fmt "\n", x)
309
310 IPCOMP(ipcs[IPCOMP_STAT_HDROPS],"packets too short for header length");
311 IPCOMP(ipcs[IPCOMP_STAT_NOPF], "protocol family not supported");
312 IPCOMP(ipcs[IPCOMP_STAT_NOTDB], "not db");
313 IPCOMP(ipcs[IPCOMP_STAT_BADKCR],"packets dropped by crypto returning NULL mbuf");
314 IPCOMP(ipcs[IPCOMP_STAT_QFULL], "queue full");
315 IPCOMP(ipcs[IPCOMP_STAT_NOXFORM],"no support for transform");
316 IPCOMP(ipcs[IPCOMP_STAT_WRAP], "packets dropped for replay counter wrap");
317 IPCOMP(ipcs[IPCOMP_STAT_INPUT], "input IPcomp packets");
318 IPCOMP(ipcs[IPCOMP_STAT_OUTPUT],"output IPcomp packets");
319 IPCOMP(ipcs[IPCOMP_STAT_INVALID],"specified an invalid TDB");
320 IPCOMP(ipcs[IPCOMP_STAT_TOOBIG],"packets decompressed as too big");
321 IPCOMP(ipcs[IPCOMP_STAT_MINLEN], "packets too short to be compressed");
322 IPCOMP(ipcs[IPCOMP_STAT_USELESS],"packet for which compression was useless");
323 IPCOMP(ipcs[IPCOMP_STAT_PDROPS],"packets blocked due to policy");
324 IPCOMP(ipcs[IPCOMP_STAT_CRYPTO],"failed crypto requests");
325
326 printf("\tIPcomp histogram:\n");
327 for (i = 0; i < IPCOMP_ALG_MAX; i++)
328 if (ipcs[IPCOMP_STAT_HIST + i])
329 printf("\t\tIPcomp packets with %s: %"PRIu64"\n"
330 , algname(i, ipcompalgs, N(ipcompalgs))
331 , ipcs[IPCOMP_STAT_HIST + i]
332 );
333 IPCOMP(ipcs[IPCOMP_STAT_IBYTES],"input bytes");
334 IPCOMP(ipcs[IPCOMP_STAT_OBYTES],"output bytes");
335 #undef IPCOMP
336 }
NetBSD on the FriendlyARM MINI2440