d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,

Browse Source 
PFKEY.

MFC after:	2 weeks
This commit is contained in:
Andrey V. Elsukov 2013-06-20 11:44:16 +00:00
parent 6659296cb0
commit a04d64d875
13 changed files with 194 additions and 202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/netipsec/ah_var.h
View File

@ -75,6 +75,8 @@ VNET_DECLARE(int, ah_enable);
VNET_DECLARE(int, ah_cleartos);
VNET_DECLARE(struct ahstat, ahstat);
#define AHSTAT_ADD(name, val) V_ahstat.name += (val)
#define AHSTAT_INC(name) AHSTAT_ADD(name, 1)
#define V_ah_enable VNET(ah_enable)
#define V_ah_cleartos VNET(ah_cleartos)
#define V_ahstat VNET(ahstat)

2
sys/netipsec/esp_var.h
View File

@ -75,6 +75,8 @@ struct espstat {
VNET_DECLARE(int, esp_enable);
VNET_DECLARE(struct espstat, espstat);
#define ESPSTAT_ADD(name, val) V_espstat.name += (val)
#define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1)
#define V_esp_enable VNET(esp_enable)
#define V_espstat VNET(espstat)
#endif /* _KERNEL */

2
sys/netipsec/ipcomp_var.h
View File

@ -68,6 +68,8 @@ struct ipcompstat {
VNET_DECLARE(int, ipcomp_enable);
VNET_DECLARE(struct ipcompstat, ipcompstat);
#define IPCOMPSTAT_ADD(name, val) V_ipcompstat.name += (val)
#define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1)
#define V_ipcomp_enable VNET(ipcomp_enable)
#define V_ipcompstat VNET(ipcompstat)
#endif /* _KERNEL */

2
sys/netipsec/ipip_var.h
View File

@ -62,6 +62,8 @@ struct ipipstat
VNET_DECLARE(int, ipip_allow);
VNET_DECLARE(struct ipipstat, ipipstat);
#define IPIPSTAT_ADD(name, val) V_ipipstat.name += (val)
#define IPIPSTAT_INC(name) IPIPSTAT_ADD(name, 1)
#define V_ipip_allow VNET(ipip_allow)
#define V_ipipstat VNET(ipipstat)
#endif /* _KERNEL */

84
sys/netipsec/ipsec_input.c
View File

@ -99,8 +99,14 @@
#endif
#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
(p) == IPPROTO_AH ? (y)++ : (z)++)
#define IPSEC_ISTAT(proto, name) do { \
if ((proto) == IPPROTO_ESP) \
ESPSTAT_INC(esps_##name); \
else if ((proto) == IPPROTO_AH) \
AHSTAT_INC(ahs_##name); \
else \
IPCOMPSTAT_INC(ipcomps_##name); \
} while (0)
#ifdef INET
static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
@ -125,8 +131,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
#endif
#endif
IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
V_ipcompstat.ipcomps_input);
IPSEC_ISTAT(sproto, input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@ -138,15 +143,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
(sproto == IPPROTO_AH && !V_ah_enable) ||
(sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
V_ipcompstat.ipcomps_pdrops);
IPSEC_ISTAT(sproto, pdrops);
return EOPNOTSUPP;
}
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
}
@ -197,8 +200,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
default:
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
V_ipcompstat.ipcomps_nopf);
IPSEC_ISTAT(sproto, nopf);
return EPFNOSUPPORT;
}
@ -208,8 +210,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
V_ipcompstat.ipcomps_notdb);
IPSEC_ISTAT(sproto, notdb);
m_freem(m);
return ENOENT;
}
@ -218,8 +219,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
V_ipcompstat.ipcomps_noxform);
IPSEC_ISTAT(sproto, noxform);
KEY_FREESAV(&sav);
m_freem(m);
return ENXIO;
@ -321,8 +321,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
V_ipcompstat.ipcomps_badkcr);
IPSEC_ISTAT(sproto, badkcr);
KEY_FREESAV(&sav);
return EINVAL;
}
@ -336,8 +335,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = ENOBUFS;
goto bad;
}
@ -357,9 +355,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@ -388,9 +384,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsp_address(saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops,
V_ipcompstat.ipcomps_pdrops);
IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@ -401,9 +395,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@ -430,9 +422,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops,
V_ipcompstat.ipcomps_pdrops);
IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@ -453,8 +443,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = ENOMEM;
goto bad;
}
@ -494,9 +483,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
* Re-dispatch via software interrupt.
*/
if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) {
IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
V_ipcompstat.ipcomps_qfull);
IPSEC_ISTAT(sproto, qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
__func__, sproto));
return error;
@ -548,9 +535,7 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
if (protoff + l != *offp) {
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(proto, hdrops);
m_freem(*mp);
*mp = NULL;
return IPPROTO_DONE;
@ -595,8 +580,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
V_ipcompstat.ipcomps_badkcr);
IPSEC_ISTAT(sproto, badkcr);
error = EINVAL;
goto bad;
}
@ -609,8 +593,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = EACCES;
goto bad;
}
@ -628,9 +611,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@ -655,8 +636,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@ -668,9 +648,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@ -697,8 +675,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@ -718,8 +695,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
IPSEC_ISTAT(sproto, hdrops);
error = ENOMEM;
goto bad;
}

16
sys/netipsec/ipsec_output.c
View File

@ -276,8 +276,14 @@ ipsec_nextisr(
int *error
)
{
#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
#define IPSEC_OSTAT(name) do { \
if (isr->saidx.proto == IPPROTO_ESP) \
ESPSTAT_INC(esps_##name); \
else if (isr->saidx.proto == IPPROTO_AH)\
AHSTAT_INC(ahs_##name); \
else \
IPCOMPSTAT_INC(ipcomps_##name); \
} while (0)
struct secasvar *sav;
IPSECREQUEST_LOCK_ASSERT(isr);
@ -385,8 +391,7 @@ again:
(isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
V_ipcompstat.ipcomps_pdrops);
IPSEC_OSTAT(pdrops);
*error = EHOSTUNREACH;
goto bad;
}
@ -397,8 +402,7 @@ again:
*/
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: no transform for SA\n", __func__));
IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
V_ipcompstat.ipcomps_noxform);
IPSEC_OSTAT(noxform);
*error = EHOSTUNREACH;
goto bad;
}

38
sys/netipsec/key.c
View File

@ -7316,7 +7316,7 @@ key_parse(m, so)
if ((m->m_flags & M_PKTHDR) == 0 ||
m->m_pkthdr.len != m->m_pkthdr.len) {
ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
V_pfkeystat.out_invlen++;
PFKEYSTAT_INC(out_invlen);
error = EINVAL;
goto senderror;
}
@ -7324,7 +7324,7 @@ key_parse(m, so)
if (msg->sadb_msg_version != PF_KEY_V2) {
ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
__func__, msg->sadb_msg_version));
V_pfkeystat.out_invver++;
PFKEYSTAT_INC(out_invver);
error = EINVAL;
goto senderror;
}
@ -7332,7 +7332,7 @@ key_parse(m, so)
if (msg->sadb_msg_type > SADB_MAX) {
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_type));
V_pfkeystat.out_invmsgtype++;
PFKEYSTAT_INC(out_invmsgtype);
error = EINVAL;
goto senderror;
}
@ -7385,7 +7385,7 @@ key_parse(m, so)
ipseclog((LOG_DEBUG, "%s: must specify satype "
"when msg type=%u.\n", __func__,
msg->sadb_msg_type));
V_pfkeystat.out_invsatype++;
PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@ -7405,7 +7405,7 @@ key_parse(m, so)
case SADB_X_SPDDELETE2:
ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
__func__, msg->sadb_msg_type));
V_pfkeystat.out_invsatype++;
PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@ -7416,7 +7416,7 @@ key_parse(m, so)
case SADB_SATYPE_MIP:
ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
__func__, msg->sadb_msg_satype));
V_pfkeystat.out_invsatype++;
PFKEYSTAT_INC(out_invsatype);
error = EOPNOTSUPP;
goto senderror;
case 1: /* XXX: What does it do? */
@ -7426,7 +7426,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_satype));
V_pfkeystat.out_invsatype++;
PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@ -7444,7 +7444,7 @@ key_parse(m, so)
if (src0->sadb_address_proto != dst0->sadb_address_proto) {
ipseclog((LOG_DEBUG, "%s: upper layer protocol "
"mismatched.\n", __func__));
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7454,7 +7454,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_family) {
ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
__func__));
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7462,7 +7462,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_len) {
ipseclog((LOG_DEBUG, "%s: address struct size "
"mismatched.\n", __func__));
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7471,7 +7471,7 @@ key_parse(m, so)
case AF_INET:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in)) {
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7479,7 +7479,7 @@ key_parse(m, so)
case AF_INET6:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in6)) {
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7487,7 +7487,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
__func__));
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EAFNOSUPPORT;
goto senderror;
}
@ -7509,7 +7509,7 @@ key_parse(m, so)
dst0->sadb_address_prefixlen > plen) {
ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
__func__));
V_pfkeystat.out_invaddr++;
PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@ -7522,7 +7522,7 @@ key_parse(m, so)
if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) ||
key_typesw[msg->sadb_msg_type] == NULL) {
V_pfkeystat.out_invmsgtype++;
PFKEYSTAT_INC(out_invmsgtype);
error = EINVAL;
goto senderror;
}
@ -7624,7 +7624,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
"%u\n", __func__, ext->sadb_ext_type));
m_freem(m);
V_pfkeystat.out_dupext++;
PFKEYSTAT_INC(out_dupext);
return EINVAL;
}
break;
@ -7632,7 +7632,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
__func__, ext->sadb_ext_type));
m_freem(m);
V_pfkeystat.out_invexttype++;
PFKEYSTAT_INC(out_invexttype);
return EINVAL;
}
@ -7640,7 +7640,7 @@ key_align(m, mhp)
if (key_validate_ext(ext, extlen)) {
m_freem(m);
V_pfkeystat.out_invlen++;
PFKEYSTAT_INC(out_invlen);
return EINVAL;
}
@ -7658,7 +7658,7 @@ key_align(m, mhp)
if (off != end) {
m_freem(m);
V_pfkeystat.out_invlen++;
PFKEYSTAT_INC(out_invlen);
return EINVAL;
}

48
sys/netipsec/keysock.c
View File

@ -91,19 +91,19 @@ key_output(struct mbuf *m, struct socket *so)
if (m == 0)
panic("%s: NULL pointer was passed.\n", __func__);
V_pfkeystat.out_total++;
V_pfkeystat.out_bytes += m->m_pkthdr.len;
PFKEYSTAT_INC(out_total);
PFKEYSTAT_ADD(out_bytes, m->m_pkthdr.len);
len = m->m_pkthdr.len;
if (len < sizeof(struct sadb_msg)) {
V_pfkeystat.out_tooshort++;
PFKEYSTAT_INC(out_tooshort);
error = EINVAL;
goto end;
}
if (m->m_len < sizeof(struct sadb_msg)) {
if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
V_pfkeystat.out_nomem++;
PFKEYSTAT_INC(out_nomem);
error = ENOBUFS;
goto end;
}
@ -114,9 +114,9 @@ key_output(struct mbuf *m, struct socket *so)
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
msg = mtod(m, struct sadb_msg *);
V_pfkeystat.out_msgtype[msg->sadb_msg_type]++;
PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]);
if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
V_pfkeystat.out_invlen++;
PFKEYSTAT_INC(out_invlen);
error = EINVAL;
goto end;
}
@ -147,7 +147,7 @@ key_sendup0(rp, m, promisc)
if (m && m->m_len < sizeof(struct sadb_msg))
m = m_pullup(m, sizeof(struct sadb_msg));
if (!m) {
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
m_freem(m);
return ENOBUFS;
}
@ -160,12 +160,12 @@ key_sendup0(rp, m, promisc)
pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
/* pid and seq? */
V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
PFKEYSTAT_INC(in_msgtype[pmsg->sadb_msg_type]);
}
if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
m, NULL)) {
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
m_freem(m);
error = ENOBUFS;
} else
@ -197,9 +197,9 @@ key_sendup(so, msg, len, target)
* we increment statistics here, just in case we have ENOBUFS
* in this function.
*/
V_pfkeystat.in_total++;
V_pfkeystat.in_bytes += len;
V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
PFKEYSTAT_INC(in_total);
PFKEYSTAT_ADD(in_bytes, len);
PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
/*
* Get mbuf chain whenever possible (not clusters),
@ -216,14 +216,14 @@ key_sendup(so, msg, len, target)
if (tlen == len) {
MGETHDR(n, M_NOWAIT, MT_DATA);
if (n == NULL) {
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MHLEN;
} else {
MGET(n, M_NOWAIT, MT_DATA);
if (n == NULL) {
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MLEN;
@ -233,7 +233,7 @@ key_sendup(so, msg, len, target)
if ((n->m_flags & M_EXT) == 0) {
m_free(n);
m_freem(m);
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MCLBYTES;
@ -256,9 +256,9 @@ key_sendup(so, msg, len, target)
m_copyback(m, 0, len, (caddr_t)msg);
/* avoid duplicated statistics */
V_pfkeystat.in_total--;
V_pfkeystat.in_bytes -= len;
V_pfkeystat.in_msgtype[msg->sadb_msg_type]--;
PFKEYSTAT_ADD(in_total, -1);
PFKEYSTAT_ADD(in_bytes, -len);
PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1);
return key_sendup_mbuf(so, m, target);
}
@ -281,19 +281,19 @@ key_sendup_mbuf(so, m, target)
if (so == NULL && target == KEY_SENDUP_ONE)
panic("%s: NULL pointer was passed.\n", __func__);
V_pfkeystat.in_total++;
V_pfkeystat.in_bytes += m->m_pkthdr.len;
PFKEYSTAT_INC(in_total);
PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len);
if (m->m_len < sizeof(struct sadb_msg)) {
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
}
mtx_lock(&rawcb_mtx);
LIST_FOREACH(rp, &V_rawcb_list, list)
@ -338,14 +338,14 @@ key_sendup_mbuf(so, m, target)
sendup++;
break;
}
V_pfkeystat.in_msgtarget[target]++;
PFKEYSTAT_INC(in_msgtarget[target]);
if (!sendup)
continue;
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
m_freem(m);
V_pfkeystat.in_nomem++;
PFKEYSTAT_INC(in_nomem);
mtx_unlock(&rawcb_mtx);
return ENOBUFS;
}

2
sys/netipsec/keysock.h
View File

@ -70,6 +70,8 @@ struct keycb {
};
VNET_DECLARE(struct pfkeystat, pfkeystat);
#define PFKEYSTAT_ADD(name, val) V_pfkeystat.name += (val)
#define PFKEYSTAT_INC(name) PFKEYSTAT_ADD(name, 1)
#define V_pfkeystat VNET(pfkeystat)
extern int key_output(struct mbuf *m, struct socket *so);

52
sys/netipsec/xform_ah.c
View File

@ -583,14 +583,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
V_ahstat.ahs_hdrops++; /*XXX*/
AHSTAT_INC(ahs_hdrops); /*XXX*/
m_freem(m);
return ENOBUFS;
}
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
V_ahstat.ahs_replay++;
AHSTAT_INC(ahs_replay);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
@ -607,17 +607,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_badauthl++;
AHSTAT_INC(ahs_badauthl);
m_freem(m);
return EACCES;
}
V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
m_freem(m);
return ENOBUFS;
}
@ -657,7 +657,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
}
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
@ -681,7 +681,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
V_ahstat.ahs_hdrops++;
AHSTAT_INC(ahs_hdrops);
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
@ -760,19 +760,19 @@ ah_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN)
return (crypto_dispatch(crp));
V_ahstat.ahs_noxform++;
AHSTAT_INC(ahs_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
V_ahstat.ahs_hist[sav->alg_auth]++;
AHSTAT_INC(ahs_hist[sav->alg_auth]);
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
/* Shouldn't happen... */
if (m == NULL) {
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
@ -798,7 +798,7 @@ ah_input_cb(struct cryptop *crp)
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_badauth++;
AHSTAT_INC(ahs_badauth);
error = EACCES;
goto bad;
}
@ -829,7 +829,7 @@ ah_input_cb(struct cryptop *crp)
m_copydata(m, skip + offsetof(struct newah, ah_seq),
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
V_ahstat.ahs_replay++;
AHSTAT_INC(ahs_replay);
error = ENOBUFS; /*XXX as above*/
goto bad;
}
@ -843,7 +843,7 @@ ah_input_cb(struct cryptop *crp)
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
V_ahstat.ahs_hdrops++;
AHSTAT_INC(ahs_hdrops);
goto bad;
}
@ -904,7 +904,7 @@ ah_output(
ahx = sav->tdb_authalgxform;
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
V_ahstat.ahs_output++;
AHSTAT_INC(ahs_output);
/* Figure out header size. */
rplen = HDRSIZE(sav);
@ -927,7 +927,7 @@ ah_output(
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_nopf++;
AHSTAT_INC(ahs_nopf);
error = EPFNOSUPPORT;
goto bad;
}
@ -938,20 +938,20 @@ ah_output(
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
V_ahstat.ahs_toobig++;
AHSTAT_INC(ahs_toobig);
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_hdrops++;
AHSTAT_INC(ahs_hdrops);
error = ENOBUFS;
goto bad;
}
@ -964,7 +964,7 @@ ah_output(
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */
AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */
error = ENOBUFS;
goto bad;
}
@ -992,7 +992,7 @@ ah_output(
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_ahstat.ahs_wrap++;
AHSTAT_INC(ahs_wrap);
error = EINVAL;
goto bad;
}
@ -1009,7 +1009,7 @@ ah_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
error = ENOBUFS;
goto bad;
}
@ -1031,7 +1031,7 @@ ah_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
error = ENOBUFS;
goto bad;
}
@ -1135,7 +1135,7 @@ ah_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
V_ahstat.ahs_notdb++;
AHSTAT_INC(ahs_notdb);
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@ -1151,7 +1151,7 @@ ah_output_cb(struct cryptop *crp)
return (crypto_dispatch(crp));
}
V_ahstat.ahs_noxform++;
AHSTAT_INC(ahs_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@ -1159,12 +1159,12 @@ ah_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
V_ahstat.ahs_crypto++;
AHSTAT_INC(ahs_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
V_ahstat.ahs_hist[sav->alg_auth]++;
AHSTAT_INC(ahs_hist[sav->alg_auth]);
/*
* Copy original headers (with the new protocol number) back

56
sys/netipsec/xform_esp.c
View File

@ -279,7 +279,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if ( (skip&3) || (m->m_pkthdr.len&3) ){
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
__func__, skip, m->m_pkthdr.len));
V_espstat.esps_badilen++;
ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
}
@ -325,7 +325,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
V_espstat.esps_badilen++;
ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
}
@ -336,13 +336,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
V_espstat.esps_replay++;
ESPSTAT_INC(esps_replay);
m_freem(m);
return ENOBUFS; /*XXX*/
}
/* Update the counters */
V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
/* Find out if we've already done crypto */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@ -361,7 +361,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@ -376,7 +376,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@ -492,7 +492,7 @@ esp_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN)
return (crypto_dispatch(crp));
V_espstat.esps_noxform++;
ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@ -500,12 +500,12 @@ esp_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
V_espstat.esps_hist[sav->alg_enc]++;
ESPSTAT_INC(esps_hist[sav->alg_enc]);
/* If authentication was performed, check now. */
if (esph != NULL) {
@ -524,7 +524,7 @@ esp_input_cb(struct cryptop *crp)
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
V_ahstat.ahs_hist[sav->alg_auth]++;
AHSTAT_INC(ahs_hist[sav->alg_auth]);
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - alen,
@ -539,7 +539,7 @@ esp_input_cb(struct cryptop *crp)
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_espstat.esps_badauth++;
ESPSTAT_INC(esps_badauth);
error = EACCES;
goto bad;
}
@ -569,7 +569,7 @@ esp_input_cb(struct cryptop *crp)
if (ipsec_updatereplay(ntohl(seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav)));
V_espstat.esps_replay++;
ESPSTAT_INC(esps_replay);
error = ENOBUFS;
goto bad;
}
@ -584,7 +584,7 @@ esp_input_cb(struct cryptop *crp)
/* Remove the ESP header and IV from the mbuf. */
error = m_striphdr(m, skip, hlen);
if (error) {
V_espstat.esps_hdrops++;
ESPSTAT_INC(esps_hdrops);
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -596,7 +596,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
V_espstat.esps_badilen++;
ESPSTAT_INC(esps_badilen);
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
@ -609,7 +609,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify correct decryption by checking the last padding bytes */
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
V_espstat.esps_badenc++;
ESPSTAT_INC(esps_badenc);
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@ -716,7 +716,7 @@ esp_output(
else
alen = 0;
V_espstat.esps_output++;
ESPSTAT_INC(esps_output);
saidx = &sav->sah->saidx;
/* Check for maximum packet size violations. */
@ -736,7 +736,7 @@ esp_output(
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_espstat.esps_nopf++;
ESPSTAT_INC(esps_nopf);
error = EPFNOSUPPORT;
goto bad;
}
@ -745,19 +745,19 @@ esp_output(
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
V_espstat.esps_toobig++;
ESPSTAT_INC(esps_toobig);
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
V_espstat.esps_obytes += m->m_pkthdr.len - skip;
ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
V_espstat.esps_hdrops++;
ESPSTAT_INC(esps_hdrops);
error = ENOBUFS;
goto bad;
}
@ -768,7 +768,7 @@ esp_output(
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_espstat.esps_hdrops++; /* XXX diffs from openbsd */
ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */
error = ENOBUFS;
goto bad;
}
@ -832,7 +832,7 @@ esp_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@ -861,7 +861,7 @@ esp_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@ -922,7 +922,7 @@ esp_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
V_espstat.esps_notdb++;
ESPSTAT_INC(esps_notdb);
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
@ -941,7 +941,7 @@ esp_output_cb(struct cryptop *crp)
return (crypto_dispatch(crp));
}
V_espstat.esps_noxform++;
ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@ -949,14 +949,14 @@ esp_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
V_espstat.esps_crypto++;
ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
V_espstat.esps_hist[sav->alg_enc]++;
ESPSTAT_INC(esps_hist[sav->alg_enc]);
if (sav->tdb_authalgxform != NULL)
V_ahstat.ahs_hist[sav->alg_auth]++;
AHSTAT_INC(ahs_hist[sav->alg_auth]);
/* Release crypto descriptors. */
free(tc, M_XDATA);

49
sys/netipsec/xform_ipcomp.c
View File

@ -152,7 +152,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
* compression it means someone is playing tricks on us.
*/
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
V_ipcompstat.ipcomps_hdrops++; /*XXX*/
IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
return (ENOBUFS);
}
@ -160,7 +160,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ipcomp = (struct ipcomp *)addr;
if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
m_freem(m);
V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */
IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */
DPRINTF(("%s: recursive compression detected\n", __func__));
return (EINVAL);
}
@ -170,7 +170,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
m_freem(m);
DPRINTF(("%s: no crypto descriptors\n", __func__));
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
return ENOBUFS;
}
/* Get IPsec-specific opaque pointer */
@ -179,7 +179,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
m_freem(m);
crypto_freereq(crp);
DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
return ENOBUFS;
}
crdc = crp->crp_desc;
@ -256,19 +256,19 @@ ipcomp_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN) {
return crypto_dispatch(crp);
}
V_ipcompstat.ipcomps_noxform++;
IPCOMPSTAT_INC(ipcomps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
error = EINVAL;
goto bad;
}
V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
clen = crp->crp_olen; /* Length of data after processing */
@ -280,7 +280,7 @@ ipcomp_input_cb(struct cryptop *crp)
m->m_pkthdr.len = clen + hlen + skip;
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
V_ipcompstat.ipcomps_hdrops++; /*XXX*/
IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
error = EINVAL; /*XXX*/
goto bad;
@ -293,7 +293,7 @@ ipcomp_input_cb(struct cryptop *crp)
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
if (error) {
V_ipcompstat.ipcomps_hdrops++;
IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -364,12 +364,12 @@ ipcomp_output(
* See RFC 3173, 2.2. Non-Expansion Policy.
*/
if (m->m_pkthdr.len <= ipcompx->minlen) {
V_ipcompstat.ipcomps_threshold++;
IPCOMPSTAT_INC(ipcomps_threshold);
return ipsec_process_done(m, isr);
}
ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
V_ipcompstat.ipcomps_output++;
IPCOMPSTAT_INC(ipcomps_output);
/* Check for maximum packet size violations. */
switch (sav->sah->saidx.dst.sa.sa_family) {
@ -384,7 +384,7 @@ ipcomp_output(
break;
#endif /* INET6 */
default:
V_ipcompstat.ipcomps_nopf++;
IPCOMPSTAT_INC(ipcomps_nopf);
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@ -394,7 +394,7 @@ ipcomp_output(
goto bad;
}
if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
V_ipcompstat.ipcomps_toobig++;
IPCOMPSTAT_INC(ipcomps_toobig);
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@ -405,11 +405,11 @@ ipcomp_output(
}
/* Update the counters */
V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
V_ipcompstat.ipcomps_hdrops++;
IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -422,7 +422,7 @@ ipcomp_output(
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
error = ENOBUFS;
goto bad;
@ -442,7 +442,7 @@ ipcomp_output(
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
crypto_freereq(crp);
error = ENOBUFS;
@ -495,7 +495,7 @@ ipcomp_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
V_ipcompstat.ipcomps_notdb++;
IPCOMPSTAT_INC(ipcomps_notdb);
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@ -511,19 +511,19 @@ ipcomp_output_cb(struct cryptop *crp)
IPSECREQUEST_UNLOCK(isr);
return crypto_dispatch(crp);
}
V_ipcompstat.ipcomps_noxform++;
IPCOMPSTAT_INC(ipcomps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
V_ipcompstat.ipcomps_crypto++;
IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
if (crp->crp_ilen - skip > crp->crp_olen) {
struct mbuf *mo;
@ -534,7 +534,7 @@ ipcomp_output_cb(struct cryptop *crp)
/* Compression helped, inject IPCOMP header. */
mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
if (mo == NULL) {
V_ipcompstat.ipcomps_wrap++;
IPCOMPSTAT_INC(ipcomps_wrap);
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -579,7 +579,7 @@ ipcomp_output_cb(struct cryptop *crp)
break;
#endif /* INET6 */
default:
V_ipcompstat.ipcomps_nopf++;
IPCOMPSTAT_INC(ipcomps_nopf);
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@ -590,7 +590,7 @@ ipcomp_output_cb(struct cryptop *crp)
}
} else {
/* Compression was useless, we have lost time. */
V_ipcompstat.ipcomps_uncompr++;
IPCOMPSTAT_INC(ipcomps_uncompr);
DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
__func__, crp->crp_ilen, skip, crp->crp_olen));
/* XXX remember state to not compress the next couple
@ -636,6 +636,7 @@ static void
vnet_ipcomp_attach(const void *unused __unused)
{
/* XXX */
V_ipcompstat.version = IPCOMPSTAT_VERSION;
}

43
sys/netipsec/xform_ipip.c
View File

@ -115,7 +115,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto)
/* If we do not accept IP-in-IP explicitly, drop. */
if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
V_ipipstat.ipips_pdrops++;
IPIPSTAT_INC(ipips_pdrops);
m_freem(*m);
return IPPROTO_DONE;
}
@ -136,7 +136,7 @@ ip4_input(struct mbuf *m, int off)
/* If we do not accept IP-in-IP explicitly, drop. */
if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
V_ipipstat.ipips_pdrops++;
IPIPSTAT_INC(ipips_pdrops);
m_freem(m);
return;
}
@ -172,7 +172,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
u_int8_t v;
int hlen;
V_ipipstat.ipips_ipackets++;
IPIPSTAT_INC(ipips_ipackets);
m_copydata(m, 0, 1, &v);
@ -188,7 +188,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
V_ipipstat.ipips_family++;
IPIPSTAT_INC(ipips_family);
m_freem(m);
return /* EAFNOSUPPORT */;
}
@ -197,7 +197,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (1) failed\n", __func__));
V_ipipstat.ipips_hdrops++;
IPIPSTAT_INC(ipips_hdrops);
return;
}
}
@ -234,7 +234,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Sanity check */
if (m->m_pkthdr.len < sizeof(struct ip)) {
V_ipipstat.ipips_hdrops++;
IPIPSTAT_INC(ipips_hdrops);
m_freem(m);
return;
}
@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
V_ipipstat.ipips_family++;
IPIPSTAT_INC(ipips_family);
m_freem(m);
return; /* EAFNOSUPPORT */
}
@ -265,7 +265,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (2) failed\n", __func__));
V_ipipstat.ipips_hdrops++;
IPIPSTAT_INC(ipips_hdrops);
return;
}
}
@ -316,7 +316,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (sin->sin_addr.s_addr ==
ipo->ip_src.s_addr) {
V_ipipstat.ipips_spoof++;
IPIPSTAT_INC(ipips_spoof);
m_freem(m);
IFNET_RUNLOCK_NOSLEEP();
return;
@ -333,7 +333,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
V_ipipstat.ipips_spoof++;
IPIPSTAT_INC(ipips_spoof);
m_freem(m);
IFNET_RUNLOCK_NOSLEEP();
return;
@ -347,7 +347,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
/* Statistics */
V_ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen);
#ifdef DEV_ENC
switch (v >> 4) {
@ -393,7 +393,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
if (netisr_queue(isr, m)) { /* (0) on success. */
V_ipipstat.ipips_qfull++;
IPIPSTAT_INC(ipips_qfull);
DPRINTF(("%s: packet dropped because of full queue\n",
__func__));
}
@ -442,7 +442,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_ipipstat.ipips_unspec++;
IPIPSTAT_INC(ipips_unspec);
error = EINVAL;
goto bad;
}
@ -450,7 +450,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip), M_NOWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
V_ipipstat.ipips_hdrops++;
IPIPSTAT_INC(ipips_hdrops);
error = ENOBUFS;
goto bad;
}
@ -522,7 +522,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
V_ipipstat.ipips_unspec++;
IPIPSTAT_INC(ipips_unspec);
error = ENOBUFS;
goto bad;
}
@ -537,7 +537,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
V_ipipstat.ipips_hdrops++;
IPIPSTAT_INC(ipips_hdrops);
error = ENOBUFS;
goto bad;
}
@ -591,12 +591,12 @@ ipip_output(
nofamily:
DPRINTF(("%s: unsupported protocol family %u\n", __func__,
saidx->dst.sa.sa_family));
V_ipipstat.ipips_family++;
IPIPSTAT_INC(ipips_family);
error = EAFNOSUPPORT; /* XXX diffs from openbsd */
goto bad;
}
V_ipipstat.ipips_opackets++;
IPIPSTAT_INC(ipips_opackets);
*mp = m;
#ifdef INET
@ -606,7 +606,8 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip);
#endif
V_ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip);
IPIPSTAT_ADD(ipips_obytes,
m->m_pkthdr.len - sizeof(struct ip));
}
#endif /* INET */
@ -617,8 +618,8 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip6_hdr);
#endif
V_ipipstat.ipips_obytes +=
m->m_pkthdr.len - sizeof(struct ip6_hdr);
IPIPSTAT_ADD(ipips_obytes,
m->m_pkthdr.len - sizeof(struct ip6_hdr));
}
#endif /* INET6 */