Use IPSECSTAT_INC() and IPSEC6STAT_INC() macros for ipsec statistics
accounting. MFC after: 2 weeks
parent
10da02bc8d
commit
1e4c88cc8b
@ -950,12 +950,12 @@ findpcb:
|
|||||||
#ifdef IPSEC
|
#ifdef IPSEC
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
if (isipv6 && ipsec6_in_reject(m, inp)) {
|
if (isipv6 && ipsec6_in_reject(m, inp)) {
|
||||||
V_ipsec6stat.in_polvio++;
|
IPSEC6STAT_INC(in_polvio);
|
||||||
goto dropunlock;
|
goto dropunlock;
|
||||||
} else
|
} else
|
||||||
#endif /* INET6 */
|
#endif /* INET6 */
|
||||||
if (ipsec4_in_reject(m, inp) != 0) {
|
if (ipsec4_in_reject(m, inp) != 0) {
|
||||||
V_ipsec4stat.in_polvio++;
|
IPSECSTAT_INC(in_polvio);
|
||||||
goto dropunlock;
|
goto dropunlock;
|
||||||
}
|
}
|
||||||
#endif /* IPSEC */
|
#endif /* IPSEC */
|
||||||
|
@ -279,7 +279,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
|
|||||||
/* Check AH/ESP integrity. */
|
/* Check AH/ESP integrity. */
|
||||||
if (ipsec4_in_reject(n, inp)) {
|
if (ipsec4_in_reject(n, inp)) {
|
||||||
m_freem(n);
|
m_freem(n);
|
||||||
V_ipsec4stat.in_polvio++;
|
IPSECSTAT_INC(in_polvio);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#ifdef IPSEC_NAT_T
|
#ifdef IPSEC_NAT_T
|
||||||
@ -1291,7 +1291,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
|
|||||||
if (minlen > m->m_pkthdr.len)
|
if (minlen > m->m_pkthdr.len)
|
||||||
minlen = m->m_pkthdr.len;
|
minlen = m->m_pkthdr.len;
|
||||||
if ((m = m_pullup(m, minlen)) == NULL) {
|
if ((m = m_pullup(m, minlen)) == NULL) {
|
||||||
V_ipsec4stat.in_inval++;
|
IPSECSTAT_INC(in_inval);
|
||||||
return (NULL); /* Bypass caller processing. */
|
return (NULL); /* Bypass caller processing. */
|
||||||
}
|
}
|
||||||
data = mtod(m, caddr_t); /* Points to ip header. */
|
data = mtod(m, caddr_t); /* Points to ip header. */
|
||||||
@ -1331,7 +1331,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
|
|||||||
uint32_t spi;
|
uint32_t spi;
|
||||||
|
|
||||||
if (payload <= sizeof(struct esp)) {
|
if (payload <= sizeof(struct esp)) {
|
||||||
V_ipsec4stat.in_inval++;
|
IPSECSTAT_INC(in_inval);
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
return (NULL); /* Discard. */
|
return (NULL); /* Discard. */
|
||||||
}
|
}
|
||||||
@ -1352,7 +1352,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
|
|||||||
tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
|
tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
|
||||||
2 * sizeof(uint16_t), M_NOWAIT);
|
2 * sizeof(uint16_t), M_NOWAIT);
|
||||||
if (tag == NULL) {
|
if (tag == NULL) {
|
||||||
V_ipsec4stat.in_nomem++;
|
IPSECSTAT_INC(in_nomem);
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
return (NULL); /* Discard. */
|
return (NULL); /* Discard. */
|
||||||
}
|
}
|
||||||
|
@ -120,7 +120,7 @@ ip6_forward(struct mbuf *m, int srcrt)
|
|||||||
* before forwarding packet actually.
|
* before forwarding packet actually.
|
||||||
*/
|
*/
|
||||||
if (ipsec6_in_reject(m, NULL)) {
|
if (ipsec6_in_reject(m, NULL)) {
|
||||||
V_ipsec6stat.in_polvio++;
|
IPSEC6STAT_INC(in_polvio);
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -182,7 +182,7 @@ ip6_forward(struct mbuf *m, int srcrt)
|
|||||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
|
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
|
||||||
IP_FORWARDING, &error);
|
IP_FORWARDING, &error);
|
||||||
if (sp == NULL) {
|
if (sp == NULL) {
|
||||||
V_ipsec6stat.out_inval++;
|
IPSEC6STAT_INC(out_inval);
|
||||||
IP6STAT_INC(ip6s_cantforward);
|
IP6STAT_INC(ip6s_cantforward);
|
||||||
if (mcopy) {
|
if (mcopy) {
|
||||||
#if 0
|
#if 0
|
||||||
@ -203,7 +203,7 @@ ip6_forward(struct mbuf *m, int srcrt)
|
|||||||
/*
|
/*
|
||||||
* This packet is just discarded.
|
* This packet is just discarded.
|
||||||
*/
|
*/
|
||||||
V_ipsec6stat.out_polvio++;
|
IPSEC6STAT_INC(out_polvio);
|
||||||
IP6STAT_INC(ip6s_cantforward);
|
IP6STAT_INC(ip6s_cantforward);
|
||||||
KEY_FREESP(&sp);
|
KEY_FREESP(&sp);
|
||||||
if (mcopy) {
|
if (mcopy) {
|
||||||
|
@ -263,7 +263,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
|
|||||||
*/
|
*/
|
||||||
if (n && ipsec6_in_reject(n, last)) {
|
if (n && ipsec6_in_reject(n, last)) {
|
||||||
m_freem(n);
|
m_freem(n);
|
||||||
V_ipsec6stat.in_polvio++;
|
IPSEC6STAT_INC(in_polvio);
|
||||||
/* Do not inject data into pcb. */
|
/* Do not inject data into pcb. */
|
||||||
} else
|
} else
|
||||||
#endif /* IPSEC */
|
#endif /* IPSEC */
|
||||||
@ -295,7 +295,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
|
|||||||
*/
|
*/
|
||||||
if ((last != NULL) && ipsec6_in_reject(m, last)) {
|
if ((last != NULL) && ipsec6_in_reject(m, last)) {
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
V_ipsec6stat.in_polvio++;
|
IPSEC6STAT_INC(in_polvio);
|
||||||
IP6STAT_DEC(ip6s_delivered);
|
IP6STAT_DEC(ip6s_delivered);
|
||||||
/* Do not inject data into pcb. */
|
/* Do not inject data into pcb. */
|
||||||
INP_RUNLOCK(last);
|
INP_RUNLOCK(last);
|
||||||
|
@ -141,7 +141,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
|
|||||||
/* Check AH/ESP integrity. */
|
/* Check AH/ESP integrity. */
|
||||||
if (ipsec6_in_reject(n, inp)) {
|
if (ipsec6_in_reject(n, inp)) {
|
||||||
m_freem(n);
|
m_freem(n);
|
||||||
V_ipsec6stat.in_polvio++;
|
IPSEC6STAT_INC(in_polvio);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif /* IPSEC */
|
#endif /* IPSEC */
|
||||||
|
@ -454,7 +454,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
|
|||||||
sp = ipsec_getpolicybysock(m, dir, inp, error);
|
sp = ipsec_getpolicybysock(m, dir, inp, error);
|
||||||
if (sp == NULL) {
|
if (sp == NULL) {
|
||||||
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
|
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
|
||||||
V_ipsec4stat.ips_out_inval++;
|
IPSECSTAT_INC(ips_out_inval);
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
|
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
|
||||||
@ -464,7 +464,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
|
|||||||
printf("%s: invalid policy %u\n", __func__, sp->policy);
|
printf("%s: invalid policy %u\n", __func__, sp->policy);
|
||||||
/* FALLTHROUGH */
|
/* FALLTHROUGH */
|
||||||
case IPSEC_POLICY_DISCARD:
|
case IPSEC_POLICY_DISCARD:
|
||||||
V_ipsec4stat.ips_out_polvio++;
|
IPSECSTAT_INC(ips_out_polvio);
|
||||||
*error = -EINVAL; /* Packet is discarded by caller. */
|
*error = -EINVAL; /* Packet is discarded by caller. */
|
||||||
break;
|
break;
|
||||||
case IPSEC_POLICY_BYPASS:
|
case IPSEC_POLICY_BYPASS:
|
||||||
@ -1314,7 +1314,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
|
|||||||
|
|
||||||
result = ipsec46_in_reject(m, inp);
|
result = ipsec46_in_reject(m, inp);
|
||||||
if (result)
|
if (result)
|
||||||
V_ipsec4stat.ips_in_polvio++;
|
IPSECSTAT_INC(ips_in_polvio);
|
||||||
|
|
||||||
return (result);
|
return (result);
|
||||||
}
|
}
|
||||||
@ -1332,7 +1332,7 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
|
|||||||
|
|
||||||
result = ipsec46_in_reject(m, inp);
|
result = ipsec46_in_reject(m, inp);
|
||||||
if (result)
|
if (result)
|
||||||
V_ipsec6stat.ips_in_polvio++;
|
IPSEC6STAT_INC(ips_in_polvio);
|
||||||
|
|
||||||
return (result);
|
return (result);
|
||||||
}
|
}
|
||||||
|
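Review bot: `ipsec4_in_reject()` and `ipsec6_in_reject()` already bump `ips_in_polvio` whenever they return non-zero, and the callers touched elsewhere in this commit (the `findpcb` path, `udp_append()`, `udp6_append()`, `rip6_input()`, `ip6_forward()`) then bump `in_polvio` for the same rejected packet. The statistics structure is not shown on this page, so it cannot be confirmed here whether those are one counter or two. If they are the same, each policy violation is counted twice; if they are distinct, the figure an operator watches for rejected traffic is split across two names. A short comment at the increment, for example `/* callers also count in_polvio for this packet */`, or removing one of the two increments, would make the accounting unambiguous. Both function bodies start outside their hunks.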
@ -359,6 +359,7 @@ VNET_DECLARE(int, ip4_ipsec_ecn);
|
|||||||
VNET_DECLARE(int, ip4_esp_randpad);
|
VNET_DECLARE(int, ip4_esp_randpad);
|
||||||
VNET_DECLARE(int, crypto_support);
|
VNET_DECLARE(int, crypto_support);
|
||||||
|
|
||||||
|
#define IPSECSTAT_INC(name) V_ipsec4stat.name += 1
|
||||||
#define V_ipsec4stat VNET(ipsec4stat)
|
#define V_ipsec4stat VNET(ipsec4stat)
|
||||||
#define V_ip4_def_policy VNET(ip4_def_policy)
|
#define V_ip4_def_policy VNET(ip4_def_policy)
|
||||||
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
|
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
|
||||||
|
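Review bot: The new `IPSECSTAT_INC(name)` expands to the bare expression `V_ipsec4stat.name += 1`, so it only behaves as written when it is a complete statement, which is how every call site visible on this page uses it. Used inside a larger expression, it would bind differently than it reads. Parenthesising the expansion, `#define IPSECSTAT_INC(name) (V_ipsec4stat.name += 1)`, avoids that, and the same applies to `IPSEC6STAT_INC` in the IPv6 header hunk. The increment is still a plain read-modify-write, so if these counters are updated concurrently (not visible here) some counts can be lost. A one-line comment on the macro saying the statistics are best-effort would tell anyone who alerts on them.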
@ -48,6 +48,7 @@ VNET_DECLARE(int, ip6_ah_trans_deflev);
|
|||||||
VNET_DECLARE(int, ip6_ah_net_deflev);
|
VNET_DECLARE(int, ip6_ah_net_deflev);
|
||||||
VNET_DECLARE(int, ip6_ipsec_ecn);
|
VNET_DECLARE(int, ip6_ipsec_ecn);
|
||||||
|
|
||||||
|
#define IPSEC6STAT_INC(name) V_ipsec6stat.name += 1
|
||||||
#define V_ipsec6stat VNET(ipsec6stat)
|
#define V_ipsec6stat VNET(ipsec6stat)
|
||||||
#define V_ip6_esp_trans_deflev VNET(ip6_esp_trans_deflev)
|
#define V_ip6_esp_trans_deflev VNET(ip6_esp_trans_deflev)
|
||||||
#define V_ip6_esp_net_deflev VNET(ip6_esp_net_deflev)
|
#define V_ip6_esp_net_deflev VNET(ip6_esp_net_deflev)
|
||||||
|
@ -135,7 +135,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
|
|||||||
m = n; /* header is at front ... */
|
m = n; /* header is at front ... */
|
||||||
*off = 0; /* ... of new mbuf */
|
*off = 0; /* ... of new mbuf */
|
||||||
}
|
}
|
||||||
V_ipsec4stat.ips_mbinserted++;
|
IPSECSTAT_INC(ips_mbinserted);
|
||||||
} else {
|
} else {
|
||||||
/*
|
/*
|
||||||
* Copy the remainder to the back of the mbuf
|
* Copy the remainder to the back of the mbuf
|
||||||
@ -241,7 +241,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
|
|||||||
/* Remove the header and associated data from the mbuf. */
|
/* Remove the header and associated data from the mbuf. */
|
||||||
if (roff == 0) {
|
if (roff == 0) {
|
||||||
/* The header was at the beginning of the mbuf */
|
/* The header was at the beginning of the mbuf */
|
||||||
V_ipsec4stat.ips_input_front++;
|
IPSECSTAT_INC(ips_input_front);
|
||||||
m_adj(m1, hlen);
|
m_adj(m1, hlen);
|
||||||
if ((m1->m_flags & M_PKTHDR) == 0)
|
if ((m1->m_flags & M_PKTHDR) == 0)
|
||||||
m->m_pkthdr.len -= hlen;
|
m->m_pkthdr.len -= hlen;
|
||||||
@ -253,7 +253,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
|
|||||||
* so first let's remove the remainder of the header from
|
* so first let's remove the remainder of the header from
|
||||||
* the beginning of the remainder of the mbuf chain, if any.
|
* the beginning of the remainder of the mbuf chain, if any.
|
||||||
*/
|
*/
|
||||||
V_ipsec4stat.ips_input_end++;
|
IPSECSTAT_INC(ips_input_end);
|
||||||
if (roff + hlen > m1->m_len) {
|
if (roff + hlen > m1->m_len) {
|
||||||
/* Adjust the next mbuf by the remainder */
|
/* Adjust the next mbuf by the remainder */
|
||||||
m_adj(m1->m_next, roff + hlen - m1->m_len);
|
m_adj(m1->m_next, roff + hlen - m1->m_len);
|
||||||
@ -278,7 +278,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
|
|||||||
* The header lies in the "middle" of the mbuf; copy
|
* The header lies in the "middle" of the mbuf; copy
|
||||||
* the remainder of the mbuf down over the header.
|
* the remainder of the mbuf down over the header.
|
||||||
*/
|
*/
|
||||||
V_ipsec4stat.ips_input_middle++;
|
IPSECSTAT_INC(ips_input_middle);
|
||||||
bcopy(mtod(m1, u_char *) + roff + hlen,
|
bcopy(mtod(m1, u_char *) + roff + hlen,
|
||||||
mtod(m1, u_char *) + roff,
|
mtod(m1, u_char *) + roff,
|
||||||
m1->m_len - (roff + hlen));
|
m1->m_len - (roff + hlen));
|
||||||
|
@ -164,7 +164,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
|||||||
* doing further processing.
|
* doing further processing.
|
||||||
*/
|
*/
|
||||||
if (isr->next) {
|
if (isr->next) {
|
||||||
V_ipsec4stat.ips_out_bundlesa++;
|
IPSECSTAT_INC(ips_out_bundlesa);
|
||||||
/* XXX-BZ currently only support same AF bundles. */
|
/* XXX-BZ currently only support same AF bundles. */
|
||||||
switch (saidx->dst.sa.sa_family) {
|
switch (saidx->dst.sa.sa_family) {
|
||||||
#ifdef INET
|
#ifdef INET
|
||||||
@ -356,7 +356,7 @@ again:
|
|||||||
* this packet because it is responsibility for
|
* this packet because it is responsibility for
|
||||||
* upper layer to retransmit the packet.
|
* upper layer to retransmit the packet.
|
||||||
*/
|
*/
|
||||||
V_ipsec4stat.ips_out_nosa++;
|
IPSECSTAT_INC(ips_out_nosa);
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
sav = isr->sav;
|
sav = isr->sav;
|
||||||
@ -827,14 +827,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
|
|||||||
ipseclog((LOG_ERR, "%s: family mismatched between "
|
ipseclog((LOG_ERR, "%s: family mismatched between "
|
||||||
"inner and outer, spi=%u\n", __func__,
|
"inner and outer, spi=%u\n", __func__,
|
||||||
ntohl(isr->sav->spi)));
|
ntohl(isr->sav->spi)));
|
||||||
V_ipsec6stat.ips_out_inval++;
|
IPSEC6STAT_INC(ips_out_inval);
|
||||||
error = EAFNOSUPPORT;
|
error = EAFNOSUPPORT;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
|
||||||
m = ipsec6_splithdr(m);
|
m = ipsec6_splithdr(m);
|
||||||
if (!m) {
|
if (!m) {
|
||||||
V_ipsec6stat.ips_out_nomem++;
|
IPSEC6STAT_INC(ips_out_nomem);
|
||||||
error = ENOMEM;
|
error = ENOMEM;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@ -864,7 +864,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
|
|||||||
}
|
}
|
||||||
if (state->ro->ro_rt == NULL) {
|
if (state->ro->ro_rt == NULL) {
|
||||||
IP6STAT_INC(ip6s_noroute);
|
IP6STAT_INC(ip6s_noroute);
|
||||||
V_ipsec6stat.ips_out_noroute++;
|
IPSEC6STAT_INC(ips_out_noroute);
|
||||||
error = EHOSTUNREACH;
|
error = EHOSTUNREACH;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@ -876,7 +876,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
|
|||||||
|
|
||||||
m = ipsec6_splithdr(m);
|
m = ipsec6_splithdr(m);
|
||||||
if (!m) {
|
if (!m) {
|
||||||
V_ipsec6stat.ips_out_nomem++;
|
IPSEC6STAT_INC(ips_out_nomem);
|
||||||
error = ENOMEM;
|
error = ENOMEM;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|