1 /* $NetBSD: fast_ipsec.c,v 1.20 2013/04/15 21:20:39 christos Exp $ */
2 /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */
5 * Copyright (c) 2003, 2004 Jonathan Stone
6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $
33 #include <sys/cdefs.h>
36 __RCSID("$NetBSD: fast_ipsec.c,v 1.20 2013/04/15 21:20:39 christos Exp $");
40 /* Kernel headers required, but not included, by netstat.h */
41 #include <sys/types.h>
42 #include <sys/socket.h>
44 /* Kernel headers for sysctl(3). */
45 #include <sys/param.h>
46 #include <sys/sysctl.h>
48 /* Kernel headers for FAST_IPSEC statistics */
49 #include <net/pfkeyv2.h>
50 #include <netipsec/esp_var.h>
51 #include <netipsec/ah_var.h>
52 #include <netipsec/ipip_var.h>
53 #include <netipsec/ipcomp_var.h>
54 #include <netipsec/ipsec_var.h>
56 #include <machine/int_fmtio.h>
67 * Table-driven mapping from SADB algorithm codes to string names.
73 static const struct alg aalgs
[] = {
74 { SADB_AALG_NONE
, "none", },
75 { SADB_AALG_MD5HMAC
, "hmac-md5", },
76 { SADB_AALG_SHA1HMAC
, "hmac-sha1", },
77 { SADB_X_AALG_MD5
, "md5", },
78 { SADB_X_AALG_SHA
, "sha", },
79 { SADB_X_AALG_NULL
, "null", },
80 { SADB_X_AALG_SHA2_256
, "hmac-sha2-256", },
81 { SADB_X_AALG_SHA2_384
, "hmac-sha2-384", },
82 { SADB_X_AALG_SHA2_512
, "hmac-sha2-512", },
83 { SADB_X_AALG_AES_XCBC_MAC
, "aes-xcbc-mac", },
84 { SADB_X_AALG_AES128GMAC
, "aes-128-gmac", },
85 { SADB_X_AALG_AES192GMAC
, "aes-192-gmac", },
86 { SADB_X_AALG_AES256GMAC
, "aes-256-gmac", },
88 static const struct alg espalgs
[] = {
89 { SADB_EALG_NONE
, "none", },
90 { SADB_EALG_DESCBC
, "des-cbc", },
91 { SADB_EALG_3DESCBC
, "3des-cbc", },
92 { SADB_EALG_NULL
, "null", },
93 { SADB_X_EALG_CAST128CBC
, "cast128-cbc", },
94 { SADB_X_EALG_BLOWFISHCBC
, "blowfish-cbc", },
95 { SADB_X_EALG_RIJNDAELCBC
, "aes-cbc", },
96 { SADB_X_EALG_CAMELLIACBC
, "camellia-cbc", },
97 { SADB_X_EALG_AESCTR
, "aes-ctr", },
98 { SADB_X_EALG_AESGCM16
, "aes-gcm-16", },
99 { SADB_X_EALG_AESGMAC
, "aes-gmac", },
101 static const struct alg ipcompalgs
[] = {
102 { SADB_X_CALG_NONE
, "none", },
103 { SADB_X_CALG_OUI
, "oui", },
104 { SADB_X_CALG_DEFLATE
, "deflate", },
105 { SADB_X_CALG_LZS
, "lzs", },
107 #define N(a) (sizeof(a)/sizeof(a[0]))
110 algname(int a
, const struct alg algs
[], int nalgs
)
115 for (i
= 0; i
< nalgs
; i
++)
118 snprintf(buf
, sizeof(buf
), "alg#%u", a
);
123 * Print the fast_ipsec statistics.
124 * Since NetBSD's netstat(1) seems not to find us for "netstat -s",
125 * but does(?) find KAME, be prepared to be called explicitly from
126 * netstat's main program for "netstat -s"; but silently do nothing
127 * if that happens when we are running on KAME IPsec.
130 fast_ipsec_stats(u_long off
, const char *name
)
132 uint64_t ipsecstats
[IPSEC_NSTATS
];
133 uint64_t ahstats
[AH_NSTATS
];
134 uint64_t espstats
[ESP_NSTATS
];
135 uint64_t ipcs
[IPCOMP_NSTATS
];
136 uint64_t ipips
[IPIP_NSTATS
];
142 warnx("IPsec stats not available via KVM.");
146 memset(ipsecstats
, 0, sizeof(ipsecstats
));
147 memset(ahstats
, 0, sizeof(ahstats
));
148 memset(espstats
, 0, sizeof(espstats
));
149 memset(ipcs
, 0, sizeof(ipcs
));
150 memset(ipips
, 0, sizeof(ipips
));
152 slen
= sizeof(ipsecstats
);
153 status
= sysctlbyname("net.inet.ipsec.ipsecstats", ipsecstats
, &slen
,
159 err(1, "net.inet.ipsec.ipsecstats");
162 slen
= sizeof (ahstats
);
163 status
= sysctlbyname("net.inet.ah.ah_stats", ahstats
, &slen
, NULL
, 0);
164 if (status
< 0 && errno
!= ENOMEM
)
165 err(1, "net.inet.ah.ah_stats");
167 slen
= sizeof (espstats
);
168 status
= sysctlbyname("net.inet.esp.esp_stats", espstats
, &slen
, NULL
, 0);
169 if (status
< 0 && errno
!= ENOMEM
)
170 err(1, "net.inet.esp.esp_stats");
173 status
= sysctlbyname("net.inet.ipcomp.ipcomp_stats", ipcs
, &slen
, NULL
, 0);
174 if (status
< 0 && errno
!= ENOMEM
)
175 err(1, "net.inet.ipcomp.ipcomp_stats");
177 slen
= sizeof(ipips
);
178 status
= sysctlbyname("net.inet.ipip.ipip_stats", ipips
, &slen
, NULL
, 0);
179 if (status
< 0 && errno
!= ENOMEM
)
180 err(1, "net.inet.ipip.ipip_stats");
182 printf("(Fast) IPsec:\n");
184 #define STAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" " fmt "\n", x)
185 if (ipsecstats
[IPSEC_STAT_IN_POLVIO
]+ipsecstats
[IPSEC_STAT_OUT_POLVIO
])
186 printf("\t%"PRIu64
" policy violations: %"PRIu64
" input %"PRIu64
" output\n",
187 ipsecstats
[IPSEC_STAT_IN_POLVIO
] + ipsecstats
[IPSEC_STAT_OUT_POLVIO
],
188 ipsecstats
[IPSEC_STAT_IN_POLVIO
], ipsecstats
[IPSEC_STAT_OUT_POLVIO
]);
189 STAT(ipsecstats
[IPSEC_STAT_OUT_NOSA
], "no SA found (output)");
190 STAT(ipsecstats
[IPSEC_STAT_OUT_NOMEM
], "no memory available (output)");
191 STAT(ipsecstats
[IPSEC_STAT_OUT_NOROUTE
], "no route available (output)");
192 STAT(ipsecstats
[IPSEC_STAT_OUT_INVAL
], "generic errors (output)");
193 STAT(ipsecstats
[IPSEC_STAT_OUT_BUNDLESA
], "bundled SA processed (output)");
194 STAT(ipsecstats
[IPSEC_STAT_SPDCACHELOOKUP
], "SPD cache lookups");
195 STAT(ipsecstats
[IPSEC_STAT_SPDCACHEMISS
], "SPD cache misses");
199 printf("IPsec ah:\n");
200 #define AHSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" ah " fmt "\n", x)
201 AHSTAT(ahstats
[AH_STAT_INPUT
], "input packets processed");
202 AHSTAT(ahstats
[AH_STAT_OUTPUT
], "output packets processed");
203 AHSTAT(ahstats
[AH_STAT_HDROPS
], "headers too short");
204 AHSTAT(ahstats
[AH_STAT_NOPF
], "headers for unsupported address family");
205 AHSTAT(ahstats
[AH_STAT_NOTDB
], "packets with no SA");
206 AHSTAT(ahstats
[AH_STAT_BADKCR
], "packets dropped by crypto returning NULL mbuf");
207 AHSTAT(ahstats
[AH_STAT_BADAUTH
], "packets with bad authentication");
208 AHSTAT(ahstats
[AH_STAT_NOXFORM
], "packets with no xform");
209 AHSTAT(ahstats
[AH_STAT_QFULL
], "packets dropped due to queue full");
210 AHSTAT(ahstats
[AH_STAT_WRAP
], "packets dropped for replay counter wrap");
211 AHSTAT(ahstats
[AH_STAT_REPLAY
], "packets dropped for possible replay");
212 AHSTAT(ahstats
[AH_STAT_BADAUTHL
],"packets dropped for bad authenticator length");
213 AHSTAT(ahstats
[AH_STAT_INVALID
], "packets with an invalid SA");
214 AHSTAT(ahstats
[AH_STAT_TOOBIG
], "packets too big");
215 AHSTAT(ahstats
[AH_STAT_PDROPS
], "packets blocked due to policy");
216 AHSTAT(ahstats
[AH_STAT_CRYPTO
], "failed crypto requests");
217 AHSTAT(ahstats
[AH_STAT_TUNNEL
], "tunnel sanity check failures");
219 printf("\tah histogram:\n");
220 for (i
= 0; i
< AH_ALG_MAX
; i
++)
221 if (ahstats
[AH_STAT_HIST
+ i
])
222 printf("\t\tah packets with %s: %"PRIu64
"\n"
223 , algname(i
, aalgs
, N(aalgs
))
224 , ahstats
[AH_STAT_HIST
+ i
]
226 AHSTAT(ahstats
[AH_STAT_IBYTES
], "bytes received");
227 AHSTAT(ahstats
[AH_STAT_OBYTES
], "bytes transmitted");
231 printf("IPsec esp:\n");
232 #define ESPSTAT(x,fmt) if ((x) || sflag <= 1) printf("\t%"PRIu64" esp " fmt "\n", x)
233 ESPSTAT(espstats
[ESP_STAT_INPUT
],"input packets processed");
234 ESPSTAT(espstats
[ESP_STAT_OUTPUT
],"output packets processed");
235 ESPSTAT(espstats
[ESP_STAT_HDROPS
],"headers too short");
236 ESPSTAT(espstats
[ESP_STAT_NOPF
], "headers for unsupported address family");
237 ESPSTAT(espstats
[ESP_STAT_NOTDB
],"packets with no SA");
238 ESPSTAT(espstats
[ESP_STAT_BADKCR
],"packets dropped by crypto returning NULL mbuf");
239 ESPSTAT(espstats
[ESP_STAT_QFULL
],"packets dropped due to queue full");
240 ESPSTAT(espstats
[ESP_STAT_NOXFORM
],"packets with no xform");
241 ESPSTAT(espstats
[ESP_STAT_BADILEN
],"packets with bad ilen");
242 ESPSTAT(espstats
[ESP_STAT_BADENC
],"packets with bad encryption");
243 ESPSTAT(espstats
[ESP_STAT_BADAUTH
],"packets with bad authentication");
244 ESPSTAT(espstats
[ESP_STAT_WRAP
], "packets dropped for replay counter wrap");
245 ESPSTAT(espstats
[ESP_STAT_REPLAY
],"packets dropped for possible replay");
246 ESPSTAT(espstats
[ESP_STAT_INVALID
],"packets with an invalid SA");
247 ESPSTAT(espstats
[ESP_STAT_TOOBIG
],"packets too big");
248 ESPSTAT(espstats
[ESP_STAT_PDROPS
],"packets blocked due to policy");
249 ESPSTAT(espstats
[ESP_STAT_CRYPTO
],"failed crypto requests");
250 ESPSTAT(espstats
[ESP_STAT_TUNNEL
],"tunnel sanity check failures");
251 printf("\tesp histogram:\n");
252 for (i
= 0; i
< ESP_ALG_MAX
; i
++)
253 if (espstats
[ESP_STAT_HIST
+ i
])
254 printf("\t\tesp packets with %s: %"PRIu64
"\n"
255 , algname(i
, espalgs
, N(espalgs
))
256 , espstats
[ESP_STAT_HIST
+ i
]
258 ESPSTAT(espstats
[ESP_STAT_IBYTES
], "bytes received");
259 ESPSTAT(espstats
[ESP_STAT_OBYTES
], "bytes transmitted");
261 printf("IPsec ipip:\n");
263 #define IPIPSTAT(x,fmt) \
264 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipip " fmt "\n", x)
265 IPIPSTAT(ipips
[IPIP_STAT_IPACKETS
],"total input packets");
266 IPIPSTAT(ipips
[IPIP_STAT_OPACKETS
],"total output packets");
267 IPIPSTAT(ipips
[IPIP_STAT_HDROPS
],"packets too short for header length");
268 IPIPSTAT(ipips
[IPIP_STAT_QFULL
],"packets dropped due to queue full");
269 IPIPSTAT(ipips
[IPIP_STAT_PDROPS
],"packets blocked due to policy");
270 IPIPSTAT(ipips
[IPIP_STAT_SPOOF
],"IP spoofing attempts");
271 IPIPSTAT(ipips
[IPIP_STAT_FAMILY
],"protocol family mismatched");
272 IPIPSTAT(ipips
[IPIP_STAT_UNSPEC
],"missing tunnel-endpoint address");
273 IPIPSTAT(ipips
[IPIP_STAT_IBYTES
],"input bytes received");
274 IPIPSTAT(ipips
[IPIP_STAT_OBYTES
],"output bytes processed");
277 printf("IPsec ipcomp:\n");
278 #define IPCOMP(x,fmt) \
279 if ((x) || sflag <= 1) printf("\t%"PRIu64" ipcomp " fmt "\n", x)
281 IPCOMP(ipcs
[IPCOMP_STAT_HDROPS
],"packets too short for header length");
282 IPCOMP(ipcs
[IPCOMP_STAT_NOPF
], "protocol family not supported");
283 IPCOMP(ipcs
[IPCOMP_STAT_NOTDB
], "packets with no SA");
284 IPCOMP(ipcs
[IPCOMP_STAT_BADKCR
],"packets dropped by crypto returning NULL mbuf");
285 IPCOMP(ipcs
[IPCOMP_STAT_QFULL
], "queue full");
286 IPCOMP(ipcs
[IPCOMP_STAT_NOXFORM
],"no support for transform");
287 IPCOMP(ipcs
[IPCOMP_STAT_WRAP
], "packets dropped for replay counter wrap");
288 IPCOMP(ipcs
[IPCOMP_STAT_INPUT
], "input IPcomp packets");
289 IPCOMP(ipcs
[IPCOMP_STAT_OUTPUT
],"output IPcomp packets");
290 IPCOMP(ipcs
[IPCOMP_STAT_INVALID
],"packets with an invalid SA");
291 IPCOMP(ipcs
[IPCOMP_STAT_TOOBIG
],"packets decompressed as too big");
292 IPCOMP(ipcs
[IPCOMP_STAT_MINLEN
], "packets too short to be compressed");
293 IPCOMP(ipcs
[IPCOMP_STAT_USELESS
],"packet for which compression was useless");
294 IPCOMP(ipcs
[IPCOMP_STAT_PDROPS
],"packets blocked due to policy");
295 IPCOMP(ipcs
[IPCOMP_STAT_CRYPTO
],"failed crypto requests");
297 printf("\tIPcomp histogram:\n");
298 for (i
= 0; i
< IPCOMP_ALG_MAX
; i
++)
299 if (ipcs
[IPCOMP_STAT_HIST
+ i
])
300 printf("\t\tIPcomp packets with %s: %"PRIu64
"\n"
301 , algname(i
, ipcompalgs
, N(ipcompalgs
))
302 , ipcs
[IPCOMP_STAT_HIST
+ i
]
304 IPCOMP(ipcs
[IPCOMP_STAT_IBYTES
],"input bytes");
305 IPCOMP(ipcs
[IPCOMP_STAT_OBYTES
],"output bytes");