From owner-p4-projects@FreeBSD.ORG Fri Jul 31 00:01:42 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id ED2E410656D1; Fri, 31 Jul 2009 00:01:41 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA7601065672 for ; Fri, 31 Jul 2009 00:01:40 +0000 (UTC) (envelope-from pgj@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id D7F588FC13 for ; Fri, 31 Jul 2009 00:01:40 +0000 (UTC) (envelope-from pgj@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n6V01ek6050066 for ; Fri, 31 Jul 2009 00:01:40 GMT (envelope-from pgj@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n6V01est050064 for perforce@freebsd.org; Fri, 31 Jul 2009 00:01:40 GMT (envelope-from pgj@FreeBSD.org) Date: Fri, 31 Jul 2009 00:01:40 GMT Message-Id: <200907310001.n6V01est050064@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to pgj@FreeBSD.org using -f 
From: Gabor Pali To: Perforce Change Reviews Cc: Subject: PERFORCE change 166848 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jul 2009 00:01:43 -0000 http://perforce.freebsd.org/chv.cgi?CH=166848 Change 166848 by pgj@petymeg-current on 2009/07/31 00:01:20 Add support for IPsec statistics. Affected files ... .. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat.h#53 edit .. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_internal.h#50 edit .. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_stat.c#20 edit .. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_util.c#58 edit .. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/extern.h#30 edit .. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/ipsec.c#6 edit .. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/main.c#38 edit Differences ... ==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat.h#53 (text+ko) ==== @@ -35,6 +35,8 @@ #ifdef IPSEC #include #include +#include +#include #endif #define NETSTAT_MAXCALLER 16 @@ -93,6 +95,9 @@ #define NETSTAT_ESP_HIST_MAX ESP_ALG_MAX #define NETSTAT_AH_HIST_MAX AH_ALG_MAX #define NETSTAT_IPCOMP_HIST_MAX IPCOMP_ALG_MAX +#define NETSTAT_IPSEC_ESP_HIST_MAX 256 +#define NETSTAT_IPSEC_AH_HIST_MAX 256 +#define NETSTAT_IPSEC_IPCOMP_HIST_MAX 256 /* Enum for TCP states: */ @@ -161,6 +166,7 @@ stat_ESP, stat_AH, stat_IPcomp, + stat_IPsec, #endif stat_MAX, stat_Invalid, 
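Review bot: The new `NETSTAT_IPSEC_ESP_HIST_MAX`, `NETSTAT_IPSEC_AH_HIST_MAX` and `NETSTAT_IPSEC_IPCOMP_HIST_MAX` are hard-coded to 256, while the neighbouring histogram bounds are derived from the kernel's `ESP_ALG_MAX`/`AH_ALG_MAX`/`IPCOMP_ALG_MAX`. These three values drive the printing loops in usr.bin/netstat/ipsec.c and are repeated as bare `256` literals in the netstat_util.c accessors, so nothing ties them to the actual size of the `struct ipsecstat` histogram arrays; if the kernel's arrays are not 256 entries long the loops read past them. Since this hunk adds the ipsec header includes to netstat.h, the bound can presumably be taken from the struct itself, e.g. `#define NETSTAT_IPSEC_ESP_HIST_MAX nitems(((struct ipsecstat *)0)->in_esphist)`, or at least be given a comment stating that it must match the kernel array size.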
@@ -1025,5 +1031,48 @@
 u_int32_t netstat_ipcomps_get_pdrops(const struct ipcomp_stat *);
 u_int32_t netstat_ipcomps_get_crypto(const struct ipcomp_stat *);
 u_int32_t netstat_ipcomps_get_hist(const struct ipcomp_stat *, int);
+
+const struct ipsec_stat *netstat_get_ipsecstats(const struct stat_type *);
+
+u_int64_t netstat_ipsecs_get_in_success(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_polvio(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_nosa(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_inval(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_nomem(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_badspi(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahreplay(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espreplay(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahauthsucc(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahauthfail(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espauthsucc(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espauthfail(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_esphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_in_ahhist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_in_comphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_success(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_polvio(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_nosa(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_inval(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_nomem(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_noroute(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_esphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_ahhist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_comphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_spdcachelookup(const struct ipsec_stat *); +u_int64_t netstat_ipsecs_get_spdcachemiss(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_in_polvio(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_polvio(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_nosa(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_nomem(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_noroute(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_inval(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_out_bundlesa(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_mbcoalesced(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_clcoalesced(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_clcopied(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_mbinserted(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_input_front(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_input_middle(const struct ipsec_stat *); +u_int32_t netstat_ipsecs_get_ips_input_end(const struct ipsec_stat *); #endif /* !IPSEC */ #endif /* !_NETSTAT_H_ */ ==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_internal.h#50 (text+ko) ==== @@ -70,6 +70,7 @@ #include #include #include +#include #endif #include "netstat.h" @@ -390,6 +391,10 @@ struct ipcomp_stat { struct ipcompstat s; }; + +struct ipsec_stat { + struct ipsecstat s; +}; #endif /* Timestamp type. */ ==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_stat.c#20 (text+ko) ==== @@ -91,6 +91,7 @@ { ESPSTAT_VERSION, "net.inet.esp.stats", "_espstat" }, { AHSTAT_VERSION, "net.inet.ah.stats", "_ahstat" }, { IPCOMPSTAT_VERSION, "net.inet.ipcomp.stats", "_ipcompstat" }, + { IPSECSTAT_VERSION, "net.inet.ipsec.ipsecstats", "_ipsec4stat" }, #endif }; ==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_util.c#58 (text+ko) ==== 
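Review bot: The six histogram accessors (`netstat_ipsecs_get_in_esphist` through `netstat_ipsecs_get_out_comphist`) are public library API taking a plain `int` index, and the header says nothing about the valid range or what happens when the index is out of it; whether `STATS_ACCXA` range-checks against its size argument cannot be seen from this change. Since callers outside libnetstat will pass whatever they like, the library should reject a negative or too-large index rather than index the kernel array with it, and the contract should be documented next to the prototypes, e.g. `/* Histogram accessors: index must be in [0, NETSTAT_IPSEC_*_HIST_MAX); behaviour for other values is defined by the accessor, not the caller. */`, amended with what the accessor actually does. The prototypes hunk starts on the previous line.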
@@ -2002,6 +2002,60 @@
 #undef IPCOMP_ACC
 #undef IPCOMP_ACC64
 #undef IPCOMP_ACCA
+
+#define IPSEC_ACC(field) \
+ STATS_ACCX(u_int64_t,ipsec,field,field)
+
+#define IPSEC_ACC32(field) \
+ STATS_ACCX(u_int32_t,ipsec,field,field)
+
+#define IPSEC_ACCA(field,size) \
+ STATS_ACCXA(u_int64_t,ipsec,field,field,size)
+
+STATS_GET(ipsec,IPsec);
+IPSEC_ACC(in_success);
+IPSEC_ACC(in_polvio);
+IPSEC_ACC(in_nosa);
+IPSEC_ACC(in_inval);
+IPSEC_ACC(in_nomem);
+IPSEC_ACC(in_badspi);
+IPSEC_ACC(in_ahreplay);
+IPSEC_ACC(in_espreplay);
+IPSEC_ACC(in_ahauthsucc);
+IPSEC_ACC(in_ahauthfail);
+IPSEC_ACC(in_espauthsucc);
+IPSEC_ACC(in_espauthfail);
+IPSEC_ACCA(in_esphist,256);
+IPSEC_ACCA(in_ahhist,256);
+IPSEC_ACCA(in_comphist,256);
+IPSEC_ACC(out_success);
+IPSEC_ACC(out_polvio);
+IPSEC_ACC(out_nosa);
+IPSEC_ACC(out_inval);
+IPSEC_ACC(out_nomem);
+IPSEC_ACC(out_noroute);
+IPSEC_ACCA(out_esphist,256);
+IPSEC_ACCA(out_ahhist,256);
+IPSEC_ACCA(out_comphist,256);
+IPSEC_ACC(spdcachelookup);
+IPSEC_ACC(spdcachemiss);
+IPSEC_ACC32(ips_in_polvio);
+IPSEC_ACC32(ips_out_polvio);
+IPSEC_ACC32(ips_out_nosa);
+IPSEC_ACC32(ips_out_nomem);
+IPSEC_ACC32(ips_out_noroute);
+IPSEC_ACC32(ips_out_inval);
+IPSEC_ACC32(ips_out_bundlesa);
+IPSEC_ACC32(ips_mbcoalesced);
+IPSEC_ACC32(ips_clcoalesced);
+IPSEC_ACC32(ips_clcopied);
+IPSEC_ACC32(ips_mbinserted);
+IPSEC_ACC32(ips_input_front);
+IPSEC_ACC32(ips_input_middle);
+IPSEC_ACC32(ips_input_end);
+#undef IPSEC_ACC
+#undef IPSEC_ACC32
+#undef IPSEC_ACCA
 #endif /* !IPSEC */
 
 static const char *icmpnames[ICMP_MAXTYPE + 1] = {
==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/extern.h#30 (text+ko) ====
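Review bot: The six `IPSEC_ACCA(..., 256)` lines repeat the histogram size as a bare literal even though this same change introduces `NETSTAT_IPSEC_ESP_HIST_MAX`, `NETSTAT_IPSEC_AH_HIST_MAX` and `NETSTAT_IPSEC_IPCOMP_HIST_MAX` in netstat.h for exactly that value. The accessor's bound and the loop bound in usr.bin/netstat/ipsec.c are now maintained in two places and will silently drift apart, with the printing loop reading past whatever the accessor checks against. Use the macros here: `IPSEC_ACCA(in_esphist, NETSTAT_IPSEC_ESP_HIST_MAX);`, `IPSEC_ACCA(in_ahhist, NETSTAT_IPSEC_AH_HIST_MAX);`, `IPSEC_ACCA(in_comphist, NETSTAT_IPSEC_IPCOMP_HIST_MAX);` and likewise for the three `out_*` histograms.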
@@ -87,7 +87,7 @@ void carp_stats(const struct stat_type *); void pfsync_stats(const struct stat_type *); #ifdef IPSEC -void ipsec_stats(u_long, const char *, int, int); +void ipsec_stats(const struct stat_type *); void esp_stats(const struct stat_type *); void ah_stats(const struct stat_type *); void ipcomp_stats(const struct stat_type *); ==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/ipsec.c#6 (text+ko) ==== @@ -27,6 +27,7 @@ */ /*- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. + * Copyright (c) 2009 Gabor Pali * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -95,125 +96,23 @@ #include __FBSDID("$FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.18 2008/01/02 23:26:11 obrien Exp $"); -#include -#include -#include -#include - -#include -#include -#include -#include -#include +#include -#include #include -#include -#include #include #include "extern.h" -struct val2str { - int val; - const char *str; -}; - -static struct val2str ipsec_ahnames[] = { - { SADB_AALG_NONE, "none", }, - { SADB_AALG_MD5HMAC, "hmac-md5", }, - { SADB_AALG_SHA1HMAC, "hmac-sha1", }, - { SADB_X_AALG_MD5, "md5", }, - { SADB_X_AALG_SHA, "sha", }, - { SADB_X_AALG_NULL, "null", }, -#ifdef SADB_X_AALG_SHA2_256 - { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, -#endif -#ifdef SADB_X_AALG_SHA2_384 - { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, -#endif -#ifdef SADB_X_AALG_SHA2_512 - { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, -#endif -#ifdef SADB_X_AALG_RIPEMD160HMAC - { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, -#endif -#ifdef SADB_X_AALG_AES_XCBC_MAC - { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, -#endif - { -1, NULL }, -}; - -static struct val2str ipsec_espnames[] = { - { SADB_EALG_NONE, "none", }, - { SADB_EALG_DESCBC, "des-cbc", }, - { SADB_EALG_3DESCBC, "3des-cbc", }, - { SADB_EALG_NULL, "null", }, - { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, -#ifdef SADB_X_EALG_RIJNDAELCBC - { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, -#endif -#ifdef SADB_X_EALG_AESCTR - { SADB_X_EALG_AESCTR, "aes-ctr", }, -#endif - { -1, NULL }, -}; - -static struct val2str ipsec_compnames[] = { - { SADB_X_CALG_NONE, "none", }, - { SADB_X_CALG_OUI, "oui", }, - { SADB_X_CALG_DEFLATE, "deflate", }, - { SADB_X_CALG_LZS, "lzs", }, - { -1, NULL }, -}; - -static void ipsec_hist(const u_quad_t *hist, size_t histmax, - const struct val2str *name, const char *title); -static void print_ipsecstats(const struct ipsecstat *ipsecstat); - - -/* - * Dump IPSEC statistics structure. 
- */ -static void -ipsec_hist(const u_quad_t *hist, size_t histmax, const struct val2str *name, - const char *title) +void +ipsec_stats(const struct stat_type *sttp) { - int first; - size_t proto; - const struct val2str *p; + const struct ipsec_stat *s; + int first, proto; - first = 1; - for (proto = 0; proto < histmax; proto++) { - if (hist[proto] <= 0) - continue; - if (first) { - printf("\t%s histogram:\n", title); - first = 0; - } - for (p = name; p && p->str; p++) { - if (p->val == (int)proto) - break; - } - if (p && p->str) { - printf("\t\t%s: %ju\n", p->str, (uintmax_t)hist[proto]); - } else { - printf("\t\t#%ld: %ju\n", (long)proto, - (uintmax_t)hist[proto]); - } - } -} - -static void -print_ipsecstats(const struct ipsecstat *ipsecstat) -{ -#define p(f, m) if (ipsecstat->f || sflag <= 1) \ - printf(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) -#define pes(f, m) if (ipsecstat->f || sflag <= 1) \ - printf(m, (uintmax_t)ipsecstat->f, plurales(ipsecstat->f)) -#define hist(f, n, t) \ - ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t)); - + s = netstat_get_ipsecstats(sttp); +#define p(f, m) if (netstat_ipsecs_get_##f(s) || sflag <= 1) \ + printf(m, (uintmax_t)netstat_ipsecs_get_##f(s), plural(netstat_ipsecs_get_##f(s))) +#define pes(f, m) if (netstat_ipsecs_get_##f(s) || sflag <= 1) \ + printf(m, netstat_ipsecs_get_##f(s), plurales(netstat_ipsecs_get_##f(s))) p(in_success, "\t%ju inbound packet%s processed successfully\n"); p(in_polvio, "\t%ju inbound packet%s violated process security " "policy\n"); 
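Review bot: The new `pes` macro passes the raw `u_int64_t` accessor result to `%ju`, while the `p` macro next to it casts to `(uintmax_t)`; `%ju` requires a `uintmax_t` argument, so the cast belongs in `pes` as well: `printf(m, (uintmax_t)netstat_ipsecs_get_##f(s), plurales(netstat_ipsecs_get_##f(s)))`. Separately, the implementation this replaces returned early on a zero address (`if (off == 0) return;`), whereas the new code dereferences `s` from `netstat_get_ipsecstats(sttp)` unconditionally; if that call can return NULL (not visible here), add `if (s == NULL) return;` before the first `p(...)`. The deleted `ipsec_hist()` also printed unknown algorithm numbers as `#N`; the new code relies on `netstat_ipsec_ahname()` and friends returning a printable string for every index, which should be confirmed since a NULL with `%s` is undefined. ipsec_stats() continues past the end of this hunk.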
@@ -225,10 +124,39 @@ p(in_espreplay, "\t%ju inbound packet%s failed on ESP replay check\n"); p(in_ahauthsucc, "\t%ju inbound packet%s considered authentic\n"); p(in_ahauthfail, "\t%ju inbound packet%s failed on authentication\n"); - hist(ipsecstat->in_ahhist, ipsec_ahnames, "AH input"); - hist(ipsecstat->in_esphist, ipsec_espnames, "ESP input"); - hist(ipsecstat->in_comphist, ipsec_compnames, "IPComp input"); - + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_AH_HIST_MAX; proto++) { + if (netstat_ipsecs_get_in_ahhist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tAH input histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_ahname(proto), + netstat_ipsecs_get_in_ahhist(s, proto)); + } + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_ESP_HIST_MAX; proto++) { + if (netstat_ipsecs_get_in_esphist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tESP input histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_espname(proto), + netstat_ipsecs_get_in_esphist(s, proto)); + } + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_IPCOMP_HIST_MAX; proto++) { + if (netstat_ipsecs_get_in_comphist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tIPcomp input histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_ipcompname(proto), + netstat_ipsecs_get_in_comphist(s, proto)); + } p(out_success, "\t%ju outbound packet%s processed successfully\n"); p(out_polvio, "\t%ju outbound packet%s violated process security " "policy\n"); 
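Review bot: The three inbound histogram loops in this hunk (and the three outbound ones in the next) are the same nine lines with only the title, bound, accessor and name function changed, which is the loop the removed `ipsec_hist()` helper used to encapsulate. A small static helper taking those four as arguments keeps one copy of the `first`/title logic and one place to put the `(uintmax_t)` cast that `%ju` needs and that these `printf` calls currently omit. The sketch below assumes the `netstat_ipsec_*name()` functions return `const char *`; adjust the pointer type if they do not. ipsec_stats() starts and ends outside this hunk.

```c
/* Print `title` and every non-zero bucket of one algorithm histogram. */
static void
ipsec_hist(const struct ipsec_stat *s, const char *title, int max,
    u_int64_t (*get)(const struct ipsec_stat *, int),
    const char *(*name)(int))
{
	int first, proto;

	first = 1;
	for (proto = 0; proto < max; proto++) {
		if (get(s, proto) == 0)
			continue;
		if (first) {
			printf("\t%s histogram:\n", title);
			first = 0;
		}
		printf("\t\t%s: %ju\n", name(proto), (uintmax_t)get(s, proto));
	}
}

/* … unchanged: ipsec_stats() up to p(in_ahauthfail, ...) … */
	ipsec_hist(s, "AH input", NETSTAT_IPSEC_AH_HIST_MAX,
	    netstat_ipsecs_get_in_ahhist, netstat_ipsec_ahname);
	ipsec_hist(s, "ESP input", NETSTAT_IPSEC_ESP_HIST_MAX,
	    netstat_ipsecs_get_in_esphist, netstat_ipsec_espname);
	ipsec_hist(s, "IPcomp input", NETSTAT_IPSEC_IPCOMP_HIST_MAX,
	    netstat_ipsecs_get_in_comphist, netstat_ipsec_ipcompname);
/* … unchanged: p(out_success, ...) onwards … */
```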
@@ -236,13 +164,42 @@ p(out_inval, "\t%ju invalid outbound packet%s\n"); p(out_nomem, "\t%ju outbound packet%s failed due to insufficient memory\n"); p(out_noroute, "\t%ju outbound packet%s with no route\n"); - hist(ipsecstat->out_ahhist, ipsec_ahnames, "AH output"); - hist(ipsecstat->out_esphist, ipsec_espnames, "ESP output"); - hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output"); + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_AH_HIST_MAX; proto++) { + if (netstat_ipsecs_get_out_ahhist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tAH output histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_ahname(proto), + netstat_ipsecs_get_out_ahhist(s, proto)); + } + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_ESP_HIST_MAX; proto++) { + if (netstat_ipsecs_get_out_esphist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tESP output histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_espname(proto), + netstat_ipsecs_get_out_esphist(s, proto)); + } + first = 1; + for (proto = 0; proto < NETSTAT_IPSEC_IPCOMP_HIST_MAX; proto++) { + if (netstat_ipsecs_get_out_comphist(s, proto) == 0) + continue; + if (first != 0) { + printf("\tIPcomp output histogram:\n"); + first = 0; + } + printf("\t\t%s: %ju\n", netstat_ipsec_ipcompname(proto), + netstat_ipsecs_get_out_comphist(s, proto)); + } p(spdcachelookup, "\t%ju SPD cache lookup%s\n"); pes(spdcachemiss, "\t%ju SPD cache miss%s\n"); #undef pes -#undef hist p(ips_in_polvio, "\t%ju inbound packet%s violated process " "security policy\n"); p(ips_out_polvio, "\t%ju outbound packet%s violated process " 
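Review bot: Each `printf("\t\t%s: %ju\n", ...)` in the three outbound histogram loops passes the `u_int64_t` accessor result directly to `%ju`, whereas the `p` macro used everywhere else in this function casts to `(uintmax_t)`; the conversion specifier requires `uintmax_t`, so write `printf("\t\t%s: %ju\n", netstat_ipsec_ahname(proto), (uintmax_t)netstat_ipsecs_get_out_ahhist(s, proto));` and the same for the ESP and IPcomp loops. The removed `hist()` path also handled algorithm numbers with no name by printing `#N`; here the name functions are trusted to return a string for all `NETSTAT_IPSEC_*_HIST_MAX` indices, which cannot be checked from this change and deserves either a confirmation or a fallback. ipsec_stats() starts and ends outside this hunk.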
@@ -262,19 +219,6 @@ } void -ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused) -{ - struct ipsecstat ipsecstat; - - if (off == 0) - return; - printf ("%s:\n", name); - kread(off, (char *)&ipsecstat, sizeof(ipsecstat)); - - print_ipsecstats(&ipsecstat); -} - -void ah_stats(const struct stat_type *sttp) { const struct ah_stat *s; ==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/main.c#38 (text+ko) ==== @@ -95,19 +95,15 @@ { .n_name = "_ngsocklist"}, #define N_IP6STAT 8 { .n_name = "_ip6stat" }, -#define N_IPSECSTAT 9 - { .n_name = "_ipsec4stat" }, -#define N_IPSEC6STAT 10 - { .n_name = "_ipsec6stat" }, -#define N_MRT6STAT 11 +#define N_MRT6STAT 9 { .n_name = "_mrt6stat" }, -#define N_MF6CTABLE 12 +#define N_MF6CTABLE 10 { .n_name = "_mf6ctable" }, -#define N_MIF6TABLE 13 +#define N_MIF6TABLE 11 { .n_name = "_mif6table" }, -#define N_RTTRASH 14 +#define N_RTTRASH 12 { .n_name = "_rttrash" }, -#define N_MFCTABLESIZE 15 +#define N_MFCTABLESIZE 13 { .n_name = "_mfctablesize" }, { .n_name = NULL }, }; @@ -144,8 +140,8 @@ { 0, 0, 1, NULL, igmp_stats, stat_IGMP, NULL, NULL, "igmp", 1, IPPROTO_IGMP }, #ifdef IPSEC - { -1, N_IPSECSTAT, 1, NULL, NULL, stat_MAX, /* keep as compat */ - ipsec_stats, NULL, "ipsec", 0, 0}, + { -1, 0, 1, NULL, ipsec_stats, stat_IPsec, /* keep as compat */ + NULL, NULL, "ipsec", 0, 0}, { -1, 0, 1, NULL, ah_stats, stat_AH, NULL, NULL, "ah", 0, 0}, { -1, 0, 1, NULL, esp_stats, stat_ESP, @@ -174,8 +170,8 @@ { 0, 0, 1, NULL, icmp6_stats, stat_ICMP6, NULL, icmp6_ifstats, "icmp6", 1, IPPROTO_ICMPV6 }, #ifdef IPSEC - { -1, N_IPSEC6STAT, 1, NULL, NULL, stat_MAX, - ipsec_stats, NULL, "ipsec6", 0, 0 }, + { -1, 0, 1, NULL, ipsec_stats, stat_IPsec, + NULL, NULL, "ipsec6", 0, 0 }, #endif #ifdef notyet { -1, 0, 1, NULL, pim6_stats, stat_PIM6,
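Review bot: The "ipsec6" protox entry is now mapped to `stat_IPsec`, and the only libnetstat table row added for that type in this change is `{ IPSECSTAT_VERSION, "net.inet.ipsec.ipsecstats", "_ipsec4stat" }`, so `netstat -s -p ipsec6` will print the IPv4 IPsec counters under the IPv6 label; the code being removed read `_ipsec6stat` for that entry. This looks like a regression rather than an intentional merge: the two counter sets are separate kernel objects. The fix is a second stat type, `stat_IPsec6,` in the netstat.h enum, a matching libnetstat row such as `{ IPSECSTAT_VERSION, "net.inet6.ipsec6.ipsecstats", "_ipsec6stat" },` (sysctl name to be confirmed against the kernel), and `{ -1, 0, 1, NULL, ipsec_stats, stat_IPsec6, NULL, NULL, "ipsec6", 0, 0 },` here. The `/* keep as compat */` remark on the "ipsec" entry referred to the now-deleted `N_IPSECSTAT` nlist slot and should go too.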