From owner-svn-src-head@FreeBSD.ORG Tue Jul 23 14:14:26 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id C63F1347; Tue, 23 Jul 2013 14:14:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B609F20CD; Tue, 23 Jul 2013 14:14:26 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r6NEEQS2035684; Tue, 23 Jul 2013 14:14:26 GMT (envelope-from ae@svn.freebsd.org) Received: (from ae@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r6NEEP5l035673; Tue, 23 Jul 2013 14:14:25 GMT (envelope-from ae@svn.freebsd.org) Message-Id: <201307231414.r6NEEP5l035673@svn.freebsd.org> From: "Andrey V. Elsukov" Date: Tue, 23 Jul 2013 14:14:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r253571 - in head: sys/netinet sys/netinet6 sys/netipsec usr.bin/netstat X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jul 2013 14:14:27 -0000 Author: ae Date: Tue Jul 23 14:14:24 2013 New Revision: 253571 URL: http://svnweb.freebsd.org/changeset/base/253571 Log: Remove the large part of struct ipsecstat. Only few fields of this structure is used, but they already have equal fields in the struct newipsecstat, that was introduced with FAST_IPSEC and then was merged together with old ipsecstat structure. This fixes kernel stack overflow on some architectures after migration ipsecstat to PCPU counters. Reported by: Taku YAMAMOTO, Maciej Milewski Modified: head/sys/netinet/sctp_input.c head/sys/netinet/tcp_input.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/ip6_forward.c head/sys/netinet6/raw_ip6.c head/sys/netinet6/udp6_usrreq.c head/sys/netipsec/ipsec.h head/usr.bin/netstat/ipsec.c Modified: head/sys/netinet/sctp_input.c ============================================================================== --- head/sys/netinet/sctp_input.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet/sctp_input.c Tue Jul 23 14:14:24 2013 (r253571) @@ -5705,7 +5705,7 @@ sctp_common_input_processing(struct mbuf #ifdef INET case AF_INET: if (ipsec4_in_reject(m, &inp->ip_inp.inp)) { - IPSECSTAT_INC(in_polvio); + IPSECSTAT_INC(ips_in_polvio); SCTP_STAT_INCR(sctps_hdrops); goto out; } @@ -5714,7 +5714,7 @@ sctp_common_input_processing(struct mbuf #ifdef INET6 case AF_INET6: if (ipsec6_in_reject(m, &inp->ip_inp.inp)) { - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); SCTP_STAT_INCR(sctps_hdrops); goto out; } Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet/tcp_input.c Tue Jul 23 14:14:24 2013 (r253571) @@ -899,12 +899,12 @@ findpcb: #ifdef IPSEC #ifdef INET6 if (isipv6 && ipsec6_in_reject(m, inp)) { - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); goto dropunlock; } else #endif /* INET6 */ if (ipsec4_in_reject(m, inp) != 0) { - IPSECSTAT_INC(in_polvio); + IPSECSTAT_INC(ips_in_polvio); goto dropunlock; } #endif /* IPSEC */ Modified: head/sys/netinet/udp_usrreq.c ============================================================================== --- head/sys/netinet/udp_usrreq.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet/udp_usrreq.c Tue Jul 23 14:14:24 2013 (r253571) @@ -282,7 +282,7 @@ udp_append(struct inpcb *inp, struct ip /* Check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { m_freem(n); - IPSECSTAT_INC(in_polvio); + IPSECSTAT_INC(ips_in_polvio); return; } #ifdef IPSEC_NAT_T @@ -1294,7 +1294,7 @@ udp4_espdecap(struct inpcb *inp, struct if (minlen > m->m_pkthdr.len) minlen = m->m_pkthdr.len; if ((m = m_pullup(m, minlen)) == NULL) { - IPSECSTAT_INC(in_inval); + IPSECSTAT_INC(ips_in_inval); return (NULL); /* Bypass caller processing. */ } data = mtod(m, caddr_t); /* Points to ip header. */ @@ -1334,7 +1334,7 @@ udp4_espdecap(struct inpcb *inp, struct uint32_t spi; if (payload <= sizeof(struct esp)) { - IPSECSTAT_INC(in_inval); + IPSECSTAT_INC(ips_in_inval); m_freem(m); return (NULL); /* Discard. */ } @@ -1355,7 +1355,7 @@ udp4_espdecap(struct inpcb *inp, struct tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS, 2 * sizeof(uint16_t), M_NOWAIT); if (tag == NULL) { - IPSECSTAT_INC(in_nomem); + IPSECSTAT_INC(ips_in_nomem); m_freem(m); return (NULL); /* Discard. */ } Modified: head/sys/netinet6/ip6_forward.c ============================================================================== --- head/sys/netinet6/ip6_forward.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet6/ip6_forward.c Tue Jul 23 14:14:24 2013 (r253571) @@ -120,7 +120,7 @@ ip6_forward(struct mbuf *m, int srcrt) * before forwarding packet actually. */ if (ipsec6_in_reject(m, NULL)) { - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); m_freem(m); return; } @@ -182,7 +182,7 @@ ip6_forward(struct mbuf *m, int srcrt) sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error); if (sp == NULL) { - IPSEC6STAT_INC(out_inval); + IPSEC6STAT_INC(ips_out_inval); IP6STAT_INC(ip6s_cantforward); if (mcopy) { #if 0 @@ -203,7 +203,7 @@ ip6_forward(struct mbuf *m, int srcrt) /* * This packet is just discarded. */ - IPSEC6STAT_INC(out_polvio); + IPSEC6STAT_INC(ips_out_polvio); IP6STAT_INC(ip6s_cantforward); KEY_FREESP(&sp); if (mcopy) { Modified: head/sys/netinet6/raw_ip6.c ============================================================================== --- head/sys/netinet6/raw_ip6.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet6/raw_ip6.c Tue Jul 23 14:14:24 2013 (r253571) @@ -269,7 +269,7 @@ rip6_input(struct mbuf **mp, int *offp, */ if (n && ipsec6_in_reject(n, last)) { m_freem(n); - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); /* Do not inject data into pcb. */ } else #endif /* IPSEC */ @@ -301,7 +301,7 @@ rip6_input(struct mbuf **mp, int *offp, */ if ((last != NULL) && ipsec6_in_reject(m, last)) { m_freem(m); - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); IP6STAT_DEC(ip6s_delivered); /* Do not inject data into pcb. */ INP_RUNLOCK(last); Modified: head/sys/netinet6/udp6_usrreq.c ============================================================================== --- head/sys/netinet6/udp6_usrreq.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netinet6/udp6_usrreq.c Tue Jul 23 14:14:24 2013 (r253571) @@ -141,7 +141,7 @@ udp6_append(struct inpcb *inp, struct mb /* Check AH/ESP integrity. */ if (ipsec6_in_reject(n, inp)) { m_freem(n); - IPSEC6STAT_INC(in_polvio); + IPSEC6STAT_INC(ips_in_polvio); return; } #endif /* IPSEC */ Modified: head/sys/netipsec/ipsec.h ============================================================================== --- head/sys/netipsec/ipsec.h Tue Jul 23 14:02:38 2013 (r253570) +++ head/sys/netipsec/ipsec.h Tue Jul 23 14:14:24 2013 (r253571) @@ -217,43 +217,17 @@ struct secspacq { /* statistics for ipsec processing */ struct ipsecstat { - uint64_t in_success; /* succeeded inbound process */ - uint64_t in_polvio; - /* security policy violation for inbound process */ - uint64_t in_nosa; /* inbound SA is unavailable */ - uint64_t in_inval; /* inbound processing failed due to EINVAL */ - uint64_t in_nomem; /* inbound processing failed due to ENOBUFS */ - uint64_t in_badspi; /* failed getting a SPI */ - uint64_t in_ahreplay; /* AH replay check failed */ - uint64_t in_espreplay; /* ESP replay check failed */ - uint64_t in_ahauthsucc; /* AH authentication success */ - uint64_t in_ahauthfail; /* AH authentication failure */ - uint64_t in_espauthsucc; /* ESP authentication success */ - uint64_t in_espauthfail; /* ESP authentication failure */ - uint64_t in_esphist[256]; - uint64_t in_ahhist[256]; - uint64_t in_comphist[256]; - uint64_t out_success; /* succeeded outbound process */ - uint64_t out_polvio; - /* security policy violation for outbound process */ - uint64_t out_nosa; /* outbound SA is unavailable */ - uint64_t out_inval; /* outbound process failed due to EINVAL */ - uint64_t out_nomem; /* inbound processing failed due to ENOBUFS */ - uint64_t out_noroute; /* there is no route */ - uint64_t out_esphist[256]; - uint64_t out_ahhist[256]; - uint64_t out_comphist[256]; - - uint64_t spdcachelookup; - uint64_t spdcachemiss; - uint64_t ips_in_polvio; /* input: sec policy violation */ + uint64_t ips_in_nomem; /* input: no memory available */ + uint64_t ips_in_inval; /* input: generic error */ + uint64_t ips_out_polvio; /* output: sec policy violation */ uint64_t ips_out_nosa; /* output: SA unavailable */ uint64_t ips_out_nomem; /* output: no memory available */ uint64_t ips_out_noroute; /* output: no route available */ uint64_t ips_out_inval; /* output: generic error */ uint64_t ips_out_bundlesa; /* output: bundled SA processed */ + uint64_t ips_mbcoalesced; /* mbufs coalesced during clone */ uint64_t ips_clcoalesced; /* clusters coalesced during clone */ uint64_t ips_clcopied; /* clusters copied during clone */ Modified: head/usr.bin/netstat/ipsec.c ============================================================================== --- head/usr.bin/netstat/ipsec.c Tue Jul 23 14:02:38 2013 (r253570) +++ head/usr.bin/netstat/ipsec.c Tue Jul 23 14:14:24 2013 (r253571) @@ -166,84 +166,18 @@ static struct val2str ipsec_compnames[] { -1, NULL }, }; -static void ipsec_hist(const u_quad_t *hist, size_t histmax, - const struct val2str *name, const char *title); static void print_ipsecstats(const struct ipsecstat *ipsecstat); - -/* - * Dump IPSEC statistics structure. - */ -static void -ipsec_hist(const u_quad_t *hist, size_t histmax, const struct val2str *name, - const char *title) -{ - int first; - size_t proto; - const struct val2str *p; - - first = 1; - for (proto = 0; proto < histmax; proto++) { - if (hist[proto] <= 0) - continue; - if (first) { - printf("\t%s histogram:\n", title); - first = 0; - } - for (p = name; p && p->str; p++) { - if (p->val == (int)proto) - break; - } - if (p && p->str) { - printf("\t\t%s: %ju\n", p->str, (uintmax_t)hist[proto]); - } else { - printf("\t\t#%ld: %ju\n", (long)proto, - (uintmax_t)hist[proto]); - } - } -} - static void print_ipsecstats(const struct ipsecstat *ipsecstat) { #define p(f, m) if (ipsecstat->f || sflag <= 1) \ printf(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f)) -#define pes(f, m) if (ipsecstat->f || sflag <= 1) \ - printf(m, (uintmax_t)ipsecstat->f, plurales(ipsecstat->f)) -#define hist(f, n, t) \ - ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t)); - - p(in_success, "\t%ju inbound packet%s processed successfully\n"); - p(in_polvio, "\t%ju inbound packet%s violated process security " - "policy\n"); - p(in_nosa, "\t%ju inbound packet%s with no SA available\n"); - p(in_inval, "\t%ju invalid inbound packet%s\n"); - p(in_nomem, "\t%ju inbound packet%s failed due to insufficient memory\n"); - p(in_badspi, "\t%ju inbound packet%s failed getting SPI\n"); - p(in_ahreplay, "\t%ju inbound packet%s failed on AH replay check\n"); - p(in_espreplay, "\t%ju inbound packet%s failed on ESP replay check\n"); - p(in_ahauthsucc, "\t%ju inbound packet%s considered authentic\n"); - p(in_ahauthfail, "\t%ju inbound packet%s failed on authentication\n"); - hist(ipsecstat->in_ahhist, ipsec_ahnames, "AH input"); - hist(ipsecstat->in_esphist, ipsec_espnames, "ESP input"); - hist(ipsecstat->in_comphist, ipsec_compnames, "IPComp input"); - - p(out_success, "\t%ju outbound packet%s processed successfully\n"); - p(out_polvio, "\t%ju outbound packet%s violated process security " - "policy\n"); - p(out_nosa, "\t%ju outbound packet%s with no SA available\n"); - p(out_inval, "\t%ju invalid outbound packet%s\n"); - p(out_nomem, "\t%ju outbound packet%s failed due to insufficient memory\n"); - p(out_noroute, "\t%ju outbound packet%s with no route\n"); - hist(ipsecstat->out_ahhist, ipsec_ahnames, "AH output"); - hist(ipsecstat->out_esphist, ipsec_espnames, "ESP output"); - hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output"); - p(spdcachelookup, "\t%ju SPD cache lookup%s\n"); - pes(spdcachemiss, "\t%ju SPD cache miss%s\n"); -#undef pes -#undef hist p(ips_in_polvio, "\t%ju inbound packet%s violated process " "security policy\n"); + p(ips_in_nomem, "\t%ju inbound packet%s failed due to " + "insufficient memory\n"); + p(ips_in_inval, "\t%ju invalid inbound packet%s\n"); p(ips_out_polvio, "\t%ju outbound packet%s violated process " "security policy\n"); p(ips_out_nosa, "\t%ju outbound packet%s with no SA available\n");