PERFORCE change 166848 for review
Gabor Pali
pgj at FreeBSD.org
Fri Jul 31 00:01:43 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=166848
Change 166848 by pgj at petymeg-current on 2009/07/31 00:01:20
Add support for IPsec statistics.
Affected files ...
.. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat.h#53 edit
.. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_internal.h#50 edit
.. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_stat.c#20 edit
.. //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_util.c#58 edit
.. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/extern.h#30 edit
.. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/ipsec.c#6 edit
.. //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/main.c#38 edit
Differences ...
==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat.h#53 (text+ko) ====
@@ -35,6 +35,8 @@
#ifdef IPSEC
#include <netipsec/keysock.h>
#include <netipsec/esp_var.h>
+#include <netipsec/ah_var.h>
+#include <netipsec/ipcomp_var.h>
#endif
#define NETSTAT_MAXCALLER 16
@@ -93,6 +95,9 @@
#define NETSTAT_ESP_HIST_MAX ESP_ALG_MAX
#define NETSTAT_AH_HIST_MAX AH_ALG_MAX
#define NETSTAT_IPCOMP_HIST_MAX IPCOMP_ALG_MAX
+#define NETSTAT_IPSEC_ESP_HIST_MAX 256
+#define NETSTAT_IPSEC_AH_HIST_MAX 256
+#define NETSTAT_IPSEC_IPCOMP_HIST_MAX 256
/* Enum for TCP states: */
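Review bot: The three `NETSTAT_IPSEC_*_HIST_MAX` limits are a bare `256`, and the same literal is repeated in the `IPSEC_ACCA(..., 256)` lines in netstat_util.c, so nothing ties either copy to the real size of the histogram arrays in `struct ipsecstat`. The removed netstat code derived the bound with `sizeof(f)/sizeof(f[0])`; if the kernel arrays change size, these copies would drift and the index passed to the histogram getters could run past the array (whether `STATS_ACCXA` range-checks the index is not visible here). I would at least pass the macro, e.g. `IPSEC_ACCA(in_esphist,NETSTAT_IPSEC_ESP_HIST_MAX);`, and add a comment on the defines such as `/* must match the histogram array sizes in struct ipsecstat */`.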
@@ -161,6 +166,7 @@
stat_ESP,
stat_AH,
stat_IPcomp,
+ stat_IPsec,
#endif
stat_MAX,
stat_Invalid,
@@ -1025,5 +1031,48 @@
u_int32_t netstat_ipcomps_get_pdrops(const struct ipcomp_stat *);
u_int32_t netstat_ipcomps_get_crypto(const struct ipcomp_stat *);
u_int32_t netstat_ipcomps_get_hist(const struct ipcomp_stat *, int);
+
+const struct ipsec_stat *netstat_get_ipsecstats(const struct stat_type *);
+
+u_int64_t netstat_ipsecs_get_in_success(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_polvio(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_nosa(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_inval(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_nomem(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_badspi(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahreplay(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espreplay(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahauthsucc(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_ahauthfail(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espauthsucc(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_espauthfail(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_in_esphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_in_ahhist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_in_comphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_success(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_polvio(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_nosa(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_inval(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_nomem(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_noroute(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_out_esphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_ahhist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_out_comphist(const struct ipsec_stat *, int);
+u_int64_t netstat_ipsecs_get_spdcachelookup(const struct ipsec_stat *);
+u_int64_t netstat_ipsecs_get_spdcachemiss(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_in_polvio(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_polvio(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_nosa(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_nomem(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_noroute(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_inval(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_out_bundlesa(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_mbcoalesced(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_clcoalesced(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_clcopied(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_mbinserted(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_input_front(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_input_middle(const struct ipsec_stat *);
+u_int32_t netstat_ipsecs_get_ips_input_end(const struct ipsec_stat *);
#endif /* !IPSEC */
#endif /* !_NETSTAT_H_ */
==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_internal.h#50 (text+ko) ====
@@ -70,6 +70,7 @@
#include <netipsec/esp_var.h>
#include <netipsec/ah_var.h>
#include <netipsec/ipcomp_var.h>
+#include <netipsec/ipsec.h>
#endif
#include "netstat.h"
@@ -390,6 +391,10 @@
struct ipcomp_stat {
struct ipcompstat s;
};
+
+struct ipsec_stat {
+ struct ipsecstat s;
+};
#endif
/* Timestamp type. */
==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_stat.c#20 (text+ko) ====
@@ -91,6 +91,7 @@
{ ESPSTAT_VERSION, "net.inet.esp.stats", "_espstat" },
{ AHSTAT_VERSION, "net.inet.ah.stats", "_ahstat" },
{ IPCOMPSTAT_VERSION, "net.inet.ipcomp.stats", "_ipcompstat" },
+ { IPSECSTAT_VERSION, "net.inet.ipsec.ipsecstats", "_ipsec4stat" },
#endif
};
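Review bot: Only the IPv4 counter set is registered here (`net.inet.ipsec.ipsecstats` / `_ipsec4stat`), yet the main.c hunks point both the `ipsec` and the `ipsec6` protocol rows at `stat_IPsec` and drop `N_IPSEC6STAT` / `_ipsec6stat`. As written, `ipsec6` would appear to print the IPv4 IPsec counters, so IPv6 policy-violation, replay and authentication-failure counts are no longer visible to anyone monitoring them. A separate table entry and stat type for the IPv6 set (the enum hunk in netstat.h adds only `stat_IPsec`) would keep the two apart. Until then, a comment on the `ipsec6` row saying it is not yet backed by its own statistics would avoid misreading the output.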
==== //depot/projects/soc2009/pgj_libstat/src/lib/libnetstat/netstat_util.c#58 (text+ko) ====
@@ -2002,6 +2002,60 @@
#undef IPCOMP_ACC
#undef IPCOMP_ACC64
#undef IPCOMP_ACCA
+
+#define IPSEC_ACC(field) \
+ STATS_ACCX(u_int64_t,ipsec,field,field)
+
+#define IPSEC_ACC32(field) \
+ STATS_ACCX(u_int32_t,ipsec,field,field)
+
+#define IPSEC_ACCA(field,size) \
+ STATS_ACCXA(u_int64_t,ipsec,field,field,size)
+
+STATS_GET(ipsec,IPsec);
+IPSEC_ACC(in_success);
+IPSEC_ACC(in_polvio);
+IPSEC_ACC(in_nosa);
+IPSEC_ACC(in_inval);
+IPSEC_ACC(in_nomem);
+IPSEC_ACC(in_badspi);
+IPSEC_ACC(in_ahreplay);
+IPSEC_ACC(in_espreplay);
+IPSEC_ACC(in_ahauthsucc);
+IPSEC_ACC(in_ahauthfail);
+IPSEC_ACC(in_espauthsucc);
+IPSEC_ACC(in_espauthfail);
+IPSEC_ACCA(in_esphist,256);
+IPSEC_ACCA(in_ahhist,256);
+IPSEC_ACCA(in_comphist,256);
+IPSEC_ACC(out_success);
+IPSEC_ACC(out_polvio);
+IPSEC_ACC(out_nosa);
+IPSEC_ACC(out_inval);
+IPSEC_ACC(out_nomem);
+IPSEC_ACC(out_noroute);
+IPSEC_ACCA(out_esphist,256);
+IPSEC_ACCA(out_ahhist,256);
+IPSEC_ACCA(out_comphist,256);
+IPSEC_ACC(spdcachelookup);
+IPSEC_ACC(spdcachemiss);
+IPSEC_ACC32(ips_in_polvio);
+IPSEC_ACC32(ips_out_polvio);
+IPSEC_ACC32(ips_out_nosa);
+IPSEC_ACC32(ips_out_nomem);
+IPSEC_ACC32(ips_out_noroute);
+IPSEC_ACC32(ips_out_inval);
+IPSEC_ACC32(ips_out_bundlesa);
+IPSEC_ACC32(ips_mbcoalesced);
+IPSEC_ACC32(ips_clcoalesced);
+IPSEC_ACC32(ips_clcopied);
+IPSEC_ACC32(ips_mbinserted);
+IPSEC_ACC32(ips_input_front);
+IPSEC_ACC32(ips_input_middle);
+IPSEC_ACC32(ips_input_end);
+#undef IPSEC_ACC
+#undef IPSEC_ACC32
+#undef IPSEC_ACCA
#endif /* !IPSEC */
static const char *icmpnames[ICMP_MAXTYPE + 1] = {
==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/extern.h#30 (text+ko) ====
@@ -87,7 +87,7 @@
void carp_stats(const struct stat_type *);
void pfsync_stats(const struct stat_type *);
#ifdef IPSEC
-void ipsec_stats(u_long, const char *, int, int);
+void ipsec_stats(const struct stat_type *);
void esp_stats(const struct stat_type *);
void ah_stats(const struct stat_type *);
void ipcomp_stats(const struct stat_type *);
==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/ipsec.c#6 (text+ko) ====
@@ -27,6 +27,7 @@
*/
/*-
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * Copyright (c) 2009 Gabor Pali
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -95,125 +96,23 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.18 2008/01/02 23:26:11 obrien Exp $");
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-
-#include <netinet/in.h>
-#include <netipsec/ipsec.h>
-#include <netipsec/ah_var.h>
-#include <netipsec/esp_var.h>
-#include <netipsec/ipcomp_var.h>
+#include <sys/types.h>
-#include <stdint.h>
#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
#include <netstat.h>
#include "extern.h"
-struct val2str {
- int val;
- const char *str;
-};
-
-static struct val2str ipsec_ahnames[] = {
- { SADB_AALG_NONE, "none", },
- { SADB_AALG_MD5HMAC, "hmac-md5", },
- { SADB_AALG_SHA1HMAC, "hmac-sha1", },
- { SADB_X_AALG_MD5, "md5", },
- { SADB_X_AALG_SHA, "sha", },
- { SADB_X_AALG_NULL, "null", },
-#ifdef SADB_X_AALG_SHA2_256
- { SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
-#endif
-#ifdef SADB_X_AALG_SHA2_384
- { SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
-#endif
-#ifdef SADB_X_AALG_SHA2_512
- { SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
-#endif
-#ifdef SADB_X_AALG_RIPEMD160HMAC
- { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
-#endif
-#ifdef SADB_X_AALG_AES_XCBC_MAC
- { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
-#endif
- { -1, NULL },
-};
-
-static struct val2str ipsec_espnames[] = {
- { SADB_EALG_NONE, "none", },
- { SADB_EALG_DESCBC, "des-cbc", },
- { SADB_EALG_3DESCBC, "3des-cbc", },
- { SADB_EALG_NULL, "null", },
- { SADB_X_EALG_CAST128CBC, "cast128-cbc", },
- { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
-#ifdef SADB_X_EALG_RIJNDAELCBC
- { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
-#endif
-#ifdef SADB_X_EALG_AESCTR
- { SADB_X_EALG_AESCTR, "aes-ctr", },
-#endif
- { -1, NULL },
-};
-
-static struct val2str ipsec_compnames[] = {
- { SADB_X_CALG_NONE, "none", },
- { SADB_X_CALG_OUI, "oui", },
- { SADB_X_CALG_DEFLATE, "deflate", },
- { SADB_X_CALG_LZS, "lzs", },
- { -1, NULL },
-};
-
-static void ipsec_hist(const u_quad_t *hist, size_t histmax,
- const struct val2str *name, const char *title);
-static void print_ipsecstats(const struct ipsecstat *ipsecstat);
-
-
-/*
- * Dump IPSEC statistics structure.
- */
-static void
-ipsec_hist(const u_quad_t *hist, size_t histmax, const struct val2str *name,
- const char *title)
+void
+ipsec_stats(const struct stat_type *sttp)
{
- int first;
- size_t proto;
- const struct val2str *p;
+ const struct ipsec_stat *s;
+ int first, proto;
- first = 1;
- for (proto = 0; proto < histmax; proto++) {
- if (hist[proto] <= 0)
- continue;
- if (first) {
- printf("\t%s histogram:\n", title);
- first = 0;
- }
- for (p = name; p && p->str; p++) {
- if (p->val == (int)proto)
- break;
- }
- if (p && p->str) {
- printf("\t\t%s: %ju\n", p->str, (uintmax_t)hist[proto]);
- } else {
- printf("\t\t#%ld: %ju\n", (long)proto,
- (uintmax_t)hist[proto]);
- }
- }
-}
-
-static void
-print_ipsecstats(const struct ipsecstat *ipsecstat)
-{
-#define p(f, m) if (ipsecstat->f || sflag <= 1) \
- printf(m, (uintmax_t)ipsecstat->f, plural(ipsecstat->f))
-#define pes(f, m) if (ipsecstat->f || sflag <= 1) \
- printf(m, (uintmax_t)ipsecstat->f, plurales(ipsecstat->f))
-#define hist(f, n, t) \
- ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t));
-
+ s = netstat_get_ipsecstats(sttp);
+#define p(f, m) if (netstat_ipsecs_get_##f(s) || sflag <= 1) \
+ printf(m, (uintmax_t)netstat_ipsecs_get_##f(s), plural(netstat_ipsecs_get_##f(s)))
+#define pes(f, m) if (netstat_ipsecs_get_##f(s) || sflag <= 1) \
+ printf(m, netstat_ipsecs_get_##f(s), plurales(netstat_ipsecs_get_##f(s)))
p(in_success, "\t%ju inbound packet%s processed successfully\n");
p(in_polvio, "\t%ju inbound packet%s violated process security "
"policy\n");
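Review bot: The new `pes` macro passes `netstat_ipsecs_get_##f(s)` to a `%ju` conversion without the `(uintmax_t)` cast that `p` has, and the histogram `printf` calls in the two following hunks do the same with the `u_int64_t` getters. `%ju` requires a `uintmax_t` argument, so this relies on the two types being identical; write `printf(m, (uintmax_t)netstat_ipsecs_get_##f(s), plurales(netstat_ipsecs_get_##f(s)))`. This hunk also removes `#include <stdint.h>` although `uintmax_t` is still used, so the type must now arrive through another header. `s` is used without a check; if `netstat_get_ipsecstats()` can return NULL, which is not visible here, a guard is needed before the first `p(...)`. The body of `ipsec_stats` continues outside the hunk.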
@@ -225,10 +124,39 @@
p(in_espreplay, "\t%ju inbound packet%s failed on ESP replay check\n");
p(in_ahauthsucc, "\t%ju inbound packet%s considered authentic\n");
p(in_ahauthfail, "\t%ju inbound packet%s failed on authentication\n");
- hist(ipsecstat->in_ahhist, ipsec_ahnames, "AH input");
- hist(ipsecstat->in_esphist, ipsec_espnames, "ESP input");
- hist(ipsecstat->in_comphist, ipsec_compnames, "IPComp input");
-
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_AH_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_in_ahhist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tAH input histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_ahname(proto),
+ netstat_ipsecs_get_in_ahhist(s, proto));
+ }
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_ESP_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_in_esphist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tESP input histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_espname(proto),
+ netstat_ipsecs_get_in_esphist(s, proto));
+ }
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_IPCOMP_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_in_comphist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tIPcomp input histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_ipcompname(proto),
+ netstat_ipsecs_get_in_comphist(s, proto));
+ }
p(out_success, "\t%ju outbound packet%s processed successfully\n");
p(out_polvio, "\t%ju outbound packet%s violated process security "
"policy\n");
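Review bot: The value of `netstat_ipsec_ahname(proto)` (and of the ESP and IPcomp helpers) goes straight into `%s`, while the removed `ipsec_hist()` fell back to printing `#<index>` when no name matched. These helpers are neither declared nor defined in this change, so whether they can return NULL for an unassigned algorithm number cannot be confirmed from here; if they can, passing NULL to `%s` is undefined behaviour, and counters for unrecognised algorithms would lose their numeric label. Either document on the helpers that they never return NULL, or keep the fallback at the call site. The same applies to the output loops in the next hunk; both hunks sit in the middle of `ipsec_stats`.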
@@ -236,13 +164,42 @@
p(out_inval, "\t%ju invalid outbound packet%s\n");
p(out_nomem, "\t%ju outbound packet%s failed due to insufficient memory\n");
p(out_noroute, "\t%ju outbound packet%s with no route\n");
- hist(ipsecstat->out_ahhist, ipsec_ahnames, "AH output");
- hist(ipsecstat->out_esphist, ipsec_espnames, "ESP output");
- hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output");
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_AH_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_out_ahhist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tAH output histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_ahname(proto),
+ netstat_ipsecs_get_out_ahhist(s, proto));
+ }
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_ESP_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_out_esphist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tESP output histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_espname(proto),
+ netstat_ipsecs_get_out_esphist(s, proto));
+ }
+ first = 1;
+ for (proto = 0; proto < NETSTAT_IPSEC_IPCOMP_HIST_MAX; proto++) {
+ if (netstat_ipsecs_get_out_comphist(s, proto) == 0)
+ continue;
+ if (first != 0) {
+ printf("\tIPcomp output histogram:\n");
+ first = 0;
+ }
+ printf("\t\t%s: %ju\n", netstat_ipsec_ipcompname(proto),
+ netstat_ipsecs_get_out_comphist(s, proto));
+ }
p(spdcachelookup, "\t%ju SPD cache lookup%s\n");
pes(spdcachemiss, "\t%ju SPD cache miss%s\n");
#undef pes
-#undef hist
p(ips_in_polvio, "\t%ju inbound packet%s violated process "
"security policy\n");
p(ips_out_polvio, "\t%ju outbound packet%s violated process "
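Review bot: The three output loops in this hunk and the three input loops in the previous one differ only in the getter, the name helper, the limit and the title, which is what the removed `ipsec_hist()` used to factor out. A small static helper taking the getter and the name function as pointers would bring `ipsec_stats` back to six short calls and give one place for the `(uintmax_t)` cast. The sketch assumes the name helpers take an `int` and return `const char *`, which this change does not show. `ipsec_stats` starts and ends outside this hunk.

```c
/* Print the non-zero entries of one per-algorithm histogram. */
static void
ipsec_hist(const struct ipsec_stat *s, int histmax,
    u_int64_t (*get)(const struct ipsec_stat *, int),
    const char *(*name)(int), const char *title)
{
	int first, proto;

	first = 1;
	for (proto = 0; proto < histmax; proto++) {
		if (get(s, proto) == 0)
			continue;
		if (first != 0) {
			printf("\t%s histogram:\n", title);
			first = 0;
		}
		printf("\t\t%s: %ju\n", name(proto),
		    (uintmax_t)get(s, proto));
	}
}

/* … unchanged: p(out_success …) through p(out_noroute …) … */
	ipsec_hist(s, NETSTAT_IPSEC_AH_HIST_MAX,
	    netstat_ipsecs_get_out_ahhist, netstat_ipsec_ahname, "AH output");
	ipsec_hist(s, NETSTAT_IPSEC_ESP_HIST_MAX,
	    netstat_ipsecs_get_out_esphist, netstat_ipsec_espname, "ESP output");
	ipsec_hist(s, NETSTAT_IPSEC_IPCOMP_HIST_MAX,
	    netstat_ipsecs_get_out_comphist, netstat_ipsec_ipcompname,
	    "IPcomp output");
```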
@@ -262,19 +219,6 @@
}
void
-ipsec_stats(u_long off, const char *name, int af1 __unused, int proto __unused)
-{
- struct ipsecstat ipsecstat;
-
- if (off == 0)
- return;
- printf ("%s:\n", name);
- kread(off, (char *)&ipsecstat, sizeof(ipsecstat));
-
- print_ipsecstats(&ipsecstat);
-}
-
-void
ah_stats(const struct stat_type *sttp)
{
const struct ah_stat *s;
==== //depot/projects/soc2009/pgj_libstat/src/usr.bin/netstat/main.c#38 (text+ko) ====
@@ -95,19 +95,15 @@
{ .n_name = "_ngsocklist"},
#define N_IP6STAT 8
{ .n_name = "_ip6stat" },
-#define N_IPSECSTAT 9
- { .n_name = "_ipsec4stat" },
-#define N_IPSEC6STAT 10
- { .n_name = "_ipsec6stat" },
-#define N_MRT6STAT 11
+#define N_MRT6STAT 9
{ .n_name = "_mrt6stat" },
-#define N_MF6CTABLE 12
+#define N_MF6CTABLE 10
{ .n_name = "_mf6ctable" },
-#define N_MIF6TABLE 13
+#define N_MIF6TABLE 11
{ .n_name = "_mif6table" },
-#define N_RTTRASH 14
+#define N_RTTRASH 12
{ .n_name = "_rttrash" },
-#define N_MFCTABLESIZE 15
+#define N_MFCTABLESIZE 13
{ .n_name = "_mfctablesize" },
{ .n_name = NULL },
};
@@ -144,8 +140,8 @@
{ 0, 0, 1, NULL, igmp_stats, stat_IGMP,
NULL, NULL, "igmp", 1, IPPROTO_IGMP },
#ifdef IPSEC
- { -1, N_IPSECSTAT, 1, NULL, NULL, stat_MAX, /* keep as compat */
- ipsec_stats, NULL, "ipsec", 0, 0},
+ { -1, 0, 1, NULL, ipsec_stats, stat_IPsec, /* keep as compat */
+ NULL, NULL, "ipsec", 0, 0},
{ -1, 0, 1, NULL, ah_stats, stat_AH,
NULL, NULL, "ah", 0, 0},
{ -1, 0, 1, NULL, esp_stats, stat_ESP,
@@ -174,8 +170,8 @@
{ 0, 0, 1, NULL, icmp6_stats, stat_ICMP6,
NULL, icmp6_ifstats, "icmp6", 1, IPPROTO_ICMPV6 },
#ifdef IPSEC
- { -1, N_IPSEC6STAT, 1, NULL, NULL, stat_MAX,
- ipsec_stats, NULL, "ipsec6", 0, 0 },
+ { -1, 0, 1, NULL, ipsec_stats, stat_IPsec,
+ NULL, NULL, "ipsec6", 0, 0 },
#endif
#ifdef notyet
{ -1, 0, 1, NULL, pim6_stats, stat_PIM6,