svn commit: r308844 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sat Nov 19 16:23:55 UTC 2016
Author: ae
Date: Sat Nov 19 16:23:54 2016
New Revision: 308844
URL: https://svnweb.freebsd.org/changeset/base/308844
Log:
Adjust key_debug code to produce more readable output.
Add KEYDBG() macro that eventually will replace KEYDEBUG() macro.
Add IPSEC_ADDRSTRLEN macro to specify maximum buffer size needed
to format printable version of IP address used by IPsec.
It is equal to INET6_ADDRSTRLEN + '%' + strlen(maximum value of
sin6_scope_id).
Modified:
projects/ipsec/sys/netipsec/ipsec.h
projects/ipsec/sys/netipsec/key_debug.c
projects/ipsec/sys/netipsec/key_debug.h
Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h Sat Nov 19 16:08:40 2016 (r308843)
+++ projects/ipsec/sys/netipsec/ipsec.h Sat Nov 19 16:23:54 2016 (r308844)
@@ -146,6 +146,9 @@ struct secspacq {
};
#endif /* _KERNEL */
+/* buffer size for formatted output of ipsec address */
+#define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11)
+
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY 0
#define IPSEC_ULPROTO_ANY 255
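Review bot: The `+ 11` in the new IPSEC_ADDRSTRLEN definition is a magic number whose derivation lives only in the commit message; the header comment should carry it so a reader can check the bound where the constant is defined. Suggest replacing the one-line comment with `/* INET6_ADDRSTRLEN already counts the NUL; add '%' plus up to 10 decimal digits of a 32-bit sin6_scope_id. */`. The stack buffers in key_debug.c are sized from this constant, so if ipsec_address() ever formats anything beyond the scope-id suffix the constant must be revisited together with it.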
Modified: projects/ipsec/sys/netipsec/key_debug.c
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.c Sat Nov 19 16:08:40 2016 (r308843)
+++ projects/ipsec/sys/netipsec/key_debug.c Sat Nov 19 16:23:54 2016 (r308844)
@@ -54,6 +54,7 @@
#include <netipsec/ipsec.h>
#ifdef _KERNEL
#include <netipsec/keydb.h>
+#include <netipsec/xform.h>
#endif
#ifndef _KERNEL
@@ -456,134 +457,219 @@ kdebug_sadb_x_policy(struct sadb_ext *ex
#ifdef _KERNEL
/* %%%: about SPD and SAD */
-void
-kdebug_secpolicy(struct secpolicy *sp)
+const char*
+kdebug_secpolicy_state(u_int state)
{
- /* sanity check */
- if (sp == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
- printf("secpolicy{ refcnt=%u policy=%u\n",
- sp->refcnt, sp->policy);
+ switch (state) {
+ case IPSEC_SPSTATE_DEAD:
+ return ("dead");
+ case IPSEC_SPSTATE_LARVAL:
+ return ("larval");
+ case IPSEC_SPSTATE_ALIVE:
+ return ("alive");
+ case IPSEC_SPSTATE_PCB:
+ return ("pcb");
+ case IPSEC_SPSTATE_IFNET:
+ return ("ifnet");
+ }
+ return ("unknown");
+}
- kdebug_secpolicyindex(&sp->spidx);
+const char*
+kdebug_secpolicy_policy(u_int policy)
+{
- switch (sp->policy) {
+ switch (policy) {
case IPSEC_POLICY_DISCARD:
- printf(" type=discard }\n");
- break;
+ return ("discard");
case IPSEC_POLICY_NONE:
- printf(" type=none }\n");
- break;
+ return ("none");
case IPSEC_POLICY_IPSEC:
- {
- struct ipsecrequest *isr;
- for (isr = sp->req; isr != NULL; isr = isr->next) {
-
- printf(" level=%u\n", isr->level);
- kdebug_secasindex(&isr->saidx);
-
- if (isr->sav != NULL)
- kdebug_secasv(isr->sav);
- }
- printf(" }\n");
- }
- break;
- case IPSEC_POLICY_BYPASS:
- printf(" type=bypass }\n");
- break;
+ return ("ipsec");
case IPSEC_POLICY_ENTRUST:
- printf(" type=entrust }\n");
- break;
- default:
- printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
- break;
+ return ("entrust");
+ case IPSEC_POLICY_BYPASS:
+ return ("bypass");
}
-
- return;
+ return ("unknown");
}
-void
-kdebug_secpolicyindex(struct secpolicyindex *spidx)
+const char*
+kdebug_secpolicyindex_dir(u_int dir)
{
- char buf[INET6_ADDRSTRLEN];
- /* sanity check */
- if (spidx == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
+ switch (dir) {
+ case IPSEC_DIR_ANY:
+ return ("any");
+ case IPSEC_DIR_INBOUND:
+ return ("in");
+ case IPSEC_DIR_OUTBOUND:
+ return ("out");
+ }
+ return ("unknown");
+}
- printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
- spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
+const char*
+kdebug_ipsecrequest_level(u_int level)
+{
- printf("%s -> ", ipsec_address(&spidx->src, buf, sizeof(buf)));
- printf("%s }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)));
+ switch (level) {
+ case IPSEC_LEVEL_DEFAULT:
+ return ("default");
+ case IPSEC_LEVEL_USE:
+ return ("use");
+ case IPSEC_LEVEL_REQUIRE:
+ return ("require");
+ case IPSEC_LEVEL_UNIQUE:
+ return ("unique");
+ }
+ return ("unknown");
}
-void
-kdebug_secasindex(struct secasindex *saidx)
+const char*
+kdebug_secasindex_mode(u_int mode)
{
- char buf[INET6_ADDRSTRLEN];
- /* sanity check */
- if (saidx == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
+ switch (mode) {
+ case IPSEC_MODE_ANY:
+ return ("any");
+ case IPSEC_MODE_TRANSPORT:
+ return ("transport");
+ case IPSEC_MODE_TUNNEL:
+ return ("tunnel");
+ case IPSEC_MODE_TCPMD5:
+ return ("tcp-md5");
+ }
+ return ("unknown");
+}
- printf("secasindex{ mode=%u proto=%u\n",
- saidx->mode, saidx->proto);
+const char*
+kdebug_secasv_state(u_int state)
+{
- printf("%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)));
- printf("%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)));
+ switch (state) {
+ case SADB_SASTATE_LARVAL:
+ return ("larval");
+ case SADB_SASTATE_MATURE:
+ return ("mature");
+ case SADB_SASTATE_DYING:
+ return ("dying");
+ case SADB_SASTATE_DEAD:
+ return ("dead");
+ }
+ return ("unknown");
}
-static void
-kdebug_sec_lifetime(struct seclifetime *lft)
+static char*
+kdebug_port2str(const struct sockaddr *sa, char *buf, size_t len)
{
- /* sanity check */
- if (lft == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
+ uint16_t port;
- printf("sec_lifetime{ alloc=%u, bytes=%u\n",
- lft->allocations, (u_int32_t)lft->bytes);
- printf(" addtime=%u, usetime=%u }\n",
- (u_int32_t)lft->addtime, (u_int32_t)lft->usetime);
+ IPSEC_ASSERT(sa != NULL, ("null sa"));
+ switch (sa->sa_family) {
+#ifdef INET
+ case AF_INET:
+ port = ntohs(((const struct sockaddr_in *)sa)->sin_port);
+ break;
+#endif
+#ifdef INET6
+ case AF_INET6:
+ port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
+ break;
+#endif
+ default:
+ port = 0;
+ }
+ if (port == 0)
+ return ("*");
+ snprintf(buf, len, "%u", port);
+ return (buf);
+}
- return;
+void
+kdebug_secpolicy(struct secpolicy *sp)
+{
+ u_int idx;
+
+ IPSEC_ASSERT(sp != NULL, ("null sp"));
+ printf("SP { refcnt=%u id=%u priority=%u state=%s policy=%s\n",
+ sp->refcnt, sp->id, sp->priority,
+ kdebug_secpolicy_state(sp->state),
+ kdebug_secpolicy_policy(sp->policy));
+ kdebug_secpolicyindex(&sp->spidx, " ");
+ for (idx = 0; idx < sp->tcount; idx++) {
+ printf(" req[%u]{ level=%s ", idx,
+ kdebug_ipsecrequest_level(sp->req[idx]->level));
+ kdebug_secasindex(&sp->req[idx]->saidx, NULL);
+ printf(" }\n");
+ }
+ printf("}\n");
}
void
-kdebug_secasv(struct secasvar *sav)
+kdebug_secpolicyindex(struct secpolicyindex *spidx, const char *indent)
{
- /* sanity check */
- if (sav == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
+ char buf[IPSEC_ADDRSTRLEN];
- printf("secas{");
- kdebug_secasindex(&sav->sah->saidx);
+ IPSEC_ASSERT(spidx != NULL, ("null spidx"));
+ if (indent != NULL)
+ printf("%s", indent);
+ printf("spidx { dir=%s ul_proto=",
+ kdebug_secpolicyindex_dir(spidx->dir));
+ if (spidx->ul_proto == IPSEC_ULPROTO_ANY)
+ printf("* ");
+ else
+ printf("%u ", spidx->ul_proto);
+ printf("%s/%u -> ", ipsec_address(&spidx->src, buf, sizeof(buf)),
+ spidx->prefs);
+ printf("%s/%u }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)),
+ spidx->prefd);
+}
- printf(" refcnt=%u state=%u auth=%u enc=%u\n",
- sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
- printf(" spi=%u flags=%u\n",
- (u_int32_t)ntohl(sav->spi), sav->flags);
+void
+kdebug_secasindex(const struct secasindex *saidx, const char *indent)
+{
+ char buf[IPSEC_ADDRSTRLEN], port[6];
+
+ IPSEC_ASSERT(saidx != NULL, ("null saidx"));
+ if (indent != NULL)
+ printf("%s", indent);
+ printf("saidx { mode=%s proto=%u reqid=%u ",
+ kdebug_secasindex_mode(saidx->mode), saidx->proto, saidx->reqid);
+ printf("%s:%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)),
+ kdebug_port2str(&saidx->src.sa, port, sizeof(port)));
+ printf("%s:%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ kdebug_port2str(&saidx->dst.sa, port, sizeof(port)));
+}
- if (sav->key_auth != NULL)
- kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
- if (sav->key_enc != NULL)
- kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
+static void
+kdebug_sec_lifetime(struct seclifetime *lft, const char *indent)
+{
- if (sav->replay != NULL)
- kdebug_secreplay(sav->replay);
- if (sav->lft_c != NULL)
- kdebug_sec_lifetime(sav->lft_c);
- if (sav->lft_h != NULL)
- kdebug_sec_lifetime(sav->lft_h);
- if (sav->lft_s != NULL)
- kdebug_sec_lifetime(sav->lft_s);
+ IPSEC_ASSERT(lft != NULL, ("null lft"));
+ if (indent != NULL)
+ printf("%s", indent);
+ printf("lifetime { alloc=%u, bytes=%ju addtime=%ju usetime=%ju }\n",
+ lft->allocations, (uintmax_t)lft->bytes, (uintmax_t)lft->addtime,
+ (uintmax_t)lft->usetime);
+}
-#ifdef notyet
- /* XXX: misc[123] ? */
-#endif
+void
+kdebug_secash(struct secashead *sah, const char *indent)
+{
- return;
+ IPSEC_ASSERT(sah != NULL, ("null sah"));
+ if (indent != NULL)
+ printf("%s", indent);
+ printf("SAH { refcnt=%u state=%s\n", sah->refcnt,
+ kdebug_secasv_state(sah->state));
+ if (indent != NULL)
+ printf("%s", indent);
+ kdebug_secasindex(&sah->saidx, indent);
+ if (indent != NULL)
+ printf("%s", indent);
+ printf("}\n");
}
static void
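Review bot: The new string helpers (kdebug_secpolicy_state, kdebug_secpolicy_policy, kdebug_secpolicyindex_dir, kdebug_ipsecrequest_level, kdebug_secasindex_mode, kdebug_secasv_state) return the literal "unknown" for any out-of-range value, so the numeric value is dropped at exactly the moment it matters; the removed code at least printed `Invalid policy found. %d`. In a dump of possibly corrupted SPD/SAD entries that number is the evidence, so consider printing it alongside, e.g. in kdebug_secpolicy `printf("SP { refcnt=%u id=%u priority=%u state=%s(%u) policy=%s(%u)\n", sp->refcnt, sp->id, sp->priority, kdebug_secpolicy_state(sp->state), sp->state, kdebug_secpolicy_policy(sp->policy), sp->policy);`. Similarly kdebug_port2str folds an unrecognized sa_family into the same "*" it uses for a zero port, which hides a bad family; returning a distinct marker such as "?" from the default case would keep the two apart. The hunk ends on the `static void` that opens kdebug_secreplay, whose definition continues in the next hunk.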
@@ -591,27 +677,60 @@ kdebug_secreplay(struct secreplay *rpl)
{
int len, l;
- /* sanity check */
- if (rpl == NULL)
- panic("%s: NULL pointer was passed.\n", __func__);
-
- printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
+ IPSEC_ASSERT(rpl != NULL, ("null rpl"));
+ printf(" secreplay { count=%u wsize=%u seq=%u lastseq=%u",
rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
if (rpl->bitmap == NULL) {
- printf(" }\n");
+ printf(" }\n");
return;
}
- printf("\n bitmap { ");
-
+ printf("\n bitmap { ");
for (len = 0; len < rpl->wsize; len++) {
for (l = 7; l >= 0; l--)
printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
}
- printf(" }\n");
+ printf(" }\n");
+}
- return;
+void
+kdebug_secasv(struct secasvar *sav)
+{
+ struct seclifetime lft_c;
+
+ IPSEC_ASSERT(sav != NULL, ("null sav"));
+
+ printf("SA { refcnt=%u spi=%u seq=%u pid=%u flags=0x%x state=%s\n",
+ sav->refcnt, ntohl(sav->spi), sav->seq, (uint32_t)sav->pid,
+ sav->flags, kdebug_secasv_state(sav->state));
+ kdebug_secash(sav->sah, " ");
+
+ lft_c.addtime = sav->created;
+ lft_c.allocations = (uint32_t)counter_u64_fetch(
+ sav->lft_c_allocations);
+ lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
+ lft_c.usetime = sav->firstused;
+ kdebug_sec_lifetime(&lft_c, " c_");
+ if (sav->lft_h != NULL)
+ kdebug_sec_lifetime(sav->lft_h, " h_");
+ if (sav->lft_s != NULL)
+ kdebug_sec_lifetime(sav->lft_s, " s_");
+
+ if (sav->tdb_authalgxform != NULL)
+ printf(" alg_auth=%s\n", sav->tdb_authalgxform->name);
+ if (sav->key_auth != NULL)
+ KEYDBG(DUMP,
+ kdebug_sadb_key((struct sadb_ext *)sav->key_auth));
+ if (sav->tdb_encalgxform != NULL)
+ printf(" alg_enc=%s\n", sav->tdb_encalgxform->name);
+ if (sav->key_enc != NULL)
+ KEYDBG(DUMP,
+ kdebug_sadb_key((struct sadb_ext *)sav->key_enc));
+ if (sav->replay != NULL)
+ KEYDBG(DUMP,
+ kdebug_secreplay(sav->replay));
+ printf("}\n");
}
void
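Review bot: The key_auth/key_enc dumps at the end of kdebug_secasv are now gated behind KEYDBG(DUMP, ...), but nothing documents that this level writes the SA's raw authentication and encryption keys to the kernel console/log, assuming kdebug_sadb_key prints the key bytes as its name suggests. Add a comment above those calls such as `/* DUMP level prints raw SA key material to the console; never enable it on production systems. */` so an operator raising the key debug level understands the exposure. Separately, kdebug_secash(sav->sah, " ") is called without a NULL check and IPSEC_ASSERT is only active under INVARIANTS, so if a larval or dying SA can ever have a detached sah this faults on a production kernel; if sah is guaranteed set for every sav in this tree, a one-line comment stating that would settle it.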
Modified: projects/ipsec/sys/netipsec/key_debug.h
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.h Sat Nov 19 16:08:40 2016 (r308843)
+++ projects/ipsec/sys/netipsec/key_debug.h Sat Nov 19 16:23:54 2016 (r308844)
@@ -53,10 +53,15 @@
#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
+#define KEYDBG(lev, arg) \
+ if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { \
+ arg; \
+ }
+
#define KEYDEBUG(lev,arg) \
do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
-VNET_DECLARE(u_int32_t, key_debug_level);
+VNET_DECLARE(uint32_t, key_debug_level);
#define V_key_debug_level VNET(key_debug_level)
#endif /*_KERNEL*/
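Review bot: The new KEYDBG macro expands to a bare `if (...) { arg; }` without the `do { ... } while (0)` wrapper that the neighbouring KEYDEBUG macro uses, so `if (c) KEYDBG(DUMP, f()); else g();` does not compile (the `;` before `else` ends the if) and the trailing `;` at every call site in key_debug.c is an empty statement. Since the log says KEYDBG will eventually replace KEYDEBUG, it should be at least as robust: `#define KEYDBG(lev, arg) do { if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { arg; } } while (0)`. Note also that an `arg` containing a top-level comma is rejected by the two-parameter form; a variadic `...`/`__VA_ARGS__` version would accept any statement.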
@@ -69,15 +74,23 @@ extern void kdebug_sadb_x_policy(struct
struct secpolicy;
struct secpolicyindex;
struct secasindex;
+struct secashead;
struct secasvar;
struct secreplay;
struct mbuf;
-extern void kdebug_secpolicy(struct secpolicy *);
-extern void kdebug_secpolicyindex(struct secpolicyindex *);
-extern void kdebug_secasindex(struct secasindex *);
-extern void kdebug_secasv(struct secasvar *);
-extern void kdebug_mbufhdr(const struct mbuf *);
-extern void kdebug_mbuf(const struct mbuf *);
+const char* kdebug_secpolicy_state(u_int);
+const char* kdebug_secpolicy_policy(u_int);
+const char* kdebug_secpolicyindex_dir(u_int);
+const char* kdebug_ipsecrequest_level(u_int);
+const char* kdebug_secasindex_mode(u_int);
+const char* kdebug_secasv_state(u_int);
+void kdebug_secpolicy(struct secpolicy *);
+void kdebug_secpolicyindex(struct secpolicyindex *, const char *);
+void kdebug_secasindex(const struct secasindex *, const char *);
+void kdebug_secash(struct secashead *, const char *);
+void kdebug_secasv(struct secasvar *);
+void kdebug_mbufhdr(const struct mbuf *);
+void kdebug_mbuf(const struct mbuf *);
#endif /*_KERNEL*/
struct sockaddr;
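Review bot: The new prototypes write the return type as `const char*` with the asterisk bound to the type, while the rest of this header and FreeBSD style(9) bind it to the declarator, e.g. `const char *kdebug_secpolicy_state(u_int);`; the same spelling appears in the definitions in key_debug.c. Also only kdebug_secasindex takes a `const struct secasindex *`, whereas kdebug_secpolicyindex, kdebug_secash, kdebug_secasv and kdebug_secpolicy take non-const pointers although their bodies only read through them; making them const would let callers pass read-only or lock-protected entries without casts, unless ipsec_address() or another helper they call requires a mutable argument.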