userland the TDBs which exceeded hard limit.
Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.
ok bluhm@
-/* $OpenBSD: ip_ah.c,v 1.166 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.167 2021/11/21 16:17:48 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
/* Hard expiration. */
if (tdb->tdb_flags & TDBF_BYTES &&
tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
goto drop;
/* Hard expiration. */
if (tdb->tdb_flags & TDBF_BYTES &&
tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
error = EINVAL;
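Review bot: The new `ipsecstat_inc(ipsec_exctdb);` is hand-paired with `pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);` in both ip_ah.c byte-limit branches, and the same pair is repeated in the ip_esp.c, ip_ipcomp.c and ip_ipsp.c hunks, so a hard-expiry site added later can notify PF_KEY without being counted. Folding the two calls into one helper (placeholder name `tdb_hard_expire(tdb)`) would keep the netstat counter in step with the expire messages the key-management daemon receives. The enclosing functions start and end outside the hunks, so other hard-expiry call sites in these files, if any, are not visible here.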
-/* $OpenBSD: ip_esp.c,v 1.187 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.188 2021/11/21 16:17:48 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
/* Hard expiration */
if ((tdb->tdb_flags & TDBF_BYTES) &&
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
goto drop;
/* Hard byte expiration. */
if (tdb->tdb_flags & TDBF_BYTES &&
tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
error = EINVAL;
-/* $OpenBSD: ip_ipcomp.c,v 1.87 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.88 2021/11/21 16:17:48 mvs Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
/* Hard expiration */
if ((tdb->tdb_flags & TDBF_BYTES) &&
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
goto drop;
/* Hard byte expiration */
if ((tdb->tdb_flags & TDBF_BYTES) &&
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
error = EINVAL;
-/* $OpenBSD: ip_ipsp.c,v 1.252 2021/11/21 02:54:56 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.253 2021/11/21 16:17:48 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
NET_LOCK();
if (tdb->tdb_flags & TDBF_TIMER) {
/* If it's an "invalid" TDB do a silent expiration. */
- if (!(tdb->tdb_flags & TDBF_INVALID))
+ if (!(tdb->tdb_flags & TDBF_INVALID)) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
+ }
tdb_delete(tdb);
}
NET_UNLOCK();
NET_LOCK();
if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) {
/* If the TDB hasn't been used, don't renew it. */
- if (tdb->tdb_first_use != 0)
+ if (tdb->tdb_first_use != 0) {
+ ipsecstat_inc(ipsec_exctdb);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
+ }
tdb_delete(tdb);
}
NET_UNLOCK();
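Review bot: The second ip_ipsp.c hunk guards a hard expiry with the soft flag: the branch entered by `if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)` sends `SADB_EXT_LIFETIME_HARD`, deletes the TDB and now also bumps `ipsec_exctdb`. If this is the hard first-use timeout handler (the function header is outside the hunk), the test presumably should be `if (tdb->tdb_flags & TDBF_FIRSTUSE) {`. As written, an SA carrying only the hard first-use flag would pass through this handler without being expired or counted. The condition predates this commit, but the new counter inherits it, so it is worth confirming before the statistic is relied on.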
-/* $OpenBSD: ip_ipsp.h,v 1.220 2021/11/16 13:53:14 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.221 2021/11/21 16:17:48 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
uint64_t ipsec_idrops; /* Dropped on input */
uint64_t ipsec_odrops; /* Dropped on output */
uint64_t ipsec_crypto; /* Crypto processing failure */
- uint64_t ipsec_notdb; /* Expired while in crypto */
+ uint64_t ipsec_notdb; /* No TDB was found */
uint64_t ipsec_noxform; /* Crypto error */
+ uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */
};
struct tdb_data {
ipsec_crypto,
ipsec_notdb,
ipsec_noxform,
+ ipsec_exctdb,
ipsec_ncounters
};
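Review bot: The comment on the new field, `/* TDBs with hardlimit excess */`, does not say which limits feed the counter. From the call sites in this commit it covers the hard byte limit and the hard timer and first-use expiries, and it skips the silent expiry of `TDBF_INVALID` TDBs. Something like `/* TDBs deleted on hard lifetime expiry */` would read more clearly for someone using the statistic to spot SAs that were not rekeyed in time. The struct and enum bodies start outside the hunks.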
-/* $OpenBSD: inet.c,v 1.171 2021/01/26 18:22:35 deraadt Exp $ */
+/* $OpenBSD: inet.c,v 1.172 2021/11/21 16:17:48 mvs Exp $ */
/* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */
/*
p(ipsec_crypto, "\t%llu packet%s that failed crypto processing\n");
p(ipsec_noxform, "\t%llu packet%s for which no XFORM was set in TDB received\n");
p(ipsec_notdb, "\t%llu packet%s for which no TDB was found\n");
+ p(ipsec_exctdb, "\t%llu TDB%s with hardlimit excess\n");
#undef p
}