From: mvs
Date: Sun, 21 Nov 2021 16:17:48 +0000 (+0000)
Subject: Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6b86e01680a7732de840724727a0f13166129f8a;p=openbsd
Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the userland the TDBs which exceeded hard limit. Also the `ipsec_notdb' counter description in header doesn't math to netstat(1) description. We never count `ipsec_notdb' and the netstat(1) description looks more appropriate so it's used to avoid confusion with the new counter.
ok bluhm@
---
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index fc423f62982..ae6ea60a73d 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.166 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.167 2021/11/21 16:17:48 mvs Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -614,6 +614,7 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 /* Hard expiration. */
 if (tdb->tdb_flags & TDBF_BYTES &&
 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 goto drop;
@@ -953,6 +954,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 /* Hard expiration. */
 if (tdb->tdb_flags & TDBF_BYTES &&
 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 error = EINVAL;
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 0c3bbc757c2..4c8df549f8c 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.187 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.188 2021/11/21 16:17:48 mvs Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
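Review bot: The added `ipsecstat_inc(ipsec_exctdb);` sits directly in front of the identical `pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);` call in every hard-expiration path this commit touches (ah_input and ah_output here, then esp_input, esp_output, ipcomp_input, ipcomp_output, tdb_timeout and tdb_firstuse), so the accounting is repeated by hand at eight call sites instead of living in one place. A small helper in ip_ipsp.c that bumps the counter and sends the PF_KEY notification, with each site collapsing to `tdb_hard_expire(tdb);`, would keep the count and the expire message from drifting apart the next time a hard-limit path is added. ah_input's body continues outside the hunk; the closing brace of this `if` and the `drop` label are not visible.

```c
/* Account for a TDB that hit a hard lifetime limit and report it via PF_KEY. */
static void
tdb_hard_expire(struct tdb *tdb)
{
	ipsecstat_inc(ipsec_exctdb);
	pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
}
```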
@@ -426,6 +426,7 @@ esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 /* Hard expiration */
 if ((tdb->tdb_flags & TDBF_BYTES) &&
 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 goto drop;
@@ -782,6 +783,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 /* Hard byte expiration. */
 if (tdb->tdb_flags & TDBF_BYTES &&
 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 error = EINVAL;
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index be1a3931ee9..3bfb99c8daf 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.87 2021/11/11 18:08:18 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.88 2021/11/21 16:17:48 mvs Exp $ */

 /*
 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -199,6 +199,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 /* Hard expiration */
 if ((tdb->tdb_flags & TDBF_BYTES) &&
 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 goto drop;
@@ -386,6 +387,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 /* Hard byte expiration */
 if ((tdb->tdb_flags & TDBF_BYTES) &&
 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
 error = EINVAL;
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index d986d9c787e..4e45911f96a 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.252 2021/11/21 02:54:56 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.253 2021/11/21 16:17:48 mvs Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -652,8 +652,10 @@ tdb_timeout(void *v)
 NET_LOCK();
 if (tdb->tdb_flags & TDBF_TIMER) {
 /* If it's an "invalid" TDB do a silent expiration. */
- if (!(tdb->tdb_flags & TDBF_INVALID))
+ if (!(tdb->tdb_flags & TDBF_INVALID)) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
+ }
 tdb_delete(tdb);
 }
 NET_UNLOCK();
@@ -667,8 +669,10 @@ tdb_firstuse(void *v)
 NET_LOCK();
 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) {
 /* If the TDB hasn't been used, don't renew it. */
- if (tdb->tdb_first_use != 0)
+ if (tdb->tdb_first_use != 0) {
+ ipsecstat_inc(ipsec_exctdb);
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
+ }
 tdb_delete(tdb);
 }
 NET_UNLOCK();
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 2774363605d..65bcf73eb3b 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.220 2021/11/16 13:53:14 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.221 2021/11/21 16:17:48 mvs Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -131,8 +131,9 @@ struct ipsecstat {
 uint64_t ipsec_idrops; /* Dropped on input */
 uint64_t ipsec_odrops; /* Dropped on output */
 uint64_t ipsec_crypto; /* Crypto processing failure */
- uint64_t ipsec_notdb; /* Expired while in crypto */
+ uint64_t ipsec_notdb; /* No TDB was found */
 uint64_t ipsec_noxform; /* Crypto error */
+ uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */
 };

 struct tdb_data {
@@ -168,6 +169,7 @@ enum ipsec_counters {
 ipsec_crypto,
 ipsec_notdb,
 ipsec_noxform,
+ ipsec_exctdb,
 ipsec_ncounters
 };

diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index 5bb853606ef..d85bf67c671 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: inet.c,v 1.171 2021/01/26 18:22:35 deraadt Exp $ */
+/* $OpenBSD: inet.c,v 1.172 2021/11/21 16:17:48 mvs Exp $ */
 /* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */

 /*
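Review bot: In tdb_timeout the counter is bumped only on the non-TDBF_INVALID branch, so a TDB that is "silently" expired is deleted without being counted, and tdb_firstuse below does the same for a TDB whose `tdb_first_use` is still 0. The new `ipsec_exctdb` therefore counts hard expirations that were reported through PF_KEY rather than every TDB torn down by a hard limit, which is narrower than the header comment "TDBs with hardlimit excess" and the netstat text suggest. Either hoist `ipsecstat_inc(ipsec_exctdb);` above the inner `if` in both functions so every hard-limit deletion is counted, or document the narrower meaning next to the field, e.g. `/* Hard lifetime expirations reported via PF_KEY */`. Only the prologue of each function (the `struct tdb *tdb = v;` line) lies outside these hunks.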
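Review bot: tdb_firstuse gates the hard expiration on `TDBF_SOFT_FIRSTUSE`, yet the body issues `SADB_EXT_LIFETIME_HARD` and deletes the TDB, while the neighbouring tdb_timeout tests the hard flag `TDBF_TIMER`. If this handler is meant for the hard first-use timer the condition should presumably read `if (tdb->tdb_flags & TDBF_FIRSTUSE) {`; worth confirming against the soft first-use handler, which is outside this hunk, now that the new counter is wired through this path and would be attributed to the wrong limit.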
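Review bot: `struct ipsecstat` and `enum ipsec_counters` are kept in lockstep by hand: `ipsec_exctdb` is appended as the last member of both, and the enum's `ipsec_ncounters` presumably sizes the per-CPU counter array that the struct is copied out from, but nothing in the header states that the two orders must match. A comment above the struct such as `/* Member order must match enum ipsec_counters below. */` would make the coupling explicit for the next counter; if the file already has a compile-time assertion tying the two together, that covers it.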
@@ -1046,6 +1046,7 @@ ipsec_stats(char *name)
 p(ipsec_crypto, "\t%llu packet%s that failed crypto processing\n");
 p(ipsec_noxform, "\t%llu packet%s for which no XFORM was set in TDB received\n");
 p(ipsec_notdb, "\t%llu packet%s for which no TDB was found\n");
+ p(ipsec_exctdb, "\t%llu TDB%s with hardlimit excess\n");
 #undef p
 }

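Review bot: The new user-facing line reads `TDB%s with hardlimit excess`, which is awkward English built around the non-word "hardlimit"; the header comment added in the same commit uses the same phrase, so the wording will propagate. Something like `p(ipsec_exctdb, "\t%llu TDB%s that exceeded a hard lifetime limit\n");` states what is counted in the same voice as the surrounding lines. The line is printed after `ipsec_notdb` although the header lists `ipsec_exctdb` after `ipsec_noxform`; since netstat already prints noxform before notdb, order is evidently not load-bearing here. ipsec_stats begins outside the hunk; only its tail with `#undef p` is visible.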