Subject: bin/36210: netstat doesn't show ipsec statistics
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <mlelstv@serpens.de>
List: netbsd-bugs
Date: 04/25/2007 07:00:01
>Number:         36210
>Category:       bin
>Synopsis:       netstat doesn't show ipsec statistics
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 25 07:00:00 +0000 2007
>Originator:     Michael van Elst
>Release:        NetBSD 4.0_BETA2
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
>Environment:
	
	
System: NetBSD henery 4.0_BETA2 NetBSD 4.0_BETA2 (HENERY) #45: Sun Apr 15 14:26:33 CEST 2007 mlelstv@henery:/home/netbsd4/obj/home/netbsd4/src/sys/arch/i386/compile/HENERY i386
Architecture: i386
Machine: i386
>Description:
netstat doesn't show ipsec statistics.

KAME ipsec statistics still must be read from kernel memory.
As netstat is running without the s-bit nowadays, this is limited
to the root user.

However, when requesting ipsec statistics, the code doesn't
open kvm even when running as root and exits.

>How-To-Repeat:
% netstat -p ipsec
%

>Fix:
Always open kvm when running as root:

Index: main.c
===================================================================
RCS file: /cvsroot/src/usr.bin/netstat/main.c,v
retrieving revision 1.63
diff -u -r1.63 main.c
--- main.c	15 Nov 2006 11:55:00 -0000	1.63
+++ main.c	25 Apr 2007 06:53:10 -0000
@@ -399,7 +399,7 @@
 		use_sysctl = 1;
 	}
 
-	if (!use_sysctl) {
+	if (egid == 0 || !use_sysctl) {
 		(void)setegid(egid);
 		kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf);
 		(void)setgid(getgid());
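
Review bot: The new condition `egid == 0 || !use_sysctl` keys on a group id, while the report describes the case as "running as root"; egid is the value handed to setegid() on the next line, so a process with effective gid 0 and a non-root uid also takes this branch. If the intent is the root user, test the effective uid (for example `geteuid() == 0`), or add a comment saying why gid 0 is the right check. The condition also opens kvm on every such invocation, even when use_sysctl is set and the requested output does not need kernel memory; consider limiting the kvm open to the statistics that still lack a sysctl path, so the kernel memory descriptor is held only when it is required.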

A better solution, however, would be a sysctl interface to ipsec
statistics.

>Unformatted: