

[src/trunk]: src/sys inet, inet6: count packets dropped by IPsec



details:   https://anonhg.NetBSD.org/src/rev/67d0ed7c540f
branches:  trunk
changeset: 943159:67d0ed7c540f
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Fri Aug 28 06:19:13 2020 +0000

description:
inet, inet6: count packets dropped by IPsec

The counters count packets dropped due to security policy checks.

diffstat:

 sys/netinet/ip_input.c     |  6 ++++--
 sys/netinet/ip_output.c    |  9 ++++++---
 sys/netinet/ip_var.h       |  6 ++++--
 sys/netinet6/ip6_forward.c |  5 +++--
 sys/netinet6/ip6_input.c   |  8 +++++---
 sys/netinet6/ip6_output.c  |  5 +++--
 sys/netinet6/ip6_var.h     |  6 ++++--
 sys/netipsec/ipsec.c       |  7 ++++---
 sys/netipsec/ipsec.h       |  4 ++--
 9 files changed, 35 insertions(+), 21 deletions(-)

diffs (244 lines):

diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c    Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_input.c    Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $   */
+/*     $NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $   */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -741,6 +741,7 @@
                /* Check the security policy (SP) for the packet */
                if (ipsec_used) {
                        if (ipsec_ip_input(m, true) != 0) {
+                               IP_STATINC(IP_STAT_IPSECDROP_IN);
                                goto out;
                        }
                }
@@ -788,6 +789,7 @@
        if (ipsec_used &&
            (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
                if (ipsec_ip_input(m, false) != 0) {
+                       IP_STATINC(IP_STAT_IPSECDROP_IN);
                        goto out;
                }
        }
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c   Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_output.c   Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $  */
+/*     $NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $  */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -609,10 +609,13 @@
 #ifdef IPSEC
        if (ipsec_used) {
                bool ipsec_done = false;
+               bool count_drop = false;
 
                /* Perform IPsec processing, if any. */
                error = ipsec4_output(m, inp, flags, &mtu, &natt_frag,
-                   &ipsec_done);
+                   &ipsec_done, &count_drop);
+               if (count_drop)
+                       IP_STATINC(IP_STAT_IPSECDROP_OUT);
                if (error || ipsec_done)
                        goto done;
        }
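Review bot: The new `count_drop` out-flag is written only on the drop path inside ipsec4_output (`*count_drop = true;` in the ipsec.c hunk at -660), so the IP_STATINC decision here rests entirely on the caller's `bool count_drop = false;` initializer. Because the callee defines what the flag means, it would be more robust for ipsec4_output to clear it on entry, e.g. `*count_drop = false;` next to the `sp`/`_mtu` locals in the ipsec.c hunk at -616, so a future caller that omits the initializer cannot read an indeterminate bool and bump the counter spuriously. The same observation applies to both ipsec.c hunks; the enclosing ip_output function starts and ends outside this hunk.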
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_var.h
--- a/sys/netinet/ip_var.h      Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_var.h      Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_var.h,v 1.128 2019/05/13 07:47:59 ozaki-r Exp $     */
+/*     $NetBSD: ip_var.h,v 1.129 2020/08/28 06:19:13 ozaki-r Exp $     */
 
 /*
  * Copyright (c) 1982, 1986, 1993
@@ -149,8 +149,10 @@
 #define        IP_STAT_NOIPSEC         31      /* no match ipsec(4) found */
 #define        IP_STAT_PFILDROP_IN     32      /* dropped by pfil (PFIL_IN) */
 #define        IP_STAT_PFILDROP_OUT    33      /* dropped by pfil (PFIL_OUT) */
+#define        IP_STAT_IPSECDROP_IN    34      /* dropped by IPsec SP check */
+#define        IP_STAT_IPSECDROP_OUT   35      /* dropped by IPsec SP check */
 
-#define        IP_NSTATS               34
+#define        IP_NSTATS               36
 
 #ifdef _KERNEL
 
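Review bot: The two new counters carry the identical comment `/* dropped by IPsec SP check */`, whereas the neighbouring PFILDROP entries spell out the direction; suggest `/* dropped by IPsec SP check (input) */` and `/* dropped by IPsec SP check (output) */`, and the same for IP6_STAT_IPSECDROP_IN/OUT in the ip6_var.h hunk at -188. Bumping IP_NSTATS and IP6_NSTATS is what the kernel-side stat arrays need, but if a user-space name table is indexed by these constants (no such consumer is in this diff), it would need the two new entries as well, otherwise the drops are counted but never displayed.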
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_forward.c
--- a/sys/netinet6/ip6_forward.c        Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_forward.c        Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $     */
+/*     $NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $        */
 /*     $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $   */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -192,6 +192,7 @@
                        if (error == -EINVAL)
                                error = 0;
                        m_freem(m);
+                       IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
                        goto freecopy;
                }
        }
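Review bot: The forwarding path now folds an outbound-policy drop into IP6_STAT_IPSECDROP_OUT, the same counter ip6_output.c increments in its -295 hunk, so an operator cannot distinguish forwarded drops from locally originated ones. If that is intended, a one-line comment above the increment, `/* forwarded packets rejected by the outbound SP share the output drop counter */`, would record the decision; if not, a forward-specific counter would be needed. Placing the increment after `m_freem(m)` is fine since the counter does not reference the mbuf. The enclosing function in ip6_forward.c starts and ends outside this hunk.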
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_input.c  Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $      */
+/*     $NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $  */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -756,8 +756,10 @@
                                int error;
 
                                error = ipsec_ip_input(m, false);
-                               if (error)
+                               if (error) {
+                                       IP6_STATINC(IP6_STAT_IPSECDROP_IN);
                                        goto bad;
+                               }
                        }
                }
 #endif
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_output.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $     */
+/*     $NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $ */
 /*     $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $    */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -295,6 +295,7 @@
                         */
                        if (error == -EINVAL)
                                error = 0;
+                       IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
                        goto freehdrs;
                }
        }
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_var.h
--- a/sys/netinet6/ip6_var.h    Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_var.h    Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_var.h,v 1.84 2020/06/19 16:08:06 maxv Exp $        */
+/*     $NetBSD: ip6_var.h,v 1.85 2020/08/28 06:19:13 ozaki-r Exp $     */
 /*     $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $        */
 
 /*
@@ -188,8 +188,10 @@
 #define        IP6_STAT_NOIPSEC        402     /* no match ipsec(4) found */
 #define        IP6_STAT_PFILDROP_IN    403     /* dropped by pfil (PFIL_IN) */
 #define        IP6_STAT_PFILDROP_OUT   404     /* dropped by pfil (PFIL_OUT) */
+#define        IP6_STAT_IPSECDROP_IN   405     /* dropped by IPsec SP check */
+#define        IP6_STAT_IPSECDROP_OUT  406     /* dropped by IPsec SP check */
 
-#define        IP6_NSTATS              405
+#define        IP6_NSTATS              407
 
 #define IP6FLOW_HASHBITS         6 /* should not be a multiple of 8 */
 
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c      Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netipsec/ipsec.c      Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $ */
+/* $NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -616,7 +616,7 @@
 
 int
 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
-    u_long *mtu, bool *natt_frag, bool *done)
+    u_long *mtu, bool *natt_frag, bool *done, bool *count_drop)
 {
        struct secpolicy *sp = NULL;
        u_long _mtu = 0;
@@ -660,6 +660,7 @@
                                error = 0;
                        m_freem(m);
                        *done = true;
+                       *count_drop = true;
                        return error;
                }
                /* No IPsec processing for this packet. */
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netipsec/ipsec.h      Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.89 2019/11/01 04:23:21 knakahara Exp $     */
+/*     $NetBSD: ipsec.h,v 1.90 2020/08/28 06:19:13 ozaki-r Exp $       */
 /*     $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -275,7 +275,7 @@
 void ipsec_invalpcbcacheall(void);
 
 struct inpcb;
-int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *);
+int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
 
 int ipsec_ip_input(struct mbuf *, bool);
 void ipsec_mtu(struct mbuf *, int *);
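Review bot: The widened ipsec4_output prototype still has no parameter names, so a reader of ipsec.h cannot tell which of the trailing pointer arguments is the new one or that they are outputs. Suggest naming them in the declaration, `int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *mtu, bool *natt_frag, bool *done, bool *count_drop);`, and a short comment above it stating that `*count_drop` is written only when the packet was dropped by the policy check and that callers are expected to initialise it.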


