[src/trunk]: src/sys inet, inet6: count packets dropped by IPsec
details: https://anonhg.NetBSD.org/src/rev/67d0ed7c540f
branches: trunk
changeset: 943159:67d0ed7c540f
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Fri Aug 28 06:19:13 2020 +0000
description:
inet, inet6: count packets dropped by IPsec
The counters count packets dropped due to security policy checks.
diffstat:
sys/netinet/ip_input.c | 6 ++++--
sys/netinet/ip_output.c | 9 ++++++---
sys/netinet/ip_var.h | 6 ++++--
sys/netinet6/ip6_forward.c | 5 +++--
sys/netinet6/ip6_input.c | 8 +++++---
sys/netinet6/ip6_output.c | 5 +++--
sys/netinet6/ip6_var.h | 6 ++++--
sys/netipsec/ipsec.c | 7 ++++---
sys/netipsec/ipsec.h | 4 ++--
9 files changed, 35 insertions(+), 21 deletions(-)
diffs (244 lines):
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_input.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $ */
+/* $NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -741,6 +741,7 @@
/* Check the security policy (SP) for the packet */
if (ipsec_used) {
if (ipsec_ip_input(m, true) != 0) {
+ IP_STATINC(IP_STAT_IPSECDROP_IN);
goto out;
}
}
@@ -788,6 +789,7 @@
if (ipsec_used &&
(inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
if (ipsec_ip_input(m, false) != 0) {
+ IP_STATINC(IP_STAT_IPSECDROP_IN);
goto out;
}
}
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_output.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $ */
+/* $NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -609,10 +609,13 @@
#ifdef IPSEC
if (ipsec_used) {
bool ipsec_done = false;
+ bool count_drop = false;
/* Perform IPsec processing, if any. */
error = ipsec4_output(m, inp, flags, &mtu, &natt_frag,
- &ipsec_done);
+ &ipsec_done, &count_drop);
+ if (count_drop)
+ IP_STATINC(IP_STAT_IPSECDROP_OUT);
if (error || ipsec_done)
goto done;
}
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet/ip_var.h
--- a/sys/netinet/ip_var.h Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet/ip_var.h Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_var.h,v 1.128 2019/05/13 07:47:59 ozaki-r Exp $ */
+/* $NetBSD: ip_var.h,v 1.129 2020/08/28 06:19:13 ozaki-r Exp $ */
/*
* Copyright (c) 1982, 1986, 1993
@@ -149,8 +149,10 @@
#define IP_STAT_NOIPSEC 31 /* no match ipsec(4) found */
#define IP_STAT_PFILDROP_IN 32 /* dropped by pfil (PFIL_IN) */
#define IP_STAT_PFILDROP_OUT 33 /* dropped by pfil (PFIL_OUT) */
+#define IP_STAT_IPSECDROP_IN 34 /* dropped by IPsec SP check */
+#define IP_STAT_IPSECDROP_OUT 35 /* dropped by IPsec SP check */
-#define IP_NSTATS 34
+#define IP_NSTATS 36
#ifdef _KERNEL
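Review bot: The two new defines carry the identical comment `dropped by IPsec SP check`, so the header no longer says which direction each index counts, unlike the PFILDROP pair directly above them. Suggest `/* dropped by IPsec SP check (input) */` and `/* dropped by IPsec SP check (output) */`; the same applies to IP6_STAT_IPSECDROP_IN/OUT in the sys/netinet6/ip6_var.h hunk, where the OUT index is also bumped from sys/netinet6/ip6_forward.c, so "output" there covers forwarded packets as well and the comment could say so. IP_NSTATS 36 and IP6_NSTATS 407 are consistent with the new highest indexes 35 and 406. The diffstat lists no userland change; anything that mirrors these indexes by name (a netstat(1) table, for example) would need the two entries added separately, which is worth confirming.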
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_forward.c
--- a/sys/netinet6/ip6_forward.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_forward.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $ */
+/* $NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */
/*
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_gateway.h"
@@ -192,6 +192,7 @@
if (error == -EINVAL)
error = 0;
m_freem(m);
+ IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
goto freecopy;
}
}
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_input.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $ */
+/* $NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_gateway.h"
@@ -756,8 +756,10 @@
int error;
error = ipsec_ip_input(m, false);
- if (error)
+ if (error) {
+ IP6_STATINC(IP6_STAT_IPSECDROP_IN);
goto bad;
+ }
}
}
#endif
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_output.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $ */
+/* $NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -295,6 +295,7 @@
*/
if (error == -EINVAL)
error = 0;
+ IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
goto freehdrs;
}
}
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netinet6/ip6_var.h
--- a/sys/netinet6/ip6_var.h Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netinet6/ip6_var.h Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_var.h,v 1.84 2020/06/19 16:08:06 maxv Exp $ */
+/* $NetBSD: ip6_var.h,v 1.85 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -188,8 +188,10 @@
#define IP6_STAT_NOIPSEC 402 /* no match ipsec(4) found */
#define IP6_STAT_PFILDROP_IN 403 /* dropped by pfil (PFIL_IN) */
#define IP6_STAT_PFILDROP_OUT 404 /* dropped by pfil (PFIL_OUT) */
+#define IP6_STAT_IPSECDROP_IN 405 /* dropped by IPsec SP check */
+#define IP6_STAT_IPSECDROP_OUT 406 /* dropped by IPsec SP check */
-#define IP6_NSTATS 405
+#define IP6_NSTATS 407
#define IP6FLOW_HASHBITS 6 /* should not be a multiple of 8 */
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netipsec/ipsec.c Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $ */
+/* $NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -616,7 +616,7 @@
int
ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
- u_long *mtu, bool *natt_frag, bool *done)
+ u_long *mtu, bool *natt_frag, bool *done, bool *count_drop)
{
struct secpolicy *sp = NULL;
u_long _mtu = 0;
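Review bot: The new `count_drop` out-parameter is written only on the single drop path in the @@ -660 hunk (`*count_drop = true;`), so on every other return from ipsec4_output() it keeps whatever the caller stored there; the contract therefore depends on the caller pre-initializing it, which sys/netinet/ip_output.c does with `bool count_drop = false;`. Initializing it inside the function, `*count_drop = false;` right after the local declarations, would make the function self-contained for any future caller and keep the counter from being bumped on a stale value. The function body continues past the end of this hunk. A one-line comment on the prototype in the sys/netipsec/ipsec.h hunk, `/* last arg: set to true when the packet was dropped by an SP check */`, would also help, since three unnamed `bool *` in a row give no hint which is which.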
@@ -660,6 +660,7 @@
error = 0;
m_freem(m);
*done = true;
+ *count_drop = true;
return error;
}
/* No IPsec processing for this packet. */
diff -r 6a93b1bde570 -r 67d0ed7c540f sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h Fri Aug 28 04:59:17 2020 +0000
+++ b/sys/netipsec/ipsec.h Fri Aug 28 06:19:13 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.89 2019/11/01 04:23:21 knakahara Exp $ */
+/* $NetBSD: ipsec.h,v 1.90 2020/08/28 06:19:13 ozaki-r Exp $ */
/* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -275,7 +275,7 @@
void ipsec_invalpcbcacheall(void);
struct inpcb;
-int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *);
+int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
int ipsec_ip_input(struct mbuf *, bool);
void ipsec_mtu(struct mbuf *, int *);