Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netipsec Improve IPsec log when no key association found...
details: https://anonhg.NetBSD.org/src/rev/a026712ddb64
branches: trunk
changeset: 369609:a026712ddb64
user: knakahara <knakahara%NetBSD.org@localhost>
date: Tue Aug 23 09:25:10 2022 +0000
description:
Improve IPsec log when no key association found for SA. Implemented by ohishi@IIJ.
diffstat:
sys/netipsec/ipsec_input.c | 51 ++++++++++++++++++++++++++++++++++++++-------
1 files changed, 43 insertions(+), 8 deletions(-)
diffs (100 lines):
diff -r 95e804b1cb14 -r a026712ddb64 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c Tue Aug 23 07:42:28 2022 +0000
+++ b/sys/netipsec/ipsec_input.c Tue Aug 23 09:25:10 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $ */
/* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $");
/*
* IPsec input processing.
@@ -214,8 +214,8 @@
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
- char buf[IPSEC_ADDRSTRLEN];
- union sockaddr_union dst_address;
+ char buf[IPSEC_ADDRSTRLEN], buf2[IPSEC_ADDRSTRLEN];
+ union sockaddr_union src_address, dst_address;
struct secasvar *sav;
u_int32_t spi;
u_int16_t sport;
@@ -255,12 +255,18 @@
* kernel crypto routine. The resulting mbuf chain is a valid
* IP packet ready to go through input processing.
*/
+ memset(&src_address, 0, sizeof (src_address));
memset(&dst_address, 0, sizeof(dst_address));
+ src_address.sa.sa_family = af;
dst_address.sa.sa_family = af;
switch (af) {
#ifdef INET
case AF_INET:
+ src_address.sin.sin_len = sizeof(struct sockaddr_in);
dst_address.sin.sin_len = sizeof(struct sockaddr_in);
+ m_copydata(m, offsetof(struct ip, ip_src),
+ sizeof(struct in_addr),
+ &src_address.sin.sin_addr);
m_copydata(m, offsetof(struct ip, ip_dst),
sizeof(struct in_addr),
&dst_address.sin.sin_addr);
@@ -268,7 +274,11 @@
#endif
#ifdef INET6
case AF_INET6:
+ src_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
+ m_copydata(m, offsetof(struct ip6_hdr, ip6_src),
+ sizeof(struct in6_addr),
+ &src_address.sin6.sin6_addr);
m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
sizeof(struct in6_addr),
&dst_address.sin6.sin6_addr);
@@ -291,10 +301,35 @@
/* NB: only pass dst since key_lookup_sa follows RFC2401 */
sav = KEY_LOOKUP_SA(&dst_address, sproto, spi, sport, dport);
if (sav == NULL) {
- IPSECLOG(LOG_DEBUG,
- "no key association found for SA %s/%08lx/%u/%u\n",
- ipsec_address(&dst_address, buf, sizeof(buf)),
- (u_long) ntohl(spi), sproto, ntohs(dport));
+ static struct timeval lasttime = {0, 0};
+ static int curpps = 0;
+
+ if (!ipsec_debug && ppsratecheck(&lasttime, &curpps, 1)) {
+ if (sport || dport) {
+ log(LOG_INFO,
+ "no key association found for SA"
+ " %s[%u]-%s[%u]/SPI 0x%08lx\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ntohs(sport),
+ ipsec_address(&dst_address, buf2, sizeof(buf2)),
+ ntohs(dport),
+ (u_long) ntohl(spi));
+ } else {
+ log(LOG_INFO,
+ "no key association found for"
+ " SA %s-%s/SPI 0x%08lx\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ipsec_address(&src_address, buf2, sizeof(buf2)),
+ (u_long) ntohl(spi));
+ }
+ } else if (ipsec_debug) {
+ IPSECLOG(LOG_DEBUG,
+ "no key association found for SA "
+ "%s-%s/SPI 0x%08lx/PROTO %u/PORT %u-%u\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ipsec_address(&dst_address, buf2, sizeof(buf2)),
+ (u_long) ntohl(spi), sproto, ntohs(dport), ntohs(sport));
+ }
IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
IPCOMP_STAT_NOTDB);
splx(s);
Home |
Main Index |
Thread Index |
Old Index