Module Name: src Committed By: knakahara Date: Tue Aug 23 09:25:10 UTC 2022
Modified Files: src/sys/netipsec: ipsec_input.c Log Message: Improve IPsec log when no key association found for SA. Implemented by ohishi@IIJ. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.77 src/sys/netipsec/ipsec_input.c:1.78
--- src/sys/netipsec/ipsec_input.c:1.77 Tue May 24 20:50:20 2022
+++ src/sys/netipsec/ipsec_input.c Tue Aug 23 09:25:10 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $ */
 /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
 
@@ -39,7 +39,7 @@
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $");
 
 /*
 * IPsec input processing.
@@ -214,8 +214,8 @@ spi_get(struct mbuf *m, int sproto, int
 static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
- char buf[IPSEC_ADDRSTRLEN];
- union sockaddr_union dst_address;
+ char buf[IPSEC_ADDRSTRLEN], buf2[IPSEC_ADDRSTRLEN];
+ union sockaddr_union src_address, dst_address;
 struct secasvar *sav;
 u_int32_t spi;
 u_int16_t sport;
@@ -255,12 +255,18 @@ ipsec_common_input(struct mbuf *m, int s
 * kernel crypto routine. The resulting mbuf chain is a valid
 * IP packet ready to go through input processing.
 */
+ memset(&src_address, 0, sizeof (src_address));
 memset(&dst_address, 0, sizeof(dst_address));
+ src_address.sa.sa_family = af;
 dst_address.sa.sa_family = af;
 switch (af) {
 #ifdef INET
 case AF_INET:
+ src_address.sin.sin_len = sizeof(struct sockaddr_in);
 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
+ m_copydata(m, offsetof(struct ip, ip_src),
+ sizeof(struct in_addr),
+ &src_address.sin.sin_addr);
 m_copydata(m, offsetof(struct ip, ip_dst),
 sizeof(struct in_addr),
 &dst_address.sin.sin_addr);
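Review bot: In the added `memset(&src_address, 0, sizeof (src_address));` the space after `sizeof` differs from the `sizeof(dst_address)` on the very next line and from every other `sizeof(...)` in this hunk; `memset(&src_address, 0, sizeof(src_address));` keeps the two initialisations visually parallel. The new src_address lines otherwise mirror the existing dst_address handling exactly, which is easy to audit. ipsec_common_input starts in an earlier hunk and continues past this one.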
@@ -268,7 +274,11 @@ ipsec_common_input(struct mbuf *m, int s
 #endif
 #ifdef INET6
 case AF_INET6:
+ src_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
+ m_copydata(m, offsetof(struct ip6_hdr, ip6_src),
+ sizeof(struct in6_addr),
+ &src_address.sin6.sin6_addr);
 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
 sizeof(struct in6_addr),
 &dst_address.sin6.sin6_addr);
@@ -291,10 +301,35 @@ ipsec_common_input(struct mbuf *m, int s
 /* NB: only pass dst since key_lookup_sa follows RFC2401 */
 sav = KEY_LOOKUP_SA(&dst_address, sproto, spi, sport, dport);
 if (sav == NULL) {
- IPSECLOG(LOG_DEBUG,
- "no key association found for SA %s/%08lx/%u/%u\n",
- ipsec_address(&dst_address, buf, sizeof(buf)),
- (u_long) ntohl(spi), sproto, ntohs(dport));
+ static struct timeval lasttime = {0, 0};
+ static int curpps = 0;
+
+ if (!ipsec_debug && ppsratecheck(&lasttime, &curpps, 1)) {
+ if (sport || dport) {
+ log(LOG_INFO,
+ "no key association found for SA"
+ " %s[%u]-%s[%u]/SPI 0x%08lx\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ntohs(sport),
+ ipsec_address(&dst_address, buf2, sizeof(buf2)),
+ ntohs(dport),
+ (u_long) ntohl(spi));
+ } else {
+ log(LOG_INFO,
+ "no key association found for"
+ " SA %s-%s/SPI 0x%08lx\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ipsec_address(&src_address, buf2, sizeof(buf2)),
+ (u_long) ntohl(spi));
+ }
+ } else if (ipsec_debug) {
+ IPSECLOG(LOG_DEBUG,
+ "no key association found for SA "
+ "%s-%s/SPI 0x%08lx/PROTO %u/PORT %u-%u\n",
+ ipsec_address(&src_address, buf, sizeof(buf)),
+ ipsec_address(&dst_address, buf2, sizeof(buf2)),
+ (u_long) ntohl(spi), sproto, ntohs(dport), ntohs(sport));
+ }
 IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
 IPCOMP_STAT_NOTDB);
 splx(s);
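Review bot: The no-port `else` branch of the new rate-limited log formats the source address twice, so the `%s-%s` in "no key association found for SA %s-%s/SPI 0x%08lx" prints src-src and the destination the SA lookup was actually keyed on never reaches the log; the second argument should be `ipsec_address(&dst_address, buf2, sizeof(buf2)),`. In the `ipsec_debug` branch the addresses are printed src-dst but the ports are passed as `ntohs(dport), ntohs(sport)` under `PORT %u-%u`, so a reader pairing them positionally gets them crossed; `ntohs(sport), ntohs(dport)` keeps the order consistent with the address pair. Since this message fires for every packet whose SPI matches no SA, the `ppsratecheck(&lasttime, &curpps, 1)` bound is what keeps unsolicited traffic from flooding the log, which is worth stating next to the statics: `/* rate-limit: unmatched SPIs are attacker-controllable input */`. ipsec_common_input continues past the end of this hunk.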