Module Name:    src
Committed By:   ozaki-r
Date:           Fri Aug 28 06:19:13 UTC 2020

Modified Files:
        src/sys/netinet: ip_input.c ip_output.c ip_var.h
        src/sys/netinet6: ip6_forward.c ip6_input.c ip6_output.c ip6_var.h
        src/sys/netipsec: ipsec.c ipsec.h

Log Message:
inet, inet6: count packets dropped by IPsec

The counters count packets dropped due to security policy checks.


To generate a diff of this commit:
cvs rdiff -u -r1.393 -r1.394 src/sys/netinet/ip_input.c
cvs rdiff -u -r1.315 -r1.316 src/sys/netinet/ip_output.c
cvs rdiff -u -r1.128 -r1.129 src/sys/netinet/ip_var.h
cvs rdiff -u -r1.99 -r1.100 src/sys/netinet6/ip6_forward.c
cvs rdiff -u -r1.218 -r1.219 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.223 -r1.224 src/sys/netinet6/ip6_output.c
cvs rdiff -u -r1.84 -r1.85 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.170 -r1.171 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.89 -r1.90 src/sys/netipsec/ipsec.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.393 src/sys/netinet/ip_input.c:1.394
--- src/sys/netinet/ip_input.c:1.393	Wed Nov 13 02:51:22 2019
+++ src/sys/netinet/ip_input.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.393 2019/11/13 02:51:22 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.394 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -741,6 +741,7 @@ ip_input(struct mbuf *m)
 		/* Check the security policy (SP) for the packet */
 		if (ipsec_used) {
 			if (ipsec_ip_input(m, true) != 0) {
+				IP_STATINC(IP_STAT_IPSECDROP_IN);
 				goto out;
 			}
 		}
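Review bot: The new `IP_STATINC(IP_STAT_IPSECDROP_IN)` fires on any non-zero return from `ipsec_ip_input()` on the line above it, not specifically on a policy deny, so if `ipsec_ip_input()` can also fail for reasons unrelated to the SP decision (a failed policy lookup or allocation, say) those failures would inflate a counter documented as "dropped by IPsec SP check". Either the counter's comment in ip_var.h should say it counts every IPsec input failure, or the increment should key off the policy outcome if `ipsec_ip_input()` can expose it. The same pattern is in the second hunk of this file and in the ip6_input.c hunk. `ip_input()` starts and ends outside this hunk.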
@@ -788,6 +789,7 @@ ours:
 	if (ipsec_used &&
 	    (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
 		if (ipsec_ip_input(m, false) != 0) {
+			IP_STATINC(IP_STAT_IPSECDROP_IN);
 			goto out;
 		}
 	}

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.315 src/sys/netinet/ip_output.c:1.316
--- src/sys/netinet/ip_output.c:1.315	Fri Dec 27 10:17:56 2019
+++ src/sys/netinet/ip_output.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.315 2019/12/27 10:17:56 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.316 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -609,10 +609,13 @@ sendit:
 #ifdef IPSEC
 	if (ipsec_used) {
 		bool ipsec_done = false;
+		bool count_drop = false;
 
 		/* Perform IPsec processing, if any. */
 		error = ipsec4_output(m, inp, flags, &mtu, &natt_frag,
-		    &ipsec_done);
+		    &ipsec_done, &count_drop);
+		if (count_drop)
+			IP_STATINC(IP_STAT_IPSECDROP_OUT);
 		if (error || ipsec_done)
 			goto done;
 	}
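Review bot: `count_drop` is the third boolean out-parameter of `ipsec4_output()` after `natt_frag` and `ipsec_done`, and the call at L94-96 now passes three `bool *` whose meaning is only recoverable from the definition; a single flags word or a distinct return value for "policy discarded the packet" would scale better than adding a pointer per condition. Note that the `= false` initialisation at L91 is load-bearing: from the ipsec.c hunk the callee only ever writes `true`, so a caller that forgets to zero the variable reads an indeterminate value at `if (count_drop)`. A comment on the declaration, `/* set by ipsec4_output() only on a policy drop; must start false */`, would make that contract visible here.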

Index: src/sys/netinet/ip_var.h
diff -u src/sys/netinet/ip_var.h:1.128 src/sys/netinet/ip_var.h:1.129
--- src/sys/netinet/ip_var.h:1.128	Mon May 13 07:47:59 2019
+++ src/sys/netinet/ip_var.h	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_var.h,v 1.128 2019/05/13 07:47:59 ozaki-r Exp $	*/
+/*	$NetBSD: ip_var.h,v 1.129 2020/08/28 06:19:13 ozaki-r Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1993
@@ -149,8 +149,10 @@ struct ip_pktopts {
 #define	IP_STAT_NOIPSEC		31	/* no match ipsec(4) found */
 #define	IP_STAT_PFILDROP_IN	32	/* dropped by pfil (PFIL_IN) */
 #define	IP_STAT_PFILDROP_OUT	33	/* dropped by pfil (PFIL_OUT) */
+#define	IP_STAT_IPSECDROP_IN	34	/* dropped by IPsec SP check */
+#define	IP_STAT_IPSECDROP_OUT	35	/* dropped by IPsec SP check */
 
-#define	IP_NSTATS		34
+#define	IP_NSTATS		36
 
 #ifdef _KERNEL
 

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.99 src/sys/netinet6/ip6_forward.c:1.100
--- src/sys/netinet6/ip6_forward.c:1.99	Fri Jun 12 11:04:45 2020
+++ src/sys/netinet6/ip6_forward.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.99 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.100 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -192,6 +192,7 @@ ip6_forward(struct mbuf *m, int srcrt)
 			if (error == -EINVAL)
 				error = 0;
 			m_freem(m);
+			IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
 			goto freecopy;
 		}
 	}
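Review bot: Forwarded IPv6 packets discarded here are folded into `IP6_STAT_IPSECDROP_OUT` at L149, the same counter `ip6_output()` bumps for locally originated traffic, so the new statistic cannot separate forward-path drops from output-path drops. If that distinction matters for operators debugging policy on a router, a dedicated counter (or a note in the ip6_var.h comment that OUT includes forwarded packets) would avoid the ambiguity. The increment sits after `m_freem(m)`, which is fine since `IP6_STATINC` does not touch the mbuf, but placing it before the free keeps the "decide, count, free" order used elsewhere. `ip6_forward()` starts and ends outside this hunk.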

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.218 src/sys/netinet6/ip6_input.c:1.219
--- src/sys/netinet6/ip6_input.c:1.218	Mon Jul 27 14:06:58 2020
+++ src/sys/netinet6/ip6_input.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.218 2020/07/27 14:06:58 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.219 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -756,8 +756,10 @@ hbhcheck:
 				int error;
 
 				error = ipsec_ip_input(m, false);
-				if (error)
+				if (error) {
+					IP6_STATINC(IP6_STAT_IPSECDROP_IN);
 					goto bad;
+				}
 			}
 		}
 #endif

Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.223 src/sys/netinet6/ip6_output.c:1.224
--- src/sys/netinet6/ip6_output.c:1.223	Fri Jun 12 11:04:45 2020
+++ src/sys/netinet6/ip6_output.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.223 2020/06/12 11:04:45 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.224 2020/08/28 06:19:13 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -295,6 +295,7 @@ ip6_output(
 			 */
 			if (error == -EINVAL)
 				error = 0;
+			IP6_STATINC(IP6_STAT_IPSECDROP_OUT);
 			goto freehdrs;
 		}
 	}

Index: src/sys/netinet6/ip6_var.h
diff -u src/sys/netinet6/ip6_var.h:1.84 src/sys/netinet6/ip6_var.h:1.85
--- src/sys/netinet6/ip6_var.h:1.84	Fri Jun 19 16:08:06 2020
+++ src/sys/netinet6/ip6_var.h	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_var.h,v 1.84 2020/06/19 16:08:06 maxv Exp $	*/
+/*	$NetBSD: ip6_var.h,v 1.85 2020/08/28 06:19:13 ozaki-r Exp $	*/
 /*	$KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $	*/
 
 /*
@@ -188,8 +188,10 @@ struct	ip6_pktopts {
 #define	IP6_STAT_NOIPSEC	402	/* no match ipsec(4) found */
 #define	IP6_STAT_PFILDROP_IN	403	/* dropped by pfil (PFIL_IN) */
 #define	IP6_STAT_PFILDROP_OUT	404	/* dropped by pfil (PFIL_OUT) */
+#define	IP6_STAT_IPSECDROP_IN	405	/* dropped by IPsec SP check */
+#define	IP6_STAT_IPSECDROP_OUT	406	/* dropped by IPsec SP check */
 
-#define	IP6_NSTATS		405
+#define	IP6_NSTATS		407
 
 #define IP6FLOW_HASHBITS         6 /* should not be a multiple of 8 */
 

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.170 src/sys/netipsec/ipsec.c:1.171
--- src/sys/netipsec/ipsec.c:1.170	Wed Aug  7 10:10:00 2019
+++ src/sys/netipsec/ipsec.c	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $ */
+/* $NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.171 2020/08/28 06:19:13 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -616,7 +616,7 @@ ipsec_checkpolicy(struct mbuf *m, u_int 
 
 int
 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
-    u_long *mtu, bool *natt_frag, bool *done)
+    u_long *mtu, bool *natt_frag, bool *done, bool *count_drop)
 {
 	struct secpolicy *sp = NULL;
 	u_long _mtu = 0;
@@ -660,6 +660,7 @@ ipsec4_output(struct mbuf *m, struct inp
 				error = 0;
 			m_freem(m);
 			*done = true;
+			*count_drop = true;
 			return error;
 		}
 		/* No IPsec processing for this packet. */
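Review bot: `*count_drop` is only ever assigned `true` (L269) and never cleared, so on every other return path of `ipsec4_output()` the out-parameter keeps whatever the caller left in it; the function should either set `*count_drop = false;` alongside the initialisation of `sp` and `_mtu` in the previous hunk, or its contract must state that callers pre-initialise it. There is also no check that `count_drop` is non-NULL, unlike what a caller might expect for an optional out-parameter, so the prototype comment should say it is mandatory. The function starts in the preceding hunk and its body continues past this one.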

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.89 src/sys/netipsec/ipsec.h:1.90
--- src/sys/netipsec/ipsec.h:1.89	Fri Nov  1 04:23:21 2019
+++ src/sys/netipsec/ipsec.h	Fri Aug 28 06:19:13 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.89 2019/11/01 04:23:21 knakahara Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.90 2020/08/28 06:19:13 ozaki-r Exp $	*/
 /*	$FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -275,7 +275,7 @@ void ipsec_pcbdisconn(struct inpcbpolicy
 void ipsec_invalpcbcacheall(void);
 
 struct inpcb;
-int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *);
+int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
 
 int ipsec_ip_input(struct mbuf *, bool);
 void ipsec_mtu(struct mbuf *, int *);
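Review bot: The prototype at L289 now has three unnamed trailing `bool *` parameters, so a reader of the header cannot tell which is `natt_frag`, `done` or `count_drop` without opening ipsec.c. A one-line comment above the declaration, `/* out: natt_frag, done, count_drop — count_drop is set only on a policy drop, caller initialises it */`, or naming the parameters in the prototype as the style notes recommend, would document the new contract where callers look for it.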
