Hi,

As mentioned before, IPsec packets could be dropped without being counted
in the protocol statistics if output after crypto processing failed.  Add a
counter for that case.

ok?

bluhm

Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.126
diff -u -p -r1.126 ip_ah.c
--- sys/netinet/ip_ah.c 7 Feb 2017 15:10:48 -0000       1.126
+++ sys/netinet/ip_ah.c 7 Feb 2017 16:55:11 -0000
@@ -1247,8 +1247,8 @@ ah_output_cb(struct cryptop *crp)
        /* No longer needed. */
        crypto_freereq(crp);
 
-       ipsp_process_done(m, tdb);
-       /* XXX missing error counter if ipsp_process_done() drops packet */
+       if (ipsp_process_done(m, tdb))
+               ahstat.ahs_outfail++;
        NET_UNLOCK(s);
 
  baddone:
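Review bot: The new `if (ipsp_process_done(m, tdb))` line counts the failure but does not say what happens to `m`, and the hunk shows no `m_freem()` on that path, so a reader has to know that `ipsp_process_done()` consumes the mbuf on error. If that is its contract, it is worth stating next to the counter, e.g. `/* ipsp_process_done() frees the mbuf on error; only account for it */`, since an accidental second free or a leak here would be invisible to the new statistic. The increment is non-atomic but still happens before `NET_UNLOCK(s)`, which appears to be the intended serialization. ah_output_cb continues past `baddone:` outside the hunk.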
Index: sys/netinet/ip_ah.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.h,v
retrieving revision 1.33
diff -u -p -r1.33 ip_ah.h
--- sys/netinet/ip_ah.h 10 Jan 2010 12:43:07 -0000      1.33
+++ sys/netinet/ip_ah.h 7 Feb 2017 16:55:11 -0000
@@ -38,8 +38,7 @@
 #ifndef _NETINET_IP_AH_H_
 #define _NETINET_IP_AH_H_
 
-struct ahstat
-{
+struct ahstat {
     u_int32_t  ahs_hdrops;     /* Packet shorter than header shows */
     u_int32_t  ahs_nopf;       /* Protocol family not supported */
     u_int32_t  ahs_notdb;
@@ -58,10 +57,10 @@ struct ahstat
     u_int32_t  ahs_toobig;     /* Packet got larger than IP_MAXPACKET */
     u_int32_t  ahs_pdrops;     /* Packet blocked due to policy */
     u_int32_t  ahs_crypto;     /* Crypto processing failure */
+    u_int32_t  ahs_outfail;    /* Packet output failure */
 };
 
-struct ah
-{
+struct ah {
     u_int8_t   ah_nh;
     u_int8_t   ah_hl;
     u_int16_t  ah_rv;
Index: sys/netinet/ip_esp.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.144
diff -u -p -r1.144 ip_esp.c
--- sys/netinet/ip_esp.c        7 Feb 2017 15:10:48 -0000       1.144
+++ sys/netinet/ip_esp.c        7 Feb 2017 16:55:11 -0000
@@ -1088,7 +1088,8 @@ esp_output_cb(struct cryptop *crp)
        crypto_freereq(crp);
 
        /* Call the IPsec input callback. */
-       ipsp_process_done(m, tdb);
+       if (ipsp_process_done(m, tdb))
+               espstat.esps_outfail++;
        /* XXX missing error counter if ipsp_process_done() drops packet */
        NET_UNLOCK(s);
        return;
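Review bot: The stale `/* XXX missing error counter if ipsp_process_done() drops packet */` comment on the line after the new counter should be removed, as the AH and IPcomp hunks in this same diff do; leaving it contradicts the code it now follows. Also the existing comment above the call reads "Call the IPsec input callback." while this is the output path, which is worth fixing while touching the spot, e.g. `/* Hand the packet to the IPsec output path; count it if it is dropped. */`. esp_output_cb begins outside the hunk.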
Index: sys/netinet/ip_esp.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_esp.h,v
retrieving revision 1.43
diff -u -p -r1.43 ip_esp.h
--- sys/netinet/ip_esp.h        2 Sep 2016 09:39:32 -0000       1.43
+++ sys/netinet/ip_esp.h        7 Feb 2017 16:55:11 -0000
@@ -38,8 +38,7 @@
 #ifndef _NETINET_IP_ESP_H_
 #define _NETINET_IP_ESP_H_
 
-struct espstat
-{
+struct espstat {
     u_int32_t  esps_hdrops;    /* Packet shorter than header shows */
     u_int32_t  esps_nopf;      /* Protocol family not supported */
     u_int32_t  esps_notdb;
@@ -63,6 +62,7 @@ struct espstat
     u_int32_t  esps_udpencout; /* Output ESP-in-UDP packets */
     u_int32_t  esps_udpinval;  /* Invalid input ESP-in-UDP packets */
     u_int32_t  esps_udpneeded; /* Trying to use a ESP-in-UDP TDB */
+    u_int32_t  esps_outfail;   /* Packet output failure */
 };
 
 /*
Index: sys/netinet/ip_ipcomp.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.51
diff -u -p -r1.51 ip_ipcomp.c
--- sys/netinet/ip_ipcomp.c     7 Feb 2017 15:10:48 -0000       1.51
+++ sys/netinet/ip_ipcomp.c     7 Feb 2017 16:55:11 -0000
@@ -579,8 +579,8 @@ ipcomp_output_cb(struct cryptop *crp)
        if (rlen < crp->crp_olen) {
                /* Compression was useless, we have lost time. */
                crypto_freereq(crp);
-               ipsp_process_done(m, tdb);
-               /* XXX missing counter if ipsp_process_done() drops packet */
+               if (ipsp_process_done(m, tdb))
+                       ipcompstat.ipcomps_outfail++;
                NET_UNLOCK(s);
                return;
        }
@@ -628,8 +628,8 @@ ipcomp_output_cb(struct cryptop *crp)
        /* Release the crypto descriptor. */
        crypto_freereq(crp);
 
-       ipsp_process_done(m, tdb);
-       /* XXX missing error counter if ipsp_process_done() drops packet */
+       if (ipsp_process_done(m, tdb))
+               ipcompstat.ipcomps_outfail++;
        NET_UNLOCK(s);
        return;
 
Index: sys/netinet/ip_ipcomp.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipcomp.h,v
retrieving revision 1.7
diff -u -p -r1.7 ip_ipcomp.h
--- sys/netinet/ip_ipcomp.h     14 Dec 2007 18:33:41 -0000      1.7
+++ sys/netinet/ip_ipcomp.h     7 Feb 2017 16:55:11 -0000
@@ -51,6 +51,7 @@ struct ipcompstat {
        u_int32_t       ipcomps_pdrops; /* Packet blocked due to policy */
        u_int32_t       ipcomps_crypto; /* "Crypto" processing failure */
        u_int32_t       ipcomps_minlen; /* packets too short for compress */
+       u_int32_t       ipcomps_outfail;        /* Packet output failure */
 };
 
 /* IPCOMP header */
Index: usr.bin/netstat/inet.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/netstat/inet.c,v
retrieving revision 1.153
diff -u -p -r1.153 inet.c
--- usr.bin/netstat/inet.c      22 Dec 2016 11:04:44 -0000      1.153
+++ usr.bin/netstat/inet.c      7 Feb 2017 16:56:35 -0000
@@ -954,6 +954,7 @@ ah_stats(char *name)
        p(ahs_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
        p(ahs_toobig, "\t%u packet%s got larger than max IP packet size\n");
        p(ahs_crypto, "\t%u packet%s that failed crypto processing\n");
+       p(ahs_outfail, "\t%u output packet%s could not be sent\n");
        p(ahs_ibytes, "\t%llu input byte%s\n");
        p(ahs_obytes, "\t%llu output byte%s\n");
 
@@ -1032,6 +1033,7 @@ esp_stats(char *name)
        p(esps_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
        p(esps_toobig, "\t%u packet%s got larger than max IP packet size\n");
        p(esps_crypto, "\t%u packet%s that failed crypto processing\n");
+       p(esps_outfail, "\t%u output packet%s could not be sent\n");
        p(esps_udpencin, "\t%u input UDP encapsulated ESP packet%s\n");
        p(esps_udpencout, "\t%u output UDP encapsulated ESP packet%s\n");
        p(esps_udpinval, "\t%u UDP packet%s for non-encapsulating TDB 
received\n");
@@ -1226,6 +1228,7 @@ ipcomp_stats(char *name)
        p(ipcomps_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
        p(ipcomps_toobig, "\t%u packet%s got larger than max IP packet size\n");
        p(ipcomps_crypto, "\t%u packet%s that failed (de)compression 
processing\n");
+       p(ipcomps_outfail, "\t%u output packet%s could not be sent\n");
        p(ipcomps_minlen, "\t%u packet%s less than minimum compression 
length\n");
        p(ipcomps_ibytes, "\t%llu input byte%s\n");
        p(ipcomps_obytes, "\t%llu output byte%s\n");
