diff options
Diffstat (limited to 'tools/tools/crypto/ipsecstats.c')
-rw-r--r-- | tools/tools/crypto/ipsecstats.c | 179 |
1 files changed, 179 insertions, 0 deletions
diff --git a/tools/tools/crypto/ipsecstats.c b/tools/tools/crypto/ipsecstats.c new file mode 100644 index 000000000000..6ecc1f454bcf --- /dev/null +++ b/tools/tools/crypto/ipsecstats.c @@ -0,0 +1,179 @@ +/*- + * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ +#include <stdio.h> +#include <sys/types.h> +#include <netipsec/ipsec.h> +#include <netipsec/ah_var.h> +#include <netipsec/esp_var.h> + +struct alg { + int a; + const char *name; +}; +static const struct alg aalgs[] = { + { SADB_AALG_NONE, "none", }, + { SADB_AALG_MD5HMAC, "hmac-md5", }, + { SADB_AALG_SHA1HMAC, "hmac-sha1", }, + { SADB_X_AALG_MD5, "md5", }, + { SADB_X_AALG_SHA, "sha", }, + { SADB_X_AALG_NULL, "null", }, + { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, + { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, + { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, +}; +static const struct alg espalgs[] = { + { SADB_EALG_NONE, "none", }, + { SADB_EALG_DESCBC, "des-cbc", }, + { SADB_EALG_3DESCBC, "3des-cbc", }, + { SADB_EALG_NULL, "null", }, + { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, + { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, + { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", }, +}; +static const struct alg ipcompalgs[] = { + { SADB_X_CALG_NONE, "none", }, + { SADB_X_CALG_OUI, "oui", }, + { SADB_X_CALG_DEFLATE, "deflate", }, + { SADB_X_CALG_LZS, "lzs", }, +}; +#define N(a) (sizeof(a)/sizeof(a[0])) + +static const char* +algname(int a, const struct alg algs[], int nalgs) +{ + static char buf[80]; + int i; + + for (i = 0; i < nalgs; i++) + if (algs[i].a == a) + return algs[i].name; + snprintf(buf, sizeof(buf), "alg#%u", a); + return buf; +} + +/* + * Little program to dump the statistics block for fast ipsec. + */ +int +main(int argc, char *argv[]) +{ +#define STAT(x,fmt) if (x) printf(fmt "\n", x) + struct ipsecstat ips; + struct ahstat ahs; + struct espstat esps; + size_t slen; + int i; + + slen = sizeof (ips); + if (sysctlbyname("net.inet.ipsec.ipsecstats", &ips, &slen, NULL, NULL) < 0) + err(1, "net.inet.ipsec.ipsecstats"); + slen = sizeof (ahs); + if (sysctlbyname("net.inet.ah.stats", &ahs, &slen, NULL, NULL) < 0) + err(1, "net.inet.ah.stats"); + slen = sizeof (esps); + if (sysctlbyname("net.inet.esp.stats", &esps, &slen, NULL, NULL) < 0) + err(1, "net.inet.esp.stats"); + +#define AHSTAT(x,fmt) if (x) printf("ah " fmt ": %u\n", x) +#define AHSTAT64(x,fmt) if (x) printf("ah " fmt ": %llu\n", x) + AHSTAT(ahs.ahs_input, "input packets processed"); + AHSTAT(ahs.ahs_output, "output packets processed"); + AHSTAT(ahs.ahs_hdrops, "headers too short"); + AHSTAT(ahs.ahs_nopf, "headers for unsupported address family"); + AHSTAT(ahs.ahs_notdb, "packets with no SA"); + AHSTAT(ahs.ahs_badkcr, "packets with bad kcr"); + AHSTAT(ahs.ahs_badauth, "packets with bad authentication"); + AHSTAT(ahs.ahs_noxform, "packets with no xform"); + AHSTAT(ahs.ahs_qfull, "packets dropped packet 'cuz queue full"); + AHSTAT(ahs.ahs_wrap, "packets dropped for replace counter wrap"); + AHSTAT(ahs.ahs_replay, "packets dropped for possible replay"); + AHSTAT(ahs.ahs_badauthl, "packets dropped for bad authenticator length"); + AHSTAT(ahs.ahs_invalid, "packets with an invalid SA"); + AHSTAT(ahs.ahs_toobig, "packets too big"); + AHSTAT(ahs.ahs_pdrops, "packets dropped due to policy"); + AHSTAT(ahs.ahs_crypto, "failed crypto requests"); + AHSTAT(ahs.ahs_tunnel, "tunnel sanity check failures"); + for (i = 0; i < AH_ALG_MAX; i++) + if (ahs.ahs_hist[i]) + printf("ah packets with %s: %u\n" + , algname(i, aalgs, N(aalgs)) + , ahs.ahs_hist[i] + ); + AHSTAT64(ahs.ahs_ibytes, "bytes received"); + AHSTAT64(ahs.ahs_obytes, "bytes transmitted"); +#undef AHSTAT64 +#undef AHSTAT + +#define ESPSTAT(x,fmt) if (x) printf("esp " fmt ": %u\n", x) +#define ESPSTAT64(x,fmt) if (x) printf("esp " fmt ": %llu\n", x) + ESPSTAT(esps.esps_input, "input packets processed"); + ESPSTAT(esps.esps_output, "output packets processed"); + ESPSTAT(esps.esps_hdrops, "headers too short"); + ESPSTAT(esps.esps_nopf, "headers for unsupported address family"); + ESPSTAT(esps.esps_notdb, "packets with no SA"); + ESPSTAT(esps.esps_badkcr, "packets with bad kcr"); + ESPSTAT(esps.esps_qfull, "packets dropped packet 'cuz queue full"); + ESPSTAT(esps.esps_noxform, "packets with no xform"); + ESPSTAT(esps.esps_badilen, "packets with bad ilen"); + ESPSTAT(esps.esps_badenc, "packets with bad encryption"); + ESPSTAT(esps.esps_badauth, "packets with bad authentication"); + ESPSTAT(esps.esps_wrap, "packets dropped for replay counter wrap"); + ESPSTAT(esps.esps_replay, "packets dropped for possible replay"); + ESPSTAT(esps.esps_invalid, "packets with an invalid SA"); + ESPSTAT(esps.esps_toobig, "packets too big"); + ESPSTAT(esps.esps_pdrops, "packets dropped due to policy"); + ESPSTAT(esps.esps_crypto, "failed crypto requests"); + ESPSTAT(esps.esps_tunnel, "tunnel sanity check failures"); + for (i = 0; i < ESP_ALG_MAX; i++) + if (esps.esps_hist[i]) + printf("esp packets with %s: %u\n" + , algname(i, espalgs, N(espalgs)) + , esps.esps_hist[i] + ); + ESPSTAT64(esps.esps_ibytes, "bytes received"); + ESPSTAT64(esps.esps_obytes, "bytes transmitted"); +#undef ESPSTAT64 +#undef ESPSTAT + + printf("\n"); + if (ips.ips_in_polvio+ips.ips_out_polvio) + printf("policy violations: input %u output %u\n", + ips.ips_in_polvio, ips.ips_out_polvio); + STAT(ips.ips_out_nosa, "no SA found %u (output)"); + STAT(ips.ips_out_nomem, "no memory available %u (output)"); + STAT(ips.ips_out_noroute, "no route available %u (output)"); + STAT(ips.ips_out_inval, "generic error %u (output)"); + STAT(ips.ips_out_bundlesa, "bundled SA processed %u (output)"); + printf("m_clone processing: %u mbufs + %u clusters coalesced\n", + ips.ips_mbcoalesced, ips.ips_clcoalesced); + printf("m_clone processing: %u clusters copied\n", ips.ips_clcopied); + printf("m_makespace: %u mbufs inserted\n", ips.ips_mbinserted); + printf("header position [front/middle/end]: %u/%u/%u\n", + ips.ips_input_front, ips.ips_input_middle, ips.ips_input_end); + return 0; +} |