From 9da359bbec88016be0a3babcb2f169eefcc0e10d Mon Sep 17 00:00:00 2001 From: itojun Date: Sat, 26 Feb 2000 09:55:24 +0000 Subject: [PATCH] revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame) --- usr.bin/netstat/Makefile | 6 +- usr.bin/netstat/inet.c | 110 +------------ usr.bin/netstat/inet6.c | 169 ++++++++++++++++--- usr.bin/netstat/ipsec.c | 331 ++++++++++++++++++++++++++++++++++++++ usr.bin/netstat/main.c | 23 ++- usr.bin/netstat/mroute6.c | 62 +++---- usr.bin/netstat/netstat.h | 6 +- 7 files changed, 532 insertions(+), 175 deletions(-) create mode 100644 usr.bin/netstat/ipsec.c diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile index 2347aaedf0b3..82d135138b29 100644 --- a/usr.bin/netstat/Makefile +++ b/usr.bin/netstat/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.19 1999/12/13 15:22:55 itojun Exp $ +# $NetBSD: Makefile,v 1.20 2000/02/26 09:55:24 itojun Exp $ # from: @(#)Makefile 8.1 (Berkeley) 6/12/93 PROG= netstat -SRCS= atalk.c if.c inet.c inet6.c iso.c main.c mbuf.c mroute.c mroute6.c \ - ns.c route.c tp_astring.c unix.c +SRCS= atalk.c if.c inet.c inet6.c ipsec.c iso.c main.c mbuf.c mroute.c \ + mroute6.c ns.c route.c tp_astring.c unix.c .PATH: ${.CURDIR}/../../sys/netiso BINGRP= kmem BINMODE=2555 diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c index f5ec2de8fd5f..25acb231b96d 100644 --- a/usr.bin/netstat/inet.c +++ b/usr.bin/netstat/inet.c @@ -1,4 +1,4 @@ -/* $NetBSD: inet.c,v 1.38 1999/11/19 10:44:33 bouyer Exp $ */ +/* $NetBSD: inet.c,v 1.39 2000/02/26 09:55:24 itojun Exp $ */ /* * Copyright (c) 1983, 1988, 1993 @@ -38,7 +38,7 @@ #if 0 static char sccsid[] = "from: @(#)inet.c 8.4 (Berkeley) 4/20/94"; #else -__RCSID("$NetBSD: inet.c,v 1.38 1999/11/19 10:44:33 bouyer Exp $"); +__RCSID("$NetBSD: inet.c,v 1.39 2000/02/26 09:55:24 itojun Exp $"); #endif #endif /* not lint */ @@ -74,9 +74,6 @@ __RCSID("$NetBSD: inet.c,v 1.38 1999/11/19 10:44:33 bouyer Exp $"); #include #include #include -#ifdef IPSEC -#include -#endif #include #include @@ -506,109 +503,6 @@ igmp_stats(off, name) #undef py } -#ifdef IPSEC -static char *ipsec_ahnames[] = { - "none", - "hmac MD5", - "hmac SHA1", - "keyed MD5", - "keyed SHA1", - "null", -}; - -static char *ipsec_espnames[] = { - "none", - "DES CBC", - "3DES CBC", - "simple", - "blowfish CBC", - "CAST128 CBC", - "DES derived IV", -}; - -/* - * Dump IPSEC statistics structure. - */ -void -ipsec_stats(off, name) - u_long off; - char *name; -{ - struct ipsecstat ipsecstat; - int first, proto; - - if (off == 0) - return; - printf ("%s:\n", name); - kread(off, (char *)&ipsecstat, sizeof (ipsecstat)); - -#define p(f, m) if (ipsecstat.f || sflag <= 1) \ - printf(m, (unsigned long long)ipsecstat.f, plural(ipsecstat.f)) - - p(in_success, "\t%llu inbound packet%s processed successfully\n"); - p(in_polvio, "\t%llu inbound packet%s violated process security " - "policy\n"); - p(in_nosa, "\t%llu inbound packet%s with no SA available\n"); - p(in_inval, - "\t%llu inbound packet%s failed processing due to EINVAL\n"); - p(in_badspi, "\t%llu inbound packet%s failed getting SPI\n"); - p(in_ahreplay, "\t%llu inbound packet%s failed on AH replay check\n"); - p(in_espreplay, "\t%llu inbound packet%s failed on ESP replay check\n"); - p(in_ahauthsucc, "\t%llu inbound packet%s considered authentic\n"); - p(in_ahauthfail, "\t%llu inbound packet%s failed on authentication\n"); - for (first = 1, proto = 0; proto < SADB_AALG_MAX; proto++) { - if (ipsecstat.in_ahhist[proto] <= 0) - continue; - if (first) { - printf("\tAH input histogram:\n"); - first = 0; - } - printf("\t\t%s: %llu\n", - ipsec_ahnames[proto], - (unsigned long long)ipsecstat.in_ahhist[proto]); - } - for (first = 1, proto = 0; proto < SADB_EALG_MAX; proto++) { - if (ipsecstat.in_esphist[proto] <= 0) - continue; - if (first) { - printf("\tESP input histogram:\n"); - first = 0; - } - printf("\t\t%s: %llu\n", ipsec_espnames[proto], - (unsigned long long)ipsecstat.in_esphist[proto]); - } - - p(out_success, "\t%llu outbound packet%s processed successfully\n"); - p(out_polvio, "\t%llu outbound packet%s violated process security " - "policy\n"); - p(out_nosa, "\t%llu outbound packet%s with no SA available\n"); - p(out_inval, "\t%llu outbound packet%s failed processing due to " - "EINVAL\n"); - p(out_noroute, "\t%llu outbound packet%s with no route\n"); - for (first = 1, proto = 0; proto < SADB_AALG_MAX; proto++) { - if (ipsecstat.out_ahhist[proto] <= 0) - continue; - if (first) { - printf("\tAH output histogram:\n"); - first = 0; - } - printf("\t\t%s: %llu\n", ipsec_ahnames[proto], - (unsigned long long)ipsecstat.out_ahhist[proto]); - } - for (first = 1, proto = 0; proto < SADB_EALG_MAX; proto++) { - if (ipsecstat.out_esphist[proto] <= 0) - continue; - if (first) { - printf("\tESP output histogram:\n"); - first = 0; - } - printf("\t\t%s: %llu\n", ipsec_espnames[proto], - (unsigned long long)ipsecstat.out_esphist[proto]); - } -#undef p -} -#endif /*IPSEC*/ - /* * Pretty print an Internet address (net address + port). * If the nflag was specified, use numbers instead of names. diff --git a/usr.bin/netstat/inet6.c b/usr.bin/netstat/inet6.c index 6bd7b521935e..b1da4dcf71aa 100644 --- a/usr.bin/netstat/inet6.c +++ b/usr.bin/netstat/inet6.c @@ -1,6 +1,35 @@ -/* $NetBSD: inet6.c,v 1.6 1999/12/16 00:58:17 thorpej Exp $ */ - +/* $NetBSD: inet6.c,v 1.7 2000/02/26 09:55:24 itojun Exp $ */ /* BSDI inet.c,v 2.3 1995/10/24 02:19:29 prb Exp */ + +/* + * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + /* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. @@ -39,7 +68,7 @@ #if 0 static char sccsid[] = "@(#)inet.c 8.4 (Berkeley) 4/20/94"; #else -__RCSID("$NetBSD: inet6.c,v 1.6 1999/12/16 00:58:17 thorpej Exp $"); +__RCSID("$NetBSD: inet6.c,v 1.7 2000/02/26 09:55:24 itojun Exp $"); #endif #endif /* not lint */ @@ -60,6 +89,7 @@ __RCSID("$NetBSD: inet6.c,v 1.6 1999/12/16 00:58:17 thorpej Exp $"); #include #include #endif +#include #include #include #include @@ -305,7 +335,8 @@ udp6_stats(off, name) p1(udp6s_badsum, "\t%llu with bad checksum\n"); p1(udp6s_nosum, "\t%llu with no checksum\n"); p1(udp6s_noport, "\t%llu dropped due to no socket\n"); - p(udp6s_noportmcast, "\t%llu multicast datagram%s dropped due to no socket\n"); + p(udp6s_noportmcast, + "\t%llu multicast datagram%s dropped due to no socket\n"); p1(udp6s_fullsock, "\t%llu dropped due to full socket buffers\n"); delivered = udp6stat.udp6s_ipackets - udp6stat.udp6s_hdrops - @@ -609,7 +640,7 @@ ip6_stats(off, name) p1(ip6s_badvers, "\t%llu with incorrect version number\n"); p(ip6s_fragments, "\t%llu fragment%s received\n"); p(ip6s_fragdropped, - "\t%llu fragment%s dropped (dup or out of space)\n"); + "\t%llu fragment%s dropped (dup or out of space)\n"); p(ip6s_fragtimeout, "\t%llu fragment%s dropped after timeout\n"); p(ip6s_fragoverflow, "\t%llu fragment%s that exceeded limit\n"); p(ip6s_reassembled, "\t%llu packet%s reassembled ok\n"); @@ -620,7 +651,7 @@ ip6_stats(off, name) p(ip6s_localout, "\t%llu packet%s sent from this host\n"); p(ip6s_rawout, "\t%llu packet%s sent with fabricated ip header\n"); p(ip6s_odropped, - "\t%llu output packet%s dropped due to no bufs, etc.\n"); + "\t%llu output packet%s dropped due to no bufs, etc.\n"); p(ip6s_noroute, "\t%llu output packet%s discarded due to no route\n"); p(ip6s_fragmented, "\t%llu output datagram%s fragmented\n"); p(ip6s_ofragments, "\t%llu fragment%s created\n"); @@ -651,19 +682,117 @@ ip6_stats(off, name) } } printf("\t\t%llu one ext mbuf\n", - (unsigned long long)ip6stat.ip6s_mext1); + (unsigned long long)ip6stat.ip6s_mext1); printf("\t\t%llu two or more ext mbuf\n", - (unsigned long long)ip6stat.ip6s_mext2m); + (unsigned long long)ip6stat.ip6s_mext2m); p(ip6s_exthdrtoolong, - "\t%llu packet%s whose headers are not continuous\n"); + "\t%llu packet%s whose headers are not continuous\n"); p(ip6s_nogif, "\t%llu tunneling packet%s that can't find gif\n"); - p(ip6s_toomanyhdr, "\t%qu packet%s discarded due to too many headers\n"); - p(ip6s_pulldown, "\t%qu call%s to m_pulldown\n"); - p(ip6s_pulldown_alloc, "\t%qu mbuf allocation%s in m_pulldown\n"); - if (ip6stat.ip6s_pulldown_copy != 1) { - p1(ip6s_pulldown_copy, "\t%qu mbuf copies in m_pulldown\n"); - } else { - p1(ip6s_pulldown_copy, "\t%qu mbuf copy in m_pulldown\n"); + p(ip6s_toomanyhdr, + "\t%llu packet%s discarded due to too many headers\n"); + + if (ip6stat.ip6s_exthdrget || ip6stat.ip6s_exthdrget0) { + p(ip6s_exthdrget, "\t%llu use%s of IP6_EXTHDR_GET\n"); + p(ip6s_exthdrget0, "\t%llu use%s of IP6_EXTHDR_GET0\n"); + p(ip6s_pulldown, "\t%llu call%s to m_pulldown\n"); + p(ip6s_pulldown_alloc, + "\t%llu mbuf allocation%s in m_pulldown\n"); + if (ip6stat.ip6s_pulldown_copy != 1) { + p1(ip6s_pulldown_copy, + "\t%llu mbuf copies in m_pulldown\n"); + } else { + p1(ip6s_pulldown_copy, + "\t%llu mbuf copy in m_pulldown\n"); + } + p(ip6s_pullup, "\t%llu call%s to m_pullup\n"); + p(ip6s_pullup_alloc, "\t%llu mbuf allocation%s in m_pullup\n"); + if (ip6stat.ip6s_pullup_copy != 1) { + p1(ip6s_pullup_copy, + "\t%llu mbuf copies in m_pullup\n"); + } else { + p1(ip6s_pullup_copy, "\t%llu mbuf copy in m_pullup\n"); + } + p(ip6s_pullup_fail, "\t%llu failure%s in m_pullup\n"); + p(ip6s_pullup2, "\t%llu call%s to m_pullup2\n"); + p(ip6s_pullup2_alloc, + "\t%llu mbuf allocation%s in m_pullup2\n"); + if (ip6stat.ip6s_pullup2_copy != 1) { + p1(ip6s_pullup2_copy, + "\t%llu mbuf copies in m_pullup2\n"); + } else { + p1(ip6s_pullup2_copy, + "\t%llu mbuf copy in m_pullup2\n"); + } + p(ip6s_pullup2_fail, "\t%llu failure%s in m_pullup2\n"); + } + + /* for debugging source address selection */ +#define PRINT_SCOPESTAT(s,i) do {\ + switch(i) { /* XXX hardcoding in each case */\ + case 1:\ + p(s, "\t\t%llu node-local%s\n");\ + break;\ + case 2:\ + p(s, "\t\t%llu link-local%s\n");\ + break;\ + case 5:\ + p(s, "\t\t%llu site-local%s\n");\ + break;\ + case 14:\ + p(s, "\t\t%llu global%s\n");\ + break;\ + default:\ + printf("\t\t%llu addresses scope=%x\n",\ + (unsigned long long)ip6stat.s, i);\ + }\ + } while(0); + + p(ip6s_sources_none, + "\t%llu failure%s of source address selection\n"); + for (first = 1, i = 0; i < 16; i++) { + if (ip6stat.ip6s_sources_sameif[i]) { + if (first) { + printf("\tsource addresses on an outgoing I/F\n"); + first = 0; + } + PRINT_SCOPESTAT(ip6s_sources_sameif[i], i); + } + } + for (first = 1, i = 0; i < 16; i++) { + if (ip6stat.ip6s_sources_otherif[i]) { + if (first) { + printf("\tsource addresses on a non-outgoing I/F\n"); + first = 0; + } + PRINT_SCOPESTAT(ip6s_sources_otherif[i], i); + } + } + for (first = 1, i = 0; i < 16; i++) { + if (ip6stat.ip6s_sources_samescope[i]) { + if (first) { + printf("\tsource addresses of same scope\n"); + first = 0; + } + PRINT_SCOPESTAT(ip6s_sources_samescope[i], i); + } + } + for (first = 1, i = 0; i < 16; i++) { + if (ip6stat.ip6s_sources_otherscope[i]) { + if (first) { + printf("\tsource addresses of a different scope\n"); + first = 0; + } + PRINT_SCOPESTAT(ip6s_sources_otherscope[i], i); + } + } + for (first = 1, i = 0; i < 16; i++) { + if (ip6stat.ip6s_sources_deprecated[i]) { + if (first) { + printf("\tdeprecated source addresses\n"); + first = 0; + } + PRINT_SCOPESTAT(ip6s_sources_deprecated[i], i); + } } #undef p #undef p1 @@ -680,7 +809,7 @@ ip6_ifstats(ifname) int s; #define p(f, m) if (ifr.ifr_ifru.ifru_stat.f || sflag <= 1) \ printf(m, (unsigned long long)ifr.ifr_ifru.ifru_stat.f, \ - plural(ifr.ifr_ifru.ifru_stat.f)) + plural(ifr.ifr_ifru.ifru_stat.f)) #define p_5(f, m) if (ifr.ifr_ifru.ifru_stat.f || sflag <= 1) \ printf(m, ip6stat.f) @@ -1006,8 +1135,8 @@ icmp6_stats(off, name) printf(m, (unsigned long long)icmp6stat.f, plural(icmp6stat.f)) p(icp6s_error, "\t%llu call%s to icmp_error\n"); - p(icp6s_canterror, "\t%llu error%s not generated because old message " - "was icmp or so\n"); + p(icp6s_canterror, + "\t%llu error%s not generated because old message was icmp or so\n"); for (first = 1, i = 0; i < 256; i++) if (icmp6stat.icp6s_outhist[i] != 0) { if (first) { @@ -1046,7 +1175,7 @@ icmp6_ifstats(ifname) int s; #define p(f, m) if (ifr.ifr_ifru.ifru_icmp6stat.f || sflag <= 1) \ printf(m, (unsigned long long)ifr.ifr_ifru.ifru_icmp6stat.f, \ - plural(ifr.ifr_ifru.ifru_icmp6stat.f)) + plural(ifr.ifr_ifru.ifru_icmp6stat.f)) if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) { perror("Warning: socket(AF_INET6)"); diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c new file mode 100644 index 000000000000..4c279055b44e --- /dev/null +++ b/usr.bin/netstat/ipsec.c @@ -0,0 +1,331 @@ +/* $NetBSD: ipsec.c,v 1.1 2000/02/26 09:55:24 itojun Exp $ */ + +/* + * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Copyright (c) 1983, 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "from: @(#)inet.c 8.4 (Berkeley) 4/20/94"; +#else +#ifdef __NetBSD__ +__RCSID("$NetBSD: ipsec.c,v 1.1 2000/02/26 09:55:24 itojun Exp $"); +#endif +#endif +#endif /* not lint */ + +#include +#include +#include + +#include + +#ifdef IPSEC +#include +#include +#endif + +#include +#include +#include +#include "netstat.h" + +/* + * portability issues: + * - bsdi[34] uses PLURAL(), not plural(). + * - freebsd2 can't print "unsigned long long" properly. + */ +#ifdef __bsdi__ +#define plural(x) PLURAL(x) +#endif +#ifdef __FreeBSD__ +#define LLU "%qu" +#define CAST u_quad_t +#else +#define LLU "%llu" +#define CAST unsigned long long +#endif + +#ifdef IPSEC +static const char *ipsec_ahnames[] = { + "none", + "hmac MD5", + "hmac SHA1", + "keyed MD5", + "keyed SHA1", + "null", +}; + +static const char *ipsec_espnames[] = { + "none", + "DES CBC", + "3DES CBC", + "simple", + "blowfish CBC", + "CAST128 CBC", + "DES derived IV", +}; + +static const char *ipsec_compnames[] = { + "none", + "OUI", + "deflate", + "LZS", +}; + +static const char *pfkey_msgtypenames[] = { + "reserved", "getspi", "update", "add", "delete", + "get", "acquire", "register", "expire", "flush", + "dump", "x_promisc", "x_pchange", "x_spdupdate", "x_spdadd", + "x_spddelete", "x_spdget", "x_spdacquire", "x_spddump", "x_spdflush", + "x_spdsetidx", "x_spdexpire", +}; + +static struct ipsecstat ipsecstat; + +#if defined(__bsdi__) && _BSDI_VERSION >= 199802 +struct data_info ipsecstat_info = { /* for bsdi4 only */ + "_ipsecstat", + NULL, 0, + &ipsecstat, sizeof(struct ipsecstat) +}; +#endif + +static void print_ipsecstats __P((void)); +static const char *pfkey_msgtype_names __P((int)); +static void ipsec_hist __P((const u_quad_t *, size_t, const char **, size_t, + const char *)); + +/* + * Dump IPSEC statistics structure. + */ +static void +ipsec_hist(hist, histmax, name, namemax, title) + const u_quad_t *hist; + size_t histmax; + const char **name; + size_t namemax; + const char *title; +{ + int first; + size_t proto; + + for (first = 1, proto = 0; proto < histmax; proto++) { + if (hist[proto] <= 0) + continue; + if (first) { + printf("\t%s histogram:\n", title); + first = 0; + } + if (proto < namemax && name[proto]) { + printf("\t\t%s: " LLU "\n", name[proto], + (CAST)hist[proto]); + } else { + printf("\t\t#%ld: " LLU "\n", (long)proto, + (CAST)hist[proto]); + } + } +} + +static void +print_ipsecstats() +{ +#define p(f, m) if (ipsecstat.f || sflag <= 1) \ + printf(m, (CAST)ipsecstat.f, plural(ipsecstat.f)) +#define hist(f, n, t) \ + ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), sizeof(n)/sizeof(n[0]), (t)); + + p(in_success, "\t" LLU " inbound packet%s processed successfully\n"); + p(in_polvio, "\t" LLU " inbound packet%s violated process security " + "policy\n"); + p(in_nosa, "\t" LLU " inbound packet%s with no SA available\n"); + p(in_inval, "\t" LLU " invalid inbound packet%s\n"); + p(in_nomem, "\t" LLU " inbound packet%s failed due to insufficient memory\n"); + p(in_badspi, "\t" LLU " inbound packet%s failed getting SPI\n"); + p(in_ahreplay, "\t" LLU " inbound packet%s failed on AH replay check\n"); + p(in_espreplay, "\t" LLU " inbound packet%s failed on ESP replay check\n"); + p(in_ahauthsucc, "\t" LLU " inbound packet%s considered authentic\n"); + p(in_ahauthfail, "\t" LLU " inbound packet%s failed on authentication\n"); + hist(ipsecstat.in_ahhist, ipsec_ahnames, "AH input"); + hist(ipsecstat.in_esphist, ipsec_espnames, "ESP input"); + hist(ipsecstat.in_comphist, ipsec_compnames, "IPComp input"); + + p(out_success, "\t" LLU " outbound packet%s processed successfully\n"); + p(out_polvio, "\t" LLU " outbound packet%s violated process security " + "policy\n"); + p(out_nosa, "\t" LLU " outbound packet%s with no SA available\n"); + p(out_inval, "\t" LLU " invalid outbound packet%s\n"); + p(out_nomem, "\t" LLU " outbound packet%s failed due to insufficient memory\n"); + p(out_noroute, "\t" LLU " outbound packet%s with no route\n"); + hist(ipsecstat.out_ahhist, ipsec_ahnames, "AH output"); + hist(ipsecstat.out_esphist, ipsec_espnames, "ESP output"); + hist(ipsecstat.out_comphist, ipsec_compnames, "IPComp output"); +#undef p +#undef hist +} + +void +ipsec_stats(off, name) + u_long off; + char *name; +{ + if (off == 0) + return; + printf ("%s:\n", name); + kread(off, (char *)&ipsecstat, sizeof (ipsecstat)); + + print_ipsecstats(); +} + +#if defined(__bsdi__) && _BSDI_VERSION >= 199802 /* bsdi4 only */ +void +ipsec_stats0(name) + char *name; +{ + printf("%s:\n", name); + + skread(name, &ipsecstat_info); + + print_ipsecstats(); +} +#endif + +static const char * +pfkey_msgtype_names(x) + int x; +{ + const int max = + sizeof(pfkey_msgtypenames)/sizeof(pfkey_msgtypenames[0]); + static char buf[10]; + + if (x < max && pfkey_msgtypenames[x]) + return pfkey_msgtypenames[x]; + snprintf(buf, sizeof(buf), "#%d", x); + return buf; +} + +void +pfkey_stats(off, name) + u_long off; + char *name; +{ + struct pfkeystat pfkeystat; + int first, type; + + if (off == 0) + return; + printf ("%s:\n", name); + kread(off, (char *)&pfkeystat, sizeof(pfkeystat)); + +#define p(f, m) if (pfkeystat.f || sflag <= 1) \ + printf(m, (CAST)pfkeystat.f, plural(pfkeystat.f)) + + /* kernel -> userland */ + p(out_total, "\t" LLU " request%s sent to userland\n"); + p(out_bytes, "\t" LLU " byte%s sent to userland\n"); + for (first = 1, type = 0; + type < sizeof(pfkeystat.out_msgtype)/sizeof(pfkeystat.out_msgtype[0]); + type++) { + if (pfkeystat.out_msgtype[type] <= 0) + continue; + if (first) { + printf("\thistogram by message type:\n"); + first = 0; + } + printf("\t\t%s: " LLU "\n", pfkey_msgtype_names(type), + (CAST)pfkeystat.out_msgtype[type]); + } + p(out_invlen, "\t" LLU " message%s with invalid length field\n"); + p(out_invver, "\t" LLU " message%s with invalid version field\n"); + p(out_invmsgtype, "\t" LLU " message%s with invalid message type field\n"); + p(out_tooshort, "\t" LLU " message%s too short\n"); + p(out_nomem, "\t" LLU " message%s with memory allocation failure\n"); + p(out_dupext, "\t" LLU " message%s with duplicate extension\n"); + p(out_invexttype, "\t" LLU " message%s with invalid extension type\n"); + p(out_invsatype, "\t" LLU " message%s with invalid sa type\n"); + p(out_invaddr, "\t" LLU " message%s with invalid address extension\n"); + + /* userland -> kernel */ + p(in_total, "\t" LLU " request%s sent from userland\n"); + p(in_bytes, "\t" LLU " byte%s sent from userland\n"); + for (first = 1, type = 0; + type < sizeof(pfkeystat.in_msgtype)/sizeof(pfkeystat.in_msgtype[0]); + type++) { + if (pfkeystat.in_msgtype[type] <= 0) + continue; + if (first) { + printf("\thistogram by message type:\n"); + first = 0; + } + printf("\t\t%s: " LLU "\n", pfkey_msgtype_names(type), + (CAST)pfkeystat.in_msgtype[type]); + } + p(in_msgtarget[KEY_SENDUP_ONE], + "\t" LLU " message%s toward single socket\n"); + p(in_msgtarget[KEY_SENDUP_ALL], + "\t" LLU " message%s toward all sockets\n"); + p(in_msgtarget[KEY_SENDUP_REGISTERED], + "\t" LLU " message%s toward registered sockets\n"); + p(in_nomem, "\t" LLU " message%s with memory allocation failure\n"); +#undef p +} +#endif /*IPSEC*/ diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c index 8d653af87c20..f92aee57d9b2 100644 --- a/usr.bin/netstat/main.c +++ b/usr.bin/netstat/main.c @@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.25 1999/12/13 15:22:55 itojun Exp $ */ +/* $NetBSD: main.c,v 1.26 2000/02/26 09:55:24 itojun Exp $ */ /* * Copyright (c) 1983, 1988, 1993 @@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1988, 1993\n\ #if 0 static char sccsid[] = "from: @(#)main.c 8.4 (Berkeley) 3/1/94"; #else -__RCSID("$NetBSD: main.c,v 1.25 1999/12/13 15:22:55 itojun Exp $"); +__RCSID("$NetBSD: main.c,v 1.26 2000/02/26 09:55:24 itojun Exp $"); #endif #endif /* not lint */ @@ -175,6 +175,8 @@ struct nlist nl[] = { { "_mf6ctable" }, #define N_MIF6TABLE 52 { "_mif6table" }, +#define N_PFKEYSTAT 53 + { "_pfkeystat" }, { "" }, }; @@ -236,6 +238,15 @@ struct protox ip6protox[] = { }; #endif +#ifdef IPSEC +struct protox pfkeyprotox[] = { + { -1, N_PFKEYSTAT, 1, 0, + pfkey_stats, NULL, 0, "pfkey" }, + { -1, -1, 0, 0, + 0, NULL, 0, 0 } +}; +#endif + #ifndef SMALL struct protox atalkprotox[] = { { N_DDPCB, N_DDPSTAT, 1, atalkprotopr, @@ -273,6 +284,9 @@ struct protox *protoprotox[] = { protox, #ifdef INET6 ip6protox, #endif +#ifdef IPSEC + pfkeyprotox, +#endif #ifndef SMALL atalkprotox, nsprotox, isoprotox, #endif @@ -549,6 +563,11 @@ main(argc, argv) for (tp = ip6protox; tp->pr_name; tp++) printproto(tp, tp->pr_name); #endif +#ifdef IPSEC + if (af == PF_KEY || af == AF_UNSPEC) + for (tp = pfkeyprotox; tp->pr_name; tp++) + printproto(tp, tp->pr_name); +#endif #ifndef SMALL if (af == AF_APPLETALK || af == AF_UNSPEC) for (tp = atalkprotox; tp->pr_name; tp++) diff --git a/usr.bin/netstat/mroute6.c b/usr.bin/netstat/mroute6.c index bf8423f70945..111e06079291 100644 --- a/usr.bin/netstat/mroute6.c +++ b/usr.bin/netstat/mroute6.c @@ -1,4 +1,4 @@ -/* $NetBSD: mroute6.c,v 1.6 1999/12/16 00:58:17 thorpej Exp $ */ +/* $NetBSD: mroute6.c,v 1.7 2000/02/26 09:55:24 itojun Exp $ */ /* * Copyright (C) 1998 WIDE Project. @@ -221,10 +221,12 @@ void mrt6_stats(mrpaddr, mstaddr) u_long mrpaddr, mstaddr; { +#define p(f, m) printf(m, (unsigned long long)mrtstat.f, plural(mrtstat.f)) +#define pes(f, m) printf(m, (unsigned long long)mrtstat.f, plurales(mrtstat.f)) u_int mrtproto; struct mrt6stat mrtstat; - if(mrpaddr == 0) { + if (mrpaddr == 0) { printf("mrt6_stats: symbol not in namelist\n"); return; } @@ -251,44 +253,22 @@ mrt6_stats(mrpaddr, mstaddr) kread(mstaddr, (char *)&mrtstat, sizeof(mrtstat)); printf("multicast forwarding:\n"); - printf(" %10llu multicast forwarding cache lookup%s\n", - (unsigned long long)mrtstat.mrt6s_mfc_lookups, - plural(mrtstat.mrt6s_mfc_lookups)); - printf(" %10llu multicast forwarding cache miss%s\n", - (unsigned long long)mrtstat.mrt6s_mfc_misses, - plurales(mrtstat.mrt6s_mfc_misses)); - printf(" %10llu upcall%s to mrouted\n", - (unsigned long long)mrtstat.mrt6s_upcalls, - plural(mrtstat.mrt6s_upcalls)); - printf(" %10llu upcall queue overflow%s\n", - (unsigned long long)mrtstat.mrt6s_upq_ovflw, - plural(mrtstat.mrt6s_upq_ovflw)); - printf(" %10llu upcall%s dropped due to full socket buffer\n", - (unsigned long long)mrtstat.mrt6s_upq_sockfull, - plural(mrtstat.mrt6s_upq_sockfull)); - printf(" %10llu cache cleanup%s\n", - (unsigned long long)mrtstat.mrt6s_cache_cleanups, - plural(mrtstat.mrt6s_cache_cleanups)); - printf(" %10llu datagram%s with no route for origin\n", - (unsigned long long)mrtstat.mrt6s_no_route, - plural(mrtstat.mrt6s_no_route)); - printf(" %10llu datagram%s arrived with bad tunneling\n", - (unsigned long long)mrtstat.mrt6s_bad_tunnel, - plural(mrtstat.mrt6s_bad_tunnel)); - printf(" %10llu datagram%s could not be tunneled\n", - (unsigned long long)mrtstat.mrt6s_cant_tunnel, - plural(mrtstat.mrt6s_cant_tunnel)); - printf(" %10llu datagram%s arrived on wrong interface\n", - (unsigned long long)mrtstat.mrt6s_wrong_if, - plural(mrtstat.mrt6s_wrong_if)); - printf(" %10llu datagram%s selectively dropped\n", - (unsigned long long)mrtstat.mrt6s_drop_sel, - plural(mrtstat.mrt6s_drop_sel)); - printf(" %10llu datagram%s dropped due to queue overflow\n", - (unsigned long long)mrtstat.mrt6s_q_overflow, - plural(mrtstat.mrt6s_q_overflow)); - printf(" %10llu datagram%s dropped for being too large\n", - (unsigned long long)mrtstat.mrt6s_pkt2large, - plural(mrtstat.mrt6s_pkt2large)); + p(mrt6s_mfc_lookups, " %10llu multicast forwarding cache lookup%s\n"); + pes(mrt6s_mfc_misses, " %10llu multicast forwarding cache miss%s\n"); + p(mrt6s_upcalls, " %10llu upcall%s to mrouted\n"); + p(mrt6s_upq_ovflw, " %10llu upcall llueue overflow%s\n"); + p(mrt6s_upq_sockfull, + " %10llu upcall%s dropped due to full socket buffer\n"); + p(mrt6s_cache_cleanups, " %10llu cache cleanup%s\n"); + p(mrt6s_no_route, " %10llu datagram%s with no route for origin\n"); + p(mrt6s_bad_tunnel, " %10llu datagram%s arrived with bad tunneling\n"); + p(mrt6s_cant_tunnel, " %10llu datagram%s could not be tunneled\n"); + p(mrt6s_wrong_if, " %10llu datagram%s arrived on wrong interface\n"); + p(mrt6s_drop_sel, " %10llu datagram%s selectively dropped\n"); + p(mrt6s_q_overflow, + " %10llu datagram%s dropped due to llueue overflow\n"); + p(mrt6s_pkt2large, " %10llu datagram%s dropped for being too large\n"); +#undef p +#undef pes } #endif /*INET6*/ diff --git a/usr.bin/netstat/netstat.h b/usr.bin/netstat/netstat.h index 75aa706df5bf..774bffda7ae3 100644 --- a/usr.bin/netstat/netstat.h +++ b/usr.bin/netstat/netstat.h @@ -1,4 +1,4 @@ -/* $NetBSD: netstat.h,v 1.17 1999/12/13 15:22:55 itojun Exp $ */ +/* $NetBSD: netstat.h,v 1.18 2000/02/26 09:55:24 itojun Exp $ */ /* * Copyright (c) 1992, 1993 @@ -96,6 +96,10 @@ void mrt6_stats __P((u_long, u_long)); char *routename6 __P((struct sockaddr_in6 *)); #endif /*INET6*/ +#ifdef IPSEC +void pfkey_stats __P((u_long, char *)); +#endif + void mbpr(u_long, u_long, u_long, u_long, u_long); void hostpr __P((u_long, u_long));