Home | History | Annotate | Download | only in ip
      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 #include <sys/types.h>
     27 #include <sys/stream.h>
     28 #include <sys/strsun.h>
     29 #include <sys/sunddi.h>
     30 #include <sys/kstat.h>
     31 #include <sys/kmem.h>
     32 #include <sys/sdt.h>
     33 #include <net/pfkeyv2.h>
     34 #include <inet/common.h>
     35 #include <inet/ip.h>
     36 #include <inet/ip6.h>
     37 #include <inet/ipsec_impl.h>
     38 #include <inet/ipdrop.h>
     39 
     40 /*
     41  * Packet drop facility.
     42  */
     43 
     44 /*
     45  * Initialize drop facility kstats.
     46  */
     47 void
     48 ip_drop_init(ipsec_stack_t *ipss)
     49 {
     50 	ipss->ipsec_ip_drop_kstat = kstat_create_netstack("ip", 0, "ipdrop",
     51 	    "net", KSTAT_TYPE_NAMED,
     52 	    sizeof (struct ip_dropstats) / sizeof (kstat_named_t),
     53 	    KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
     54 
     55 	if (ipss->ipsec_ip_drop_kstat == NULL ||
     56 	    ipss->ipsec_ip_drop_kstat->ks_data == NULL)
     57 		return;
     58 
     59 	/*
     60 	 * Note: here ipss->ipsec_ip_drop_types is initialized, however,
     61 	 * if the previous kstat_create_netstack failed, it will remain
     62 	 * NULL. Note this is done for all stack instances, so it *could*
     63 	 * be NULL. Hence a non-NULL checking is added where
     64 	 * ipss->ipsec_ip_drop_types is used. This checking is hidden in
     65 	 * the DROPPER macro.
     66 	 */
     67 	ipss->ipsec_ip_drop_types = ipss->ipsec_ip_drop_kstat->ks_data;
     68 
     69 	/* TCP IPsec drop statistics. */
     70 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_clear,
     71 	    "tcp_clear", KSTAT_DATA_UINT64);
     72 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_secure,
     73 	    "tcp_secure", KSTAT_DATA_UINT64);
     74 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_mismatch,
     75 	    "tcp_mismatch", KSTAT_DATA_UINT64);
     76 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_ipsec_alloc,
     77 	    "tcp_ipsec_alloc", KSTAT_DATA_UINT64);
     78 
     79 	/* SADB-specific drop statistics. */
     80 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_timeout,
     81 	    "sadb_inlarval_timeout", KSTAT_DATA_UINT64);
     82 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_replace,
     83 	    "sadb_inlarval_replace", KSTAT_DATA_UINT64);
     84 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_overflow,
     85 	    "sadb_inidle_overflow", KSTAT_DATA_UINT64);
     86 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_timeout,
     87 	    "sadb_inidle_timeout", KSTAT_DATA_UINT64);
     88 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_nomem,
     89 	    "sadb_acquire_nomem", KSTAT_DATA_UINT64);
     90 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_toofull,
     91 	    "sadb_acquire_toofull", KSTAT_DATA_UINT64);
     92 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_timeout,
     93 	    "sadb_acquire_timeout", KSTAT_DATA_UINT64);
     94 
     95 	/* SPD drop statistics. */
     96 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ahesp_diffid,
     97 	    "spd_ahesp_diffid", KSTAT_DATA_UINT64);
     98 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_loopback_mismatch,
     99 	    "spd_loopback_mismatch", KSTAT_DATA_UINT64);
    100 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_explicit,
    101 	    "spd_explicit", KSTAT_DATA_UINT64);
    102 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_secure,
    103 	    "spd_got_secure", KSTAT_DATA_UINT64);
    104 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_clear,
    105 	    "spd_got_clear", KSTAT_DATA_UINT64);
    106 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_ahalg,
    107 	    "spd_bad_ahalg", KSTAT_DATA_UINT64);
    108 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_ah,
    109 	    "spd_got_ah", KSTAT_DATA_UINT64);
    110 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espealg,
    111 	    "spd_bad_espealg", KSTAT_DATA_UINT64);
    112 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espaalg,
    113 	    "spd_bad_espaalg", KSTAT_DATA_UINT64);
    114 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_esp,
    115 	    "spd_got_esp", KSTAT_DATA_UINT64);
    116 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_selfencap,
    117 	    "spd_got_selfencap", KSTAT_DATA_UINT64);
    118 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_selfencap,
    119 	    "spd_bad_selfencap", KSTAT_DATA_UINT64);
    120 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_nomem,
    121 	    "spd_nomem", KSTAT_DATA_UINT64);
    122 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_badid,
    123 	    "spd_ah_badid", KSTAT_DATA_UINT64);
    124 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_innermismatch,
    125 	    "spd_ah_innermismatch", KSTAT_DATA_UINT64);
    126 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_innermismatch,
    127 	    "spd_esp_innermismatch", KSTAT_DATA_UINT64);
    128 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_badid,
    129 	    "spd_esp_badid", KSTAT_DATA_UINT64);
    130 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_no_policy,
    131 	    "spd_no_policy", KSTAT_DATA_UINT64);
    132 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_packet,
    133 	    "spd_malformed_packet", KSTAT_DATA_UINT64);
    134 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_frag,
    135 	    "spd_malformed_frag", KSTAT_DATA_UINT64);
    136 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_overlap_frag,
    137 	    "spd_overlap_frag", KSTAT_DATA_UINT64);
    138 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_evil_frag,
    139 	    "spd_evil_frag", KSTAT_DATA_UINT64);
    140 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_max_frags,
    141 	    "spd_max_frags", KSTAT_DATA_UINT64);
    142 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_expired_frags,
    143 	    "spd_expired_frags", KSTAT_DATA_UINT64);
    144 
    145 	/* ESP-specific drop statistics. */
    146 
    147 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nomem,
    148 	    "esp_nomem", KSTAT_DATA_UINT64);
    149 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_no_sa,
    150 	    "esp_no_sa", KSTAT_DATA_UINT64);
    151 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_early_replay,
    152 	    "esp_early_replay", KSTAT_DATA_UINT64);
    153 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_replay,
    154 	    "esp_replay", KSTAT_DATA_UINT64);
    155 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bytes_expire,
    156 	    "esp_bytes_expire", KSTAT_DATA_UINT64);
    157 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padlen,
    158 	    "esp_bad_padlen", KSTAT_DATA_UINT64);
    159 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padding,
    160 	    "esp_bad_padding", KSTAT_DATA_UINT64);
    161 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_auth,
    162 	    "esp_bad_auth", KSTAT_DATA_UINT64);
    163 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_crypto_failed,
    164 	    "esp_crypto_failed", KSTAT_DATA_UINT64);
    165 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_icmp,
    166 	    "esp_icmp", KSTAT_DATA_UINT64);
    167 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ipsec,
    168 	    "esp_nat_t_ipsec", KSTAT_DATA_UINT64);
    169 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ka,
    170 	    "esp_nat_t_ka", KSTAT_DATA_UINT64);
    171 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_iv_wrap,
    172 	    "esp_iv_wrap", KSTAT_DATA_UINT64);
    173 
    174 	/* AH-specific drop statistics. */
    175 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_nomem,
    176 	    "ah_nomem", KSTAT_DATA_UINT64);
    177 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v6_hdrs,
    178 	    "ah_bad_v6_hdrs", KSTAT_DATA_UINT64);
    179 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v4_opts,
    180 	    "ah_bad_v4_opts", KSTAT_DATA_UINT64);
    181 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_no_sa,
    182 	    "ah_no_sa", KSTAT_DATA_UINT64);
    183 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_length,
    184 	    "ah_bad_length", KSTAT_DATA_UINT64);
    185 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_auth,
    186 	    "ah_bad_auth", KSTAT_DATA_UINT64);
    187 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_crypto_failed,
    188 	    "ah_crypto_failed", KSTAT_DATA_UINT64);
    189 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_early_replay,
    190 	    "ah_early_replay", KSTAT_DATA_UINT64);
    191 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_replay,
    192 	    "ah_replay", KSTAT_DATA_UINT64);
    193 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bytes_expire,
    194 	    "ah_bytes_expire", KSTAT_DATA_UINT64);
    195 
    196 	/* IP-specific drop statistics. */
    197 	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ip_ipsec_not_loaded,
    198 	    "ip_ipsec_not_loaded", KSTAT_DATA_UINT64);
    199 
    200 	kstat_install(ipss->ipsec_ip_drop_kstat);
    201 }
    202 
    203 void
    204 ip_drop_destroy(ipsec_stack_t *ipss)
    205 {
    206 	kstat_delete_netstack(ipss->ipsec_ip_drop_kstat,
    207 	    ipss->ipsec_netstack->netstack_stackid);
    208 	ipss->ipsec_ip_drop_kstat = NULL;
    209 	ipss->ipsec_ip_drop_types = NULL;
    210 }
    211 
    212 /*
    213  * Register a packet dropper.
    214  */
    215 void
    216 ip_drop_register(ipdropper_t *ipd, char *name)
    217 {
    218 	if (ipd->ipd_name != NULL) {
    219 		cmn_err(CE_WARN,
    220 		    "ip_drop_register: ipdropper %s already registered with %s",
    221 		    name, ipd->ipd_name);
    222 		return;
    223 	}
    224 
    225 	/* Assume that name is reasonable in length.  This isn't user-land. */
    226 	ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
    227 	(void) strcpy(ipd->ipd_name, name);
    228 }
    229 
    230 /*
    231  * Un-register a packet dropper.
    232  */
    233 void
    234 ip_drop_unregister(ipdropper_t *ipd)
    235 {
    236 	if (ipd->ipd_name == NULL) {
    237 		cmn_err(CE_WARN,
    238 		    "ip_drop_unregister: not registered (%p)\n",
    239 		    (void *)ipd);
    240 		return;
    241 	}
    242 	kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1);
    243 
    244 	ipd->ipd_name = NULL;
    245 }
    246 
    247 /*
    248  * Actually drop a packet.  Many things could happen here, but at the least,
    249  * the packet will be freemsg()ed.
    250  */
    251 void
    252 ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *ill,
    253     struct kstat_named *counter, ipdropper_t *who_called)
    254 {
    255 	char *str;
    256 
    257 	if (mp == NULL) {
    258 		/*
    259 		 * Return immediately - NULL packets should not affect any
    260 		 * statistics.
    261 		 */
    262 		return;
    263 	}
    264 
    265 	ASSERT(mp->b_datap->db_type == M_DATA);
    266 
    267 	/* Increment the bean counter, if available. */
    268 	if (counter != NULL) {
    269 		switch (counter->data_type) {
    270 		case KSTAT_DATA_INT32:
    271 			counter->value.i32++;
    272 			break;
    273 		case KSTAT_DATA_UINT32:
    274 			counter->value.ui32++;
    275 			break;
    276 		case KSTAT_DATA_INT64:
    277 			counter->value.i64++;
    278 			break;
    279 		case KSTAT_DATA_UINT64:
    280 			counter->value.ui64++;
    281 			break;
    282 		/* Other types we can't handle for now. */
    283 		}
    284 	}
    285 
    286 	if (counter != NULL)
    287 		str = counter->name;
    288 	else if (who_called != NULL)
    289 		str = who_called->ipd_name;
    290 	else
    291 		str = "Unspecified IPsec drop";
    292 
    293 	if (inbound)
    294 		ip_drop_input(str, mp, ill);
    295 	else
    296 		ip_drop_output(str, mp, ill);
    297 
    298 	/* TODO: queue the packet onto a snoop-friendly queue. */
    299 
    300 	/*
    301 	 * ASSERT this isn't a b_next linked mblk chain where a
    302 	 * chained dropper should be used instead
    303 	 */
    304 	ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
    305 	freemsg(mp);
    306 }
    307 
    308 /*
    309  * This is just a convinient place for dtrace to see dropped packets
    310  */
    311 /*ARGSUSED*/
    312 void
    313 ip_drop_input(char *str, mblk_t *mp, ill_t *ill)
    314 {
    315 	if (mp == NULL)
    316 		return;
    317 
    318 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
    319 		ipha_t *ipha = (ipha_t *)mp->b_rptr;
    320 
    321 		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
    322 		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
    323 		    ip6_t *, NULL, int, 0);
    324 	} else {
    325 		ip6_t *ip6h = (ip6_t *)mp->b_rptr;
    326 
    327 		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
    328 		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
    329 		    ip6_t *, ip6h, int, 0);
    330 	}
    331 }
    332 
    333 /*ARGSUSED*/
    334 void
    335 ip_drop_output(char *str, mblk_t *mp, ill_t *ill)
    336 {
    337 	if (mp == NULL)
    338 		return;
    339 
    340 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
    341 		ipha_t *ipha = (ipha_t *)mp->b_rptr;
    342 
    343 		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
    344 		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
    345 		    ip6_t *, NULL, int, 0);
    346 	} else {
    347 		ip6_t *ip6h = (ip6_t *)mp->b_rptr;
    348 
    349 		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
    350 		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
    351 		    ip6_t *, ip6h, int, 0);
    352 	}
    353 }
    354