1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/strsun.h> 29 #include <sys/sunddi.h> 30 #include <sys/kstat.h> 31 #include <sys/kmem.h> 32 #include <sys/sdt.h> 33 #include <net/pfkeyv2.h> 34 #include <inet/common.h> 35 #include <inet/ip.h> 36 #include <inet/ip6.h> 37 #include <inet/ipsec_impl.h> 38 #include <inet/ipdrop.h> 39 40 /* 41 * Packet drop facility. 42 */ 43 44 /* 45 * Initialize drop facility kstats. 46 */ 47 void 48 ip_drop_init(ipsec_stack_t *ipss) 49 { 50 ipss->ipsec_ip_drop_kstat = kstat_create_netstack("ip", 0, "ipdrop", 51 "net", KSTAT_TYPE_NAMED, 52 sizeof (struct ip_dropstats) / sizeof (kstat_named_t), 53 KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid); 54 55 if (ipss->ipsec_ip_drop_kstat == NULL || 56 ipss->ipsec_ip_drop_kstat->ks_data == NULL) 57 return; 58 59 /* 60 * Note: here ipss->ipsec_ip_drop_types is initialized, however, 61 * if the previous kstat_create_netstack failed, it will remain 62 * NULL. Note this is done for all stack instances, so it *could* 63 * be NULL. Hence a non-NULL checking is added where 64 * ipss->ipsec_ip_drop_types is used. This checking is hidden in 65 * the DROPPER macro. 66 */ 67 ipss->ipsec_ip_drop_types = ipss->ipsec_ip_drop_kstat->ks_data; 68 69 /* TCP IPsec drop statistics. */ 70 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_clear, 71 "tcp_clear", KSTAT_DATA_UINT64); 72 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_secure, 73 "tcp_secure", KSTAT_DATA_UINT64); 74 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_mismatch, 75 "tcp_mismatch", KSTAT_DATA_UINT64); 76 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_ipsec_alloc, 77 "tcp_ipsec_alloc", KSTAT_DATA_UINT64); 78 79 /* SADB-specific drop statistics. */ 80 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_timeout, 81 "sadb_inlarval_timeout", KSTAT_DATA_UINT64); 82 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_replace, 83 "sadb_inlarval_replace", KSTAT_DATA_UINT64); 84 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_overflow, 85 "sadb_inidle_overflow", KSTAT_DATA_UINT64); 86 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_timeout, 87 "sadb_inidle_timeout", KSTAT_DATA_UINT64); 88 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_nomem, 89 "sadb_acquire_nomem", KSTAT_DATA_UINT64); 90 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_toofull, 91 "sadb_acquire_toofull", KSTAT_DATA_UINT64); 92 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_timeout, 93 "sadb_acquire_timeout", KSTAT_DATA_UINT64); 94 95 /* SPD drop statistics. */ 96 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ahesp_diffid, 97 "spd_ahesp_diffid", KSTAT_DATA_UINT64); 98 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_loopback_mismatch, 99 "spd_loopback_mismatch", KSTAT_DATA_UINT64); 100 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_explicit, 101 "spd_explicit", KSTAT_DATA_UINT64); 102 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_secure, 103 "spd_got_secure", KSTAT_DATA_UINT64); 104 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_clear, 105 "spd_got_clear", KSTAT_DATA_UINT64); 106 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_ahalg, 107 "spd_bad_ahalg", KSTAT_DATA_UINT64); 108 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_ah, 109 "spd_got_ah", KSTAT_DATA_UINT64); 110 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espealg, 111 "spd_bad_espealg", KSTAT_DATA_UINT64); 112 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espaalg, 113 "spd_bad_espaalg", KSTAT_DATA_UINT64); 114 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_esp, 115 "spd_got_esp", KSTAT_DATA_UINT64); 116 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_selfencap, 117 "spd_got_selfencap", KSTAT_DATA_UINT64); 118 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_selfencap, 119 "spd_bad_selfencap", KSTAT_DATA_UINT64); 120 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_nomem, 121 "spd_nomem", KSTAT_DATA_UINT64); 122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_badid, 123 "spd_ah_badid", KSTAT_DATA_UINT64); 124 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_innermismatch, 125 "spd_ah_innermismatch", KSTAT_DATA_UINT64); 126 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_innermismatch, 127 "spd_esp_innermismatch", KSTAT_DATA_UINT64); 128 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_badid, 129 "spd_esp_badid", KSTAT_DATA_UINT64); 130 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_no_policy, 131 "spd_no_policy", KSTAT_DATA_UINT64); 132 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_packet, 133 "spd_malformed_packet", KSTAT_DATA_UINT64); 134 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_frag, 135 "spd_malformed_frag", KSTAT_DATA_UINT64); 136 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_overlap_frag, 137 "spd_overlap_frag", KSTAT_DATA_UINT64); 138 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_evil_frag, 139 "spd_evil_frag", KSTAT_DATA_UINT64); 140 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_max_frags, 141 "spd_max_frags", KSTAT_DATA_UINT64); 142 143 /* ESP-specific drop statistics. */ 144 145 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nomem, 146 "esp_nomem", KSTAT_DATA_UINT64); 147 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_no_sa, 148 "esp_no_sa", KSTAT_DATA_UINT64); 149 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_early_replay, 150 "esp_early_replay", KSTAT_DATA_UINT64); 151 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_replay, 152 "esp_replay", KSTAT_DATA_UINT64); 153 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bytes_expire, 154 "esp_bytes_expire", KSTAT_DATA_UINT64); 155 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padlen, 156 "esp_bad_padlen", KSTAT_DATA_UINT64); 157 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padding, 158 "esp_bad_padding", KSTAT_DATA_UINT64); 159 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_auth, 160 "esp_bad_auth", KSTAT_DATA_UINT64); 161 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_crypto_failed, 162 "esp_crypto_failed", KSTAT_DATA_UINT64); 163 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_icmp, 164 "esp_icmp", KSTAT_DATA_UINT64); 165 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ipsec, 166 "esp_nat_t_ipsec", KSTAT_DATA_UINT64); 167 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ka, 168 "esp_nat_t_ka", KSTAT_DATA_UINT64); 169 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_iv_wrap, 170 "esp_iv_wrap", KSTAT_DATA_UINT64); 171 172 /* AH-specific drop statistics. */ 173 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_nomem, 174 "ah_nomem", KSTAT_DATA_UINT64); 175 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v6_hdrs, 176 "ah_bad_v6_hdrs", KSTAT_DATA_UINT64); 177 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v4_opts, 178 "ah_bad_v4_opts", KSTAT_DATA_UINT64); 179 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_no_sa, 180 "ah_no_sa", KSTAT_DATA_UINT64); 181 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_length, 182 "ah_bad_length", KSTAT_DATA_UINT64); 183 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_auth, 184 "ah_bad_auth", KSTAT_DATA_UINT64); 185 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_crypto_failed, 186 "ah_crypto_failed", KSTAT_DATA_UINT64); 187 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_early_replay, 188 "ah_early_replay", KSTAT_DATA_UINT64); 189 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_replay, 190 "ah_replay", KSTAT_DATA_UINT64); 191 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bytes_expire, 192 "ah_bytes_expire", KSTAT_DATA_UINT64); 193 194 /* IP-specific drop statistics. */ 195 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ip_ipsec_not_loaded, 196 "ip_ipsec_not_loaded", KSTAT_DATA_UINT64); 197 198 kstat_install(ipss->ipsec_ip_drop_kstat); 199 } 200 201 void 202 ip_drop_destroy(ipsec_stack_t *ipss) 203 { 204 kstat_delete_netstack(ipss->ipsec_ip_drop_kstat, 205 ipss->ipsec_netstack->netstack_stackid); 206 ipss->ipsec_ip_drop_kstat = NULL; 207 ipss->ipsec_ip_drop_types = NULL; 208 } 209 210 /* 211 * Register a packet dropper. 212 */ 213 void 214 ip_drop_register(ipdropper_t *ipd, char *name) 215 { 216 if (ipd->ipd_name != NULL) { 217 cmn_err(CE_WARN, 218 "ip_drop_register: ipdropper %s already registered with %s", 219 name, ipd->ipd_name); 220 return; 221 } 222 223 /* Assume that name is reasonable in length. This isn't user-land. */ 224 ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP); 225 (void) strcpy(ipd->ipd_name, name); 226 } 227 228 /* 229 * Un-register a packet dropper. 230 */ 231 void 232 ip_drop_unregister(ipdropper_t *ipd) 233 { 234 if (ipd->ipd_name == NULL) { 235 cmn_err(CE_WARN, 236 "ip_drop_unregister: not registered (%p)\n", 237 (void *)ipd); 238 return; 239 } 240 kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1); 241 242 ipd->ipd_name = NULL; 243 } 244 245 /* 246 * Actually drop a packet. Many things could happen here, but at the least, 247 * the packet will be freemsg()ed. 248 */ 249 void 250 ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *ill, 251 struct kstat_named *counter, ipdropper_t *who_called) 252 { 253 char *str; 254 255 if (mp == NULL) { 256 /* 257 * Return immediately - NULL packets should not affect any 258 * statistics. 259 */ 260 return; 261 } 262 263 ASSERT(mp->b_datap->db_type == M_DATA); 264 265 /* Increment the bean counter, if available. */ 266 if (counter != NULL) { 267 switch (counter->data_type) { 268 case KSTAT_DATA_INT32: 269 counter->value.i32++; 270 break; 271 case KSTAT_DATA_UINT32: 272 counter->value.ui32++; 273 break; 274 case KSTAT_DATA_INT64: 275 counter->value.i64++; 276 break; 277 case KSTAT_DATA_UINT64: 278 counter->value.ui64++; 279 break; 280 /* Other types we can't handle for now. */ 281 } 282 } 283 284 if (counter != NULL) 285 str = counter->name; 286 else if (who_called != NULL) 287 str = who_called->ipd_name; 288 else 289 str = "Unspecified IPsec drop"; 290 291 if (inbound) 292 ip_drop_input(str, mp, ill); 293 else 294 ip_drop_output(str, mp, ill); 295 296 /* TODO: queue the packet onto a snoop-friendly queue. */ 297 298 /* 299 * ASSERT this isn't a b_next linked mblk chain where a 300 * chained dropper should be used instead 301 */ 302 ASSERT(mp->b_prev == NULL && mp->b_next == NULL); 303 freemsg(mp); 304 } 305 306 /* 307 * This is just a convinient place for dtrace to see dropped packets 308 */ 309 /*ARGSUSED*/ 310 void 311 ip_drop_input(char *str, mblk_t *mp, ill_t *ill) 312 { 313 if (mp == NULL) 314 return; 315 316 if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) { 317 ipha_t *ipha = (ipha_t *)mp->b_rptr; 318 319 DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *, 320 ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, 321 ip6_t *, NULL, int, 0); 322 } else { 323 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 324 325 DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *, 326 ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, 327 ip6_t *, ip6h, int, 0); 328 } 329 } 330 331 /*ARGSUSED*/ 332 void 333 ip_drop_output(char *str, mblk_t *mp, ill_t *ill) 334 { 335 if (mp == NULL) 336 return; 337 338 if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) { 339 ipha_t *ipha = (ipha_t *)mp->b_rptr; 340 341 DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *, 342 ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, 343 ip6_t *, NULL, int, 0); 344 } else { 345 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 346 347 DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *, 348 ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, 349 ip6_t *, ip6h, int, 0); 350 } 351 } 352
Indexes created Sat Nov 28 01:19:25 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.