author | 2017-02-07 18:18:16 +0000 | |
---|---|---|
committer | 2017-02-07 18:18:16 +0000 | |
commit | 8092cf70ca617dbebfffcc059b48ca6d36c644d4 (patch) | |
tree | e886a0a72f76ad8ce7b563b958bf46fc9e019c95 | |
parent | Remove a debugging leftover. (diff) | |
IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@
-rw-r--r-- | sys/netinet/ip_ah.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_ah.h | 9 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_esp.h | 6 | ||||
-rw-r--r-- | sys/netinet/ip_ipcomp.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_ipcomp.h | 3 | ||||
-rw-r--r-- | usr.bin/netstat/inet.c | 5 |
7 files changed, 24 insertions, 21 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index d67711fad7a..86f41e5ce1a 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.127 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.128 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -1247,8 +1247,8 @@ ah_output_cb(struct cryptop *crp)
 /* No longer needed. */
 crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ahstat.ahs_outfail++;
 NET_UNLOCK(s);
 baddone:
diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h
index c920cc19dc2..61ce7afa4fc 100644
--- a/sys/netinet/ip_ah.h
+++ b/sys/netinet/ip_ah.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.h,v 1.33 2010/01/10 12:43:07 markus Exp $ */
+/* $OpenBSD: ip_ah.h,v 1.34 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,7 @@
 #ifndef _NETINET_IP_AH_H_
 #define _NETINET_IP_AH_H_
-struct ahstat
-{
+struct ahstat {
 u_int32_t ahs_hdrops; /* Packet shorter than header shows */
 u_int32_t ahs_nopf; /* Protocol family not supported */
 u_int32_t ahs_notdb;
@@ -58,10 +57,10 @@ struct ahstat
 u_int32_t ahs_toobig; /* Packet got larger than IP_MAXPACKET */
 u_int32_t ahs_pdrops; /* Packet blocked due to policy */
 u_int32_t ahs_crypto; /* Crypto processing failure */
+ u_int32_t ahs_outfail; /* Packet output failure */
 };
-struct ah
-{
+struct ah {
 u_int8_t ah_nh;
 u_int8_t ah_hl;
 u_int16_t ah_rv;
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 0f8d3928eaf..f2567a662a0 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
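Review bot: In the ah_output_cb hunk the line after `NET_UNLOCK(s);` is the `baddone:` label, with no `return;` shown between them, while the esp_output_cb and both ipcomp_output_cb hunks of this commit show `NET_UNLOCK(s); return;` after the same new `if (ipsp_process_done(m, tdb))` test. If that is how the file reads and not an artifact of how this page lost its line breaks, the success path falls through into the error cleanup; the code under `baddone:` is outside the hunk, so what it releases cannot be confirmed here. The change I would ask for is `return;` directly after `NET_UNLOCK(s);`, matching the other two callbacks.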
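Review bot: The new `ahs_outfail` member changes the size of `struct ahstat`, and `esps_outfail` and `ipcomps_outfail` do the same to their structs in ip_esp.h and ip_ipcomp.h. usr.bin/netstat/inet.c prints these fields in the same commit, so kernel and netstat presumably have to be rebuilt together; how a netstat built against the old layout is handled is not visible in these hunks. The comment `/* Packet output failure */` does not say which failure is meant, and someone reading drop counters during an incident needs to tell it apart from `ahs_crypto`. I would write `/* Output failed after crypto, in ipsp_process_done() */` on all three fields.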
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.145 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.146 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -1088,8 +1088,8 @@ esp_output_cb(struct cryptop *crp)
 crypto_freereq(crp);
 /* Call the IPsec input callback. */
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ espstat.esps_outfail++;
 NET_UNLOCK(s);
 return;
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 22e186319ca..3ff93422939 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.43 2016/09/02 09:39:32 vgross Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.44 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,7 @@
 #ifndef _NETINET_IP_ESP_H_
 #define _NETINET_IP_ESP_H_
-struct espstat
-{
+struct espstat {
 u_int32_t esps_hdrops; /* Packet shorter than header shows */
 u_int32_t esps_nopf; /* Protocol family not supported */
 u_int32_t esps_notdb;
@@ -63,6 +62,7 @@ struct espstat
 u_int32_t esps_udpencout; /* Output ESP-in-UDP packets */
 u_int32_t esps_udpinval; /* Invalid input ESP-in-UDP packets */
 u_int32_t esps_udpneeded; /* Trying to use a ESP-in-UDP TDB */
+ u_int32_t esps_outfail; /* Packet output failure */
 };
 /*
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index d4dc26c48bc..6ffdd22ce62 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.52 2017/02/07 17:25:46 patrick Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.53 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -579,8 +579,8 @@ ipcomp_output_cb(struct cryptop *crp)
 if (rlen < crp->crp_olen) {
 /* Compression was useless, we have lost time. */
 crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ipcompstat.ipcomps_outfail++;
 NET_UNLOCK(s);
 return;
 }
@@ -628,8 +628,8 @@ ipcomp_output_cb(struct cryptop *crp)
 /* Release the crypto descriptor. */
 crypto_freereq(crp);
- ipsp_process_done(m, tdb);
- /* XXX missing error counter if ipsp_process_done() drops packet */
+ if (ipsp_process_done(m, tdb))
+ ipcompstat.ipcomps_outfail++;
 NET_UNLOCK(s);
 return;
diff --git a/sys/netinet/ip_ipcomp.h b/sys/netinet/ip_ipcomp.h
index 76596ebdadd..0ebd45d2edc 100644
--- a/sys/netinet/ip_ipcomp.h
+++ b/sys/netinet/ip_ipcomp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.h,v 1.7 2007/12/14 18:33:41 deraadt Exp $ */
+/* $OpenBSD: ip_ipcomp.h,v 1.8 2017/02/07 18:18:16 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -51,6 +51,7 @@ struct ipcompstat {
 u_int32_t ipcomps_pdrops; /* Packet blocked due to policy */
 u_int32_t ipcomps_crypto; /* "Crypto" processing failure */
 u_int32_t ipcomps_minlen; /* packets too short for compress */
+ u_int32_t ipcomps_outfail; /* Packet output failure */
 };
 /* IPCOMP header */
diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index ceae24934d1..71fcbf196b4 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: inet.c,v 1.153 2016/12/22 11:04:44 rzalamena Exp $ */
+/* $OpenBSD: inet.c,v 1.154 2017/02/07 18:18:16 bluhm Exp $ */
 /* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */
 /*
@@ -954,6 +954,7 @@ ah_stats(char *name)
 p(ahs_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
 p(ahs_toobig, "\t%u packet%s got larger than max IP packet size\n");
 p(ahs_crypto, "\t%u packet%s that failed crypto processing\n");
+ p(ahs_outfail, "\t%u output packet%s could not be sent\n");
 p(ahs_ibytes, "\t%llu input byte%s\n");
 p(ahs_obytes, "\t%llu output byte%s\n");
@@ -1032,6 +1033,7 @@ esp_stats(char *name)
 p(esps_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
 p(esps_toobig, "\t%u packet%s got larger than max IP packet size\n");
 p(esps_crypto, "\t%u packet%s that failed crypto processing\n");
+ p(esps_outfail, "\t%u output packet%s could not be sent\n");
 p(esps_udpencin, "\t%u input UDP encapsulated ESP packet%s\n");
 p(esps_udpencout, "\t%u output UDP encapsulated ESP packet%s\n");
 p(esps_udpinval, "\t%u UDP packet%s for non-encapsulating TDB received\n");
@@ -1226,6 +1228,7 @@ ipcomp_stats(char *name)
 p(ipcomps_invalid, "\t%u packet%s attempted to use an invalid TDB\n");
 p(ipcomps_toobig, "\t%u packet%s got larger than max IP packet size\n");
 p(ipcomps_crypto, "\t%u packet%s that failed (de)compression processing\n");
+ p(ipcomps_outfail, "\t%u output packet%s could not be sent\n");
 p(ipcomps_minlen, "\t%u packet%s less than minimum compression length\n");
 p(ipcomps_ibytes, "\t%llu input byte%s\n");
 p(ipcomps_obytes, "\t%llu output byte%s\n"); |