Add per-TDB counters and a new SADB extension to export them to

userland.

Inputs from markus@, ok sthen@

1 files changed, 12 insertions, 5 deletions

diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 840903d16bd..c477793a01f 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsec_output.c,v 1.73 2018/07/12 15:51:50 mpi Exp $ */
+/*	$OpenBSD: ipsec_output.c,v 1.74 2018/08/28 15:15:02 mpi Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
  *
@@ -361,6 +361,7 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 	}
 
         ipsecstat_add(ipsec_ouncompbytes, m->m_pkthdr.len);
+        tdb->tdb_ouncompbytes += m->m_pkthdr.len;
 
 	/* Non expansion policy for IPCOMP */
 	if (tdb->tdb_sproto == IPPROTO_IPCOMP) {
@@ -441,13 +442,17 @@ ipsec_output_cb(struct cryptop *crp)
 	}
 
 	NET_UNLOCK();
-	if (error)
+	if (error) {
 		ipsecstat_inc(ipsec_odrops);
+		tdb->tdb_odrops++;
+	}
 	return;
 
  baddone:
 	NET_UNLOCK();
  droponly:
+ 	if (tdb != NULL)
+		tdb->tdb_odrops++;
 	m_freem(m);
 	free(tc, M_XDATA, 0);
 	crypto_freereq(crp);
@@ -572,14 +577,16 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb)
 
 	m_tag_prepend(m, mtag);
 
+	ipsecstat_inc(ipsec_opackets);
+	ipsecstat_add(ipsec_obytes, m->m_pkthdr.len);
+	tdb->tdb_opackets++;
+	tdb->tdb_obytes += m->m_pkthdr.len;
+
 	/* If there's another (bundled) TDB to apply, do so. */
 	if (tdb->tdb_onext)
 		return ipsp_process_packet(m, tdb->tdb_onext,
 		    tdb->tdb_dst.sa.sa_family, 0);
 
-	ipsecstat_inc(ipsec_opackets);
-	ipsecstat_add(ipsec_obytes, m->m_pkthdr.len);
-
 #if NPF > 0
 	/* Add pf tag if requested. */
 	pf_tag_packet(m, tdb->tdb_tag, -1);