diff options
| author | ae <ae@FreeBSD.org> | 2013-06-20 11:44:16 +0000 |
|---|---|---|
| committer | ae <ae@FreeBSD.org> | 2013-06-20 11:44:16 +0000 |
| commit | b05df49af65d3ab697c586f71af5d5fe6f368656 (patch) | |
| tree | 3928f332f78b418bcf02494aa8434e53a06aa4b4 /sys/netipsec | |
| parent | 1e4c88cc8b89f670f8e6f11dd0db6d4cc0f53c16 (diff) | |
| download | FreeBSD-src-b05df49af65d3ab697c586f71af5d5fe6f368656.zip FreeBSD-src-b05df49af65d3ab697c586f71af5d5fe6f368656.tar.gz | |
Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,
PFKEY.
MFC after: 2 weeks
Diffstat (limited to 'sys/netipsec')
| -rw-r--r-- | sys/netipsec/ah_var.h | 2 | ||||
| -rw-r--r-- | sys/netipsec/esp_var.h | 2 | ||||
| -rw-r--r-- | sys/netipsec/ipcomp_var.h | 2 | ||||
| -rw-r--r-- | sys/netipsec/ipip_var.h | 2 | ||||
| -rw-r--r-- | sys/netipsec/ipsec_input.c | 84 | ||||
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 16 | ||||
| -rw-r--r-- | sys/netipsec/key.c | 38 | ||||
| -rw-r--r-- | sys/netipsec/keysock.c | 48 | ||||
| -rw-r--r-- | sys/netipsec/keysock.h | 2 | ||||
| -rw-r--r-- | sys/netipsec/xform_ah.c | 52 | ||||
| -rw-r--r-- | sys/netipsec/xform_esp.c | 56 | ||||
| -rw-r--r-- | sys/netipsec/xform_ipcomp.c | 49 | ||||
| -rw-r--r-- | sys/netipsec/xform_ipip.c | 43 |
13 files changed, 194 insertions, 202 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h index 6145dba..812fe2d 100644 --- a/sys/netipsec/ah_var.h +++ b/sys/netipsec/ah_var.h @@ -75,6 +75,8 @@ VNET_DECLARE(int, ah_enable); VNET_DECLARE(int, ah_cleartos); VNET_DECLARE(struct ahstat, ahstat); +#define AHSTAT_ADD(name, val) V_ahstat.name += (val) +#define AHSTAT_INC(name) AHSTAT_ADD(name, 1) #define V_ah_enable VNET(ah_enable) #define V_ah_cleartos VNET(ah_cleartos) #define V_ahstat VNET(ahstat) diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h index 477dcbf..c613361 100644 --- a/sys/netipsec/esp_var.h +++ b/sys/netipsec/esp_var.h @@ -75,6 +75,8 @@ struct espstat { VNET_DECLARE(int, esp_enable); VNET_DECLARE(struct espstat, espstat); +#define ESPSTAT_ADD(name, val) V_espstat.name += (val) +#define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1) #define V_esp_enable VNET(esp_enable) #define V_espstat VNET(espstat) #endif /* _KERNEL */ diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h index c99a3be..ee15598 100644 --- a/sys/netipsec/ipcomp_var.h +++ b/sys/netipsec/ipcomp_var.h @@ -68,6 +68,8 @@ struct ipcompstat { VNET_DECLARE(int, ipcomp_enable); VNET_DECLARE(struct ipcompstat, ipcompstat); +#define IPCOMPSTAT_ADD(name, val) V_ipcompstat.name += (val) +#define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1) #define V_ipcomp_enable VNET(ipcomp_enable) #define V_ipcompstat VNET(ipcompstat) #endif /* _KERNEL */ diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h index 3c8c397..415d5c1 100644 --- a/sys/netipsec/ipip_var.h +++ b/sys/netipsec/ipip_var.h @@ -62,6 +62,8 @@ struct ipipstat VNET_DECLARE(int, ipip_allow); VNET_DECLARE(struct ipipstat, ipipstat); +#define IPIPSTAT_ADD(name, val) V_ipipstat.name += (val) +#define IPIPSTAT_INC(name) IPIPSTAT_ADD(name, 1) #define V_ipip_allow VNET(ipip_allow) #define V_ipipstat VNET(ipipstat) #endif /* _KERNEL */ diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 1f9ae64..23a4a5c 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -99,8 +99,14 @@ #endif -#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \ - (p) == IPPROTO_AH ? (y)++ : (z)++) +#define IPSEC_ISTAT(proto, name) do { \ + if ((proto) == IPPROTO_ESP) \ + ESPSTAT_INC(esps_##name); \ + else if ((proto) == IPPROTO_AH) \ + AHSTAT_INC(ahs_##name); \ + else \ + IPCOMPSTAT_INC(ipcomps_##name); \ +} while (0) #ifdef INET static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); @@ -125,8 +131,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) #endif #endif - IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, - V_ipcompstat.ipcomps_input); + IPSEC_ISTAT(sproto, input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -138,15 +143,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) (sproto == IPPROTO_AH && !V_ah_enable) || (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; } @@ -197,8 +200,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) default: DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, - V_ipcompstat.ipcomps_nopf); + IPSEC_ISTAT(sproto, nopf); return EPFNOSUPPORT; } @@ -208,8 +210,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, - V_ipcompstat.ipcomps_notdb); + IPSEC_ISTAT(sproto, notdb); m_freem(m); return ENOENT; } @@ -218,8 +219,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, - V_ipcompstat.ipcomps_noxform); + IPSEC_ISTAT(sproto, noxform); KEY_FREESAV(&sav); m_freem(m); return ENXIO; @@ -321,8 +321,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - V_ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, badkcr); KEY_FREESAV(&sav); return EINVAL; } @@ -336,8 +335,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, DPRINTF(("%s: processing failed for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOBUFS; goto bad; } @@ -357,9 +355,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -388,9 +384,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsp_address(saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -401,9 +395,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -430,9 +422,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -453,8 +443,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOMEM; goto bad; } @@ -494,9 +483,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, * Re-dispatch via software interrupt. */ if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) { - IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, - V_ipcompstat.ipcomps_qfull); - + IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); return error; @@ -548,9 +535,7 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto) if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain, protoff %u, " "l %u, off %u\n", __func__, protoff, l, *offp)); - IPSEC_ISTAT(proto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(proto, hdrops); m_freem(*mp); *mp = NULL; return IPPROTO_DONE; @@ -595,8 +580,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - V_ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, badkcr); error = EINVAL; goto bad; } @@ -609,8 +593,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EACCES; goto bad; } @@ -628,9 +611,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -655,8 +636,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTATsproto, (V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -668,9 +648,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -697,8 +675,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -718,8 +695,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOMEM; goto bad; } diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 6871f12..19b27ec 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -276,8 +276,14 @@ ipsec_nextisr( int *error ) { -#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \ - isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) +#define IPSEC_OSTAT(name) do { \ + if (isr->saidx.proto == IPPROTO_ESP) \ + ESPSTAT_INC(esps_##name); \ + else if (isr->saidx.proto == IPPROTO_AH)\ + AHSTAT_INC(ahs_##name); \ + else \ + IPCOMPSTAT_INC(ipcomps_##name); \ +} while (0) struct secasvar *sav; IPSECREQUEST_LOCK_ASSERT(isr); @@ -385,8 +391,7 @@ again: (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { DPRINTF(("%s: IPsec outbound packet dropped due" " to policy (check your sysctls)\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_OSTAT(pdrops); *error = EHOSTUNREACH; goto bad; } @@ -397,8 +402,7 @@ again: */ if (sav->tdb_xform == NULL) { DPRINTF(("%s: no transform for SA\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform, - V_ipcompstat.ipcomps_noxform); + IPSEC_OSTAT(noxform); *error = EHOSTUNREACH; goto bad; } diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 67afed2..35385e5 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -7316,7 +7316,7 @@ key_parse(m, so) if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != m->m_pkthdr.len) { ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__)); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); error = EINVAL; goto senderror; } @@ -7324,7 +7324,7 @@ key_parse(m, so) if (msg->sadb_msg_version != PF_KEY_V2) { ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n", __func__, msg->sadb_msg_version)); - V_pfkeystat.out_invver++; + PFKEYSTAT_INC(out_invver); error = EINVAL; goto senderror; } @@ -7332,7 +7332,7 @@ key_parse(m, so) if (msg->sadb_msg_type > SADB_MAX) { ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invmsgtype++; + PFKEYSTAT_INC(out_invmsgtype); error = EINVAL; goto senderror; } @@ -7385,7 +7385,7 @@ key_parse(m, so) ipseclog((LOG_DEBUG, "%s: must specify satype " "when msg type=%u.\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7405,7 +7405,7 @@ key_parse(m, so) case SADB_X_SPDDELETE2: ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7416,7 +7416,7 @@ key_parse(m, so) case SADB_SATYPE_MIP: ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n", __func__, msg->sadb_msg_satype)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EOPNOTSUPP; goto senderror; case 1: /* XXX: What does it do? */ @@ -7426,7 +7426,7 @@ key_parse(m, so) default: ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", __func__, msg->sadb_msg_satype)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7444,7 +7444,7 @@ key_parse(m, so) if (src0->sadb_address_proto != dst0->sadb_address_proto) { ipseclog((LOG_DEBUG, "%s: upper layer protocol " "mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7454,7 +7454,7 @@ key_parse(m, so) PFKEY_ADDR_SADDR(dst0)->sa_family) { ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7462,7 +7462,7 @@ key_parse(m, so) PFKEY_ADDR_SADDR(dst0)->sa_len) { ipseclog((LOG_DEBUG, "%s: address struct size " "mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7471,7 +7471,7 @@ key_parse(m, so) case AF_INET: if (PFKEY_ADDR_SADDR(src0)->sa_len != sizeof(struct sockaddr_in)) { - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7479,7 +7479,7 @@ key_parse(m, so) case AF_INET6: if (PFKEY_ADDR_SADDR(src0)->sa_len != sizeof(struct sockaddr_in6)) { - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7487,7 +7487,7 @@ key_parse(m, so) default: ipseclog((LOG_DEBUG, "%s: unsupported address family\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EAFNOSUPPORT; goto senderror; } @@ -7509,7 +7509,7 @@ key_parse(m, so) dst0->sadb_address_prefixlen > plen) { ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7522,7 +7522,7 @@ key_parse(m, so) if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) || key_typesw[msg->sadb_msg_type] == NULL) { - V_pfkeystat.out_invmsgtype++; + PFKEYSTAT_INC(out_invmsgtype); error = EINVAL; goto senderror; } @@ -7624,7 +7624,7 @@ key_align(m, mhp) ipseclog((LOG_DEBUG, "%s: duplicate ext_type " "%u\n", __func__, ext->sadb_ext_type)); m_freem(m); - V_pfkeystat.out_dupext++; + PFKEYSTAT_INC(out_dupext); return EINVAL; } break; @@ -7632,7 +7632,7 @@ key_align(m, mhp) ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n", __func__, ext->sadb_ext_type)); m_freem(m); - V_pfkeystat.out_invexttype++; + PFKEYSTAT_INC(out_invexttype); return EINVAL; } @@ -7640,7 +7640,7 @@ key_align(m, mhp) if (key_validate_ext(ext, extlen)) { m_freem(m); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); return EINVAL; } @@ -7658,7 +7658,7 @@ key_align(m, mhp) if (off != end) { m_freem(m); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); return EINVAL; } diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c index 475befa..a29d8b0 100644 --- a/sys/netipsec/keysock.c +++ b/sys/netipsec/keysock.c @@ -91,19 +91,19 @@ key_output(struct mbuf *m, struct socket *so) if (m == 0) panic("%s: NULL pointer was passed.\n", __func__); - V_pfkeystat.out_total++; - V_pfkeystat.out_bytes += m->m_pkthdr.len; + PFKEYSTAT_INC(out_total); + PFKEYSTAT_ADD(out_bytes, m->m_pkthdr.len); len = m->m_pkthdr.len; if (len < sizeof(struct sadb_msg)) { - V_pfkeystat.out_tooshort++; + PFKEYSTAT_INC(out_tooshort); error = EINVAL; goto end; } if (m->m_len < sizeof(struct sadb_msg)) { if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) { - V_pfkeystat.out_nomem++; + PFKEYSTAT_INC(out_nomem); error = ENOBUFS; goto end; } @@ -114,9 +114,9 @@ key_output(struct mbuf *m, struct socket *so) KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m)); msg = mtod(m, struct sadb_msg *); - V_pfkeystat.out_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]); if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) { - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); error = EINVAL; goto end; } @@ -147,7 +147,7 @@ key_sendup0(rp, m, promisc) if (m && m->m_len < sizeof(struct sadb_msg)) m = m_pullup(m, sizeof(struct sadb_msg)); if (!m) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); m_freem(m); return ENOBUFS; } @@ -160,12 +160,12 @@ key_sendup0(rp, m, promisc) pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); /* pid and seq? */ - V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++; + PFKEYSTAT_INC(in_msgtype[pmsg->sadb_msg_type]); } if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src, m, NULL)) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); m_freem(m); error = ENOBUFS; } else @@ -197,9 +197,9 @@ key_sendup(so, msg, len, target) * we increment statistics here, just in case we have ENOBUFS * in this function. */ - V_pfkeystat.in_total++; - V_pfkeystat.in_bytes += len; - V_pfkeystat.in_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(in_total); + PFKEYSTAT_ADD(in_bytes, len); + PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); /* * Get mbuf chain whenever possible (not clusters), @@ -216,14 +216,14 @@ key_sendup(so, msg, len, target) if (tlen == len) { MGETHDR(n, M_NOWAIT, MT_DATA); if (n == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MHLEN; } else { MGET(n, M_NOWAIT, MT_DATA); if (n == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MLEN; @@ -233,7 +233,7 @@ key_sendup(so, msg, len, target) if ((n->m_flags & M_EXT) == 0) { m_free(n); m_freem(m); - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MCLBYTES; @@ -256,9 +256,9 @@ key_sendup(so, msg, len, target) m_copyback(m, 0, len, (caddr_t)msg); /* avoid duplicated statistics */ - V_pfkeystat.in_total--; - V_pfkeystat.in_bytes -= len; - V_pfkeystat.in_msgtype[msg->sadb_msg_type]--; + PFKEYSTAT_ADD(in_total, -1); + PFKEYSTAT_ADD(in_bytes, -len); + PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1); return key_sendup_mbuf(so, m, target); } @@ -281,19 +281,19 @@ key_sendup_mbuf(so, m, target) if (so == NULL && target == KEY_SENDUP_ONE) panic("%s: NULL pointer was passed.\n", __func__); - V_pfkeystat.in_total++; - V_pfkeystat.in_bytes += m->m_pkthdr.len; + PFKEYSTAT_INC(in_total); + PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len); if (m->m_len < sizeof(struct sadb_msg)) { m = m_pullup(m, sizeof(struct sadb_msg)); if (m == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } } if (m->m_len >= sizeof(struct sadb_msg)) { struct sadb_msg *msg; msg = mtod(m, struct sadb_msg *); - V_pfkeystat.in_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); } mtx_lock(&rawcb_mtx); LIST_FOREACH(rp, &V_rawcb_list, list) @@ -338,14 +338,14 @@ key_sendup_mbuf(so, m, target) sendup++; break; } - V_pfkeystat.in_msgtarget[target]++; + PFKEYSTAT_INC(in_msgtarget[target]); if (!sendup) continue; if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) { m_freem(m); - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); mtx_unlock(&rawcb_mtx); return ENOBUFS; } diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h index 3c0cc8b..6039dbb 100644 --- a/sys/netipsec/keysock.h +++ b/sys/netipsec/keysock.h @@ -70,6 +70,8 @@ struct keycb { }; VNET_DECLARE(struct pfkeystat, pfkeystat); +#define PFKEYSTAT_ADD(name, val) V_pfkeystat.name += (val) +#define PFKEYSTAT_INC(name) PFKEYSTAT_ADD(name, 1) #define V_pfkeystat VNET(pfkeystat) extern int key_output(struct mbuf *m, struct socket *so); diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 722879b..82c9a65a7 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -583,14 +583,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { DPRINTF(("ah_input: cannot pullup header\n")); - V_ahstat.ahs_hdrops++; /*XXX*/ + AHSTAT_INC(ahs_hdrops); /*XXX*/ m_freem(m); return ENOBUFS; } /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { - V_ahstat.ahs_replay++; + AHSTAT_INC(ahs_replay); DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav))); m_freem(m); @@ -607,17 +607,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) hl, (u_long) (authsize + rplen - sizeof (struct ah)), ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_badauthl++; + AHSTAT_INC(ahs_badauthl); m_freem(m); return EACCES; } - V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; + AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ crp = crypto_getreq(1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); m_freem(m); return ENOBUFS; } @@ -657,7 +657,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) } if (tc == NULL) { DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); crypto_freereq(crp); m_freem(m); return ENOBUFS; @@ -681,7 +681,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) skip, ahx->type, 0); if (error != 0) { /* NB: mbuf is free'd by ah_massage_headers */ - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); free(tc, M_XDATA); crypto_freereq(crp); return error; @@ -760,19 +760,19 @@ ah_input_cb(struct cryptop *crp) if (crp->crp_etype == EAGAIN) return (crypto_dispatch(crp)); - V_ahstat.ahs_noxform++; + AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } else { - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); crypto_freereq(crp); /* No longer needed. */ crp = NULL; } /* Shouldn't happen... */ if (m == NULL) { - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; @@ -798,7 +798,7 @@ ah_input_cb(struct cryptop *crp) "in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_badauth++; + AHSTAT_INC(ahs_badauth); error = EACCES; goto bad; } @@ -829,7 +829,7 @@ ah_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newah, ah_seq), sizeof (seq), (caddr_t) &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { - V_ahstat.ahs_replay++; + AHSTAT_INC(ahs_replay); error = ENOBUFS; /*XXX as above*/ goto bad; } @@ -843,7 +843,7 @@ ah_input_cb(struct cryptop *crp) DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); goto bad; } @@ -904,7 +904,7 @@ ah_output( ahx = sav->tdb_authalgxform; IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); - V_ahstat.ahs_output++; + AHSTAT_INC(ahs_output); /* Figure out header size. */ rplen = HDRSIZE(sav); @@ -927,7 +927,7 @@ ah_output( sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_nopf++; + AHSTAT_INC(ahs_nopf); error = EPFNOSUPPORT; goto bad; } @@ -938,20 +938,20 @@ ah_output( ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), rplen + authsize + m->m_pkthdr.len, maxpacketsize)); - V_ahstat.ahs_toobig++; + AHSTAT_INC(ahs_toobig); error = EMSGSIZE; goto bad; } /* Update the counters. */ - V_ahstat.ahs_obytes += m->m_pkthdr.len - skip; + AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); error = ENOBUFS; goto bad; } @@ -964,7 +964,7 @@ ah_output( rplen + authsize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */ + AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */ error = ENOBUFS; goto bad; } @@ -992,7 +992,7 @@ ah_output( __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_wrap++; + AHSTAT_INC(ahs_wrap); error = EINVAL; goto bad; } @@ -1009,7 +1009,7 @@ ah_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); error = ENOBUFS; goto bad; } @@ -1031,7 +1031,7 @@ ah_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); error = ENOBUFS; goto bad; } @@ -1135,7 +1135,7 @@ ah_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_ahstat.ahs_notdb++; + AHSTAT_INC(ahs_notdb); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -1151,7 +1151,7 @@ ah_output_cb(struct cryptop *crp) return (crypto_dispatch(crp)); } - V_ahstat.ahs_noxform++; + AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -1159,12 +1159,12 @@ ah_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); /* * Copy original headers (with the new protocol number) back diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 04e5832..127bbad 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -279,7 +279,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if ( (skip&3) || (m->m_pkthdr.len&3) ){ DPRINTF(("%s: misaligned packet, skip %u pkt len %u", __func__, skip, m->m_pkthdr.len)); - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); m_freem(m); return EINVAL; } @@ -325,7 +325,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); m_freem(m); return EINVAL; } @@ -336,13 +336,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); /*XXX*/ - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); m_freem(m); return ENOBUFS; /*XXX*/ } /* Update the counters */ - V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen); + ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen)); /* Find out if we've already done crypto */ for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); @@ -361,7 +361,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -376,7 +376,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -492,7 +492,7 @@ esp_input_cb(struct cryptop *crp) if (crp->crp_etype == EAGAIN) return (crypto_dispatch(crp)); - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -500,12 +500,12 @@ esp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); /* If authentication was performed, check now. */ if (esph != NULL) { @@ -524,7 +524,7 @@ esp_input_cb(struct cryptop *crp) * the verification for us. Otherwise we need to * check the authentication calculation. */ - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - alen, @@ -539,7 +539,7 @@ esp_input_cb(struct cryptop *crp) __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badauth++; + ESPSTAT_INC(esps_badauth); error = EACCES; goto bad; } @@ -569,7 +569,7 @@ esp_input_cb(struct cryptop *crp) if (ipsec_updatereplay(ntohl(seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); error = ENOBUFS; goto bad; } @@ -584,7 +584,7 @@ esp_input_cb(struct cryptop *crp) /* Remove the ESP header and IV from the mbuf. */ error = m_striphdr(m, skip, hlen); if (error) { - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -596,7 +596,7 @@ esp_input_cb(struct cryptop *crp) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); DPRINTF(("%s: invalid padding length %d for %u byte packet " "in SA %s/%08lx\n", __func__, lastthree[1], m->m_pkthdr.len - skip, @@ -609,7 +609,7 @@ esp_input_cb(struct cryptop *crp) /* Verify correct decryption by checking the last padding bytes */ if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { - V_espstat.esps_badenc++; + ESPSTAT_INC(esps_badenc); DPRINTF(("%s: decryption failed for packet in " "SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), @@ -716,7 +716,7 @@ esp_output( else alen = 0; - V_espstat.esps_output++; + ESPSTAT_INC(esps_output); saidx = &sav->sah->saidx; /* Check for maximum packet size violations. */ @@ -736,7 +736,7 @@ esp_output( "family %d, SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_nopf++; + ESPSTAT_INC(esps_nopf); error = EPFNOSUPPORT; goto bad; } @@ -745,19 +745,19 @@ esp_output( "(len %u, max len %u)\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), skip + hlen + rlen + padding + alen, maxpacketsize)); - V_espstat.esps_toobig++; + ESPSTAT_INC(esps_toobig); error = EMSGSIZE; goto bad; } /* Update the counters. */ - V_espstat.esps_obytes += m->m_pkthdr.len - skip; + ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); error = ENOBUFS; goto bad; } @@ -768,7 +768,7 @@ esp_output( DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; /* XXX diffs from openbsd */ + ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ error = ENOBUFS; goto bad; } @@ -832,7 +832,7 @@ esp_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -861,7 +861,7 @@ esp_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -922,7 +922,7 @@ esp_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_espstat.esps_notdb++; + ESPSTAT_INC(esps_notdb); DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", __func__, ipsec_address(&tc->tc_dst), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); @@ -941,7 +941,7 @@ esp_output_cb(struct cryptop *crp) return (crypto_dispatch(crp)); } - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -949,14 +949,14 @@ esp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); if (sav->tdb_authalgxform != NULL) - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); /* Release crypto descriptors. */ free(tc, M_XDATA); diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 40ab951..8e8814a 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -152,7 +152,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) * compression it means someone is playing tricks on us. */ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) { - V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/ DPRINTF(("%s: m_pullup failed\n", __func__)); return (ENOBUFS); } @@ -160,7 +160,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) ipcomp = (struct ipcomp *)addr; if (ipcomp->comp_nxt == IPPROTO_IPCOMP) { m_freem(m); - V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */ + IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */ DPRINTF(("%s: recursive compression detected\n", __func__)); return (EINVAL); } @@ -170,7 +170,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (crp == NULL) { m_freem(m); DPRINTF(("%s: no crypto descriptors\n", __func__)); - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); return ENOBUFS; } /* Get IPsec-specific opaque pointer */ @@ -179,7 +179,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) m_freem(m); crypto_freereq(crp); DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); return ENOBUFS; } crdc = crp->crp_desc; @@ -256,19 +256,19 @@ ipcomp_input_cb(struct cryptop *crp) if (crp->crp_etype == EAGAIN) { return crypto_dispatch(crp); } - V_ipcompstat.ipcomps_noxform++; + IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ipcompstat.ipcomps_hist[sav->alg_comp]++; + IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); clen = crp->crp_olen; /* Length of data after processing */ @@ -280,7 +280,7 @@ ipcomp_input_cb(struct cryptop *crp) m->m_pkthdr.len = clen + hlen + skip; if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { - V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/ DPRINTF(("%s: m_pullup failed\n", __func__)); error = EINVAL; /*XXX*/ goto bad; @@ -293,7 +293,7 @@ ipcomp_input_cb(struct cryptop *crp) /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen); if (error) { - V_ipcompstat.ipcomps_hdrops++; + IPCOMPSTAT_INC(ipcomps_hdrops); DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -364,12 +364,12 @@ ipcomp_output( * See RFC 3173, 2.2. Non-Expansion Policy. */ if (m->m_pkthdr.len <= ipcompx->minlen) { - V_ipcompstat.ipcomps_threshold++; + IPCOMPSTAT_INC(ipcomps_threshold); return ipsec_process_done(m, isr); } ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ - V_ipcompstat.ipcomps_output++; + IPCOMPSTAT_INC(ipcomps_output); /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { @@ -384,7 +384,7 @@ ipcomp_output( break; #endif /* INET6 */ default: - V_ipcompstat.ipcomps_nopf++; + IPCOMPSTAT_INC(ipcomps_nopf); DPRINTF(("%s: unknown/unsupported protocol family %d, " "IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -394,7 +394,7 @@ ipcomp_output( goto bad; } if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) { - V_ipcompstat.ipcomps_toobig++; + IPCOMPSTAT_INC(ipcomps_toobig); DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst), @@ -405,11 +405,11 @@ ipcomp_output( } /* Update the counters */ - V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; + IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { - V_ipcompstat.ipcomps_hdrops++; + IPCOMPSTAT_INC(ipcomps_hdrops); DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -422,7 +422,7 @@ ipcomp_output( /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); error = ENOBUFS; goto bad; @@ -442,7 +442,7 @@ ipcomp_output( tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); crypto_freereq(crp); error = ENOBUFS; @@ -495,7 +495,7 @@ ipcomp_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_ipcompstat.ipcomps_notdb++; + IPCOMPSTAT_INC(ipcomps_notdb); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -511,19 +511,19 @@ ipcomp_output_cb(struct cryptop *crp) IPSECREQUEST_UNLOCK(isr); return crypto_dispatch(crp); } - V_ipcompstat.ipcomps_noxform++; + IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ipcompstat.ipcomps_hist[sav->alg_comp]++; + IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); if (crp->crp_ilen - skip > crp->crp_olen) { struct mbuf *mo; @@ -534,7 +534,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Compression helped, inject IPCOMP header. */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { - V_ipcompstat.ipcomps_wrap++; + IPCOMPSTAT_INC(ipcomps_wrap); DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -579,7 +579,7 @@ ipcomp_output_cb(struct cryptop *crp) break; #endif /* INET6 */ default: - V_ipcompstat.ipcomps_nopf++; + IPCOMPSTAT_INC(ipcomps_nopf); DPRINTF(("%s: unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -590,7 +590,7 @@ ipcomp_output_cb(struct cryptop *crp) } } else { /* Compression was useless, we have lost time. */ - V_ipcompstat.ipcomps_uncompr++; + IPCOMPSTAT_INC(ipcomps_uncompr); DPRINTF(("%s: compressions was useless %d - %d <= %d\n", __func__, crp->crp_ilen, skip, crp->crp_olen)); /* XXX remember state to not compress the next couple @@ -636,6 +636,7 @@ static void vnet_ipcomp_attach(const void *unused __unused) { + /* XXX */ V_ipcompstat.version = IPCOMPSTAT_VERSION; } diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index fc3b1d2..8d00228 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -115,7 +115,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto) /* If we do not accept IP-in-IP explicitly, drop. */ if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) { DPRINTF(("%s: dropped due to policy\n", __func__)); - V_ipipstat.ipips_pdrops++; + IPIPSTAT_INC(ipips_pdrops); m_freem(*m); return IPPROTO_DONE; } @@ -136,7 +136,7 @@ ip4_input(struct mbuf *m, int off) /* If we do not accept IP-in-IP explicitly, drop. */ if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) { DPRINTF(("%s: dropped due to policy\n", __func__)); - V_ipipstat.ipips_pdrops++; + IPIPSTAT_INC(ipips_pdrops); m_freem(m); return; } @@ -172,7 +172,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) u_int8_t v; int hlen; - V_ipipstat.ipips_ipackets++; + IPIPSTAT_INC(ipips_ipackets); m_copydata(m, 0, 1, &v); @@ -188,7 +188,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); m_freem(m); return /* EAFNOSUPPORT */; } @@ -197,7 +197,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { DPRINTF(("%s: m_pullup (1) failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); return; } } @@ -234,7 +234,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) /* Sanity check */ if (m->m_pkthdr.len < sizeof(struct ip)) { - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); m_freem(m); return; } @@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); m_freem(m); return; /* EAFNOSUPPORT */ } @@ -265,7 +265,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { DPRINTF(("%s: m_pullup (2) failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); return; } } @@ -316,7 +316,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (sin->sin_addr.s_addr == ipo->ip_src.s_addr) { - V_ipipstat.ipips_spoof++; + IPIPSTAT_INC(ipips_spoof); m_freem(m); IFNET_RUNLOCK_NOSLEEP(); return; @@ -333,7 +333,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { - V_ipipstat.ipips_spoof++; + IPIPSTAT_INC(ipips_spoof); m_freem(m); IFNET_RUNLOCK_NOSLEEP(); return; @@ -347,7 +347,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } /* Statistics */ - V_ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; + IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen); #ifdef DEV_ENC switch (v >> 4) { @@ -393,7 +393,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } if (netisr_queue(isr, m)) { /* (0) on success. */ - V_ipipstat.ipips_qfull++; + IPIPSTAT_INC(ipips_qfull); DPRINTF(("%s: packet dropped because of full queue\n", __func__)); } @@ -442,7 +442,7 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ipipstat.ipips_unspec++; + IPIPSTAT_INC(ipips_unspec); error = EINVAL; goto bad; } @@ -450,7 +450,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip), M_NOWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -522,7 +522,7 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ipipstat.ipips_unspec++; + IPIPSTAT_INC(ipips_unspec); error = ENOBUFS; goto bad; } @@ -537,7 +537,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -591,12 +591,12 @@ ipip_output( nofamily: DPRINTF(("%s: unsupported protocol family %u\n", __func__, saidx->dst.sa.sa_family)); - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); error = EAFNOSUPPORT; /* XXX diffs from openbsd */ goto bad; } - V_ipipstat.ipips_opackets++; + IPIPSTAT_INC(ipips_opackets); *mp = m; #ifdef INET @@ -606,7 +606,8 @@ nofamily: tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip); #endif - V_ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); + IPIPSTAT_ADD(ipips_obytes, + m->m_pkthdr.len - sizeof(struct ip)); } #endif /* INET */ @@ -617,8 +618,8 @@ nofamily: tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip6_hdr); #endif - V_ipipstat.ipips_obytes += - m->m_pkthdr.len - sizeof(struct ip6_hdr); + IPIPSTAT_ADD(ipips_obytes, + m->m_pkthdr.len - sizeof(struct ip6_hdr)); } #endif /* INET6 */ |
