summaryrefslogtreecommitdiffstats
path: root/sys
diff options
context:
space:
mode:
authorae <ae@FreeBSD.org>2013-06-20 11:44:16 +0000
committerae <ae@FreeBSD.org>2013-06-20 11:44:16 +0000
commitb05df49af65d3ab697c586f71af5d5fe6f368656 (patch)
tree3928f332f78b418bcf02494aa8434e53a06aa4b4 /sys
parent1e4c88cc8b89f670f8e6f11dd0db6d4cc0f53c16 (diff)
downloadFreeBSD-src-b05df49af65d3ab697c586f71af5d5fe6f368656.zip
FreeBSD-src-b05df49af65d3ab697c586f71af5d5fe6f368656.tar.gz
Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,
PFKEY. MFC after: 2 weeks
Diffstat (limited to 'sys')
-rw-r--r--sys/netipsec/ah_var.h2
-rw-r--r--sys/netipsec/esp_var.h2
-rw-r--r--sys/netipsec/ipcomp_var.h2
-rw-r--r--sys/netipsec/ipip_var.h2
-rw-r--r--sys/netipsec/ipsec_input.c84
-rw-r--r--sys/netipsec/ipsec_output.c16
-rw-r--r--sys/netipsec/key.c38
-rw-r--r--sys/netipsec/keysock.c48
-rw-r--r--sys/netipsec/keysock.h2
-rw-r--r--sys/netipsec/xform_ah.c52
-rw-r--r--sys/netipsec/xform_esp.c56
-rw-r--r--sys/netipsec/xform_ipcomp.c49
-rw-r--r--sys/netipsec/xform_ipip.c43
13 files changed, 194 insertions, 202 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h
index 6145dba..812fe2d 100644
--- a/sys/netipsec/ah_var.h
+++ b/sys/netipsec/ah_var.h
@@ -75,6 +75,8 @@ VNET_DECLARE(int, ah_enable);
VNET_DECLARE(int, ah_cleartos);
VNET_DECLARE(struct ahstat, ahstat);
+#define AHSTAT_ADD(name, val) V_ahstat.name += (val)
+#define AHSTAT_INC(name) AHSTAT_ADD(name, 1)
#define V_ah_enable VNET(ah_enable)
#define V_ah_cleartos VNET(ah_cleartos)
#define V_ahstat VNET(ahstat)
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h
index 477dcbf..c613361 100644
--- a/sys/netipsec/esp_var.h
+++ b/sys/netipsec/esp_var.h
@@ -75,6 +75,8 @@ struct espstat {
VNET_DECLARE(int, esp_enable);
VNET_DECLARE(struct espstat, espstat);
+#define ESPSTAT_ADD(name, val) V_espstat.name += (val)
+#define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1)
#define V_esp_enable VNET(esp_enable)
#define V_espstat VNET(espstat)
#endif /* _KERNEL */
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index c99a3be..ee15598 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -68,6 +68,8 @@ struct ipcompstat {
VNET_DECLARE(int, ipcomp_enable);
VNET_DECLARE(struct ipcompstat, ipcompstat);
+#define IPCOMPSTAT_ADD(name, val) V_ipcompstat.name += (val)
+#define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1)
#define V_ipcomp_enable VNET(ipcomp_enable)
#define V_ipcompstat VNET(ipcompstat)
#endif /* _KERNEL */
diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h
index 3c8c397..415d5c1 100644
--- a/sys/netipsec/ipip_var.h
+++ b/sys/netipsec/ipip_var.h
@@ -62,6 +62,8 @@ struct ipipstat
VNET_DECLARE(int, ipip_allow);
VNET_DECLARE(struct ipipstat, ipipstat);
+#define IPIPSTAT_ADD(name, val) V_ipipstat.name += (val)
+#define IPIPSTAT_INC(name) IPIPSTAT_ADD(name, 1)
#define V_ipip_allow VNET(ipip_allow)
#define V_ipipstat VNET(ipipstat)
#endif /* _KERNEL */
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 1f9ae64..23a4a5c 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -99,8 +99,14 @@
#endif
-#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
- (p) == IPPROTO_AH ? (y)++ : (z)++)
+#define IPSEC_ISTAT(proto, name) do { \
+ if ((proto) == IPPROTO_ESP) \
+ ESPSTAT_INC(esps_##name); \
+ else if ((proto) == IPPROTO_AH) \
+ AHSTAT_INC(ahs_##name); \
+ else \
+ IPCOMPSTAT_INC(ipcomps_##name); \
+} while (0)
#ifdef INET
static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
@@ -125,8 +131,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
#endif
#endif
- IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
- V_ipcompstat.ipcomps_input);
+ IPSEC_ISTAT(sproto, input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -138,15 +143,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
(sproto == IPPROTO_AH && !V_ah_enable) ||
(sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
- V_ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, pdrops);
return EOPNOTSUPP;
}
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
}
@@ -197,8 +200,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
default:
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
- V_ipcompstat.ipcomps_nopf);
+ IPSEC_ISTAT(sproto, nopf);
return EPFNOSUPPORT;
}
@@ -208,8 +210,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
- V_ipcompstat.ipcomps_notdb);
+ IPSEC_ISTAT(sproto, notdb);
m_freem(m);
return ENOENT;
}
@@ -218,8 +219,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
- V_ipcompstat.ipcomps_noxform);
+ IPSEC_ISTAT(sproto, noxform);
KEY_FREESAV(&sav);
m_freem(m);
return ENXIO;
@@ -321,8 +321,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
- V_ipcompstat.ipcomps_badkcr);
+ IPSEC_ISTAT(sproto, badkcr);
KEY_FREESAV(&sav);
return EINVAL;
}
@@ -336,8 +335,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = ENOBUFS;
goto bad;
}
@@ -357,9 +355,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@@ -388,9 +384,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsp_address(saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops,
- V_ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@@ -401,9 +395,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@@ -430,9 +422,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops,
- V_ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@@ -453,8 +443,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = ENOMEM;
goto bad;
}
@@ -494,9 +483,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
* Re-dispatch via software interrupt.
*/
if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) {
- IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
- V_ipcompstat.ipcomps_qfull);
-
+ IPSEC_ISTAT(sproto, qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
__func__, sproto));
return error;
@@ -548,9 +535,7 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
if (protoff + l != *offp) {
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
- IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(proto, hdrops);
m_freem(*mp);
*mp = NULL;
return IPPROTO_DONE;
@@ -595,8 +580,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
- V_ipcompstat.ipcomps_badkcr);
+ IPSEC_ISTAT(sproto, badkcr);
error = EINVAL;
goto bad;
}
@@ -609,8 +593,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = EACCES;
goto bad;
}
@@ -628,9 +611,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@@ -655,8 +636,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@@ -668,9 +648,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops,
- V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = EINVAL;
goto bad;
}
@@ -697,8 +675,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, pdrops);
error = EACCES;
goto bad;
}
@@ -718,8 +695,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, hdrops);
error = ENOMEM;
goto bad;
}
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 6871f12..19b27ec 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -276,8 +276,14 @@ ipsec_nextisr(
int *error
)
{
-#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
- isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
+#define IPSEC_OSTAT(name) do { \
+ if (isr->saidx.proto == IPPROTO_ESP) \
+ ESPSTAT_INC(esps_##name); \
+ else if (isr->saidx.proto == IPPROTO_AH)\
+ AHSTAT_INC(ahs_##name); \
+ else \
+ IPCOMPSTAT_INC(ipcomps_##name); \
+} while (0)
struct secasvar *sav;
IPSECREQUEST_LOCK_ASSERT(isr);
@@ -385,8 +391,7 @@ again:
(isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
- IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
- V_ipcompstat.ipcomps_pdrops);
+ IPSEC_OSTAT(pdrops);
*error = EHOSTUNREACH;
goto bad;
}
@@ -397,8 +402,7 @@ again:
*/
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: no transform for SA\n", __func__));
- IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
- V_ipcompstat.ipcomps_noxform);
+ IPSEC_OSTAT(noxform);
*error = EHOSTUNREACH;
goto bad;
}
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 67afed2..35385e5 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -7316,7 +7316,7 @@ key_parse(m, so)
if ((m->m_flags & M_PKTHDR) == 0 ||
m->m_pkthdr.len != m->m_pkthdr.len) {
ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
- V_pfkeystat.out_invlen++;
+ PFKEYSTAT_INC(out_invlen);
error = EINVAL;
goto senderror;
}
@@ -7324,7 +7324,7 @@ key_parse(m, so)
if (msg->sadb_msg_version != PF_KEY_V2) {
ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
__func__, msg->sadb_msg_version));
- V_pfkeystat.out_invver++;
+ PFKEYSTAT_INC(out_invver);
error = EINVAL;
goto senderror;
}
@@ -7332,7 +7332,7 @@ key_parse(m, so)
if (msg->sadb_msg_type > SADB_MAX) {
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_type));
- V_pfkeystat.out_invmsgtype++;
+ PFKEYSTAT_INC(out_invmsgtype);
error = EINVAL;
goto senderror;
}
@@ -7385,7 +7385,7 @@ key_parse(m, so)
ipseclog((LOG_DEBUG, "%s: must specify satype "
"when msg type=%u.\n", __func__,
msg->sadb_msg_type));
- V_pfkeystat.out_invsatype++;
+ PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@@ -7405,7 +7405,7 @@ key_parse(m, so)
case SADB_X_SPDDELETE2:
ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
__func__, msg->sadb_msg_type));
- V_pfkeystat.out_invsatype++;
+ PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@@ -7416,7 +7416,7 @@ key_parse(m, so)
case SADB_SATYPE_MIP:
ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
__func__, msg->sadb_msg_satype));
- V_pfkeystat.out_invsatype++;
+ PFKEYSTAT_INC(out_invsatype);
error = EOPNOTSUPP;
goto senderror;
case 1: /* XXX: What does it do? */
@@ -7426,7 +7426,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_satype));
- V_pfkeystat.out_invsatype++;
+ PFKEYSTAT_INC(out_invsatype);
error = EINVAL;
goto senderror;
}
@@ -7444,7 +7444,7 @@ key_parse(m, so)
if (src0->sadb_address_proto != dst0->sadb_address_proto) {
ipseclog((LOG_DEBUG, "%s: upper layer protocol "
"mismatched.\n", __func__));
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7454,7 +7454,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_family) {
ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
__func__));
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7462,7 +7462,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_len) {
ipseclog((LOG_DEBUG, "%s: address struct size "
"mismatched.\n", __func__));
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7471,7 +7471,7 @@ key_parse(m, so)
case AF_INET:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in)) {
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7479,7 +7479,7 @@ key_parse(m, so)
case AF_INET6:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in6)) {
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7487,7 +7487,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
__func__));
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EAFNOSUPPORT;
goto senderror;
}
@@ -7509,7 +7509,7 @@ key_parse(m, so)
dst0->sadb_address_prefixlen > plen) {
ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
__func__));
- V_pfkeystat.out_invaddr++;
+ PFKEYSTAT_INC(out_invaddr);
error = EINVAL;
goto senderror;
}
@@ -7522,7 +7522,7 @@ key_parse(m, so)
if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) ||
key_typesw[msg->sadb_msg_type] == NULL) {
- V_pfkeystat.out_invmsgtype++;
+ PFKEYSTAT_INC(out_invmsgtype);
error = EINVAL;
goto senderror;
}
@@ -7624,7 +7624,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
"%u\n", __func__, ext->sadb_ext_type));
m_freem(m);
- V_pfkeystat.out_dupext++;
+ PFKEYSTAT_INC(out_dupext);
return EINVAL;
}
break;
@@ -7632,7 +7632,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
__func__, ext->sadb_ext_type));
m_freem(m);
- V_pfkeystat.out_invexttype++;
+ PFKEYSTAT_INC(out_invexttype);
return EINVAL;
}
@@ -7640,7 +7640,7 @@ key_align(m, mhp)
if (key_validate_ext(ext, extlen)) {
m_freem(m);
- V_pfkeystat.out_invlen++;
+ PFKEYSTAT_INC(out_invlen);
return EINVAL;
}
@@ -7658,7 +7658,7 @@ key_align(m, mhp)
if (off != end) {
m_freem(m);
- V_pfkeystat.out_invlen++;
+ PFKEYSTAT_INC(out_invlen);
return EINVAL;
}
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index 475befa..a29d8b0 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -91,19 +91,19 @@ key_output(struct mbuf *m, struct socket *so)
if (m == 0)
panic("%s: NULL pointer was passed.\n", __func__);
- V_pfkeystat.out_total++;
- V_pfkeystat.out_bytes += m->m_pkthdr.len;
+ PFKEYSTAT_INC(out_total);
+ PFKEYSTAT_ADD(out_bytes, m->m_pkthdr.len);
len = m->m_pkthdr.len;
if (len < sizeof(struct sadb_msg)) {
- V_pfkeystat.out_tooshort++;
+ PFKEYSTAT_INC(out_tooshort);
error = EINVAL;
goto end;
}
if (m->m_len < sizeof(struct sadb_msg)) {
if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
- V_pfkeystat.out_nomem++;
+ PFKEYSTAT_INC(out_nomem);
error = ENOBUFS;
goto end;
}
@@ -114,9 +114,9 @@ key_output(struct mbuf *m, struct socket *so)
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
msg = mtod(m, struct sadb_msg *);
- V_pfkeystat.out_msgtype[msg->sadb_msg_type]++;
+ PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]);
if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
- V_pfkeystat.out_invlen++;
+ PFKEYSTAT_INC(out_invlen);
error = EINVAL;
goto end;
}
@@ -147,7 +147,7 @@ key_sendup0(rp, m, promisc)
if (m && m->m_len < sizeof(struct sadb_msg))
m = m_pullup(m, sizeof(struct sadb_msg));
if (!m) {
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
m_freem(m);
return ENOBUFS;
}
@@ -160,12 +160,12 @@ key_sendup0(rp, m, promisc)
pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
/* pid and seq? */
- V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
+ PFKEYSTAT_INC(in_msgtype[pmsg->sadb_msg_type]);
}
if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
m, NULL)) {
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
m_freem(m);
error = ENOBUFS;
} else
@@ -197,9 +197,9 @@ key_sendup(so, msg, len, target)
* we increment statistics here, just in case we have ENOBUFS
* in this function.
*/
- V_pfkeystat.in_total++;
- V_pfkeystat.in_bytes += len;
- V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+ PFKEYSTAT_INC(in_total);
+ PFKEYSTAT_ADD(in_bytes, len);
+ PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
/*
* Get mbuf chain whenever possible (not clusters),
@@ -216,14 +216,14 @@ key_sendup(so, msg, len, target)
if (tlen == len) {
MGETHDR(n, M_NOWAIT, MT_DATA);
if (n == NULL) {
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MHLEN;
} else {
MGET(n, M_NOWAIT, MT_DATA);
if (n == NULL) {
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MLEN;
@@ -233,7 +233,7 @@ key_sendup(so, msg, len, target)
if ((n->m_flags & M_EXT) == 0) {
m_free(n);
m_freem(m);
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
n->m_len = MCLBYTES;
@@ -256,9 +256,9 @@ key_sendup(so, msg, len, target)
m_copyback(m, 0, len, (caddr_t)msg);
/* avoid duplicated statistics */
- V_pfkeystat.in_total--;
- V_pfkeystat.in_bytes -= len;
- V_pfkeystat.in_msgtype[msg->sadb_msg_type]--;
+ PFKEYSTAT_ADD(in_total, -1);
+ PFKEYSTAT_ADD(in_bytes, -len);
+ PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1);
return key_sendup_mbuf(so, m, target);
}
@@ -281,19 +281,19 @@ key_sendup_mbuf(so, m, target)
if (so == NULL && target == KEY_SENDUP_ONE)
panic("%s: NULL pointer was passed.\n", __func__);
- V_pfkeystat.in_total++;
- V_pfkeystat.in_bytes += m->m_pkthdr.len;
+ PFKEYSTAT_INC(in_total);
+ PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len);
if (m->m_len < sizeof(struct sadb_msg)) {
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
return ENOBUFS;
}
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
- V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+ PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]);
}
mtx_lock(&rawcb_mtx);
LIST_FOREACH(rp, &V_rawcb_list, list)
@@ -338,14 +338,14 @@ key_sendup_mbuf(so, m, target)
sendup++;
break;
}
- V_pfkeystat.in_msgtarget[target]++;
+ PFKEYSTAT_INC(in_msgtarget[target]);
if (!sendup)
continue;
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
m_freem(m);
- V_pfkeystat.in_nomem++;
+ PFKEYSTAT_INC(in_nomem);
mtx_unlock(&rawcb_mtx);
return ENOBUFS;
}
diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h
index 3c0cc8b..6039dbb 100644
--- a/sys/netipsec/keysock.h
+++ b/sys/netipsec/keysock.h
@@ -70,6 +70,8 @@ struct keycb {
};
VNET_DECLARE(struct pfkeystat, pfkeystat);
+#define PFKEYSTAT_ADD(name, val) V_pfkeystat.name += (val)
+#define PFKEYSTAT_INC(name) PFKEYSTAT_ADD(name, 1)
#define V_pfkeystat VNET(pfkeystat)
extern int key_output(struct mbuf *m, struct socket *so);
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 722879b..82c9a65a7 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -583,14 +583,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
- V_ahstat.ahs_hdrops++; /*XXX*/
+ AHSTAT_INC(ahs_hdrops); /*XXX*/
m_freem(m);
return ENOBUFS;
}
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
- V_ahstat.ahs_replay++;
+ AHSTAT_INC(ahs_replay);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
@@ -607,17 +607,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_badauthl++;
+ AHSTAT_INC(ahs_badauthl);
m_freem(m);
return EACCES;
}
- V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+ AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
m_freem(m);
return ENOBUFS;
}
@@ -657,7 +657,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
}
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
@@ -681,7 +681,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
- V_ahstat.ahs_hdrops++;
+ AHSTAT_INC(ahs_hdrops);
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
@@ -760,19 +760,19 @@ ah_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN)
return (crypto_dispatch(crp));
- V_ahstat.ahs_noxform++;
+ AHSTAT_INC(ahs_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
/* Shouldn't happen... */
if (m == NULL) {
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
@@ -798,7 +798,7 @@ ah_input_cb(struct cryptop *crp)
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_badauth++;
+ AHSTAT_INC(ahs_badauth);
error = EACCES;
goto bad;
}
@@ -829,7 +829,7 @@ ah_input_cb(struct cryptop *crp)
m_copydata(m, skip + offsetof(struct newah, ah_seq),
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
- V_ahstat.ahs_replay++;
+ AHSTAT_INC(ahs_replay);
error = ENOBUFS; /*XXX as above*/
goto bad;
}
@@ -843,7 +843,7 @@ ah_input_cb(struct cryptop *crp)
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- V_ahstat.ahs_hdrops++;
+ AHSTAT_INC(ahs_hdrops);
goto bad;
}
@@ -904,7 +904,7 @@ ah_output(
ahx = sav->tdb_authalgxform;
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
- V_ahstat.ahs_output++;
+ AHSTAT_INC(ahs_output);
/* Figure out header size. */
rplen = HDRSIZE(sav);
@@ -927,7 +927,7 @@ ah_output(
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_nopf++;
+ AHSTAT_INC(ahs_nopf);
error = EPFNOSUPPORT;
goto bad;
}
@@ -938,20 +938,20 @@ ah_output(
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
- V_ahstat.ahs_toobig++;
+ AHSTAT_INC(ahs_toobig);
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+ AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_hdrops++;
+ AHSTAT_INC(ahs_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -964,7 +964,7 @@ ah_output(
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */
+ AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -992,7 +992,7 @@ ah_output(
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_ahstat.ahs_wrap++;
+ AHSTAT_INC(ahs_wrap);
error = EINVAL;
goto bad;
}
@@ -1009,7 +1009,7 @@ ah_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
error = ENOBUFS;
goto bad;
}
@@ -1031,7 +1031,7 @@ ah_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
error = ENOBUFS;
goto bad;
}
@@ -1135,7 +1135,7 @@ ah_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
- V_ahstat.ahs_notdb++;
+ AHSTAT_INC(ahs_notdb);
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -1151,7 +1151,7 @@ ah_output_cb(struct cryptop *crp)
return (crypto_dispatch(crp));
}
- V_ahstat.ahs_noxform++;
+ AHSTAT_INC(ahs_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -1159,12 +1159,12 @@ ah_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- V_ahstat.ahs_crypto++;
+ AHSTAT_INC(ahs_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
/*
* Copy original headers (with the new protocol number) back
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 04e5832..127bbad 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -279,7 +279,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if ( (skip&3) || (m->m_pkthdr.len&3) ){
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
__func__, skip, m->m_pkthdr.len));
- V_espstat.esps_badilen++;
+ ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
}
@@ -325,7 +325,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_badilen++;
+ ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
}
@@ -336,13 +336,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
- V_espstat.esps_replay++;
+ ESPSTAT_INC(esps_replay);
m_freem(m);
return ENOBUFS; /*XXX*/
}
/* Update the counters */
- V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
+ ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
/* Find out if we've already done crypto */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@@ -361,7 +361,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@@ -376,7 +376,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@@ -492,7 +492,7 @@ esp_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN)
return (crypto_dispatch(crp));
- V_espstat.esps_noxform++;
+ ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -500,12 +500,12 @@ esp_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_espstat.esps_hist[sav->alg_enc]++;
+ ESPSTAT_INC(esps_hist[sav->alg_enc]);
/* If authentication was performed, check now. */
if (esph != NULL) {
@@ -524,7 +524,7 @@ esp_input_cb(struct cryptop *crp)
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - alen,
@@ -539,7 +539,7 @@ esp_input_cb(struct cryptop *crp)
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_badauth++;
+ ESPSTAT_INC(esps_badauth);
error = EACCES;
goto bad;
}
@@ -569,7 +569,7 @@ esp_input_cb(struct cryptop *crp)
if (ipsec_updatereplay(ntohl(seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav)));
- V_espstat.esps_replay++;
+ ESPSTAT_INC(esps_replay);
error = ENOBUFS;
goto bad;
}
@@ -584,7 +584,7 @@ esp_input_cb(struct cryptop *crp)
/* Remove the ESP header and IV from the mbuf. */
error = m_striphdr(m, skip, hlen);
if (error) {
- V_espstat.esps_hdrops++;
+ ESPSTAT_INC(esps_hdrops);
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -596,7 +596,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
- V_espstat.esps_badilen++;
+ ESPSTAT_INC(esps_badilen);
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
@@ -609,7 +609,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify correct decryption by checking the last padding bytes */
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
- V_espstat.esps_badenc++;
+ ESPSTAT_INC(esps_badenc);
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -716,7 +716,7 @@ esp_output(
else
alen = 0;
- V_espstat.esps_output++;
+ ESPSTAT_INC(esps_output);
saidx = &sav->sah->saidx;
/* Check for maximum packet size violations. */
@@ -736,7 +736,7 @@ esp_output(
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_nopf++;
+ ESPSTAT_INC(esps_nopf);
error = EPFNOSUPPORT;
goto bad;
}
@@ -745,19 +745,19 @@ esp_output(
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
- V_espstat.esps_toobig++;
+ ESPSTAT_INC(esps_toobig);
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- V_espstat.esps_obytes += m->m_pkthdr.len - skip;
+ ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- V_espstat.esps_hdrops++;
+ ESPSTAT_INC(esps_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -768,7 +768,7 @@ esp_output(
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_hdrops++; /* XXX diffs from openbsd */
+ ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -832,7 +832,7 @@ esp_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@@ -861,7 +861,7 @@ esp_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@@ -922,7 +922,7 @@ esp_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
- V_espstat.esps_notdb++;
+ ESPSTAT_INC(esps_notdb);
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
@@ -941,7 +941,7 @@ esp_output_cb(struct cryptop *crp)
return (crypto_dispatch(crp));
}
- V_espstat.esps_noxform++;
+ ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -949,14 +949,14 @@ esp_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_espstat.esps_hist[sav->alg_enc]++;
+ ESPSTAT_INC(esps_hist[sav->alg_enc]);
if (sav->tdb_authalgxform != NULL)
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
/* Release crypto descriptors. */
free(tc, M_XDATA);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 40ab951..8e8814a 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -152,7 +152,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
* compression it means someone is playing tricks on us.
*/
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
- V_ipcompstat.ipcomps_hdrops++; /*XXX*/
+ IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
return (ENOBUFS);
}
@@ -160,7 +160,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ipcomp = (struct ipcomp *)addr;
if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
m_freem(m);
- V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */
+ IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */
DPRINTF(("%s: recursive compression detected\n", __func__));
return (EINVAL);
}
@@ -170,7 +170,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
m_freem(m);
DPRINTF(("%s: no crypto descriptors\n", __func__));
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
return ENOBUFS;
}
/* Get IPsec-specific opaque pointer */
@@ -179,7 +179,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
m_freem(m);
crypto_freereq(crp);
DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
return ENOBUFS;
}
crdc = crp->crp_desc;
@@ -256,19 +256,19 @@ ipcomp_input_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN) {
return crypto_dispatch(crp);
}
- V_ipcompstat.ipcomps_noxform++;
+ IPCOMPSTAT_INC(ipcomps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
clen = crp->crp_olen; /* Length of data after processing */
@@ -280,7 +280,7 @@ ipcomp_input_cb(struct cryptop *crp)
m->m_pkthdr.len = clen + hlen + skip;
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
- V_ipcompstat.ipcomps_hdrops++; /*XXX*/
+ IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
error = EINVAL; /*XXX*/
goto bad;
@@ -293,7 +293,7 @@ ipcomp_input_cb(struct cryptop *crp)
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
if (error) {
- V_ipcompstat.ipcomps_hdrops++;
+ IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -364,12 +364,12 @@ ipcomp_output(
* See RFC 3173, 2.2. Non-Expansion Policy.
*/
if (m->m_pkthdr.len <= ipcompx->minlen) {
- V_ipcompstat.ipcomps_threshold++;
+ IPCOMPSTAT_INC(ipcomps_threshold);
return ipsec_process_done(m, isr);
}
ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
- V_ipcompstat.ipcomps_output++;
+ IPCOMPSTAT_INC(ipcomps_output);
/* Check for maximum packet size violations. */
switch (sav->sah->saidx.dst.sa.sa_family) {
@@ -384,7 +384,7 @@ ipcomp_output(
break;
#endif /* INET6 */
default:
- V_ipcompstat.ipcomps_nopf++;
+ IPCOMPSTAT_INC(ipcomps_nopf);
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@@ -394,7 +394,7 @@ ipcomp_output(
goto bad;
}
if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
- V_ipcompstat.ipcomps_toobig++;
+ IPCOMPSTAT_INC(ipcomps_toobig);
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -405,11 +405,11 @@ ipcomp_output(
}
/* Update the counters */
- V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
+ IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
- V_ipcompstat.ipcomps_hdrops++;
+ IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -422,7 +422,7 @@ ipcomp_output(
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
error = ENOBUFS;
goto bad;
@@ -442,7 +442,7 @@ ipcomp_output(
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
crypto_freereq(crp);
error = ENOBUFS;
@@ -495,7 +495,7 @@ ipcomp_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
- V_ipcompstat.ipcomps_notdb++;
+ IPCOMPSTAT_INC(ipcomps_notdb);
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -511,19 +511,19 @@ ipcomp_output_cb(struct cryptop *crp)
IPSECREQUEST_UNLOCK(isr);
return crypto_dispatch(crp);
}
- V_ipcompstat.ipcomps_noxform++;
+ IPCOMPSTAT_INC(ipcomps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- V_ipcompstat.ipcomps_crypto++;
+ IPCOMPSTAT_INC(ipcomps_crypto);
DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
if (crp->crp_ilen - skip > crp->crp_olen) {
struct mbuf *mo;
@@ -534,7 +534,7 @@ ipcomp_output_cb(struct cryptop *crp)
/* Compression helped, inject IPCOMP header. */
mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
if (mo == NULL) {
- V_ipcompstat.ipcomps_wrap++;
+ IPCOMPSTAT_INC(ipcomps_wrap);
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -579,7 +579,7 @@ ipcomp_output_cb(struct cryptop *crp)
break;
#endif /* INET6 */
default:
- V_ipcompstat.ipcomps_nopf++;
+ IPCOMPSTAT_INC(ipcomps_nopf);
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@@ -590,7 +590,7 @@ ipcomp_output_cb(struct cryptop *crp)
}
} else {
/* Compression was useless, we have lost time. */
- V_ipcompstat.ipcomps_uncompr++;
+ IPCOMPSTAT_INC(ipcomps_uncompr);
DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
__func__, crp->crp_ilen, skip, crp->crp_olen));
/* XXX remember state to not compress the next couple
@@ -636,6 +636,7 @@ static void
vnet_ipcomp_attach(const void *unused __unused)
{
+ /* XXX */
V_ipcompstat.version = IPCOMPSTAT_VERSION;
}
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index fc3b1d2..8d00228 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -115,7 +115,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto)
/* If we do not accept IP-in-IP explicitly, drop. */
if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
- V_ipipstat.ipips_pdrops++;
+ IPIPSTAT_INC(ipips_pdrops);
m_freem(*m);
return IPPROTO_DONE;
}
@@ -136,7 +136,7 @@ ip4_input(struct mbuf *m, int off)
/* If we do not accept IP-in-IP explicitly, drop. */
if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
- V_ipipstat.ipips_pdrops++;
+ IPIPSTAT_INC(ipips_pdrops);
m_freem(m);
return;
}
@@ -172,7 +172,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
u_int8_t v;
int hlen;
- V_ipipstat.ipips_ipackets++;
+ IPIPSTAT_INC(ipips_ipackets);
m_copydata(m, 0, 1, &v);
@@ -188,7 +188,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
- V_ipipstat.ipips_family++;
+ IPIPSTAT_INC(ipips_family);
m_freem(m);
return /* EAFNOSUPPORT */;
}
@@ -197,7 +197,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (1) failed\n", __func__));
- V_ipipstat.ipips_hdrops++;
+ IPIPSTAT_INC(ipips_hdrops);
return;
}
}
@@ -234,7 +234,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Sanity check */
if (m->m_pkthdr.len < sizeof(struct ip)) {
- V_ipipstat.ipips_hdrops++;
+ IPIPSTAT_INC(ipips_hdrops);
m_freem(m);
return;
}
@@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
- V_ipipstat.ipips_family++;
+ IPIPSTAT_INC(ipips_family);
m_freem(m);
return; /* EAFNOSUPPORT */
}
@@ -265,7 +265,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (2) failed\n", __func__));
- V_ipipstat.ipips_hdrops++;
+ IPIPSTAT_INC(ipips_hdrops);
return;
}
}
@@ -316,7 +316,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (sin->sin_addr.s_addr ==
ipo->ip_src.s_addr) {
- V_ipipstat.ipips_spoof++;
+ IPIPSTAT_INC(ipips_spoof);
m_freem(m);
IFNET_RUNLOCK_NOSLEEP();
return;
@@ -333,7 +333,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
- V_ipipstat.ipips_spoof++;
+ IPIPSTAT_INC(ipips_spoof);
m_freem(m);
IFNET_RUNLOCK_NOSLEEP();
return;
@@ -347,7 +347,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
/* Statistics */
- V_ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
+ IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen);
#ifdef DEV_ENC
switch (v >> 4) {
@@ -393,7 +393,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
if (netisr_queue(isr, m)) { /* (0) on success. */
- V_ipipstat.ipips_qfull++;
+ IPIPSTAT_INC(ipips_qfull);
DPRINTF(("%s: packet dropped because of full queue\n",
__func__));
}
@@ -442,7 +442,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_ipipstat.ipips_unspec++;
+ IPIPSTAT_INC(ipips_unspec);
error = EINVAL;
goto bad;
}
@@ -450,7 +450,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip), M_NOWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
- V_ipipstat.ipips_hdrops++;
+ IPIPSTAT_INC(ipips_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -522,7 +522,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_ipipstat.ipips_unspec++;
+ IPIPSTAT_INC(ipips_unspec);
error = ENOBUFS;
goto bad;
}
@@ -537,7 +537,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
- V_ipipstat.ipips_hdrops++;
+ IPIPSTAT_INC(ipips_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -591,12 +591,12 @@ ipip_output(
nofamily:
DPRINTF(("%s: unsupported protocol family %u\n", __func__,
saidx->dst.sa.sa_family));
- V_ipipstat.ipips_family++;
+ IPIPSTAT_INC(ipips_family);
error = EAFNOSUPPORT; /* XXX diffs from openbsd */
goto bad;
}
- V_ipipstat.ipips_opackets++;
+ IPIPSTAT_INC(ipips_opackets);
*mp = m;
#ifdef INET
@@ -606,7 +606,8 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip);
#endif
- V_ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip);
+ IPIPSTAT_ADD(ipips_obytes,
+ m->m_pkthdr.len - sizeof(struct ip));
}
#endif /* INET */
@@ -617,8 +618,8 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip6_hdr);
#endif
- V_ipipstat.ipips_obytes +=
- m->m_pkthdr.len - sizeof(struct ip6_hdr);
+ IPIPSTAT_ADD(ipips_obytes,
+ m->m_pkthdr.len - sizeof(struct ip6_hdr));
}
#endif /* INET6 */
OpenPOWER on IntegriCloud