summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--sys/netipsec/ipcomp_var.h4
-rw-r--r--sys/netipsec/xform_ipcomp.c18
-rw-r--r--usr.bin/netstat/ipsec.c10
3 files changed, 29 insertions, 3 deletions
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index a9dbe86..78f1848 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -41,6 +41,7 @@
*/
#define IPCOMP_ALG_MAX 8
+#define IPCOMPSTAT_VERSION 1
struct ipcompstat {
u_int32_t ipcomps_hdrops; /* Packet shorter than header shows */
u_int32_t ipcomps_nopf; /* Protocol family not supported */
@@ -58,6 +59,9 @@ struct ipcompstat {
u_int32_t ipcomps_pdrops; /* Packet blocked due to policy */
u_int32_t ipcomps_crypto; /* "Crypto" processing failure */
u_int32_t ipcomps_hist[IPCOMP_ALG_MAX];/* Per-algorithm op count */
+ u_int32_t version; /* Version of this structure. */
+ u_int32_t ipcomps_threshold; /* Packet < comp. algo. threshold. */
+ u_int32_t ipcomps_uncompr; /* Compression was useles. */
};
#ifdef _KERNEL
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 2dc18de..4d21e38 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -345,7 +345,7 @@ ipcomp_output(
* See RFC 3173, 2.2. Non-Expansion Policy.
*/
if (m->m_pkthdr.len <= ipcompx->minlen) {
- /* XXX-BZ V_ipcompstat.threshold++; */
+ V_ipcompstat.ipcomps_threshold++;
return ipsec_process_done(m, isr);
}
@@ -569,8 +569,10 @@ ipcomp_output_cb(struct cryptop *crp)
goto bad;
}
} else {
- /* compression was useless, we have lost time */
- /* XXX add statistic */
+ /* Compression was useless, we have lost time. */
+ V_ipcompstat.ipcomps_uncompr++;
+ DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
+ __func__, crp->crp_ilen, skip, crp->crp_olen));
/* XXX remember state to not compress the next couple
* of packets, RFC 3173, 2.2. Non-Expansion Policy */
}
@@ -609,3 +611,13 @@ ipcomp_attach(void)
}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
+
+static void
+vnet_ipcomp_attach(const void *unused __unused)
+{
+
+ V_ipcompstat.version = IPCOMPSTAT_VERSION;
+}
+
+VNET_SYSINIT(vnet_ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
+ vnet_ipcomp_attach, NULL);
diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c
index bfd8ce0..d3276bf 100644
--- a/usr.bin/netstat/ipsec.c
+++ b/usr.bin/netstat/ipsec.c
@@ -418,6 +418,7 @@ esp_stats(u_long off, const char *name, int family __unused, int proto __unused)
static void
print_ipcompstats(const struct ipcompstat *ipcompstat)
{
+ uint32_t version;
#define p32(f, m) if (ipcompstat->f || sflag <= 1) \
printf("\t%u" m, (unsigned int)ipcompstat->f, plural(ipcompstat->f))
#define p64(f, m) if (ipcompstat->f || sflag <= 1) \
@@ -425,6 +426,11 @@ print_ipcompstats(const struct ipcompstat *ipcompstat)
#define hist(f, n, t) \
ipsec_hist_new((f), sizeof(f)/sizeof(f[0]), (n), (t));
+#ifndef IPCOMPSTAT_VERSION
+ version = 0;
+#else
+ version = ipcompstat->version;
+#endif
p32(ipcomps_hdrops, " packet%s shorter than header shows\n");
p32(ipcomps_nopf, " packet%s dropped; protocol family not supported\n");
p32(ipcomps_notdb, " packet%s dropped; no TDB\n");
@@ -441,6 +447,10 @@ print_ipcompstats(const struct ipcompstat *ipcompstat)
p32(ipcomps_pdrops, " packet%s blocked due to policy\n");
p32(ipcomps_crypto, " crypto processing failure%s\n");
hist(ipcompstat->ipcomps_hist, ipsec_compnames, "COMP output");
+ if (version >= 1) {
+ p32(ipcomps_threshold, " packet%s sent uncompressed; size < compr. algo. threshold\n");
+ p32(ipcomps_uncompr, " packet%s sent uncompressed; compression was useless\n");
+ }
#undef p32
#undef p64
OpenPOWER on IntegriCloud