diff options
-rw-r--r-- | sys/netinet/tcp_input.c | 4 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 8 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 6 | ||||
-rw-r--r-- | sys/netinet6/raw_ip6.c | 4 | ||||
-rw-r--r-- | sys/netinet6/udp6_usrreq.c | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 8 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec6.h | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec_mbuf.c | 8 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 12 |
10 files changed, 28 insertions, 26 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 25b320e..e773d46 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -950,12 +950,12 @@ findpcb: #ifdef IPSEC #ifdef INET6 if (isipv6 && ipsec6_in_reject(m, inp)) { - V_ipsec6stat.in_polvio++; + IPSEC6STAT_INC(in_polvio); goto dropunlock; } else #endif /* INET6 */ if (ipsec4_in_reject(m, inp) != 0) { - V_ipsec4stat.in_polvio++; + IPSECSTAT_INC(in_polvio); goto dropunlock; } #endif /* IPSEC */ diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index b6297dc..6bc94c3 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -279,7 +279,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, /* Check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { m_freem(n); - V_ipsec4stat.in_polvio++; + IPSECSTAT_INC(in_polvio); return; } #ifdef IPSEC_NAT_T @@ -1291,7 +1291,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off) if (minlen > m->m_pkthdr.len) minlen = m->m_pkthdr.len; if ((m = m_pullup(m, minlen)) == NULL) { - V_ipsec4stat.in_inval++; + IPSECSTAT_INC(in_inval); return (NULL); /* Bypass caller processing. */ } data = mtod(m, caddr_t); /* Points to ip header. */ @@ -1331,7 +1331,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off) uint32_t spi; if (payload <= sizeof(struct esp)) { - V_ipsec4stat.in_inval++; + IPSECSTAT_INC(in_inval); m_freem(m); return (NULL); /* Discard. */ } @@ -1352,7 +1352,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off) tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS, 2 * sizeof(uint16_t), M_NOWAIT); if (tag == NULL) { - V_ipsec4stat.in_nomem++; + IPSECSTAT_INC(in_nomem); m_freem(m); return (NULL); /* Discard. */ } diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 686fd4b..ed62a23 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -120,7 +120,7 @@ ip6_forward(struct mbuf *m, int srcrt) * before forwarding packet actually. */ if (ipsec6_in_reject(m, NULL)) { - V_ipsec6stat.in_polvio++; + IPSEC6STAT_INC(in_polvio); m_freem(m); return; } @@ -182,7 +182,7 @@ ip6_forward(struct mbuf *m, int srcrt) sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error); if (sp == NULL) { - V_ipsec6stat.out_inval++; + IPSEC6STAT_INC(out_inval); IP6STAT_INC(ip6s_cantforward); if (mcopy) { #if 0 @@ -203,7 +203,7 @@ ip6_forward(struct mbuf *m, int srcrt) /* * This packet is just discarded. */ - V_ipsec6stat.out_polvio++; + IPSEC6STAT_INC(out_polvio); IP6STAT_INC(ip6s_cantforward); KEY_FREESP(&sp); if (mcopy) { diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 31eeb61..841d711 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -263,7 +263,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto) */ if (n && ipsec6_in_reject(n, last)) { m_freem(n); - V_ipsec6stat.in_polvio++; + IPSEC6STAT_INC(in_polvio); /* Do not inject data into pcb. */ } else #endif /* IPSEC */ @@ -295,7 +295,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto) */ if ((last != NULL) && ipsec6_in_reject(m, last)) { m_freem(m); - V_ipsec6stat.in_polvio++; + IPSEC6STAT_INC(in_polvio); IP6STAT_DEC(ip6s_delivered); /* Do not inject data into pcb. */ INP_RUNLOCK(last); diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 200fd68..1f0d52c 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -141,7 +141,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off, /* Check AH/ESP integrity. */ if (ipsec6_in_reject(n, inp)) { m_freem(n); - V_ipsec6stat.in_polvio++; + IPSEC6STAT_INC(in_polvio); return; } #endif /* IPSEC */ diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 6b41f51..e9e5f74 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -454,7 +454,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, sp = ipsec_getpolicybysock(m, dir, inp, error); if (sp == NULL) { IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); - V_ipsec4stat.ips_out_inval++; + IPSECSTAT_INC(ips_out_inval); return (NULL); } IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); @@ -464,7 +464,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, printf("%s: invalid policy %u\n", __func__, sp->policy); /* FALLTHROUGH */ case IPSEC_POLICY_DISCARD: - V_ipsec4stat.ips_out_polvio++; + IPSECSTAT_INC(ips_out_polvio); *error = -EINVAL; /* Packet is discarded by caller. */ break; case IPSEC_POLICY_BYPASS: @@ -1314,7 +1314,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) result = ipsec46_in_reject(m, inp); if (result) - V_ipsec4stat.ips_in_polvio++; + IPSECSTAT_INC(ips_in_polvio); return (result); } @@ -1332,7 +1332,7 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) result = ipsec46_in_reject(m, inp); if (result) - V_ipsec6stat.ips_in_polvio++; + IPSEC6STAT_INC(ips_in_polvio); return (result); } diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 65faab8..ad22250 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -359,6 +359,7 @@ VNET_DECLARE(int, ip4_ipsec_ecn); VNET_DECLARE(int, ip4_esp_randpad); VNET_DECLARE(int, crypto_support); +#define IPSECSTAT_INC(name) V_ipsec4stat.name += 1 #define V_ipsec4stat VNET(ipsec4stat) #define V_ip4_def_policy VNET(ip4_def_policy) #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h index c004220..21ec6b3 100644 --- a/sys/netipsec/ipsec6.h +++ b/sys/netipsec/ipsec6.h @@ -48,6 +48,7 @@ VNET_DECLARE(int, ip6_ah_trans_deflev); VNET_DECLARE(int, ip6_ah_net_deflev); VNET_DECLARE(int, ip6_ipsec_ecn); +#define IPSEC6STAT_INC(name) V_ipsec6stat.name += 1 #define V_ipsec6stat VNET(ipsec6stat) #define V_ip6_esp_trans_deflev VNET(ip6_esp_trans_deflev) #define V_ip6_esp_net_deflev VNET(ip6_esp_net_deflev) diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index bc87409..fb105d4 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -135,7 +135,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off) m = n; /* header is at front ... */ *off = 0; /* ... of new mbuf */ } - V_ipsec4stat.ips_mbinserted++; + IPSECSTAT_INC(ips_mbinserted); } else { /* * Copy the remainder to the back of the mbuf @@ -241,7 +241,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) /* Remove the header and associated data from the mbuf. */ if (roff == 0) { /* The header was at the beginning of the mbuf */ - V_ipsec4stat.ips_input_front++; + IPSECSTAT_INC(ips_input_front); m_adj(m1, hlen); if ((m1->m_flags & M_PKTHDR) == 0) m->m_pkthdr.len -= hlen; @@ -253,7 +253,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) * so first let's remove the remainder of the header from * the beginning of the remainder of the mbuf chain, if any. */ - V_ipsec4stat.ips_input_end++; + IPSECSTAT_INC(ips_input_end); if (roff + hlen > m1->m_len) { /* Adjust the next mbuf by the remainder */ m_adj(m1->m_next, roff + hlen - m1->m_len); @@ -278,7 +278,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) * The header lies in the "middle" of the mbuf; copy * the remainder of the mbuf down over the header. */ - V_ipsec4stat.ips_input_middle++; + IPSECSTAT_INC(ips_input_middle); bcopy(mtod(m1, u_char *) + roff + hlen, mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 33054c0..6871f12 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -164,7 +164,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) * doing further processing. */ if (isr->next) { - V_ipsec4stat.ips_out_bundlesa++; + IPSECSTAT_INC(ips_out_bundlesa); /* XXX-BZ currently only support same AF bundles. */ switch (saidx->dst.sa.sa_family) { #ifdef INET @@ -356,7 +356,7 @@ again: * this packet because it is responsibility for * upper layer to retransmit the packet. */ - V_ipsec4stat.ips_out_nosa++; + IPSECSTAT_INC(ips_out_nosa); goto bad; } sav = isr->sav; @@ -827,14 +827,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int ipseclog((LOG_ERR, "%s: family mismatched between " "inner and outer, spi=%u\n", __func__, ntohl(isr->sav->spi))); - V_ipsec6stat.ips_out_inval++; + IPSEC6STAT_INC(ips_out_inval); error = EAFNOSUPPORT; goto bad; } m = ipsec6_splithdr(m); if (!m) { - V_ipsec6stat.ips_out_nomem++; + IPSEC6STAT_INC(ips_out_nomem); error = ENOMEM; goto bad; } @@ -864,7 +864,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int } if (state->ro->ro_rt == NULL) { IP6STAT_INC(ip6s_noroute); - V_ipsec6stat.ips_out_noroute++; + IPSEC6STAT_INC(ips_out_noroute); error = EHOSTUNREACH; goto bad; } @@ -876,7 +876,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int m = ipsec6_splithdr(m); if (!m) { - V_ipsec6stat.ips_out_nomem++; + IPSEC6STAT_INC(ips_out_nomem); error = ENOMEM; goto bad; } |