summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/udp_usrreq.c8
-rw-r--r--sys/netinet6/ip6_forward.c6
-rw-r--r--sys/netinet6/raw_ip6.c4
-rw-r--r--sys/netinet6/udp6_usrreq.c2
-rw-r--r--sys/netipsec/ipsec.c8
-rw-r--r--sys/netipsec/ipsec.h1
-rw-r--r--sys/netipsec/ipsec6.h1
-rw-r--r--sys/netipsec/ipsec_mbuf.c8
-rw-r--r--sys/netipsec/ipsec_output.c12
10 files changed, 28 insertions, 26 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 25b320e..e773d46 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -950,12 +950,12 @@ findpcb:
#ifdef IPSEC
#ifdef INET6
if (isipv6 && ipsec6_in_reject(m, inp)) {
- V_ipsec6stat.in_polvio++;
+ IPSEC6STAT_INC(in_polvio);
goto dropunlock;
} else
#endif /* INET6 */
if (ipsec4_in_reject(m, inp) != 0) {
- V_ipsec4stat.in_polvio++;
+ IPSECSTAT_INC(in_polvio);
goto dropunlock;
}
#endif /* IPSEC */
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b6297dc..6bc94c3 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -279,7 +279,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
/* Check AH/ESP integrity. */
if (ipsec4_in_reject(n, inp)) {
m_freem(n);
- V_ipsec4stat.in_polvio++;
+ IPSECSTAT_INC(in_polvio);
return;
}
#ifdef IPSEC_NAT_T
@@ -1291,7 +1291,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
if (minlen > m->m_pkthdr.len)
minlen = m->m_pkthdr.len;
if ((m = m_pullup(m, minlen)) == NULL) {
- V_ipsec4stat.in_inval++;
+ IPSECSTAT_INC(in_inval);
return (NULL); /* Bypass caller processing. */
}
data = mtod(m, caddr_t); /* Points to ip header. */
@@ -1331,7 +1331,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
uint32_t spi;
if (payload <= sizeof(struct esp)) {
- V_ipsec4stat.in_inval++;
+ IPSECSTAT_INC(in_inval);
m_freem(m);
return (NULL); /* Discard. */
}
@@ -1352,7 +1352,7 @@ udp4_espdecap(struct inpcb *inp, struct mbuf *m, int off)
tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
2 * sizeof(uint16_t), M_NOWAIT);
if (tag == NULL) {
- V_ipsec4stat.in_nomem++;
+ IPSECSTAT_INC(in_nomem);
m_freem(m);
return (NULL); /* Discard. */
}
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 686fd4b..ed62a23 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -120,7 +120,7 @@ ip6_forward(struct mbuf *m, int srcrt)
* before forwarding packet actually.
*/
if (ipsec6_in_reject(m, NULL)) {
- V_ipsec6stat.in_polvio++;
+ IPSEC6STAT_INC(in_polvio);
m_freem(m);
return;
}
@@ -182,7 +182,7 @@ ip6_forward(struct mbuf *m, int srcrt)
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &error);
if (sp == NULL) {
- V_ipsec6stat.out_inval++;
+ IPSEC6STAT_INC(out_inval);
IP6STAT_INC(ip6s_cantforward);
if (mcopy) {
#if 0
@@ -203,7 +203,7 @@ ip6_forward(struct mbuf *m, int srcrt)
/*
* This packet is just discarded.
*/
- V_ipsec6stat.out_polvio++;
+ IPSEC6STAT_INC(out_polvio);
IP6STAT_INC(ip6s_cantforward);
KEY_FREESP(&sp);
if (mcopy) {
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 31eeb61..841d711 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -263,7 +263,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
*/
if (n && ipsec6_in_reject(n, last)) {
m_freem(n);
- V_ipsec6stat.in_polvio++;
+ IPSEC6STAT_INC(in_polvio);
/* Do not inject data into pcb. */
} else
#endif /* IPSEC */
@@ -295,7 +295,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
*/
if ((last != NULL) && ipsec6_in_reject(m, last)) {
m_freem(m);
- V_ipsec6stat.in_polvio++;
+ IPSEC6STAT_INC(in_polvio);
IP6STAT_DEC(ip6s_delivered);
/* Do not inject data into pcb. */
INP_RUNLOCK(last);
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 200fd68..1f0d52c 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -141,7 +141,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
/* Check AH/ESP integrity. */
if (ipsec6_in_reject(n, inp)) {
m_freem(n);
- V_ipsec6stat.in_polvio++;
+ IPSEC6STAT_INC(in_polvio);
return;
}
#endif /* IPSEC */
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 6b41f51..e9e5f74 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -454,7 +454,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
sp = ipsec_getpolicybysock(m, dir, inp, error);
if (sp == NULL) {
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
- V_ipsec4stat.ips_out_inval++;
+ IPSECSTAT_INC(ips_out_inval);
return (NULL);
}
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
@@ -464,7 +464,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
printf("%s: invalid policy %u\n", __func__, sp->policy);
/* FALLTHROUGH */
case IPSEC_POLICY_DISCARD:
- V_ipsec4stat.ips_out_polvio++;
+ IPSECSTAT_INC(ips_out_polvio);
*error = -EINVAL; /* Packet is discarded by caller. */
break;
case IPSEC_POLICY_BYPASS:
@@ -1314,7 +1314,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
result = ipsec46_in_reject(m, inp);
if (result)
- V_ipsec4stat.ips_in_polvio++;
+ IPSECSTAT_INC(ips_in_polvio);
return (result);
}
@@ -1332,7 +1332,7 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
result = ipsec46_in_reject(m, inp);
if (result)
- V_ipsec6stat.ips_in_polvio++;
+ IPSEC6STAT_INC(ips_in_polvio);
return (result);
}
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 65faab8..ad22250 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -359,6 +359,7 @@ VNET_DECLARE(int, ip4_ipsec_ecn);
VNET_DECLARE(int, ip4_esp_randpad);
VNET_DECLARE(int, crypto_support);
+#define IPSECSTAT_INC(name) V_ipsec4stat.name += 1
#define V_ipsec4stat VNET(ipsec4stat)
#define V_ip4_def_policy VNET(ip4_def_policy)
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index c004220..21ec6b3 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -48,6 +48,7 @@ VNET_DECLARE(int, ip6_ah_trans_deflev);
VNET_DECLARE(int, ip6_ah_net_deflev);
VNET_DECLARE(int, ip6_ipsec_ecn);
+#define IPSEC6STAT_INC(name) V_ipsec6stat.name += 1
#define V_ipsec6stat VNET(ipsec6stat)
#define V_ip6_esp_trans_deflev VNET(ip6_esp_trans_deflev)
#define V_ip6_esp_net_deflev VNET(ip6_esp_net_deflev)
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index bc87409..fb105d4 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -135,7 +135,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
m = n; /* header is at front ... */
*off = 0; /* ... of new mbuf */
}
- V_ipsec4stat.ips_mbinserted++;
+ IPSECSTAT_INC(ips_mbinserted);
} else {
/*
* Copy the remainder to the back of the mbuf
@@ -241,7 +241,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
/* Remove the header and associated data from the mbuf. */
if (roff == 0) {
/* The header was at the beginning of the mbuf */
- V_ipsec4stat.ips_input_front++;
+ IPSECSTAT_INC(ips_input_front);
m_adj(m1, hlen);
if ((m1->m_flags & M_PKTHDR) == 0)
m->m_pkthdr.len -= hlen;
@@ -253,7 +253,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* so first let's remove the remainder of the header from
* the beginning of the remainder of the mbuf chain, if any.
*/
- V_ipsec4stat.ips_input_end++;
+ IPSECSTAT_INC(ips_input_end);
if (roff + hlen > m1->m_len) {
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
@@ -278,7 +278,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* The header lies in the "middle" of the mbuf; copy
* the remainder of the mbuf down over the header.
*/
- V_ipsec4stat.ips_input_middle++;
+ IPSECSTAT_INC(ips_input_middle);
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff,
m1->m_len - (roff + hlen));
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 33054c0..6871f12 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -164,7 +164,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
* doing further processing.
*/
if (isr->next) {
- V_ipsec4stat.ips_out_bundlesa++;
+ IPSECSTAT_INC(ips_out_bundlesa);
/* XXX-BZ currently only support same AF bundles. */
switch (saidx->dst.sa.sa_family) {
#ifdef INET
@@ -356,7 +356,7 @@ again:
* this packet because it is responsibility for
* upper layer to retransmit the packet.
*/
- V_ipsec4stat.ips_out_nosa++;
+ IPSECSTAT_INC(ips_out_nosa);
goto bad;
}
sav = isr->sav;
@@ -827,14 +827,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
ipseclog((LOG_ERR, "%s: family mismatched between "
"inner and outer, spi=%u\n", __func__,
ntohl(isr->sav->spi)));
- V_ipsec6stat.ips_out_inval++;
+ IPSEC6STAT_INC(ips_out_inval);
error = EAFNOSUPPORT;
goto bad;
}
m = ipsec6_splithdr(m);
if (!m) {
- V_ipsec6stat.ips_out_nomem++;
+ IPSEC6STAT_INC(ips_out_nomem);
error = ENOMEM;
goto bad;
}
@@ -864,7 +864,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
}
if (state->ro->ro_rt == NULL) {
IP6STAT_INC(ip6s_noroute);
- V_ipsec6stat.ips_out_noroute++;
+ IPSEC6STAT_INC(ips_out_noroute);
error = EHOSTUNREACH;
goto bad;
}
@@ -876,7 +876,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
m = ipsec6_splithdr(m);
if (!m) {
- V_ipsec6stat.ips_out_nomem++;
+ IPSEC6STAT_INC(ips_out_nomem);
error = ENOMEM;
goto bad;
}
OpenPOWER on IntegriCloud