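/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include <sys/types.h>
#include <sys/stream.h>
#include <sys/strsun.h>
#include <sys/sunddi.h>
#include <sys/kstat.h>
#include <sys/kmem.h>
#include <sys/sdt.h>
#include <net/pfkeyv2.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ipsec_impl.h>
#include <inet/ipdrop.h>

/*
 * Packet drop facility.
 *
 * Callers drop packets through ip_drop_packet() instead of calling
 * freemsg() directly, so that every drop bumps a named counter in the
 * per-stack "ipdrop" kstat and passes through the ip_drop_input() /
 * ip_drop_output() DTrace probe sites.  A dropper (ipdropper_t) carries
 * a registered name that attributes drops which have no specific counter.
 */

/*
 * Initialize drop facility kstats for the IPsec stack instance ipss.
 *
 * Creates the per-netstack "ip:0:ipdrop" named kstat with one
 * kstat_named_t per member of struct ip_dropstats and gives each counter
 * its published name.  If the kstat or its data area cannot be created
 * the function returns without setting ipss->ipsec_ip_drop_types, so
 * every user of that pointer must tolerate NULL (the DROPPER macro does).
 *
 * The element count passed to kstat_create_netstack() is derived from
 * sizeof (struct ip_dropstats); any member not named below would be
 * published with an empty name, so keep the list and the struct in step.
 */
void
ip_drop_init(ipsec_stack_t *ipss)
{
	ipss->ipsec_ip_drop_kstat = kstat_create_netstack("ip", 0, "ipdrop",
	    "net", KSTAT_TYPE_NAMED,
	    sizeof (struct ip_dropstats) / sizeof (kstat_named_t),
	    KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);

	if (ipss->ipsec_ip_drop_kstat == NULL ||
	    ipss->ipsec_ip_drop_kstat->ks_data == NULL)
		return;

	/*
	 * Note: here ipss->ipsec_ip_drop_types is initialized, however,
	 * if the previous kstat_create_netstack failed, it will remain
	 * NULL. Note this is done for all stack instances, so it *could*
	 * be NULL. Hence a non-NULL checking is added where
	 * ipss->ipsec_ip_drop_types is used. This checking is hidden in
	 * the DROPPER macro.
	 */
	ipss->ipsec_ip_drop_types = ipss->ipsec_ip_drop_kstat->ks_data;

	/* TCP IPsec drop statistics. */
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_clear,
	    "tcp_clear", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_secure,
	    "tcp_secure", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_mismatch,
	    "tcp_mismatch", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_ipsec_alloc,
	    "tcp_ipsec_alloc", KSTAT_DATA_UINT64);

	/* SADB-specific drop statistics. */
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_timeout,
	    "sadb_inlarval_timeout", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_replace,
	    "sadb_inlarval_replace", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_overflow,
	    "sadb_inidle_overflow", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inidle_timeout,
	    "sadb_inidle_timeout", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_nomem,
	    "sadb_acquire_nomem", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_toofull,
	    "sadb_acquire_toofull", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_timeout,
	    "sadb_acquire_timeout", KSTAT_DATA_UINT64);

	/* SPD drop statistics. */
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ahesp_diffid,
	    "spd_ahesp_diffid", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_loopback_mismatch,
	    "spd_loopback_mismatch", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_explicit,
	    "spd_explicit", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_secure,
	    "spd_got_secure", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_clear,
	    "spd_got_clear", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_ahalg,
	    "spd_bad_ahalg", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_ah,
	    "spd_got_ah", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espealg,
	    "spd_bad_espealg", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espaalg,
	    "spd_bad_espaalg", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_esp,
	    "spd_got_esp", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_selfencap,
	    "spd_got_selfencap", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_selfencap,
	    "spd_bad_selfencap", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_nomem,
	    "spd_nomem", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_badid,
	    "spd_ah_badid", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_innermismatch,
	    "spd_ah_innermismatch", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_innermismatch,
	    "spd_esp_innermismatch", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_badid,
	    "spd_esp_badid", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_no_policy,
	    "spd_no_policy", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_packet,
	    "spd_malformed_packet", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_frag,
	    "spd_malformed_frag", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_overlap_frag,
	    "spd_overlap_frag", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_evil_frag,
	    "spd_evil_frag", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_max_frags,
	    "spd_max_frags", KSTAT_DATA_UINT64);

	/* ESP-specific drop statistics. */

	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nomem,
	    "esp_nomem", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_no_sa,
	    "esp_no_sa", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_early_replay,
	    "esp_early_replay", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_replay,
	    "esp_replay", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bytes_expire,
	    "esp_bytes_expire", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padlen,
	    "esp_bad_padlen", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padding,
	    "esp_bad_padding", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_auth,
	    "esp_bad_auth", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_crypto_failed,
	    "esp_crypto_failed", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_icmp,
	    "esp_icmp", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ipsec,
	    "esp_nat_t_ipsec", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ka,
	    "esp_nat_t_ka", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_iv_wrap,
	    "esp_iv_wrap", KSTAT_DATA_UINT64);

	/* AH-specific drop statistics. */
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_nomem,
	    "ah_nomem", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v6_hdrs,
	    "ah_bad_v6_hdrs", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v4_opts,
	    "ah_bad_v4_opts", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_no_sa,
	    "ah_no_sa", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_length,
	    "ah_bad_length", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_auth,
	    "ah_bad_auth", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_crypto_failed,
	    "ah_crypto_failed", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_early_replay,
	    "ah_early_replay", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_replay,
	    "ah_replay", KSTAT_DATA_UINT64);
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bytes_expire,
	    "ah_bytes_expire", KSTAT_DATA_UINT64);

	/* IP-specific drop statistics. */
	kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ip_ipsec_not_loaded,
	    "ip_ipsec_not_loaded", KSTAT_DATA_UINT64);

	kstat_install(ipss->ipsec_ip_drop_kstat);
}

/*
 * Tear down the drop facility kstats for ipss.
 *
 * Safe to call after a failed ip_drop_init(): the early return there can
 * leave ipsec_ip_drop_kstat NULL, so the delete is skipped in that case
 * rather than relying on kstat_delete_netstack() tolerating a NULL kstat.
 * Both pointers are cleared afterwards so a stale kstat is never reused.
 */
void
ip_drop_destroy(ipsec_stack_t *ipss)
{
	if (ipss->ipsec_ip_drop_kstat != NULL) {
		kstat_delete_netstack(ipss->ipsec_ip_drop_kstat,
		    ipss->ipsec_netstack->netstack_stackid);
	}
	ipss->ipsec_ip_drop_kstat = NULL;
	ipss->ipsec_ip_drop_types = NULL;
}

/*
 * Register a packet dropper.
 *
 * Copies name into a freshly allocated ipd->ipd_name (the caller keeps
 * ownership of its own string); ip_drop_unregister() frees the copy.
 * A second registration of an already-named dropper is refused with a
 * warning and leaves the existing name in place.  Sleeping allocation:
 * must not be called from a context that cannot block.
 */
void
ip_drop_register(ipdropper_t *ipd, char *name)
{
	if (ipd->ipd_name != NULL) {
		cmn_err(CE_WARN,
		    "ip_drop_register: ipdropper %s already registered with %s",
		    name, ipd->ipd_name);
		return;
	}

	/* Assume that name is reasonable in length. This isn't user-land. */
	ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP);
	(void) strcpy(ipd->ipd_name, name);
}

/*
 * Un-register a packet dropper.
 *
 * Frees the name copied by ip_drop_register() and clears ipd_name.  The
 * free size is recomputed from strlen(), so the stored name must not be
 * modified between registration and unregistration or the kmem_free()
 * size would no longer match the allocation.
 */
void
ip_drop_unregister(ipdropper_t *ipd)
{
	if (ipd->ipd_name == NULL) {
		cmn_err(CE_WARN,
		    "ip_drop_unregister: not registered (%p)\n",
		    (void *)ipd);
		return;
	}
	kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1);

	ipd->ipd_name = NULL;
}

/*
 * Actually drop a packet. Many things could happen here, but at the least,
 * the packet will be freemsg()ed.
 *
 * mp		packet to drop; NULL is ignored and touches no statistics.
 * inbound	selects the drop__in vs. drop__out probe site.
 * ill		interface passed through to the probe (may be NULL).
 * counter	optional kstat_named_t to increment; only the four integer
 *		kstat data types are handled, anything else is left untouched.
 * who_called	optional dropper whose registered name labels the drop when
 *		no counter is supplied.
 *
 * The counter increment is a plain ++ with no locking or atomics, so
 * concurrent drops on the same counter may lose counts; that is accepted
 * for statistics.  mp must be a single, unchained M_DATA message: both
 * conditions are only checked by ASSERT (DEBUG kernels), chained drops
 * must use a chain-aware dropper.
 */
void
ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *ill,
    struct kstat_named *counter, ipdropper_t *who_called)
{
	char *str;

	if (mp == NULL) {
		/*
		 * Return immediately - NULL packets should not affect any
		 * statistics.
		 */
		return;
	}

	ASSERT(mp->b_datap->db_type == M_DATA);

	/* Increment the bean counter, if available. */
	if (counter != NULL) {
		switch (counter->data_type) {
		case KSTAT_DATA_INT32:
			counter->value.i32++;
			break;
		case KSTAT_DATA_UINT32:
			counter->value.ui32++;
			break;
		case KSTAT_DATA_INT64:
			counter->value.i64++;
			break;
		case KSTAT_DATA_UINT64:
			counter->value.ui64++;
			break;
		default:
			/* Other types we can't handle for now. */
			break;
		}
	}

	/*
	 * Label for the drop.  Note who_called->ipd_name is NULL for a
	 * dropper that was never registered (or was unregistered), and the
	 * probe functions below currently don't consume str at all.
	 */
	if (counter != NULL)
		str = counter->name;
	else if (who_called != NULL)
		str = who_called->ipd_name;
	else
		str = "Unspecified IPsec drop";

	if (inbound)
		ip_drop_input(str, mp, ill);
	else
		ip_drop_output(str, mp, ill);

	/* TODO: queue the packet onto a snoop-friendly queue. */

	/*
	 * ASSERT this isn't a b_next linked mblk chain where a
	 * chained dropper should be used instead
	 */
	ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
	freemsg(mp);
}

/*
 * This is just a convenient place for dtrace to see dropped packets.
 *
 * Fires the ip:::drop-in probe with the packet's IPv4 or IPv6 header.
 * The IP version is read from the first byte at mp->b_rptr; callers are
 * expected to hand over a message whose first mblk holds at least the IP
 * header, no length check is made here.  str is unused (kept for the
 * probe-site signature); ill may be NULL.
 */
/*ARGSUSED*/
void
ip_drop_input(char *str, mblk_t *mp, ill_t *ill)
{
	if (mp == NULL)
		return;

	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
		ipha_t *ipha = (ipha_t *)mp->b_rptr;

		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
		    ip6_t *, NULL, int, 0);
	} else {
		ip6_t *ip6h = (ip6_t *)mp->b_rptr;

		DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
		    ip6_t *, ip6h, int, 0);
	}
}

/*
 * Outbound counterpart of ip_drop_input(): fires the ip:::drop-out probe
 * with the same arguments and the same expectation that the first mblk
 * starts with the IP header.  str is unused; ill may be NULL.
 */
/*ARGSUSED*/
void
ip_drop_output(char *str, mblk_t *mp, ill_t *ill)
{
	if (mp == NULL)
		return;

	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
		ipha_t *ipha = (ipha_t *)mp->b_rptr;

		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
		    ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
		    ip6_t *, NULL, int, 0);
	} else {
		ip6_t *ip6h = (ip6_t *)mp->b_rptr;

		DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
		    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
		    ip6_t *, ip6h, int, 0);
	}
}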