git: b1c3a4d75f4f - main - netipsec: add probe points for the ipsec/esp/ah/ipcomp counters

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 28 Aug 2024 12:34:43 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b1c3a4d75f4ff74218434a11cdd4e56632e13711

commit b1c3a4d75f4ff74218434a11cdd4e56632e13711
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-22 14:41:32 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-08-28 10:02:45 +0000

    netipsec: add probe points for the ipsec/esp/ah/ipcomp counters
    
    Extend what we did for netinet counters in 60d8dbbef075 (netinet: add a probe
    point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters, 2024-01-18) to the
    IPsec code.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46416
---
 sys/netinet/in_kdtrace.c    | 93 +++++++++++++++++++++++++++++++++++++++++++++
 sys/netinet/in_kdtrace.h    | 82 +++++++++++++++++++++++++++++++++++++++
 sys/netipsec/ah_var.h       | 13 ++++++-
 sys/netipsec/esp_var.h      | 14 ++++++-
 sys/netipsec/ipcomp_var.h   | 14 ++++++-
 sys/netipsec/ipsec.h        | 10 ++++-
 sys/netipsec/xform_ah.c     |  4 +-
 sys/netipsec/xform_esp.c    |  8 ++--
 sys/netipsec/xform_ipcomp.c |  4 +-
 9 files changed, 226 insertions(+), 16 deletions(-)

diff --git a/sys/netinet/in_kdtrace.c b/sys/netinet/in_kdtrace.c
index 219bc6482910..bfa57bd8bf1e 100644
--- a/sys/netinet/in_kdtrace.c
+++ b/sys/netinet/in_kdtrace.c
@@ -341,6 +341,99 @@ MIB_PROBE_TCP(tcps_tlpresend_bytes);
 
 MIB_PROBE_TCP(tcps_rcvghostack);
 MIB_PROBE_TCP(tcps_rcvacktooold);
+
+#define	MIB_PROBE_IPSEC(name)	SDT_PROBE_DEFINE1(mib, ipsec, count, name, "int")
+
+MIB_PROBE_IPSEC(ips_in_polvio);
+MIB_PROBE_IPSEC(ips_in_nomem);
+MIB_PROBE_IPSEC(ips_in_inval);
+MIB_PROBE_IPSEC(ips_out_polvio);
+MIB_PROBE_IPSEC(ips_out_nosa);
+MIB_PROBE_IPSEC(ips_out_nomem);
+MIB_PROBE_IPSEC(ips_out_noroute);
+MIB_PROBE_IPSEC(ips_out_inval);
+MIB_PROBE_IPSEC(ips_out_bundlesa);
+
+MIB_PROBE_IPSEC(ips_spdcache_hits);
+MIB_PROBE_IPSEC(ips_spdcache_misses);
+
+MIB_PROBE_IPSEC(ips_clcopied);
+MIB_PROBE_IPSEC(ips_mbinserted);
+MIB_PROBE_IPSEC(ips_input_front);
+MIB_PROBE_IPSEC(ips_input_middle);
+MIB_PROBE_IPSEC(ips_input_end);
+
+#define	MIB_PROBE_ESP(name)	SDT_PROBE_DEFINE1(mib, esp, count, name, "int")
+#define	MIB_PROBE2_ESP(name)	SDT_PROBE_DEFINE2(mib, esp, count, name, "int", "int")
+
+MIB_PROBE_ESP(esps_hdrops);
+MIB_PROBE_ESP(esps_nopf);
+MIB_PROBE_ESP(esps_notdb);
+MIB_PROBE_ESP(esps_badkcr);
+MIB_PROBE_ESP(esps_qfull);
+MIB_PROBE_ESP(esps_noxform);
+MIB_PROBE_ESP(esps_badilen);
+MIB_PROBE_ESP(esps_wrap);
+MIB_PROBE_ESP(esps_badenc);
+MIB_PROBE_ESP(esps_badauth);
+MIB_PROBE_ESP(esps_replay);
+MIB_PROBE_ESP(esps_input);
+MIB_PROBE_ESP(esps_output);
+MIB_PROBE_ESP(esps_invalid);
+MIB_PROBE_ESP(esps_ibytes);
+MIB_PROBE_ESP(esps_obytes);
+MIB_PROBE_ESP(esps_toobig);
+MIB_PROBE_ESP(esps_pdrops);
+MIB_PROBE_ESP(esps_crypto);
+MIB_PROBE_ESP(esps_tunnel);
+MIB_PROBE2_ESP(esps_hist);
+
+#define	MIB_PROBE_AH(name)	SDT_PROBE_DEFINE1(mib, ah, count, name, "int")
+#define	MIB_PROBE_AH2(name)	SDT_PROBE_DEFINE2(mib, ah, count, name, "int", "int")
+
+MIB_PROBE_AH(ahs_hdrops);
+MIB_PROBE_AH(ahs_nopf);
+MIB_PROBE_AH(ahs_notdb);
+MIB_PROBE_AH(ahs_badkcr);
+MIB_PROBE_AH(ahs_badauth);
+MIB_PROBE_AH(ahs_noxform);
+MIB_PROBE_AH(ahs_qfull);
+MIB_PROBE_AH(ahs_wrap);
+MIB_PROBE_AH(ahs_replay);
+MIB_PROBE_AH(ahs_badauthl);
+MIB_PROBE_AH(ahs_input);
+MIB_PROBE_AH(ahs_output);
+MIB_PROBE_AH(ahs_invalid);
+MIB_PROBE_AH(ahs_ibytes);
+MIB_PROBE_AH(ahs_obytes);
+MIB_PROBE_AH(ahs_toobig);
+MIB_PROBE_AH(ahs_pdrops);
+MIB_PROBE_AH(ahs_crypto);
+MIB_PROBE_AH(ahs_tunnel);
+MIB_PROBE_AH2(ahs_hist);
+
+#define	MIB_PROBE_IPCOMP(name)	SDT_PROBE_DEFINE1(mib, ipcomp, count, name, "int")
+#define	MIB_PROBE_IPCOMP2(name)	SDT_PROBE_DEFINE2(mib, ipcomp, count, name, "int", "int")
+
+MIB_PROBE_IPCOMP(ipcomps_hdrops);
+MIB_PROBE_IPCOMP(ipcomps_nopf);
+MIB_PROBE_IPCOMP(ipcomps_notdb);
+MIB_PROBE_IPCOMP(ipcomps_badkcr);
+MIB_PROBE_IPCOMP(ipcomps_qfull);
+MIB_PROBE_IPCOMP(ipcomps_noxform);
+MIB_PROBE_IPCOMP(ipcomps_wrap);
+MIB_PROBE_IPCOMP(ipcomps_input);
+MIB_PROBE_IPCOMP(ipcomps_output);
+MIB_PROBE_IPCOMP(ipcomps_invalid);
+MIB_PROBE_IPCOMP(ipcomps_ibytes);
+MIB_PROBE_IPCOMP(ipcomps_obytes);
+MIB_PROBE_IPCOMP(ipcomps_toobig);
+MIB_PROBE_IPCOMP(ipcomps_pdrops);
+MIB_PROBE_IPCOMP(ipcomps_crypto);
+MIB_PROBE_IPCOMP2(ipcomps_hist);
+MIB_PROBE_IPCOMP(ipcomps_threshold);
+MIB_PROBE_IPCOMP(ipcomps_uncompr);
+
 #endif
 
 SDT_PROBE_DEFINE6_XLATE(ip, , , receive,
diff --git a/sys/netinet/in_kdtrace.h b/sys/netinet/in_kdtrace.h
index 22f181974f93..3fb82ad961dd 100644
--- a/sys/netinet/in_kdtrace.h
+++ b/sys/netinet/in_kdtrace.h
@@ -333,6 +333,88 @@ SDT_PROBE_DECLARE(mib, tcp, count, tcps_tlpresend_bytes);
 
 SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvghostack);
 SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvacktooold);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_polvio);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_nomem);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_inval);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_polvio);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nosa);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nomem);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_noroute);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_inval);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_bundlesa);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_hits);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_misses);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_clcopied);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_mbinserted);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_front);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_middle);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_end);
+
+SDT_PROBE_DECLARE(mib, esp, count, esps_hdrops);
+SDT_PROBE_DECLARE(mib, esp, count, esps_nopf);
+SDT_PROBE_DECLARE(mib, esp, count, esps_notdb);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badkcr);
+SDT_PROBE_DECLARE(mib, esp, count, esps_qfull);
+SDT_PROBE_DECLARE(mib, esp, count, esps_noxform);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badilen);
+SDT_PROBE_DECLARE(mib, esp, count, esps_wrap);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badenc);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badauth);
+SDT_PROBE_DECLARE(mib, esp, count, esps_replay);
+SDT_PROBE_DECLARE(mib, esp, count, esps_input);
+SDT_PROBE_DECLARE(mib, esp, count, esps_output);
+SDT_PROBE_DECLARE(mib, esp, count, esps_invalid);
+SDT_PROBE_DECLARE(mib, esp, count, esps_ibytes);
+SDT_PROBE_DECLARE(mib, esp, count, esps_obytes);
+SDT_PROBE_DECLARE(mib, esp, count, esps_toobig);
+SDT_PROBE_DECLARE(mib, esp, count, esps_pdrops);
+SDT_PROBE_DECLARE(mib, esp, count, esps_crypto);
+SDT_PROBE_DECLARE(mib, esp, count, esps_tunnel);
+SDT_PROBE_DECLARE(mib, esp, count, esps_hist);
+
+SDT_PROBE_DECLARE(mib, ah, count, ahs_hdrops);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_nopf);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_notdb);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badkcr);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badauth);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_noxform);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_qfull);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_wrap);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_replay);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badauthl);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_input);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_output);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_invalid);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_ibytes);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_obytes);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_toobig);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_pdrops);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_crypto);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_tunnel);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_hist);
+
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hdrops);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_nopf);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_notdb);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_badkcr);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_qfull);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_noxform);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_wrap);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_input);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_output);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_invalid);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_ibytes);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_obytes);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_toobig);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_pdrops);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_crypto);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hist);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_threshold);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_uncompr);
+
 #endif
 
 SDT_PROBE_DECLARE(ip, , , receive);
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h
index 7f784a7ddeb3..c77113cf8258 100644
--- a/sys/netipsec/ah_var.h
+++ b/sys/netipsec/ah_var.h
@@ -71,13 +71,22 @@ struct ahstat {
 
 #ifdef _KERNEL
 #include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
 
 VNET_DECLARE(int, ah_enable);
 VNET_DECLARE(int, ah_cleartos);
 VNET_PCPUSTAT_DECLARE(struct ahstat, ahstat);
 
-#define	AHSTAT_ADD(name, val)	\
-    VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name , (val))
+#define AHSTAT_ADD(name, val)                                          \
+	do {                                                           \
+		MIB_SDT_PROBE1(ah, count, name, (val));                \
+		VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name, (val)); \
+	} while (0)
+#define AHSTAT_INC2(name, type)                                          \
+	do {                                                             \
+		MIB_SDT_PROBE2(ah, count, name, 1, (type));              \
+		VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name[type], 1); \
+	} while (0)
 #define	AHSTAT_INC(name)	AHSTAT_ADD(name, 1)
 #define	V_ah_enable		VNET(ah_enable)
 #define	V_ah_cleartos		VNET(ah_cleartos)
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h
index c1f492913107..3490bf2e3c40 100644
--- a/sys/netipsec/esp_var.h
+++ b/sys/netipsec/esp_var.h
@@ -72,15 +72,25 @@ struct espstat {
 
 #ifdef _KERNEL
 #include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
 
 VNET_DECLARE(int, esp_enable);
 VNET_DECLARE(int, esp_ctr_compatibility);
 #define V_esp_ctr_compatibility VNET(esp_ctr_compatibility)
 VNET_PCPUSTAT_DECLARE(struct espstat, espstat);
 
-#define	ESPSTAT_ADD(name, val)	\
-    VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val))
+#define ESPSTAT_ADD(name, val)                                           \
+	do {                                                             \
+		MIB_SDT_PROBE1(esp, count, name, (val));                 \
+		VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val)); \
+	} while (0)
 #define	ESPSTAT_INC(name)	ESPSTAT_ADD(name, 1)
+#define ESPSTAT_INC2(name, type)                                               \
+	do {                                                                   \
+		MIB_SDT_PROBE2(esp, count, name, 1, (type));                   \
+		VNET_PCPUSTAT_ADD(struct espstat, espstat, name[type], 1); \
+	} while (0)
+
 #define	V_esp_enable	VNET(esp_enable)
 #endif /* _KERNEL */
 #endif /*_NETIPSEC_ESP_VAR_H_*/
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index 396af64b57a2..3af4a3c199e4 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -66,12 +66,22 @@ struct ipcompstat {
 
 #ifdef _KERNEL
 #include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
 
 VNET_DECLARE(int, ipcomp_enable);
 VNET_PCPUSTAT_DECLARE(struct ipcompstat, ipcompstat);
 
-#define	IPCOMPSTAT_ADD(name, val)	\
-    VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val))
+#define IPCOMPSTAT_ADD(name, val)                                              \
+	do {                                                                   \
+		MIB_SDT_PROBE1(ipcomp, count, name, (val));                    \
+		VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val)); \
+	} while (0)
+#define IPCOMPSTAT_INC2(name, type)                                          \
+	do {                                                                 \
+		MIB_SDT_PROBE2(ipcomp, count, name, 1, (type));              \
+		VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name[type], \
+		    1);                                                      \
+	} while (0)
 #define	IPCOMPSTAT_INC(name)		IPCOMPSTAT_ADD(name, 1)
 #define	V_ipcomp_enable		VNET(ipcomp_enable)
 #endif /* _KERNEL */
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 749813518092..8f3e8f02d88b 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -48,6 +48,8 @@
 #include <sys/_rwlock.h>
 #include <sys/sysctl.h>
 
+#include <netinet/in_kdtrace.h>
+
 #define	IPSEC_ASSERT(_c,_m) KASSERT(_c, _m)
 
 /*
@@ -295,8 +297,12 @@ VNET_DECLARE(int, crypto_support);
 VNET_DECLARE(int, async_crypto);
 VNET_DECLARE(int, natt_cksum_policy);
 
-#define	IPSECSTAT_INC(name)	\
-    VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
+#define IPSECSTAT_INC(name)                                               \
+	do {                                                              \
+		MIB_SDT_PROBE1(ipsec, count, name, 1);                    \
+		VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1); \
+	} while (0)
+
 #define	V_ip4_esp_trans_deflev	VNET(ip4_esp_trans_deflev)
 #define	V_ip4_esp_net_deflev	VNET(ip4_esp_net_deflev)
 #define	V_ip4_ah_trans_deflev	VNET(ip4_ah_trans_deflev)
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 4619ecaf8197..8f08872eb38a 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -731,7 +731,7 @@ ah_input_cb(struct cryptop *crp)
 		error = crp->crp_etype;
 		goto bad;
 	} else {
-		AHSTAT_INC(ahs_hist[sav->alg_auth]);
+		AHSTAT_INC2(ahs_hist, sav->alg_auth);
 		crypto_freereq(crp);		/* No longer needed. */
 		crp = NULL;
 	}
@@ -1137,7 +1137,7 @@ ah_output_cb(struct cryptop *crp)
 
 	free(xd, M_AH);
 	crypto_freereq(crp);
-	AHSTAT_INC(ahs_hist[sav->alg_auth]);
+	AHSTAT_INC2(ahs_hist, sav->alg_auth);
 #ifdef REGRESSION
 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
 	if (V_ipsec_integrity) {
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 599134f056ca..7aec10549e6c 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -548,12 +548,12 @@ esp_input_cb(struct cryptop *crp)
 		error = EINVAL;
 		goto bad;
 	}
-	ESPSTAT_INC(esps_hist[sav->alg_enc]);
+	ESPSTAT_INC2(esps_hist, sav->alg_enc);
 
 	/* If authentication was performed, check now. */
 	if (esph != NULL) {
 		alen = xform_ah_authsize(esph);
-		AHSTAT_INC(ahs_hist[sav->alg_auth]);
+		AHSTAT_INC2(ahs_hist, sav->alg_auth);
 		if (crp->crp_etype == EBADMSG) {
 			DPRINTF(("%s: authentication hash mismatch for "
 			    "packet in SA %s/%08lx\n", __func__,
@@ -1033,9 +1033,9 @@ esp_output_cb(struct cryptop *crp)
 	free(xd, M_ESP);
 	free(crp->crp_aad, M_ESP);
 	crypto_freereq(crp);
-	ESPSTAT_INC(esps_hist[sav->alg_enc]);
+	ESPSTAT_INC2(esps_hist, sav->alg_enc);
 	if (sav->tdb_authalgxform != NULL)
-		AHSTAT_INC(ahs_hist[sav->alg_auth]);
+		AHSTAT_INC2(ahs_hist, sav->alg_auth);
 
 #ifdef REGRESSION
 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 9a8d132d564d..737d4a50098a 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -327,7 +327,7 @@ ipcomp_input_cb(struct cryptop *crp)
 		error = EINVAL;
 		goto bad;
 	}
-	IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
+	IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
 
 	clen = crp->crp_olen;		/* Length of data after processing */
 
@@ -571,7 +571,7 @@ ipcomp_output_cb(struct cryptop *crp)
 		error = EINVAL;
 		goto bad;
 	}
-	IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
+	IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
 
 	if (crp->crp_payload_length > crp->crp_olen) {
 		struct mbuf *mo;