git: b1c3a4d75f4f - main - netipsec: add probe points for the ipsec/esp/ah/ipcomp counters
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 28 Aug 2024 12:34:43 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b1c3a4d75f4ff74218434a11cdd4e56632e13711 commit b1c3a4d75f4ff74218434a11cdd4e56632e13711 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-08-22 14:41:32 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-08-28 10:02:45 +0000 netipsec: add probe points for the ipsec/esp/ah/ipcomp counters Extend what we did for netinet counters in 60d8dbbef075 (netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters, 2024-01-18) to the IPsec code. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46416 --- sys/netinet/in_kdtrace.c | 93 +++++++++++++++++++++++++++++++++++++++++++++ sys/netinet/in_kdtrace.h | 82 +++++++++++++++++++++++++++++++++++++++ sys/netipsec/ah_var.h | 13 ++++++- sys/netipsec/esp_var.h | 14 ++++++- sys/netipsec/ipcomp_var.h | 14 ++++++- sys/netipsec/ipsec.h | 10 ++++- sys/netipsec/xform_ah.c | 4 +- sys/netipsec/xform_esp.c | 8 ++-- sys/netipsec/xform_ipcomp.c | 4 +- 9 files changed, 226 insertions(+), 16 deletions(-) diff --git a/sys/netinet/in_kdtrace.c b/sys/netinet/in_kdtrace.c index 219bc6482910..bfa57bd8bf1e 100644 --- a/sys/netinet/in_kdtrace.c +++ b/sys/netinet/in_kdtrace.c @@ -341,6 +341,99 @@ MIB_PROBE_TCP(tcps_tlpresend_bytes); MIB_PROBE_TCP(tcps_rcvghostack); MIB_PROBE_TCP(tcps_rcvacktooold); + +#define MIB_PROBE_IPSEC(name) SDT_PROBE_DEFINE1(mib, ipsec, count, name, "int") + +MIB_PROBE_IPSEC(ips_in_polvio); +MIB_PROBE_IPSEC(ips_in_nomem); +MIB_PROBE_IPSEC(ips_in_inval); +MIB_PROBE_IPSEC(ips_out_polvio); +MIB_PROBE_IPSEC(ips_out_nosa); +MIB_PROBE_IPSEC(ips_out_nomem); +MIB_PROBE_IPSEC(ips_out_noroute); +MIB_PROBE_IPSEC(ips_out_inval); +MIB_PROBE_IPSEC(ips_out_bundlesa); + +MIB_PROBE_IPSEC(ips_spdcache_hits); +MIB_PROBE_IPSEC(ips_spdcache_misses); + +MIB_PROBE_IPSEC(ips_clcopied); +MIB_PROBE_IPSEC(ips_mbinserted); +MIB_PROBE_IPSEC(ips_input_front); +MIB_PROBE_IPSEC(ips_input_middle); +MIB_PROBE_IPSEC(ips_input_end); + +#define MIB_PROBE_ESP(name) SDT_PROBE_DEFINE1(mib, esp, count, name, "int") +#define MIB_PROBE2_ESP(name) SDT_PROBE_DEFINE2(mib, esp, count, name, "int", "int") + +MIB_PROBE_ESP(esps_hdrops); +MIB_PROBE_ESP(esps_nopf); +MIB_PROBE_ESP(esps_notdb); +MIB_PROBE_ESP(esps_badkcr); +MIB_PROBE_ESP(esps_qfull); +MIB_PROBE_ESP(esps_noxform); +MIB_PROBE_ESP(esps_badilen); +MIB_PROBE_ESP(esps_wrap); +MIB_PROBE_ESP(esps_badenc); +MIB_PROBE_ESP(esps_badauth); +MIB_PROBE_ESP(esps_replay); +MIB_PROBE_ESP(esps_input); +MIB_PROBE_ESP(esps_output); +MIB_PROBE_ESP(esps_invalid); +MIB_PROBE_ESP(esps_ibytes); +MIB_PROBE_ESP(esps_obytes); +MIB_PROBE_ESP(esps_toobig); +MIB_PROBE_ESP(esps_pdrops); +MIB_PROBE_ESP(esps_crypto); +MIB_PROBE_ESP(esps_tunnel); +MIB_PROBE2_ESP(esps_hist); + +#define MIB_PROBE_AH(name) SDT_PROBE_DEFINE1(mib, ah, count, name, "int") +#define MIB_PROBE_AH2(name) SDT_PROBE_DEFINE2(mib, ah, count, name, "int", "int") + +MIB_PROBE_AH(ahs_hdrops); +MIB_PROBE_AH(ahs_nopf); +MIB_PROBE_AH(ahs_notdb); +MIB_PROBE_AH(ahs_badkcr); +MIB_PROBE_AH(ahs_badauth); +MIB_PROBE_AH(ahs_noxform); +MIB_PROBE_AH(ahs_qfull); +MIB_PROBE_AH(ahs_wrap); +MIB_PROBE_AH(ahs_replay); +MIB_PROBE_AH(ahs_badauthl); +MIB_PROBE_AH(ahs_input); +MIB_PROBE_AH(ahs_output); +MIB_PROBE_AH(ahs_invalid); +MIB_PROBE_AH(ahs_ibytes); +MIB_PROBE_AH(ahs_obytes); +MIB_PROBE_AH(ahs_toobig); +MIB_PROBE_AH(ahs_pdrops); +MIB_PROBE_AH(ahs_crypto); +MIB_PROBE_AH(ahs_tunnel); +MIB_PROBE_AH2(ahs_hist); + +#define MIB_PROBE_IPCOMP(name) SDT_PROBE_DEFINE1(mib, ipcomp, count, name, "int") +#define MIB_PROBE_IPCOMP2(name) SDT_PROBE_DEFINE2(mib, ipcomp, count, name, "int", "int") + +MIB_PROBE_IPCOMP(ipcomps_hdrops); +MIB_PROBE_IPCOMP(ipcomps_nopf); +MIB_PROBE_IPCOMP(ipcomps_notdb); +MIB_PROBE_IPCOMP(ipcomps_badkcr); +MIB_PROBE_IPCOMP(ipcomps_qfull); +MIB_PROBE_IPCOMP(ipcomps_noxform); +MIB_PROBE_IPCOMP(ipcomps_wrap); +MIB_PROBE_IPCOMP(ipcomps_input); +MIB_PROBE_IPCOMP(ipcomps_output); +MIB_PROBE_IPCOMP(ipcomps_invalid); +MIB_PROBE_IPCOMP(ipcomps_ibytes); +MIB_PROBE_IPCOMP(ipcomps_obytes); +MIB_PROBE_IPCOMP(ipcomps_toobig); +MIB_PROBE_IPCOMP(ipcomps_pdrops); +MIB_PROBE_IPCOMP(ipcomps_crypto); +MIB_PROBE_IPCOMP2(ipcomps_hist); +MIB_PROBE_IPCOMP(ipcomps_threshold); +MIB_PROBE_IPCOMP(ipcomps_uncompr); + #endif SDT_PROBE_DEFINE6_XLATE(ip, , , receive, diff --git a/sys/netinet/in_kdtrace.h b/sys/netinet/in_kdtrace.h index 22f181974f93..3fb82ad961dd 100644 --- a/sys/netinet/in_kdtrace.h +++ b/sys/netinet/in_kdtrace.h @@ -333,6 +333,88 @@ SDT_PROBE_DECLARE(mib, tcp, count, tcps_tlpresend_bytes); SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvghostack); SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvacktooold); + +SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_polvio); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_nomem); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_inval); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_polvio); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nosa); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nomem); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_noroute); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_inval); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_bundlesa); + +SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_hits); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_misses); + +SDT_PROBE_DECLARE(mib, ipsec, count, ips_clcopied); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_mbinserted); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_front); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_middle); +SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_end); + +SDT_PROBE_DECLARE(mib, esp, count, esps_hdrops); +SDT_PROBE_DECLARE(mib, esp, count, esps_nopf); +SDT_PROBE_DECLARE(mib, esp, count, esps_notdb); +SDT_PROBE_DECLARE(mib, esp, count, esps_badkcr); +SDT_PROBE_DECLARE(mib, esp, count, esps_qfull); +SDT_PROBE_DECLARE(mib, esp, count, esps_noxform); +SDT_PROBE_DECLARE(mib, esp, count, esps_badilen); +SDT_PROBE_DECLARE(mib, esp, count, esps_wrap); +SDT_PROBE_DECLARE(mib, esp, count, esps_badenc); +SDT_PROBE_DECLARE(mib, esp, count, esps_badauth); +SDT_PROBE_DECLARE(mib, esp, count, esps_replay); +SDT_PROBE_DECLARE(mib, esp, count, esps_input); +SDT_PROBE_DECLARE(mib, esp, count, esps_output); +SDT_PROBE_DECLARE(mib, esp, count, esps_invalid); +SDT_PROBE_DECLARE(mib, esp, count, esps_ibytes); +SDT_PROBE_DECLARE(mib, esp, count, esps_obytes); +SDT_PROBE_DECLARE(mib, esp, count, esps_toobig); +SDT_PROBE_DECLARE(mib, esp, count, esps_pdrops); +SDT_PROBE_DECLARE(mib, esp, count, esps_crypto); +SDT_PROBE_DECLARE(mib, esp, count, esps_tunnel); +SDT_PROBE_DECLARE(mib, esp, count, esps_hist); + +SDT_PROBE_DECLARE(mib, ah, count, ahs_hdrops); +SDT_PROBE_DECLARE(mib, ah, count, ahs_nopf); +SDT_PROBE_DECLARE(mib, ah, count, ahs_notdb); +SDT_PROBE_DECLARE(mib, ah, count, ahs_badkcr); +SDT_PROBE_DECLARE(mib, ah, count, ahs_badauth); +SDT_PROBE_DECLARE(mib, ah, count, ahs_noxform); +SDT_PROBE_DECLARE(mib, ah, count, ahs_qfull); +SDT_PROBE_DECLARE(mib, ah, count, ahs_wrap); +SDT_PROBE_DECLARE(mib, ah, count, ahs_replay); +SDT_PROBE_DECLARE(mib, ah, count, ahs_badauthl); +SDT_PROBE_DECLARE(mib, ah, count, ahs_input); +SDT_PROBE_DECLARE(mib, ah, count, ahs_output); +SDT_PROBE_DECLARE(mib, ah, count, ahs_invalid); +SDT_PROBE_DECLARE(mib, ah, count, ahs_ibytes); +SDT_PROBE_DECLARE(mib, ah, count, ahs_obytes); +SDT_PROBE_DECLARE(mib, ah, count, ahs_toobig); +SDT_PROBE_DECLARE(mib, ah, count, ahs_pdrops); +SDT_PROBE_DECLARE(mib, ah, count, ahs_crypto); +SDT_PROBE_DECLARE(mib, ah, count, ahs_tunnel); +SDT_PROBE_DECLARE(mib, ah, count, ahs_hist); + +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hdrops); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_nopf); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_notdb); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_badkcr); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_qfull); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_noxform); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_wrap); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_input); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_output); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_invalid); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_ibytes); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_obytes); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_toobig); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_pdrops); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_crypto); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hist); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_threshold); +SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_uncompr); + #endif SDT_PROBE_DECLARE(ip, , , receive); diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h index 7f784a7ddeb3..c77113cf8258 100644 --- a/sys/netipsec/ah_var.h +++ b/sys/netipsec/ah_var.h @@ -71,13 +71,22 @@ struct ahstat { #ifdef _KERNEL #include <sys/counter.h> +#include <netinet/in_kdtrace.h> VNET_DECLARE(int, ah_enable); VNET_DECLARE(int, ah_cleartos); VNET_PCPUSTAT_DECLARE(struct ahstat, ahstat); -#define AHSTAT_ADD(name, val) \ - VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name , (val)) +#define AHSTAT_ADD(name, val) \ + do { \ + MIB_SDT_PROBE1(ah, count, name, (val)); \ + VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name, (val)); \ + } while (0) +#define AHSTAT_INC2(name, type) \ + do { \ + MIB_SDT_PROBE2(ah, count, name, 1, (type)); \ + VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name[type], 1); \ + } while (0) #define AHSTAT_INC(name) AHSTAT_ADD(name, 1) #define V_ah_enable VNET(ah_enable) #define V_ah_cleartos VNET(ah_cleartos) diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h index c1f492913107..3490bf2e3c40 100644 --- a/sys/netipsec/esp_var.h +++ b/sys/netipsec/esp_var.h @@ -72,15 +72,25 @@ struct espstat { #ifdef _KERNEL #include <sys/counter.h> +#include <netinet/in_kdtrace.h> VNET_DECLARE(int, esp_enable); VNET_DECLARE(int, esp_ctr_compatibility); #define V_esp_ctr_compatibility VNET(esp_ctr_compatibility) VNET_PCPUSTAT_DECLARE(struct espstat, espstat); -#define ESPSTAT_ADD(name, val) \ - VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val)) +#define ESPSTAT_ADD(name, val) \ + do { \ + MIB_SDT_PROBE1(esp, count, name, (val)); \ + VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val)); \ + } while (0) #define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1) +#define ESPSTAT_INC2(name, type) \ + do { \ + MIB_SDT_PROBE2(esp, count, name, 1, (type)); \ + VNET_PCPUSTAT_ADD(struct espstat, espstat, name[type], 1); \ + } while (0) + #define V_esp_enable VNET(esp_enable) #endif /* _KERNEL */ #endif /*_NETIPSEC_ESP_VAR_H_*/ diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h index 396af64b57a2..3af4a3c199e4 100644 --- a/sys/netipsec/ipcomp_var.h +++ b/sys/netipsec/ipcomp_var.h @@ -66,12 +66,22 @@ struct ipcompstat { #ifdef _KERNEL #include <sys/counter.h> +#include <netinet/in_kdtrace.h> VNET_DECLARE(int, ipcomp_enable); VNET_PCPUSTAT_DECLARE(struct ipcompstat, ipcompstat); -#define IPCOMPSTAT_ADD(name, val) \ - VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val)) +#define IPCOMPSTAT_ADD(name, val) \ + do { \ + MIB_SDT_PROBE1(ipcomp, count, name, (val)); \ + VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val)); \ + } while (0) +#define IPCOMPSTAT_INC2(name, type) \ + do { \ + MIB_SDT_PROBE2(ipcomp, count, name, 1, (type)); \ + VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name[type], \ + 1); \ + } while (0) #define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1) #define V_ipcomp_enable VNET(ipcomp_enable) #endif /* _KERNEL */ diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 749813518092..8f3e8f02d88b 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -48,6 +48,8 @@ #include <sys/_rwlock.h> #include <sys/sysctl.h> +#include <netinet/in_kdtrace.h> + #define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m) /* @@ -295,8 +297,12 @@ VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, async_crypto); VNET_DECLARE(int, natt_cksum_policy); -#define IPSECSTAT_INC(name) \ - VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1) +#define IPSECSTAT_INC(name) \ + do { \ + MIB_SDT_PROBE1(ipsec, count, name, 1); \ + VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1); \ + } while (0) + #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) #define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev) #define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev) diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 4619ecaf8197..8f08872eb38a 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -731,7 +731,7 @@ ah_input_cb(struct cryptop *crp) error = crp->crp_etype; goto bad; } else { - AHSTAT_INC(ahs_hist[sav->alg_auth]); + AHSTAT_INC2(ahs_hist, sav->alg_auth); crypto_freereq(crp); /* No longer needed. */ crp = NULL; } @@ -1137,7 +1137,7 @@ ah_output_cb(struct cryptop *crp) free(xd, M_AH); crypto_freereq(crp); - AHSTAT_INC(ahs_hist[sav->alg_auth]); + AHSTAT_INC2(ahs_hist, sav->alg_auth); #ifdef REGRESSION /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ if (V_ipsec_integrity) { diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 599134f056ca..7aec10549e6c 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -548,12 +548,12 @@ esp_input_cb(struct cryptop *crp) error = EINVAL; goto bad; } - ESPSTAT_INC(esps_hist[sav->alg_enc]); + ESPSTAT_INC2(esps_hist, sav->alg_enc); /* If authentication was performed, check now. */ if (esph != NULL) { alen = xform_ah_authsize(esph); - AHSTAT_INC(ahs_hist[sav->alg_auth]); + AHSTAT_INC2(ahs_hist, sav->alg_auth); if (crp->crp_etype == EBADMSG) { DPRINTF(("%s: authentication hash mismatch for " "packet in SA %s/%08lx\n", __func__, @@ -1033,9 +1033,9 @@ esp_output_cb(struct cryptop *crp) free(xd, M_ESP); free(crp->crp_aad, M_ESP); crypto_freereq(crp); - ESPSTAT_INC(esps_hist[sav->alg_enc]); + ESPSTAT_INC2(esps_hist, sav->alg_enc); if (sav->tdb_authalgxform != NULL) - AHSTAT_INC(ahs_hist[sav->alg_auth]); + AHSTAT_INC2(ahs_hist, sav->alg_auth); #ifdef REGRESSION /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 9a8d132d564d..737d4a50098a 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -327,7 +327,7 @@ ipcomp_input_cb(struct cryptop *crp) error = EINVAL; goto bad; } - IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); + IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp); clen = crp->crp_olen; /* Length of data after processing */ @@ -571,7 +571,7 @@ ipcomp_output_cb(struct cryptop *crp) error = EINVAL; goto bad; } - IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); + IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp); if (crp->crp_payload_length > crp->crp_olen) { struct mbuf *mo;