The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=b1c3a4d75f4ff74218434a11cdd4e56632e13711
commit b1c3a4d75f4ff74218434a11cdd4e56632e13711
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-08-22 14:41:32 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2024-08-28 10:02:45 +0000
netipsec: add probe points for the ipsec/esp/ah/ipcomp counters
Extend what we did for netinet counters in 60d8dbbef075 (netinet: add a
probe
point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters, 2024-01-18) to
the
IPsec code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46416
---
sys/netinet/in_kdtrace.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
sys/netinet/in_kdtrace.h | 82 +++++++++++++++++++++++++++++++++++++++
sys/netipsec/ah_var.h | 13 ++++++-
sys/netipsec/esp_var.h | 14 ++++++-
sys/netipsec/ipcomp_var.h | 14 ++++++-
sys/netipsec/ipsec.h | 10 ++++-
sys/netipsec/xform_ah.c | 4 +-
sys/netipsec/xform_esp.c | 8 ++--
sys/netipsec/xform_ipcomp.c | 4 +-
9 files changed, 226 insertions(+), 16 deletions(-)
diff --git a/sys/netinet/in_kdtrace.c b/sys/netinet/in_kdtrace.c
index 219bc6482910..bfa57bd8bf1e 100644
--- a/sys/netinet/in_kdtrace.c
+++ b/sys/netinet/in_kdtrace.c
@@ -341,6 +341,99 @@ MIB_PROBE_TCP(tcps_tlpresend_bytes);
MIB_PROBE_TCP(tcps_rcvghostack);
MIB_PROBE_TCP(tcps_rcvacktooold);
+
+#define MIB_PROBE_IPSEC(name) SDT_PROBE_DEFINE1(mib, ipsec, count,
name, "int")
+
+MIB_PROBE_IPSEC(ips_in_polvio);
+MIB_PROBE_IPSEC(ips_in_nomem);
+MIB_PROBE_IPSEC(ips_in_inval);
+MIB_PROBE_IPSEC(ips_out_polvio);
+MIB_PROBE_IPSEC(ips_out_nosa);
+MIB_PROBE_IPSEC(ips_out_nomem);
+MIB_PROBE_IPSEC(ips_out_noroute);
+MIB_PROBE_IPSEC(ips_out_inval);
+MIB_PROBE_IPSEC(ips_out_bundlesa);
+
+MIB_PROBE_IPSEC(ips_spdcache_hits);
+MIB_PROBE_IPSEC(ips_spdcache_misses);
+
+MIB_PROBE_IPSEC(ips_clcopied);
+MIB_PROBE_IPSEC(ips_mbinserted);
+MIB_PROBE_IPSEC(ips_input_front);
+MIB_PROBE_IPSEC(ips_input_middle);
+MIB_PROBE_IPSEC(ips_input_end);
+
+#define MIB_PROBE_ESP(name) SDT_PROBE_DEFINE1(mib, esp, count,
name, "int")
+#define MIB_PROBE2_ESP(name) SDT_PROBE_DEFINE2(mib, esp, count,
name, "int", "int")
+
+MIB_PROBE_ESP(esps_hdrops);
+MIB_PROBE_ESP(esps_nopf);
+MIB_PROBE_ESP(esps_notdb);
+MIB_PROBE_ESP(esps_badkcr);
+MIB_PROBE_ESP(esps_qfull);
+MIB_PROBE_ESP(esps_noxform);
+MIB_PROBE_ESP(esps_badilen);
+MIB_PROBE_ESP(esps_wrap);
+MIB_PROBE_ESP(esps_badenc);
+MIB_PROBE_ESP(esps_badauth);
+MIB_PROBE_ESP(esps_replay);
+MIB_PROBE_ESP(esps_input);
+MIB_PROBE_ESP(esps_output);
+MIB_PROBE_ESP(esps_invalid);
+MIB_PROBE_ESP(esps_ibytes);
+MIB_PROBE_ESP(esps_obytes);
+MIB_PROBE_ESP(esps_toobig);
+MIB_PROBE_ESP(esps_pdrops);
+MIB_PROBE_ESP(esps_crypto);
+MIB_PROBE_ESP(esps_tunnel);
+MIB_PROBE2_ESP(esps_hist);
+
+#define MIB_PROBE_AH(name) SDT_PROBE_DEFINE1(mib, ah, count, name,
"int")
+#define MIB_PROBE_AH2(name) SDT_PROBE_DEFINE2(mib, ah, count, name,
"int", "int")
+
+MIB_PROBE_AH(ahs_hdrops);
+MIB_PROBE_AH(ahs_nopf);
+MIB_PROBE_AH(ahs_notdb);
+MIB_PROBE_AH(ahs_badkcr);
+MIB_PROBE_AH(ahs_badauth);
+MIB_PROBE_AH(ahs_noxform);
+MIB_PROBE_AH(ahs_qfull);
+MIB_PROBE_AH(ahs_wrap);
+MIB_PROBE_AH(ahs_replay);
+MIB_PROBE_AH(ahs_badauthl);
+MIB_PROBE_AH(ahs_input);
+MIB_PROBE_AH(ahs_output);
+MIB_PROBE_AH(ahs_invalid);
+MIB_PROBE_AH(ahs_ibytes);
+MIB_PROBE_AH(ahs_obytes);
+MIB_PROBE_AH(ahs_toobig);
+MIB_PROBE_AH(ahs_pdrops);
+MIB_PROBE_AH(ahs_crypto);
+MIB_PROBE_AH(ahs_tunnel);
+MIB_PROBE_AH2(ahs_hist);
+
+#define MIB_PROBE_IPCOMP(name) SDT_PROBE_DEFINE1(mib, ipcomp, count,
name, "int")
+#define MIB_PROBE_IPCOMP2(name) SDT_PROBE_DEFINE2(mib, ipcomp, count,
name, "int", "int")
+
+MIB_PROBE_IPCOMP(ipcomps_hdrops);
+MIB_PROBE_IPCOMP(ipcomps_nopf);
+MIB_PROBE_IPCOMP(ipcomps_notdb);
+MIB_PROBE_IPCOMP(ipcomps_badkcr);
+MIB_PROBE_IPCOMP(ipcomps_qfull);
+MIB_PROBE_IPCOMP(ipcomps_noxform);
+MIB_PROBE_IPCOMP(ipcomps_wrap);
+MIB_PROBE_IPCOMP(ipcomps_input);
+MIB_PROBE_IPCOMP(ipcomps_output);
+MIB_PROBE_IPCOMP(ipcomps_invalid);
+MIB_PROBE_IPCOMP(ipcomps_ibytes);
+MIB_PROBE_IPCOMP(ipcomps_obytes);
+MIB_PROBE_IPCOMP(ipcomps_toobig);
+MIB_PROBE_IPCOMP(ipcomps_pdrops);
+MIB_PROBE_IPCOMP(ipcomps_crypto);
+MIB_PROBE_IPCOMP2(ipcomps_hist);
+MIB_PROBE_IPCOMP(ipcomps_threshold);
+MIB_PROBE_IPCOMP(ipcomps_uncompr);
+
#endif
SDT_PROBE_DEFINE6_XLATE(ip, , , receive,
diff --git a/sys/netinet/in_kdtrace.h b/sys/netinet/in_kdtrace.h
index 22f181974f93..3fb82ad961dd 100644
--- a/sys/netinet/in_kdtrace.h
+++ b/sys/netinet/in_kdtrace.h
@@ -333,6 +333,88 @@ SDT_PROBE_DECLARE(mib, tcp, count, tcps_tlpresend_bytes);
SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvghostack);
SDT_PROBE_DECLARE(mib, tcp, count, tcps_rcvacktooold);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_polvio);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_nomem);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_in_inval);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_polvio);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nosa);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_nomem);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_noroute);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_inval);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_out_bundlesa);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_hits);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_spdcache_misses);
+
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_clcopied);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_mbinserted);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_front);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_middle);
+SDT_PROBE_DECLARE(mib, ipsec, count, ips_input_end);
+
+SDT_PROBE_DECLARE(mib, esp, count, esps_hdrops);
+SDT_PROBE_DECLARE(mib, esp, count, esps_nopf);
+SDT_PROBE_DECLARE(mib, esp, count, esps_notdb);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badkcr);
+SDT_PROBE_DECLARE(mib, esp, count, esps_qfull);
+SDT_PROBE_DECLARE(mib, esp, count, esps_noxform);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badilen);
+SDT_PROBE_DECLARE(mib, esp, count, esps_wrap);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badenc);
+SDT_PROBE_DECLARE(mib, esp, count, esps_badauth);
+SDT_PROBE_DECLARE(mib, esp, count, esps_replay);
+SDT_PROBE_DECLARE(mib, esp, count, esps_input);
+SDT_PROBE_DECLARE(mib, esp, count, esps_output);
+SDT_PROBE_DECLARE(mib, esp, count, esps_invalid);
+SDT_PROBE_DECLARE(mib, esp, count, esps_ibytes);
+SDT_PROBE_DECLARE(mib, esp, count, esps_obytes);
+SDT_PROBE_DECLARE(mib, esp, count, esps_toobig);
+SDT_PROBE_DECLARE(mib, esp, count, esps_pdrops);
+SDT_PROBE_DECLARE(mib, esp, count, esps_crypto);
+SDT_PROBE_DECLARE(mib, esp, count, esps_tunnel);
+SDT_PROBE_DECLARE(mib, esp, count, esps_hist);
+
+SDT_PROBE_DECLARE(mib, ah, count, ahs_hdrops);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_nopf);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_notdb);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badkcr);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badauth);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_noxform);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_qfull);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_wrap);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_replay);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_badauthl);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_input);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_output);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_invalid);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_ibytes);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_obytes);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_toobig);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_pdrops);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_crypto);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_tunnel);
+SDT_PROBE_DECLARE(mib, ah, count, ahs_hist);
+
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hdrops);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_nopf);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_notdb);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_badkcr);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_qfull);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_noxform);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_wrap);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_input);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_output);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_invalid);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_ibytes);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_obytes);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_toobig);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_pdrops);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_crypto);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_hist);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_threshold);
+SDT_PROBE_DECLARE(mib, ipcomp, count, ipcomps_uncompr);
+
#endif
SDT_PROBE_DECLARE(ip, , , receive);
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h
index 7f784a7ddeb3..c77113cf8258 100644
--- a/sys/netipsec/ah_var.h
+++ b/sys/netipsec/ah_var.h
@@ -71,13 +71,22 @@ struct ahstat {
#ifdef _KERNEL
#include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
VNET_DECLARE(int, ah_enable);
VNET_DECLARE(int, ah_cleartos);
VNET_PCPUSTAT_DECLARE(struct ahstat, ahstat);
-#define AHSTAT_ADD(name, val) \
- VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name , (val))
+#define AHSTAT_ADD(name, val) \
+ do { \
+ MIB_SDT_PROBE1(ah, count, name, (val)); \
+ VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name, (val)); \
+ } while (0)
+#define AHSTAT_INC2(name, type) \
+ do { \
+ MIB_SDT_PROBE2(ah, count, name, 1, (type)); \
+ VNET_PCPUSTAT_ADD(struct ahstat, ahstat, name[type], 1); \
+ } while (0)
#define AHSTAT_INC(name) AHSTAT_ADD(name, 1)
#define V_ah_enable VNET(ah_enable)
#define V_ah_cleartos VNET(ah_cleartos)
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h
index c1f492913107..3490bf2e3c40 100644
--- a/sys/netipsec/esp_var.h
+++ b/sys/netipsec/esp_var.h
@@ -72,15 +72,25 @@ struct espstat {
#ifdef _KERNEL
#include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
VNET_DECLARE(int, esp_enable);
VNET_DECLARE(int, esp_ctr_compatibility);
#define V_esp_ctr_compatibility VNET(esp_ctr_compatibility)
VNET_PCPUSTAT_DECLARE(struct espstat, espstat);
-#define ESPSTAT_ADD(name, val) \
- VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val))
+#define ESPSTAT_ADD(name, val) \
+ do { \
+ MIB_SDT_PROBE1(esp, count, name, (val)); \
+ VNET_PCPUSTAT_ADD(struct espstat, espstat, name, (val)); \
+ } while (0)
#define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1)
+#define ESPSTAT_INC2(name, type)
\
+ do { \
+ MIB_SDT_PROBE2(esp, count, name, 1, (type)); \
+ VNET_PCPUSTAT_ADD(struct espstat, espstat, name[type], 1); \
+ } while (0)
+
#define V_esp_enable VNET(esp_enable)
#endif /* _KERNEL */
#endif /*_NETIPSEC_ESP_VAR_H_*/
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index 396af64b57a2..3af4a3c199e4 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -66,12 +66,22 @@ struct ipcompstat {
#ifdef _KERNEL
#include <sys/counter.h>
+#include <netinet/in_kdtrace.h>
VNET_DECLARE(int, ipcomp_enable);
VNET_PCPUSTAT_DECLARE(struct ipcompstat, ipcompstat);
-#define IPCOMPSTAT_ADD(name, val) \
- VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val))
+#define IPCOMPSTAT_ADD(name, val)
\
+ do { \
+ MIB_SDT_PROBE1(ipcomp, count, name, (val)); \
+ VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name, (val)); \
+ } while (0)
+#define IPCOMPSTAT_INC2(name, type) \
+ do { \
+ MIB_SDT_PROBE2(ipcomp, count, name, 1, (type)); \
+ VNET_PCPUSTAT_ADD(struct ipcompstat, ipcompstat, name[type], \
+ 1); \
+ } while (0)
#define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1)
#define V_ipcomp_enable VNET(ipcomp_enable)
#endif /* _KERNEL */
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 749813518092..8f3e8f02d88b 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -48,6 +48,8 @@
#include <sys/_rwlock.h>
#include <sys/sysctl.h>
+#include <netinet/in_kdtrace.h>
+
#define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m)
/*
@@ -295,8 +297,12 @@ VNET_DECLARE(int, crypto_support);
VNET_DECLARE(int, async_crypto);
VNET_DECLARE(int, natt_cksum_policy);
-#define IPSECSTAT_INC(name) \
- VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
+#define IPSECSTAT_INC(name) \
+ do { \
+ MIB_SDT_PROBE1(ipsec, count, name, 1); \
+ VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1); \
+ } while (0)
+
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
#define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev)
#define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev)
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 4619ecaf8197..8f08872eb38a 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -731,7 +731,7 @@ ah_input_cb(struct cryptop *crp)
error = crp->crp_etype;
goto bad;
} else {
- AHSTAT_INC(ahs_hist[sav->alg_auth]);
+ AHSTAT_INC2(ahs_hist, sav->alg_auth);
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
@@ -1137,7 +1137,7 @@ ah_output_cb(struct cryptop *crp)
free(xd, M_AH);
crypto_freereq(crp);
- AHSTAT_INC(ahs_hist[sav->alg_auth]);
+ AHSTAT_INC2(ahs_hist, sav->alg_auth);
#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
if (V_ipsec_integrity) {
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 599134f056ca..7aec10549e6c 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -548,12 +548,12 @@ esp_input_cb(struct cryptop *crp)
error = EINVAL;
goto bad;
}
- ESPSTAT_INC(esps_hist[sav->alg_enc]);
+ ESPSTAT_INC2(esps_hist, sav->alg_enc);
/* If authentication was performed, check now. */
if (esph != NULL) {
alen = xform_ah_authsize(esph);
- AHSTAT_INC(ahs_hist[sav->alg_auth]);
+ AHSTAT_INC2(ahs_hist, sav->alg_auth);
if (crp->crp_etype == EBADMSG) {
DPRINTF(("%s: authentication hash mismatch for "
"packet in SA %s/%08lx\n", __func__,
@@ -1033,9 +1033,9 @@ esp_output_cb(struct cryptop *crp)
free(xd, M_ESP);
free(crp->crp_aad, M_ESP);
crypto_freereq(crp);
- ESPSTAT_INC(esps_hist[sav->alg_enc]);
+ ESPSTAT_INC2(esps_hist, sav->alg_enc);
if (sav->tdb_authalgxform != NULL)
- AHSTAT_INC(ahs_hist[sav->alg_auth]);
+ AHSTAT_INC2(ahs_hist, sav->alg_auth);
#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 9a8d132d564d..737d4a50098a 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -327,7 +327,7 @@ ipcomp_input_cb(struct cryptop *crp)
error = EINVAL;
goto bad;
}
- IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
+ IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
clen = crp->crp_olen; /* Length of data after processing */
@@ -571,7 +571,7 @@ ipcomp_output_cb(struct cryptop *crp)
error = EINVAL;
goto bad;
}
- IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
+ IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
if (crp->crp_payload_length > crp->crp_olen) {
struct mbuf *mo;
