304b44f0d5
Introduces validation for the x->dir attribute within the XFRM input data lookup path. If the configured direction does not match the expected direction, input, increment the XfrmInStateDirError counter and drop the packet to ensure data integrity and correct flow handling.

    grep -vw 0 /proc/net/xfrm_stat
    XfrmInStateDirError 1

Signed-off-by: Antony Antony <antony.antony@secunet.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
120 lines
2.3 KiB
ReStructuredText
.. SPDX-License-Identifier: GPL-2.0

==================================
XFRM proc - /proc/net/xfrm_* files
==================================

Masahide NAKAMURA <nakam@linux-ipv6.org>

Transformation Statistics
-------------------------

The xfrm_proc code exports a set of statistics showing how many packets
were dropped by the transformation code and why. These counters are
defined as part of the Linux private MIB and can be viewed in
/proc/net/xfrm_stat.

Inbound errors
~~~~~~~~~~~~~~

XfrmInError:
        All errors not matched by the other counters

XfrmInBufferError:
        No buffer is left

XfrmInHdrError:
        Header error

XfrmInNoStates:
        No state is found
        i.e. the inbound SPI, address, or IPsec protocol of the SA is wrong

XfrmInStateProtoError:
        Transformation protocol specific error
        e.g. the SA key is wrong

XfrmInStateModeError:
        Transformation mode specific error

XfrmInStateSeqError:
        Sequence error
        i.e. the sequence number is outside the anti-replay window

XfrmInStateExpired:
        State is expired

XfrmInStateMismatch:
        State has a mismatched option
        e.g. the UDP encapsulation type does not match

XfrmInStateInvalid:
        State is invalid

XfrmInTmplMismatch:
        No matching template for states
        e.g. the inbound SAs are correct but the SP rule is wrong

XfrmInNoPols:
        No policy is found for states
        e.g. the inbound SAs are correct but no SP is found

XfrmInPolBlock:
        Policy discards

XfrmInPolError:
        Policy error

XfrmAcquireError:
        State hasn't been fully acquired before use

XfrmFwdHdrError:
        Forward routing of a packet is not allowed

XfrmInStateDirError:
        State direction mismatch (lookup found an output state on the
        input path, expected input or no direction)

Outbound errors
~~~~~~~~~~~~~~~

XfrmOutError:
        All errors not matched by the other counters

XfrmOutBundleGenError:
        Bundle generation error

XfrmOutBundleCheckError:
        Bundle check error

XfrmOutNoStates:
        No state is found

XfrmOutStateProtoError:
        Transformation protocol specific error

XfrmOutStateModeError:
        Transformation mode specific error

XfrmOutStateSeqError:
        Sequence error
        i.e. sequence number overflow

XfrmOutStateExpired:
        State is expired

XfrmOutPolBlock:
        Policy discards

XfrmOutPolDead:
        Policy is dead

XfrmOutPolError:
        Policy error

XfrmOutStateInvalid:
        State is invalid, perhaps expired

XfrmOutStateDirError:
        State direction mismatch (lookup found an input state on the
        output path, expected output or no direction)
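Reading the counters in practice, as an added example that is not part of the
kernel documentation or the kernel tree: the script below parses the
name/value layout of /proc/net/xfrm_stat, reproduces the ``grep -vw 0`` view
of non-zero counters used in the commit message above, and reports which
counters moved between two snapshots, annotated with the meanings from the
inbound and outbound lists. The script name, the two snapshot files and the
counter values in the embedded samples are constructed for illustration; the
counters only ever increase, so a decrease between snapshots is treated as a
sign that the two files do not belong to the same netns or boot.

```python
"""Diff two snapshots of /proc/net/xfrm_stat and annotate counters that moved.

Added example for this page; not part of the kernel documentation or source.
The counter meanings are summarised from the lists above; the two sample
snapshots below are constructed, not captured from a real host.
"""
import sys
from typing import Dict, List

# Short meanings for the counters a practitioner most often has to explain,
# summarised from the lists above. Other counters are reported without a note.
COUNTER_MEANING = {
    "XfrmInNoStates": "no inbound SA for this SPI/address/protocol",
    "XfrmInStateProtoError": "protocol-specific failure, e.g. wrong SA key",
    "XfrmInStateSeqError": "sequence number outside the anti-replay window",
    "XfrmInStateExpired": "inbound SA has expired",
    "XfrmInStateMismatch": "SA option mismatch, e.g. UDP encapsulation type",
    "XfrmInTmplMismatch": "SA is fine but the policy template does not match",
    "XfrmInNoPols": "SA is fine but no security policy matched",
    "XfrmInPolBlock": "dropped by a discard policy",
    "XfrmInStateDirError": "output-direction SA hit on the input path",
    "XfrmOutNoStates": "no outbound SA found",
    "XfrmOutStateSeqError": "outbound sequence number overflow",
    "XfrmOutPolBlock": "dropped by a discard policy",
    "XfrmOutStateDirError": "input-direction SA hit on the output path",
}


def parse_xfrm_stat(text: str) -> Dict[str, int]:
    """Parse the "<name><whitespace><value>" lines of /proc/net/xfrm_stat.

    Blank lines are skipped; any other line that is not one Xfrm* name
    followed by one integer is rejected instead of being silently ignored.
    """
    counters: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("Xfrm"):
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        try:
            counters[parts[0]] = int(parts[1])
        except ValueError:
            raise ValueError(f"line {lineno}: non-integer value: {line!r}") from None
    return counters


def nonzero(counters: Dict[str, int]) -> Dict[str, int]:
    """Same view as 'grep -vw 0 /proc/net/xfrm_stat': only counters that are set."""
    return {name: value for name, value in counters.items() if value != 0}


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increase of each counter between two snapshots; unchanged ones are omitted.

    The counters are monotonic, so a decrease means the snapshots were not
    taken from the same netns/boot and the comparison is meaningless.
    """
    deltas: Dict[str, int] = {}
    for name, value in after.items():
        prev = before.get(name, 0)
        if value < prev:
            raise ValueError(f"{name} went backwards ({prev} -> {value}); not comparable")
        if value > prev:
            deltas[name] = value - prev
    return deltas


def report(deltas: Dict[str, int]) -> List[str]:
    """One line per moved counter, annotated with the documented meaning."""
    return [
        f"{name} +{deltas[name]} ({COUNTER_MEANING.get(name, 'see xfrm_proc.rst')})"
        for name in sorted(deltas)
    ]


# Constructed snapshots in the real file's layout (name, tab, value).
SAMPLE_BEFORE = """\
XfrmInError             \t0
XfrmInNoStates          \t12
XfrmInStateSeqError     \t3
XfrmInStateDirError     \t0
XfrmOutError            \t0
XfrmOutNoStates         \t1
XfrmOutStateDirError    \t0
"""

SAMPLE_AFTER = """\
XfrmInError             \t0
XfrmInNoStates          \t12
XfrmInStateSeqError     \t40
XfrmInStateDirError     \t1
XfrmOutError            \t0
XfrmOutNoStates         \t1
XfrmOutStateDirError    \t0
"""


def main(argv: List[str]) -> int:
    """With two file arguments, diff those snapshots; with none, diff the samples."""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            before, after = parse_xfrm_stat(f1.read()), parse_xfrm_stat(f2.read())
    else:
        before, after = parse_xfrm_stat(SAMPLE_BEFORE), parse_xfrm_stat(SAMPLE_AFTER)
    for line in report(counter_deltas(before, after)):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it on a live host, copy the file before and after reproducing the
problem (``cat /proc/net/xfrm_stat > before``, then ``> after``) and run
``python3 xfrm_stat_diff.py before after`` (hypothetical file name). Only
the counters that moved are printed, which is usually the fastest way to tell
an SA lookup failure (XfrmInNoStates) from a policy problem (XfrmInNoPols,
XfrmInTmplMismatch) or an anti-replay drop (XfrmInStateSeqError).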