diff options
author | Tom Jones <thj@FreeBSD.org> | 2019-04-19 17:06:43 +0000 |
---|---|---|
committer | Tom Jones <thj@FreeBSD.org> | 2019-04-19 17:06:43 +0000 |
commit | 2946a9415ce412eea21a11ebdb08a397c286a685 (patch) | |
tree | c210434fad3151e7a2eb0493fb8e131fa78a9f01 /usr.bin/systat | |
parent | 48ecceba1e8ba9b15b3d13f1c71fad09d1be2fd6 (diff) | |
download | src-test2-2946a9415ce412eea21a11ebdb08a397c286a685.tar.gz src-test2-2946a9415ce412eea21a11ebdb08a397c286a685.zip |
Add stat counter for ipv6 atomic fragments
Add a stat counter to track ipv6 atomic fragments. Atomic fragments can be
generated in response to invalid path MTU values, but are also a potential
attack vector and considered harmful (see RFC6946 and RFC8021).
While here add tracking of the atomic fragment counter to netstat and systat.
Reviewed by: tuexen, jtl, bz
Approved by: jtl (mentor), bz (mentor)
Event: Aberdeen hackathon 2019
Differential Revision: https://reviews.freebsd.org/D17511
Notes
Notes:
svn path=/head/; revision=346398
Diffstat (limited to 'usr.bin/systat')
-rw-r--r-- | usr.bin/systat/ip6.c | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/usr.bin/systat/ip6.c b/usr.bin/systat/ip6.c index 3b40a0676219..ac9063f48fce 100644 --- a/usr.bin/systat/ip6.c +++ b/usr.bin/systat/ip6.c @@ -121,16 +121,16 @@ labelip6(void) L(6, "- fragments dropped"); R(6, "destinations unreachable"); L(7, "- fragments timed out"); R(7, "packets output via raw IP"); L(8, "- fragments overflown"); - L(9, "- packets reassembled ok"); R(9, "Input next-header histogram"); - L(10, "packets forwarded"); R(10, " - destination options"); - L(11, "- unreachable dests"); R(11, " - hop-by-hop options"); - L(12, "- redirects generated"); R(12, " - IPv4"); - L(13, "option errors"); R(13, " - TCP"); - L(14, "unwanted multicasts"); R(14, " - UDP"); - L(15, "delivered to upper layer"); R(15, " - IPv6"); - L(16, "bad scope packets"); R(16, " - routing header"); - L(17, "address selection failed"); R(17, " - fragmentation header"); - R(18, " - ICMP6"); + L(9, "- atomic fragments"); R(9, "Input next-header histogram"); + L(10, "- packets reassembled ok"); R(10, " - destination options"); + L(11, "packets forwarded"); R(11, " - hop-by-hop options"); + L(12, "- unreachable dests"); R(12, " - IPv4"); + L(13, "- redirects generated"); R(13, " - TCP"); + L(14, "option errors"); R(14, " - UDP"); + L(15, "unwanted multicasts"); R(15, " - IPv6"); + L(16, "delivered to upper layer"); R(16, " - routing header"); + L(17, "bad scope packets"); R(17, " - fragmentation header"); + L(18, "address selection failed");R(18, " - ICMP6"); R(19, " - none"); #undef L #undef R @@ -165,6 +165,7 @@ domode(struct ip6stat *ret) DO(ip6s_fragdropped); DO(ip6s_fragtimeout); DO(ip6s_fragoverflow); + DO(ip6s_atomicfrags); DO(ip6s_forward); DO(ip6s_cantforward); DO(ip6s_redirectsent); @@ -214,22 +215,23 @@ showip6(void) DO(ip6s_fragtimeout, 7, 0); DO(ip6s_rawout, 7, 35); DO(ip6s_fragoverflow, 8, 0); - DO(ip6s_reassembled, 9, 0); - DO(ip6s_forward, 10, 0); + DO(ip6s_atomicfrags, 9, 0); + DO(ip6s_reassembled, 10, 0); + DO(ip6s_forward, 11, 0); DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35); - DO(ip6s_cantforward, 11, 0); + DO(ip6s_cantforward, 12, 0); DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35); - DO(ip6s_redirectsent, 12, 0); + DO(ip6s_redirectsent, 13, 0); DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35); - DO(ip6s_badoptions, 13, 0); + DO(ip6s_badoptions, 14, 0); DO(ip6s_nxthist[IPPROTO_TCP], 13, 35); - DO(ip6s_notmember, 14, 0); + DO(ip6s_notmember, 15, 0); DO(ip6s_nxthist[IPPROTO_UDP], 14, 35); - DO(ip6s_delivered, 15, 0); + DO(ip6s_delivered, 16, 0); DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35); - DO(ip6s_badscope, 16, 0); + DO(ip6s_badscope, 17, 0); DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35); - DO(ip6s_sources_none, 17, 0); + DO(ip6s_sources_none, 18, 0); DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35); DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35); DO(ip6s_nxthist[IPPROTO_NONE], 19, 35); |