net: wireguard: stats: Add statistics support

Collect Wireguard VPN statistics and allow user to fetch it.

Signed-off-by: Jukka Rissanen <[email protected]>

Author: jukkar

include/zephyr/net/net_stats.h

@@ -724,6 +724,7 @@ enum net_request_stats_cmd {
 	NET_REQUEST_STATS_CMD_GET_PM,
 	NET_REQUEST_STATS_CMD_GET_WIFI,
 	NET_REQUEST_STATS_CMD_RESET_WIFI,
+	NET_REQUEST_STATS_CMD_GET_VPN,
 };
 
 /** @endcond */
@@ -853,6 +854,16 @@ NET_MGMT_DEFINE_REQUEST_HANDLER(NET_REQUEST_STATS_GET_PPP);
 /** @endcond */
 #endif /* CONFIG_NET_STATISTICS_PPP */
 
+#if defined(CONFIG_NET_STATISTICS_VPN)
+/** Request VPN statistics */
+#define NET_REQUEST_STATS_GET_VPN				\
+	(_NET_STATS_BASE | NET_REQUEST_STATS_CMD_GET_VPN)
+
+/** @cond INTERNAL_HIDDEN */
+NET_MGMT_DEFINE_REQUEST_HANDLER(NET_REQUEST_STATS_GET_VPN);
+/** @endcond */
+#endif /* CONFIG_NET_STATISTICS_VPN */
+
 #endif /* CONFIG_NET_STATISTICS_USER_API */
 
 #if defined(CONFIG_NET_STATISTICS_POWER_MANAGEMENT)

include/zephyr/net/wireguard.h

@@ -89,6 +89,52 @@ struct wireguard_peer_config {
 	uint16_t keepalive_interval;
 };
 
+/** Wireguard VPN statistics */
+struct net_stats_vpn {
+	/** Number of keepalive packets received */
+	uint32_t keepalive_rx;
+	/** Number of keepalive packets sent */
+	uint32_t keepalive_tx;
+	/** Number of peer not found errors */
+	uint32_t peer_not_found;
+	/** Number of key expired errors */
+	uint32_t key_expired;
+	/** Number of invalid packets */
+	uint32_t invalid_packet;
+	/** Number of invalid key errors */
+	uint32_t invalid_key;
+	/** Number of invalid MIC errors */
+	uint32_t invalid_mic;
+	/** Number of invalid packet length errors */
+	uint32_t invalid_packet_len;
+	/** Number of invalid keepalive errors */
+	uint32_t invalid_keepalive;
+	/** Number of invalid handshake errors */
+	uint32_t invalid_handshake;
+	/** Number of invalid cookie errors */
+	uint32_t invalid_cookie;
+	/** Number of invalid MAC1 errors */
+	uint32_t invalid_mac1;
+	/** Number of invalid MAC2 errors */
+	uint32_t invalid_mac2;
+	/** Number of decrypt failed errors */
+	uint32_t decrypt_failed;
+	/** Number of dropped RX packets */
+	uint32_t drop_rx;
+	/** Number of allocation failures */
+	uint32_t alloc_failed;
+	/** Number of invalid IP version */
+	uint32_t invalid_ip_version;
+	/** Number of invalid IP address family */
+	uint32_t invalid_ip_family;
+	/** Number of denied IP address */
+	uint32_t denied_ip;
+	/** Number of replay errors */
+	uint32_t replay_error;
+	/** Number of valid packets received */
+	uint32_t valid_rx;
+};
+
 /**
  * @brief Add a Wireguard peer to the system.
  *

subsys/net/ip/Kconfig.stats

@@ -162,4 +162,11 @@ config NET_STATISTICS_VIA_PROMETHEUS
 	  Enable this option to expose the network statistics
 	  to Prometheus monitoring system.
 
+config NET_STATISTICS_VPN
+	bool "Wireguard VPN statistics"
+	depends on WIREGUARD
+	default y
+	help
+	  Keep track of Wireguard VPN related statistics
+
 endif # NET_STATISTICS

subsys/net/lib/wireguard/wg.c

@@ -91,6 +91,10 @@ struct wg_iface_context {
 	struct wg_context *wg_ctx;
 	struct wg_peer *peer;
 
+#if defined(CONFIG_NET_STATISTICS_VPN)
+	struct net_stats_vpn stats;
+#endif /* CONFIG_NET_STATISTICS_VPN */
+
 	uint8_t public_key[WG_PUBLIC_KEY_LEN];
 	uint8_t private_key[WG_PRIVATE_KEY_LEN];
 
@@ -105,6 +109,8 @@ struct wg_iface_context {
 	bool init_done : 1;
 };
 
+#include "wg_stats.h"
+
 static int create_packet(struct net_if *iface,
 			 struct sockaddr *src,
 			 struct sockaddr *dst,
@@ -282,6 +288,10 @@ static int wg_send_keepalive(struct wg_iface_context *ctx,
 		net_if_get_by_iface(ctx->iface),
 		ret);
 
+	if (ret == 0) {
+		vpn_stats_update_keepalive_tx(ctx);
+	}
+
 	return ret;
 }
 
@@ -307,7 +317,7 @@ static void wg_periodic_timer(struct k_work *work)
 		}
 
 		if (should_send_keepalive(peer)) {
-			wg_send_keepalive(peer->ctx, peer);
+			(void)wg_send_keepalive(peer->ctx, peer);
 		}
 
 		if (should_send_init(peer)) {
@@ -1894,3 +1904,62 @@ void wireguard_peer_foreach(wg_peer_cb_t cb, void *user_data)
 
 	k_mutex_unlock(&lock);
 }
+
+#if defined(CONFIG_NET_STATISTICS_VPN) && defined(CONFIG_NET_STATISTICS_USER_API)
+
+static int wg_stats_get(uint32_t mgmt_request, struct net_if *iface,
+			 void *data, size_t len)
+{
+	size_t len_chk = 0;
+	struct net_stats_vpn *src = NULL;
+	struct wg_peer *peer, *next;
+	int ret = -ENOENT;
+
+	switch (NET_MGMT_GET_COMMAND(mgmt_request)) {
+	case NET_REQUEST_STATS_CMD_GET_VPN:
+		if (net_if_l2(iface) != &NET_L2_GET_NAME(VIRTUAL)) {
+			return -ENOENT;
+		}
+
+		if (net_virtual_get_iface_capabilities(iface) != VIRTUAL_INTERFACE_VPN) {
+			return -ENOENT;
+		}
+
+		len_chk = sizeof(struct net_stats_vpn);
+
+		k_mutex_lock(&lock, K_FOREVER);
+
+		SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&active_peers, peer, next, node) {
+			if (peer->iface != iface) {
+				continue;
+			}
+
+			src = &peer->ctx->stats;
+			ret = 0;
+			break;
+		}
+
+		k_mutex_unlock(&lock);
+		break;
+
+	default:
+		ret = -ENOTSUP;
+		break;
+	}
+
+	if (ret < 0) {
+		return ret;
+	}
+
+	if (len != len_chk || src == NULL) {
+		return -EINVAL;
+	}
+
+	memcpy(data, src, len);
+
+	return 0;
+}
+
+NET_MGMT_REGISTER_REQUEST_HANDLER(NET_REQUEST_STATS_GET_VPN, wg_stats_get);
+
+#endif /* CONFIG_NET_STATISTICS_USER_API && CONFIG_NET_STATISTICS_VPN */