Kernel-4.18.0-80.el8_xfrm_proc

XFRM proc - /proc/net/xfrm_* files

Masahide NAKAMURA nakam@linux-ipv6.org

Transformation Statistics

The xfrm_proc code is a set of statistics showing numbers of packets
dropped by the transformation code and why. These counters are defined
as part of the linux private MIB. These counters can be viewed in
/proc/net/xfrm_stat.

Inbound errors

XfrmInError:
    All errors which is not matched others
XfrmInBufferError:
    No buffer is left
XfrmInHdrError:
    Header error
XfrmInNoStates:
    No state is found
    i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong
XfrmInStateProtoError:
    Transformation protocol specific error
    e.g. SA key is wrong
XfrmInStateModeError:
    Transformation mode specific error
XfrmInStateSeqError:
    Sequence error
    i.e. Sequence number is out of window
XfrmInStateExpired:
    State is expired
XfrmInStateMismatch:
    State has mismatch option
    e.g. UDP encapsulation type is mismatch
XfrmInStateInvalid:
    State is invalid
XfrmInTmplMismatch:
    No matching template for states
    e.g. Inbound SAs are correct but SP rule is wrong
XfrmInNoPols:
    No policy is found for states
    e.g. Inbound SAs are correct but no SP is found
XfrmInPolBlock:
    Policy discards
XfrmInPolError:
    Policy error
XfrmAcquireError:
    State hasn't been fully acquired before use
XfrmFwdHdrError:
    Forward routing of a packet is not allowed

Outbound errors

XfrmOutError:
All errors which is not matched others
XfrmOutBundleGenError:
Bundle generation error
XfrmOutBundleCheckError:
Bundle check error
XfrmOutNoStates:
No state is found
XfrmOutStateProtoError:
Transformation protocol specific error
XfrmOutStateModeError:
Transformation mode specific error
XfrmOutStateSeqError:
Sequence error
i.e. Sequence number overflow
XfrmOutStateExpired:
State is expired
XfrmOutPolBlock:
Policy discards
XfrmOutPolDead:
Policy is dead
XfrmOutPolError:
Policy error
XfrmOutStateInvalid:
State is invalid, perhaps expired