Add reqid to child SA

Author: sergeymakinen

README.md

@@ -31,12 +31,12 @@ make
 | ipsec_offline_pool_ips | Number of leases offline. | name, address
 | ipsec_ike_sa_state | IKE SA state. Created: 0, connecting: 1, established: 2, passive: 3, rekeying: 4, rekeyed: 5, deleting: 6, destroying: 7. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips
 | ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips
-| ipsec_child_sa_state | Child SA state. Created: 0, routed: 1, installing: 2, installed: 3, updating: 4, rekeying: 5, rekeyed: 6, retrying: 7, deleting: 8, deleted: 9, destroying: 10. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
-| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
-| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
-| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
-| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
-| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_state | Child SA state. Created: 0, routed: 1, installing: 2, installed: 3, updating: 4, rekeying: 5, rekeyed: 6, retrying: 7, deleting: 8, deleted: 9, destroying: 10. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, name, uid, reqid, mode, protocol, local_ts, remote_ts
 
 ### Flags
 

exporter/exporter.go

@@ -42,7 +42,7 @@ var (
 	reSAVersion        = regexp.MustCompile(`^(.+) SPIs:`)
 	reSARemoteIdentity = regexp.MustCompile(`^Remote (.+) identity: (.+)$`)
 	reChildSAPrefix    = regexp.MustCompile(`^\s*([^{]+){(\d+)}:  `)
-	reChildSAStatus    = regexp.MustCompile(`^([^,]+), ([^,]+), reqid \d+, (.+) SPIs:.+`)
+	reChildSAStatus    = regexp.MustCompile(`^([^,]+), ([^,]+), reqid (\d+), (.+) SPIs:.+`)
 	reChildSATraffic   = regexp.MustCompile(`(\d+) bytes_i(?: \((\d+) pkts?[^)]*\))?, (\d+) bytes_o(?: \((\d+) pkts?[^)]*\))?`)
 	reChildSATS        = regexp.MustCompile(`^ (.+) === (.+)$`)
 )
@@ -66,6 +66,7 @@ var (
 		"uid",
 		"mode",
 		"protocol",
+		"reqid",
 		"local_ts",
 		"remote_ts",
 	}
@@ -377,7 +378,9 @@ func (e *Exporter) scrapeIpsec() (m metrics, ok bool) {
 						if matches != nil {
 							childSA2.State = matches[1]
 							childSA2.Mode = matches[2]
-							childSA2.Protocol = matches[3]
+							n, _ := strconv.ParseUint(matches[3], 10, 64)
+							childSA2.ReqID = uint32(n)
+							childSA2.Protocol = matches[4]
 							continue
 						}
 						matches = reChildSATraffic.FindStringSubmatch(line)
@@ -455,6 +458,7 @@ func (e *Exporter) collect(m metrics, ch chan<- prometheus.Metric) {
 				strconv.FormatUint(uint64(childSA.UID), 10),
 				childSA.Mode,
 				childSA.Protocol,
+				strconv.FormatUint(uint64(childSA.ReqID), 10),
 				strings.Join(childSA.LocalTS, ", "),
 				strings.Join(childSA.RemoteTS, ", "),
 			}

exporter/exporter_test.go

@@ -80,6 +80,7 @@ func TestExporter(t *testing.T) {
 						"named-3": {
 							Name:       "named",
 							UID:        3,
+							ReqID:      4,
 							State:      "INSTALLED",
 							Mode:       "TUNNEL",
 							Protocol:   "AH",
@@ -93,6 +94,7 @@ func TestExporter(t *testing.T) {
 						"named-4": {
 							Name:       "named",
 							UID:        4,
+							ReqID:      5,
 							State:      "INSTALLED",
 							Mode:       "TUNNEL",
 							Protocol:   "AH",
@@ -119,6 +121,7 @@ func TestExporter(t *testing.T) {
 						"named-5": {
 							Name:       "named",
 							UID:        5,
+							ReqID:      6,
 							State:      "INSTALLED",
 							Mode:       "TUNNEL",
 							Protocol:   "AH",

exporter/metrics.go

@@ -66,6 +66,7 @@ type ikeSA struct {
 type childSA struct {
 	Name       string   `vici:"name"`
 	UID        uint32   `vici:"uniqueid"`
+	ReqID      uint32   `vici:"reqid"`
 	State      string   `vici:"state"`
 	Mode       string   `vici:"mode"`
 	Protocol   string   `vici:"protocol"`

exporter/testdata/metrics-1.txt

@@ -3,32 +3,32 @@
 ipsec_active_workers 10
 # HELP ipsec_child_sa_bytes_in Number of input bytes processed.
 # TYPE ipsec_child_sa_bytes_in gauge
-ipsec_child_sa_bytes_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="3"} 123
-ipsec_child_sa_bytes_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 124
-ipsec_child_sa_bytes_in{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="5"} 125
+ipsec_child_sa_bytes_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="4",uid="3"} 123
+ipsec_child_sa_bytes_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 124
+ipsec_child_sa_bytes_in{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="6",uid="5"} 125
 # HELP ipsec_child_sa_bytes_out Number of output bytes processed.
 # TYPE ipsec_child_sa_bytes_out gauge
-ipsec_child_sa_bytes_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="3"} 789
-ipsec_child_sa_bytes_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 790
-ipsec_child_sa_bytes_out{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="5"} 791
+ipsec_child_sa_bytes_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="4",uid="3"} 789
+ipsec_child_sa_bytes_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 790
+ipsec_child_sa_bytes_out{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="6",uid="5"} 791
 # HELP ipsec_child_sa_installed_seconds Number of seconds since the child SA has been installed.
 # TYPE ipsec_child_sa_installed_seconds gauge
-ipsec_child_sa_installed_seconds{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 123
+ipsec_child_sa_installed_seconds{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 123
 # HELP ipsec_child_sa_packets_in Number of input packets processed.
 # TYPE ipsec_child_sa_packets_in gauge
-ipsec_child_sa_packets_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="3"} 456
-ipsec_child_sa_packets_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 457
-ipsec_child_sa_packets_in{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="5"} 458
+ipsec_child_sa_packets_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="4",uid="3"} 456
+ipsec_child_sa_packets_in{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 457
+ipsec_child_sa_packets_in{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="6",uid="5"} 458
 # HELP ipsec_child_sa_packets_out Number of output packets processed.
 # TYPE ipsec_child_sa_packets_out gauge
-ipsec_child_sa_packets_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="3"} 901
-ipsec_child_sa_packets_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 902
-ipsec_child_sa_packets_out{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="5"} 903
+ipsec_child_sa_packets_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="4",uid="3"} 901
+ipsec_child_sa_packets_out{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 902
+ipsec_child_sa_packets_out{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="6",uid="5"} 903
 # HELP ipsec_child_sa_state Child SA state.
 # TYPE ipsec_child_sa_state gauge
-ipsec_child_sa_state{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="3"} 3
-ipsec_child_sa_state{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="4"} 3
-ipsec_child_sa_state{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",uid="5"} 3
+ipsec_child_sa_state{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="4",uid="3"} 3
+ipsec_child_sa_state{ike_sa_name="named-1",ike_sa_uid="1",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="5",uid="4"} 3
+ipsec_child_sa_state{ike_sa_name="named-2",ike_sa_uid="2",local_ts="192.168.0.0/24, 192.168.1.0/24",mode="TUNNEL",name="named",protocol="AH",remote_ts="192.168.2.0/24, 192.168.3.0/24",reqid="6",uid="5"} 3
 # HELP ipsec_half_open_ike_sas Number of IKE SAs in half-open state.
 # TYPE ipsec_half_open_ike_sas gauge
 ipsec_half_open_ike_sas 5

exporter/testdata/metrics-2.txt

@@ -1,18 +1,18 @@
 # HELP ipsec_child_sa_bytes_in Number of input bytes processed.
 # TYPE ipsec_child_sa_bytes_in gauge
-ipsec_child_sa_bytes_in{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",uid="1"} 64
+ipsec_child_sa_bytes_in{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",reqid="1",uid="1"} 64
 # HELP ipsec_child_sa_bytes_out Number of output bytes processed.
 # TYPE ipsec_child_sa_bytes_out gauge
-ipsec_child_sa_bytes_out{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",uid="1"} 64
+ipsec_child_sa_bytes_out{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",reqid="1",uid="1"} 64
 # HELP ipsec_child_sa_packets_in Number of input packets processed.
 # TYPE ipsec_child_sa_packets_in gauge
-ipsec_child_sa_packets_in{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",uid="1"} 1
+ipsec_child_sa_packets_in{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",reqid="1",uid="1"} 1
 # HELP ipsec_child_sa_packets_out Number of output packets processed.
 # TYPE ipsec_child_sa_packets_out gauge
-ipsec_child_sa_packets_out{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",uid="1"} 1
+ipsec_child_sa_packets_out{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",reqid="1",uid="1"} 1
 # HELP ipsec_child_sa_state Child SA state.
 # TYPE ipsec_child_sa_state gauge
-ipsec_child_sa_state{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",uid="1"} 3
+ipsec_child_sa_state{ike_sa_name="host-host",ike_sa_uid="1",local_ts="172.31.0.1/32",mode="TRANSPORT",name="host-host",protocol="AH",remote_ts="172.31.0.2/32",reqid="1",uid="1"} 3
 # HELP ipsec_half_open_ike_sas Number of IKE SAs in half-open state.
 # TYPE ipsec_half_open_ike_sas gauge
 ipsec_half_open_ike_sas 0