Add new collector and metrics for XFRM (#2544) (#2866)

Signed-off-by: Gavin Lam <gavin.oss@tutamail.com>
2 years ago · 332232c22c
parent e508aff0d6
commit 332232c22c
7 changed files with 579 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -205,6 +205,7 @@ sysctl | Expose sysctl values from `/proc/sys`. Use `--collector.sysctl.include(
 systemd | Exposes service and system status from [systemd](http://www.freedesktop.org/wiki/Software/systemd/). | Linux
 tcpstat | Exposes TCP connection status information from `/proc/net/tcp` and `/proc/net/tcp6`. (Warning: the current version has potential performance issues in high load situations.) | Linux
 wifi | Exposes WiFi device and station statistics. | Linux
+xfrm | Exposes statistics from `/proc/net/xfrm_stat` | Linux
 zoneinfo | Exposes NUMA memory zone metrics. | Linux

 ### Deprecated
--- a/collector/fixtures/e2e-64k-page-output.txt
+++ b/collector/fixtures/e2e-64k-page-output.txt
@ -2944,6 +2944,7 @@ node_scrape_collector_success{collector="time"} 1
 node_scrape_collector_success{collector="udp_queues"} 1
 node_scrape_collector_success{collector="vmstat"} 1
 node_scrape_collector_success{collector="wifi"} 1
+node_scrape_collector_success{collector="xfrm"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
@ -3265,6 +3266,90 @@ node_wifi_station_transmit_failed_total{device="wlan0",mac_address="aa:bb:cc:dd:
 # TYPE node_wifi_station_transmit_retries_total counter
 node_wifi_station_transmit_retries_total{device="wlan0",mac_address="01:02:03:04:05:06"} 20
 node_wifi_station_transmit_retries_total{device="wlan0",mac_address="aa:bb:cc:dd:ee:ff"} 10
+# HELP node_xfrm_acquire_error_packets_total State hasn’t been fully acquired before use
+# TYPE node_xfrm_acquire_error_packets_total counter
+node_xfrm_acquire_error_packets_total 24532
+# HELP node_xfrm_fwd_hdr_error_packets_total Forward routing of a packet is not allowed
+# TYPE node_xfrm_fwd_hdr_error_packets_total counter
+node_xfrm_fwd_hdr_error_packets_total 6654
+# HELP node_xfrm_in_buffer_error_packets_total No buffer is left
+# TYPE node_xfrm_in_buffer_error_packets_total counter
+node_xfrm_in_buffer_error_packets_total 2
+# HELP node_xfrm_in_error_packets_total All errors not matched by other
+# TYPE node_xfrm_in_error_packets_total counter
+node_xfrm_in_error_packets_total 1
+# HELP node_xfrm_in_hdr_error_packets_total Header error
+# TYPE node_xfrm_in_hdr_error_packets_total counter
+node_xfrm_in_hdr_error_packets_total 4
+# HELP node_xfrm_in_no_pols_packets_total No policy is found for states e.g. Inbound SAs are correct but no SP is found
+# TYPE node_xfrm_in_no_pols_packets_total counter
+node_xfrm_in_no_pols_packets_total 65432
+# HELP node_xfrm_in_no_states_packets_total No state is found i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong
+# TYPE node_xfrm_in_no_states_packets_total counter
+node_xfrm_in_no_states_packets_total 3
+# HELP node_xfrm_in_pol_block_packets_total Policy discards
+# TYPE node_xfrm_in_pol_block_packets_total counter
+node_xfrm_in_pol_block_packets_total 100
+# HELP node_xfrm_in_pol_error_packets_total Policy error
+# TYPE node_xfrm_in_pol_error_packets_total counter
+node_xfrm_in_pol_error_packets_total 10000
+# HELP node_xfrm_in_state_expired_packets_total State is expired
+# TYPE node_xfrm_in_state_expired_packets_total counter
+node_xfrm_in_state_expired_packets_total 7
+# HELP node_xfrm_in_state_invalid_packets_total State is invalid
+# TYPE node_xfrm_in_state_invalid_packets_total counter
+node_xfrm_in_state_invalid_packets_total 55555
+# HELP node_xfrm_in_state_mismatch_packets_total State has mismatch option e.g. UDP encapsulation type is mismatch
+# TYPE node_xfrm_in_state_mismatch_packets_total counter
+node_xfrm_in_state_mismatch_packets_total 23451
+# HELP node_xfrm_in_state_mode_error_packets_total Transformation mode specific error
+# TYPE node_xfrm_in_state_mode_error_packets_total counter
+node_xfrm_in_state_mode_error_packets_total 100
+# HELP node_xfrm_in_state_proto_error_packets_total Transformation protocol specific error e.g. SA key is wrong
+# TYPE node_xfrm_in_state_proto_error_packets_total counter
+node_xfrm_in_state_proto_error_packets_total 40
+# HELP node_xfrm_in_state_seq_error_packets_total Sequence error i.e. Sequence number is out of window
+# TYPE node_xfrm_in_state_seq_error_packets_total counter
+node_xfrm_in_state_seq_error_packets_total 6000
+# HELP node_xfrm_in_tmpl_mismatch_packets_total No matching template for states e.g. Inbound SAs are correct but SP rule is wrong
+# TYPE node_xfrm_in_tmpl_mismatch_packets_total counter
+node_xfrm_in_tmpl_mismatch_packets_total 51
+# HELP node_xfrm_out_bundle_check_error_packets_total Bundle check error
+# TYPE node_xfrm_out_bundle_check_error_packets_total counter
+node_xfrm_out_bundle_check_error_packets_total 555
+# HELP node_xfrm_out_bundle_gen_error_packets_total Bundle generation error
+# TYPE node_xfrm_out_bundle_gen_error_packets_total counter
+node_xfrm_out_bundle_gen_error_packets_total 43321
+# HELP node_xfrm_out_error_packets_total All errors which is not matched others
+# TYPE node_xfrm_out_error_packets_total counter
+node_xfrm_out_error_packets_total 1e+06
+# HELP node_xfrm_out_no_states_packets_total No state is found
+# TYPE node_xfrm_out_no_states_packets_total counter
+node_xfrm_out_no_states_packets_total 869
+# HELP node_xfrm_out_pol_block_packets_total Policy discards
+# TYPE node_xfrm_out_pol_block_packets_total counter
+node_xfrm_out_pol_block_packets_total 43456
+# HELP node_xfrm_out_pol_dead_packets_total Policy is dead
+# TYPE node_xfrm_out_pol_dead_packets_total counter
+node_xfrm_out_pol_dead_packets_total 7656
+# HELP node_xfrm_out_pol_error_packets_total Policy error
+# TYPE node_xfrm_out_pol_error_packets_total counter
+node_xfrm_out_pol_error_packets_total 1454
+# HELP node_xfrm_out_state_expired_packets_total State is expired
+# TYPE node_xfrm_out_state_expired_packets_total counter
+node_xfrm_out_state_expired_packets_total 565
+# HELP node_xfrm_out_state_invalid_packets_total State is invalid, perhaps expired
+# TYPE node_xfrm_out_state_invalid_packets_total counter
+node_xfrm_out_state_invalid_packets_total 28765
+# HELP node_xfrm_out_state_mode_error_packets_total Transformation mode specific error
+# TYPE node_xfrm_out_state_mode_error_packets_total counter
+node_xfrm_out_state_mode_error_packets_total 8
+# HELP node_xfrm_out_state_proto_error_packets_total Transformation protocol specific error
+# TYPE node_xfrm_out_state_proto_error_packets_total counter
+node_xfrm_out_state_proto_error_packets_total 4542
+# HELP node_xfrm_out_state_seq_error_packets_total Sequence error i.e. Sequence number overflow
+# TYPE node_xfrm_out_state_seq_error_packets_total counter
+node_xfrm_out_state_seq_error_packets_total 543
 # HELP node_xfs_allocation_btree_compares_total Number of allocation B-tree compares for a filesystem.
 # TYPE node_xfs_allocation_btree_compares_total counter
 node_xfs_allocation_btree_compares_total{device="sda1"} 0
--- a/collector/fixtures/e2e-output.txt
+++ b/collector/fixtures/e2e-output.txt
@ -2966,6 +2966,7 @@ node_scrape_collector_success{collector="time"} 1
 node_scrape_collector_success{collector="udp_queues"} 1
 node_scrape_collector_success{collector="vmstat"} 1
 node_scrape_collector_success{collector="wifi"} 1
+node_scrape_collector_success{collector="xfrm"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
@ -3287,6 +3288,90 @@ node_wifi_station_transmit_failed_total{device="wlan0",mac_address="aa:bb:cc:dd:
 # TYPE node_wifi_station_transmit_retries_total counter
 node_wifi_station_transmit_retries_total{device="wlan0",mac_address="01:02:03:04:05:06"} 20
 node_wifi_station_transmit_retries_total{device="wlan0",mac_address="aa:bb:cc:dd:ee:ff"} 10
+# HELP node_xfrm_acquire_error_packets_total State hasn’t been fully acquired before use
+# TYPE node_xfrm_acquire_error_packets_total counter
+node_xfrm_acquire_error_packets_total 24532
+# HELP node_xfrm_fwd_hdr_error_packets_total Forward routing of a packet is not allowed
+# TYPE node_xfrm_fwd_hdr_error_packets_total counter
+node_xfrm_fwd_hdr_error_packets_total 6654
+# HELP node_xfrm_in_buffer_error_packets_total No buffer is left
+# TYPE node_xfrm_in_buffer_error_packets_total counter
+node_xfrm_in_buffer_error_packets_total 2
+# HELP node_xfrm_in_error_packets_total All errors not matched by other
+# TYPE node_xfrm_in_error_packets_total counter
+node_xfrm_in_error_packets_total 1
+# HELP node_xfrm_in_hdr_error_packets_total Header error
+# TYPE node_xfrm_in_hdr_error_packets_total counter
+node_xfrm_in_hdr_error_packets_total 4
+# HELP node_xfrm_in_no_pols_packets_total No policy is found for states e.g. Inbound SAs are correct but no SP is found
+# TYPE node_xfrm_in_no_pols_packets_total counter
+node_xfrm_in_no_pols_packets_total 65432
+# HELP node_xfrm_in_no_states_packets_total No state is found i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong
+# TYPE node_xfrm_in_no_states_packets_total counter
+node_xfrm_in_no_states_packets_total 3
+# HELP node_xfrm_in_pol_block_packets_total Policy discards
+# TYPE node_xfrm_in_pol_block_packets_total counter
+node_xfrm_in_pol_block_packets_total 100
+# HELP node_xfrm_in_pol_error_packets_total Policy error
+# TYPE node_xfrm_in_pol_error_packets_total counter
+node_xfrm_in_pol_error_packets_total 10000
+# HELP node_xfrm_in_state_expired_packets_total State is expired
+# TYPE node_xfrm_in_state_expired_packets_total counter
+node_xfrm_in_state_expired_packets_total 7
+# HELP node_xfrm_in_state_invalid_packets_total State is invalid
+# TYPE node_xfrm_in_state_invalid_packets_total counter
+node_xfrm_in_state_invalid_packets_total 55555
+# HELP node_xfrm_in_state_mismatch_packets_total State has mismatch option e.g. UDP encapsulation type is mismatch
+# TYPE node_xfrm_in_state_mismatch_packets_total counter
+node_xfrm_in_state_mismatch_packets_total 23451
+# HELP node_xfrm_in_state_mode_error_packets_total Transformation mode specific error
+# TYPE node_xfrm_in_state_mode_error_packets_total counter
+node_xfrm_in_state_mode_error_packets_total 100
+# HELP node_xfrm_in_state_proto_error_packets_total Transformation protocol specific error e.g. SA key is wrong
+# TYPE node_xfrm_in_state_proto_error_packets_total counter
+node_xfrm_in_state_proto_error_packets_total 40
+# HELP node_xfrm_in_state_seq_error_packets_total Sequence error i.e. Sequence number is out of window
+# TYPE node_xfrm_in_state_seq_error_packets_total counter
+node_xfrm_in_state_seq_error_packets_total 6000
+# HELP node_xfrm_in_tmpl_mismatch_packets_total No matching template for states e.g. Inbound SAs are correct but SP rule is wrong
+# TYPE node_xfrm_in_tmpl_mismatch_packets_total counter
+node_xfrm_in_tmpl_mismatch_packets_total 51
+# HELP node_xfrm_out_bundle_check_error_packets_total Bundle check error
+# TYPE node_xfrm_out_bundle_check_error_packets_total counter
+node_xfrm_out_bundle_check_error_packets_total 555
+# HELP node_xfrm_out_bundle_gen_error_packets_total Bundle generation error
+# TYPE node_xfrm_out_bundle_gen_error_packets_total counter
+node_xfrm_out_bundle_gen_error_packets_total 43321
+# HELP node_xfrm_out_error_packets_total All errors which is not matched others
+# TYPE node_xfrm_out_error_packets_total counter
+node_xfrm_out_error_packets_total 1e+06
+# HELP node_xfrm_out_no_states_packets_total No state is found
+# TYPE node_xfrm_out_no_states_packets_total counter
+node_xfrm_out_no_states_packets_total 869
+# HELP node_xfrm_out_pol_block_packets_total Policy discards
+# TYPE node_xfrm_out_pol_block_packets_total counter
+node_xfrm_out_pol_block_packets_total 43456
+# HELP node_xfrm_out_pol_dead_packets_total Policy is dead
+# TYPE node_xfrm_out_pol_dead_packets_total counter
+node_xfrm_out_pol_dead_packets_total 7656
+# HELP node_xfrm_out_pol_error_packets_total Policy error
+# TYPE node_xfrm_out_pol_error_packets_total counter
+node_xfrm_out_pol_error_packets_total 1454
+# HELP node_xfrm_out_state_expired_packets_total State is expired
+# TYPE node_xfrm_out_state_expired_packets_total counter
+node_xfrm_out_state_expired_packets_total 565
+# HELP node_xfrm_out_state_invalid_packets_total State is invalid, perhaps expired
+# TYPE node_xfrm_out_state_invalid_packets_total counter
+node_xfrm_out_state_invalid_packets_total 28765
+# HELP node_xfrm_out_state_mode_error_packets_total Transformation mode specific error
+# TYPE node_xfrm_out_state_mode_error_packets_total counter
+node_xfrm_out_state_mode_error_packets_total 8
+# HELP node_xfrm_out_state_proto_error_packets_total Transformation protocol specific error
+# TYPE node_xfrm_out_state_proto_error_packets_total counter
+node_xfrm_out_state_proto_error_packets_total 4542
+# HELP node_xfrm_out_state_seq_error_packets_total Sequence error i.e. Sequence number overflow
+# TYPE node_xfrm_out_state_seq_error_packets_total counter
+node_xfrm_out_state_seq_error_packets_total 543
 # HELP node_xfs_allocation_btree_compares_total Number of allocation B-tree compares for a filesystem.
 # TYPE node_xfs_allocation_btree_compares_total counter
 node_xfs_allocation_btree_compares_total{device="sda1"} 0
--- a/collector/fixtures/proc/net/xfrm_stat
+++ b/collector/fixtures/proc/net/xfrm_stat
@ -0,0 +1,28 @@
+XfrmInError                     1
+XfrmInBufferError               2
+XfrmInHdrError                  4
+XfrmInNoStates                  3
+XfrmInStateProtoError           40
+XfrmInStateModeError            100
+XfrmInStateSeqError             6000
+XfrmInStateExpired              7
+XfrmInStateMismatch             23451
+XfrmInStateInvalid              55555
+XfrmInTmplMismatch              51
+XfrmInNoPols                    65432
+XfrmInPolBlock                  100
+XfrmInPolError                  10000
+XfrmOutError                    1000000
+XfrmOutBundleGenError           43321
+XfrmOutBundleCheckError         555
+XfrmOutNoStates                 869
+XfrmOutStateProtoError          4542
+XfrmOutStateModeError           8
+XfrmOutStateSeqError            543
+XfrmOutStateExpired             565
+XfrmOutPolBlock                 43456
+XfrmOutPolDead                  7656
+XfrmOutPolError                 1454
+XfrmFwdHdrError                 6654
+XfrmOutStateInvalid             28765
+XfrmAcquireError                24532
--- a/collector/xfrm.go
+++ b/collector/xfrm.go
@ -0,0 +1,228 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !noxfrm
+// +build !noxfrm
+
+package collector
+
+import (
+	"fmt"
+
+	"github.com/go-kit/log"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/procfs"
+)
+
+type xfrmCollector struct {
+	fs     procfs.FS
+	logger log.Logger
+}
+
+func init() {
+	registerCollector("xfrm", defaultDisabled, NewXfrmCollector)
+}
+
+// NewXfrmCollector returns a new Collector exposing XFRM stats.
+func NewXfrmCollector(logger log.Logger) (Collector, error) {
+	fs, err := procfs.NewFS(*procPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open procfs: %w", err)
+	}
+
+	return &xfrmCollector{
+		fs:     fs,
+		logger: logger,
+	}, nil
+}
+
+var (
+	xfrmInErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_error_packets_total"),
+		"All errors not matched by other",
+		nil, nil,
+	)
+	xfrmInBufferErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_buffer_error_packets_total"),
+		"No buffer is left",
+		nil, nil,
+	)
+	xfrmInHdrErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_hdr_error_packets_total"),
+		"Header error",
+		nil, nil,
+	)
+	xfrmInNoStatesDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_no_states_packets_total"),
+		"No state is found i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong",
+		nil, nil,
+	)
+	xfrmInStateProtoErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_proto_error_packets_total"),
+		"Transformation protocol specific error e.g. SA key is wrong",
+		nil, nil,
+	)
+	xfrmInStateModeErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_mode_error_packets_total"),
+		"Transformation mode specific error",
+		nil, nil,
+	)
+	xfrmInStateSeqErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_seq_error_packets_total"),
+		"Sequence error i.e. Sequence number is out of window",
+		nil, nil,
+	)
+	xfrmInStateExpiredDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_expired_packets_total"),
+		"State is expired",
+		nil, nil,
+	)
+	xfrmInStateMismatchDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_mismatch_packets_total"),
+		"State has mismatch option e.g. UDP encapsulation type is mismatch",
+		nil, nil,
+	)
+	xfrmInStateInvalidDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_state_invalid_packets_total"),
+		"State is invalid",
+		nil, nil,
+	)
+	xfrmInTmplMismatchDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_tmpl_mismatch_packets_total"),
+		"No matching template for states e.g. Inbound SAs are correct but SP rule is wrong",
+		nil, nil,
+	)
+	xfrmInNoPolsDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_no_pols_packets_total"),
+		"No policy is found for states e.g. Inbound SAs are correct but no SP is found",
+		nil, nil,
+	)
+	xfrmInPolBlockDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_pol_block_packets_total"),
+		"Policy discards",
+		nil, nil,
+	)
+	xfrmInPolErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "in_pol_error_packets_total"),
+		"Policy error",
+		nil, nil,
+	)
+	xfrmOutErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_error_packets_total"),
+		"All errors which is not matched others",
+		nil, nil,
+	)
+	xfrmOutBundleGenErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_bundle_gen_error_packets_total"),
+		"Bundle generation error",
+		nil, nil,
+	)
+	xfrmOutBundleCheckErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_bundle_check_error_packets_total"),
+		"Bundle check error",
+		nil, nil,
+	)
+	xfrmOutNoStatesDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_no_states_packets_total"),
+		"No state is found",
+		nil, nil,
+	)
+	xfrmOutStateProtoErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_state_proto_error_packets_total"),
+		"Transformation protocol specific error",
+		nil, nil,
+	)
+	xfrmOutStateModeErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_state_mode_error_packets_total"),
+		"Transformation mode specific error",
+		nil, nil,
+	)
+	xfrmOutStateSeqErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_state_seq_error_packets_total"),
+		"Sequence error i.e. Sequence number overflow",
+		nil, nil,
+	)
+	xfrmOutStateExpiredDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_state_expired_packets_total"),
+		"State is expired",
+		nil, nil,
+	)
+	xfrmOutPolBlockDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_pol_block_packets_total"),
+		"Policy discards",
+		nil, nil,
+	)
+	xfrmOutPolDeadDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_pol_dead_packets_total"),
+		"Policy is dead",
+		nil, nil,
+	)
+	xfrmOutPolErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_pol_error_packets_total"),
+		"Policy error",
+		nil, nil,
+	)
+	xfrmFwdHdrErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "fwd_hdr_error_packets_total"),
+		"Forward routing of a packet is not allowed",
+		nil, nil,
+	)
+	xfrmOutStateInvalidDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "out_state_invalid_packets_total"),
+		"State is invalid, perhaps expired",
+		nil, nil,
+	)
+	xfrmAcquireErrorDesc = prometheus.NewDesc(
+		prometheus.BuildFQName(namespace, "xfrm", "acquire_error_packets_total"),
+		"State hasn’t been fully acquired before use",
+		nil, nil,
+	)
+)
+
+func (c *xfrmCollector) Update(ch chan<- prometheus.Metric) error {
+	stat, err := c.fs.NewXfrmStat()
+	if err != nil {
+		return err
+	}
+
+	ch <- prometheus.MustNewConstMetric(xfrmInErrorDesc, prometheus.CounterValue, float64(stat.XfrmInError))
+	ch <- prometheus.MustNewConstMetric(xfrmInBufferErrorDesc, prometheus.CounterValue, float64(stat.XfrmInBufferError))
+	ch <- prometheus.MustNewConstMetric(xfrmInHdrErrorDesc, prometheus.CounterValue, float64(stat.XfrmInHdrError))
+	ch <- prometheus.MustNewConstMetric(xfrmInNoStatesDesc, prometheus.CounterValue, float64(stat.XfrmInNoStates))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateProtoErrorDesc, prometheus.CounterValue, float64(stat.XfrmInStateProtoError))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateModeErrorDesc, prometheus.CounterValue, float64(stat.XfrmInStateModeError))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateSeqErrorDesc, prometheus.CounterValue, float64(stat.XfrmInStateSeqError))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateExpiredDesc, prometheus.CounterValue, float64(stat.XfrmInStateExpired))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateMismatchDesc, prometheus.CounterValue, float64(stat.XfrmInStateMismatch))
+	ch <- prometheus.MustNewConstMetric(xfrmInStateInvalidDesc, prometheus.CounterValue, float64(stat.XfrmInStateInvalid))
+	ch <- prometheus.MustNewConstMetric(xfrmInTmplMismatchDesc, prometheus.CounterValue, float64(stat.XfrmInTmplMismatch))
+	ch <- prometheus.MustNewConstMetric(xfrmInNoPolsDesc, prometheus.CounterValue, float64(stat.XfrmInNoPols))
+	ch <- prometheus.MustNewConstMetric(xfrmInPolBlockDesc, prometheus.CounterValue, float64(stat.XfrmInPolBlock))
+	ch <- prometheus.MustNewConstMetric(xfrmInPolErrorDesc, prometheus.CounterValue, float64(stat.XfrmInPolError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutBundleGenErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutBundleGenError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutBundleCheckErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutBundleCheckError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutNoStatesDesc, prometheus.CounterValue, float64(stat.XfrmOutNoStates))
+	ch <- prometheus.MustNewConstMetric(xfrmOutStateProtoErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutStateProtoError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutStateModeErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutStateModeError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutStateSeqErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutStateSeqError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutStateExpiredDesc, prometheus.CounterValue, float64(stat.XfrmOutStateExpired))
+	ch <- prometheus.MustNewConstMetric(xfrmOutPolBlockDesc, prometheus.CounterValue, float64(stat.XfrmOutPolBlock))
+	ch <- prometheus.MustNewConstMetric(xfrmOutPolDeadDesc, prometheus.CounterValue, float64(stat.XfrmOutPolDead))
+	ch <- prometheus.MustNewConstMetric(xfrmOutPolErrorDesc, prometheus.CounterValue, float64(stat.XfrmOutPolError))
+	ch <- prometheus.MustNewConstMetric(xfrmFwdHdrErrorDesc, prometheus.CounterValue, float64(stat.XfrmFwdHdrError))
+	ch <- prometheus.MustNewConstMetric(xfrmOutStateInvalidDesc, prometheus.CounterValue, float64(stat.XfrmOutStateInvalid))
+	ch <- prometheus.MustNewConstMetric(xfrmAcquireErrorDesc, prometheus.CounterValue, float64(stat.XfrmAcquireError))
+
+	return err
+}
--- a/collector/xfrm_test.go
+++ b/collector/xfrm_test.go
@ -0,0 +1,151 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !noxfrm
+// +build !noxfrm
+
+package collector
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/go-kit/log"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/testutil"
+)
+
+type testXfrmCollector struct {
+	xc Collector
+}
+
+func (c testXfrmCollector) Collect(ch chan<- prometheus.Metric) {
+	c.xc.Update(ch)
+}
+
+func (c testXfrmCollector) Describe(ch chan<- *prometheus.Desc) {
+	prometheus.DescribeByCollect(c, ch)
+}
+
+func TestXfrmStats(t *testing.T) {
+	testcase := `# HELP node_xfrm_acquire_error_packets_total State hasn’t been fully acquired before use
+	# TYPE node_xfrm_acquire_error_packets_total counter
+	node_xfrm_acquire_error_packets_total 24532
+	# HELP node_xfrm_fwd_hdr_error_packets_total Forward routing of a packet is not allowed
+	# TYPE node_xfrm_fwd_hdr_error_packets_total counter
+	node_xfrm_fwd_hdr_error_packets_total 6654
+	# HELP node_xfrm_in_buffer_error_packets_total No buffer is left
+	# TYPE node_xfrm_in_buffer_error_packets_total counter
+	node_xfrm_in_buffer_error_packets_total 2
+	# HELP node_xfrm_in_error_packets_total All errors not matched by other
+	# TYPE node_xfrm_in_error_packets_total counter
+	node_xfrm_in_error_packets_total 1
+	# HELP node_xfrm_in_hdr_error_packets_total Header error
+	# TYPE node_xfrm_in_hdr_error_packets_total counter
+	node_xfrm_in_hdr_error_packets_total 4
+	# HELP node_xfrm_in_no_pols_packets_total No policy is found for states e.g. Inbound SAs are correct but no SP is found
+	# TYPE node_xfrm_in_no_pols_packets_total counter
+	node_xfrm_in_no_pols_packets_total 65432
+	# HELP node_xfrm_in_no_states_packets_total No state is found i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong
+	# TYPE node_xfrm_in_no_states_packets_total counter
+	node_xfrm_in_no_states_packets_total 3
+	# HELP node_xfrm_in_pol_block_packets_total Policy discards
+	# TYPE node_xfrm_in_pol_block_packets_total counter
+	node_xfrm_in_pol_block_packets_total 100
+	# HELP node_xfrm_in_pol_error_packets_total Policy error
+	# TYPE node_xfrm_in_pol_error_packets_total counter
+	node_xfrm_in_pol_error_packets_total 10000
+	# HELP node_xfrm_in_state_expired_packets_total State is expired
+	# TYPE node_xfrm_in_state_expired_packets_total counter
+	node_xfrm_in_state_expired_packets_total 7
+	# HELP node_xfrm_in_state_invalid_packets_total State is invalid
+	# TYPE node_xfrm_in_state_invalid_packets_total counter
+	node_xfrm_in_state_invalid_packets_total 55555
+	# HELP node_xfrm_in_state_mismatch_packets_total State has mismatch option e.g. UDP encapsulation type is mismatch
+	# TYPE node_xfrm_in_state_mismatch_packets_total counter
+	node_xfrm_in_state_mismatch_packets_total 23451
+	# HELP node_xfrm_in_state_mode_error_packets_total Transformation mode specific error
+	# TYPE node_xfrm_in_state_mode_error_packets_total counter
+	node_xfrm_in_state_mode_error_packets_total 100
+	# HELP node_xfrm_in_state_proto_error_packets_total Transformation protocol specific error e.g. SA key is wrong
+	# TYPE node_xfrm_in_state_proto_error_packets_total counter
+	node_xfrm_in_state_proto_error_packets_total 40
+	# HELP node_xfrm_in_state_seq_error_packets_total Sequence error i.e. Sequence number is out of window
+	# TYPE node_xfrm_in_state_seq_error_packets_total counter
+	node_xfrm_in_state_seq_error_packets_total 6000
+	# HELP node_xfrm_in_tmpl_mismatch_packets_total No matching template for states e.g. Inbound SAs are correct but SP rule is wrong
+	# TYPE node_xfrm_in_tmpl_mismatch_packets_total counter
+	node_xfrm_in_tmpl_mismatch_packets_total 51
+	# HELP node_xfrm_out_bundle_check_error_packets_total Bundle check error
+	# TYPE node_xfrm_out_bundle_check_error_packets_total counter
+	node_xfrm_out_bundle_check_error_packets_total 555
+	# HELP node_xfrm_out_bundle_gen_error_packets_total Bundle generation error
+	# TYPE node_xfrm_out_bundle_gen_error_packets_total counter
+	node_xfrm_out_bundle_gen_error_packets_total 43321
+	# HELP node_xfrm_out_error_packets_total All errors which is not matched others
+	# TYPE node_xfrm_out_error_packets_total counter
+	node_xfrm_out_error_packets_total 1e+06
+	# HELP node_xfrm_out_no_states_packets_total No state is found
+	# TYPE node_xfrm_out_no_states_packets_total counter
+	node_xfrm_out_no_states_packets_total 869
+	# HELP node_xfrm_out_pol_block_packets_total Policy discards
+	# TYPE node_xfrm_out_pol_block_packets_total counter
+	node_xfrm_out_pol_block_packets_total 43456
+	# HELP node_xfrm_out_pol_dead_packets_total Policy is dead
+	# TYPE node_xfrm_out_pol_dead_packets_total counter
+	node_xfrm_out_pol_dead_packets_total 7656
+	# HELP node_xfrm_out_pol_error_packets_total Policy error
+	# TYPE node_xfrm_out_pol_error_packets_total counter
+	node_xfrm_out_pol_error_packets_total 1454
+	# HELP node_xfrm_out_state_expired_packets_total State is expired
+	# TYPE node_xfrm_out_state_expired_packets_total counter
+	node_xfrm_out_state_expired_packets_total 565
+	# HELP node_xfrm_out_state_invalid_packets_total State is invalid, perhaps expired
+	# TYPE node_xfrm_out_state_invalid_packets_total counter
+	node_xfrm_out_state_invalid_packets_total 28765
+	# HELP node_xfrm_out_state_mode_error_packets_total Transformation mode specific error
+	# TYPE node_xfrm_out_state_mode_error_packets_total counter
+	node_xfrm_out_state_mode_error_packets_total 8
+	# HELP node_xfrm_out_state_proto_error_packets_total Transformation protocol specific error
+	# TYPE node_xfrm_out_state_proto_error_packets_total counter
+	node_xfrm_out_state_proto_error_packets_total 4542
+	# HELP node_xfrm_out_state_seq_error_packets_total Sequence error i.e. Sequence number overflow
+	# TYPE node_xfrm_out_state_seq_error_packets_total counter
+	node_xfrm_out_state_seq_error_packets_total 543
+	`
+	*procPath = "fixtures/proc"
+
+	logger := log.NewLogfmtLogger(os.Stderr)
+	c, err := NewXfrmCollector(logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	reg := prometheus.NewRegistry()
+	reg.MustRegister(&testXfrmCollector{xc: c})
+
+	sink := make(chan prometheus.Metric)
+	go func() {
+		err = c.Update(sink)
+		if err != nil {
+			panic(fmt.Errorf("failed to update collector: %s", err))
+		}
+		close(sink)
+	}()
+
+	err = testutil.GatherAndCompare(reg, strings.NewReader(testcase))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/end-to-end-test.sh
+++ b/end-to-end-test.sh
@ -51,6 +51,7 @@ enabled_collectors=$(cat << COLLECTORS
  udp_queues
  vmstat
  wifi
+  xfrm
  xfs
  zfs
  zoneinfo