diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1378,7 +1378,7 @@
 #ifdef _KERNEL
 struct pf_kstatus {
 counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */
- counter_u64_t lcounters[LCNT_MAX]; /* limit counters */
+ counter_u64_t lcounters[KLCNT_MAX]; /* limit counters */
 struct pf_counter_u64 fcounters[FCNT_MAX]; /* state operation counters */
 counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */
 uint32_t states;
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -161,6 +161,11 @@
 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
 #define LCNT_MAX 7 /* total+1 */
+/* Only available via the nvlist-based API */
+#define KLCNT_SYNFLOODS 7 /* synfloods detected */
+#define KLCNT_SYNCOOKIES_SENT 8 /* syncookies sent */
+#define KLCNT_SYNCOOKIES_VALID 9 /* syncookies validated */
+#define KLCNT_MAX 10 /* total+1 */
 
 #define LCNT_NAMES { \
 "max states per rule", \
@@ -172,6 +177,19 @@
 "overload flush states", \
 NULL \
 }
+#define KLCNT_NAMES { \
+ "max states per rule", \
+ "max-src-states", \
+ "max-src-nodes", \
+ "max-src-conn", \
+ "max-src-conn-rate", \
+ "overload table insertion", \
+ "overload flush states", \
+ "synfloods detected", \
+ "syncookies sent", \
+ "syncookies validated", \
+ NULL \
+}
 
 /* state operation counters */
 #define FCNT_STATE_SEARCH 0
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -368,7 +368,7 @@
 
 for (int i = 0; i < PFRES_MAX; i++)
 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
 for (int i = 0; i < FCNT_MAX; i++)
 pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
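Review bot: The new KLCNT_* values in the first pf.h hunk are hard-coded as 7 through 10 right below `#define LCNT_MAX 7`, so the only thing preventing a future LCNT_ addition from silently aliasing a kernel-only counter is that both lists get edited together; defining them relative to the legacy maximum, `#define KLCNT_SYNFLOODS LCNT_MAX` through `#define KLCNT_MAX (LCNT_MAX + 3)`, makes the dependency explicit. The same drift risk applies to KLCNT_NAMES in the second pf.h hunk, which repeats the seven LCNT_NAMES strings verbatim instead of sharing them, so a renamed legacy entry would show different names on the two APIs. The `/* limit counters */` comment on pf_kstatus.lcounters in the pfvar.h hunk is now stale since the array also carries syncookie statistics; something like `/* limit counters, plus kernel-only KLCNT_* stats */` would explain why KLCNT_MAX rather than LCNT_MAX sizes it.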
@@ -3125,7 +3125,7 @@
 pf_counter_u64_zero(&V_pf_status.fcounters[i]);
 for (int i = 0; i < SCNT_MAX; i++)
 counter_u64_zero(V_pf_status.scounters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 counter_u64_zero(V_pf_status.lcounters[i]);
 V_pf_status.since = time_second;
 if (*V_pf_status.ifname)
@@ -4927,7 +4927,7 @@
 int error;
 struct pf_status s;
 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
- char *pf_lcounter[LCNT_MAX+1] = LCNT_NAMES;
+ char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
 PF_RULES_RLOCK_TRACKER;
 
@@ -4954,7 +4954,7 @@
 
 /* lcounters */
 error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
- LCNT_MAX, pf_lcounter);
+ KLCNT_MAX, pf_lcounter);
 if (error != 0)
 ERROUT(error);
 
@@ -5805,7 +5805,7 @@
 
 for (int i = 0; i < PFRES_MAX; i++)
 counter_u64_free(V_pf_status.counters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 counter_u64_free(V_pf_status.lcounters[i]);
 for (int i = 0; i < FCNT_MAX; i++)
 pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -256,6 +256,7 @@
 
 pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
 iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 0, 1, 0);
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_SENT], 1);
 }
 
 uint8_t
@@ -275,6 +276,8 @@
 if ((ack & ~0xff) != (hash & ~0xff))
 return (0);
 
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
+
 return (1);
 }
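Review bot: In the pf_ioctl.c hunk at 4954, pf_add_status_counters now publishes KLCNT_MAX entries under the "lcounters" key, so any nvlist consumer that decodes that array into an LCNT_MAX-sized buffer by index would need a matching change; whether the userland side is count-driven or fixed-size is not visible in this diff, so it is worth confirming before this lands. The legacy ioctl path is presumably unaffected, since the new indices lie beyond LCNT_MAX and would simply never be copied, but that depends on code outside the patch. The enclosing function starts and ends outside the hunk.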
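Review bot: In the pf_syncookies.c hunk at 275 the new increment only counts cookies that pass the hash comparison, so the figure that is most useful for spotting a flood of spoofed ACKs, cookies that fail validation on the `return (0)` path two lines above, is never recorded; a further slot before KLCNT_MAX with a matching KLCNT_NAMES entry, incremented next to that early return, would make the nvlist output useful for detection as well as accounting. Relatedly, nothing in this diff increments KLCNT_SYNFLOODS even though pf.h defines and names it; if that increment lives in code outside the patch this is fine, otherwise the counter will always read 0. The enclosing function begins outside the hunk.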