D31713.diff
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1378,7 +1378,7 @@
#ifdef _KERNEL
struct pf_kstatus {
counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */
- counter_u64_t lcounters[LCNT_MAX]; /* limit counters */
+ counter_u64_t lcounters[KLCNT_MAX]; /* limit counters */
struct pf_counter_u64 fcounters[FCNT_MAX]; /* state operation counters */
counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */
uint32_t states;
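Review bot: The `lcounters` field now has KLCNT_MAX slots, but nothing at the declaration says that indices at or above LCNT_MAX exist only on the kernel side. `struct pf_status` is not shown in this diff; if its `lcounters` array is still sized by LCNT_MAX, any loop that copies from `pf_kstatus` into it must keep using LCNT_MAX as its bound, or it would write past the end of the smaller array. I would extend the field comment to something like `/* limit counters; entries >= LCNT_MAX are kernel-only, never copy them into struct pf_status */`. The struct body continues outside the hunk.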
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -161,6 +161,11 @@
#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
#define LCNT_MAX 7 /* total+1 */
+/* Only available via the nvlist-based API */
+#define KLCNT_SYNFLOODS 7 /* synfloods detected */
+#define KLCNT_SYNCOOKIES_SENT 8 /* syncookies sent */
+#define KLCNT_SYNCOOKIES_VALID 9 /* syncookies validated */
+#define KLCNT_MAX 10 /* total+1 */
#define LCNT_NAMES { \
"max states per rule", \
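Review bot: `KLCNT_SYNFLOODS` is defined and given a name string, but no hunk in this diff increments it; only `KLCNT_SYNCOOKIES_SENT` and `KLCNT_SYNCOOKIES_VALID` are bumped in pf_syncookies.c. Unless the increment lives in code not shown here, "synfloods detected" will always be exported as 0, which would mislead anyone monitoring it. Either add the increment or note on the define that it is reserved. The new values are also hard-coded to continue from `LCNT_MAX`; a `_Static_assert(KLCNT_SYNFLOODS == LCNT_MAX, "KLCNT_* must extend LCNT_*");` after the block would catch renumbering.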
@@ -172,6 +177,19 @@
"overload flush states", \
NULL \
}
+#define KLCNT_NAMES { \
+ "max states per rule", \
+ "max-src-states", \
+ "max-src-nodes", \
+ "max-src-conn", \
+ "max-src-conn-rate", \
+ "overload table insertion", \
+ "overload flush states", \
+ "synfloods detected", \
+ "syncookies sent", \
+ "syncookies validated", \
+ NULL \
+}
/* state operation counters */
#define FCNT_STATE_SEARCH 0
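Review bot: `KLCNT_NAMES` repeats the seven strings of `LCNT_NAMES` by hand, so adding an LCNT_ entry later means editing both tables and the KLCNT_ indices together. If the table falls short, `pf_lcounter[KLCNT_MAX+1]` is padded with NULL and those entries go to `pf_add_status_counters` as names; how that helper treats a NULL name is not visible in this diff. A comment above `KLCNT_NAMES` such as `/* Must start with the LCNT_NAMES entries, in the same order, and have exactly KLCNT_MAX strings */` would make the coupling explicit. Alternatively, the shared strings could be factored into one macro that both tables expand.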
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -368,7 +368,7 @@
for (int i = 0; i < PFRES_MAX; i++)
V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
for (int i = 0; i < FCNT_MAX; i++)
pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
@@ -3125,7 +3125,7 @@
pf_counter_u64_zero(&V_pf_status.fcounters[i]);
for (int i = 0; i < SCNT_MAX; i++)
counter_u64_zero(V_pf_status.scounters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
counter_u64_zero(V_pf_status.lcounters[i]);
V_pf_status.since = time_second;
if (*V_pf_status.ifname)
@@ -4927,7 +4927,7 @@
int error;
struct pf_status s;
char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
- char *pf_lcounter[LCNT_MAX+1] = LCNT_NAMES;
+ char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
PF_RULES_RLOCK_TRACKER;
@@ -4954,7 +4954,7 @@
/* lcounters */
error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
- LCNT_MAX, pf_lcounter);
+ KLCNT_MAX, pf_lcounter);
if (error != 0)
ERROUT(error);
@@ -5805,7 +5805,7 @@
for (int i = 0; i < PFRES_MAX; i++)
counter_u64_free(V_pf_status.counters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
counter_u64_free(V_pf_status.lcounters[i]);
for (int i = 0; i < FCNT_MAX; i++)
pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -256,6 +256,7 @@
pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
0, 1, 0);
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_SENT], 1);
}
uint8_t
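Review bot: The `KLCNT_SYNCOOKIES_SENT` increment runs unconditionally after `pf_send_tcp()`, whose result is not checked here. If that call can fail to build or queue the SYN|ACK (for example on allocation failure, which is not visible in this hunk), the counter records attempts rather than packets sent. A short comment such as `/* counts attempts; pf_send_tcp() failures are not subtracted */` would keep operators from over-reading the number. The enclosing function starts outside the hunk.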
@@ -275,6 +276,8 @@
if ((ack & ~0xff) != (hash & ~0xff))
return (0);
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
+
return (1);
}
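Review bot: Only the success path is counted: the `return (0)` taken when `(ack & ~0xff) != (hash & ~0xff)` leaves no trace in the status counters. For detection, the rate of rejected cookies is at least as useful as the rate of accepted ones, since "validated" alone cannot distinguish a quiet link from one receiving many ACKs with bad cookies. Consider a companion counter on the reject path, or state in the description that failures are deliberately not counted. The function body starts outside the hunk.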
D31713: pf: Add counters for syncookies