Changeset View
Changeset View
Standalone View
Standalone View
sys/netpfil/pf/pf_syncookies.c
| Show First 20 Lines • Show All 79 Lines • ▼ Show 20 Lines | |||||
| #include <net/route.h> | #include <net/route.h> | ||||
| #include <netinet/in.h> | #include <netinet/in.h> | ||||
| #include <netinet/ip.h> | #include <netinet/ip.h> | ||||
| #include <netinet/tcp.h> | #include <netinet/tcp.h> | ||||
| #include <netinet/tcp_var.h> | #include <netinet/tcp_var.h> | ||||
| #include <net/pfvar.h> | #include <net/pfvar.h> | ||||
| #include <netpfil/pf/pf_nv.h> | |||||
| #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x | #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x | ||||
| union pf_syncookie { | union pf_syncookie { | ||||
| uint8_t cookie; | uint8_t cookie; | ||||
| struct { | struct { | ||||
| uint8_t oddeven:1, | uint8_t oddeven:1, | ||||
| sack_ok:1, | sack_ok:1, | ||||
| ▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines | pf_get_syncookies(struct pfioc_nv *nv) | ||||
| void *nvlpacked = NULL; | void *nvlpacked = NULL; | ||||
| nvl = nvlist_create(0); | nvl = nvlist_create(0); | ||||
| if (nvl == NULL) | if (nvl == NULL) | ||||
| return (ENOMEM); | return (ENOMEM); | ||||
| nvlist_add_bool(nvl, "enabled", | nvlist_add_bool(nvl, "enabled", | ||||
| V_pf_status.syncookies_mode != PF_SYNCOOKIES_NEVER); | V_pf_status.syncookies_mode != PF_SYNCOOKIES_NEVER); | ||||
| nvlist_add_bool(nvl, "adaptive", false); | nvlist_add_bool(nvl, "adaptive", | ||||
| V_pf_status.syncookies_mode == PF_SYNCOOKIES_ADAPTIVE); | |||||
| nvlist_add_number(nvl, "highwater", V_pf_syncookie_status.hiwat); | |||||
| nvlist_add_number(nvl, "lowwater", V_pf_syncookie_status.lowat); | |||||
| nvlpacked = nvlist_pack(nvl, &nv->len); | nvlpacked = nvlist_pack(nvl, &nv->len); | ||||
| if (nvlpacked == NULL) { | if (nvlpacked == NULL) { | ||||
| nvlist_destroy(nvl); | nvlist_destroy(nvl); | ||||
| return (ENOMEM); | return (ENOMEM); | ||||
| } | } | ||||
| if (nv->size == 0) { | if (nv->size == 0) { | ||||
| nvlist_destroy(nvl); | nvlist_destroy(nvl); | ||||
| Show All 10 Lines | |||||
| int | int | ||||
| pf_set_syncookies(struct pfioc_nv *nv) | pf_set_syncookies(struct pfioc_nv *nv) | ||||
| { | { | ||||
| nvlist_t *nvl = NULL; | nvlist_t *nvl = NULL; | ||||
| void *nvlpacked = NULL; | void *nvlpacked = NULL; | ||||
| int error; | int error; | ||||
| bool enabled, adaptive; | bool enabled, adaptive; | ||||
| uint32_t hiwat, lowat; | |||||
| uint8_t newmode; | |||||
| #define ERROUT(x) ERROUT_FUNCTION(errout, x) | |||||
| if (nv->len > pf_ioctl_maxcount) | if (nv->len > pf_ioctl_maxcount) | ||||
| return (ENOMEM); | return (ENOMEM); | ||||
| nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); | nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); | ||||
| if (nvlpacked == NULL) | if (nvlpacked == NULL) | ||||
| return (ENOMEM); | return (ENOMEM); | ||||
| error = copyin(nv->data, nvlpacked, nv->len); | error = copyin(nv->data, nvlpacked, nv->len); | ||||
| if (error) { | if (error) | ||||
| free(nvlpacked, M_TEMP); | ERROUT(error); | ||||
| return (error); | |||||
| } | |||||
| nvl = nvlist_unpack(nvlpacked, nv->len, 0); | nvl = nvlist_unpack(nvlpacked, nv->len, 0); | ||||
| if (nvl == NULL) { | if (nvl == NULL) | ||||
| free(nvlpacked, M_TEMP); | ERROUT(EBADMSG); | ||||
| return (EBADMSG); | |||||
| } | |||||
| if (! nvlist_exists_bool(nvl, "enabled") | if (! nvlist_exists_bool(nvl, "enabled") | ||||
| || ! nvlist_exists_bool(nvl, "adaptive")) { | || ! nvlist_exists_bool(nvl, "adaptive")) | ||||
| nvlist_destroy(nvl); | ERROUT(EBADMSG); | ||||
| free(nvlpacked, M_TEMP); | |||||
| return (EBADMSG); | |||||
| } | |||||
| enabled = nvlist_get_bool(nvl, "enabled"); | enabled = nvlist_get_bool(nvl, "enabled"); | ||||
| adaptive = nvlist_get_bool(nvl, "adaptive"); | adaptive = nvlist_get_bool(nvl, "adaptive"); | ||||
| PFNV_CHK(pf_nvuint32_opt(nvl, "highwater", &hiwat, | |||||
| V_pf_syncookie_status.hiwat)); | |||||
| PFNV_CHK(pf_nvuint32_opt(nvl, "lowwater", &lowat, | |||||
| V_pf_syncookie_status.lowat)); | |||||
| if (adaptive) { | if (lowat >= hiwat) | ||||
| nvlist_destroy(nvl); | ERROUT(EINVAL); | ||||
| free(nvlpacked, M_TEMP); | |||||
| return (ENOTSUP); | |||||
| } | |||||
| newmode = PF_SYNCOOKIES_NEVER; | |||||
| if (enabled) | |||||
| newmode = adaptive ? PF_SYNCOOKIES_ADAPTIVE : PF_SYNCOOKIES_ALWAYS; | |||||
| PF_RULES_WLOCK(); | PF_RULES_WLOCK(); | ||||
| error = pf_syncookies_setmode(enabled ? | error = pf_syncookies_setmode(newmode); | ||||
| PF_SYNCOOKIES_ALWAYS : PF_SYNCOOKIES_NEVER); | |||||
| V_pf_syncookie_status.lowat = lowat; | |||||
| V_pf_syncookie_status.hiwat = hiwat; | |||||
| PF_RULES_WUNLOCK(); | PF_RULES_WUNLOCK(); | ||||
| #undef ERROUT | |||||
| errout: | |||||
| nvlist_destroy(nvl); | |||||
| free(nvlpacked, M_TEMP); | |||||
| return (error); | return (error); | ||||
| } | } | ||||
| static int | static int | ||||
| pf_syncookies_setmode(u_int8_t mode) | pf_syncookies_setmode(u_int8_t mode) | ||||
| { | { | ||||
| if (mode > PF_SYNCOOKIES_MODE_MAX) | if (mode > PF_SYNCOOKIES_MODE_MAX) | ||||
| ▲ Show 20 Lines • Show All 258 Lines • Show Last 20 Lines | |||||