The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9136dfca19bfb9bc639010d05e95b2d56c6e0935

commit 9136dfca19bfb9bc639010d05e95b2d56c6e0935
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2021-08-29 13:54:50 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2021-09-08 07:28:14 +0000

    pf: Add counters for syncookies
    
    Count when we send a syncookie, receive a valid syncookie or detect a
    synflood.
    
    Reviewed by:    kbowling
    MFC after:      1 week
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D31713
    
    (cherry picked from commit 4cab80a8dfecdf16333a1113513e046b9f4dd7f6)
---
 sys/net/pfvar.h                |  2 +-
 sys/netpfil/pf/pf.h            | 18 ++++++++++++++++++
 sys/netpfil/pf/pf_ioctl.c      | 10 +++++-----
 sys/netpfil/pf/pf_syncookies.c |  3 +++
 4 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0b83feea9085..9cd605f659c7 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1375,7 +1375,7 @@ enum pf_syncookies_mode {
 #ifdef _KERNEL
 struct pf_kstatus {
        counter_u64_t   counters[PFRES_MAX]; /* reason for passing/dropping */
-       counter_u64_t   lcounters[LCNT_MAX]; /* limit counters */
+       counter_u64_t   lcounters[KLCNT_MAX]; /* limit counters */
        struct pf_counter_u64   fcounters[FCNT_MAX]; /* state operation 
counters */
        counter_u64_t   scounters[SCNT_MAX]; /* src_node operation counters */
        uint32_t        states;
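Review bot: The field comment `/* limit counters */` on the lcounters line no longer conveys that this kernel-only array (the struct sits under `#ifdef _KERNEL`) is now longer than the LCNT_MAX-sized table, which matters for any code that still copies lcounters element-wise into the separate `struct pf_status` seen in pf_getstatus(); that copy code is outside this hunk, so I can't confirm it keeps LCNT_MAX as its bound. Suggested comment for the changed line: `/* limit counters; [0, LCNT_MAX) presumably mirror struct pf_status, the KLCNT_* slots beyond are nvlist-only */`. struct pf_kstatus continues past the end of the hunk.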
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 319cd8164d8d..cc6edc774da0 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -161,6 +161,11 @@ enum       { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, 
PF_ADDR_DYNIFTL,
 #define LCNT_OVERLOAD_TABLE    5       /* entry added to overload table */
 #define LCNT_OVERLOAD_FLUSH    6       /* state entries flushed */
 #define LCNT_MAX               7       /* total+1 */
+/* Only available via the nvlist-based API */
+#define KLCNT_SYNFLOODS                7       /* synfloods detected */
+#define KLCNT_SYNCOOKIES_SENT  8       /* syncookies sent */
+#define KLCNT_SYNCOOKIES_VALID 9       /* syncookies validated */
+#define KLCNT_MAX              10      /* total+1 */
 
 #define LCNT_NAMES { \
        "max states per rule", \
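Review bot: KLCNT_SYNFLOODS is defined here (and named "synfloods detected" in the next hunk) but no hunk in this commit increments it: the diffstat lists three insertions in pf_syncookies.c, which are the two counter_u64_add() calls and one blank line, so unless it is bumped by code outside this diff the nvlist API will export a counter that stays at zero while the commit message says synflood detection is counted. Either add the increment where the flood is detected or mark the define as not yet wired, e.g. `#define KLCNT_SYNFLOODS 7 /* synfloods detected (reserved, not yet incremented) */`. A secondary point of style: the kernel-only indices are written as literal 7, 8, 9, 10 and silently rely on equalling LCNT_MAX and up; expressing them relative to it, `#define KLCNT_SYNFLOODS LCNT_MAX` and `#define KLCNT_SYNCOOKIES_SENT (LCNT_MAX + 1)` and so on, turns a future insertion before LCNT_MAX into a renumbering instead of a collision with an existing slot.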
@@ -172,6 +177,19 @@ enum       { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, 
PF_ADDR_DYNIFTL,
        "overload flush states", \
        NULL \
 }
+#define KLCNT_NAMES { \
+       "max states per rule", \
+       "max-src-states", \
+       "max-src-nodes", \
+       "max-src-conn", \
+       "max-src-conn-rate", \
+       "overload table insertion", \
+       "overload flush states", \
+       "synfloods detected", \
+       "syncookies sent", \
+       "syncookies validated", \
+       NULL \
+}
 
 /* state operation counters */
 #define FCNT_STATE_SEARCH      0
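Review bot: The first seven strings of KLCNT_NAMES are a verbatim copy of LCNT_NAMES, so the two tables can drift independently; since pf_getstatus() hands this table to pf_add_status_counters() in the pf_ioctl.c hunks, these strings are presumably the names exported over the nvlist API, where drift would be user-visible. If the macro cannot be built from a shared list, a comment tying the two together would at least make the invariant explicit: `/* Must match LCNT_NAMES for the first LCNT_MAX entries, followed by the KLCNT_* names in index order */`.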
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 1305d1adc913..f367ad9a2800 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -377,7 +377,7 @@ pfattach_vnet(void)
 
        for (int i = 0; i < PFRES_MAX; i++)
                V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
-       for (int i = 0; i < LCNT_MAX; i++)
+       for (int i = 0; i < KLCNT_MAX; i++)
                V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
        for (int i = 0; i < FCNT_MAX; i++)
                pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
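Review bot: The allocation loop in this hunk, the zeroing loop in the ioctl handler hunk and the free loop in the pf_unload_vnet() hunk each carry the bound KLCNT_MAX by hand, which is exactly the bound this commit had to edit in three places; deriving it from the array instead, `for (u_int i = 0; i < nitems(V_pf_status.lcounters); i++)`, keeps all three loops correct if the array grows again and cannot under- or over-run it. pfattach_vnet() begins and ends outside the hunk.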
@@ -3134,7 +3134,7 @@ DIOCGETSTATESV2_full:
                        pf_counter_u64_zero(&V_pf_status.fcounters[i]);
                for (int i = 0; i < SCNT_MAX; i++)
                        counter_u64_zero(V_pf_status.scounters[i]);
-               for (int i = 0; i < LCNT_MAX; i++)
+               for (int i = 0; i < KLCNT_MAX; i++)
                        counter_u64_zero(V_pf_status.lcounters[i]);
                V_pf_status.since = time_second;
                if (*V_pf_status.ifname)
@@ -4936,7 +4936,7 @@ pf_getstatus(struct pfioc_nv *nv)
        int              error;
        struct pf_status s;
        char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
-       char *pf_lcounter[LCNT_MAX+1] = LCNT_NAMES;
+       char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
        char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
        PF_RULES_RLOCK_TRACKER;
 
@@ -4963,7 +4963,7 @@ pf_getstatus(struct pfioc_nv *nv)
 
        /* lcounters */
        error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
-           LCNT_MAX, pf_lcounter);
+           KLCNT_MAX, pf_lcounter);
        if (error != 0)
                ERROUT(error);
 
@@ -5814,7 +5814,7 @@ pf_unload_vnet(void)
 
        for (int i = 0; i < PFRES_MAX; i++)
                counter_u64_free(V_pf_status.counters[i]);
-       for (int i = 0; i < LCNT_MAX; i++)
+       for (int i = 0; i < KLCNT_MAX; i++)
                counter_u64_free(V_pf_status.lcounters[i]);
        for (int i = 0; i < FCNT_MAX; i++)
                pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 744a12e4e21d..4eabbb5e2744 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -256,6 +256,7 @@ pf_syncookie_send(struct mbuf *m, int off, struct pf_pdesc 
*pd)
        pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
            iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
            0, 1, 0);
+       counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_SENT], 1);
 }
 
 uint8_t
@@ -275,6 +276,8 @@ pf_syncookie_validate(struct pf_pdesc *pd)
        if ((ack & ~0xff) != (hash & ~0xff))
                return (0);
 
+       counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
+
        return (1);
 }
 
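Review bot: Only the accepting path of pf_syncookie_validate() is counted; the `return (0)` just above the new line (and any earlier rejection paths, which are outside the hunk) leave no trace, so an operator sees "syncookies validated" but cannot tell whether cookies are also being rejected, which is the signal that distinguishes a quiet link from a stream of ACKs that never matched a cookie. A companion counter on the rejection path, e.g. `KLCNT_SYNCOOKIES_INVALID` (name proposed here, not in the tree) bumped before each `return (0)`, would give that visibility at the same cost as the existing increments. pf_syncookie_validate() starts outside the hunk.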