path: root/sys/net/pf_ioctl.c
authorHenning Brauer <henning@cvs.openbsd.org>2018-02-06 23:44:49 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2018-02-06 23:44:49 +0000
commit6dad7fddcd0857acc0cb760eee8e3116dee2a41a (patch)
treec53f8bb710e17ee512358a04078c4cecdef693cd /sys/net/pf_ioctl.c
parent813ee9a3f397d68ed8753699ffff77ed8b4c2483 (diff)
syncookies for pf.
when syncookies are on, pf will blindly answer each and every SYN with a syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will reconstruct the original SYN, shove it through pf_test, where state will be created if the ruleset permits it. Then massage the freshly created state (we won't see the SYNACK), set up the sequence number modulator, and call into the existing synproxy code to start the 3WHS with the backend host. Add an - somewhat basic for now - adaptive mode where syncookies get enabled if a certain percentage of the state table is filled up with half-open tcp connections. This makes pf firewalls resilient against large synflood attacks. syncookies are off by default until we have gained more experience; they are considered experimental for now. see http://bulabula.org/papers/2017/bsdcan/ for more details. joint work with sashan@, widely discussed and with lots of input by many
Diffstat (limited to 'sys/net/pf_ioctl.c')
-rw-r--r--sys/net/pf_ioctl.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index a88a9466e86..231ff91b444 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.328 2018/02/06 09:16:11 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.329 2018/02/06 23:44:48 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -173,6 +173,7 @@ pfattach(int num)
pfr_initialize();
pfi_initialize();
pf_osfp_initialize();
+ pf_syncookies_init();
pool_sethardlimit(pf_pool_limits[PF_LIMIT_STATES].pp,
pf_pool_limits[PF_LIMIT_STATES].limit, NULL, 0);
@@ -2645,6 +2646,20 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
+ case DIOCSETSYNFLWATS: {
+ struct pfioc_synflwats *io = (struct pfioc_synflwats *)addr;
+
+ error = pf_syncookies_setwats(io->hiwat, io->lowat);
+ break;
+ }
+
+ case DIOCSETSYNCOOKIES: {
+ u_int8_t *mode = (u_int8_t *)addr;
+
+ error = pf_syncookies_setmode(*mode);
+ break;
+ }
+
default:
error = ENODEV;
break;
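Review bot: The DIOCSETSYNCOOKIES and DIOCSETSYNFLWATS cases hand the user-supplied `*mode`, `io->hiwat` and `io->lowat` to pf_syncookies_setmode() and pf_syncookies_setwats() without any check or lock at the ioctl layer, so correctness rests entirely on those helpers, which are not in this file; if they own the range validation (mode within the defined set, lowat not above hiwat) and any locking the packet path needs for the fields they write, that contract should be stated at the call site so nobody later adds a redundant or conflicting check, e.g. `/* validation and locking are pf_syncookies_setmode()'s job */` and the matching comment on the setwats call. Other pfioctl cases that modify pf_status appear to wrap their work in NET_LOCK()/NET_UNLOCK() (none are in this hunk, so this is inferred); if the syncookie fields are read by pf_test() concurrently, the new cases should follow the same pattern or document why they need not. pfioctl begins and ends outside the hunk, so the securelevel and FWRITE gating at its top is not visible here; if those filters reject any command not explicitly listed, the two new set-commands are covered without change, which is worth confirming rather than assuming.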