authorHenning Brauer <henning@cvs.openbsd.org>2018-02-08 09:15:47 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2018-02-08 09:15:47 +0000
commit7b376b4859578f9a85ceb479b00d2d131f62b9c4 (patch)
tree1a8aeb678c731546f7fb8c0ee20013b34328db64 /sys
parent7c25b3186f9371f528caaa459b285deb45480ffb (diff)
make the watermarks/thresholds for entering and leaving syncookie mode tunable
when syncookies are set to adaptive, ok claudio benno
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf_syncookies.c6
-rw-r--r--sys/net/pfvar.h5
2 files changed, 7 insertions, 4 deletions
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c
index 14becfb2b30..63d15f12bc2 100644
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_syncookies.c,v 1.4 2018/02/08 02:25:44 henning Exp $ */
+/* $OpenBSD: pf_syncookies.c,v 1.5 2018/02/08 09:15:46 henning Exp $ */
/* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org>
@@ -132,8 +132,8 @@ pf_syncookies_init(void)
{
timeout_set(&pf_syncookie_status.keytimeout,
pf_syncookie_rotate, NULL);
- pf_syncookie_status.hiwat = PFSTATE_HIWAT/4;
- pf_syncookie_status.lowat = PFSTATE_HIWAT/8;
+ pf_syncookie_status.hiwat = PFSTATE_HIWAT * PF_SYNCOOKIES_HIWATPCT/100;
+ pf_syncookie_status.lowat = PFSTATE_HIWAT * PF_SYNCOOKIES_LOWATPCT/100;
pf_syncookies_setmode(PF_SYNCOOKIES_NEVER);
}
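Review bot: The `lowat` assignment only yields 12.5% of `PFSTATE_HIWAT` because `PF_SYNCOOKIES_LOWATPCT` expands unparenthesized to `PF_SYNCOOKIES_HIWATPCT/2`, so the line evaluates left to right as `PFSTATE_HIWAT * 25 / 2 / 100`. The define in the pfvar.h hunk should be parenthesized, but `(PF_SYNCOOKIES_HIWATPCT/2)` truncates to 12 and would silently move the threshold for leaving syncookie mode, so I would derive the low mark from the high one instead: `pf_syncookie_status.lowat = pf_syncookie_status.hiwat / 2;`. Both assignments also rely on `PFSTATE_HIWAT * pct` fitting the type of the expression; `PFSTATE_HIWAT` is defined outside this diff, so that is worth confirming if either constant grows.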
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 7ec2d91da41..fb245426ef4 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.473 2018/02/08 02:25:44 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.474 2018/02/08 09:15:46 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1326,6 +1326,9 @@ struct pf_status {
#define PF_SYNCOOKIES_ADAPTIVE 2
#define PF_SYNCOOKIES_MODE_MAX PF_SYNCOOKIES_ADAPTIVE
+#define PF_SYNCOOKIES_HIWATPCT 25
+#define PF_SYNCOOKIES_LOWATPCT PF_SYNCOOKIES_HIWATPCT/2
+
#define PF_PRIO_ZERO 0xff /* match "prio 0" packets */
struct pf_queue_bwspec {
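Review bot: The two new defines carry no comment, and nothing in this hunk says they are percentages of `PFSTATE_HIWAT` or that they are only the initial values assigned in `pf_syncookies_init()`. I would add `/* adaptive syncookies: default enter/leave watermarks, in percent of PFSTATE_HIWAT */` above them. The code that accepts changed watermarks is not part of this diff; since these thresholds decide when syncookie mode is entered and left, that code should reject a low mark that is not below the high mark, if it does not already.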