From 4c2e2525b5c8a0fb232b86bd43d74a7d45801dd9 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Thu, 8 Feb 2018 02:25:45 +0000
Subject: add DIOCGETSYNFLWATS to get current synflood detection watermarks, ok claudio benno procter
---
 sys/net/pf_ioctl.c | 15 +++++++++++++--
 sys/net/pf_syncookies.c | 10 +++++++++-
 sys/net/pfvar.h | 4 +++-
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 63f5c86ae45..078caeb71fa 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,8 +1,8 @@
-/* $OpenBSD: pf_ioctl.c,v 1.330 2018/02/07 06:11:43 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.331 2018/02/08 02:25:44 henning Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
- * Copyright (c) 2002 - 2013 Henning Brauer
+ * Copyright (c) 2002 - 2018 Henning Brauer
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -943,6 +943,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 case DIOCIGETIFACES:
 case DIOCSETIFFLAG:
 case DIOCCLRIFFLAG:
+ case DIOCGETSYNFLWATS:
 break;
 case DIOCRCLRTABLES:
 case DIOCRADDTABLES:
@@ -978,6 +979,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 case DIOCOSFPGET:
 case DIOCGETSRCNODES:
 case DIOCIGETIFACES:
+ case DIOCGETSYNFLWATS:
 break;
 case DIOCRCLRTABLES:
 case DIOCRADDTABLES:
@@ -2655,6 +2657,15 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 break;
 }
 
+ case DIOCGETSYNFLWATS: {
+ struct pfioc_synflwats *io = (struct pfioc_synflwats *)addr;
+
+ PF_LOCK();
+ error = pf_syncookies_getwats(io);
+ PF_UNLOCK();
+ break;
+ }
+
 case DIOCSETSYNCOOKIES: {
 u_int8_t *mode = (u_int8_t *)addr;
 
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c
index 2df85032dff..14becfb2b30 100644
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
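Review bot: The new `DIOCGETSYNFLWATS` case in pfioctl() (sys/net/pf_ioctl.c, hunk at -2655) takes PF_LOCK() around the read, which only gives a consistent hiwat/lowat pair if the DIOCSETSYNFLWATS path writes both fields under the same lock; that handler is not in the diff and should be checked. The hunks at -943 and -978 also add the command to two pass-through case lists, which appear to be the commands still permitted at raised securelevel and on a descriptor opened without write access (the enclosing conditions are not visible). That fits a handler that only copies two values out, and a comment on the new case would keep it that way: `/* read-only query: copies the watermarks out, changes no pf state */`. pfioctl() begins and ends outside all three hunks.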
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_syncookies.c,v 1.3 2018/02/07 05:48:47 henning Exp $ */
+/* $OpenBSD: pf_syncookies.c,v 1.4 2018/02/08 02:25:44 henning Exp $ */
 
 /* Copyright (c) 2016,2017 Henning Brauer
 * Copyright (c) 2016 Alexandr Nedvedicky
@@ -165,6 +165,14 @@ pf_syncookies_setwats(u_int32_t hiwat, u_int32_t lowat)
 return (0);
 }
 
+int
+pf_syncookies_getwats(struct pfioc_synflwats *wats)
+{
+ wats->hiwat = pf_syncookie_status.hiwat;
+ wats->lowat = pf_syncookie_status.lowat;
+ return (0);
+}
+
 int
 pf_synflood_check(struct pf_pdesc *pd)
 {
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index a62e7e2b860..7ec2d91da41 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.472 2018/02/07 05:48:47 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.473 2018/02/08 02:25:44 henning Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1650,6 +1650,7 @@ struct pfioc_synflwats {
 #define DIOCGETQSTATS _IOWR('D', 96, struct pfioc_qstats)
 #define DIOCSETSYNFLWATS _IOWR('D', 97, struct pfioc_synflwats)
 #define DIOCSETSYNCOOKIES _IOWR('D', 98, u_int8_t)
+#define DIOCGETSYNFLWATS _IOWR('D', 99, struct pfioc_synflwats)
 
 #ifdef _KERNEL
 
@@ -1945,6 +1946,7 @@ void pf_send_tcp(const struct pf_rule *, sa_family_t,
 void pf_syncookies_init(void);
 int pf_syncookies_setmode(u_int8_t);
 int pf_syncookies_setwats(u_int32_t, u_int32_t);
+int pf_syncookies_getwats(struct pfioc_synflwats *);
 int pf_synflood_check(struct pf_pdesc *);
 void pf_syncookie_send(struct pf_pdesc *);
 u_int8_t pf_syncookie_validate(struct pf_pdesc *);
-- 
cgit v1.2.3
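Review bot: pf_syncookies_getwats() in sys/net/pf_syncookies.c (hunk at -165) carries no comment saying that it depends on its caller for locking; the only caller in this commit wraps it in PF_LOCK(), but nothing in the function records or enforces that. I would put `/* copy the current synflood watermarks out; caller holds PF_LOCK */` above it and, if the macro is usable in this file, `PF_ASSERT_LOCKED();` as its first statement. It fills only `hiwat` and `lowat`, so any other member of struct pfioc_synflwats (its definition is not part of the diff) would presumably go back to userland exactly as it was copied in. The constant `return (0)` keeps the signature parallel to pf_syncookies_setwats().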
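Review bot: `DIOCGETSYNFLWATS` is declared with `_IOWR` in sys/net/pfvar.h (hunk at -1650), although the handler added in pf_ioctl.c never reads the caller's struct and only fills in `hiwat` and `lowat`. `_IOR` would state the direction of the call and skip the copy-in: `#define DIOCGETSYNFLWATS _IOR('D', 99, struct pfioc_synflwats)`. The three neighbouring definitions all use `_IOWR`, so this may simply follow local habit; if it stays, a short comment that the input contents are ignored would help anyone auditing the ioctl surface.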