From da34c0e0269decb017a680092e02d33530b4e0a5 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Mon, 13 Nov 2017 11:30:12 +0000
Subject: add a generic packet rate matching filter. allows things like pass in proto icmp max-pkt-rate 100/10 all packets matching the rule in the direction the state was created are taken into consideration (typically: requests, but not replies). Just like with the other max-*, the rule stops matching if the maximum is reached, so in typical scenarios the default block rule would kick in then. with input from Holger Mikolon ok mikeb
---
 sys/net/pfvar.h | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
(limited to 'sys/net/pfvar.h')
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 11ac9cf0ce3..c68814bc989 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.466 2017/09/05 22:15:32 sashan Exp $ */
+/* $OpenBSD: pfvar.h,v 1.467 2017/11/13 11:30:11 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -317,6 +317,15 @@ struct pf_rule_addr {
 	u_int16_t weight;
 };
 
+struct pf_threshold {
+	u_int32_t limit;
+#define PF_THRESHOLD_MULT 1000
+#define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
+	u_int32_t seconds;
+	u_int32_t count;
+	u_int32_t last;
+};
+
 struct pf_poolhashkey {
 	union {
 		u_int8_t key8[16];
@@ -496,6 +505,7 @@ struct pf_rule {
 	struct pf_pool nat;
 	struct pf_pool rdr;
 	struct pf_pool route;
+	struct pf_threshold pktrate;
 
 	u_int64_t evaluations;
 	u_int64_t packets[2];
@@ -610,15 +620,6 @@ struct pf_rule {
 #define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */
 
-struct pf_threshold {
-	u_int32_t limit;
-#define PF_THRESHOLD_MULT 1000
-#define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
-	u_int32_t seconds;
-	u_int32_t count;
-	u_int32_t last;
-};
-
 struct pf_rule_item {
 	SLIST_ENTRY(pf_rule_item) entry;
 	struct pf_rule *r;
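Review bot: `PF_THRESHOLD_MAX` expands to `0xffffffff / PF_THRESHOLD_MULT` with no enclosing parentheses, so an expression such as `x * PF_THRESHOLD_MAX` or a cast placed in front of the macro binds to `0xffffffff` alone and yields a silently wrong bound. The struct is moved up from further down in this file rather than newly written, but the move is the natural moment to write `#define PF_THRESHOLD_MAX (0xffffffff / PF_THRESHOLD_MULT)`. A one-line comment above the struct would also help readers, since the field names alone do not say what `limit` counts or what unit `last` is in; from the commit message it presumably means "at most `limit` packets per `seconds`", but the implementation is not in this diff, so confirm before writing that down.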
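Review bot: The new `pktrate` member places mutable counters (`count`, `last`) inside `struct pf_rule`, and if `struct pf_rule` is still the payload carried by the rule ioctls between pfctl and the kernel, inserting a field in the middle shifts every later member, so userland built against the old header will misinterpret rules until rebuilt. The same copy also exposes kernel-maintained counters to userland, which is fine for statistics but worth stating. A comment on the field would make the ownership clear, e.g. `/* max-pkt-rate threshold; count/last are runtime state, not configuration */` — hedged, since the code that updates them is outside this diff.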
@@ -1749,6 +1750,7 @@ int pf_translate(struct pf_pdesc *, struct pf_addr *, u_int16_t,
 int pf_translate_af(struct pf_pdesc *);
 void pf_route(struct pf_pdesc *, struct pf_rule *, struct pf_state *);
 void pf_route6(struct pf_pdesc *, struct pf_rule *, struct pf_state *);
+void pf_init_threshold(struct pf_threshold *, u_int32_t, u_int32_t);
 
 void pfr_initialize(void);
 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
-- 
cgit v1.2.3
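Review bot: The two `u_int32_t` parameters of `pf_init_threshold` are indistinguishable at the declaration, and the header's `PF_THRESHOLD_MAX` (apparently the largest value that can be scaled by `PF_THRESHOLD_MULT` without leaving 32 bits) implies a range check that either this function or its ioctl-side caller must perform on a user-supplied limit; neither body is in this diff, so I cannot see where that check lives. Without it the scaled product wraps and the configured rate silently becomes a different, smaller number. Since the file keeps prototypes unnamed, a trailing comment would carry the contract: `void pf_init_threshold(struct pf_threshold *, u_int32_t, u_int32_t); /* (th, limit, seconds) — limit must not exceed PF_THRESHOLD_MAX */`, with the argument order taken from the struct's field order and to be confirmed against the definition.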