From 254e79c998b297ccae33efa965dd18d33c468f4b Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 21 Jun 2003 09:07:02 +0000
Subject: count packets and bidirectionally on state entries, allowing for fine-grained traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of pfctl and tcpdump.
---
 sys/net/if_pfsync.c | 8 ++++---
 sys/net/pf.c | 60 +++++++++++++++++++++++++++++++----------------------
 sys/net/pf_ioctl.c | 6 +++---
 sys/net/pfvar.h | 6 +++---
 4 files changed, 46 insertions(+), 34 deletions(-)
(limited to 'sys')
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 89a4f223ad9..e29a06ec861 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.5 2003/05/03 21:15:11 deraadt Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.6 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -284,8 +284,10 @@ pfsync_pack_state(action, st)
 sp->expire = htonl(0);
 else
 sp->expire = htonl(st->expire - secs);
- sp->packets = htonl(st->packets);
- sp->bytes = htonl(st->bytes);
+ sp->packets[0] = htonl(st->packets[0]);
+ sp->packets[1] = htonl(st->packets[1]);
+ sp->bytes[0] = htonl(st->bytes[0]);
+ sp->bytes[1] = htonl(st->bytes[1]);
 if (r == NULL)
 sp->rule.nr = htonl(-1);
 else
diff --git a/sys/net/pf.c b/sys/net/pf.c
index bdd9d41201b..fbf3e7a9741 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.366 2003/06/20 18:24:57 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.367 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2352,8 +2352,8 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_TCP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if ((pd->flags & PFDESC_TCP_NORM) &&
 pf_normalize_tcp_init(m, off, pd, th, &s->src, &s->dst)) {
@@ -2623,8 +2623,8 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_UDP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 pool_put(&pf_state_pl, s);
@@ -2872,8 +2872,8 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_ICMP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 pool_put(&pf_state_pl, s);
@@ -3104,8 +3104,8 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_OTHER_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 if (r->log)
@@ -3209,7 +3209,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 u_int16_t win = ntohs(th->th_win);
 u_int32_t ack, end, seq;
 u_int8_t sws, dws;
- int ackskew;
+ int ackskew, dirndx;
 int copyback = 0;
 struct pf_state_peer *src, *dst;
 
@@ -3225,9 +3225,11 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
 
 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
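Review bot: Only the forward-direction counters are set when the state is created here (`s->packets[0] = 1; s->bytes[0] = pd->tot_len;`), while `packets[1]` and `bytes[1]` are left untouched; the same applies to the pf_test_tcp hunk above and the pf_test_icmp and pf_test_other hunks below. Whether the state was zero-filled before this point is not visible in the hunk; if it was not, the reverse counters start with whatever the pool handed back and the first reverse packet reports a garbage count to pfsync and pfctl. The pf_ioctl.c hunk in this commit initialises both elements explicitly (`state->packets[0] = state->packets[1] = 0;`), so doing the same in the four creation paths keeps them consistent: `s->packets[1] = s->bytes[1] = 0;`. pf_test_udp begins and ends outside the hunk.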
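Review bot: The direction index is derived by hand inside the existing src/dst selection (`dirndx = 0;` / `dirndx = 1;`), and the same derivation is repeated in the pf_test_state_udp and pf_test_state_other hunks while pf_test_state_icmp uses a ternary; one shared expression for all four would keep them from drifting, for example a helper such as `#define PF_STATE_DIRNDX(st, dir) ((dir) == (st)->direction ? 0 : 1)` next to struct pf_state (the name is a suggestion, not an existing identifier). Nothing in the hunks says what index 0 and 1 stand for, so a one-line comment where dirndx is declared, `/* 0: packet travels in the state's direction, 1: reverse */`, would document the contract the counters depend on. pf_test_state_tcp begins and ends outside the hunk.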
@@ -3425,8 +3427,8 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 (ackskew <= (MAXACKWINDOW << sws))) {
 /* Acking not more than one window forward */
 
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 
 /* update max window */
 if (src->max_win < win)
@@ -3507,12 +3509,13 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 printf("pf: loose state match: ");
 pf_print_state(*state);
 pf_print_flags(th->th_flags);
- printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d\n",
- seq, ack, pd->p_len, ackskew, (*state)->packets);
+ printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n",
+ seq, ack, pd->p_len, ackskew,
+ (*state)->packets[0], (*state)->packets[1]);
 }
 
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 
 /* update max window */
 if (src->max_win < win)
@@ -3561,9 +3564,9 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 printf("pf: BAD state: ");
 pf_print_state(*state);
 pf_print_flags(th->th_flags);
- printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d "
+ printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d "
 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew,
- ++(*state)->packets,
+ (*state)->packets[0], (*state)->packets[1],
 direction == PF_IN ? "in" : "out",
 direction == (*state)->direction ? "fwd" : "rev");
 printf("pf: State failure on: %c %c %c %c | %c %c\n",
@@ -3622,6 +3625,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
 struct pf_state_peer *src, *dst;
 struct pf_tree_node key;
 struct udphdr *uh = pd->hdr.udp;
+ int dirndx;
 
 key.af = pd->af;
 key.proto = IPPROTO_UDP;
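Review bot: The new `pkts=%d:%d` conversions in the "loose state match" printf are given `(*state)->packets[0]` and `(*state)->packets[1]`, which the pfvar.h hunk declares as `u_int32_t`, so `%u:%u` is the matching specifier; the old line had the same `%d` mismatch, but since the line is being rewritten this is the moment to fix it, and the same applies to the "BAD state" printf in the next hunk. In that "BAD state" hunk the removed `++(*state)->packets` also counted the rejected packet, whereas the new argument list only prints the two counters, so a packet failing the window check is no longer counted in either direction; if that is intended, a short comment such as `/* rejected packets are not counted */` above the printf would stop the next reader from treating it as an omission. The enclosing pf_test_state_tcp body extends beyond both hunks.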
@@ -3635,13 +3639,15 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
 
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 
 /* update states */
 if (src->state < PFUDPS_SINGLE)
@@ -3689,7 +3695,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
 u_int16_t icmpid, *icmpsum;
 u_int8_t icmptype;
- int state_icmp = 0;
+ int state_icmp = 0, dirndx;
 
 switch (pd->proto) {
 #ifdef INET
@@ -3738,8 +3744,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
 
 STATE_LOOKUP();
 
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ dirndx = (direction == (*state)->direction) ? 0 : 1;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 (*state)->expire = time.tv_sec;
 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
 
@@ -4212,6 +4219,7 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
 {
 struct pf_state_peer *src, *dst;
 struct pf_tree_node key;
+ int dirndx;
 
 key.af = pd->af;
 key.proto = pd->proto;
@@ -4225,13 +4233,15 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
 
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 
 /* update states */
 if (src->state < PFOTHERS_SINGLE)
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 63bef915ec4..a9d2aaa4a02 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.68 2003/06/08 09:41:08 cedric Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.69 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1085,8 +1085,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 state->anchor.ptr = NULL;
 state->rt_ifp = NULL;
 state->creation = time.tv_sec;
- state->packets = 0;
- state->bytes = 0;
+ state->packets[0] = state->packets[1] = 0;
+ state->bytes[0] = state->bytes[1] = 0;
 if (pf_insert_state(state)) {
 pool_put(&pf_state_pl, state);
 error = ENOMEM;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 5bea9368633..d821ea4f77c 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.156 2003/06/20 18:24:57 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.157 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -458,8 +458,8 @@ struct pf_state {
 struct ifnet *rt_ifp;
 u_int32_t creation;
 u_int32_t expire;
- u_int32_t packets;
- u_int32_t bytes;
+ u_int32_t packets[2];
+ u_int32_t bytes[2];
 sa_family_t af;
 u_int8_t proto;
 u_int8_t direction;
-- 
cgit v1.2.3
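Review bot: The new `packets[2]` and `bytes[2]` members of struct pf_state carry no comment saying what the two indices mean; the pf.c hunks establish that index 0 is a packet flowing in the state's own `direction` and index 1 the reverse, and that contract belongs at the declaration, e.g. `u_int32_t packets[2]; /* [0]: state direction, [1]: reverse */` and the same for `bytes`. Keeping `bytes` as `u_int32_t` also means each per-direction byte counter wraps after 4 GiB, which a busy long-lived state reaches quickly for the traffic reporting this commit targets; since the commit already breaks the ABI, widening `bytes` (with matching byte-order handling in the if_pfsync.c hunk) would avoid a second ABI break later, or at minimum the wrap should be stated in the comment so consumers know to diff modulo 2^32. struct pf_state begins and ends outside the hunk.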