git: 933be8d74b04 - main - pf: default syncookies to adaptive mode
Date: Fri, 13 Jan 2023 10:16:06 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=933be8d74b0471c8578a6ec965299383bc65138b
commit 933be8d74b0471c8578a6ec965299383bc65138b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-12-31 18:26:24 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-01-13 22:14:25 +0000
pf: default syncookies to adaptive mode
The cost of enabling syncookies in adaptive mode is very low (basically
a single atomic add when we create a new half-open state), and the
payoff under a SYN flood is huge.
So, enable adaptive mode by default.
Suggested by: Eirik Øverby
---
sys/netpfil/pf/pf_ioctl.c | 3 ++-
sys/netpfil/pf/pf_syncookies.c | 8 +++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index ae53e40d66b6..dc62388f8da4 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -311,6 +311,8 @@ pfattach_vnet(void)
{
u_int32_t *my_timeout = V_pf_default_rule.timeout;
+ bzero(&V_pf_status, sizeof(V_pf_status));
+
pf_initialize();
pfr_initialize();
pfi_initialize_vnet();
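Review bot: The moved `bzero(&V_pf_status, sizeof(V_pf_status));` carries no hint of why it now has to precede pf_initialize(), and the second hunk only shows the old call disappearing; presumably pf_initialize() now reaches pf_syncookies_setmode(PF_SYNCOOKIES_ADAPTIVE), which records the mode in V_pf_status, and the later zeroing would have silently reset the default back to "never". A comment on the new line would stop the next cleanup from moving it back, e.g. `/* Must precede pf_initialize(): pf_syncookies_init() records the syncookie mode in V_pf_status. */`. With the zeroing now first, any other V_pf_status fields that pf_initialize()/pfr_initialize() populate are preserved rather than wiped, which is the intended effect but worth confirming for fields that previously relied on being cleared afterwards; pfattach_vnet() continues outside this hunk.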
@@ -380,7 +382,6 @@ pfattach_vnet(void)
my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
- bzero(&V_pf_status, sizeof(V_pf_status));
V_pf_status.debug = PF_DEBUG_URGENT;
V_pf_pfil_hooked = false;
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index db232579d595..cdfddadc3560 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -127,7 +127,13 @@ pf_syncookies_init(void)
{
callout_init(&V_pf_syncookie_status.keytimeout, 1);
PF_RULES_WLOCK();
- pf_syncookies_setmode(PF_SYNCOOKIES_NEVER);
+
+ V_pf_syncookie_status.hiwat = PF_SYNCOOKIES_HIWATPCT *
+ V_pf_limits[PF_LIMIT_STATES].limit / 100;
+ V_pf_syncookie_status.lowat = PF_SYNCOOKIES_LOWATPCT *
+ V_pf_limits[PF_LIMIT_STATES].limit / 100;
+ pf_syncookies_setmode(PF_SYNCOOKIES_ADAPTIVE);
+
PF_RULES_WUNLOCK();
}
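Review bot: The new `hiwat`/`lowat` assignments derive the watermarks from `V_pf_limits[PF_LIMIT_STATES].limit` exactly once, at init, so they are only meaningful if that limit is already populated when pf_syncookies_init() runs and if the path that later changes the states limit (the `set limit states` ioctl) recomputes them — neither is visible in this hunk. If the limit is still zero here, both watermarks are zero and, with adaptive mode now the default, the first half-open state already satisfies `states_halfopen >= hiwat`, turning syncookies on for every connection; if the limit-change path does not refresh them, a later `set limit states` leaves adaptive switching keyed to the boot-time value. A comment on the assignment such as `/* Watermarks are a percentage of the states limit; keep in sync with the limit-setting ioctl. */` would make the coupling explicit, and if the same percentage arithmetic already exists in the ioctl handler it belongs in one shared helper so the two cannot drift. Since the default behaviour changes, pf.conf(5)'s description of `set syncookies` should state adaptive as the default if it currently says never.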