git: 253d1f4e3161 - stable/12 - pf: Add counters for syncookies

Kristof Provost kp at FreeBSD.org
Wed Sep 8 12:03:16 UTC 2021


The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=253d1f4e316127def53919bbd65696123253483d

commit 253d1f4e316127def53919bbd65696123253483d
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-08-29 13:54:50 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-09-08 07:32:46 +0000

    pf: Add counters for syncookies
    
    Count when we send a syncookie, receive a valid syncookie or detect a
    synflood.
    
    Reviewed by:    kbowling
    MFC after:      1 week
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D31713
    
    (cherry picked from commit 4cab80a8dfecdf16333a1113513e046b9f4dd7f6)
---
 sys/net/pfvar.h                |  2 +-
 sys/netpfil/pf/pf.h            | 18 ++++++++++++++++++
 sys/netpfil/pf/pf_ioctl.c      | 10 +++++-----
 sys/netpfil/pf/pf_syncookies.c |  3 +++
 4 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0b1e3f3a27a2..3433f3790fd7 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1375,7 +1375,7 @@ enum pf_syncookies_mode {
 #ifdef _KERNEL
 struct pf_kstatus {
 	counter_u64_t	counters[PFRES_MAX]; /* reason for passing/dropping */
-	counter_u64_t	lcounters[LCNT_MAX]; /* limit counters */
+	counter_u64_t	lcounters[KLCNT_MAX]; /* limit counters */
 	struct pf_counter_u64	fcounters[FCNT_MAX]; /* state operation counters */
 	counter_u64_t	scounters[SCNT_MAX]; /* src_node operation counters */
 	uint32_t	states;
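Review bot: The `lcounters` member now has KLCNT_MAX slots while its comment still reads only `/* limit counters */`; because this struct sits under `#ifdef _KERNEL` and the userland `struct pf_status` is not touched by this commit, the slots from LCNT_MAX upward are kernel-only, and any legacy copy-out into the userland array (the DIOCGETSTATUS path is outside this diff) must keep iterating to LCNT_MAX. I would make that explicit on the member: `counter_u64_t	lcounters[KLCNT_MAX]; /* limit counters; [LCNT_MAX, KLCNT_MAX) only via nvlist API */`. struct pf_kstatus continues outside the hunk.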
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 319cd8164d8d..cc6edc774da0 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -161,6 +161,11 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define LCNT_OVERLOAD_TABLE	5	/* entry added to overload table */
 #define LCNT_OVERLOAD_FLUSH	6	/* state entries flushed */
 #define LCNT_MAX		7	/* total+1 */
+/* Only available via the nvlist-based API */
+#define KLCNT_SYNFLOODS		7	/* synfloods detected */
+#define KLCNT_SYNCOOKIES_SENT	8	/* syncookies sent */
+#define KLCNT_SYNCOOKIES_VALID	9	/* syncookies validated */
+#define KLCNT_MAX		10	/* total+1 */
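Review bot: KLCNT_SYNFLOODS is given the bare literal 7, which must stay equal to LCNT_MAX for the kernel index space to extend the legacy one without overlapping it, yet nothing ties the two together; writing `#define KLCNT_SYNFLOODS		LCNT_MAX	/* synfloods detected */` (with the following two derived from it) means a later legacy counter cannot silently alias the new ones, or a `_Static_assert(KLCNT_SYNFLOODS == LCNT_MAX, "KLCNT_* must follow LCNT_*");` catches it if every consumer of this header is compiled as C11. The KLCNT_NAMES table in the second hunk repeats the seven LCNT_NAMES strings verbatim, so the same drift applies to the names; a comment there such as `/* Must mirror LCNT_NAMES, then the KLCNT_* entries in index order */` would at least make the coupling visible.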
 
 #define LCNT_NAMES { \
 	"max states per rule", \
@@ -172,6 +177,19 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 	"overload flush states", \
 	NULL \
 }
+#define KLCNT_NAMES { \
+	"max states per rule", \
+	"max-src-states", \
+	"max-src-nodes", \
+	"max-src-conn", \
+	"max-src-conn-rate", \
+	"overload table insertion", \
+	"overload flush states", \
+	"synfloods detected", \
+	"syncookies sent", \
+	"syncookies validated", \
+	NULL \
+}
 
 /* state operation counters */
 #define FCNT_STATE_SEARCH	0
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index c1cb8e0435de..e3d194f92c61 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -363,7 +363,7 @@ pfattach_vnet(void)
 
 	for (int i = 0; i < PFRES_MAX; i++)
 		V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
-	for (int i = 0; i < LCNT_MAX; i++)
+	for (int i = 0; i < KLCNT_MAX; i++)
 		V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
 	for (int i = 0; i < FCNT_MAX; i++)
 		pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
@@ -3103,7 +3103,7 @@ DIOCGETSTATESV2_full:
 			pf_counter_u64_zero(&V_pf_status.fcounters[i]);
 		for (int i = 0; i < SCNT_MAX; i++)
 			counter_u64_zero(V_pf_status.scounters[i]);
-		for (int i = 0; i < LCNT_MAX; i++)
+		for (int i = 0; i < KLCNT_MAX; i++)
 			counter_u64_zero(V_pf_status.lcounters[i]);
 		V_pf_status.since = time_second;
 		if (*V_pf_status.ifname)
@@ -4942,7 +4942,7 @@ pf_getstatus(struct pfioc_nv *nv)
 	int              error;
 	struct pf_status s;
 	char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
-	char *pf_lcounter[LCNT_MAX+1] = LCNT_NAMES;
+	char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
 	char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
 	PF_RULES_RLOCK_TRACKER;
 
@@ -4969,7 +4969,7 @@ pf_getstatus(struct pfioc_nv *nv)
 
 	/* lcounters */
 	error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
-	    LCNT_MAX, pf_lcounter);
+	    KLCNT_MAX, pf_lcounter);
 	if (error != 0)
 		ERROUT(error);
 
@@ -5812,7 +5812,7 @@ pf_unload_vnet(void)
 
 	for (int i = 0; i < PFRES_MAX; i++)
 		counter_u64_free(V_pf_status.counters[i]);
-	for (int i = 0; i < LCNT_MAX; i++)
+	for (int i = 0; i < KLCNT_MAX; i++)
 		counter_u64_free(V_pf_status.lcounters[i]);
 	for (int i = 0; i < FCNT_MAX; i++)
 		pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index a02ab0370204..c019640d7cb5 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -256,6 +256,7 @@ pf_syncookie_send(struct mbuf *m, int off, struct pf_pdesc *pd)
 	pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
 	    iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
 	    0, 1, 0);
+	counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_SENT], 1);
 }
 
 uint8_t
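Review bot: No hunk increments `lcounters[KLCNT_SYNFLOODS]`: the diffstat gives pf_syncookies.c three added lines and all three are visible in this file (the send and validate increments), so unless the detection that bumps it lives in a file not part of this commit, the "synfloods detected" counter is exported by pf_getstatus but never leaves zero, and the message's "detect a synflood" overstates what is counted on this branch. Either wire the increment into whatever code on stable/12 decides a flood is under way, if such a point exists, or mark the define `/* reserved; not yet incremented on this branch */` so readers of the exported counter are not misled. pf_syncookie_send starts outside the hunk.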
@@ -275,6 +276,8 @@ pf_syncookie_validate(struct pf_pdesc *pd)
 	if ((ack & ~0xff) != (hash & ~0xff))
 		return (0);
 
+	counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
+
 	return (1);
 }
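Review bot: Only successful validation is counted; the `return (0)` for a cookie whose hash does not match (the lines just above the added increment) and any earlier rejection in the part of the function above the hunk leave no trace, so an operator cannot distinguish a quiet link from one receiving a steady stream of ACKs carrying bad cookies. A companion counter, e.g. a constructed `KLCNT_SYNCOOKIES_INVALID`, incremented immediately before that `return (0)`, would make the rejected path observable alongside the sent/validated pair. pf_syncookie_validate begins outside the hunk.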
 

