git: 955460d41e99 - main - pf: hook up adaptive mode configuration

Wed Sep 29 13:42:31 UTC 2021

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=955460d41e99031906841870e02063ffdf227f09

commit 955460d41e99031906841870e02063ffdf227f09
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-07-24 12:23:59 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-09-29 13:11:54 +0000

    pf: hook up adaptive mode configuration
    
    The kernel side of pf syncookie adaptive mode configuration.
    
    MFC after:      1 week
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D32135
---
 sys/netpfil/pf/pf_syncookies.c | 56 ++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 21 deletions(-)

diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 11093b636777..32b2bec6c3d6 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -85,6 +85,7 @@
 #include <netinet/tcp_var.h>
 
 #include <net/pfvar.h>
+#include <netpfil/pf/pf_nv.h>
 
 #define	DPFPRINTF(n, x)	if (V_pf_status.debug >= (n)) printf x
 
@@ -147,7 +148,10 @@ pf_get_syncookies(struct pfioc_nv *nv)
 
 	nvlist_add_bool(nvl, "enabled",
 	    V_pf_status.syncookies_mode != PF_SYNCOOKIES_NEVER);
-	nvlist_add_bool(nvl, "adaptive", false);
+	nvlist_add_bool(nvl, "adaptive",
+	    V_pf_status.syncookies_mode == PF_SYNCOOKIES_ADAPTIVE);
+	nvlist_add_number(nvl, "highwater", V_pf_syncookie_status.hiwat);
+	nvlist_add_number(nvl, "lowwater", V_pf_syncookie_status.lowat);
 
 	nvlpacked = nvlist_pack(nvl, &nv->len);
 	if (nvlpacked == NULL) {
@@ -174,6 +178,10 @@ pf_set_syncookies(struct pfioc_nv *nv)
 	void		*nvlpacked = NULL;
 	int		 error;
 	bool		 enabled, adaptive;
+	uint32_t	 hiwat, lowat;
+	uint8_t		 newmode;
+
+#define ERROUT(x)	ERROUT_FUNCTION(errout, x)
 
 	if (nv->len > pf_ioctl_maxcount)
 		return (ENOMEM);
@@ -183,38 +191,44 @@ pf_set_syncookies(struct pfioc_nv *nv)
 		return (ENOMEM);
 
 	error = copyin(nv->data, nvlpacked, nv->len);
-	if (error) {
-		free(nvlpacked, M_TEMP);
-		return (error);
-	}
+	if (error)
+		ERROUT(error);
 
 	nvl = nvlist_unpack(nvlpacked, nv->len, 0);
-	if (nvl == NULL) {
-		free(nvlpacked, M_TEMP);
-		return (EBADMSG);
-	}
+	if (nvl == NULL)
+		ERROUT(EBADMSG);
 
 	if (! nvlist_exists_bool(nvl, "enabled")
-	    || ! nvlist_exists_bool(nvl, "adaptive")) {
-		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
-		return (EBADMSG);
-	}
+	    || ! nvlist_exists_bool(nvl, "adaptive"))
+		ERROUT(EBADMSG);
 
 	enabled = nvlist_get_bool(nvl, "enabled");
 	adaptive = nvlist_get_bool(nvl, "adaptive");
+	PFNV_CHK(pf_nvuint32_opt(nvl, "highwater", &hiwat,
+	    V_pf_syncookie_status.hiwat));
+	PFNV_CHK(pf_nvuint32_opt(nvl, "lowwater", &lowat,
+	    V_pf_syncookie_status.lowat));
 
-	if (adaptive) {
-		nvlist_destroy(nvl);
-		free(nvlpacked, M_TEMP);
-		return (ENOTSUP);
-	}
+	if (lowat >= hiwat)
+		ERROUT(EINVAL);
+
+	newmode = PF_SYNCOOKIES_NEVER;
+	if (enabled)
+		newmode = adaptive ? PF_SYNCOOKIES_ADAPTIVE : PF_SYNCOOKIES_ALWAYS;
 
 	PF_RULES_WLOCK();
-	error = pf_syncookies_setmode(enabled ?
-	    PF_SYNCOOKIES_ALWAYS : PF_SYNCOOKIES_NEVER);
+	error = pf_syncookies_setmode(newmode);
+
+	V_pf_syncookie_status.lowat = lowat;
+	V_pf_syncookie_status.hiwat = hiwat;
+
 	PF_RULES_WUNLOCK();
 
+#undef ERROUT
+errout:
+	nvlist_destroy(nvl);
+	free(nvlpacked, M_TEMP);
+
 	return (error);
 }
 
