-/* $OpenBSD: pfctl_parser.c,v 1.350 2024/02/07 23:53:44 jsg Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.351 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
const char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
const char *pf_lcounters[LCNT_MAX+1] = LCNT_NAMES;
const char *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
-const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
+const char *pf_scounters[SCNT_MAX+1] = FCNT_NAMES;
+const char *pf_ncounters[NCNT_MAX+1] = FCNT_NAMES;
void
print_status(struct pf_status *s, struct pfctl_watermarks *synflwats, int opts)
printf("%14s\n", "");
}
}
+ if (opts & PF_OPT_VERBOSE) {
+ printf("Fragments\n");
+ printf(" %-25s %14u %14s\n", "current entries",
+ s->fragments, "");
+ for (i = 0; i < NCNT_MAX; i++) {
+ printf(" %-25s %14lld ", pf_ncounters[i],
+ s->ncounters[i]);
+ if (runtime > 0)
+ printf("%14.1f/s\n",
+ (double)s->ncounters[i] / (double)runtime);
+ else
+ printf("%14s\n", "");
+ }
+ }
printf("Counters\n");
for (i = 0; i < PFRES_MAX; i++) {
printf(" %-25s %14llu ", pf_reasons[i],
-/* $OpenBSD: pf_ioctl.c,v 1.415 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.416 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
struct pf_status *s = (struct pf_status *)addr;
NET_LOCK();
PF_LOCK();
+ PF_FRAG_LOCK();
memcpy(s, &pf_status, sizeof(struct pf_status));
+ PF_FRAG_UNLOCK();
pfi_update_status(s->ifname, s);
PF_UNLOCK();
NET_UNLOCK();
memset(pf_status.counters, 0, sizeof(pf_status.counters));
memset(pf_status.fcounters, 0, sizeof(pf_status.fcounters));
memset(pf_status.scounters, 0, sizeof(pf_status.scounters));
+ PF_FRAG_LOCK();
+ memset(pf_status.ncounters, 0, sizeof(pf_status.ncounters));
+ PF_FRAG_UNLOCK();
pf_status.since = getuptime();
PF_UNLOCK();
NET_LOCK_SHARED();
PF_LOCK();
+ PF_FRAG_LOCK();
memcpy(&pfs, &pf_status, sizeof(struct pf_status));
+ PF_FRAG_UNLOCK();
pfi_update_status(pfs.ifname, &pfs);
PF_UNLOCK();
NET_UNLOCK_SHARED();
-/* $OpenBSD: pf_norm.c,v 1.229 2023/10/10 11:25:31 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.230 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
/* Globals */
struct pool pf_frent_pl, pf_frag_pl, pf_frnode_pl;
struct pool pf_state_scrub_pl;
-int pf_nfrents;
struct mutex pf_frag_mtx;
#define PF_FRAG_LOCK_INIT() mtx_init(&pf_frag_mtx, IPL_SOFTNET)
-#define PF_FRAG_LOCK() mtx_enter(&pf_frag_mtx)
-#define PF_FRAG_UNLOCK() mtx_leave(&pf_frag_mtx)
void
pf_normalize_init(void)
pf_flush_fragments(void)
{
struct pf_fragment *frag;
- int goal;
+ u_int goal;
- goal = pf_nfrents * 9 / 10;
- DPFPRINTF(LOG_NOTICE, "trying to free > %d frents", pf_nfrents - goal);
- while (goal < pf_nfrents) {
+ goal = pf_status.fragments * 9 / 10;
+ DPFPRINTF(LOG_NOTICE, "trying to free > %u frents",
+ pf_status.fragments - goal);
+ while (goal < pf_status.fragments) {
if ((frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue)) == NULL)
break;
pf_free_fragment(frag);
/* Free all fragment entries */
while ((frent = TAILQ_FIRST(&frag->fr_queue)) != NULL) {
TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
+ pf_status.ncounters[NCNT_FRAG_REMOVALS]++;
m_freem(frent->fe_m);
pool_put(&pf_frent_pl, frent);
- pf_nfrents--;
+ pf_status.fragments--;
}
pool_put(&pf_frag_pl, frag);
}
u_int32_t stale;
frnode = RB_FIND(pf_frnode_tree, &pf_frnode_tree, key);
+ pf_status.ncounters[NCNT_FRAG_SEARCH]++;
if (frnode == NULL)
return (NULL);
KASSERT(frnode->fn_fragments >= 1);
return (NULL);
}
}
- pf_nfrents++;
+ pf_status.fragments++;
return (frent);
}
KASSERT(prev->fe_off + prev->fe_len <= frent->fe_off);
TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next);
}
+ pf_status.ncounters[NCNT_FRAG_INSERT]++;
if (frag->fr_firstoff[index] == NULL) {
KASSERT(prev == NULL || pf_frent_index(prev) < index);
}
TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
+ pf_status.ncounters[NCNT_FRAG_REMOVALS]++;
KASSERT(frag->fr_entries[index] > 0);
frag->fr_entries[index]--;
"fragment requeue limit exceeded");
m_freem(after->fe_m);
pool_put(&pf_frent_pl, after);
- pf_nfrents--;
+ pf_status.fragments--;
/* There is not way to recover */
goto free_fragment;
}
pf_frent_remove(frag, after);
m_freem(after->fe_m);
pool_put(&pf_frent_pl, after);
- pf_nfrents--;
+ pf_status.fragments--;
}
/* If part of the queue gets too long, there is not way to recover. */
REASON_SET(reason, PFRES_FRAG);
drop_fragment:
pool_put(&pf_frent_pl, frent);
- pf_nfrents--;
+ pf_status.fragments--;
return (NULL);
}
frent = TAILQ_FIRST(&frag->fr_queue);
TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
+ pf_status.ncounters[NCNT_FRAG_REMOVALS]++;
m = frent->fe_m;
/* Strip off any trailing bytes */
m->m_next = NULL;
m_cat(m, m2);
pool_put(&pf_frent_pl, frent);
- pf_nfrents--;
+ pf_status.fragments--;
while ((frent = TAILQ_FIRST(&frag->fr_queue)) != NULL) {
TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
+ pf_status.ncounters[NCNT_FRAG_REMOVALS]++;
m2 = frent->fe_m;
/* Strip off ip header */
m_adj(m2, frent->fe_hdrlen);
if (frent->fe_len < m2->m_pkthdr.len)
m_adj(m2, frent->fe_len - m2->m_pkthdr.len);
pool_put(&pf_frent_pl, frent);
- pf_nfrents--;
+ pf_status.fragments--;
m_removehdr(m2);
m_cat(m, m2);
}
-/* $OpenBSD: pfvar.h,v 1.535 2024/01/01 22:16:51 bluhm Exp $ */
+/* $OpenBSD: pfvar.h,v 1.536 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
#define SCNT_SRC_NODE_REMOVALS 2
#define SCNT_MAX 3
+#define NCNT_FRAG_SEARCH 0
+#define NCNT_FRAG_INSERT 1
+#define NCNT_FRAG_REMOVALS 2
+#define NCNT_MAX 3
+
#define REASON_SET(a, x) \
do { \
if ((void *)(a) != NULL) { \
u_int64_t lcounters[LCNT_MAX]; /* limit counters */
u_int64_t fcounters[FCNT_MAX];
u_int64_t scounters[SCNT_MAX];
+ u_int64_t ncounters[NCNT_MAX];
u_int64_t pcounters[2][2][3];
u_int64_t bcounters[2][2];
u_int64_t stateid;
u_int32_t states;
u_int32_t states_halfopen;
u_int32_t src_nodes;
+ u_int32_t fragments;
u_int32_t debug;
u_int32_t hostid;
u_int32_t reass; /* reassembly */
-/* $OpenBSD: pfvar_priv.h,v 1.35 2024/01/01 22:16:51 bluhm Exp $ */
+/* $OpenBSD: pfvar_priv.h,v 1.36 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
extern struct rwlock pf_lock;
extern struct rwlock pf_state_lock;
+extern struct mutex pf_frag_mtx;
extern struct mutex pf_inp_mtx;
#define PF_LOCK() do { \
rw_status(&pf_state_lock), __func__);\
} while (0)
+#define PF_FRAG_LOCK() mtx_enter(&pf_frag_mtx)
+#define PF_FRAG_UNLOCK() mtx_leave(&pf_frag_mtx)
+
/* for copies to/from network byte order */
void pf_state_peer_hton(const struct pf_state_peer *,
struct pfsync_state_peer *);
-/* $OpenBSD: pf.c,v 1.13 2020/09/14 11:15:30 kn Exp $ */
+/* $OpenBSD: pf.c,v 1.14 2024/04/22 13:30:22 bluhm Exp $ */
/*
* Copyright (c) 2001, 2007 Can Erkin Acar <canacar@openbsd.org>
*
const char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
const char *pf_lcounters[LCNT_MAX+1] = LCNT_NAMES;
const char *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
-const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
+const char *pf_scounters[SCNT_MAX+1] = FCNT_NAMES;
+const char *pf_ncounters[NCNT_MAX+1] = FCNT_NAMES;
static struct pf_status status;
int num_pf = 0;
num_disp += FCNT_MAX + 2;
num_disp += SCNT_MAX + 2;
+ num_disp += NCNT_MAX + 2;
num_disp += PFRES_MAX + 1;
num_disp += LCNT_MAX + 1;
ADD_LINE_V("src track", pf_scounters[i], s->scounters[i]);
}
+ ADD_EMPTY_LINE;
+ ADD_LINE_V("fragment", "Count", s->fragments);
+
+ for (i = 0; i < NCNT_MAX; i++) {
+ if (tm > 0)
+ ADD_LINE_VR("fragment", pf_ncounters[i], s->ncounters[i],
+ (double)s->ncounters[i] / (double)tm);
+ else
+ ADD_LINE_V("fragment", pf_ncounters[i], s->ncounters[i]);
+ }
+
ADD_EMPTY_LINE;
for (i = 0; i < PFRES_MAX; i++) {
if (tm > 0)
projects / openbsd / commitdiff