provide counters for # of synfloods detected, # of syncookies sent,

author henning <henning@openbsd.org>

Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)

committer henning <henning@openbsd.org>

Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)
author henning <henning@openbsd.org>
Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)
committer henning <henning@openbsd.org>
Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c

index 511eb38..2df8503 100644 (file)
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf_syncookies.c,v 1.2 2018/02/07 01:50:48 dlg Exp $ */
+/*     $OpenBSD: pf_syncookies.c,v 1.3 2018/02/07 05:48:47 henning Exp $ */
  
  /* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org>
   * Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org>
@@ -182,6 +182,7 @@ pf_synflood_check(struct pf_pdesc *pd)
                 pf_status.syncookies_active = 1;
                 DPFPRINTF(LOG_WARNING,
                     "synflood detected, enabling syncookies");
+               pf_status.lcounters[LCNT_SYNFLOODS]++;
         }
  
         return (pf_status.syncookies_active);
@@ -199,6 +200,7 @@ pf_syncookie_send(struct pf_pdesc *pd)
             iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
             0, 1, 0, pd->rdomain);
         pf_status.syncookies_inflight[pf_syncookie_status.oddeven]++;
+       pf_status.lcounters[LCNT_SYNCOOKIES_SENT]++;
  }
  
  uint8_t
@@ -218,6 +220,7 @@ pf_syncookie_validate(struct pf_pdesc *pd)
                 return (0);
  
         pf_status.syncookies_inflight[cookie.flags.oddeven]--;
+       pf_status.lcounters[LCNT_SYNCOOKIES_VALID]++;
         return (1);
  }
  
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h

index 8cade49..a62e7e2 100644 (file)
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfvar.h,v 1.471 2018/02/06 23:44:48 henning Exp $ */
+/*     $OpenBSD: pfvar.h,v 1.472 2018/02/07 05:48:47 henning Exp $ */
  
  /*
   * Copyright (c) 2001 Daniel Hartmeier
@@ -1222,7 +1222,10 @@ enum pfi_kif_refs {
  #define LCNT_SRCCONNRATE       4       /* max-src-conn-rate */
  #define LCNT_OVERLOAD_TABLE    5       /* entry added to overload table */
  #define LCNT_OVERLOAD_FLUSH    6       /* state entries flushed */
-#define LCNT_MAX               7       /* total+1 */
+#define        LCNT_SYNFLOODS          7       /* synfloods detected */
+#define        LCNT_SYNCOOKIES_SENT    8       /* syncookies sent */
+#define        LCNT_SYNCOOKIES_VALID   9       /* syncookies validated */
+#define LCNT_MAX               10      /* total+1 */
  
  #define LCNT_NAMES { \
         "max states per rule", \
@@ -1232,6 +1235,9 @@ enum pfi_kif_refs {
         "max-src-conn-rate", \
         "overload table insertion", \
         "overload flush states", \
+       "synfloods detected", \
+       "syncookies sent", \
+       "syncookies validated", \
         NULL \
  }
author	henning <henning@openbsd.org>
	Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)
committer	henning <henning@openbsd.org>
	Wed, 7 Feb 2018 05:48:47 +0000 (05:48 +0000)
sys/net/pf_syncookies.c		patch \| blob \| history
sys/net/pfvar.h		patch \| blob \| history