show current synflood detection watermarks in pfctl -vsi, for the lack

of a more appropriate place. ok claudio benno procter

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 20df20f..141c94f 100644 (file)
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl.c,v 1.352 2018/02/06 23:47:47 henning Exp $ */
+/*     $OpenBSD: pfctl.c,v 1.353 2018/02/08 02:26:39 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1106,14 +1106,22 @@ int
 pfctl_show_status(int dev, int opts)
 {
        struct pf_status status;
+       struct pfctl_watermarks wats;
+       struct pfioc_synflwats iocwats;
 
        if (ioctl(dev, DIOCGETSTATUS, &status)) {
                warn("DIOCGETSTATUS");
                return (-1);
        }
+       if (ioctl(dev, DIOCGETSYNFLWATS, &iocwats)) {
+               warn("DIOCGETSYNFLWATS");
+               return (-1);
+       }
+       wats.hi = iocwats.hiwat;
+       wats.lo = iocwats.lowat;
        if (opts & PF_OPT_SHOWALL)
                pfctl_print_title("INFO:");
-       print_status(&status, opts);
+       print_status(&status, &wats, opts);
        return (0);
 }
 

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index f0e4388..03c0f8e 100644 (file)
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_parser.c,v 1.318 2017/11/28 16:05:47 bluhm Exp $ */
+/*     $OpenBSD: pfctl_parser.c,v 1.319 2018/02/08 02:26:39 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -515,7 +515,7 @@ const char  *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
 const char     *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
 
 void
-print_status(struct pf_status *s, int opts)
+print_status(struct pf_status *s, struct pfctl_watermarks *synflwats, int opts)
 {
        char                    statline[80], *running, *debug;
        time_t                  runtime = 0;
@@ -632,6 +632,11 @@ print_status(struct pf_status *s, int opts)
                                printf("%14s\n", "");
                }
        }
+       if (opts & PF_OPT_VERBOSE) {
+               printf("Adaptive Syncookies Watermarks\n");
+               printf("  %-25s %14d states\n", "start", synflwats->hi);
+               printf("  %-25s %14d states\n", "end", synflwats->lo);
+       }
 }
 
 void

diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 9c30184..ef42d86 100644 (file)
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_parser.h,v 1.108 2018/02/06 23:47:47 henning Exp $ */
+/*     $OpenBSD: pfctl_parser.h,v 1.109 2018/02/08 02:26:39 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -203,6 +203,10 @@ struct pfctl_qsitem {
        int                              matches;
 };
 
+struct pfctl_watermarks {
+       u_int32_t       hi;
+       u_int32_t       lo;
+};
 
 int    pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
 int    pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
@@ -237,7 +241,7 @@ void        print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
 void   print_src_node(struct pf_src_node *, int);
 void   print_rule(struct pf_rule *, const char *, int);
 void   print_tabledef(const char *, int, int, struct node_tinithead *);
-void   print_status(struct pf_status *, int);
+void   print_status(struct pf_status *, struct pfctl_watermarks *, int);
 void   print_queuespec(struct pf_queuespec *);
 
 int    pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,