From 21b1f051a09114b39df742c0d92cd8fffbd01cf7 Mon Sep 17 00:00:00 2001
From: henning
Date: Wed, 7 Feb 2018 05:48:47 +0000
Subject: [PATCH] provide counters for # of synfloods detected, # of syncookies sent, # of syncookies successfuly validated, ok phessler
---
 sys/net/pf_syncookies.c | 5 ++++-
 sys/net/pfvar.h | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c
index 511eb381997..2df85032dff 100644
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_syncookies.c,v 1.2 2018/02/07 01:50:48 dlg Exp $ */
+/* $OpenBSD: pf_syncookies.c,v 1.3 2018/02/07 05:48:47 henning Exp $ */
 /* Copyright (c) 2016,2017 Henning Brauer
 * Copyright (c) 2016 Alexandr Nedvedicky
@@ -182,6 +182,7 @@ pf_synflood_check(struct pf_pdesc *pd)
 pf_status.syncookies_active = 1;
 DPFPRINTF(LOG_WARNING, "synflood detected, enabling syncookies");
+ pf_status.lcounters[LCNT_SYNFLOODS]++;
 }
 return (pf_status.syncookies_active);
@@ -199,6 +200,7 @@ pf_syncookie_send(struct pf_pdesc *pd)
 iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 0, 1, 0, pd->rdomain);
 pf_status.syncookies_inflight[pf_syncookie_status.oddeven]++;
+ pf_status.lcounters[LCNT_SYNCOOKIES_SENT]++;
 }
 uint8_t
@@ -218,6 +220,7 @@ pf_syncookie_validate(struct pf_pdesc *pd)
 return (0);
 pf_status.syncookies_inflight[cookie.flags.oddeven]--;
+ pf_status.lcounters[LCNT_SYNCOOKIES_VALID]++;
 return (1);
 }
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 8cade49569a..a62e7e2b860 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.471 2018/02/06 23:44:48 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.472 2018/02/07 05:48:47 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
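Review bot: Only the success path of pf_syncookie_validate is counted in the @@ -218 hunk; the `return (0);` context line just above the new increment is, judging from its position before the inflight decrement, the path taken when a cookie does not validate, and it gets no counter. Rejected cookies are exactly what an operator would watch to spot forged-ACK or cookie brute-force traffic while syncookies are active, so the sent/validated pair alone leaves that signal invisible unless it is inferred from the difference. Consider adding `LCNT_SYNCOOKIES_INVALID` beside the three new indices in pfvar.h (with a matching LCNT_NAMES entry) and bumping it with `pf_status.lcounters[LCNT_SYNCOOKIES_INVALID]++;` immediately before that `return (0);`. The condition guarding that return and the rest of pf_syncookie_validate's body lie outside the hunk, so whether earlier returns in the function would also deserve the counter cannot be judged from here.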
@@ -1222,7 +1222,10 @@ enum pfi_kif_refs {
 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
-#define LCNT_MAX 7 /* total+1 */
+#define LCNT_SYNFLOODS 7 /* synfloods detected */
+#define LCNT_SYNCOOKIES_SENT 8 /* syncookies sent */
+#define LCNT_SYNCOOKIES_VALID 9 /* syncookies validated */
+#define LCNT_MAX 10 /* total+1 */
 #define LCNT_NAMES { \
 "max states per rule", \
@@ -1232,6 +1235,9 @@ enum pfi_kif_refs {
 "max-src-conn-rate", \
 "overload table insertion", \
 "overload flush states", \
+ "synfloods detected", \
+ "syncookies sent", \
+ "syncookies validated", \
 NULL \
 }
-- 
2.20.1
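Review bot: Raising LCNT_MAX from 7 to 10 in the @@ -1222 hunk changes the size of any array pfvar.h dimensions with it, and the `pf_status.lcounters[LCNT_...]` indexing added in pf_syncookies.c indicates `lcounters` inside `struct pf_status` is such an array; that structure is, as far as I know, what DIOCGETSTATUS copies out to userland, which makes this a kernel/userland ABI change rather than a header-only one. pfctl and anything else that includes pfvar.h and reads `struct pf_status` must be rebuilt in lockstep with the kernel; that is routine for an in-tree OpenBSD change, but neither the commit message nor the replaced `/* total+1 */` comment says so. A comment on the define, `/* sizes pf_status.lcounters: bumping it changes the DIOCGETSTATUS ABI */`, would warn the next person adding a counter. The LCNT_NAMES table in the following hunk is consumed by index, so its entries must stay in the same order as these defines; the commit keeps them aligned, and a one-line `/* keep in sync with LCNT_* above */` on the table would make that dependency explicit.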