From 6af768114498cef737349f00a72a3551ee747c3a Mon Sep 17 00:00:00 2001
From: henning
Date: Thu, 8 Feb 2018 02:26:39 +0000
Subject: [PATCH] show current synflood detection watermarks in pfctl -vsi, for the lack of a more appropriate place. ok claudio benno procter
---
 sbin/pfctl/pfctl.c | 12 ++++++++++--
 sbin/pfctl/pfctl_parser.c | 9 +++++++--
 sbin/pfctl/pfctl_parser.h | 8 ++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 20df20f91b8..141c94fbf94 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.352 2018/02/06 23:47:47 henning Exp $ */
+/* $OpenBSD: pfctl.c,v 1.353 2018/02/08 02:26:39 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1106,14 +1106,22 @@ int
 pfctl_show_status(int dev, int opts)
 {
 struct pf_status status;
+ struct pfctl_watermarks wats;
+ struct pfioc_synflwats iocwats;
 if (ioctl(dev, DIOCGETSTATUS, &status)) {
 warn("DIOCGETSTATUS");
 return (-1);
 }
+ if (ioctl(dev, DIOCGETSYNFLWATS, &iocwats)) {
+ warn("DIOCGETSYNFLWATS");
+ return (-1);
+ }
+ wats.hi = iocwats.hiwat;
+ wats.lo = iocwats.lowat;
 if (opts & PF_OPT_SHOWALL)
 pfctl_print_title("INFO:");
- print_status(&status, opts);
+ print_status(&status, &wats, opts);
 return (0);
 }
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index f0e43882790..03c0f8eeab7 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.318 2017/11/28 16:05:47 bluhm Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.319 2018/02/08 02:26:39 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -515,7 +515,7 @@ const char *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
 const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
 void
-print_status(struct pf_status *s, int opts)
+print_status(struct pf_status *s, struct pfctl_watermarks *synflwats, int opts)
 {
 char statline[80], *running, *debug;
 time_t runtime = 0;
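Review bot: The new DIOCGETSYNFLWATS ioctl in pfctl_show_status is issued unconditionally and its failure returns -1, so a plain `pfctl -si` now prints no status at all if that one query fails (for example on a kernel that does not yet provide the ioctl, where it presumably fails with ENOTTY), even though the watermarks are only printed under -v according to the print_status change in pfctl_parser.c. DIOCGETSTATUS is needed by every caller and keeps its fatal handling, but the new query is an optional extra for verbose output and should not take the whole status report down with it; `pfctl -si` is usually the first thing run when diagnosing a pf host. I would zero `wats` and issue the ioctl only when `opts & PF_OPT_VERBOSE` is set, keeping the existing warn-and-return on that verbose path, so non-verbose invocations behave exactly as before this patch. pfctl_show_status is entirely within the hunk; the rewritten part is shown below.
```c
	struct pf_status	status;
	struct pfctl_watermarks	wats;
	struct pfioc_synflwats	iocwats;

	/* watermarks are only shown with -v; never let them break -si */
	memset(&wats, 0, sizeof(wats));
	/* … unchanged: DIOCGETSTATUS query and its error handling … */
	if (opts & PF_OPT_VERBOSE) {
		if (ioctl(dev, DIOCGETSYNFLWATS, &iocwats)) {
			warn("DIOCGETSYNFLWATS");
			return (-1);
		}
		wats.hi = iocwats.hiwat;
		wats.lo = iocwats.lowat;
	}
	/* … unchanged: title and print_status call … */
```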
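Review bot: The new `synflwats` parameter of print_status is, in every hunk of this patch that touches it, only read (the verbose block added in pfctl_parser.c just prints `synflwats->hi` and `synflwats->lo`), so the definition can take `const struct pfctl_watermarks *synflwats`, with the prototype in pfctl_parser.h changed to match: `void print_status(struct pf_status *, const struct pfctl_watermarks *, int);`. That states at the interface that the callee does not modify the caller's copy and lets future callers pass a const table without a cast. If the rest of the body, which lies outside this hunk, does write through the pointer, the const should be dropped again, but nothing visible suggests it does. The body of print_status continues past the end of this hunk.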
@@ -632,6 +632,11 @@ print_status(struct pf_status *s, int opts)
 printf("%14s\n", "");
 }
 }
+ if (opts & PF_OPT_VERBOSE) {
+ printf("Adaptive Syncookies Watermarks\n");
+ printf(" %-25s %14d states\n", "start", synflwats->hi);
+ printf(" %-25s %14d states\n", "end", synflwats->lo);
+ }
 }
 void
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 9c301841160..ef42d864c24 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.108 2018/02/06 23:47:47 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.109 2018/02/08 02:26:39 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -203,6 +203,10 @@ struct pfctl_qsitem {
 int matches;
 };
+struct pfctl_watermarks {
+ u_int32_t hi;
+ u_int32_t lo;
+};
 int pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
 int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
@@ -237,7 +241,7 @@ void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
 void print_src_node(struct pf_src_node *, int);
 void print_rule(struct pf_rule *, const char *, int);
 void print_tabledef(const char *, int, int, struct node_tinithead *);
-void print_status(struct pf_status *, int);
+void print_status(struct pf_status *, struct pfctl_watermarks *, int);
 void print_queuespec(struct pf_queuespec *);
 int pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
-- 
2.20.1
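Review bot: The two new printf calls format `synflwats->hi` and `synflwats->lo` with `%14d`, but both fields are declared `u_int32_t` in the pfctl_parser.h hunk of this same patch, so the conversion specifier does not match the argument type: `-Wformat` flags it, and a count at or above 2^31 would be printed as a negative number. Use the unsigned conversion in both lines, `printf(" %-25s %14u states\n", "start", synflwats->hi);` and likewise `%14u` for "end". A short comment above the block, `/* thresholds at which adaptive syncookies are switched on (hi) and off (lo) */`, would also explain the "start"/"end" labels. print_status begins before this hunk; only its tail is visible here.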
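Review bot: struct pfctl_watermarks is added to the shared parser header with no comment on what `hi` and `lo` hold or in which unit, and the names alone do not say which value switches anything on or off. From the print_status hunk in this patch they are printed under "Adaptive Syncookies Watermarks" as "start" and "end" in states, and pfctl_show_status fills them from pfioc_synflwats.hiwat/lowat, so a comment on the struct along the lines of `/* adaptive syncookie thresholds in pf states: hi = start, lo = end; filled from struct pfioc_synflwats by pfctl_show_status() */` would save the next reader a trip through pfctl.c. Documentation only; no code change needed.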