Date:      Mon, 12 Sep 2022 08:20:51 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 6049ee60e016 - main - libpfctl: improve syncookie watermark calculation
Message-ID:  <202209120820.28C8KpoG067052@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6049ee60e0160bc6d564b733f02015259473f166

commit 6049ee60e0160bc6d564b733f02015259473f166
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-09-08 16:32:02 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-09-12 07:32:02 +0000

    libpfctl: improve syncookie watermark calculation
    
    Ensure that we always pass sane limits for the high and low watermark
    values.
    This is especially important if users do something silly, like set the
    state limit to 1. In that case we wound up calculating 0/0 as a limit,
    which gets rejected by the kernel.
    
    While here also shift the calculation to use uint64_t, so we don't end
    up with overflows (and subsequently higher low than high values) with
    very large state limits.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D36497
---
 lib/libpfctl/libpfctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 3adfb7b94af3..5b93fd1043d6 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -1335,17 +1335,25 @@ pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
 	nvlist_t	*nvl;
 	int		 ret;
 	uint		 state_limit;
+	uint64_t	 lim, hi, lo;
 
 	ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
 	if (ret != 0)
 		return (ret);
 
+	lim = state_limit;
+	hi = lim * s->highwater / 100;
+	lo = lim * s->lowwater / 100;
+
+	if (lo == hi)
+		hi++;
+
 	nvl = nvlist_create(0);
 
 	nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
 	nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE);
-	nvlist_add_number(nvl, "highwater", state_limit * s->highwater / 100);
-	nvlist_add_number(nvl, "lowwater", state_limit * s->lowwater / 100);
+	nvlist_add_number(nvl, "highwater", hi);
+	nvlist_add_number(nvl, "lowwater", lo);
 
 	nv.data = nvlist_pack(nvl, &nv.len);
 	nv.size = nv.len;
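
Review bot: The `if (lo == hi)` guard covers only the equal case, so a caller whose `s->lowwater` is larger than `s->highwater` still ends up with lo > hi in the nvlist, the "higher low than high" situation the commit message sets out to avoid. Consider rejecting that input before the multiplication (for example returning EINVAL when `s->lowwater > s->highwater`), or at least widening the test to `if (lo >= hi)`. A short comment above `hi++` explaining that it handles small state limits, where both products round down to the same value, would help future readers. Note also that the bump pushes hi one past the state limit when both percentages are 100, so it may be worth deciding whether that value is acceptable.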


