From owner-dev-commits-src-branches@freebsd.org Wed Sep 8 12:03:14 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 840A3679B99; Wed, 8 Sep 2021 12:03:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4H4LPZ3Mzkz3DRC; Wed, 8 Sep 2021 12:03:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5409F25942; Wed, 8 Sep 2021 12:03:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 188C3Ewd012436; Wed, 8 Sep 2021 12:03:14 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 188C3EgG012435; Wed, 8 Sep 2021 12:03:14 GMT (envelope-from git) Date: Wed, 8 Sep 2021 12:03:14 GMT Message-Id: <202109081203.188C3EgG012435@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost
Subject: git: 9136dfca19bf - stable/13 - pf: Add counters for syncookies
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 9136dfca19bfb9bc639010d05e95b2d56c6e0935
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Sep 2021 12:03:14 -0000

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9136dfca19bfb9bc639010d05e95b2d56c6e0935

commit 9136dfca19bfb9bc639010d05e95b2d56c6e0935
Author: Kristof Provost
AuthorDate: 2021-08-29 13:54:50 +0000
Commit: Kristof Provost
CommitDate: 2021-09-08 07:28:14 +0000

pf: Add counters for syncookies

Count when we send a syncookie, receive a valid syncookie or detect a synflood.

Reviewed by: kbowling
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31713

(cherry picked from commit 4cab80a8dfecdf16333a1113513e046b9f4dd7f6)
---
sys/net/pfvar.h | 2 +-
sys/netpfil/pf/pf.h | 18 ++++++++++++++++++
sys/netpfil/pf/pf_ioctl.c | 10 +++++-----
sys/netpfil/pf/pf_syncookies.c | 3 +++
4 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0b83feea9085..9cd605f659c7 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1375,7 +1375,7 @@ enum pf_syncookies_mode {
 #ifdef _KERNEL
 struct pf_kstatus {
 counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */
- counter_u64_t lcounters[LCNT_MAX]; /* limit counters */
+ counter_u64_t lcounters[KLCNT_MAX]; /* limit counters */
 struct pf_counter_u64 fcounters[FCNT_MAX]; /* state operation counters */
 counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */
 uint32_t states;
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 319cd8164d8d..cc6edc774da0 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -161,6 +161,11 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
 #define LCNT_MAX 7 /* total+1 */
+/* Only available via the nvlist-based API */
+#define KLCNT_SYNFLOODS 7 /* synfloods detected */
+#define KLCNT_SYNCOOKIES_SENT 8 /* syncookies sent */
+#define KLCNT_SYNCOOKIES_VALID 9 /* syncookies validated */
+#define KLCNT_MAX 10 /* total+1 */
 #define LCNT_NAMES { \
 "max states per rule", \
@@ -172,6 +177,19 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 "overload flush states", \
 NULL \
 }
+#define KLCNT_NAMES { \
+ "max states per rule", \
+ "max-src-states", \
+ "max-src-nodes", \
+ "max-src-conn", \
+ "max-src-conn-rate", \
+ "overload table insertion", \
+ "overload flush states", \
+ "synfloods detected", \
+ "syncookies sent", \
+ "syncookies validated", \
+ NULL \
+}
 /* state operation counters */
 #define FCNT_STATE_SEARCH 0
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 1305d1adc913..f367ad9a2800 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
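Review bot: KLCNT_SYNFLOODS hard-codes 7, which is only correct while LCNT_MAX stays 7, and KLCNT_NAMES repeats the seven LCNT_NAMES strings verbatim, so nothing in pf.h ties the two lists together and a future LCNT_* addition would silently make the kernel-side indices and the names reported through the nvlist API disagree; consider `#define KLCNT_SYNFLOODS LCNT_MAX` plus a note on both lists such as `/* Entries 0..LCNT_MAX-1 must match LCNT_NAMES exactly */`. The added comment `/* Only available via the nvlist-based API */` would help more if it said why — presumably the legacy userland struct pf_status sizes its lcounters with LCNT_MAX, which is why these must never be folded into LCNT_MAX/LCNT_NAMES — but that struct is not in this diff, so confirm before documenting it. The enum whose declaration appears in the @@ context of both pf.h hunks begins outside them.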
@@ -377,7 +377,7 @@ pfattach_vnet(void)
 for (int i = 0; i < PFRES_MAX; i++)
 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
 for (int i = 0; i < FCNT_MAX; i++)
 pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
@@ -3134,7 +3134,7 @@ DIOCGETSTATESV2_full:
 pf_counter_u64_zero(&V_pf_status.fcounters[i]);
 for (int i = 0; i < SCNT_MAX; i++)
 counter_u64_zero(V_pf_status.scounters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 counter_u64_zero(V_pf_status.lcounters[i]);
 V_pf_status.since = time_second;
 if (*V_pf_status.ifname)
@@ -4936,7 +4936,7 @@ pf_getstatus(struct pfioc_nv *nv)
 int error;
 struct pf_status s;
 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
- char *pf_lcounter[LCNT_MAX+1] = LCNT_NAMES;
+ char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
 PF_RULES_RLOCK_TRACKER;
@@ -4963,7 +4963,7 @@ pf_getstatus(struct pfioc_nv *nv)
 /* lcounters */
 error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
- LCNT_MAX, pf_lcounter);
+ KLCNT_MAX, pf_lcounter);
 if (error != 0)
 ERROUT(error);
@@ -5814,7 +5814,7 @@ pf_unload_vnet(void)
 for (int i = 0; i < PFRES_MAX; i++)
 counter_u64_free(V_pf_status.counters[i]);
- for (int i = 0; i < LCNT_MAX; i++)
+ for (int i = 0; i < KLCNT_MAX; i++)
 counter_u64_free(V_pf_status.lcounters[i]);
 for (int i = 0; i < FCNT_MAX; i++)
 pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 744a12e4e21d..4eabbb5e2744 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -256,6 +256,7 @@ pf_syncookie_send(struct mbuf *m, int off, struct pf_pdesc *pd)
 pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport, iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 0, 1, 0);
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_SENT], 1);
 }
 uint8_t
@@ -275,6 +276,8 @@ pf_syncookie_validate(struct pf_pdesc *pd)
 if ((ack & ~0xff) != (hash & ~0xff))
 return (0);
+ counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
+
 return (1);
 }
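Review bot: Nothing in this diff increments KLCNT_SYNFLOODS, even though pf.h names it "synfloods detected" and the commit message says synflood detection is counted — pf_syncookies.c gains only the KLCNT_SYNCOOKIES_SENT and KLCNT_SYNCOOKIES_VALID increments, which together with the blank line account for all 3 insertions in the diffstat. Unless the flood-detection path (pf_synflood_check or the adaptive-mode switch, neither of which is in this diff) already bumps it, the nvlist status will always report zero synfloods and an operator alerting on that counter gets a false negative during an actual attack. The increment belongs at the point where a flood is declared and syncookie mode becomes active: `counter_u64_add(V_pf_status.lcounters[KLCNT_SYNFLOODS], 1);`. A further observation on the pf_syncookie_validate hunk: only cookies that pass the hash check are counted, so ACKs with a forged or stale cookie — the more useful signal for spotting spoofed handshake attempts — remain invisible, and a KLCNT_SYNCOOKIES_INVALID sibling on the `return (0);` path would be cheap. Both enclosing functions begin outside their hunks.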