diff options
| author |   henning <henning@openbsd.org> | 2018-02-07 05:48:47 +0000 |
|---|---|---|
| committer | henning <henning@openbsd.org> | 2018-02-07 05:48:47 +0000 |
| commit | 21b1f051a09114b39df742c0d92cd8fffbd01cf7 (patch) | |
| tree | 3b0a422e530097ad7cc20cf9e568266644a213ca | |
| parent | Indent labels with a single space so that diff prototypes are more useful. (diff) | |
| download | wireguard-openbsd-21b1f051a09114b39df742c0d92cd8fffbd01cf7.tar.xz wireguard-openbsd-21b1f051a09114b39df742c0d92cd8fffbd01cf7.zip | |
provide counters for # of synfloods detected, # of syncookies sent,
# of syncookies successfuly validated, ok phessler
| -rw-r--r-- | sys/net/pf_syncookies.c | 5 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 10 |
2 files changed, 12 insertions, 3 deletions
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c index 511eb381997..2df85032dff 100644 --- a/sys/net/pf_syncookies.c +++ b/sys/net/pf_syncookies.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_syncookies.c,v 1.2 2018/02/07 01:50:48 dlg Exp $ */ +/* $OpenBSD: pf_syncookies.c,v 1.3 2018/02/07 05:48:47 henning Exp $ */ /* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org> * Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org> @@ -182,6 +182,7 @@ pf_synflood_check(struct pf_pdesc *pd) pf_status.syncookies_active = 1; DPFPRINTF(LOG_WARNING, "synflood detected, enabling syncookies"); + pf_status.lcounters[LCNT_SYNFLOODS]++; } return (pf_status.syncookies_active); @@ -199,6 +200,7 @@ pf_syncookie_send(struct pf_pdesc *pd) iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 0, 1, 0, pd->rdomain); pf_status.syncookies_inflight[pf_syncookie_status.oddeven]++; + pf_status.lcounters[LCNT_SYNCOOKIES_SENT]++; } uint8_t @@ -218,6 +220,7 @@ pf_syncookie_validate(struct pf_pdesc *pd) return (0); pf_status.syncookies_inflight[cookie.flags.oddeven]--; + pf_status.lcounters[LCNT_SYNCOOKIES_VALID]++; return (1); } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 8cade49569a..a62e7e2b860 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.471 2018/02/06 23:44:48 henning Exp $ */ +/* $OpenBSD: pfvar.h,v 1.472 2018/02/07 05:48:47 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1222,7 +1222,10 @@ enum pfi_kif_refs { #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */ #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */ #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */ -#define LCNT_MAX 7 /* total+1 */ +#define LCNT_SYNFLOODS 7 /* synfloods detected */ +#define LCNT_SYNCOOKIES_SENT 8 /* syncookies sent */ +#define LCNT_SYNCOOKIES_VALID 9 /* syncookies validated */ +#define LCNT_MAX 10 /* total+1 */ #define LCNT_NAMES { \ "max states per rule", \ @@ -1232,6 +1235,9 @@ enum pfi_kif_refs { "max-src-conn-rate", \ "overload table insertion", \ "overload flush states", \ + "synfloods detected", \ + "syncookies sent", \ + "syncookies validated", \ NULL \ } |