D31140.diff
No OneTemporary
Actions

Size

6 KB

Referenced Files

None

Subscribers

None

D31140.diff
View Options

	diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
	--- a/lib/libpfctl/libpfctl.h
	+++ b/lib/libpfctl/libpfctl.h
	@@ -244,6 +244,15 @@
	size_t count;
	};

	+enum pfctl_syncookies_mode {
	+ PFCTL_SYNCOOKIES_NEVER,
	+ PFCTL_SYNCOOKIES_ALWAYS
	+};
	+
	+struct pfctl_syncookies {
	+ enum pfctl_syncookies_mode mode;
	+};
	+
	int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
	const char anchor, u_int32_t ruleset, struct pfctl_rule rule,
	char *anchor_call);
	@@ -260,5 +269,7 @@
	unsigned int *killed);
	int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
	unsigned int *killed);
	+int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
	+int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);

	#endif
	diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
	--- a/lib/libpfctl/libpfctl.c
	+++ b/lib/libpfctl/libpfctl.c
	@@ -816,3 +816,60 @@
	{
	return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
	}
	+
	+int
	+pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
	+{
	+ struct pfioc_nv nv;
	+ nvlist_t *nvl;
	+ int ret;
	+
	+ nvl = nvlist_create(0);
	+
	+ nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
	+ nvlist_add_bool(nvl, "adaptive", false); /* XXX TODO */
	+
	+ nv.data = nvlist_pack(nvl, &nv.len);
	+ nv.size = nv.len;
	+ nvlist_destroy(nvl);
	+ nvl = NULL;
	+
	+ ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv);
	+
	+ free(nv.data);
	+ return (ret);
	+}
	+
	+int
	+pfctl_get_syncookies(int dev, struct pfctl_syncookies *s)
	+{
	+ struct pfioc_nv nv;
	+ nvlist_t *nvl;
	+ bool enabled, adaptive;
	+
	+ bzero(s, sizeof(*s));
	+
	+ nv.data = malloc(128);
	+ nv.len = nv.size = 128;
	+
	+ if (ioctl(dev, DIOCGETSYNCOOKIES, &nv)) {
	+ free(nv.data);
	+ return (errno);
	+ }
	+
	+ nvl = nvlist_unpack(nv.data, nv.len, 0);
	+ free(nv.data);
	+ if (nvl == NULL) {
	+ free(nv.data);
	+ return (EIO);
	+ }
	+
	+ enabled = nvlist_get_bool(nvl, "enabled");
	+ adaptive = nvlist_get_bool(nvl, "adaptive");
	+
	+ s->mode = enabled ? PFCTL_SYNCOOKIES_ALWAYS : PFCTL_SYNCOOKIES_NEVER;
	+
	+ nvlist_destroy(nvl);
	+
	+ return (0);
	+}
	diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
	--- a/sbin/pfctl/parse.y
	+++ b/sbin/pfctl/parse.y
	@@ -464,7 +464,7 @@
	%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
	%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
	%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
	-%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS
	+%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES
	%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET
	%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
	%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL
	@@ -480,7 +480,7 @@
	%type <v.number> number icmptype icmp6type uid gid
	%type <v.number> tos not yesno
	%type <v.probability> probability
	-%type <v.i> no dir af fragcache optimizer
	+%type <v.i> no dir af fragcache optimizer syncookie_val
	%type <v.i> sourcetrack flush unaryop statelock
	%type <v.b> action nataction natpasslog scrubaction
	%type <v.b> flags flag blockspec prio
	@@ -725,6 +725,21 @@
	\| SET KEEPCOUNTERS {
	pf->keep_counters = true;
	}
	+ \| SET SYNCOOKIES syncookie_val {
	+ pf->syncookies = $3;
	+ }
	+ ;
	+
	+syncookie_val : STRING {
	+ if (!strcmp($1, "never"))
	+ $$ = PFCTL_SYNCOOKIES_NEVER;
	+ else if (!strcmp($1, "always"))
	+ $$ = PFCTL_SYNCOOKIES_ALWAYS;
	+ else {
	+ yyerror("illegal value for syncookies");
	+ YYERROR;
	+ }
	+ }
	;

	stringall : STRING { $$ = $1; }
	@@ -5673,6 +5688,7 @@
	{ "state-policy", STATEPOLICY},
	{ "static-port", STATICPORT},
	{ "sticky-address", STICKYADDRESS},
	+ { "syncookies", SYNCOOKIES},
	{ "synproxy", SYNPROXY},
	{ "table", TABLE},
	{ "tag", TAG},
	diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
	--- a/sbin/pfctl/pfctl.c
	+++ b/sbin/pfctl/pfctl.c
	@@ -93,6 +93,7 @@
	int pfctl_load_debug(struct pfctl *, unsigned int);
	int pfctl_load_logif(struct pfctl , char );
	int pfctl_load_hostid(struct pfctl *, u_int32_t);
	+int pfctl_load_syncookies(struct pfctl *, u_int8_t);
	int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int,
	char *);
	void pfctl_print_rule_counters(struct pfctl_rule *, int);
	@@ -1307,15 +1308,20 @@
	int
	pfctl_show_status(int dev, int opts)
	{
	- struct pf_status status;
	+ struct pf_status status;
	+ struct pfctl_syncookies cookies;

	if (ioctl(dev, DIOCGETSTATUS, &status)) {
	warn("DIOCGETSTATUS");
	return (-1);
	}
	+ if (pfctl_get_syncookies(dev, &cookies)) {
	+ warn("DIOCGETSYNCOOKIES");
	+ return (-1);
	+ }
	if (opts & PF_OPT_SHOWALL)
	pfctl_print_title("INFO:");
	- print_status(&status, opts);
	+ print_status(&status, &cookies, opts);
	return (0);
	}

	@@ -1861,6 +1867,10 @@
	if (pfctl_set_keepcounters(pf->dev, pf->keep_counters))
	error = 1;

	+ /* load syncookies settings */
	+ if (pfctl_load_syncookies(pf, pf->syncookies))
	+ error = 1;
	+
	return (error);
	}

	@@ -2047,6 +2057,22 @@
	return (0);
	}

	+int
	+pfctl_load_syncookies(struct pfctl *pf, u_int8_t val)
	+{
	+ struct pfctl_syncookies cookies;
	+
	+ bzero(&cookies, sizeof(cookies));
	+
	+ cookies.mode = val ? PFCTL_SYNCOOKIES_ALWAYS : PFCTL_SYNCOOKIES_NEVER;
	+
	+ if (pfctl_set_syncookies(dev, &cookies)) {
	+ warnx("DIOCSETSYNCOOKIES");
	+ return (1);
	+ }
	+ return (0);
	+}
	+
	int
	pfctl_set_debug(struct pfctl pf, char d)
	{
	diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
	--- a/sbin/pfctl/pfctl_parser.h
	+++ b/sbin/pfctl/pfctl_parser.h
	@@ -100,6 +100,7 @@
	u_int32_t hostid;
	char *ifname;
	bool keep_counters;
	+ u_int8_t syncookies;

	u_int8_t timeout_set[PFTM_MAX];
	u_int8_t limit_set[PF_LIMIT_MAX];
	@@ -278,7 +279,7 @@
	void print_src_node(struct pf_src_node *, int);
	void print_rule(struct pfctl_rule , const char , int, int);
	void print_tabledef(const char , int, int, struct node_tinithead );
	-void print_status(struct pf_status *, int);
	+void print_status(struct pf_status , struct pfctl_syncookies , int);
	void print_running(struct pf_status *);

	int eval_pfaltq(struct pfctl , struct pf_altq , struct node_queue_bw *,
	diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
	--- a/sbin/pfctl/pfctl_parser.c
	+++ b/sbin/pfctl/pfctl_parser.c
	@@ -497,7 +497,7 @@
	const char * const pf_scounters[FCNT_MAX+1] = FCNT_NAMES;

	void
	-print_status(struct pf_status *s, int opts)
	+print_status(struct pf_status s, struct pfctl_syncookies cookies, int opts)
	{
	char statline[80], *running;
	time_t runtime;
	@@ -627,6 +627,11 @@
	else
	printf("%14s\n", "");
	}
	+
	+ printf("Syncookies\n");
	+ printf(" %-25s %s\n", "mode",
	+ cookies->mode == PFCTL_SYNCOOKIES_NEVER ?
	+ "never" : "always");
	}
	}

File Metadata

Mime Type: text/plain
Expires: Sun, Jan 12, 10:39 AM (20 h, 45 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 15768565
Default Alt Text: D31140.diff (6 KB)

D31140.diffNo OneTemporaryActions

D31140.diffView Options

File Metadata

Event Timeline

D31140.diff
No OneTemporary
Actions

D31140.diff
View Options