upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

libpfctl: improve syncookie watermark calculation

Browse source 
Ensure that we always pass sane limits for the high and low watermark
values.
This is especially important if users do something silly, like set the
state limit to 1. In that case we wound up calculating 0/0 as a limit,
which gets rejected by the kernel.

While here also shift the calculation to use uint64_t, so we don't end
up with overflows (and subsequently higher low than high values) with
very large state limits.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36497
This commit is contained in:
Kristof Provost 2022-09-08 18:32:02 +02:00
parent 7d0e83c60b
commit 6049ee60e0
1 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
lib/libpfctl/libpfctl.c
View file

@ -1335,17 +1335,25 @@ pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
nvlist_t *nvl;
int ret;
uint state_limit;
uint64_t lim, hi, lo;
ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
if (ret != 0)
return (ret);
lim = state_limit;
hi = lim * s->highwater / 100;
lo = lim * s->lowwater / 100;
if (lo == hi)
hi++;
nvl = nvlist_create(0);
nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE);
nvlist_add_number(nvl, "highwater", state_limit * s->highwater / 100);
nvlist_add_number(nvl, "lowwater", state_limit * s->lowwater / 100);
nvlist_add_number(nvl, "highwater", hi);
nvlist_add_number(nvl, "lowwater", lo);
nv.data = nvlist_pack(nvl, &nv.len);
nv.size = nv.len;