author | Kristof Provost <kp@FreeBSD.org> | 2021-08-13 11:42:59 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2021-09-29 13:11:54 +0000 |
commit | 5062afff9de7e67da96e3f0dcb9d8bbd5a4e1c5b (patch) | |
tree | e708d721ef891e9b4d6584168f7f6ad6898ac1f2 /sbin/pfctl/parse.y | |
parent | 955460d41e99031906841870e02063ffdf227f09 (diff) | |
pfctl: userspace adaptive syncookies configuration
Hook up the userspace bits to configure syncookies in adaptive mode.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136
Diffstat (limited to 'sbin/pfctl/parse.y')
-rw-r--r-- | sbin/pfctl/parse.y | 43 |
1 files changed, 41 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 6bcf5a0bc397..89d5f330da47 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -320,6 +320,7 @@ static struct codel_opts codel_opts;
 static struct node_hfsc_opts hfsc_opts;
 static struct node_fairq_opts fairq_opts;
 static struct node_state_opt *keep_state_defaults = NULL;
+static struct pfctl_watermarks syncookie_opts;
 int disallow_table(struct node_host *, const char *);
 int disallow_urpf_failed(struct node_host *, const char *);
@@ -445,6 +446,7 @@ typedef struct {
 struct node_hfsc_opts hfsc_opts;
 struct node_fairq_opts fairq_opts;
 struct codel_opts codel_opts;
+ struct pfctl_watermarks *watermarks;
 } v;
 int lineno;
 } YYSTYPE;
@@ -531,6 +533,7 @@ int parseport(char *, struct range *r, int);
 %type <v.pool_opts> pool_opts pool_opt pool_opts_l
 %type <v.tagged> tagged
 %type <v.rtableid> rtable
+%type <v.watermarks> syncookie_opts
 %%
 ruleset : /* empty */
@@ -729,14 +732,19 @@ option : SET OPTIMIZATION STRING {
 | SET KEEPCOUNTERS {
 pf->keep_counters = true;
 }
- | SET SYNCOOKIES syncookie_val {
- pf->syncookies = $3;
+ | SET SYNCOOKIES syncookie_val syncookie_opts {
+ if (pfctl_cfg_syncookies(pf, $3, $4)) {
+ yyerror("error setting syncookies");
+ YYERROR;
+ }
 }
 ;
 syncookie_val : STRING {
 if (!strcmp($1, "never"))
 $$ = PFCTL_SYNCOOKIES_NEVER;
+ else if (!strcmp($1, "adaptive"))
+ $$ = PFCTL_SYNCOOKIES_ADAPTIVE;
 else if (!strcmp($1, "always"))
 $$ = PFCTL_SYNCOOKIES_ALWAYS;
 else {
@@ -745,6 +753,37 @@ syncookie_val : STRING {
 }
 }
 ;
+syncookie_opts : /* empty */ { $$ = NULL; }
+ | {
+ memset(&syncookie_opts, 0, sizeof(syncookie_opts));
+ } '(' syncookie_opt_l ')' { $$ = &syncookie_opts; }
+ ;
+
+syncookie_opt_l : syncookie_opt_l comma syncookie_opt
+ | syncookie_opt
+ ;
+
+syncookie_opt : STRING STRING {
+ double val;
+ char *cp;
+
+ val = strtod($2, &cp);
+ if (cp == NULL || strcmp(cp, "%"))
+ YYERROR;
+ if (val <= 0 || val > 100) {
+ yyerror("illegal percentage value");
+ YYERROR;
+ }
+ if (!strcmp($1, "start")) {
+ syncookie_opts.hi = val;
+ } else if (!strcmp($1, "end")) {
+ syncookie_opts.lo = val;
+ } else {
+ yyerror("illegal syncookie option");
+ YYERROR;
+ }
+ }
+ ;
 stringall : STRING { $$ = $1; }
 | ALL { |
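Review bot: The range check in the new `syncookie_opt` action lets NaN through. For a value such as `nan%`, strtod() returns NaN with `cp` left at `%`, and both `val <= 0` and `val > 100` are false for NaN, so it is stored into `syncookie_opts.hi` or `.lo`. Writing the test positively closes that: `if (!(val > 0 && val <= 100)) {`. The `cp == NULL` test can never fire, because strtod() always sets the end pointer, and that branch takes `YYERROR` with no `yyerror()` call, so a value missing its `%` is apparently rejected without a diagnostic; a message such as `yyerror("syncookie value must be a percentage");` before it would match the other branches. Nothing in this hunk checks that `start` is above `end` or that both were supplied after the `memset`; presumably `pfctl_cfg_syncookies()`, which is not shown here, validates that, and it is worth confirming.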