pf: default syncookies to adaptive mode

The cost of enabling syncookies in adaptive mode is very low (basically a single atomic add when we create a new half-open state), and the payoff when under SYN flood is huge. So, enable adaptive mode by default. Suggested by: Eirik Øverby
2022-12-31 19:26:24 +01:00 · 2022-12-31 19:26:24 +01:00 · 933be8d74b
commit 933be8d74b
parent dc698b2cd5
2 changed files with 9 additions and 2 deletions
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -311,6 +311,8 @@ pfattach_vnet(void)
 {
 	u_int32_t *my_timeout = V_pf_default_rule.timeout;

+	bzero(&V_pf_status, sizeof(V_pf_status));
+
 	pf_initialize();
 	pfr_initialize();
 	pfi_initialize_vnet();
@ -380,7 +382,6 @@ pfattach_vnet(void)
 	my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
 	my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;

-	bzero(&V_pf_status, sizeof(V_pf_status));
 	V_pf_status.debug = PF_DEBUG_URGENT;

 	V_pf_pfil_hooked = false;
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@ -127,7 +127,13 @@ pf_syncookies_init(void)
 {
 	callout_init(&V_pf_syncookie_status.keytimeout, 1);
 	PF_RULES_WLOCK();
-	pf_syncookies_setmode(PF_SYNCOOKIES_NEVER);
+
+	V_pf_syncookie_status.hiwat = PF_SYNCOOKIES_HIWATPCT *
+	    V_pf_limits[PF_LIMIT_STATES].limit / 100;
+	V_pf_syncookie_status.lowat = PF_SYNCOOKIES_LOWATPCT *
+	    V_pf_limits[PF_LIMIT_STATES].limit / 100;
+	pf_syncookies_setmode(PF_SYNCOOKIES_ADAPTIVE);
+
 	PF_RULES_WUNLOCK();
 }