pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the
current number of half open states.

MFC after:	1 week
Sponsored by:	Modirum MDPay

lib/libpfctl/libpfctl.c

@@ -1694,6 +1694,7 @@ pfctl_get_syncookies(int dev, struct pfctl_syncookies *s)
 
 	s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit;
 	s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit;
+	s->halfopen_states = nvlist_get_number(nvl, "halfopen_states");
 
 	nvlist_destroy(nvl);
 

lib/libpfctl/libpfctl.h

@@ -382,6 +382,7 @@ struct pfctl_syncookies {
 	enum pfctl_syncookies_mode	mode;
 	uint8_t				highwater;	/* Percent */
 	uint8_t				lowwater;	/* Percent */
+	uint32_t			halfopen_states;
 };
 
 int	pfctl_startstop(int start);

sbin/pfctl/pfctl_parser.c

@@ -628,6 +628,11 @@ print_status(struct pfctl_status *s, struct pfctl_syncookies *cookies, int opts)
 		    PFCTL_SYNCOOKIES_MODE_NAMES[cookies->mode]);
 		printf("  %-25s %s\n", "active",
 		    s->syncookies_active ? "active" : "inactive");
+		if (opts & PF_OPT_VERBOSE2) {
+			printf("  %-25s %d %%\n", "highwater", cookies->highwater);
+			printf("  %-25s %d %%\n", "lowwater", cookies->lowwater);
+			printf("  %-25s %d\n", "halfopen states", cookies->halfopen_states);
+		}
 		printf("Reassemble %24s %s\n",
 		    s->reass & PF_REASS_ENABLED ? "yes" : "no",
 		    s->reass & PF_REASS_NODF ? "no-df" : ""

sys/netpfil/pf/pf_ioctl.c

@@ -5691,6 +5691,7 @@ pf_getstatus(struct pfioc_nv *nv)
 	nvlist_add_number(nvl, "reass", V_pf_status.reass);
 	nvlist_add_bool(nvl, "syncookies_active",
 	    V_pf_status.syncookies_active);
+	nvlist_add_number(nvl, "halfopen_states", V_pf_status.states_halfopen);
 
 	/* counters */
 	error = pf_add_status_counters(nvl, "counters", V_pf_status.counters,

sys/netpfil/pf/pf_syncookies.c

@@ -162,6 +162,8 @@ pf_get_syncookies(struct pfioc_nv *nv)
 	    V_pf_status.syncookies_mode == PF_SYNCOOKIES_ADAPTIVE);
 	nvlist_add_number(nvl, "highwater", V_pf_syncookie_status.hiwat);
 	nvlist_add_number(nvl, "lowwater", V_pf_syncookie_status.lowat);
+	nvlist_add_number(nvl, "halfopen_states",
+	    atomic_load_32(&V_pf_status.states_halfopen));
 
 	nvlpacked = nvlist_pack(nvl, &nv->len);
 	if (nvlpacked == NULL)