From: Kristof Provost
Date: Mon, 12 Sep 2022 08:20:51 GMT
Message-Id: <202209120820.28C8KpoG067052@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 6049ee60e016 - main - libpfctl: improve syncookie watermark calculation
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6049ee60e0160bc6d564b733f02015259473f166

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6049ee60e0160bc6d564b733f02015259473f166

commit
6049ee60e0160bc6d564b733f02015259473f166 Author: Kristof Provost AuthorDate: 2022-09-08 16:32:02 +0000 Commit: Kristof Provost CommitDate: 2022-09-12 07:32:02 +0000 libpfctl: improve syncookie watermark calculation Ensure that we always pass sane limits for the high and low watermark values. This is especially important if users do something silly, like set the state limit to 1. In that case we wound up calculating 0/0 as a limit, which gets rejected by the kernel. While here also shift the calculation to use uint64_t, so we don't end up with overflows (and subsequently higher low than high values) with very large state limits. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D36497 --- lib/libpfctl/libpfctl.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 3adfb7b94af3..5b93fd1043d6 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -1335,17 +1335,25 @@ pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) nvlist_t *nvl; int ret; uint state_limit; + uint64_t lim, hi, lo; ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); if (ret != 0) return (ret); + lim = state_limit; + hi = lim * s->highwater / 100; + lo = lim * s->lowwater / 100; + + if (lo == hi) + hi++; + nvl = nvlist_create(0); nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER); nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE); - nvlist_add_number(nvl, "highwater", state_limit * s->highwater / 100); - nvlist_add_number(nvl, "lowwater", state_limit * s->lowwater / 100); + nvlist_add_number(nvl, "highwater", hi); + nvlist_add_number(nvl, "lowwater", lo); nv.data = nvlist_pack(nvl, &nv.len); nv.size = nv.len;
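
Review bot: the new guard in pfctl_set_syncookies(), "if (lo == hi) hi++;", only covers the case where the two computed values are equal; nothing in the hunk handles lo > hi, which still results when the caller passes s->lowwater greater than s->highwater, so the "always pass sane limits" goal in the commit message is not fully met by the visible lines. Consider checking for lo >= hi (or comparing s->lowwater against s->highwater up front) and returning an error before the nvlist is built, rather than leaving that case to be rejected later. A one-line comment above the hi++ explaining that it exists for very small state limits, where both percentages round down to the same value, would also help the next reader, since the reason is only recorded in the commit message.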