diff options
| author | glebius <glebius@FreeBSD.org> | 2012-04-03 18:09:20 +0000 |
|---|---|---|
| committer | glebius <glebius@FreeBSD.org> | 2012-04-03 18:09:20 +0000 |
| commit | 4a817f8ca2d8bd5e782e41eb4c17c5b9a3775702 (patch) | |
| tree | 72e76fabdc0891293c1e4081032ee76dafb61019 | |
| parent | d54496d7dd5f79f0c555daafda2f2f8d9a27b17d (diff) | |
| download | FreeBSD-src-4a817f8ca2d8bd5e782e41eb4c17c5b9a3775702.zip FreeBSD-src-4a817f8ca2d8bd5e782e41eb4c17c5b9a3775702.tar.gz | |
Since pf 4.5 import pf(4) has a mechanism to defer
forwarding a packet, that creates state, until
pfsync(4) peer acks state addition (or 10 msec
timeout passes).
This is needed for active-active CARP configurations,
which are poorly supported in FreeBSD and arguably
a good idea at all.
Unfortunately by the time of import this feature in
OpenBSD was turned on, and did not have a switch to
turn it off. This leaked to FreeBSD.
This change make it possible to turn this feature
off via ioctl() and turns it off by default.
Obtained from: OpenBSD
| -rw-r--r-- | sys/contrib/pf/net/if_pfsync.c | 14 | ||||
| -rw-r--r-- | sys/contrib/pf/net/if_pfsync.h | 2 |
2 files changed, 11 insertions, 5 deletions
diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c index f4d296d..9c479c4 100644 --- a/sys/contrib/pf/net/if_pfsync.c +++ b/sys/contrib/pf/net/if_pfsync.c @@ -50,6 +50,7 @@ * 1.128 - cleanups * 1.146 - bzero() mbuf before sparsely filling it with data * 1.170 - SIOCSIFMTU checks + * 1.126, 1.142 - deferred packets processing */ #ifdef __FreeBSD__ @@ -262,6 +263,7 @@ struct pfsync_softc { struct pfsync_upd_reqs sc_upd_req_list; + int sc_defer; struct pfsync_deferrals sc_deferrals; u_int sc_deferred; @@ -1805,6 +1807,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer; pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates; + pfsyncr.pfsyncr_defer = sc->sc_defer; return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))); case SIOCSETPFSYNC: @@ -1840,6 +1843,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } #endif sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates; + sc->sc_defer = pfsyncr.pfsyncr_defer; if (pfsyncr.pfsyncr_syncdev[0] == 0) { sc->sc_sync_if = NULL; @@ -2378,10 +2382,7 @@ pfsync_insert_state(struct pf_state *st) pfsync_q_ins(st, PFSYNC_S_INS); - if (ISSET(st->state_flags, PFSTATE_ACK)) - schednetisr(NETISR_PFSYNC); - else - st->sync_updates = 0; + st->sync_updates = 0; } int defer = 10; @@ -2402,6 +2403,9 @@ pfsync_defer(struct pf_state *st, struct mbuf *m) splassert(IPL_SOFTNET); #endif + if (!sc->sc_defer || m->m_flags & (M_BCAST|M_MCAST)) + return (0); + if (sc->sc_deferred >= 128) pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); @@ -2430,6 +2434,8 @@ pfsync_defer(struct pf_state *st, struct mbuf *m) timeout_add(&pd->pd_tmo, defer); #endif + swi_sched(V_pfsync_swi_cookie, 0); + return (1); } diff --git a/sys/contrib/pf/net/if_pfsync.h b/sys/contrib/pf/net/if_pfsync.h index 17259b7..3f34038 100644 --- a/sys/contrib/pf/net/if_pfsync.h +++ b/sys/contrib/pf/net/if_pfsync.h @@ -265,7 +265,7 @@ struct pfsyncreq { char pfsyncr_syncdev[IFNAMSIZ]; struct in_addr pfsyncr_syncpeer; int pfsyncr_maxupdates; - int pfsyncr_authlevel; + int pfsyncr_defer; }; #ifdef __FreeBSD__ |
