diff options
| author | glebius <glebius@FreeBSD.org> | 2012-04-04 14:47:59 +0000 |
|---|---|---|
| committer | glebius <glebius@FreeBSD.org> | 2012-04-04 14:47:59 +0000 |
| commit | 7676adf25d6182c1722f79935bb39b3667558934 (patch) | |
| tree | 0377642ac6c3d632e59791cd90596abc5523a3cf | |
| parent | b45da04a8e396598388534d55651196579a41415 (diff) | |
| download | FreeBSD-src-7676adf25d6182c1722f79935bb39b3667558934.zip FreeBSD-src-7676adf25d6182c1722f79935bb39b3667558934.tar.gz | |
Merge from OpenBSD:
revision 1.173
date: 2011/11/09 12:36:03; author: camield; state: Exp; lines: +11 -12
State expire time is a baseline time ("last active") for expiry
calculations, and does _not_ denote the time when to expire. So
it should never be added to (set into the future).
Try to reconstruct it with an educated guess on state import and
just set it to the current time on state updates.
This fixes a problem on pfsync listeners where the expiry time
could be double the expected value and cause a lot more states
to linger.
| -rw-r--r-- | sys/contrib/pf/net/if_pfsync.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c index 9c479c4..f09f021 100644 --- a/sys/contrib/pf/net/if_pfsync.c +++ b/sys/contrib/pf/net/if_pfsync.c @@ -51,6 +51,7 @@ * 1.146 - bzero() mbuf before sparsely filling it with data * 1.170 - SIOCSIFMTU checks * 1.126, 1.142 - deferred packets processing + * 1.173 - correct expire time processing */ #ifdef __FreeBSD__ @@ -789,11 +790,16 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) st->creation = time_uptime - ntohl(sp->creation); st->expire = time_second; if (sp->expire) { - /* XXX No adaptive scaling. */ - st->expire -= r->timeout[sp->timeout] - ntohl(sp->expire); + uint32_t timeout; + + timeout = r->timeout[sp->timeout]; + if (!timeout) + timeout = pf_default_rule.timeout[sp->timeout]; + + /* sp->expire may have been adaptively scaled by export. */ + st->expire -= timeout - ntohl(sp->expire); } - st->expire = ntohl(sp->expire) + time_second; st->direction = sp->direction; st->log = sp->log; st->timeout = sp->timeout; @@ -1291,7 +1297,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) pfsync_alloc_scrub_memory(&sp->dst, &st->dst); pf_state_peer_ntoh(&sp->src, &st->src); pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = ntohl(sp->expire) + time_second; + st->expire = time_second; st->timeout = sp->timeout; st->pfsync_time = time_uptime; } @@ -1397,7 +1403,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) pfsync_alloc_scrub_memory(&up->dst, &st->dst); pf_state_peer_ntoh(&up->src, &st->src); pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = ntohl(up->expire) + time_second; + st->expire = time_second; st->timeout = up->timeout; st->pfsync_time = time_uptime; } @@ -2021,12 +2027,6 @@ pfsync_out_upd_c(struct pf_state *st, struct mbuf *m, int offset) pf_state_peer_hton(&st->src, &up->src); pf_state_peer_hton(&st->dst, &up->dst); up->creatorid = st->creatorid; - - up->expire = pf_state_expires(st); - if (up->expire <= time_second) - up->expire = htonl(0); - else - up->expire = htonl(up->expire - time_second); up->timeout = st->timeout; return (sizeof(*up)); |
