From owner-freebsd-pf@freebsd.org  Mon Feb 18 17:30:44 2019
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BD9B614E54A6
 for <freebsd-pf@mailman.ysv.freebsd.org>; Mon, 18 Feb 2019 17:30:44 +0000 (UTC)
 (envelope-from longwitz@incore.de)
Received: from dss.incore.de (dss.incore.de [195.145.1.138])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CB9E67453A;
 Mon, 18 Feb 2019 17:30:43 +0000 (UTC)
 (envelope-from longwitz@incore.de)
Received: from inetmail.dmz (inetmail.dmz [10.3.0.3])
 by dss.incore.de (Postfix) with ESMTP id E752527D73;
 Mon, 18 Feb 2019 18:30:33 +0100 (CET)
X-Virus-Scanned: amavisd-new at incore.de
Received: from dss.incore.de ([10.3.0.3])
 by inetmail.dmz (inetmail.dmz [10.3.0.3]) (amavisd-new, port 10024)
 with LMTP id nYiE4_q7ypRT; Mon, 18 Feb 2019 18:30:33 +0100 (CET)
Received: from mail.local.incore (fwintern.dmz [10.0.0.253])
 by dss.incore.de (Postfix) with ESMTP id 2450828198;
 Mon, 18 Feb 2019 18:30:33 +0100 (CET)
Received: from bsdmhs.longwitz (unknown [192.168.99.6])
 by mail.local.incore (Postfix) with ESMTP id EDDAA190;
 Mon, 18 Feb 2019 18:30:32 +0100 (CET)
Message-ID: <5C6AEBB8.2030305@incore.de>
Date: Mon, 18 Feb 2019 18:30:32 +0100
From: Andreas Longwitz <longwitz@incore.de>
User-Agent: Thunderbird 2.0.0.19 (X11/20090113)
MIME-Version: 1.0
To: Konstantin Belousov <kib@freebsd.org>
CC: freebsd-pf@freebsd.org, Gleb Smirnoff <glebius@freebsd.org>, 
 Kristof Provost <kristof@sigsegv.be>
Subject: Re: rdr pass for proto tcp sometimes creates states with expire time
 zero and so breaking connections
References: <C4D1F141-2979-4103-957F-F0314637D978@sigsegv.be>
 <5BD45882.1000207@incore.de>
 <D5EEA773-1F0F-4FA0-A39A-486EE323907D@sigsegv.be>
 <5BEB3B9A.9080402@incore.de> <20181113222533.GJ9744@FreeBSD.org>
 <5C49ECAA.7060505@incore.de> <20190124203802.GU24863@kib.kiev.ua>
 <5C4A37A1.80206@incore.de> <20190125131409.GZ24863@kib.kiev.ua>
 <5C557065.10600@incore.de> <20190202184208.GG24863@kib.kiev.ua>
In-Reply-To: <20190202184208.GG24863@kib.kiev.ua>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: CB9E67453A
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org;
 spf=pass (mx1.freebsd.org: domain of longwitz@incore.de designates
 195.145.1.138 as permitted sender) smtp.mailfrom=longwitz@incore.de
X-Spamd-Result: default: False [-1.46 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-0.83)[-0.832,0]; RCVD_COUNT_FIVE(0.00)[5];
 RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+mx]; FROM_HAS_DN(0.00)[];
 MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[];
 DMARC_NA(0.00)[incore.de]; NEURAL_SPAM_SHORT(0.62)[0.617,0];
 NEURAL_HAM_LONG(-0.97)[-0.972,0];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[dss.incore.de];
 RCVD_IN_DNSWL_NONE(0.00)[138.1.145.195.list.dnswl.org : 127.0.10.0];
 IP_SCORE(0.04)[asn: 3320(0.21), country: DE(-0.01)];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:3320, ipnet:195.145.0.0/16, country:DE];
 MID_RHS_MATCH_FROM(0.00)[]
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 17:30:45 -0000

Hello,

> Ok, thanks, I will commit the patch shortly.  I do not see a point in waiting
> for two more weeks, sure report me if anything goes wrong.

your patch for counter(9) on i386 definitely solves my problem discussed
in this thread.

Because fetching a counter is a rather expansive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "rdr
pass" rule should not cause more effort than separate "rdr" and "pass"
rules. For rules with adaptive timeout values the call of
counter_u64_fetch() should be accepted, but otherwise not.

For a small gain in performance especially for "rdr pass" rules I
suggest something like

--- pf.c.orig   2019-02-18 17:49:22.944751000 +0100
+++ pf.c        2019-02-18 17:55:07.396163000 +0100
@@ -1558,7 +1558,7 @@
        if (!timeout)
                timeout = V_pf_default_rule.timeout[state->timeout];
        start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
-       if (start) {
+       if (start && state->rule.ptr != &V_pf_default_rule) {
                end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
                states = counter_u64_fetch(state->rule.ptr->states_cur);
        } else {

-- 
Andreas