From: Gleb Smirnoff
Date: Wed, 4 Apr 2012 14:48:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r233874 - head/sys/contrib/pf/net

Author: glebius
Date: Wed Apr 4 14:47:59 2012
New Revision: 233874
URL: http://svn.freebsd.org/changeset/base/233874

Log:
  Merge from OpenBSD:
    revision 1.173
    date: 2011/11/09 12:36:03; author: camield; state: Exp; lines: +11 -12
    State expire time is a baseline time ("last active") for expiry
    calculations, and does _not_ denote the time when to expire. So
    it should never be added to (set into the future). Try to reconstruct
    it with an educated guess on state import and just set it to the
    current time on state updates.

    This fixes a problem on pfsync listeners where the expiry time could
    be double the expected value and cause a lot more states to linger.

Modified:
  head/sys/contrib/pf/net/if_pfsync.c

Modified: head/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- head/sys/contrib/pf/net/if_pfsync.c Wed Apr 4 14:31:48 2012 (r233873) +++ head/sys/contrib/pf/net/if_pfsync.c Wed Apr 4 14:47:59 2012 (r233874) @@ -51,6 +51,7 @@ * 1.146 - bzero() mbuf before sparsely filling it with data * 1.170 - SIOCSIFMTU checks * 1.126, 1.142 - deferred packets processing + * 1.173 - correct expire time processing */ #ifdef __FreeBSD__ 
@@ -789,11 +790,16 @@ pfsync_state_import(struct pfsync_state st->creation = time_uptime - ntohl(sp->creation); st->expire = time_second; if (sp->expire) { - /* XXX No adaptive scaling. */ - st->expire -= r->timeout[sp->timeout] - ntohl(sp->expire); + uint32_t timeout; + + timeout = r->timeout[sp->timeout]; + if (!timeout) + timeout = pf_default_rule.timeout[sp->timeout]; + + /* sp->expire may have been adaptively scaled by export. */ + st->expire -= timeout - ntohl(sp->expire); } - st->expire = ntohl(sp->expire) + time_second; st->direction = sp->direction; st->log = sp->log; st->timeout = sp->timeout; @@ -1291,7 +1297,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st pfsync_alloc_scrub_memory(&sp->dst, &st->dst); pf_state_peer_ntoh(&sp->src, &st->src); pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = ntohl(sp->expire) + time_second; + st->expire = time_second; st->timeout = sp->timeout; st->pfsync_time = time_uptime; } @@ -1397,7 +1403,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, pfsync_alloc_scrub_memory(&up->dst, &st->dst); pf_state_peer_ntoh(&up->src, &st->src); pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = ntohl(up->expire) + time_second; + st->expire = time_second; st->timeout = up->timeout; st->pfsync_time = time_uptime; } @@ -2021,12 +2027,6 @@ pfsync_out_upd_c(struct pf_state *st, st pf_state_peer_hton(&st->src, &up->src); pf_state_peer_hton(&st->dst, &up->dst); up->creatorid = st->creatorid; - - up->expire = pf_state_expires(st); - if (up->expire <= time_second) - up->expire = htonl(0); - else - up->expire = htonl(up->expire - time_second); up->timeout = st->timeout; return (sizeof(*up));
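
Review bot: In the pfsync_state_import hunk, `st->expire -= timeout - ntohl(sp->expire);` has no guard against the peer's value exceeding the local one. `timeout` is a uint32_t, so if `ntohl(sp->expire)` is larger than `timeout` (the two hosts resolve different rule timeouts, or the packet is malformed) the difference wraps to a very large number and `st->expire` lands nowhere near the intended "last active" baseline. Suggest subtracting only when `ntohl(sp->expire) < timeout` and otherwise leaving `st->expire = time_second`. Separately, `sp->timeout` is taken from the received state and indexes both `r->timeout[]` and `pf_default_rule.timeout[]`; the range check is not visible in this hunk, so please confirm it is enforced before this point.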
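
Review bot: In the pfsync_in_upd hunk (and the identical change in pfsync_in_upd_c), `st->expire = time_second;` now silently discards the `expire` field carried in the update, while pfsync_state_import still consumes `sp->expire`. A short comment at both sites saying that expire is a "last active" baseline and that the received value is intentionally ignored on updates would keep a later reader from "restoring" the old `ntohl(...) + time_second` form.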
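
Review bot: In the pfsync_out_upd_c hunk, `up->expire` is no longer written at all, so what goes on the wire depends on the buffer having been zeroed beforehand (the file header mentions the 1.146 bzero() of the mbuf, but that is not visible here). Suggest either an explicit `up->expire = 0;` or a comment stating the field is unused and relies on the earlier bzero(), and a note on what a peer still running the pre-1.173 receive code will compute from a zero value.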