From owner-svn-src-all@FreeBSD.ORG  Tue Feb 28 22:00:42 2012
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EDDF2106564A;
	Tue, 28 Feb 2012 22:00:41 +0000 (UTC)
	(envelope-from oleg@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id D2DDF8FC13;
	Tue, 28 Feb 2012 22:00:41 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q1SM0f25094205;
	Tue, 28 Feb 2012 22:00:41 GMT (envelope-from oleg@svn.freebsd.org)
Received: (from oleg@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q1SM0f5R094203;
	Tue, 28 Feb 2012 22:00:41 GMT (envelope-from oleg@svn.freebsd.org)
Message-Id: <201202282200.q1SM0f5R094203@svn.freebsd.org>
From: Oleg Bulyzhin <oleg@FreeBSD.org>
Date: Tue, 28 Feb 2012 22:00:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r232273 - head/sys/netinet/ipfw
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2012 22:00:42 -0000

Author: oleg
Date: Tue Feb 28 22:00:41 2012
New Revision: 232273
URL: http://svn.freebsd.org/changeset/base/232273

Log:
  - Refresh dynamic tcp rule only if both sides answered keepalive packets.
  - Remove some useless assignments.
  
  MFC after:	1 month

Modified:
  head/sys/netinet/ipfw/ip_fw_dynamic.c

Modified: head/sys/netinet/ipfw/ip_fw_dynamic.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_dynamic.c	Tue Feb 28 21:53:39 2012	(r232272)
+++ head/sys/netinet/ipfw/ip_fw_dynamic.c	Tue Feb 28 22:00:41 2012	(r232273)
@@ -472,8 +472,12 @@ next:
 
 #define BOTH_SYN	(TH_SYN | (TH_SYN << 8))
 #define BOTH_FIN	(TH_FIN | (TH_FIN << 8))
+#define	TCP_FLAGS	(TH_FLAGS | (TH_FLAGS << 8))
+#define	ACK_FWD		0x10000			/* fwd ack seen */
+#define	ACK_REV		0x20000			/* rev ack seen */
+
 		q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8);
-		switch (q->state) {
+		switch (q->state & TCP_FLAGS) {
 		case TH_SYN:			/* opening */
 			q->expire = time_uptime + V_dyn_syn_lifetime;
 			break;
@@ -482,24 +486,28 @@ next:
 		case BOTH_SYN | TH_FIN:		/* one side tries to close */
 		case BOTH_SYN | (TH_FIN << 8):
 #define _SEQ_GE(a,b) ((int)(a) - (int)(b) >= 0)
-			if (tcp == NULL) {
-				q->expire = time_uptime + V_dyn_ack_lifetime;
+			if (tcp == NULL)
 				break;
-			}
 
 			ack = ntohl(tcp->th_ack);
 			if (dir == MATCH_FORWARD) {
-				if (q->ack_fwd == 0 || _SEQ_GE(ack, q->ack_fwd))
+				if (q->ack_fwd == 0 ||
+				    _SEQ_GE(ack, q->ack_fwd)) {
 					q->ack_fwd = ack;
-				else	/* ignore out-of-sequence */
-					break;
+					q->state |= ACK_FWD;
+				}
 			} else {
-				if (q->ack_rev == 0 || _SEQ_GE(ack, q->ack_rev))
+				if (q->ack_rev == 0 ||
+				    _SEQ_GE(ack, q->ack_rev)) {
 					q->ack_rev = ack;
-				else	/* ignore out-of-sequence */
-					break;
+					q->state |= ACK_REV;
+				}
+			}
+			if ((q->state & (ACK_FWD | ACK_REV)) ==
+			    (ACK_FWD | ACK_REV)) {
+				q->expire = time_uptime + V_dyn_ack_lifetime;
+				q->state &= ~(ACK_FWD | ACK_REV);
 			}
-			q->expire = time_uptime + V_dyn_ack_lifetime;
 			break;
 
 		case BOTH_SYN | BOTH_FIN:	/* both sides closed */
@@ -1074,10 +1082,12 @@ ipfw_tick(void * vnetx) 
 			if (TIME_LEQ(q->expire, time_uptime))
 				continue;	/* too late, rule expired */
 
-			m = ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1,
-				q->ack_fwd, TH_SYN);
-			mnext = ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1,
-				q->ack_rev, 0);
+			m = (q->state & ACK_REV) ? NULL :
+			    ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1,
+			    q->ack_fwd, TH_SYN);
+			mnext = (q->state & ACK_FWD) ? NULL :
+			    ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1,
+			    q->ack_rev, 0);
 
 			switch (q->id.addr_type) {
 			case 4:
@@ -1103,18 +1113,16 @@ ipfw_tick(void * vnetx) 
 				break;
 #endif
 			}
-
-			m = mnext = NULL;
 		}
 	}
 	IPFW_DYN_UNLOCK();
-	for (m = mnext = m0; m != NULL; m = mnext) {
+	for (m = m0; m != NULL; m = mnext) {
 		mnext = m->m_nextpkt;
 		m->m_nextpkt = NULL;
 		ip_output(m, NULL, NULL, 0, NULL, NULL);
 	}
 #ifdef INET6
-	for (m = mnext = m6; m != NULL; m = mnext) {
+	for (m = m6; m != NULL; m = mnext) {
 		mnext = m->m_nextpkt;
 		m->m_nextpkt = NULL;
 		ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);