Date:      Wed, 4 Apr 2012 14:48:00 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r233874 - head/sys/contrib/pf/net
Message-ID:  <201204041448.q34Em0Bu008620@svn.freebsd.org>

Author: glebius
Date: Wed Apr  4 14:47:59 2012
New Revision: 233874
URL: http://svn.freebsd.org/changeset/base/233874

Log:
  Merge from OpenBSD:
    revision 1.173
    date: 2011/11/09 12:36:03;  author: camield;  state: Exp;  lines: +11 -12
    State expire time is a baseline time ("last active") for expiry
    calculations, and does _not_ denote the time when to expire.  So
    it should never be added to (set into the future).
  
    Try to reconstruct it with an educated guess on state import and
    just set it to the current time on state updates.
  
    This fixes a problem on pfsync listeners where the expiry time
    could be double the expected value and cause a lot more states
    to linger.

Modified:
  head/sys/contrib/pf/net/if_pfsync.c

Modified: head/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- head/sys/contrib/pf/net/if_pfsync.c	Wed Apr  4 14:31:48 2012	(r233873)
+++ head/sys/contrib/pf/net/if_pfsync.c	Wed Apr  4 14:47:59 2012	(r233874)
@@ -51,6 +51,7 @@
  * 1.146 - bzero() mbuf before sparsely filling it with data
  * 1.170 - SIOCSIFMTU checks
  * 1.126, 1.142 - deferred packets processing
+ * 1.173 - correct expire time processing
  */
 
 #ifdef __FreeBSD__
@@ -789,11 +790,16 @@ pfsync_state_import(struct pfsync_state 
 	st->creation = time_uptime - ntohl(sp->creation);
 	st->expire = time_second;
 	if (sp->expire) {
-		/* XXX No adaptive scaling. */
-		st->expire -= r->timeout[sp->timeout] - ntohl(sp->expire);
+		uint32_t timeout;
+
+		timeout = r->timeout[sp->timeout];
+		if (!timeout)
+			timeout = pf_default_rule.timeout[sp->timeout];
+
+		/* sp->expire may have been adaptively scaled by export. */
+		st->expire -= timeout - ntohl(sp->expire);
 	}
 
-	st->expire = ntohl(sp->expire) + time_second;
 	st->direction = sp->direction;
 	st->log = sp->log;
 	st->timeout = sp->timeout;
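Review bot: The subtraction `timeout - ntohl(sp->expire)` in pfsync_state_import is unsigned, so it wraps when the peer-supplied remaining time exceeds the local `timeout` (differing rulesets on the two hosts, or a malformed message). Depending on the width of `st->expire`, which the hunk does not show, the baseline then lands either after `time_second` (the case the log message says must never happen) or far in the past. Guarding the adjustment keeps it at or before now: `if (ntohl(sp->expire) < timeout) st->expire -= timeout - ntohl(sp->expire);`. `sp->timeout` is also used as an array index with no range check visible in the hunk; presumably callers reject values >= PFTM_MAX, but that should be confirmed for every caller. The function begins and continues outside the hunk.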
@@ -1291,7 +1297,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st
 		pfsync_alloc_scrub_memory(&sp->dst, &st->dst);
 		pf_state_peer_ntoh(&sp->src, &st->src);
 		pf_state_peer_ntoh(&sp->dst, &st->dst);
-		st->expire = ntohl(sp->expire) + time_second;
+		st->expire = time_second;
 		st->timeout = sp->timeout;
 		st->pfsync_time = time_uptime;
 	}
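Review bot: The new `st->expire = time_second;` in pfsync_in_upd silently discards the `sp->expire` value carried in the message, and nothing at the assignment says this is intentional; the same applies to the identical line in pfsync_in_upd_c. A short comment at both sites would stop a later reader from restoring the old arithmetic, for example `/* expire is a "last active" baseline, not a deadline; the peer's remaining time is deliberately ignored */`. Both assignments sit inside blocks that start outside their hunks.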
@@ -1397,7 +1403,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, 
 		pfsync_alloc_scrub_memory(&up->dst, &st->dst);
 		pf_state_peer_ntoh(&up->src, &st->src);
 		pf_state_peer_ntoh(&up->dst, &st->dst);
-		st->expire = ntohl(up->expire) + time_second;
+		st->expire = time_second;
 		st->timeout = up->timeout;
 		st->pfsync_time = time_uptime;
 	}
@@ -2021,12 +2027,6 @@ pfsync_out_upd_c(struct pf_state *st, st
 	pf_state_peer_hton(&st->src, &up->src);
 	pf_state_peer_hton(&st->dst, &up->dst);
 	up->creatorid = st->creatorid;
-
-	up->expire = pf_state_expires(st);
-	if (up->expire <= time_second)
-		up->expire = htonl(0);
-	else
-		up->expire = htonl(up->expire - time_second);
 	up->timeout = st->timeout;
 
 	return (sizeof(*up));


