Date: Fri, 20 Apr 2012 09:43:42 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r234486 - projects/pf/head/sys/contrib/pf/net Message-ID: <201204200943.q3K9hgYQ032351@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Fri Apr 20 09:43:42 2012 New Revision: 234486 URL: http://svn.freebsd.org/changeset/base/234486 Log: Use monotonic time_uptime to drive expiry of states, source nodes, fragments, thresholds. Modified: projects/pf/head/sys/contrib/pf/net/if_pfsync.c projects/pf/head/sys/contrib/pf/net/pf.c projects/pf/head/sys/contrib/pf/net/pf_ioctl.c projects/pf/head/sys/contrib/pf/net/pf_norm.c Modified: projects/pf/head/sys/contrib/pf/net/if_pfsync.c ============================================================================== --- projects/pf/head/sys/contrib/pf/net/if_pfsync.c Fri Apr 20 08:26:05 2012 (r234485) +++ projects/pf/head/sys/contrib/pf/net/if_pfsync.c Fri Apr 20 09:43:42 2012 (r234486) @@ -495,7 +495,7 @@ pfsync_state_import(struct pfsync_state /* copy to state */ bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr)); st->creation = time_uptime - ntohl(sp->creation); - st->expire = time_second; + st->expire = time_uptime; if (sp->expire) { uint32_t timeout; @@ -898,7 +898,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st pfsync_alloc_scrub_memory(&sp->dst, &st->dst); pf_state_peer_ntoh(&sp->src, &st->src); pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = time_second; + st->expire = time_uptime; st->timeout = sp->timeout; st->pfsync_time = time_uptime; PF_STATE_UNLOCK(st); @@ -992,7 +992,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, pfsync_alloc_scrub_memory(&up->dst, &st->dst); pf_state_peer_ntoh(&up->src, &st->src); pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = time_second; + st->expire = time_uptime; st->timeout = up->timeout; st->pfsync_time = time_uptime; PF_STATE_UNLOCK(st); Modified: projects/pf/head/sys/contrib/pf/net/pf.c ============================================================================== --- projects/pf/head/sys/contrib/pf/net/pf.c Fri Apr 20 08:26:05 2012 (r234485) +++ projects/pf/head/sys/contrib/pf/net/pf.c Fri Apr 20 09:43:42 2012 (r234486) @@ -436,13 +436,13 @@ pf_init_threshold(struct pf_threshold *t threshold->limit = limit * PF_THRESHOLD_MULT; threshold->seconds = seconds; threshold->count = 0; - threshold->last = time_second; + threshold->last = time_uptime; } static void pf_add_threshold(struct pf_threshold *threshold) { - u_int32_t t = time_second, diff = t - threshold->last; + u_int32_t t = time_uptime, diff = t - threshold->last; if (diff >= threshold->seconds) threshold->count = 0; @@ -627,7 +627,7 @@ pf_insert_src_node(struct pf_src_node ** (*sn)->rule.ptr = rule; PF_ACPY(&(*sn)->addr, src, af); LIST_INSERT_HEAD(&sh->nodes, *sn, entry); - (*sn)->creation = time_second; + (*sn)->creation = time_uptime; (*sn)->ruletype = rule->action; if ((*sn)->rule.ptr != NULL) (*sn)->rule.ptr->src_nodes++; @@ -1324,7 +1324,7 @@ pf_state_expires(const struct pf_state * /* handle all PFTM_* > PFTM_MAX here */ if (state->timeout == PFTM_PURGE) - return (time_second); + return (time_uptime); if (state->timeout == PFTM_UNTIL_PACKET) return (0); KASSERT(state->timeout != PFTM_UNLINKED, @@ -1348,7 +1348,7 @@ pf_state_expires(const struct pf_state * return (state->expire + timeout * (end - states) / (end - start)); else - return (time_second); + return (time_uptime); } return (state->expire + timeout); } @@ -1363,7 +1363,7 @@ pf_purge_expired_src_nodes() for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next) - if (cur->states <= 0 && cur->expire <= time_second) { + if (cur->states <= 0 && cur->expire <= time_uptime) { if (cur->rule.ptr != NULL) { cur->rule.ptr->src_nodes--; if (cur->rule.ptr->states_cur <= 0 && @@ -1392,7 +1392,7 @@ pf_src_tree_remove_state(struct pf_state if (!timeout) timeout = V_pf_default_rule.timeout[PFTM_SRC_NODE]; - s->src_node->expire = time_second + timeout; + s->src_node->expire = time_uptime + timeout; } } if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { @@ -1401,7 +1401,7 @@ pf_src_tree_remove_state(struct pf_state if (!timeout) timeout = V_pf_default_rule.timeout[PFTM_SRC_NODE]; - s->nat_src_node->expire = time_second + timeout; + s->nat_src_node->expire = time_uptime + timeout; } } s->src_node = s->nat_src_node = NULL; @@ -1501,7 +1501,7 @@ pf_purge_expired_states(int maxcheck) relock: PF_HASHROW_LOCK(ih); LIST_FOREACH(s, &ih->states, entry) { - if (pf_state_expires(s) <= time_second) { + if (pf_state_expires(s) <= time_uptime) { pf_unlink_state(s, PF_ENTER_LOCKED); goto relock; } @@ -3365,8 +3365,8 @@ pf_create_state(struct pf_rule *r, struc s->timeout = PFTM_OTHER_FIRST_PACKET; } - s->creation = time_second; - s->expire = time_second; + s->creation = time_uptime; + s->expire = time_uptime; if (sn != NULL) { s->src_node = sn; @@ -3781,7 +3781,7 @@ pf_tcp_track_full(struct pf_state_peer * src->state = dst->state = TCPS_TIME_WAIT; /* update expire time */ - (*state)->expire = time_second; + (*state)->expire = time_uptime; if (src->state >= TCPS_FIN_WAIT_2 && dst->state >= TCPS_FIN_WAIT_2) (*state)->timeout = PFTM_TCP_CLOSED; @@ -3962,7 +3962,7 @@ pf_tcp_track_sloppy(struct pf_state_peer src->state = dst->state = TCPS_TIME_WAIT; /* update expire time */ - (*state)->expire = time_second; + (*state)->expire = time_uptime; if (src->state >= TCPS_FIN_WAIT_2 && dst->state >= TCPS_FIN_WAIT_2) (*state)->timeout = PFTM_TCP_CLOSED; @@ -4189,7 +4189,7 @@ pf_test_state_udp(struct pf_state **stat dst->state = PFUDPS_MULTIPLE; /* update expire time */ - (*state)->expire = time_second; + (*state)->expire = time_uptime; if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) (*state)->timeout = PFTM_UDP_MULTIPLE; else @@ -4276,7 +4276,7 @@ pf_test_state_icmp(struct pf_state **sta STATE_LOOKUP(kif, &key, direction, *state, pd); - (*state)->expire = time_second; + (*state)->expire = time_uptime; (*state)->timeout = PFTM_ICMP_ERROR_REPLY; /* translate source/destination address, if necessary */ @@ -4844,7 +4844,7 @@ pf_test_state_other(struct pf_state **st dst->state = PFOTHERS_MULTIPLE; /* update expire time */ - (*state)->expire = time_second; + (*state)->expire = time_uptime; if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) (*state)->timeout = PFTM_OTHER_MULTIPLE; else Modified: projects/pf/head/sys/contrib/pf/net/pf_ioctl.c ============================================================================== --- projects/pf/head/sys/contrib/pf/net/pf_ioctl.c Fri Apr 20 08:26:05 2012 (r234485) +++ projects/pf/head/sys/contrib/pf/net/pf_ioctl.c Fri Apr 20 09:43:42 2012 (r234486) @@ -3165,7 +3165,7 @@ DIOCGETSTATES_full: i++, sh++) { PF_HASHROW_LOCK(sh); LIST_FOREACH(n, &sh->nodes, entry) { - int secs = time_second, diff; + int secs = time_uptime, diff; if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len) break; @@ -3340,12 +3340,12 @@ pfsync_state_export(struct pfsync_state /* copy from state */ strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname)); bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr)); - sp->creation = htonl(time_second - st->creation); + sp->creation = htonl(time_uptime - st->creation); sp->expire = pf_state_expires(st); - if (sp->expire <= time_second) + if (sp->expire <= time_uptime) sp->expire = htonl(0); else - sp->expire = htonl(sp->expire - time_second); + sp->expire = htonl(sp->expire - time_uptime); sp->direction = st->direction; sp->log = st->log; Modified: projects/pf/head/sys/contrib/pf/net/pf_norm.c ============================================================================== --- projects/pf/head/sys/contrib/pf/net/pf_norm.c Fri Apr 20 08:26:05 2012 (r234485) +++ projects/pf/head/sys/contrib/pf/net/pf_norm.c Fri Apr 20 09:43:42 2012 (r234486) @@ -234,7 +234,7 @@ void pf_purge_expired_fragments(void) { struct pf_fragment *frag; - u_int32_t expire = time_second - + u_int32_t expire = time_uptime - V_pf_default_rule.timeout[PFTM_FRAG]; PF_FRAG_LOCK(); @@ -359,7 +359,7 @@ pf_find_fragment(struct ip *ip, struct p frag = RB_FIND(pf_frag_tree, tree, &key); if (frag != NULL) { /* XXX Are we sure we want to update the timeout? */ - frag->fr_timeout = time_second; + frag->fr_timeout = time_uptime; if (BUFFER_FRAGMENTS(frag)) { TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next); TAILQ_INSERT_HEAD(&V_pf_fragqueue, frag, frag_next); @@ -429,7 +429,7 @@ pf_reassemble(struct mbuf **m0, struct p (*frag)->fr_dst = frent->fr_ip->ip_dst; (*frag)->fr_p = frent->fr_ip->ip_p; (*frag)->fr_id = frent->fr_ip->ip_id; - (*frag)->fr_timeout = time_second; + (*frag)->fr_timeout = time_uptime; LIST_INIT(&(*frag)->fr_queue); RB_INSERT(pf_frag_tree, &V_pf_frag_tree, *frag); @@ -639,7 +639,7 @@ pf_fragcache(struct mbuf **m0, struct ip (*frag)->fr_dst = h->ip_dst; (*frag)->fr_p = h->ip_p; (*frag)->fr_id = h->ip_id; - (*frag)->fr_timeout = time_second; + (*frag)->fr_timeout = time_uptime; cur->fr_off = off; cur->fr_end = max; @@ -1689,7 +1689,7 @@ pf_normalize_tcp_stateful(struct mbuf *m getmicrouptime(&uptime); if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE || - time_second - state->creation > TS_MAX_CONN)) { + time_uptime - state->creation > TS_MAX_CONN)) { if (V_pf_status.debug >= PF_DEBUG_MISC) { DPFPRINTF(("src idled out of PAWS\n")); pf_print_state(state);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201204200943.q3K9hgYQ032351>