Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 18 Feb 2019 18:30:32 +0100
From:      Andreas Longwitz <longwitz@incore.de>
To:        Konstantin Belousov <kib@freebsd.org>
Cc:        freebsd-pf@freebsd.org, Gleb Smirnoff <glebius@freebsd.org>,  Kristof Provost <kristof@sigsegv.be>
Subject:   Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections
Message-ID:  <5C6AEBB8.2030305@incore.de>
In-Reply-To: <20190202184208.GG24863@kib.kiev.ua>
References:  <C4D1F141-2979-4103-957F-F0314637D978@sigsegv.be> <5BD45882.1000207@incore.de> <D5EEA773-1F0F-4FA0-A39A-486EE323907D@sigsegv.be> <5BEB3B9A.9080402@incore.de> <20181113222533.GJ9744@FreeBSD.org> <5C49ECAA.7060505@incore.de> <20190124203802.GU24863@kib.kiev.ua> <5C4A37A1.80206@incore.de> <20190125131409.GZ24863@kib.kiev.ua> <5C557065.10600@incore.de> <20190202184208.GG24863@kib.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help 
Hello,

> Ok, thanks, I will commit the patch shortly.  I do not see a point in waiting
> for two more weeks, sure report me if anything goes wrong.

your patch for counter(9) on i386 definitely solves my problem discussed
in this thread.

Because fetching a counter is a rather expansive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "rdr
pass" rule should not cause more effort than separate "rdr" and "pass"
rules. For rules with adaptive timeout values the call of
counter_u64_fetch() should be accepted, but otherwise not.

For a small gain in performance especially for "rdr pass" rules I
suggest something like

--- pf.c.orig   2019-02-18 17:49:22.944751000 +0100
+++ pf.c        2019-02-18 17:55:07.396163000 +0100
@@ -1558,7 +1558,7 @@
        if (!timeout)
                timeout = V_pf_default_rule.timeout[state->timeout];
        start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
-       if (start) {
+       if (start && state->rule.ptr != &V_pf_default_rule) {
                end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
                states = counter_u64_fetch(state->rule.ptr->states_cur);
        } else {

-- 
Andreas

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5C6AEBB8.2030305>