diff options
| author |   camield <camield@openbsd.org> | 2011-11-09 12:36:03 +0000 |
|---|---|---|
| committer | camield <camield@openbsd.org> | 2011-11-09 12:36:03 +0000 |
| commit | 3d99ce6dbe52f552bf8c1a218fc0e12ae056cf73 (patch) | |
| tree | dfdcc477c25ad8c931a5c858b483584b2122fa41 | |
| parent | Fix manual wfi instruction encoding. (diff) | |
| download | wireguard-openbsd-3d99ce6dbe52f552bf8c1a218fc0e12ae056cf73.tar.xz wireguard-openbsd-3d99ce6dbe52f552bf8c1a218fc0e12ae056cf73.zip | |
State expire time is a baseline time ("last active") for expiry
calculations, and does _not_ denote the time when to expire. So
it should never be added to (set into the future).
Try to reconstruct it with an educated guess on state import and
just set it to the current time on state updates.
This fixes a problem on pfsync listeners where the expiry time
could be double the expected value and cause a lot more states
to linger.
Timeout code from mikeb.
Found and testing by Maxim Bourmistrov.
ok mikeb dlg
| -rw-r--r-- | sys/net/if_pfsync.c | 23 |
1 files changed, 11 insertions, 12 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index 3e0cab5df52..1d0c4205137 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.172 2011/11/04 22:11:11 mikeb Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.173 2011/11/09 12:36:03 camield Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -592,11 +592,16 @@ pfsync_state_import(struct pfsync_state *sp, int flags) st->creation = time_second - ntohl(sp->creation); st->expire = time_second; if (sp->expire) { - /* XXX No adaptive scaling. */ - st->expire -= r->timeout[sp->timeout] - ntohl(sp->expire); + u_int32_t timeout; + + timeout = r->timeout[sp->timeout]; + if (!timeout) + timeout = pf_default_rule.timeout[sp->timeout]; + + /* sp->expire may have been adaptively scaled by export. */ + st->expire -= timeout - ntohl(sp->expire); } - st->expire = ntohl(sp->expire) + time_second; st->direction = sp->direction; st->log = sp->log; st->timeout = sp->timeout; @@ -960,7 +965,7 @@ pfsync_in_upd(caddr_t buf, int len, int count, int flags) if (sync < 2) { pfsync_alloc_scrub_memory(&sp->dst, &st->dst); pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = ntohl(sp->expire) + time_second; + st->expire = time_second; st->timeout = sp->timeout; } st->pfsync_time = time_uptime; @@ -1034,7 +1039,7 @@ pfsync_in_upd_c(caddr_t buf, int len, int count, int flags) if (sync < 2) { pfsync_alloc_scrub_memory(&up->dst, &st->dst); pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = ntohl(up->expire) + time_second; + st->expire = time_second; st->timeout = up->timeout; } st->pfsync_time = time_uptime; @@ -1449,12 +1454,6 @@ pfsync_out_upd_c(struct pf_state *st, void *buf) pf_state_peer_hton(&st->src, &up->src); pf_state_peer_hton(&st->dst, &up->dst); up->creatorid = st->creatorid; - - up->expire = pf_state_expires(st); - if (up->expire <= time_second) - up->expire = htonl(0); - else - up->expire = htonl(up->expire - time_second); up->timeout = st->timeout; } |