diff options
| author |   henning <henning@openbsd.org> | 2018-07-10 13:01:38 +0000 |
|---|---|---|
| committer | henning <henning@openbsd.org> | 2018-07-10 13:01:38 +0000 |
| commit | d1b124b3fdd3f51fd21b605bf0d60070c58b27ea (patch) | |
| tree | c0b0820e3824a21ca225e3aadd0587b5eb81794d /sys/net/pf.c | |
| parent | You can run multiple copies of bgpd in seperate rdomains. (diff) | |
| download | wireguard-openbsd-d1b124b3fdd3f51fd21b605bf0d60070c58b27ea.tar.xz wireguard-openbsd-d1b124b3fdd3f51fd21b605bf0d60070c58b27ea.zip | |
in pf_set_protostate(), only decrement the half-open states counter when
the state was created on this host, i. e. not for those pfsync-imported.
whether pfsync-imported states should be accounted is a seperate discussion,
but as things are, we only increment the counter in pf_create_state(), and
imported states don't excercise that path.
probably fixes the half-open states accounting underflow-wraparounds that
some people have been seeing.
ok sashan
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 1a523239ca2..da62df2a060 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1069 2018/07/10 09:28:27 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.1070 2018/07/10 13:01:38 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -402,7 +402,7 @@ pf_set_protostate(struct pf_state *s, int which, u_int8_t newstate) if (s->src.state == newstate) return; - if (s->key[PF_SK_STACK] != NULL && + if (s->creatorid == pf_status.hostid && s->key[PF_SK_STACK] != NULL && s->key[PF_SK_STACK]->proto == IPPROTO_TCP && !(TCPS_HAVEESTABLISHED(s->src.state) || s->src.state == TCPS_CLOSED) && |