author | 2016-09-03 17:11:40 +0000 | |
---|---|---|
committer | 2016-09-03 17:11:40 +0000 | |
commit | 8cf23eed7fe41b57c6ce2264de5e7fd5d7bd227b (patch) | |
tree | 3ec1f4b5f25496d308329f9612bd040daab7d6bb /sys/net/pf_ioctl.c | |
parent | In iwm, move assignments to 'err' outside of if-statements. (diff) | |
Let the purge thread, not packets, remove once rules.
Thanks to mikeb@ for the idea to add an expire time.
OK mpi@, OK mikeb@
Diffstat (limited to 'sys/net/pf_ioctl.c')
-rw-r--r-- | sys/net/pf_ioctl.c | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 32359ac56c6..7b360b0db05 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.298 2016/09/02 10:19:49 dlg Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.299 2016/09/03 17:11:40 sashan Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -309,12 +309,13 @@ pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
 }
 void
-pf_purge_rule(struct pf_ruleset *ruleset, struct pf_rule *rule,
- struct pf_ruleset *aruleset, struct pf_rule *arule)
+pf_purge_rule(struct pf_rule *rule)
 {
 u_int32_t nr = 0;
+ struct pf_ruleset *ruleset;
- KASSERT(ruleset != NULL && rule != NULL);
+ KASSERT((rule != NULL) && (rule->ruleset != NULL));
+ ruleset = rule->ruleset;
 pf_rm_rule(ruleset->rules.active.ptr, rule);
 ruleset->rules.active.rcount--;
@@ -322,16 +323,6 @@ pf_purge_rule(struct pf_ruleset *ruleset, struct pf_rule *rule,
 rule->nr = nr++;
 ruleset->rules.active.ticket++;
 pf_calc_skip_steps(ruleset->rules.active.ptr);
-
- /* remove the parent anchor rule */
- if (nr == 0 && arule && aruleset) {
- pf_rm_rule(aruleset->rules.active.ptr, arule);
- aruleset->rules.active.rcount--;
- TAILQ_FOREACH(rule, aruleset->rules.active.ptr, entries)
- rule->nr = nr++;
- aruleset->rules.active.ticket++;
- pf_calc_skip_steps(aruleset->rules.active.ptr);
- }
 }
 u_int16_t
@@ -783,6 +774,9 @@ pf_commit_rules(u_int32_t ticket, char *anchor)
 int s, error;
 u_int32_t old_rcount;
+ /* Make sure any expired rules get removed from active rules first. */
+ pf_purge_expired_rules(1);
+
 rs = pf_find_ruleset(anchor);
 if (rs == NULL || !rs->rules.inactive.open || ticket != rs->rules.inactive.ticket)
@@ -1217,6 +1211,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 }
 TAILQ_INSERT_TAIL(ruleset->rules.inactive.ptr, rule, entries);
+ rule->ruleset = ruleset;
 ruleset->rules.inactive.rcount++;
 break;
 }
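Review bot: pf_purge_rule() now trusts `rule->ruleset`, yet the only assignment of that back pointer visible in this diff is the rule-insert path in pfioctl() (the hunk at -1217), and nothing here documents who keeps the ruleset alive while a rule still points at it. A rule that reached an active queue by another path would be caught only by the KASSERT, which is a diagnostic check rather than error handling. I would add a comment above the function such as `/* rule->ruleset is a non-owning back pointer set when the rule is queued; the ruleset must outlive every rule that points at it. */` and confirm that any other code that queues or moves rules sets the field as well. The function body continues into the next hunk.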
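Review bot: In pf_commit_rules() the added `pf_purge_expired_rules(1);` runs before the ruleset lookup and ticket comparison that follow it, so a commit that is then rejected has already changed the active rules (pf_purge_rule() renumbers them and bumps `rules.active.ticket`, assuming the purge goes through it). If that ordering is deliberate, extend the comment to say so, and explain the bare `1`, whose meaning cannot be read from this file. The function continues outside the hunk, so whether the call is made under the same protection as the later queue swap cannot be checked from here.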
@@ -1273,6 +1268,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 pr->rule.rcv_kif = NULL;
 pr->rule.anchor = NULL;
 pr->rule.overload_tbl = NULL;
+ bzero(&pr->rule.gcle, sizeof(pr->rule.gcle));
+ pr->rule.ruleset = NULL;
 if (pf_anchor_copyout(ruleset, rule, pr)) {
 error = EBUSY;
 break; |
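Review bot: The two added lines extend a field-by-field scrub of `pr->rule` (`rcv_kif`, `anchor`, `overload_tbl`, now `gcle` and `ruleset`), so every future kernel-only pointer or list entry added to struct pf_rule has to be remembered here, or its kernel address is presumably handed back to the ioctl caller. A comment stating the intent would make that obligation visible, for example `/* Clear kernel-only pointers and list linkage so no kernel addresses reach userland. */`. A single helper that clears all such fields would be sturdier, and any other path that copies a pf_rule out should use it too. This sits inside pfioctl(), which starts and ends outside the hunk.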