authorReyk Floeter <reyk@cvs.openbsd.org>2008-06-10 23:12:37 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2008-06-10 23:12:37 +0000
commit4038ab3e38f456cb864f832d929f72c1747ff2f8 (patch)
treee229ea7cb64f35edb0a9f1917e3cde703c09f719
parent7ee50b3f90920f1b1e1d9ad8cd2898f249ba4f71 (diff)
set the inactivity timeout of redirections to a shorter timeout of 600
seconds by default (pf's default is 86400s), they can be cranked with the "session timeout" directive and it is consistent with relay session timeouts. also remove the hack to modify the closing timeout because pf's sloppy state handling is taking care of half connection closing now.
-rw-r--r--usr.sbin/relayd/pfe_filter.c6
-rw-r--r--usr.sbin/relayd/relayd.conf.57
2 files changed, 6 insertions, 7 deletions
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index 82e8f32e963..f9fb944834c 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.28 2008/06/10 22:02:28 reyk Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.29 2008/06/10 23:12:36 reyk Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -366,10 +366,10 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
/* Use sloppy state handling for half connections */
rio.rule.keep_state = PF_STATE_NORMAL;
rio.rule.rule_flag = PFRULE_STATESLOPPY;
- rio.rule.timeout[PFTM_TCP_CLOSING] =
- rdr->conf.timeout.tv_sec;
}
+ rio.rule.timeout[PFTM_TCP_ESTABLISHED] =
+ rdr->conf.timeout.tv_sec;
rio.ticket = env->sc_pf->pfte[rs].ticket;
if (ioctl(env->sc_pf->dev, DIOCBEGINADDRS, &pio) == -1)
fatal("sync_ruleset: cannot initialise address pool");
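Review bot: The new unconditional assignment to `rio.rule.timeout[PFTM_TCP_ESTABLISHED]` copies `rdr->conf.timeout.tv_sec` into the rule with no range check visible in this hunk. pf treats a zero entry in a rule's timeout table as "use the default", so a zero or unset session timeout would silently bring back the 86400s idle lifetime this commit is meant to shorten, and a negative or oversized `tv_sec` would wrap when narrowed into the rule's timeout field; long-lived idle states are what lets a state table fill up under load. If the config parser does not already bound the value, a guard such as `if (rdr->conf.timeout.tv_sec <= 0) fatal("sync_ruleset: invalid timeout");` before the assignment would make that explicit, otherwise a comment like `/* inactivity timeout, validated by the parser; 0 would fall back to pf's default */` would record the assumption. Only the TCP established timeout is set here, so redirections for other protocols, if any are supported, presumably keep pf's defaults. The body of sync_ruleset starts and ends outside the hunk, so validation elsewhere in the function cannot be ruled out.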
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 81aaf12833c..ec8837c1645 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.85 2008/06/10 22:02:28 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.86 2008/06/10 23:12:36 reyk Exp $
.\"
.\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -439,8 +439,7 @@ Note that the hosts have to accept sessions for the same address as
the gateway, this is typically done by configuring a loopback
interface on the host with this address.
.It Ic session timeout Ar seconds
-Specify the timeout after closing in seconds for routed session
-states.
+Specify the inactivity timeout in seconds for established redirections.
The default timeout is 600 seconds (10 minutes).
.It Ic sticky-address
This has the same effect as specifying sticky-address
@@ -551,7 +550,7 @@ see the
.Sx PROTOCOLS
section below.
.It Ic session timeout Ar seconds
-Specify the timeout in seconds for accepted sessions.
+Specify the inactivity timeout in seconds for accepted sessions.
The default timeout is 600 seconds (10 minutes).
.El
.Sh PROTOCOLS