diff options
| author | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-14 00:16:51 +0000 |
|---|---|---|
| committer | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-14 00:16:51 +0000 |
| commit | 60209ff128ca8e8164d2ece1a0c77a081afbfd78 (patch) | |
| tree | 3365f20e76e577be13c4a22c6b3346e430cf12d6 /sys/net/if_pfsync.c | |
| parent | 930a36719b6849df05a657bab7f55606daea8f0b (diff) | |
enable support for deferring the packet that creates a state so that your
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you're moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
Diffstat (limited to 'sys/net/if_pfsync.c')
| -rw-r--r-- | sys/net/if_pfsync.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index 74255495e7f..15183d08a7e 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.125 2009/06/12 02:03:51 dlg Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.126 2009/06/14 00:16:50 dlg Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -190,6 +190,7 @@ struct pfsync_softc { struct pfsync_upd_reqs sc_upd_req_list; + int sc_defer; struct pfsync_deferrals sc_deferrals; u_int sc_deferred; @@ -1380,6 +1381,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer; pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates; + pfsyncr.pfsyncr_defer = sc->sc_defer; return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))); case SIOCSETPFSYNC: @@ -1402,6 +1404,8 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates; + sc->sc_defer = pfsyncr.pfsyncr_defer; + if (pfsyncr.pfsyncr_syncdev[0] == 0) { sc->sc_sync_if = NULL; if (imo->imo_num_memberships > 0) { @@ -1785,10 +1789,7 @@ pfsync_insert_state(struct pf_state *st) pfsync_q_ins(st, PFSYNC_S_INS); - if (ISSET(st->state_flags, PFSTATE_ACK)) - schednetisr(NETISR_PFSYNC); - else - st->sync_updates = 0; + st->sync_updates = 0; } int defer = 10; @@ -1796,13 +1797,14 @@ int defer = 10; int pfsync_defer(struct pf_state *st, struct mbuf *m) { - return (0); -#ifdef notyet struct pfsync_softc *sc = pfsyncif; struct pfsync_deferral *pd; splsoftassert(IPL_SOFTNET); + if (!sc->sc_defer) + return (0); + if (sc->sc_deferred >= 128) pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); @@ -1821,8 +1823,9 @@ pfsync_defer(struct pf_state *st, struct mbuf *m) timeout_set(&pd->pd_tmo, pfsync_defer_tmo, pd); timeout_add(&pd->pd_tmo, defer); + schednetisr(NETISR_PFSYNC); + return (1); -#endif } void |