author | Henning Brauer <henning@cvs.openbsd.org> | 2009-12-14 12:31:46 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2009-12-14 12:31:46 +0000 |
commit | 4f35e8f6a0e5a588652214cff0b402cdcddff9ad (patch) | |
tree | 2719c4331751ddb27b59edea2b6165cf3f0b5513 /sys/net/pfvar.h | |
parent | 05813d26aa0af17535ea41acf9b69bfc2f3feefa (diff) |
fix sticky-address - by pretty much re-implementing it. still following
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
Diffstat (limited to 'sys/net/pfvar.h')
-rw-r--r-- | sys/net/pfvar.h | 60 |
1 files changed, 38 insertions, 22 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 1bd5304a288..0be8bd29c10 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.301 2009/11/24 13:23:55 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.302 2009/12/14 12:31:45 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -658,23 +658,32 @@ struct pf_rule_item {
 
 SLIST_HEAD(pf_rule_slist, pf_rule_item);
 
+enum pf_sn_types { PF_SN_NONE, PF_SN_NAT, PF_SN_RDR, PF_SN_ROUTE, PF_SN_MAX };
+
 struct pf_src_node {
- RB_ENTRY(pf_src_node) entry;
- struct pf_addr addr;
- struct pf_addr raddr;
- union pf_rule_ptr rule;
- struct pfi_kif *kif;
- u_int64_t bytes[2];
- u_int64_t packets[2];
- u_int32_t states;
- u_int32_t conn;
- struct pf_threshold conn_rate;
- u_int32_t creation;
- u_int32_t expire;
- sa_family_t af;
- u_int8_t ruletype;
+ RB_ENTRY(pf_src_node) entry;
+ struct pf_addr addr;
+ struct pf_addr raddr;
+ union pf_rule_ptr rule;
+ struct pfi_kif *kif;
+ u_int64_t bytes[2];
+ u_int64_t packets[2];
+ u_int32_t states;
+ u_int32_t conn;
+ struct pf_threshold conn_rate;
+ u_int32_t creation;
+ u_int32_t expire;
+ sa_family_t af;
+ u_int8_t type;
 };
 
+struct pf_sn_item {
+ SLIST_ENTRY(pf_sn_item) next;
+ struct pf_src_node *sn;
+};
+
+SLIST_HEAD(pf_sn_head, pf_sn_item);
+
 #define PFSNODE_HIWAT 10000 /* default source node table size */
 
 struct pf_state_scrub {
@@ -766,10 +775,10 @@ struct pf_state {
 union pf_rule_ptr rule;
 union pf_rule_ptr anchor;
 struct pf_addr rt_addr;
+ struct pf_sn_head src_nodes;
 struct pf_state_key *key[2]; /* addresses stack and wire */
 struct pfi_kif *kif;
 struct pfi_kif *rt_kif;
- struct pf_src_node *src_node;
 u_int64_t packets[2];
 u_int64_t bytes[2];
 u_int32_t creation;
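Review bot: `u_int8_t type;` in pf_src_node now carries an `enum pf_sn_types` value, but nothing in the header ties the field width to the enum and the field is undocumented, while the replaced `ruletype` occupied the same slot with a different meaning. If pf_src_node is still the record copied out to userland unchanged (pfctl -s sources), an older pfctl would read a PF_SN_* value where it expected the old byte; that is not visible here, so please confirm the pfctl side moves with this commit. I would annotate the field, `u_int8_t type; /* enum pf_sn_types, < PF_SN_MAX */`, and put a one-line comment above the enum stating that it names why a state references a source node (nat, rdr or route-to sticky-address, per the commit message).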
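Review bot: `struct pf_sn_head src_nodes;` replaces a single pointer with a list head, so every path that builds a pf_state must now SLIST_INIT it and every teardown must walk and free the pf_sn_item entries in addition to dropping the node references; if states are also created outside the rule-matching path (state import or sync), those paths need the same initialisation. None of that is visible in this hunk, so I am assuming pf.c covers both. A comment on the field would make the contract explicit: `struct pf_sn_head src_nodes; /* pf_sn_item list; SLIST_INIT on create, released with the state */`. struct pf_state begins before and ends after this hunk.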
@@ -1649,7 +1658,7 @@ extern int pf_tbladdr_setup(struct pf_ruleset *,
 extern void pf_tbladdr_remove(struct pf_addr_wrap *);
 extern void pf_tbladdr_copyout(struct pf_addr_wrap *);
 extern void pf_calc_skip_steps(struct pf_rulequeue *);
-extern struct pool pf_src_tree_pl, pf_rule_pl;
+extern struct pool pf_src_tree_pl, pf_sn_item_pl, pf_rule_pl;
 extern struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl,
 pf_altq_pl, pf_pooladdr_pl, pf_rule_item_pl;
 extern struct pool pf_state_scrub_pl;
@@ -1662,10 +1671,17 @@ extern int pf_state_insert(struct pfi_kif *,
 struct pf_state_key *,
 struct pf_state_key *,
 struct pf_state *);
-extern int pf_insert_src_node(struct pf_src_node **,
- struct pf_rule *, struct pf_addr *,
- sa_family_t);
+int pf_insert_src_node(struct pf_src_node **,
+ struct pf_rule *, enum pf_sn_types,
+ sa_family_t, struct pf_addr *,
+ struct pf_addr *, int);
+void pf_remove_src_node(struct pf_src_node *);
+struct pf_src_node *pf_get_src_node(struct pf_state *,
+ enum pf_sn_types);
 void pf_src_tree_remove_state(struct pf_state *);
+void pf_state_rm_src_node(struct pf_state *,
+ struct pf_src_node *);
+
 extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *);
 extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *,
 u_int, int *);
@@ -1870,12 +1886,12 @@ int pf_step_out_of_anchor(int *, struct pf_ruleset **,
 int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *,
 struct pf_addr *, u_int16_t *, struct pf_addr *,
- u_int16_t *);
+ u_int16_t *, struct pf_src_node **);
 int pf_map_addr(sa_family_t, struct pf_rule *,
 struct pf_addr *, struct pf_addr *,
 struct pf_addr *, struct pf_src_node **,
- struct pf_pool *);
+ struct pf_pool *, enum pf_sn_types);
 int pf_state_key_setup(struct pf_pdesc *,
 struct pf_state_key **, struct pf_state_key **,
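Review bot: The new `pf_insert_src_node` prototype takes two unnamed `struct pf_addr *` and a trailing bare `int`, so a caller cannot tell from the header which address is the tracked source and which the replacement, nor what the int selects; since this file drops parameter names in prototypes, the only place for that is a comment. I would add a short comment above the declaration naming the positions, presumably (node out, rule, type, af, source address, translated address, flag) mirroring pf_src_node's addr/raddr fields, but that is inferred from the field names and should be confirmed against pf.c. Likewise `pf_remove_src_node` and `pf_state_rm_src_node` differ by one word; a one-line comment on each saying which unlinks an item from a state and which tears the node out of the tree would prevent the two being confused.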