author | David Gwynne <dlg@cvs.openbsd.org> | 2011-11-25 12:52:11 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2011-11-25 12:52:11 +0000 |
commit | 2c2ac65534ab77b6acd99df373626b6b4a2a125c (patch) | |
tree | c27e27281c86b724ab57024b8fc7dc4444c72bdc /sys/net | |
parent | 816430ab77740cb24cdc5ad3f2f39b80d654ed9c (diff) |
use time_uptime to set state creation values as time_second can be
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/if_pflow.c | 4 | ||||
-rw-r--r-- | sys/net/if_pfsync.c | 6 | ||||
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 4 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 4 |
5 files changed, 12 insertions, 12 deletions
diff --git a/sys/net/if_pflow.c b/sys/net/if_pflow.c
index 89c39106fb7..9524609c18d 100644
--- a/sys/net/if_pflow.c
+++ b/sys/net/if_pflow.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflow.c,v 1.17 2011/07/09 04:11:15 dhill Exp $ */
+/* $OpenBSD: if_pflow.c,v 1.18 2011/11/25 12:52:10 dlg Exp $ */
/*
* Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
@@ -359,7 +359,7 @@ copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2,
flow2->flow_octets = htonl(st->bytes[1]);
flow1->flow_start = flow2->flow_start =
- htonl((st->creation - (time_second - time_uptime)) * 1000);
+ htonl(st->creation * 1000);
flow1->flow_finish = flow2->flow_finish =
htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ?
st->rule.ptr->timeout[st->timeout] :
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 660a60f68c9..fad21969a58 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.174 2011/11/16 11:59:28 mikeb Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.175 2011/11/25 12:52:10 dlg Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -441,7 +441,7 @@ pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
/* copy from state */
strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
- sp->creation = htonl(time_second - st->creation);
+ sp->creation = htonl(time_uptime - st->creation);
sp->expire = pf_state_expires(st);
if (sp->expire <= time_second)
sp->expire = htonl(0);
@@ -589,7 +589,7 @@ pfsync_state_import(struct pfsync_state *sp, int flags)
/* copy to state */
bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
- st->creation = time_second - ntohl(sp->creation);
+ st->creation = time_uptime - ntohl(sp->creation);
st->expire = time_second;
if (sp->expire) {
u_int32_t timeout;
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6e7bb67797a..9d46baaa90f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
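Review bot: In copy_flow_data, `st->creation` is now read as seconds of uptime with no comment saying so, and the removed `time_second - time_uptime` correction was the only hint about which clock the field used. A one-line comment above the assignment would record it, for example `/* st->creation is in time_uptime seconds; flow_start is exported in ms */`. The product is passed through `htonl`, so it is presumably reduced to 32 bits and wraps after roughly 49.7 days of uptime; that was already the case before this change, but the same comment could state it. The function body starts and ends outside the hunk.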
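Review bot: The line right after the change in pfsync_state_export, `if (sp->expire <= time_second)`, still compares on the wall clock, so the function now mixes two time bases: creation on `time_uptime`, expiry on `time_second`. The concern in the commit message (date(1) or ntpd stepping the clock) therefore still applies to state expiry, which is the value that decides how long a firewall state stays alive. The same split is visible in pfsync_state_import (`st->expire = time_second;`), pf_create_state (`s->expire = time_second;`) and pfioctl (`pstore->expire > secs`, where `secs` is defined outside the hunk). If converting expiry is left for a follow-up, a comment such as `/* XXX expire is still time_second based */` at these sites would keep the split visible.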
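Review bot: In pfsync_state_import, `ntohl(sp->creation)` is an age supplied by the pfsync peer, and nothing in the hunk bounds it against the local `time_uptime` before subtracting. With `time_second` the minuend was always far larger than any plausible age; with uptime, a node that has just booted and imports states older than its own uptime (or receives a malformed update) computes a wrapped or negative `st->creation`, depending on the field's type, which is not visible here. Readers such as `st->creation * 1000` in copy_flow_data and the `TS_MAX_CONN` comparison in pf_normalize_tcp_stateful would then work from a bogus value. Clamping would avoid it, e.g. `age = ntohl(sp->creation);` followed by `st->creation = (age < time_uptime) ? time_uptime - age : 0;`, with `age` a new u_int32_t local. The function body starts and ends outside the hunk.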
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.785 2011/10/21 09:21:44 mikeb Exp $ */
+/* $OpenBSD: pf.c,v 1.786 2011/11/25 12:52:10 dlg Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -567,7 +567,7 @@ pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
pool_put(&pf_src_tree_pl, *sn);
return (-1);
}
- (*sn)->creation = time_second;
+ (*sn)->creation = time_uptime;
if ((*sn)->rule.ptr != NULL)
(*sn)->rule.ptr->src_nodes++;
pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
@@ -3641,7 +3641,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
s->timeout = PFTM_OTHER_FIRST_PACKET;
}
- s->creation = time_second;
+ s->creation = time_uptime;
s->expire = time_second;
if (pd->proto == IPPROTO_TCP) {
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 2392481a84d..88e667244bc 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.244 2011/10/13 18:23:40 claudio Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.245 2011/11/25 12:52:10 dlg Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2338,7 +2338,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
bcopy(n, pstore, sizeof(*pstore));
if (n->rule.ptr != NULL)
pstore->rule.nr = n->rule.ptr->nr;
- pstore->creation = secs - pstore->creation;
+ pstore->creation = time_uptime - pstore->creation;
if (pstore->expire > secs)
pstore->expire -= secs;
else
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index a5ed6ce43e4..30b2d69b1cb 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.146 2011/09/28 17:15:45 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.147 2011/11/25 12:52:10 dlg Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1102,7 +1102,7 @@ pf_normalize_tcp_stateful(struct pf_pdesc *pd, u_short *reason,
getmicrouptime(&uptime);
if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) &&
(uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE ||
- time_second - state->creation > TS_MAX_CONN)) {
+ time_uptime - state->creation > TS_MAX_CONN)) {
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE, "pf: src idled out of PAWS ");
pf_print_state(state);
|
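Review bot: The new operand reads the global `time_uptime`, while the first half of the same condition uses the local `uptime.tv_sec` filled by `getmicrouptime(&uptime)` two lines above, so one expression samples the uptime clock twice. Using the snapshot for both keeps the test on a single reading: `uptime.tv_sec - state->creation > TS_MAX_CONN)) {`. Judging by the log message, this condition decides when a peer is treated as having idled out of PAWS, so it also relies on `state->creation` holding a valid uptime value for states created elsewhere, for example those imported via pfsync. The function body starts and ends outside the hunk.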