pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

1 files changed, 11 insertions, 1 deletions

diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 7009e45b1a9..625cef392b1 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ipsp.c,v 1.174 2008/10/22 23:04:45 mpf Exp $	*/
+/*	$OpenBSD: ip_ipsp.c,v 1.175 2009/02/16 00:31:25 dlg Exp $	*/
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -38,6 +38,7 @@
  */
 
 #include "pf.h"
+#include "pfsync.h"
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
@@ -52,6 +53,10 @@
 #include <net/pfvar.h>
 #endif
 
+#if NPFSYNC > 0
+#include <net/if_pfsync.h>
+#endif
+
 #ifdef INET
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -789,6 +794,11 @@ tdb_free(struct tdb *tdbp)
 		tdbp->tdb_xform = NULL;
 	}
 
+#if NPFSYNC > 0
+	/* Cleanup pfsync references */
+	pfsync_delete_tdb(tdbp);
+#endif
+
 	/* Cleanup inp references. */
 	for (inp = TAILQ_FIRST(&tdbp->tdb_inp_in); inp;
 	    inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) {