author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-05-28 02:04:16 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-05-28 02:04:16 +0000 |
commit | 1c0c7dd860780ae17bd8ea82bff30b6c35a586e0 (patch) | |
tree | a6a15178260c3fdd0a0571f0b4b6ccfd01f2d257 /sys | |
parent | 7e12d8bf8633f87688e8a0c2941545054434766c (diff) |
Only preemptively increase the replay counter for outbound TDBs.
Another ipsec failover fix from nathanael at polymorpheus dot com.
ok hshoexer@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_pfsync.c | 43 | ||||
-rw-r--r-- | sys/net/if_pfsync.h | 4 | ||||
-rw-r--r-- | sys/netinet/ip_ah.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 6 |
4 files changed, 30 insertions, 29 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 7f907254a71..9f43fc4be85 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.64 2006/05/13 05:23:45 mcbride Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.65 2006/05/28 02:04:15 mcbride Exp $ */
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -1548,24 +1548,7 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt)
 	s = spltdb();
 	tdb = gettdb(pt->spi, &pt->dst, pt->sproto);
 	if (tdb) {
-		/*
-		 * When a failover happens, the master's rpl is probably above
-		 * what we see here (we may be up to a second late), so
-		 * increase it a bit to manage most such situations.
-		 *
-		 * For now, just add an offset that is likely to be larger
-		 * than the number of packets we can see in one second. The RFC
-		 * just says the next packet must have a higher seq value.
-		 *
-		 * XXX What is a good algorithm for this? We could use
-		 * a rate-determined increase, but to know it, we would have
-		 * to extend struct tdb.
-		 * XXX pt->rpl can wrap over MAXINT, but if so the real tdb
-		 * will soon be replaced anyway. For now, just don't handle
-		 * this edge case.
-		 */
-#define RPL_INCR 16384
-		pt->rpl = ntohl(pt->rpl) + RPL_INCR;
+		pt->rpl = ntohl(pt->rpl);
 		pt->cur_bytes = betoh64(pt->cur_bytes);
 		/* Neither replay nor byte counter should ever decrease. */
@@ -1591,7 +1574,7 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt)
 /* One of our local tdbs have been updated, need to sync rpl with others */
 int
-pfsync_update_tdb(struct tdb *tdb)
+pfsync_update_tdb(struct tdb *tdb, int output)
 {
 	struct ifnet *ifp = &pfsyncif.sc_if;
 	struct pfsync_softc *sc = ifp->if_softc;
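Review bot: The hunk in pfsync_update_net_tdb removes the long rationale comment together with the offset but leaves no explanation of why the received rpl is now taken verbatim, so the next reader sees a bare `pt->rpl = ntohl(pt->rpl);` and may be tempted to reintroduce the bump here. A one-line replacement would preserve the reasoning, e.g. `/* Take rpl as-is: the failover offset is applied on the sending side, and only for outbound tdbs (see pfsync_update_tdb). */`. As far as this hunk shows, only rpl and cur_bytes are carried for a tdb, so the replay bitmap passed to the input-side replay check in ip_ah.c/ip_esp.c is presumably not synced; if that is right, a short note that an inbound tdb's window state after failover is only as current as the last sync would help whoever tunes this later. pfsync_update_net_tdb begins and ends outside the hunk.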
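Review bot: The new `output` parameter of pfsync_update_tdb is undocumented at the definition, and its only existing description is the commit message, which will not be visible to someone reading the function. The header comment above the function should say what the flag selects, e.g. extend it to `/* One of our local tdbs have been updated, need to sync rpl with others. output is nonzero when called from the output path; only those tdbs get the preemptive rpl offset. */`. Naming the argument in the prototype in if_pfsync.h (`int pfsync_update_tdb(struct tdb *, int output);`) would carry the same hint to callers. pfsync_update_tdb's body continues outside the hunk.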
@@ -1667,7 +1650,25 @@ pfsync_update_tdb(struct tdb *tdb)
 		pt->sproto = tdb->tdb_sproto;
 	}
-	pt->rpl = htonl(tdb->tdb_rpl);
+	/*
+	 * When a failover happens, the master's rpl is probably above
+	 * what we see here (we may be up to a second late), so
+	 * increase it a bit for outbound tdbs to manage most such
+	 * situations.
+	 *
+	 * For now, just add an offset that is likely to be larger
+	 * than the number of packets we can see in one second. The RFC
+	 * just says the next packet must have a higher seq value.
+	 *
+	 * XXX What is a good algorithm for this? We could use
+	 * a rate-determined increase, but to know it, we would have
+	 * to extend struct tdb.
+	 * XXX pt->rpl can wrap over MAXINT, but if so the real tdb
+	 * will soon be replaced anyway. For now, just don't handle
+	 * this edge case.
+	 */
+#define RPL_INCR 16384
+	pt->rpl = htonl(tdb->tdb_rpl + (output ? RPL_INCR : 0));
 	pt->cur_bytes = htobe64(tdb->tdb_cur_bytes);
 	if (h->count == sc->sc_maxcount ||
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index 62902ddc1dc..46459655d75 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.28 2005/11/04 08:24:14 mcbride Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.29 2006/05/28 02:04:15 mcbride Exp $ */
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -330,7 +330,7 @@ int pfsync_pack_state(u_int8_t, struct pf_state *, int);
 		pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
 		    PFSYNC_FLAG_COMPRESS); \
 	} while (0)
-int pfsync_update_tdb(struct tdb *);
+int pfsync_update_tdb(struct tdb *, int);
 #endif
 #endif /* _NET_IF_PFSYNC_H_ */
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 58b2ae3c5af..d53ac8078f3 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.84 2006/03/25 22:41:48 djm Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.85 2006/05/28 02:04:15 mcbride Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
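Review bot: `#define RPL_INCR 16384` is placed in the middle of pfsync_update_tdb's body, and since a macro is not scoped it quietly stays defined for the rest of the translation unit while looking like a local; the moved comment and the constant would be easier to find at file scope, `#define RPL_INCR 16384 /* failover rpl headroom for outbound tdbs */`, with the body keeping only `pt->rpl = htonl(tdb->tdb_rpl + (output ? RPL_INCR : 0));`. The relocated comment still says "pt->rpl can wrap over MAXINT", but the addition now happens on `tdb->tdb_rpl` before htonl, so the sentence should name that operand; wrap-around of an unsigned counter is well defined, which is worth stating so nobody reads it as a UB warning. The hunk shows `output` being used only as a boolean, so a comment at the call site noting that inbound tdbs (output == 0) deliberately advertise the exact counter would close the loop with the commit message. pfsync_update_tdb begins before and continues after this hunk.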
@@ -814,7 +814,7 @@ ah_input_cb(void *op)
 	    tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
 	case 0: /* All's well. */
 #if NPFSYNC > 0
-		pfsync_update_tdb(tdb);
+		pfsync_update_tdb(tdb,0);
 #endif
 		break;
@@ -1105,7 +1105,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
 		ah->ah_rpl = htonl(tdb->tdb_rpl++);
 #if NPFSYNC > 0
-		pfsync_update_tdb(tdb);
+		pfsync_update_tdb(tdb,1);
 #endif
 	}
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 40643e1ffb4..02558d2744d 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.97 2006/03/25 22:41:48 djm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.98 2006/05/28 02:04:15 mcbride Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -588,7 +588,7 @@ esp_input_cb(void *op)
 	    tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
 	case 0: /* All's well */
 #if NPFSYNC > 0
-		pfsync_update_tdb(tdb);
+		pfsync_update_tdb(tdb,0);
 #endif
 		break;
@@ -884,7 +884,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 		bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t), sizeof(u_int32_t));
 #if NPFSYNC > 0
-		pfsync_update_tdb(tdb);
+		pfsync_update_tdb(tdb,1);
 #endif
 	}
|
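Review bot: All four new call sites pass the flag as a bare literal with no space after the comma (`pfsync_update_tdb(tdb,0);` in ah_input_cb and esp_input_cb, `pfsync_update_tdb(tdb,1);` in ah_output and esp_output), which is both a style(9) deviation and a readability loss, since nothing at the call tells the reader what 0 and 1 mean. At minimum write `pfsync_update_tdb(tdb, 0);` and `pfsync_update_tdb(tdb, 1);`; better, give the input-side calls a trailing comment such as `/* inbound: advertise the exact rpl, no failover offset */` so the asymmetry the commit introduces is visible where it matters. In ah_output and esp_output the call is made after the counter has already been consumed for this packet, which is fine but worth a word in the same comment. The enclosing functions start and end outside these hunks.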