author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2004-12-07 10:33:42 +0000 |
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2004-12-07 10:33:42 +0000 |
commit | 8093c48d60266b935803115416eb9ad49c87f636 (patch) | |
tree | 4cf8af10ff0f568f0c01dea07ce9dbaa47efa53f /sys | |
parent | d3e5801134e0a112c5a1676e2a6872980913f2e7 (diff) |
re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 15 | ||||
-rw-r--r-- | sys/net/pfvar.h | 7 |
2 files changed, 14 insertions, 8 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 507a30a3a15..9cc42939eaf 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.469 2004/12/07 09:36:16 deraadt Exp $ */
+/* $OpenBSD: pf.c,v 1.470 2004/12/07 10:33:41 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -682,14 +682,14 @@ pf_src_connlimit(struct pf_state **state)
 &p, time_second);
 /* kill existing states if that's required. */
- if ((*state)->rule.ptr->rule_flag & PFRULE_SRCTRACK_FLUSH) {
+ if ((*state)->rule.ptr->flush) {
 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
 RB_FOREACH(s, pf_state_tree_id, &tree_id) {
 /*
- * Kill all states from this source.
- *
- * XXX Kill states _to_ the source?
+ * Kill states from this source. (Only those
+ * from the same rule if PF_FLUSH_GLOBAL is not
+ * set)
 */
 if (s->af == (*state)->af &&
 (((*state)->direction == PF_OUT &&
@@ -697,7 +697,10 @@ pf_src_connlimit(struct pf_state **state)
 &s->lan.addr, s->af)) ||
 ((*state)->direction == PF_IN &&
 PF_AEQ(&(*state)->src_node->addr,
- &s->ext.addr, s->af)))) {
+ &s->ext.addr, s->af))) &&
+ ((*state)->rule.ptr->flush &
+ PF_FLUSH_GLOBAL ||
+ (*state)->rule.ptr == s->rule.ptr)) {
 s->timeout = PFTM_PURGE;
 s->src.state = s->dst.state = TCPS_CLOSED;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index a87417c4631..32718dda6c8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.207 2004/12/07 09:36:16 deraadt Exp $ */
+/* $OpenBSD: pfvar.h,v 1.208 2004/12/07 10:33:41 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -537,6 +537,10 @@ struct pf_rule {
 u_int8_t tos;
 u_int8_t anchor_relative;
 u_int8_t anchor_wildcard;
+
+#define PF_FLUSH 0x01
+#define PF_FLUSH_GLOBAL 0x02
+ u_int8_t flush;
 };
 /* rule flags */
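Review bot: In the -682 hunk, `if ((*state)->rule.ptr->flush)` tests the whole byte, so a rule whose flush field carries only PF_FLUSH_GLOBAL (0x02) without PF_FLUSH (0x01) enters the flush path as well. If userland is expected to always set PF_FLUSH alongside PF_FLUSH_GLOBAL that is fine, but the comment above should say so, e.g. `/* kill existing states if that's required (flush has PF_FLUSH and/or PF_FLUSH_GLOBAL set). */`; otherwise testing `(*state)->rule.ptr->flush & PF_FLUSH` makes the intended encoding explicit. pf_src_connlimit begins and ends outside this hunk.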
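Review bot: The sub-condition added in the -697 hunk, `(*state)->rule.ptr->flush & PF_FLUSH_GLOBAL || (*state)->rule.ptr == s->rule.ptr`, relies on `&` binding tighter than `||`; that is correct, but a bitwise test left unparenthesized inside a logical-or is exactly the shape that gets misread later, so I would write it as `(((*state)->rule.ptr->flush & PF_FLUSH_GLOBAL) ||` / `(*state)->rule.ptr == s->rule.ptr)) {`. Worth stating near the new comment in the -682 hunk that with PF_FLUSH_GLOBAL one rule's overload threshold tears down states created by every other rule for that source, including rules that carry no overload setting of their own, since that widens the effect of a single rule's limit beyond that rule; the diffstat is limited to sys, so I cannot tell from here whether the user-facing documentation of the option says this. The enclosing if-condition starts in the previous hunk and pf_src_connlimit continues past this one.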
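Review bot: The new `u_int8_t flush;` member of struct pf_rule in the -537 hunk has no comment, and its two `#define`s sit between struct members rather than in the `/* rule flags */` block that follows; a one-liner such as `u_int8_t flush; /* PF_FLUSH / PF_FLUSH_GLOBAL: kill src states on overload */` would tie the field to its use in pf_src_connlimit. As I understand it struct pf_rule is passed across the kernel/userland boundary, so this layout change requires kernel and userland built from matching headers; the description says both were rebuilt, which is the right check, and a note to that effect in the log would help anyone bisecting later. struct pf_rule starts before this hunk.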
@@ -548,7 +552,6 @@ struct pf_rule {
 #define PFRULE_NOSYNC 0x0010
 #define PFRULE_SRCTRACK 0x0020 /* track source states */
 #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
-#define PFRULE_SRCTRACK_FLUSH 0x0080 /* flush for src_node->open_states */
 /* scrub flags */
 #define PFRULE_NODF 0x0100 |