author | Joel Knight <joel@cvs.openbsd.org> | 2005-08-11 05:09:31 +0000 |
---|---|---|
committer | Joel Knight <joel@cvs.openbsd.org> | 2005-08-11 05:09:31 +0000 |
commit | e905b550c263d54bb85997afb6286a06d1ec3722 (patch) | |
tree | 20422c923b64dedb5352423c6b5d9669cd9e2dec /sys | |
parent | 421f4ee9d25312f7ce5c7ecafa854b169634f1be (diff) |
Only decrement the max-src-conn counter for tcp connections that reached
"established" state. Requires recompiling pfctl, etc.
ok dhartmei@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
2 files changed, 6 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index c708d25af91..178f80269c7 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.498 2005/07/31 05:20:56 pascoe Exp $ */
+/* $OpenBSD: pf.c,v 1.499 2005/08/11 05:09:29 joel Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -634,6 +634,7 @@ pf_src_connlimit(struct pf_state **state)
 int bad = 0;
 
 (*state)->src_node->conn++;
+ (*state)->src.tcp_est = 1;
 pf_add_threshold(&(*state)->src_node->conn_rate);
 
 if ((*state)->rule.ptr->max_src_conn &&
@@ -940,8 +941,7 @@ pf_src_tree_remove_state(struct pf_state *s)
 
 if (s->src_node != NULL) {
 if (s->proto == IPPROTO_TCP) {
- if (s->src.state == PF_TCPS_PROXY_DST ||
- s->timeout >= PFTM_TCP_ESTABLISHED)
+ if (s->src.tcp_est)
 --s->src_node->conn;
 }
 if (--s->src_node->states <= 0) {
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0ed3b1ae83d..73bbc1610ef 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.227 2005/08/02 12:40:42 pascoe Exp $ */
+/* $OpenBSD: pfvar.h,v 1.228 2005/08/11 05:09:30 joel Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -666,7 +666,9 @@ struct pf_state_peer {
 u_int8_t state; /* active state level */
 u_int8_t wscale; /* window scaling factor */
 u_int16_t mss; /* Maximum segment size option */
+ u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */
 struct pf_state_scrub *scrub; /* state is scrubbed */
+ u_int8_t pad[3];
 };
 
 TAILQ_HEAD(pf_state_queue, pf_state); |
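Review bot: The decrement in pf_src_tree_remove_state() now hinges on `s->src.tcp_est` being zero for every freshly created state and being set only on the `conn++` path in pf_src_connlimit(); nothing in either pf.c hunk clears the field, so correctness rests on pf_state being zero-filled at allocation, which is outside this diff and worth confirming. If a state ever starts with a stale non-zero byte, `conn` is decremented for a connection that was never counted and the limit drifts below the true count; if the flag is missed, the max-src-conn slot is held until the source node itself expires, which turns the limit into a self-inflicted denial of service for that source. Since the increment and the flag are now set side by side, a one-line comment on the new condition would make the pairing explicit for the next maintainer: `/* tcp_est is set in pf_src_connlimit() together with the conn++ it pairs with */`. Both pf_src_connlimit() and pf_src_tree_remove_state() continue outside their hunks.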
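Review bot: In the struct pf_state_peer hunk the explicit `pad[3]` is placed after the `*scrub` pointer rather than directly after the new `tcp_est` byte, so the compiler still inserts implicit padding between `tcp_est` and the pointer (three bytes on both 32- and 64-bit targets) and again after `pad[3]`; if the point of `pad` is a fully explicit, arch-stable layout for the pfctl ABI the commit message says it changes, `u_int8_t pad[3];` should follow `tcp_est` immediately so the two fill the four bytes before the pointer with no hidden holes. Implicit padding in a structure that crosses into userland is also the usual place uninitialized kernel bytes leak out, so explicit, zero-filled space is the safer shape — whether this struct is copied out verbatim is not visible here. The field comment would read better as a statement of what the flag means: `/* set once the TCP connection reached ESTABLISHED */`. The earlier members of struct pf_state_peer are outside the hunk.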