-rw-r--r-- | sbin/pfctl/pfctl.c | 24 | ||||
-rw-r--r-- | sys/net/pf.c | 9 | ||||
-rw-r--r-- | sys/net/pf_table.c | 22 | ||||
-rw-r--r-- | sys/net/pfvar.h | 8 |
4 files changed, 34 insertions, 29 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index f65c816d9d1..c2038a72576 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.237 2005/05/22 21:05:23 mpf Exp $ */
+/* $OpenBSD: pfctl.c,v 1.238 2005/05/23 23:28:53 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -114,10 +114,12 @@ static const struct {
 const char *name;
 int index;
 } pf_limits[] = {
- { "states", PF_LIMIT_STATES },
- { "src-nodes", PF_LIMIT_SRC_NODES },
- { "frags", PF_LIMIT_FRAGS },
- { NULL, 0 }
+ { "states", PF_LIMIT_STATES },
+ { "src-nodes", PF_LIMIT_SRC_NODES },
+ { "frags", PF_LIMIT_FRAGS },
+ { "tables", PF_LIMIT_TABLES },
+ { "table-entries", PF_LIMIT_TABLE_ENTRIES },
+ { NULL, 0 }
 };
 
 struct pf_hint {
@@ -879,11 +881,11 @@ pfctl_show_limits(int dev, int opts)
 pl.index = pf_limits[i].index;
 if (ioctl(dev, DIOCGETLIMIT, &pl))
 err(1, "DIOCGETLIMIT");
- printf("%-10s ", pf_limits[i].name);
+ printf("%-13s ", pf_limits[i].name);
 if (pl.limit == UINT_MAX)
 printf("unlimited\n");
 else
- printf("hard limit %6u\n", pl.limit);
+ printf("hard limit %8u\n", pl.limit);
 }
 return (0);
 }
@@ -1202,9 +1204,11 @@ pfctl_init_options(struct pfctl *pf)
 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
 
- pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
- pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
- pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
+ pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
+ pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
+ pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
+ pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
+ pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
 
 pf->debug = PF_DEBUG_URGENT;
 }
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 86c220cd25e..8dea6c47aca 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
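Review bot: In pfctl_show_limits the new field width `%-13s` is sized exactly to "table-entries", the longest name now in pf_limits[], so the next name added to that table will break the column alignment again, just as this change from `%-10s` had to repair it. Deriving the width from pf_limits[] once before the loop, or at least marking the coupling with `/* %-13s: width of the longest pf_limits[].name */`, keeps the two in step. The same implicit coupling exists in pfctl_init_options, whose default values must match pf_pool_limits[] in sys/net/pf.c entry for entry; a comment there pointing at the kernel table would help the next person who adds a limit.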
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.489 2005/05/21 21:03:57 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.490 2005/05/23 23:28:53 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -218,10 +218,15 @@ struct pf_state *pf_find_state_recurse(struct pfi_kif *,
 int pf_src_connlimit(struct pf_state **);
 int pf_check_congestion(struct ifqueue *);
 
+extern struct pool pfr_ktable_pl;
+extern struct pool pfr_kentry_pl;
+
 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
 { &pf_state_pl, PFSTATE_HIWAT },
 { &pf_src_tree_pl, PFSNODE_HIWAT },
- { &pf_frent_pl, PFFRAG_FRENT_HIWAT }
+ { &pf_frent_pl, PFFRAG_FRENT_HIWAT },
+ { &pfr_ktable_pl, PFR_KTABLE_HIWAT },
+ { &pfr_kentry_pl, PFR_KENTRY_HIWAT }
 };
 
 #define STATE_LOOKUP() \
diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c
index f456dc9e1c4..0bb46dfc021 100644
--- a/sys/net/pf_table.c
+++ b/sys/net/pf_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_table.c,v 1.63 2005/05/23 20:47:02 henning Exp $ */
+/* $OpenBSD: pf_table.c,v 1.64 2005/05/23 23:28:53 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2002 Cedric Berger
@@ -125,7 +125,6 @@ struct pfr_walktree {
 
 struct pool pfr_ktable_pl;
 struct pool pfr_kentry_pl;
-struct pool pfr_kentry_pl2;
 struct sockaddr_in pfr_sin;
 struct sockaddr_in6 pfr_sin6;
 union sockaddr_union pfr_mask;
@@ -189,11 +188,9 @@ void
 pfr_initialize(void)
 {
 pool_init(&pfr_ktable_pl, sizeof(struct pfr_ktable), 0, 0, 0,
- "pfrktable", &pool_allocator_oldnointr);
+ "pfrktable", NULL);
 pool_init(&pfr_kentry_pl, sizeof(struct pfr_kentry), 0, 0, 0,
- "pfrkentry", &pool_allocator_oldnointr);
- pool_init(&pfr_kentry_pl2, sizeof(struct pfr_kentry), 0, 0, 0,
- "pfrkentry2", NULL);
+ "pfrkentry", NULL);
 
 pfr_sin.sin_len = sizeof(pfr_sin);
 pfr_sin.sin_family = AF_INET;
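Review bot: pf_pool_limits[] in pf.c is indexed by the PF_LIMIT_* enum from pfvar.h but initialised positionally, so the two entries added to it are only correct as long as PF_LIMIT_TABLES and PF_LIMIT_TABLE_ENTRIES stay declared in exactly this order before PF_LIMIT_MAX. Designated initialisers such as `[PF_LIMIT_TABLES] = { &pfr_ktable_pl, PFR_KTABLE_HIWAT },` and `[PF_LIMIT_TABLE_ENTRIES] = { &pfr_kentry_pl, PFR_KENTRY_HIWAT },` would make the mapping explicit and let the compiler catch a later reordering of the enum. The two `extern struct pool` lines added above the table duplicate the definitions in pf_table.c without a shared declaration; placing them in pfvar.h next to the PF_LIMIT enum, where the compiler sees both definition and declaration, avoids a silent type mismatch if either file changes.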
@@ -796,10 +793,8 @@ pfr_create_kentry(struct pfr_addr *ad, int intr)
 {
 struct pfr_kentry *ke;
 
- if (intr)
- ke = pool_get(&pfr_kentry_pl2, PR_NOWAIT);
- else
- ke = pool_get(&pfr_kentry_pl, PR_NOWAIT);
+ ke = pool_get(&pfr_kentry_pl, intr ? PR_NOWAIT :
+ (PR_WAITOK | PR_LIMITFAIL));
 if (ke == NULL)
 return (NULL);
 bzero(ke, sizeof(*ke));
@@ -829,10 +824,7 @@ pfr_destroy_kentries(struct pfr_kentryworkq *workq)
 void
 pfr_destroy_kentry(struct pfr_kentry *ke)
 {
- if (ke->pfrke_intrpool)
- pool_put(&pfr_kentry_pl2, ke);
- else
- pool_put(&pfr_kentry_pl, ke);
+ pool_put(&pfr_kentry_pl, ke);
 }
 
 void
@@ -1875,7 +1867,7 @@ pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
 struct pfr_ktable *kt;
 struct pf_ruleset *rs;
 
- kt = pool_get(&pfr_ktable_pl, PR_NOWAIT);
+ kt = pool_get(&pfr_ktable_pl, PR_WAITOK | PR_LIMITFAIL);
 if (kt == NULL)
 return (NULL);
 bzero(kt, sizeof(*kt));
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index bde89c0863e..aed89e219ed 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.216 2005/05/23 22:30:21 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.217 2005/05/23 23:28:53 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -94,7 +94,8 @@ enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
 
 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
-enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX };
+enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
+ PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
 #define PF_POOL_IDMASK 0x0f
 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, PF_POOL_SRCHASH,
 PF_POOL_ROUNDROBIN };
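Review bot: The new pool_get flags in pfr_create_kentry encode a distinction the line itself does not explain: callers that pass `intr` must not sleep and therefore get PR_NOWAIT, while process-context callers may wait for memory but, because of PR_LIMITFAIL, are refused with NULL once the newly introduced pool hard limit is reached instead of blocking on it. A comment such as `/* intr: cannot sleep; otherwise wait for memory, but fail at the pool hard limit */` above the call would keep that reasoning with the code, and the same applies to the `PR_WAITOK | PR_LIMITFAIL` call added in pfr_create_ktable further down. With pfr_kentry_pl2 gone, the removed lines in pfr_destroy_kentry were the only visible reader of `ke->pfrke_intrpool`; if nothing outside this diff reads it, the field and its assignment (presumably in pfr_create_kentry, outside the hunk) can be dropped as well. The bodies of pfr_create_kentry and pfr_create_ktable continue outside their hunks.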
@@ -1111,6 +1112,9 @@ struct pf_tagname {
 #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */
 #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */
 
+#define PFR_KTABLE_HIWAT 1000 /* Number of tables */
+#define PFR_KENTRY_HIWAT 100000 /* Number of table entries */
+
 /*
  * ioctl parameter structures
  */
|
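Review bot: The comments on the new PFR_KTABLE_HIWAT and PFR_KENTRY_HIWAT defines read as if they were fixed capacities ("Number of tables", "Number of table entries"), but elsewhere in this commit they are the default hard limits seeded into pf_pool_limits[] in pf.c and into pfctl_init_options, and, going by the `tables` / `table-entries` entries added to pfctl's pf_limits[], they are presumably adjustable from userland like the existing limits. Wording them as `/* Default hard limit on tables */` and `/* Default hard limit on table entries */` tells a reader that the pool refuses allocations beyond this point rather than that the count is static, which matters for anyone sizing a ruleset against the value.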