summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sys/net/if_pfsync.c21
-rw-r--r--sys/net/pf.c73
-rw-r--r--sys/net/pfvar.h3
3 files changed, 47 insertions, 50 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 11aae4fb565..2ac08a3dbd5 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.28 2004/04/25 17:52:37 pb Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.29 2004/04/25 18:09:30 pb Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -326,11 +326,12 @@ pfsync_input(struct mbuf *m, ...)
}
RB_FOREACH(st, pf_state_tree_lan_ext,
&kif->pfik_lan_ext) {
- if (st->creatorid == creatorid)
+ if (st->creatorid == creatorid) {
st->timeout = PFTM_PURGE;
+ pf_purge_expired_state(st);
+ }
}
}
- pf_purge_expired_states();
splx(s);
break;
@@ -475,15 +476,10 @@ pfsync_input(struct mbuf *m, ...)
pfsyncstats.pfsyncs_badstate++;
continue;
}
- /*
- * XXX
- * pf_purge_expired_states() is expensive,
- * we really want to purge the state directly.
- */
st->timeout = PFTM_PURGE;
st->sync_flags |= PFSTATE_FROMSYNC;
+ pf_purge_expired_state(st);
}
- pf_purge_expired_states();
splx(s);
break;
case PFSYNC_ACT_UPD_C: {
@@ -601,15 +597,10 @@ pfsync_input(struct mbuf *m, ...)
pfsyncstats.pfsyncs_badstate++;
continue;
}
- /*
- * XXX
- * pf_purge_expired_states() is expensive,
- * we really want to purge the state directly.
- */
st->timeout = PFTM_PURGE;
st->sync_flags |= PFSTATE_FROMSYNC;
+ pf_purge_expired_state(st);
}
- pf_purge_expired_states();
splx(s);
break;
case PFSYNC_ACT_INS_F:
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1ddfe8f51a5..96e2bb0bcbf 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.438 2004/04/25 02:32:35 pb Exp $ */
+/* $OpenBSD: pf.c,v 1.439 2004/04/25 18:09:29 pb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -783,6 +783,42 @@ pf_src_tree_remove_state(struct pf_state *s)
}
void
+pf_purge_expired_state(struct pf_state *cur)
+{
+ if (cur->src.state == PF_TCPS_PROXY_DST)
+ pf_send_tcp(cur->rule.ptr, cur->af,
+ &cur->ext.addr, &cur->lan.addr,
+ cur->ext.port, cur->lan.port,
+ cur->src.seqhi, cur->src.seqlo + 1,
+ TH_RST|TH_ACK, 0, 0, 0, 1);
+ RB_REMOVE(pf_state_tree_ext_gwy,
+ &cur->u.s.kif->pfik_ext_gwy, cur);
+ RB_REMOVE(pf_state_tree_lan_ext,
+ &cur->u.s.kif->pfik_lan_ext, cur);
+ RB_REMOVE(pf_state_tree_id, &tree_id, cur);
+#if NPFSYNC
+ pfsync_delete_state(cur);
+#endif
+ pf_src_tree_remove_state(cur);
+ if (--cur->rule.ptr->states <= 0 &&
+ cur->rule.ptr->src_nodes <= 0)
+ pf_rm_rule(NULL, cur->rule.ptr);
+ if (cur->nat_rule.ptr != NULL)
+ if (--cur->nat_rule.ptr->states <= 0 &&
+ cur->nat_rule.ptr->src_nodes <= 0)
+ pf_rm_rule(NULL, cur->nat_rule.ptr);
+ if (cur->anchor.ptr != NULL)
+ if (--cur->anchor.ptr->states <= 0)
+ pf_rm_rule(NULL, cur->anchor.ptr);
+ pf_normalize_tcp_cleanup(cur);
+ pfi_detach_state(cur->u.s.kif);
+ TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
+ pool_put(&pf_state_pl, cur);
+ pf_status.fcounters[FCNT_STATE_REMOVALS]++;
+ pf_status.states--;
+}
+
+void
pf_purge_expired_states(void)
{
struct pf_state *cur, *next;
@@ -791,39 +827,8 @@ pf_purge_expired_states(void)
cur; cur = next) {
next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
- if (pf_state_expires(cur) <= time.tv_sec) {
- if (cur->src.state == PF_TCPS_PROXY_DST)
- pf_send_tcp(cur->rule.ptr, cur->af,
- &cur->ext.addr, &cur->lan.addr,
- cur->ext.port, cur->lan.port,
- cur->src.seqhi, cur->src.seqlo + 1,
- TH_RST|TH_ACK, 0, 0, 0, 1);
- RB_REMOVE(pf_state_tree_ext_gwy,
- &cur->u.s.kif->pfik_ext_gwy, cur);
- RB_REMOVE(pf_state_tree_lan_ext,
- &cur->u.s.kif->pfik_lan_ext, cur);
- RB_REMOVE(pf_state_tree_id, &tree_id, cur);
-#if NPFSYNC
- pfsync_delete_state(cur);
-#endif
- pf_src_tree_remove_state(cur);
- if (--cur->rule.ptr->states <= 0 &&
- cur->rule.ptr->src_nodes <= 0)
- pf_rm_rule(NULL, cur->rule.ptr);
- if (cur->nat_rule.ptr != NULL)
- if (--cur->nat_rule.ptr->states <= 0 &&
- cur->nat_rule.ptr->src_nodes <= 0)
- pf_rm_rule(NULL, cur->nat_rule.ptr);
- if (cur->anchor.ptr != NULL)
- if (--cur->anchor.ptr->states <= 0)
- pf_rm_rule(NULL, cur->anchor.ptr);
- pf_normalize_tcp_cleanup(cur);
- pfi_detach_state(cur->u.s.kif);
- TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
- pool_put(&pf_state_pl, cur);
- pf_status.fcounters[FCNT_STATE_REMOVALS]++;
- pf_status.states--;
- }
+ if (pf_state_expires(cur) <= time.tv_sec)
+ pf_purge_expired_state(cur);
}
}
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 705f2fc0d0a..0af8381b406 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.188 2004/04/24 23:22:54 cedric Exp $ */
+/* $OpenBSD: pfvar.h,v 1.189 2004/04/25 18:09:30 pb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1313,6 +1313,7 @@ extern struct pool pf_state_scrub_pl;
extern void pf_purge_timeout(void *);
extern void pf_purge_expired_src_nodes(void);
extern void pf_purge_expired_states(void);
+extern void pf_purge_expired_state(struct pf_state *);
extern int pf_insert_state(struct pfi_kif *,
struct pf_state *);
extern int pf_insert_src_node(struct pf_src_node **,