-rw-r--r-- | sys/net/if_pfsync.c | 21 | ||||
-rw-r--r-- | sys/net/if_pfsync.h | 4 | ||||
-rw-r--r-- | sys/net/pf.c | 6 |
3 files changed, 22 insertions, 9 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index bf685712ec9..da32ef94efe 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.318 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.319 2023/07/31 11:13:09 dlg Exp $ */
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -1676,11 +1676,14 @@ pfsync_init_state(struct pf_state *st, const struct pf_state_key *skw,
 }
 /* state came off the wire */
- if (ISSET(st->state_flags, PFSTATE_ACK)) {
- CLR(st->state_flags, PFSTATE_ACK);
+ if (ISSET(flags, PFSYNC_SI_PFSYNC)) {
+ if (ISSET(st->state_flags, PFSTATE_ACK)) {
+ CLR(st->state_flags, PFSTATE_ACK);
- /* peer wants an iack, not an insert */
- st->sync_state = PFSYNC_S_SYNC;
+ /* peer wants an iack, not an insert */
+ st->sync_state = PFSYNC_S_SYNC;
+ } else
+ st->sync_state = PFSYNC_S_PFSYNC;
 }
 }
@@ -1713,6 +1716,10 @@ pfsync_insert_state(struct pf_state *st)
 pfsync_q_ins(s, st, PFSYNC_S_IACK);
 pfsync_slice_sched(s); /* the peer is waiting */
 break;
+ case PFSYNC_S_PFSYNC:
+ /* state was just inserted by pfsync */
+ st->sync_state = PFSYNC_S_NONE;
+ break;
 default:
 panic("%s: state %p unexpected sync_state %d",
 __func__, st, st->sync_state);
@@ -2829,7 +2836,7 @@ pfsync_in_ins(struct pfsync_softc *sc,
 continue;
 }
- if (pf_state_import(sp, 0) == ENOMEM) {
+ if (pf_state_import(sp, PFSYNC_SI_PFSYNC) == ENOMEM) {
 /* drop out, but process the rest of the actions */
 break;
 }
@@ -3009,7 +3016,7 @@ pfsync_in_upd(struct pfsync_softc *sc,
 if (st == NULL) {
 /* insert the update */
 PF_LOCK();
- error = pf_state_import(sp, 0);
+ error = pf_state_import(sp, PFSYNC_SI_PFSYNC);
 if (error)
 pfsyncstat_inc(pfsyncs_badstate);
 PF_UNLOCK();
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index e83ddd8306c..16982cba864 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
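Review bot: `PFSYNC_S_PFSYNC` is set in the `else` branch of pfsync_init_state as a transient marker, and the only consumer visible in this commit is the new `case PFSYNC_S_PFSYNC:` in pfsync_insert_state, whose `default:` arm panics on any sync_state it does not know. Because this path is driven by state messages received from a peer, the hand-off deserves a comment above the `else`, for example `/* reset to PFSYNC_S_NONE by pfsync_insert_state() */`. Any other switch on `st->sync_state` outside this diff presumably has to handle or never see the new value; that is worth confirming before it can reach a panic. Both function bodies begin outside their hunks.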
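Review bot: In pfsync_in_ins only `ENOMEM` from `pf_state_import(sp, PFSYNC_SI_PFSYNC)` is acted on and every other error is discarded, whereas pfsync_in_upd in the following hunk counts the same failure with `pfsyncstat_inc(pfsyncs_badstate)`. Inserts rejected from a peer then leave no trace in the counters unless pf_state_import records them itself, which is not visible here. Consider keeping the result and counting it: `error = pf_state_import(sp, PFSYNC_SI_PFSYNC);`, then `if (error == ENOMEM) break;` and `if (error) pfsyncstat_inc(pfsyncs_badstate);`, assuming a local `error` is available in this function. The loop around this code starts and ends outside the hunk.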
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.60 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.61 2023/07/31 11:13:10 dlg Exp $ */
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -307,6 +307,7 @@ enum pfsync_counters {
 #define PFSYNC_S_NONE 0xd0
 #define PFSYNC_S_SYNC 0xd1
+#define PFSYNC_S_PFSYNC 0xd2
 #define PFSYNC_S_DEAD 0xde
 int pfsync_input4(struct mbuf **, int *, int, int);
@@ -316,6 +317,7 @@ int pfsync_sysctl(int *, u_int, void *, size_t *,
 #define PFSYNC_SI_IOCTL 0x01
 #define PFSYNC_SI_CKSUM 0x02
 #define PFSYNC_SI_ACK 0x04
+#define PFSYNC_SI_PFSYNC 0x08
 int pfsync_state_import(struct pfsync_state *, int);
 void pfsync_state_export(struct pfsync_state *, struct pf_state *);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index eb233a8af37..4f0fc3f91a9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1183 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1184 2023/07/31 11:13:09 dlg Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -4698,6 +4698,10 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
 sni->sn->states++;
 }
+#if NPFSYNC > 0
+ pfsync_init_state(st, *skw, *sks, 0);
+#endif
+
 if (pf_state_insert(BOUND_IFACE(r, pd->kif), skw, sks, st)) {
 *sks = *skw = NULL;
 REASON_SET(&reason, PFRES_STATEINS); |
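Review bot: `PFSYNC_S_PFSYNC` (a sync_state value, 0xd2) and `PFSYNC_SI_PFSYNC` (an import flag bit, 0x08, added in the next hunk) differ by a single letter and are both plain integer macros, so passing one where the other is meant compiles silently. Neither define carries a comment saying which namespace it belongs to. Short comments would make the distinction explicit, for example `#define PFSYNC_S_PFSYNC 0xd2 /* sync_state: imported by pfsync, not yet inserted */` and `#define PFSYNC_SI_PFSYNC 0x08 /* import flag: state came from a pfsync peer */`. That wording is inferred from how the values are used in if_pfsync.c in this commit and should be confirmed by the author.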
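Review bot: `pfsync_init_state(st, *skw, *sks, 0)` now runs before `pf_state_insert()`, so it also runs for states whose insert fails and takes the `PFRES_STATEINS` path just below. The part of pfsync_init_state visible in this commit only writes `st->sync_state` and `st->state_flags`, but its beginning is outside that hunk; if it does anything that needs undoing, the failure path has to cover it. It also receives `*skw` and `*sks` as they are before the insert, while pf_state_insert is handed the `skw`/`sks` pointers themselves and may presumably change what they point to. A comment such as `/* must run before pf_state_insert() makes st visible */` would record why the order matters, if that is the intent. pf_create_state continues outside the hunk.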