Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 39 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 37 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 6 | ||||
-rw-r--r-- | sys/net/pfvar.h | 5 |
4 files changed, 40 insertions, 47 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 82c265fcc0e..275018039e8 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.332 2003/04/05 20:18:23 cedric Exp $ */
+/* $OpenBSD: pf.c,v 1.333 2003/04/05 20:20:58 cedric Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -105,41 +105,8 @@ u_int32_t ticket_altqs_active;
 u_int32_t ticket_altqs_inactive;
 u_int32_t ticket_pabuf;
-/* Timeouts */
-int pftm_tcp_first_packet = 120; /* First TCP packet */
-int pftm_tcp_opening = 30; /* No response yet */
-int pftm_tcp_established = 24*60*60; /* established */
-int pftm_tcp_closing = 15 * 60; /* Half closed */
-int pftm_tcp_fin_wait = 45; /* Got both FINs */
-int pftm_tcp_closed = 90; /* Got a RST */
-
-int pftm_udp_first_packet = 60; /* First UDP packet */
-int pftm_udp_single = 30; /* Unidirectional */
-int pftm_udp_multiple = 60; /* Bidirectional */
-
-int pftm_icmp_first_packet = 20; /* First ICMP packet */
-int pftm_icmp_error_reply = 10; /* Got error response */
-
-int pftm_other_first_packet = 60; /* First packet */
-int pftm_other_single = 30; /* Unidirectional */
-int pftm_other_multiple = 60; /* Bidirectional */
-
-int pftm_frag = 30; /* Fragment expire */
-
-int pftm_interval = 10; /* expire interval */
 struct timeout pf_expire_to; /* expire timeout */
-int *pftm_timeouts[PFTM_MAX] = { &pftm_tcp_first_packet,
-&pftm_tcp_opening, &pftm_tcp_established,
-&pftm_tcp_closing, &pftm_tcp_fin_wait,
-&pftm_tcp_closed, &pftm_udp_first_packet,
-&pftm_udp_single, &pftm_udp_multiple,
-&pftm_icmp_first_packet, &pftm_icmp_error_reply,
-&pftm_other_first_packet, &pftm_other_single,
-&pftm_other_multiple, &pftm_frag,
-&pftm_interval };
-
-
 struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl;
 struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
@@ -272,7 +239,7 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] =
 (s)->lan.port != (s)->gwy.port
 #define TIMEOUT(r,i) \
- (((r) && (r)->timeout[(i)]) ? (r)->timeout[(i)] : *pftm_timeouts[(i)])
+ (((r) && (r)->timeout[(i)]) ? (r)->timeout[(i)] : pf_default_rule.timeout[(i)])
 static __inline int pf_state_compare(struct pf_tree_node *,
 struct pf_tree_node *);
@@ -470,7 +437,7 @@ pf_purge_timeout(void *arg)
 pf_purge_expired_fragments();
 splx(s);
- timeout_add(to, pftm_interval * hz);
+ timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz);
 }
 void
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 25b4cef0a33..62103d60612 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.53 2003/04/03 15:27:17 cedric Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.54 2003/04/05 20:20:58 cedric Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -84,11 +84,15 @@ int pfioctl(dev_t, u_long, caddr_t, int, struct proc *);
 extern struct timeout pf_expire_to;
+struct pf_rule pf_default_rule;
+
 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
 void
 pfattach(int num)
 {
+ u_int32_t *timeout = pf_default_rule.timeout;
+
 pool_init(&pf_tree_pl, sizeof(struct pf_tree_node), 0, 0, 0, "pftrpl",
 NULL);
 pool_init(&pf_rule_pl, sizeof(struct pf_rule), 0, 0, 0, "pfrulepl",
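Review bot: The re-arm `timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz);` has no floor, and the DIOCSETTIMEOUT hunk in this same change stores whatever passes its range check into that slot, so an interval of 0 makes the purge re-schedule itself with 0 ticks and walk every state and fragment under the spl this function raises (`splx(s)` is visible) on each softclock. The range check sits above the DIOCSETTIMEOUT hunk and is not visible here; if it rejects only negative values, as the removed `int` globals suggest the old contract was, clamp at the consumer: `int interval = pf_default_rule.timeout[PFTM_INTERVAL]; if (interval < 1) interval = 1; timeout_add(to, interval * hz);`. The slot is now u_int32_t, so the product with hz can also exceed what timeout_add's int ticks argument holds for very large settings; the old int version had the same exposure, but a cap next to the floor would close both. pf_purge_timeout's body starts above the hunk.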
@@ -114,8 +118,31 @@ pfattach(int num)
 pf_altqs_active = &pf_altqs[0];
 pf_altqs_inactive = &pf_altqs[1];
+ /* default rule should never be garbage collected */
+ pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
+ pf_default_rule.action = PF_PASS;
+ pf_default_rule.nr = -1;
+
+ /* initialize default timeouts */
+ timeout[PFTM_TCP_FIRST_PACKET] = 120; /* First TCP packet */
+ timeout[PFTM_TCP_OPENING] = 30; /* No response yet */
+ timeout[PFTM_TCP_ESTABLISHED] = 24*60*60; /* Established */
+ timeout[PFTM_TCP_CLOSING] = 15 * 60; /* Half closed */
+ timeout[PFTM_TCP_FIN_WAIT] = 45; /* Got both FINs */
+ timeout[PFTM_TCP_CLOSED] = 90; /* Got a RST */
+ timeout[PFTM_UDP_FIRST_PACKET] = 60; /* First UDP packet */
+ timeout[PFTM_UDP_SINGLE] = 30; /* Unidirectional */
+ timeout[PFTM_UDP_MULTIPLE] = 60; /* Bidirectional */
+ timeout[PFTM_ICMP_FIRST_PACKET] = 20; /* First ICMP packet */
+ timeout[PFTM_ICMP_ERROR_REPLY] = 10; /* Got error response */
+ timeout[PFTM_OTHER_FIRST_PACKET] = 60; /* First packet */
+ timeout[PFTM_OTHER_SINGLE] = 30; /* Unidirectional */
+ timeout[PFTM_OTHER_MULTIPLE] = 60; /* Bidirectional */
+ timeout[PFTM_FRAG] = 30; /* Fragment expire */
+ timeout[PFTM_INTERVAL] = 10; /* Expire interval */
+
 timeout_set(&pf_expire_to, pf_purge_timeout, &pf_expire_to);
- timeout_add(&pf_expire_to, pftm_interval * hz);
+ timeout_add(&pf_expire_to, timeout[PFTM_INTERVAL] * hz);
 pf_normalize_init();
 pf_status.debug = PF_DEBUG_URGENT;
@@ -1127,8 +1154,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EINVAL;
 goto fail;
 }
- old = *pftm_timeouts[pt->timeout];
- *pftm_timeouts[pt->timeout] = pt->seconds;
+ old = pf_default_rule.timeout[pt->timeout];
+ pf_default_rule.timeout[pt->timeout] = pt->seconds;
 pt->seconds = old;
 break;
 }
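Review bot: The local `u_int32_t *timeout` (declared in the previous hunk) is indexed as `timeout[...]` sixteen times right above `timeout_set(&pf_expire_to, ...)` and `timeout_add(&pf_expire_to, timeout[PFTM_INTERVAL] * hz)`, and it reuses the tag name of `struct timeout pf_expire_to` from the same file; legal in C, but the block reads as if the kernel timeout API were being indexed. Naming it for what it is, `u_int32_t *tmo = pf_default_rule.timeout;`, keeps the assignments short without the collision. `pf_default_rule.nr = -1;` also deserves a comment if `nr` is unsigned in struct pf_rule (its definition is not visible here), since the stored value is then UINT32_MAX, e.g. `/* -1 (UINT32_MAX if nr is unsigned) marks the default rule; never a real rule number */`. A one-line note that every other field of pf_default_rule relies on static zero-initialization would also help, as `action = PF_PASS` is the only behaviour set explicitly; pfattach continues above and below the hunk.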
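Review bot: `old = pf_default_rule.timeout[pt->timeout];` now reads a u_int32_t slot into `old`, which is declared above the hunk and was paired with the removed `int *pftm_timeouts` table, so it is presumably still `int`, and the same value is handed back to userland at `pt->seconds = old;`. Nothing visible in the hunk prevents a stored value above INT_MAX, which would come back as a negative number; declare `u_int32_t old;` at the top of the case so the round trip matches the new storage type. The range check above the hunk (not visible) should also keep, or gain, a rejection of negative `pt->seconds`: with unsigned storage a negative int silently becomes a timeout of roughly 136 years instead of an EINVAL. The case's range check and the `old` declaration are outside the hunk.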
@@ -1140,7 +1167,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EINVAL;
 goto fail;
 }
- pt->seconds = *pftm_timeouts[pt->timeout];
+ pt->seconds = pf_default_rule.timeout[pt->timeout];
 break;
 }
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 54e049520eb..e4dc2689e5d 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.55 2003/02/18 08:05:15 camield Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.56 2003/04/05 20:20:58 cedric Exp $ */
 /*
 * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -121,7 +121,6 @@ int pf_normalize_tcpopt(struct pf_rule *, struct mbuf *,
 /* Globals */
 struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl;
 int pf_nfrents, pf_ncache;
-extern int pftm_frag; /* Fragment expire timeout */
 void
 pf_normalize_init(void)
@@ -168,7 +167,8 @@ void
 pf_purge_expired_fragments(void)
 {
 struct pf_fragment *frag;
- u_int32_t expire = time.tv_sec - pftm_frag;
+ u_int32_t expire = time.tv_sec -
+ pf_default_rule.timeout[PFTM_FRAG];
 while ((frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue)) != NULL) {
 KASSERT(BUFFER_FRAGMENTS(frag));
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index e7bb4ec08e5..c50f37cb181 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.137 2003/03/31 13:15:27 cedric Exp $ */
+/* $OpenBSD: pfvar.h,v 1.138 2003/04/05 20:20:58 cedric Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
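Review bot: `u_int32_t expire = time.tv_sec - pf_default_rule.timeout[PFTM_FRAG];` now subtracts an unsigned 32-bit operand from a signed time_t, and nothing in the hunk stops that timeout from exceeding the current time (DIOCSETTIMEOUT in this change stores any value that passes a range check outside this view); if it does, `expire` wraps to a large value and, assuming the loop below compares each fragment's timestamp against it, every queued fragment is discarded on the next purge. Clamp before subtracting: `u_int32_t frag_tmo = pf_default_rule.timeout[PFTM_FRAG]; u_int32_t expire = (frag_tmo < time.tv_sec) ? time.tv_sec - frag_tmo : 0;`. The old `int pftm_frag` had the same exposure, but the type change is the right moment to close it. The while loop's body continues outside the hunk.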
@@ -965,14 +965,13 @@ extern void pf_update_anchor_rules(void);
 extern struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl;
 extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
 extern void pf_purge_timeout(void *);
-extern int pftm_interval;
 extern void pf_purge_expired_states(void);
 extern int pf_insert_state(struct pf_state *);
 extern struct pf_state *pf_find_state(struct pf_state_tree *,
 struct pf_tree_node *);
 extern struct pf_anchor *pf_find_anchor(const char *);
 extern struct ifnet *status_ifp;
-extern int *pftm_timeouts[PFTM_MAX];
+extern struct pf_rule pf_default_rule;
 extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, u_int8_t);
 void pf_rm_rule(struct pf_rulequeue *, |