Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c39
-rw-r--r--sys/net/pf_ioctl.c37
-rw-r--r--sys/net/pf_norm.c6
-rw-r--r--sys/net/pfvar.h5
4 files changed, 40 insertions, 47 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 82c265fcc0e..275018039e8 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.332 2003/04/05 20:18:23 cedric Exp $ */
+/* $OpenBSD: pf.c,v 1.333 2003/04/05 20:20:58 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -105,41 +105,8 @@ u_int32_t ticket_altqs_active;
u_int32_t ticket_altqs_inactive;
u_int32_t ticket_pabuf;
-/* Timeouts */
-int pftm_tcp_first_packet = 120; /* First TCP packet */
-int pftm_tcp_opening = 30; /* No response yet */
-int pftm_tcp_established = 24*60*60; /* established */
-int pftm_tcp_closing = 15 * 60; /* Half closed */
-int pftm_tcp_fin_wait = 45; /* Got both FINs */
-int pftm_tcp_closed = 90; /* Got a RST */
-
-int pftm_udp_first_packet = 60; /* First UDP packet */
-int pftm_udp_single = 30; /* Unidirectional */
-int pftm_udp_multiple = 60; /* Bidirectional */
-
-int pftm_icmp_first_packet = 20; /* First ICMP packet */
-int pftm_icmp_error_reply = 10; /* Got error response */
-
-int pftm_other_first_packet = 60; /* First packet */
-int pftm_other_single = 30; /* Unidirectional */
-int pftm_other_multiple = 60; /* Bidirectional */
-
-int pftm_frag = 30; /* Fragment expire */
-
-int pftm_interval = 10; /* expire interval */
struct timeout pf_expire_to; /* expire timeout */
-int *pftm_timeouts[PFTM_MAX] = { &pftm_tcp_first_packet,
- &pftm_tcp_opening, &pftm_tcp_established,
- &pftm_tcp_closing, &pftm_tcp_fin_wait,
- &pftm_tcp_closed, &pftm_udp_first_packet,
- &pftm_udp_single, &pftm_udp_multiple,
- &pftm_icmp_first_packet, &pftm_icmp_error_reply,
- &pftm_other_first_packet, &pftm_other_single,
- &pftm_other_multiple, &pftm_frag,
- &pftm_interval };
-
-
struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl;
struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
@@ -272,7 +239,7 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] =
(s)->lan.port != (s)->gwy.port
#define TIMEOUT(r,i) \
- (((r) && (r)->timeout[(i)]) ? (r)->timeout[(i)] : *pftm_timeouts[(i)])
+ (((r) && (r)->timeout[(i)]) ? (r)->timeout[(i)] : pf_default_rule.timeout[(i)])
static __inline int pf_state_compare(struct pf_tree_node *,
struct pf_tree_node *);
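Review bot: The new fallback arm of `TIMEOUT` reaches into an object defined in another file (pf_default_rule lives in pf_ioctl.c and is only declared extern in pfvar.h) with nothing at the use site saying why, so a one-line comment above the macro would help: `/* per-rule timeout, or the global default in pf_default_rule.timeout[] when the rule leaves it at 0 */`. Both arms now index a u_int32_t array (pf_ioctl.c aliases it as `u_int32_t *timeout`), so the macro's result type is unchanged from before. The comment should also record that 0 is the "use the default" sentinel, which means a rule cannot opt into an explicit zero timeout through this macro.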
@@ -470,7 +437,7 @@ pf_purge_timeout(void *arg)
pf_purge_expired_fragments();
splx(s);
- timeout_add(to, pftm_interval * hz);
+ timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz);
}
void
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 25b4cef0a33..62103d60612 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.53 2003/04/03 15:27:17 cedric Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.54 2003/04/05 20:20:58 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -84,11 +84,15 @@ int pfioctl(dev_t, u_long, caddr_t, int, struct proc *);
extern struct timeout pf_expire_to;
+struct pf_rule pf_default_rule;
+
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
void
pfattach(int num)
{
+ u_int32_t *timeout = pf_default_rule.timeout;
+
pool_init(&pf_tree_pl, sizeof(struct pf_tree_node), 0, 0, 0, "pftrpl",
NULL);
pool_init(&pf_rule_pl, sizeof(struct pf_rule), 0, 0, 0, "pfrulepl",
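Review bot: The new local `u_int32_t *timeout = pf_default_rule.timeout;` in pfattach reads confusingly in a function that also deals with `struct timeout pf_expire_to` and calls `timeout_set`/`timeout_add` a few lines later; struct tags live in their own namespace so it compiles, but a name such as `u_int32_t *tmo = pf_default_rule.timeout;` keeps the timeout-array alias visually distinct from the kernel timeout facility. pfattach's body continues past the end of this hunk.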
@@ -114,8 +118,31 @@ pfattach(int num)
pf_altqs_active = &pf_altqs[0];
pf_altqs_inactive = &pf_altqs[1];
+ /* default rule should never be garbage collected */
+ pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
+ pf_default_rule.action = PF_PASS;
+ pf_default_rule.nr = -1;
+
+ /* initialize default timeouts */
+ timeout[PFTM_TCP_FIRST_PACKET] = 120; /* First TCP packet */
+ timeout[PFTM_TCP_OPENING] = 30; /* No response yet */
+ timeout[PFTM_TCP_ESTABLISHED] = 24*60*60; /* Established */
+ timeout[PFTM_TCP_CLOSING] = 15 * 60; /* Half closed */
+ timeout[PFTM_TCP_FIN_WAIT] = 45; /* Got both FINs */
+ timeout[PFTM_TCP_CLOSED] = 90; /* Got a RST */
+ timeout[PFTM_UDP_FIRST_PACKET] = 60; /* First UDP packet */
+ timeout[PFTM_UDP_SINGLE] = 30; /* Unidirectional */
+ timeout[PFTM_UDP_MULTIPLE] = 60; /* Bidirectional */
+ timeout[PFTM_ICMP_FIRST_PACKET] = 20; /* First ICMP packet */
+ timeout[PFTM_ICMP_ERROR_REPLY] = 10; /* Got error response */
+ timeout[PFTM_OTHER_FIRST_PACKET] = 60; /* First packet */
+ timeout[PFTM_OTHER_SINGLE] = 30; /* Unidirectional */
+ timeout[PFTM_OTHER_MULTIPLE] = 60; /* Bidirectional */
+ timeout[PFTM_FRAG] = 30; /* Fragment expire */
+ timeout[PFTM_INTERVAL] = 10; /* Expire interval */
+
timeout_set(&pf_expire_to, pf_purge_timeout, &pf_expire_to);
- timeout_add(&pf_expire_to, pftm_interval * hz);
+ timeout_add(&pf_expire_to, timeout[PFTM_INTERVAL] * hz);
pf_normalize_init();
pf_status.debug = PF_DEBUG_URGENT;
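Review bot: `pf_default_rule.nr = -1;` assigns a negative literal to a field that, judging by the u_int32_t timeout array alongside it, may well be unsigned; if so the stored value is UINT32_MAX rather than -1, and any code that orders or compares rule numbers as unsigned would treat the default rule as the highest-numbered one rather than as "no number". If that wrap is the intent, say so at the assignment: `pf_default_rule.nr = -1; /* no real rule number; wraps to the maximum if nr is unsigned */`. The self-linked `tqe_prev` trick is only documented by its one-line comment; it would be worth adding that the rule is never on any rule queue and must not be handed to list-removal code, since the trick protects only against walkers of `entries`.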
@@ -1127,8 +1154,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EINVAL;
goto fail;
}
- old = *pftm_timeouts[pt->timeout];
- *pftm_timeouts[pt->timeout] = pt->seconds;
+ old = pf_default_rule.timeout[pt->timeout];
+ pf_default_rule.timeout[pt->timeout] = pt->seconds;
pt->seconds = old;
break;
}
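Review bot: The store `pf_default_rule.timeout[pt->timeout] = pt->seconds;` now writes into a u_int32_t where the old `*pftm_timeouts[...]` was an int, so a negative `pt->seconds` (presumably an int in the ioctl struct) no longer keeps its sign but becomes a very large timeout, and the guard immediately above the hunk appears to range-check only `pt->timeout`; its condition is outside the hunk, so this is inferred. Consider extending that check with `if (pt->seconds < 0) { error = EINVAL; goto fail; }` before the swap, so a bad DIOCSETTIMEOUT cannot make states or fragments effectively never expire. The read-back in the DIOCGETTIMEOUT hunk below narrows the same u_int32_t into `pt->seconds`, which is harmless once values are kept non-negative. pfioctl's body starts and ends outside this hunk.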
@@ -1140,7 +1167,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EINVAL;
goto fail;
}
- pt->seconds = *pftm_timeouts[pt->timeout];
+ pt->seconds = pf_default_rule.timeout[pt->timeout];
break;
}
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 54e049520eb..e4dc2689e5d 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.55 2003/02/18 08:05:15 camield Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.56 2003/04/05 20:20:58 cedric Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -121,7 +121,6 @@ int pf_normalize_tcpopt(struct pf_rule *, struct mbuf *,
/* Globals */
struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl;
int pf_nfrents, pf_ncache;
-extern int pftm_frag; /* Fragment expire timeout */
void
pf_normalize_init(void)
@@ -168,7 +167,8 @@ void
pf_purge_expired_fragments(void)
{
struct pf_fragment *frag;
- u_int32_t expire = time.tv_sec - pftm_frag;
+ u_int32_t expire = time.tv_sec -
+ pf_default_rule.timeout[PFTM_FRAG];
while ((frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue)) != NULL) {
KASSERT(BUFFER_FRAGMENTS(frag));
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index e7bb4ec08e5..c50f37cb181 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.137 2003/03/31 13:15:27 cedric Exp $ */
+/* $OpenBSD: pfvar.h,v 1.138 2003/04/05 20:20:58 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -965,14 +965,13 @@ extern void pf_update_anchor_rules(void);
extern struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl;
extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
extern void pf_purge_timeout(void *);
-extern int pftm_interval;
extern void pf_purge_expired_states(void);
extern int pf_insert_state(struct pf_state *);
extern struct pf_state *pf_find_state(struct pf_state_tree *,
struct pf_tree_node *);
extern struct pf_anchor *pf_find_anchor(const char *);
extern struct ifnet *status_ifp;
-extern int *pftm_timeouts[PFTM_MAX];
+extern struct pf_rule pf_default_rule;
extern void pf_addrcpy(struct pf_addr *, struct pf_addr *,
u_int8_t);
void pf_rm_rule(struct pf_rulequeue *,
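Review bot: `extern struct pf_rule pf_default_rule;` replaces two externs whose names described themselves, while the new one says nothing about what the object is for, where it is defined, or that it is the fallback for every rule-less timeout lookup in pf.c and pf_norm.c. A short comment would spare the next reader a grep across three files: `/* defined in pf_ioctl.c; timeout[] holds the global defaults (DIOCSETTIMEOUT/DIOCGETTIMEOUT) used when a rule's own timeout is 0 */`. This is a documentation-only suggestion.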