Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c15
-rw-r--r--sys/net/pfvar.h22
2 files changed, 22 insertions, 15 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6b2c61043dd..961ed27c69d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.467 2004/12/06 23:28:38 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.468 2004/12/07 05:30:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -682,14 +682,14 @@ pf_src_connlimit(struct pf_state **state)
&p, time_second);
/* kill existing states if that's required. */
- if ((*state)->rule.ptr->rule_flag & PFRULE_SRCTRACK_FLUSH) {
+ if ((*state)->rule.ptr->flush) {
pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
RB_FOREACH(s, pf_state_tree_id, &tree_id) {
/*
- * Kill all states from this source.
- *
- * XXX Kill states _to_ the source?
+ * Kill states from this source. (Only those
+ * from the same rule if PF_FLUSH_GLOBAL is not
+ * set)
*/
if (s->af == (*state)->af &&
(((*state)->direction == PF_OUT &&
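Review bot: The entry test `if ((*state)->rule.ptr->flush)` accepts any non-zero value, so a rule carrying only PF_FLUSH_GLOBAL without PF_FLUSH would also trigger the flush; if PF_FLUSH is meant to be the enable bit, `if ((*state)->rule.ptr->flush & PF_FLUSH)` would say so explicitly, assuming the rule parser always sets both bits together for a global flush, which this diff does not show. The rewritten comment also drops the old `XXX Kill states _to_ the source?` question while the address match that follows still keys on `(*state)->direction`, not on each `s`'s own direction, so only the address side selected by the triggering state is compared; a one-line remark to that effect would keep the limitation visible to the next reader. pf_src_connlimit begins before this hunk and the loop body continues in the next one.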
@@ -697,7 +697,10 @@ pf_src_connlimit(struct pf_state **state)
&s->lan.addr, s->af)) ||
((*state)->direction == PF_IN &&
PF_AEQ(&(*state)->src_node->addr,
- &s->ext.addr, s->af)))) {
+ &s->ext.addr, s->af))) &&
+ ((*state)->rule.ptr->flush &
+ PF_FLUSH_GLOBAL ||
+ (*state)->rule.ptr == s->rule.ptr)) {
s->timeout = PFTM_PURGE;
s->src.state = s->dst.state =
TCPS_CLOSED;
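Review bot: The added condition `((*state)->rule.ptr->flush & PF_FLUSH_GLOBAL || (*state)->rule.ptr == s->rule.ptr)` relies on `&` binding tighter than `||`; that is correct C, but the intent reads more reliably with explicit grouping, `(((*state)->rule.ptr->flush & PF_FLUSH_GLOBAL) || (*state)->rule.ptr == s->rule.ptr)`. The flush bits are also re-read from `(*state)->rule.ptr` on every RB_FOREACH iteration even though they cannot change inside the loop; hoisting `int global = (*state)->rule.ptr->flush & PF_FLUSH_GLOBAL;` before the loop would leave the per-state test as the rule-pointer comparison alone. pf_src_connlimit starts before this hunk and the loop body continues past it.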
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3c385a966c3..cbffd25aa5d 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.205 2004/12/04 07:49:48 mcbride Exp $ */
+/* $OpenBSD: pfvar.h,v 1.206 2004/12/07 05:30:26 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -537,6 +537,10 @@ struct pf_rule {
u_int8_t tos;
u_int8_t anchor_relative;
u_int8_t anchor_wildcard;
+
+#define PF_FLUSH 0x01
+#define PF_FLUSH_GLOBAL 0x02
+ u_int8_t flush;
};
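Review bot: The two new bits carry no comments, unlike the PFRULE_* flags a few lines below, and `flush` is a field of struct pf_rule that crosses the pf ioctl boundary, so its encoding belongs in the header: `#define PF_FLUSH 0x01 /* flush states on src-track overload */`, `#define PF_FLUSH_GLOBAL 0x02 /* ... from every rule, not only the matching one */`, and `u_int8_t flush; /* PF_FLUSH* bits */`. Adding a member to struct pf_rule changes the layout userland (pfctl) exchanges with the kernel, so the matching userland update needs to land with this change; nothing in this diff shows how that is coordinated. struct pf_rule starts before this hunk.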
/* rule flags */
@@ -548,7 +552,6 @@ struct pf_rule {
#define PFRULE_NOSYNC 0x0010
#define PFRULE_SRCTRACK 0x0020 /* track source states */
#define PFRULE_RULESRCTRACK 0x0040 /* per rule */
-#define PFRULE_SRCTRACK_FLUSH 0x0080 /* flush for src_node->open_states */
/* scrub flags */
#define PFRULE_NODF 0x0100
@@ -1219,7 +1222,8 @@ struct pfioc_table {
struct pfr_table pfrio_table;
void *pfrio_buffer;
int pfrio_esize;
- int pfrio_size;
+ int pfrio_size; /* entries this transaction */
+ int pfrio_tsize; /* total entries */
int pfrio_size2;
int pfrio_nadd;
int pfrio_ndel;
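Review bot: `pfrio_tsize` is a caller-supplied count that arrives through the pf ioctl interface next to `pfrio_size`, and nothing in this diff shows the kernel checking that both are non-negative and that `pfrio_size <= pfrio_tsize` before the total is used for allocation or bookkeeping; the pfr_* functions gaining the extra `int` parameter further down are presumably where that bound must be enforced, but their bodies are not visible here. Recording the contract in the header, e.g. `int pfrio_tsize; /* total entries across all transactions; >= pfrio_size */`, would make the expectation explicit for callers and reviewers. struct pfioc_table continues past this hunk.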
@@ -1444,12 +1448,12 @@ int pfr_clr_tstats(struct pfr_table *, int, int *, int);
int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
int pfr_clr_addrs(struct pfr_table *, int *, int);
int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
-int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int);
-int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int);
-int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int *, int *, int *, int);
+int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int, u_int32_t *);
+int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int, u_int32_t *);
+int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int *, int *, int *, int, u_int32_t *);
int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
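Review bot: The parameters added to pfr_add_addrs, pfr_del_addrs and pfr_set_addrs are unnamed (`int, int, int *, int, u_int32_t *`), so a reader of the header cannot tell which `int` is the per-transaction count and which the total, nor what the `u_int32_t *` carries; it presumably pairs with the new `pfrio_tsize` field, but that is not shown here. Naming them in the prototypes, along the lines of `int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int size, int tsize, int *nadd, int flags, u_int32_t * /* out */);`, would make the widened signatures self-documenting and guard against callers transposing the two counts. These are declarations only; the corresponding definitions are outside this diff.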