Since pf 4.5 import pf(4) has a mechanism to defer
forwarding a packet, that creates state, until pfsync(4) peer acks state addition (or 10 msec timeout passes). This is needed for active-active CARP configurations, which are poorly supported in FreeBSD and arguably a good idea at all. Unfortunately by the time of import this feature in OpenBSD was turned on, and did not have a switch to turn it off. This leaked to FreeBSD. This change make it possible to turn this feature off via ioctl() and turns it off by default. Obtained from: OpenBSD
This commit is contained in:
Gleb Smirnoff
parent
a2a4a2aa53
commit
64484cf630
@ -50,6 +50,7 @@
|
||||
* 1.128 - cleanups
|
||||
* 1.146 - bzero() mbuf before sparsely filling it with data
|
||||
* 1.170 - SIOCSIFMTU checks
|
||||
* 1.126, 1.142 - deferred packets processing
|
||||
*/
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
@ -262,6 +263,7 @@ struct pfsync_softc {
|
||||
|
||||
struct pfsync_upd_reqs sc_upd_req_list;
|
||||
|
||||
int sc_defer;
|
||||
struct pfsync_deferrals sc_deferrals;
|
||||
u_int sc_deferred;
|
||||
|
||||
@ -1805,6 +1807,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
||||
}
|
||||
pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer;
|
||||
pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates;
|
||||
pfsyncr.pfsyncr_defer = sc->sc_defer;
|
||||
return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr)));
|
||||
|
||||
case SIOCSETPFSYNC:
|
||||
@ -1840,6 +1843,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
||||
}
|
||||
#endif
|
||||
sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;
|
||||
sc->sc_defer = pfsyncr.pfsyncr_defer;
|
||||
|
||||
if (pfsyncr.pfsyncr_syncdev[0] == 0) {
|
||||
sc->sc_sync_if = NULL;
|
||||
@ -2378,10 +2382,7 @@ pfsync_insert_state(struct pf_state *st)
|
||||
|
||||
pfsync_q_ins(st, PFSYNC_S_INS);
|
||||
|
||||
if (ISSET(st->state_flags, PFSTATE_ACK))
|
||||
schednetisr(NETISR_PFSYNC);
|
||||
else
|
||||
st->sync_updates = 0;
|
||||
st->sync_updates = 0;
|
||||
}
|
||||
|
||||
int defer = 10;
|
||||
@ -2402,6 +2403,9 @@ pfsync_defer(struct pf_state *st, struct mbuf *m)
|
||||
splassert(IPL_SOFTNET);
|
||||
#endif
|
||||
|
||||
if (!sc->sc_defer || m->m_flags & (M_BCAST|M_MCAST))
|
||||
return (0);
|
||||
|
||||
if (sc->sc_deferred >= 128)
|
||||
pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0);
|
||||
|
||||
@ -2430,6 +2434,8 @@ pfsync_defer(struct pf_state *st, struct mbuf *m)
|
||||
timeout_add(&pd->pd_tmo, defer);
|
||||
#endif
|
||||
|
||||
swi_sched(V_pfsync_swi_cookie, 0);
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
||||
|
||||
@ -265,7 +265,7 @@ struct pfsyncreq {
|
||||
char pfsyncr_syncdev[IFNAMSIZ];
|
||||
struct in_addr pfsyncr_syncpeer;
|
||||
int pfsyncr_maxupdates;
|
||||
int pfsyncr_authlevel;
|
||||
int pfsyncr_defer;
|
||||
};
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user