Only decrement the max-src-conn counter for tcp connections that reached

"established" state. Similar to OpenBSD's rev. 1.499 by joel but not breaking ABI. Obtained from: OpenBSD (with changes) Reported by: Bruno Afonso MFC after: 3 days X-MFC: together with local_flags
2005-12-25 23:52:00 +00:00 · 2005-12-25 23:52:00 +00:00 · 6ae8d74a9e
commit 6ae8d74a9e
parent e2f9880300
2 changed files with 8 additions and 0 deletions
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@ -742,6 +742,9 @@ pf_src_connlimit(struct pf_state **state)
 	int bad = 0;

 	(*state)->src_node->conn++;
+#ifdef __FreeBSD__
+	(*state)->local_flags |= PFSTATE_SRC_CONN;
+#endif
 	pf_add_threshold(&(*state)->src_node->conn_rate);

 	if ((*state)->rule.ptr->max_src_conn &&
@ -1074,8 +1077,12 @@ pf_src_tree_remove_state(struct pf_state *s)

 	if (s->src_node != NULL) {
 		if (s->proto == IPPROTO_TCP) {
+#ifdef __FreeBSD__
+			if (s->local_flags & PFSTATE_SRC_CONN)
+#else
 			if (s->src.state == PF_TCPS_PROXY_DST ||
 			    s->timeout >= PFTM_TCP_ESTABLISHED)
+#endif
 				--s->src_node->conn;
 		}
 		if (--s->src_node->states <= 0) {
--- a/sys/contrib/pf/net/pfvar.h
+++ b/sys/contrib/pf/net/pfvar.h
@ -793,6 +793,7 @@ struct pf_state {
 #ifdef __FreeBSD__
 	u_int8_t	 local_flags;
 #define	PFSTATE_EXPIRING 0x01
+#define	PFSTATE_SRC_CONN 0x02
 #else
 	u_int8_t	 pad;
 #endif