d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Only decrement the max-src-conn counter for tcp connections that reached

Browse Source 
"established" state.

Similar to OpenBSD's rev. 1.499 by joel but not breaking ABI.

Obtained from:	OpenBSD (with changes)
Reported by:	Bruno Afonso
MFC after:	3 days
X-MFC:		together with local_flags
This commit is contained in:
Max Laier 2005-12-25 23:52:00 +00:00
parent e2f9880300
commit 6ae8d74a9e
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/contrib/pf/net/pf.c
View File

@ -742,6 +742,9 @@ pf_src_connlimit(struct pf_state **state)
int bad = 0; int bad = 0;
(*state)->src_node->conn++; (*state)->src_node->conn++;
#ifdef __FreeBSD__
(*state)->local_flags |= PFSTATE_SRC_CONN;
#endif
pf_add_threshold(&(*state)->src_node->conn_rate); pf_add_threshold(&(*state)->src_node->conn_rate);
if ((*state)->rule.ptr->max_src_conn && if ((*state)->rule.ptr->max_src_conn &&
@ -1074,8 +1077,12 @@ pf_src_tree_remove_state(struct pf_state *s)
if (s->src_node != NULL) { if (s->src_node != NULL) {
if (s->proto == IPPROTO_TCP) { if (s->proto == IPPROTO_TCP) {
#ifdef __FreeBSD__
if (s->local_flags & PFSTATE_SRC_CONN)
#else
if (s->src.state == PF_TCPS_PROXY_DST || if (s->src.state == PF_TCPS_PROXY_DST ||
s->timeout >= PFTM_TCP_ESTABLISHED) s->timeout >= PFTM_TCP_ESTABLISHED)
#endif
--s->src_node->conn; --s->src_node->conn;
} }
if (--s->src_node->states <= 0) { if (--s->src_node->states <= 0) {

1
sys/contrib/pf/net/pfvar.h
View File

@ -793,6 +793,7 @@ struct pf_state {
#ifdef __FreeBSD__ #ifdef __FreeBSD__
u_int8_t local_flags; u_int8_t local_flags;
#define PFSTATE_EXPIRING 0x01 #define PFSTATE_EXPIRING 0x01
#define PFSTATE_SRC_CONN 0x02
#else #else
u_int8_t pad; u_int8_t pad;
#endif #endif