Author: glebius
Date: Tue Apr  3 18:09:20 2012
New Revision: 233846
URL: http://svn.freebsd.org/changeset/base/233846

Log:
  Since pf 4.5 import pf(4) has a mechanism to defer
  forwarding a packet, that creates state, until
  pfsync(4) peer acks state addition (or 10 msec
  timeout passes).
  
  This is needed for active-active CARP configurations,
  which are poorly supported in FreeBSD and arguably
  a good idea at all.
  
  Unfortunately by the time of import this feature in
  OpenBSD was turned on, and did not have a switch to
  turn it off. This leaked to FreeBSD.
  
  This change makes it possible to turn this feature
  off via ioctl() and turns it off by default.
  
  Obtained from:        OpenBSD

Modified:
  head/sys/contrib/pf/net/if_pfsync.c
  head/sys/contrib/pf/net/if_pfsync.h

Modified: head/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- head/sys/contrib/pf/net/if_pfsync.c Tue Apr  3 17:48:42 2012        
(r233845)
+++ head/sys/contrib/pf/net/if_pfsync.c Tue Apr  3 18:09:20 2012        
(r233846)
@@ -50,6 +50,7 @@
  * 1.128 - cleanups
  * 1.146 - bzero() mbuf before sparsely filling it with data
  * 1.170 - SIOCSIFMTU checks
+ * 1.126, 1.142 - deferred packets processing
  */
 
 #ifdef __FreeBSD__
@@ -262,6 +263,7 @@ struct pfsync_softc {
 
        struct pfsync_upd_reqs   sc_upd_req_list;
 
+       int                      sc_defer;
        struct pfsync_deferrals  sc_deferrals;
        u_int                    sc_deferred;
 
@@ -1805,6 +1807,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cm
                }
                pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer;
                pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates;
+               pfsyncr.pfsyncr_defer = sc->sc_defer;
                return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr)));
 
        case SIOCSETPFSYNC:
@@ -1840,6 +1843,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cm
                }
 #endif
                sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;
+               sc->sc_defer = pfsyncr.pfsyncr_defer;
 
                if (pfsyncr.pfsyncr_syncdev[0] == 0) {
                        sc->sc_sync_if = NULL;
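Review bot: `sc->sc_defer = pfsyncr.pfsyncr_defer;` stores the caller-supplied int unchanged, while the only consumer visible in this commit, pfsync_defer(), tests it as a boolean (`!sc->sc_defer`). Normalizing at the ioctl boundary, `sc->sc_defer = (pfsyncr.pfsyncr_defer != 0);`, keeps the value that SIOCGETPFSYNC reports back well defined. The assignment also precedes the `pfsyncr_syncdev` handling that follows, so if a later step in this case fails the new setting presumably stays applied. The rest of the case, including any privilege check at its start, is outside the hunk.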
@@ -2378,10 +2382,7 @@ pfsync_insert_state(struct pf_state *st)
 
        pfsync_q_ins(st, PFSYNC_S_INS);
 
-       if (ISSET(st->state_flags, PFSTATE_ACK))
-               schednetisr(NETISR_PFSYNC);
-       else
-               st->sync_updates = 0;
+       st->sync_updates = 0;
 }
 
 int defer = 10;
@@ -2402,6 +2403,9 @@ pfsync_defer(struct pf_state *st, struct
        splassert(IPL_SOFTNET);
 #endif
 
+       if (!sc->sc_defer || m->m_flags & (M_BCAST|M_MCAST))
+               return (0);
+
        if (sc->sc_deferred >= 128)
                pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0);
 
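Review bot: The new guard `if (!sc->sc_defer || m->m_flags & (M_BCAST|M_MCAST))` relies on `&` binding tighter than `||`, and nothing says why broadcast and multicast packets skip deferral. It reads more safely as `if (!sc->sc_defer || (m->m_flags & (M_BCAST|M_MCAST)))`, with a short comment such as `/* deferral disabled, or packet is not unicast: forward immediately */`. pfsync_defer() begins and continues outside this hunk, so where `sc` is assigned is not visible here.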
@@ -2430,6 +2434,8 @@ pfsync_defer(struct pf_state *st, struct
        timeout_add(&pd->pd_tmo, defer);
 #endif
 
+       swi_sched(V_pfsync_swi_cookie, 0);
+
        return (1);
 }
 
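Review bot: `swi_sched(V_pfsync_swi_cookie, 0);` is added after the `#endif` that closes the `timeout_add()` branch, so it is compiled on both sides of the `__FreeBSD__` conditional, although `swi_sched()` and the `V_`-prefixed cookie look FreeBSD-specific. The scheduling call this commit removes from pfsync_insert_state() was `schednetisr(NETISR_PFSYNC)`, which suggests the other branch wants that call here. If the file is meant to keep both branches consistent, guard the call as below. The start of pfsync_defer() is outside the hunk.
```c
	/* … unchanged: per-platform timeout setup ending in #endif … */

#ifdef __FreeBSD__
	swi_sched(V_pfsync_swi_cookie, 0);
#else
	schednetisr(NETISR_PFSYNC);
#endif
```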

Modified: head/sys/contrib/pf/net/if_pfsync.h
==============================================================================
--- head/sys/contrib/pf/net/if_pfsync.h Tue Apr  3 17:48:42 2012        
(r233845)
+++ head/sys/contrib/pf/net/if_pfsync.h Tue Apr  3 18:09:20 2012        
(r233846)
@@ -265,7 +265,7 @@ struct pfsyncreq {
        char             pfsyncr_syncdev[IFNAMSIZ];
        struct in_addr   pfsyncr_syncpeer;
        int              pfsyncr_maxupdates;
-       int              pfsyncr_authlevel;
+       int              pfsyncr_defer;
 };
 
 #ifdef __FreeBSD__
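Review bot: `pfsyncr_defer` takes over the slot previously named `pfsyncr_authlevel` without a comment, so nothing at the declaration says that the field is a boolean or that the layout was kept deliberately. Because the struct's size and offsets are unchanged, a binary built against the old header that leaves a non-zero value in that slot would enable deferral through SIOCSETPFSYNC, even though the commit's stated default is off. I would add `/* non-zero: defer state-creating packets until the peer acks; was pfsyncr_authlevel */` on the field.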