On Mon, Jul 30, 2012 at 12:07:15AM +0200, Hrvoje Popovski wrote:
> On 29.7.2012. 18:09, Mike Belopuhov wrote:
> > On Sun, Jul 29, 2012 at 5:47 PM, Hrvoje Popovski wrote:
> >>
> >> Hello,
> >>
> >> I have tested your patches with torrent box behind 2 firewalls (nat,
> >> carp,pfsync). One firewall is patched and second box isn't. Both of them
> >> quite often export flows with duration of 429496*
> >>
> >
> > is it possible that these flows are coming from the unpatched box?
> > you can compare creatorid value to the hostid that is printed by
> > pfctl -vsi.
> >
>
> Hello,
>
> now with only one patched firewall, second firewall is halted, I'm still
> having flows with 4294*.
>
There are 3 calls to pf_unlink_state in pf.c which lead to pflow (and
some more in if_pfsync.c and pf_ioctl.c). I think my patch fixes the
call in pf_purge_expired_states and you are seeing the call in
pf_test_state_tcp.
Benno pointed out that we can skip the timeout dance in if_pflow.c
since with my patch st->expire contains time_uptime when the last
package for that state was seen. This is supposed to be on top of my
original patch:
Index: sys/net/if_pflow.c
===================================================================
RCS file: /opt/OpenBSD-CVS/src/sys/net/if_pflow.c,v
retrieving revision 1.20
diff -u -p -r1.20 if_pflow.c
--- sys/net/if_pflow.c 11 Apr 2012 17:42:53 -0000 1.20
+++ sys/net/if_pflow.c 30 Jul 2012 09:08:43 -0000
@@ -555,10 +555,8 @@ copy_flow_data(struct pflow_flow *flow1,
flow1->flow_start = flow2->flow_start =
htonl(st->creation * 1000);
- flow1->flow_finish = flow2->flow_finish =
- htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ?
- st->rule.ptr->timeout[st->timeout] :
- pf_default_rule.timeout[st->timeout])) * 1000);
+ flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000);
+
flow1->tcp_flags = flow2->tcp_flags = 0;
flow1->protocol = flow2->protocol = sk->proto;
flow1->tos = flow2->tos = st->rule.ptr->tos;
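Review bot: the whitespace-only `+` line added after the new flow_finish assignment (before `flow1->tcp_flags = flow2->tcp_flags = 0;`) is not mirrored in the copy_flow4_data and copy_flow6_data hunks; drop it so the three functions keep the same layout. Also, the new value `htonl(st->expire * 1000)` is only a "last packet seen" timestamp on a tree that carries the earlier patch the message refers to; the commit message should state that dependency so the two changes are not committed separately.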
@@ -582,10 +580,7 @@ copy_flow4_data(struct pflow_flow4 *flow
flow1->flow_start = flow2->flow_start =
htonl(st->creation * 1000);
- flow1->flow_finish = flow2->flow_finish =
- htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ?
- st->rule.ptr->timeout[st->timeout] :
- pf_default_rule.timeout[st->timeout])) * 1000);
+ flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000);
flow1->protocol = flow2->protocol = sk->proto;
flow1->tos = flow2->tos = st->rule.ptr->tos;
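Review bot: the removed expression `time_uptime - (... timeout ...)` is the likely source of the 429496* durations reported above and deserves a sentence in the commit message: for a state unlinked before it has been alive for a full timeout (the pf_test_state_tcp path named in the reply), uptime minus timeout lies before st->creation, so flow_finish ends up smaller than flow_start and the collector's unsigned 32-bit subtraction of the two millisecond fields yields a value just under 2^32. Replacing it with `st->expire * 1000` makes flow_finish monotonic with respect to flow_start for every unlink path, not only the purge path.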
@@ -610,10 +605,7 @@ copy_flow6_data(struct pflow_flow6 *flow
flow1->flow_start = flow2->flow_start =
htonl(st->creation * 1000);
- flow1->flow_finish = flow2->flow_finish =
- htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ?
- st->rule.ptr->timeout[st->timeout] :
- pf_default_rule.timeout[st->timeout])) * 1000);
+ flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000);
flow1->protocol = flow2->protocol = sk->proto;
flow1->tos = flow2->tos = st->rule.ptr->tos;
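Review bot: after this hunk copy_flow_data, copy_flow4_data and copy_flow6_data all compute the two timestamps with identical lines (`htonl(st->creation * 1000)` and `htonl(st->expire * 1000)`), and this fix had to be applied three times; consider moving the flow_start/flow_finish assignments into a small shared helper so the next change to the timestamp encoding only needs to land once.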
--
I'm not entirely sure you are real.
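The wraparound behind the 429496* durations, as an added example that is not part of this thread or of OpenBSD's if_pflow.c: it models the removed and the new flow_finish computations with the ms scaling and htonl() visible in the hunks, feeds them constructed values, and adds a collector-side sanity check. It assumes, as the message states, that with the earlier patch st->expire holds the uptime at which the last packet for the state was seen, and that a state can be unlinked before its timeout has elapsed; the function and variable names below are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <arpa/inet.h>

/*
 * Constructed model of the two flow_finish encodings from the thread.
 * Not OpenBSD code: the 1000x millisecond scaling and the htonl() call
 * mirror the visible copy_flow*_data() lines; every value passed in is
 * made up for the demonstration.
 */

/* Before the patch: finish = (time_uptime - effective timeout) * 1000,
 * where the rule's own timeout wins over pf_default_rule's when set. */
uint32_t old_flow_finish(time_t time_uptime, int rule_timeout, int default_timeout)
{
    int timeout = rule_timeout ? rule_timeout : default_timeout;
    /* the implicit narrowing to htonl()'s 32-bit argument is made explicit */
    return htonl((uint32_t)((time_uptime - timeout) * 1000));
}

/* After the patch: finish = st->expire * 1000, with st->expire being the
 * uptime of the last packet seen (assumption taken from the message). */
uint32_t new_flow_finish(time_t expire)
{
    return htonl((uint32_t)(expire * 1000));
}

/* Unchanged in both versions: start = st->creation * 1000. */
uint32_t flow_start(time_t creation)
{
    return htonl((uint32_t)(creation * 1000));
}

/* What a NetFlow collector does with the record: both fields are unsigned
 * 32-bit millisecond uptimes, so finish - start wraps modulo 2^32 whenever
 * finish is earlier than start. */
uint32_t duration_ms(uint32_t start_be, uint32_t finish_be)
{
    return ntohl(finish_be) - ntohl(start_be);
}

/* Heuristic check for exported records (this example's own, not pflow's):
 * a flow cannot be longer than the exporter has been up, so a larger
 * duration is a wrapped negative value worth flagging. */
int duration_is_wrapped(uint32_t duration, time_t time_uptime)
{
    return duration > (uint32_t)(time_uptime * 1000);
}

int main(void)
{
    /* Constructed scenario: state created at uptime 40 s, last packet and
     * unlink at uptime 95 s, rule timeout 60 s. The state is 55 s old,
     * younger than its timeout, like a TCP state torn down by a RST. */
    time_t creation = 40, last_seen = 95, uptime = 95;
    int timeout = 60;

    uint32_t start = flow_start(creation);
    uint32_t old_d = duration_ms(start, old_flow_finish(uptime, timeout, 0));
    uint32_t new_d = duration_ms(start, new_flow_finish(last_seen));

    printf("old formula: duration %lu ms (wrapped: %s)\n",
           (unsigned long)old_d, duration_is_wrapped(old_d, uptime) ? "yes" : "no");
    printf("new formula: duration %lu ms (wrapped: %s)\n",
           (unsigned long)new_d, duration_is_wrapped(new_d, uptime) ? "yes" : "no");
    return 0;
}
```

With these numbers the old formula reports a finish of 35000 ms against a start of 40000 ms, and the collector's unsigned subtraction turns the -5000 ms gap into 4294962296 ms, the 429496* pattern from the report; the new formula gives the expected 55000 ms. The duration_is_wrapped() check is a cheap way for a collector or pipeline to catch such records from exporters that have not been patched.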