On 30.7.2012. 12:32, Florian Obser wrote:
> On Mon, Jul 30, 2012 at 12:07:15AM +0200, Hrvoje Popovski wrote:
>> On 29.7.2012. 18:09, Mike Belopuhov wrote:
>>> On Sun, Jul 29, 2012 at 5:47 PM, Hrvoje Popovski wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have tested your patches with a torrent box behind 2 firewalls (nat,
>>>> carp, pfsync). One firewall is patched and the second box isn't. Both of them
>>>> quite often export flows with a duration of 429496*
>>>>
>>>
>>> is it possible that these flows are coming from the unpatched box?
>>> you can compare the creatorid value to the hostid that is printed by
>>> pfctl -vsi.
>>>
>>
>> Hello,
>>
>> now with only one patched firewall, the second firewall is halted, I'm still
>> having flows with 4294*.
>>
>
> There are 3 calls to pf_unlink_state in pf.c which lead to pflow (and
> some more in if_pfsync.c and pf_ioctl.c). I think my patch fixes the
> call in pf_purge_expired_states and you are seeing the call in
> pf_test_state_tcp.
>
> Benno pointed out that we can skip the timeout dance in if_pflow.c
> since with my patch st->expire contains time_uptime when the last
> package for that state was seen. This is supposed to be on top of my
> original patch:
>
> Index: sys/net/if_pflow.c
> ===================================================================
> RCS file: /opt/OpenBSD-CVS/src/sys/net/if_pflow.c,v
> retrieving revision 1.20
> diff -u -p -r1.20 if_pflow.c
> --- sys/net/if_pflow.c 11 Apr 2012 17:42:53 -0000 1.20
> +++ sys/net/if_pflow.c 30 Jul 2012 09:08:43 -0000
> @@ -555,10 +555,8 @@ copy_flow_data(struct pflow_flow *flow1, > > flow1->flow_start = flow2->flow_start = > htonl(st->creation * 1000); > - flow1->flow_finish = flow2->flow_finish = > - htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ? > - st->rule.ptr->timeout[st->timeout] : > - pf_default_rule.timeout[st->timeout])) * 1000); > + flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000); > + > flow1->tcp_flags = flow2->tcp_flags = 0; > flow1->protocol = flow2->protocol = sk->proto; > flow1->tos = flow2->tos = st->rule.ptr->tos; > @@ -582,10 +580,7 @@ copy_flow4_data(struct pflow_flow4 *flow > > flow1->flow_start = flow2->flow_start = > htonl(st->creation * 1000); > - flow1->flow_finish = flow2->flow_finish = > - htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ? > - st->rule.ptr->timeout[st->timeout] : > - pf_default_rule.timeout[st->timeout])) * 1000); > + flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000); > > flow1->protocol = flow2->protocol = sk->proto; > flow1->tos = flow2->tos = st->rule.ptr->tos; > @@ -610,10 +605,7 @@ copy_flow6_data(struct pflow_flow6 *flow > > flow1->flow_start = flow2->flow_start = > htonl(st->creation * 1000); > - flow1->flow_finish = flow2->flow_finish = > - htonl((time_uptime - (st->rule.ptr->timeout[st->timeout] ? > - st->rule.ptr->timeout[st->timeout] : > - pf_default_rule.timeout[st->timeout])) * 1000); > + flow1->flow_finish = flow2->flow_finish = htonl(st->expire * 1000); > > flow1->protocol = flow2->protocol = sk->proto; > flow1->tos = flow2->tos = st->rule.ptr->tos; > >
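Review bot: the copy_flow_data hunk (@@ -555) adds a stray empty line (the lone `+` after the new flow_finish assignment) that the copy_flow4_data and copy_flow6_data hunks do not add; drop it so the three functions stay textually identical. More importantly, `htonl(st->expire * 1000)` only yields a sane Last timestamp if every state that reaches pflow had st->expire refreshed to time_uptime on its last packet, which the mail says the original patch guarantees for the pf_purge_expired_states path but leaves open for the pf_test_state_tcp path; a state unlinked with st->expire still below st->creation produces exactly the wrapped 32-bit duration the reporter sees. A defensive clamp at this point, e.g. `if (st->expire < st->creation)` falling back to st->creation, would keep bogus records off the collector while the pf.c side is sorted out.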
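Review bot: the copy_flow4_data hunk (@@ -582) now carries the same `htonl(st->expire * 1000)` expression as copy_flow_data and copy_flow6_data, and the bug being chased is precisely this computation having drifted into three copies; consider a single static inline helper (a hypothetical `pflow_flow_times(st, &start, &finish)`, for instance) that fills flow_start and flow_finish for all three callers so any later correction lands in one place. Note also that both `st->creation * 1000` and `st->expire * 1000` are evaluated in 32-bit arithmetic and wrap after about 49.7 days of uptime; NetFlow's First/Last fields are 32-bit millisecond uptime by definition, so that wrap is expected, but it means a collector can only recover the duration as Last minus First modulo 2^32, which is why Last < First shows up as 4294*.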
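Review bot: after the copy_flow6_data hunk (@@ -610) none of the three copy functions consults st->rule.ptr->timeout or pf_default_rule.timeout any more, so the per-rule timeout no longer influences the exported record at all; say so in the commit message, since that is a behavioural change for collectors that relied on Last being "now minus timeout" for idle-expired states. Given the follow-up in this thread that 4294* durations persist with both patches applied, the removed timeout arithmetic cannot be the remaining source of the wrap; the suspect is the value of st->expire at the time pf_unlink_state is called (the mail names pf_test_state_tcp), so the next fix belongs in pf.c rather than here. Logging the (creation, expire) pair for any state where expire < creation at this call site would confirm that quickly against the reporter's capture.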
Hello,

I have applied your new patch on top of the old one and I still see 4294* flow durations. I have tcpdumped 5 min of netflow traffic on the collector and have the same 5 min of netflow data if you are interested.

http://kosjenka.srce.hr/~hrvoje/netflow.pcap
http://kosjenka.srce.hr/~hrvoje/netflow.txt
