svn commit: r234486 - projects/pf/head/sys/contrib/pf/net

Gleb Smirnoff glebius at FreeBSD.org
Fri Apr 20 09:43:43 UTC 2012 

Author: glebius
Date: Fri Apr 20 09:43:42 2012
New Revision: 234486
URL: http://svn.freebsd.org/changeset/base/234486

Log:
  Use monotonic time_uptime to drive expiry of states, source nodes, fragments,
  thresholds.

Modified:
  projects/pf/head/sys/contrib/pf/net/if_pfsync.c
  projects/pf/head/sys/contrib/pf/net/pf.c
  projects/pf/head/sys/contrib/pf/net/pf_ioctl.c
  projects/pf/head/sys/contrib/pf/net/pf_norm.c

Modified: projects/pf/head/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- projects/pf/head/sys/contrib/pf/net/if_pfsync.c	Fri Apr 20 08:26:05 2012	(r234485)
+++ projects/pf/head/sys/contrib/pf/net/if_pfsync.c	Fri Apr 20 09:43:42 2012	(r234486)
@@ -495,7 +495,7 @@ pfsync_state_import(struct pfsync_state 
 	/* copy to state */
 	bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
 	st->creation = time_uptime - ntohl(sp->creation);
-	st->expire = time_second;
+	st->expire = time_uptime;
 	if (sp->expire) {
 		uint32_t timeout;
 
@@ -898,7 +898,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st
 		pfsync_alloc_scrub_memory(&sp->dst, &st->dst);
 		pf_state_peer_ntoh(&sp->src, &st->src);
 		pf_state_peer_ntoh(&sp->dst, &st->dst);
-		st->expire = time_second;
+		st->expire = time_uptime;
 		st->timeout = sp->timeout;
 		st->pfsync_time = time_uptime;
 		PF_STATE_UNLOCK(st);
@@ -992,7 +992,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, 
 		pfsync_alloc_scrub_memory(&up->dst, &st->dst);
 		pf_state_peer_ntoh(&up->src, &st->src);
 		pf_state_peer_ntoh(&up->dst, &st->dst);
-		st->expire = time_second;
+		st->expire = time_uptime;
 		st->timeout = up->timeout;
 		st->pfsync_time = time_uptime;
 		PF_STATE_UNLOCK(st);

Modified: projects/pf/head/sys/contrib/pf/net/pf.c
==============================================================================
--- projects/pf/head/sys/contrib/pf/net/pf.c	Fri Apr 20 08:26:05 2012	(r234485)
+++ projects/pf/head/sys/contrib/pf/net/pf.c	Fri Apr 20 09:43:42 2012	(r234486)
@@ -436,13 +436,13 @@ pf_init_threshold(struct pf_threshold *t
 	threshold->limit = limit * PF_THRESHOLD_MULT;
 	threshold->seconds = seconds;
 	threshold->count = 0;
-	threshold->last = time_second;
+	threshold->last = time_uptime;
 }
 
 static void
 pf_add_threshold(struct pf_threshold *threshold)
 {
-	u_int32_t t = time_second, diff = t - threshold->last;
+	u_int32_t t = time_uptime, diff = t - threshold->last;
 
 	if (diff >= threshold->seconds)
 		threshold->count = 0;
@@ -627,7 +627,7 @@ pf_insert_src_node(struct pf_src_node **
 		(*sn)->rule.ptr = rule;
 		PF_ACPY(&(*sn)->addr, src, af);
 		LIST_INSERT_HEAD(&sh->nodes, *sn, entry);
-		(*sn)->creation = time_second;
+		(*sn)->creation = time_uptime;
 		(*sn)->ruletype = rule->action;
 		if ((*sn)->rule.ptr != NULL)
 			(*sn)->rule.ptr->src_nodes++;
@@ -1324,7 +1324,7 @@ pf_state_expires(const struct pf_state *
 
 	/* handle all PFTM_* > PFTM_MAX here */
 	if (state->timeout == PFTM_PURGE)
-		return (time_second);
+		return (time_uptime);
 	if (state->timeout == PFTM_UNTIL_PACKET)
 		return (0);
 	KASSERT(state->timeout != PFTM_UNLINKED,
@@ -1348,7 +1348,7 @@ pf_state_expires(const struct pf_state *
 			return (state->expire + timeout * (end - states) /
 			    (end - start));
 		else
-			return (time_second);
+			return (time_uptime);
 	}
 	return (state->expire + timeout);
 }
@@ -1363,7 +1363,7 @@ pf_purge_expired_src_nodes()
 	for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask; i++, sh++) {
 	    PF_HASHROW_LOCK(sh);
 	    LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next) 
-		if (cur->states <= 0 && cur->expire <= time_second) {
+		if (cur->states <= 0 && cur->expire <= time_uptime) {
 			if (cur->rule.ptr != NULL) {
 				cur->rule.ptr->src_nodes--;
 				if (cur->rule.ptr->states_cur <= 0 &&
@@ -1392,7 +1392,7 @@ pf_src_tree_remove_state(struct pf_state
 			if (!timeout)
 				timeout =
 				    V_pf_default_rule.timeout[PFTM_SRC_NODE];
-			s->src_node->expire = time_second + timeout;
+			s->src_node->expire = time_uptime + timeout;
 		}
 	}
 	if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
@@ -1401,7 +1401,7 @@ pf_src_tree_remove_state(struct pf_state
 			if (!timeout)
 				timeout =
 				    V_pf_default_rule.timeout[PFTM_SRC_NODE];
-			s->nat_src_node->expire = time_second + timeout;
+			s->nat_src_node->expire = time_uptime + timeout;
 		}
 	}
 	s->src_node = s->nat_src_node = NULL;
@@ -1501,7 +1501,7 @@ pf_purge_expired_states(int maxcheck)
 relock:
 		PF_HASHROW_LOCK(ih);
 		LIST_FOREACH(s, &ih->states, entry) {
-			if (pf_state_expires(s) <= time_second) {
+			if (pf_state_expires(s) <= time_uptime) {
 				pf_unlink_state(s, PF_ENTER_LOCKED);
 				goto relock;
 			}
@@ -3365,8 +3365,8 @@ pf_create_state(struct pf_rule *r, struc
 		s->timeout = PFTM_OTHER_FIRST_PACKET;
 	}
 
-	s->creation = time_second;
-	s->expire = time_second;
+	s->creation = time_uptime;
+	s->expire = time_uptime;
 
 	if (sn != NULL) {
 		s->src_node = sn;
@@ -3781,7 +3781,7 @@ pf_tcp_track_full(struct pf_state_peer *
 			src->state = dst->state = TCPS_TIME_WAIT;
 
 		/* update expire time */
-		(*state)->expire = time_second;
+		(*state)->expire = time_uptime;
 		if (src->state >= TCPS_FIN_WAIT_2 &&
 		    dst->state >= TCPS_FIN_WAIT_2)
 			(*state)->timeout = PFTM_TCP_CLOSED;
@@ -3962,7 +3962,7 @@ pf_tcp_track_sloppy(struct pf_state_peer
 		src->state = dst->state = TCPS_TIME_WAIT;
 
 	/* update expire time */
-	(*state)->expire = time_second;
+	(*state)->expire = time_uptime;
 	if (src->state >= TCPS_FIN_WAIT_2 &&
 	    dst->state >= TCPS_FIN_WAIT_2)
 		(*state)->timeout = PFTM_TCP_CLOSED;
@@ -4189,7 +4189,7 @@ pf_test_state_udp(struct pf_state **stat
 		dst->state = PFUDPS_MULTIPLE;
 
 	/* update expire time */
-	(*state)->expire = time_second;
+	(*state)->expire = time_uptime;
 	if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
 		(*state)->timeout = PFTM_UDP_MULTIPLE;
 	else
@@ -4276,7 +4276,7 @@ pf_test_state_icmp(struct pf_state **sta
 
 		STATE_LOOKUP(kif, &key, direction, *state, pd);
 
-		(*state)->expire = time_second;
+		(*state)->expire = time_uptime;
 		(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
 
 		/* translate source/destination address, if necessary */
@@ -4844,7 +4844,7 @@ pf_test_state_other(struct pf_state **st
 		dst->state = PFOTHERS_MULTIPLE;
 
 	/* update expire time */
-	(*state)->expire = time_second;
+	(*state)->expire = time_uptime;
 	if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
 		(*state)->timeout = PFTM_OTHER_MULTIPLE;
 	else

Modified: projects/pf/head/sys/contrib/pf/net/pf_ioctl.c
==============================================================================
--- projects/pf/head/sys/contrib/pf/net/pf_ioctl.c	Fri Apr 20 08:26:05 2012	(r234485)
+++ projects/pf/head/sys/contrib/pf/net/pf_ioctl.c	Fri Apr 20 09:43:42 2012	(r234486)
@@ -3165,7 +3165,7 @@ DIOCGETSTATES_full:
 		    i++, sh++) {
 		    PF_HASHROW_LOCK(sh);
 		    LIST_FOREACH(n, &sh->nodes, entry) {
-			int	secs = time_second, diff;
+			int	secs = time_uptime, diff;
 
 			if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
 				break;
@@ -3340,12 +3340,12 @@ pfsync_state_export(struct pfsync_state 
 	/* copy from state */
 	strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
 	bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
-	sp->creation = htonl(time_second - st->creation);
+	sp->creation = htonl(time_uptime - st->creation);
 	sp->expire = pf_state_expires(st);
-	if (sp->expire <= time_second)
+	if (sp->expire <= time_uptime)
 		sp->expire = htonl(0);
 	else
-		sp->expire = htonl(sp->expire - time_second);
+		sp->expire = htonl(sp->expire - time_uptime);
 
 	sp->direction = st->direction;
 	sp->log = st->log;

Modified: projects/pf/head/sys/contrib/pf/net/pf_norm.c
==============================================================================
--- projects/pf/head/sys/contrib/pf/net/pf_norm.c	Fri Apr 20 08:26:05 2012	(r234485)
+++ projects/pf/head/sys/contrib/pf/net/pf_norm.c	Fri Apr 20 09:43:42 2012	(r234486)
@@ -234,7 +234,7 @@ void
 pf_purge_expired_fragments(void)
 {
 	struct pf_fragment	*frag;
-	u_int32_t		 expire = time_second -
+	u_int32_t		 expire = time_uptime -
 				    V_pf_default_rule.timeout[PFTM_FRAG];
 
 	PF_FRAG_LOCK();
@@ -359,7 +359,7 @@ pf_find_fragment(struct ip *ip, struct p
 	frag = RB_FIND(pf_frag_tree, tree, &key);
 	if (frag != NULL) {
 		/* XXX Are we sure we want to update the timeout? */
-		frag->fr_timeout = time_second;
+		frag->fr_timeout = time_uptime;
 		if (BUFFER_FRAGMENTS(frag)) {
 			TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next);
 			TAILQ_INSERT_HEAD(&V_pf_fragqueue, frag, frag_next);
@@ -429,7 +429,7 @@ pf_reassemble(struct mbuf **m0, struct p
 		(*frag)->fr_dst = frent->fr_ip->ip_dst;
 		(*frag)->fr_p = frent->fr_ip->ip_p;
 		(*frag)->fr_id = frent->fr_ip->ip_id;
-		(*frag)->fr_timeout = time_second;
+		(*frag)->fr_timeout = time_uptime;
 		LIST_INIT(&(*frag)->fr_queue);
 
 		RB_INSERT(pf_frag_tree, &V_pf_frag_tree, *frag);
@@ -639,7 +639,7 @@ pf_fragcache(struct mbuf **m0, struct ip
 		(*frag)->fr_dst = h->ip_dst;
 		(*frag)->fr_p = h->ip_p;
 		(*frag)->fr_id = h->ip_id;
-		(*frag)->fr_timeout = time_second;
+		(*frag)->fr_timeout = time_uptime;
 
 		cur->fr_off = off;
 		cur->fr_end = max;
@@ -1689,7 +1689,7 @@ pf_normalize_tcp_stateful(struct mbuf *m
 	getmicrouptime(&uptime);
 	if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) &&
 	    (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE ||
-	    time_second - state->creation > TS_MAX_CONN))  {
+	    time_uptime - state->creation > TS_MAX_CONN))  {
 		if (V_pf_status.debug >= PF_DEBUG_MISC) {
 			DPFPRINTF(("src idled out of PAWS\n"));
 			pf_print_state(state);

More information about the svn-src-projects mailing list