rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

Gleb Smirnoff glebius at freebsd.org
Mon Feb 18 18:07:37 UTC 2019


Thanks, Andreas!

Kristof, will you handle that? If you are busy, I can try to refresh
my memory.

On Mon, Feb 18, 2019 at 06:30:32PM +0100, Andreas Longwitz wrote:
A> Hello,
A> 
A> > Ok, thanks, I will commit the patch shortly.  I do not see a point in waiting
A> > for two more weeks, sure report me if anything goes wrong.
A> 
A> your patch for counter(9) on i386 definitely solves my problem discussed
A> in this thread.
A> 
A> Because fetching a counter is a rather expensive function we should use
A> counter_u64_fetch() in pf_state_expires() only when necessary. A "rdr
A> pass" rule should not cause more effort than separate "rdr" and "pass"
A> rules. For rules with adaptive timeout values the call of
A> counter_u64_fetch() should be accepted, but otherwise not.
A> 
A> For a small gain in performance especially for "rdr pass" rules I
A> suggest something like
A> 
A> --- pf.c.orig   2019-02-18 17:49:22.944751000 +0100
A> +++ pf.c        2019-02-18 17:55:07.396163000 +0100
A> @@ -1558,7 +1558,7 @@
A>         if (!timeout)
A>                 timeout = V_pf_default_rule.timeout[state->timeout];
A>         start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
A> -       if (start) {
A> +       if (start && state->rule.ptr != &V_pf_default_rule) {
A>                 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
A>                 states = counter_u64_fetch(state->rule.ptr->states_cur);
A>         } else {
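Review bot: the new condition `start && state->rule.ptr != &V_pf_default_rule` sends states bound to the default rule into the else branch even when their adaptive.start is non-zero, but that branch lies outside the shown context; confirm it derives start, end and the state count for a default-rule state from the same values the skipped path would have used, so the computed expiry is unchanged and this remains a pure performance change. A one-line comment above the condition saying that the comparison against &V_pf_default_rule exists only to avoid counter_u64_fetch() where the default rule's count is already available would keep the intent clear for the next reader.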
A> 
A> -- 
A> Andreas
A> 

-- 
Gleb Smirnoff
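To make the effect of the proposed guard concrete, here is a constructed C model of the adaptive-timeout expiry computation that the patched function performs (an added example, not pf's code or Andreas's patch): the struct layout, the scalar timeout, `global_states` standing in for pf's global state count, and the `fetch_calls` counter are all assumptions of the model.

```c
#include <stdint.h>

/* Constructed model of a pf rule: only one timeout class is modelled,
 * so `timeout` is a scalar instead of pf's per-class array. */
struct rule {
    uint32_t timeout;        /* base timeout, 0 = inherit from default rule */
    uint32_t adaptive_start; /* adaptive.start, 0 = inherit from default rule */
    uint32_t adaptive_end;   /* adaptive.end */
    uint64_t states_cur;     /* stands in for the per-rule counter(9) */
};

struct rule default_rule = { 30, 6000, 12000, 0 };
uint64_t global_states;      /* stands in for the global state count */
unsigned fetch_calls;        /* how often the "expensive" fetch ran */

/* The costly per-rule counter read the patch wants to avoid. */
static uint64_t counter_fetch(const struct rule *r)
{
    fetch_calls++;
    return r->states_cur;
}

/* Absolute expiry for a state of rule `r` whose base expiry is `expire`.
 * Adaptive scaling shrinks the timeout linearly once the state count
 * passes `start`, and expires the state at once past `end`. */
uint32_t model_expires(const struct rule *r, uint32_t expire, uint32_t now)
{
    uint32_t timeout = r->timeout ? r->timeout : default_rule.timeout;
    uint32_t start = r->adaptive_start, end;
    uint64_t states;

    if (start && r != &default_rule) {   /* the proposed guard */
        end = r->adaptive_end;
        states = counter_fetch(r);        /* only non-default rules pay */
    } else {
        start = default_rule.adaptive_start;
        end = default_rule.adaptive_end;
        states = global_states;           /* already known, no fetch */
    }
    if (end && states > start && start < end) {
        if (states < end)
            return expire + (uint32_t)((uint64_t)timeout * (end - states) / (end - start));
        return now;                       /* past adaptive.end: expire now */
    }
    return expire + timeout;
}
```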

