rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

Kristof Provost kp at FreeBSD.org
Mon Feb 18 20:17:26 UTC 2019


On 18 Feb 2019, at 18:30, Andreas Longwitz wrote:
>> Ok, thanks, I will commit the patch shortly.  I do not see a point in
>> waiting for two more weeks, sure, report to me if anything goes wrong.
>
> your patch for counter(9) on i386 definitely solves my problem
> discussed in this thread.
>
> Because fetching a counter is a rather expensive function we should
> use counter_u64_fetch() in pf_state_expires() only when necessary. A
> "rdr pass" rule should not cause more effort than separate "rdr" and
> "pass" rules. For rules with adaptive timeout values the call of
> counter_u64_fetch() should be accepted, but otherwise not.
>
> For a small gain in performance especially for "rdr pass" rules I
> suggest something like
>
> --- pf.c.orig   2019-02-18 17:49:22.944751000 +0100
> +++ pf.c        2019-02-18 17:55:07.396163000 +0100
> @@ -1558,7 +1558,7 @@
>         if (!timeout)
>                 timeout = V_pf_default_rule.timeout[state->timeout];
>         start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
> -       if (start) {
> +       if (start && state->rule.ptr != &V_pf_default_rule) {
>                 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
>                 states = 
> counter_u64_fetch(state->rule.ptr->states_cur);
>         } else {
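Review bot: the new condition `start && state->rule.ptr != &V_pf_default_rule` sends states owned by the default rule into the `else` branch, whose body is outside this hunk; before committing, confirm that branch computes the same `end` and `states` values the default rule would have produced here, otherwise the patch changes adaptive timeout behaviour for those states rather than only avoiding a counter fetch. Add a one-line comment above the `if` explaining why the default rule is excluded, since the intent (the `else` path already handles the default rule without touching `states_cur`) is not obvious from the condition alone. Also, the line `states = counter_u64_fetch(state->rule.ptr->states_cur);` has been wrapped by the mail client, so this hunk will not apply as pasted; send the diff as an attachment.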
>
I think that looks correct. Do you have any performance measurements on
this?

Although presumably it only really matters in cases where there’s no
explicit catch-all rule, so I do wonder if it’s worth it.

Regards,
Kristof


More information about the freebsd-pf mailing list