From 841ad46d42a7e6cf5bb3c548b8ed44d5b9800270 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Sat, 2 Mar 2013 00:48:37 +0400 Subject: [PATCH] Pfsync: extend update trigger routine Create infrastructure to specify protocols that will trigger increment of the updates count and, thus, will push updates to the peers once there will be enough of them. Signed-off-by: Eygene Ryabinkin --- sys/contrib/pf/net/if_pfsync.c | 49 +++++++++++++++++++++++++++++++++++++++++- sys/contrib/pf/net/if_pfsync.h | 10 +++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c index 9942645..f41c943 100644 --- a/sys/contrib/pf/net/if_pfsync.c +++ b/sys/contrib/pf/net/if_pfsync.c @@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #ifdef __FreeBSD__ #include #include @@ -150,6 +151,42 @@ __FBSDID("$FreeBSD$"); #define PFSYNC_MAX_UPD_WAIT 2 +#define PFSYNC_UPDPROTO_BPE 32 /* Bits per mask value */ +#define PFSYNC_UPDPROTO_SHIFT 5 /* 2^shift = BPE */ +#define PFSYNC_UPDPROTO_MASK 0x1f /* Masks lower (BPE-1) bits */ +#if LONG_BIT < PFSYNC_UPDPROTO_BPE +#error I expect that long can carry at least 32 bits +#endif +/* + * Bit table for the protocol types that we will count as + * permitted to add to the 'sync_updates' counter. Each + * table element holds the mask for 32 protocols. + * + * By-default, only TCP triggers counter update to be consistent + * with OpenBSD's change in their v 1.122. + */ +static unsigned long +_proto_adds_to_sync_updates[IPPROTO_MAX/PFSYNC_UPDPROTO_BPE] = { + 0x00000040, 0x00000000, 0x00000000, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000 +}; +/* Sysctls for setting bit table members */ +SYSCTL_DECL(_net_pfsync); +#define _UPDPROTO_MASK_N_SYSCTL(n, value, protorange) \ +SYSCTL_UINT(_net_pfsync, PFSYNC_SCTL_UPDPROTO_MASK ## n, \ + updproto_mask ## n, CTLFLAG_RW, \ + &_proto_adds_to_sync_updates[(n)], (value), \ + "update trigger mask for protocols " protorange) +_UPDPROTO_MASK_N_SYSCTL(0, 0x00000040, "0-31"); +_UPDPROTO_MASK_N_SYSCTL(1, 0x00000000, "32-63"); +_UPDPROTO_MASK_N_SYSCTL(2, 0x00000000, "64-95"); +_UPDPROTO_MASK_N_SYSCTL(3, 0x00000000, "96-127"); +_UPDPROTO_MASK_N_SYSCTL(4, 0x00000000, "128-159"); +_UPDPROTO_MASK_N_SYSCTL(5, 0x00000000, "160-191"); +_UPDPROTO_MASK_N_SYSCTL(6, 0x00000000, "192-223"); +_UPDPROTO_MASK_N_SYSCTL(7, 0x00000000, "224-255"); +#undef _UPDPROTO_MASK_N_SYSCTL + struct pfsync_pkt { struct ip *ip; struct in_addr src; @@ -390,6 +427,16 @@ struct if_clone pfsync_cloner = IF_CLONE_INITIALIZER("pfsync", pfsync_clone_create, pfsync_clone_destroy); #endif + +/* Checks if the protocol is permitted to trigger counter update */ +static inline int +proto_adds_to_sync_updates(uint8_t protonum) +{ + return (_proto_adds_to_sync_updates[protonum >> PFSYNC_UPDPROTO_SHIFT] & + (1 << (protonum & PFSYNC_UPDPROTO_MASK))); +} + + void pfsyncattach(int npfsync) { @@ -2582,7 +2629,7 @@ pfsync_update_state(struct pf_state *st) case PFSYNC_S_INS: /* we're already handling it */ - if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) { + if (proto_adds_to_sync_updates(st->key[PF_SK_WIRE]->proto)) { st->sync_updates++; if (st->sync_updates >= sc->sc_maxupdates) sync = 1; diff --git a/sys/contrib/pf/net/if_pfsync.h b/sys/contrib/pf/net/if_pfsync.h index 17259b7..a2e13bf 100644 --- a/sys/contrib/pf/net/if_pfsync.h +++ b/sys/contrib/pf/net/if_pfsync.h @@ -79,6 +79,16 @@ #define PFSYNC_HMAC_LEN 20 +/* Pfsync sysctl assignments */ +#define PFSYNC_SCTL_UPDPROTO_MASK0 0 +#define PFSYNC_SCTL_UPDPROTO_MASK1 1 +#define PFSYNC_SCTL_UPDPROTO_MASK2 2 +#define PFSYNC_SCTL_UPDPROTO_MASK3 3 +#define PFSYNC_SCTL_UPDPROTO_MASK4 4 +#define PFSYNC_SCTL_UPDPROTO_MASK5 5 +#define PFSYNC_SCTL_UPDPROTO_MASK6 6 +#define PFSYNC_SCTL_UPDPROTO_MASK7 7 + /* * A pfsync frame is built from a header followed by several sections which * are all prefixed with their own subheaders. Frames must be terminated with -- 1.8.1