don't let pfsync send an insert message for a state pfsync just inserted
author dlg <dlg@openbsd.org>
Mon, 31 Jul 2023 11:13:09 +0000 (11:13 +0000)
committer dlg <dlg@openbsd.org>
Mon, 31 Jul 2023 11:13:09 +0000 (11:13 +0000)
sthen@ upgraded and ended up with a lot of pfsync traffic which was
mostly made up of the two firewalls telling each other to insert
the same state over and over again.

this has each of the paths that insert states (actual pf, ioctls,
and pfsync) identify themselves so pfsync can enter them into its
own state machine in the right place. when pfsync inserts a state
into pf, it knows it should just swallow the state silently without
sending out another insert for it.

ok sthen@ sashan@

sys/net/if_pfsync.c
sys/net/if_pfsync.h
sys/net/pf.c

index bf68571..da32ef9 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_pfsync.c,v 1.318 2023/07/06 04:55:05 dlg Exp $     */
+/*     $OpenBSD: if_pfsync.c,v 1.319 2023/07/31 11:13:09 dlg Exp $     */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -1676,11 +1676,14 @@ pfsync_init_state(struct pf_state *st, const struct pf_state_key *skw,
        }
 
        /* state came off the wire */
-       if (ISSET(st->state_flags, PFSTATE_ACK)) {
-               CLR(st->state_flags, PFSTATE_ACK);
+       if (ISSET(flags, PFSYNC_SI_PFSYNC)) {
+               if (ISSET(st->state_flags, PFSTATE_ACK)) {
+                       CLR(st->state_flags, PFSTATE_ACK);
 
-               /* peer wants an iack, not an insert */
-               st->sync_state = PFSYNC_S_SYNC;
+                       /* peer wants an iack, not an insert */
+                       st->sync_state = PFSYNC_S_SYNC;
+               } else
+                       st->sync_state = PFSYNC_S_PFSYNC;
        }
 }
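Review bot: PFSTATE_ACK is now only cleared when the caller passes PFSYNC_SI_PFSYNC, whereas before this hunk it was cleared for every caller; a state reaching pfsync_init_state with flags 0 or PFSYNC_SI_IOCTL and PFSTATE_ACK already set keeps the flag and never becomes PFSYNC_S_SYNC. Whether that can happen depends on how pf_state_import fills state_flags (not visible here) — if the ioctl import copies state_flags from userland the way the wire path does, PFSTATE_ACK should be masked out there so a local tool cannot plant it. The new else-arm would also read better with a why-comment, e.g. `/* pfsync inserted this state itself; pfsync_insert_state() must not announce it again */`. The start of pfsync_init_state, including the `flags` parameter this hunk tests, lies outside the hunk.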
 
@@ -1713,6 +1716,10 @@ pfsync_insert_state(struct pf_state *st)
                        pfsync_q_ins(s, st, PFSYNC_S_IACK);
                        pfsync_slice_sched(s); /* the peer is waiting */
                        break;
+               case PFSYNC_S_PFSYNC:
+                       /* state was just inserted by pfsync */
+                       st->sync_state = PFSYNC_S_NONE;
+                       break;
                default:
                        panic("%s: state %p unexpected sync_state %d",
                            __func__, st, st->sync_state);
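Review bot: A state whose sync_state is PFSYNC_S_PFSYNC but that never reaches pfsync_insert_state keeps that value; if pf_state_import can fail after pfsync_init_state has run (for example on pf_state_insert failure) and the state is then torn down through a path that switches on sync_state with a panic default like the one here, the new value must be accepted there too, so that switch (not visible) should be checked. The new case also deserves a why-comment rather than a what-comment, e.g. `/* inserted by pfsync: the peer already has it, do not echo an insert */`. The beginning of pfsync_insert_state is outside the hunk.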
@@ -2829,7 +2836,7 @@ pfsync_in_ins(struct pfsync_softc *sc,
                        continue;
                }
 
-               if (pf_state_import(sp, 0) == ENOMEM) {
+               if (pf_state_import(sp, PFSYNC_SI_PFSYNC) == ENOMEM) {
                        /* drop out, but process the rest of the actions */
                        break;
                }
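Review bot: Only ENOMEM stops the loop here, and any other pf_state_import error falls through to the next state without being counted, while the sibling call in pfsync_in_upd touched by this commit bumps pfsyncs_badstate on every error; unless a counter is incremented on the `continue` path above the hunk, the two import callers now disagree on accounting for rejected wire states. A one-line `else if (error) pfsyncstat_inc(pfsyncs_badstate);` after the ENOMEM check would make a peer sending malformed inserts visible in the statistics. pfsync_in_ins continues outside the hunk on both sides.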
@@ -3009,7 +3016,7 @@ pfsync_in_upd(struct pfsync_softc *sc,
                if (st == NULL) {
                        /* insert the update */
                        PF_LOCK();
-                       error = pf_state_import(sp, 0);
+                       error = pf_state_import(sp, PFSYNC_SI_PFSYNC);
                        if (error)
                                pfsyncstat_inc(pfsyncs_badstate);
                        PF_UNLOCK();
index e83ddd8..16982cb 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_pfsync.h,v 1.60 2023/07/06 04:55:05 dlg Exp $      */
+/*     $OpenBSD: if_pfsync.h,v 1.61 2023/07/31 11:13:10 dlg Exp $      */
 
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -307,6 +307,7 @@ enum pfsync_counters {
 
 #define PFSYNC_S_NONE  0xd0
 #define PFSYNC_S_SYNC  0xd1
+#define PFSYNC_S_PFSYNC        0xd2
 #define PFSYNC_S_DEAD  0xde
 
 int                    pfsync_input4(struct mbuf **, int *, int, int);
@@ -316,6 +317,7 @@ int                 pfsync_sysctl(int *, u_int,  void *, size_t *,
 #define        PFSYNC_SI_IOCTL         0x01
 #define        PFSYNC_SI_CKSUM         0x02
 #define        PFSYNC_SI_ACK           0x04
+#define        PFSYNC_SI_PFSYNC        0x08
 int                    pfsync_state_import(struct pfsync_state *, int);
 void                   pfsync_state_export(struct pfsync_state *,
                            struct pf_state *);
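Review bot: PFSYNC_SI_PFSYNC changes how the other PFSYNC_SI_* flags are interpreted in pfsync_init_state — the PFSTATE_ACK handling that used to run for every caller is now nested under it — so a caller that passes the ack flag without PFSYNC_SI_PFSYNC would no longer get the PFSYNC_S_SYNC treatment, assuming PFSYNC_SI_ACK is what sets PFSTATE_ACK during import. The flag block should say so, e.g. `#define PFSYNC_SI_PFSYNC 0x08 /* state comes from a pfsync peer; required for SI_ACK to take effect */`, and the existing flags would benefit from the same one-line comments.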
index eb233a8..4f0fc3f 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1183 2023/07/07 08:05:02 bluhm Exp $ */
+/*     $OpenBSD: pf.c,v 1.1184 2023/07/31 11:13:09 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -4698,6 +4698,10 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
                        sni->sn->states++;
                }
 
+#if NPFSYNC > 0
+       pfsync_init_state(st, *skw, *sks, 0);
+#endif
+
        if (pf_state_insert(BOUND_IFACE(r, pd->kif), skw, sks, st)) {
                *sks = *skw = NULL;
                REASON_SET(&reason, PFRES_STATEINS);
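Review bot: pfsync_init_state now runs before pf_state_insert, so on the PFRES_STATEINS failure path that begins on the last line of this hunk the state has already been handed to pfsync's initialisation; whatever that call sets up for flags 0 (its first part is not visible in this commit) must be harmless to discard when the state is freed, and that should be confirmed against the teardown code. A short comment on the new call would also help, e.g. `/* flags 0: pf created this state itself, pfsync will announce it */`, since `0` here is the one caller that deliberately omits PFSYNC_SI_PFSYNC. pf_create_state starts and ends outside the hunk.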