in pf_set_protostate(), only decrement the half-open states counter when

the state was created on this host, i. e. not for those pfsync-imported.
whether pfsync-imported states should be accounted is a seperate discussion,
but as things are, we only increment the counter in pf_create_state(), and
imported states don't excercise that path.
probably fixes the half-open states accounting underflow-wraparounds that
some people have been seeing.
ok sashan

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1a52323..da62df2 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1069 2018/07/10 09:28:27 henning Exp $ */
+/*     $OpenBSD: pf.c,v 1.1070 2018/07/10 13:01:38 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -402,7 +402,7 @@ pf_set_protostate(struct pf_state *s, int which, u_int8_t newstate)
 
        if (s->src.state == newstate)
                return;
-       if (s->key[PF_SK_STACK] != NULL &&
+       if (s->creatorid == pf_status.hostid && s->key[PF_SK_STACK] != NULL &&
            s->key[PF_SK_STACK]->proto == IPPROTO_TCP &&
            !(TCPS_HAVEESTABLISHED(s->src.state) ||
            s->src.state == TCPS_CLOSED) &&