From: patrick
Date: Thu, 1 Jun 2017 14:38:28 +0000 (+0000)
Subject: Return time_uptime as value for when pf was enabled instead of
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=63b24bda997b0879d685c1d16ba2d37acb62bdf2;p=openbsd
Return time_uptime as value for when pf was enabled instead of
time_second. Since time_second changes depending on the wall-
clock time, time_second is not a reliable source for the status. We can even end up with a negative time delta. Thus, use the monotonically growing time_uptime and export it to userland.
ok bluhm@ mikeb@
---
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index a69acb2e5b2..8f5ec3ff291 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.311 2017/05/15 16:56:42 mikeb Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.312 2017/06/01 14:38:28 patrick Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -519,15 +519,17 @@ void
 print_status(struct pf_status *s, int opts)
 {
 char statline[80], *running, *debug;
- time_t runtime;
+ time_t runtime = 0;
+ struct timespec uptime;
 int i;
 char buf[PF_MD5_DIGEST_LENGTH * 2 + 1];
 static const char hex[] = "0123456789abcdef";
- runtime = time(NULL) - s->since;
+ if (!clock_gettime(CLOCK_UPTIME, &uptime))
+ runtime = uptime.tv_sec - s->since;
 running = s->running ? "Enabled" : "Disabled";
- if (s->since) {
+ if (runtime) {
 unsigned int sec, min, hrs;
 time_t day = runtime;
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 9c6b02e9bbb..541cb72e8cc 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.313 2017/05/30 19:37:54 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.314 2017/06/01 14:38:28 patrick Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
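Review bot: The new guard `if (runtime)` in print_status drops the old `s->since == 0` sentinel and also accepts a negative delta, so a status record that was never stamped would be shown with the machine's uptime as pf's age, and a negative value would flow into the `unsigned int sec, min, hrs` breakdown that continues below the hunk. Testing both, `if (s->since && runtime > 0) {`, keeps the previous "no timestamp, no duration" behaviour and rejects nonsensical ages; whether `since` can still be zero depends on initialisation that is not visible in this diff. The same concern applies to print_pf in usr.bin/systat/pf.c, which hands `tm` to `ADD_LINE_A` unconditionally, and to mib_pfinfo in usr.sbin/snmpd/mib.c, where the explicit `s.since > 0` check is removed. A failed clock_gettime() is folded into the same zero value in all three places, so anyone watching these outputs for a firewall restart cannot tell "clock unavailable" from "state changed this second".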
@@ -1005,7 +1005,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EEXIST;
 else {
 pf_status.running = 1;
- pf_status.since = time_second;
+ pf_status.since = time_uptime;
 if (pf_status.stateid == 0) {
 pf_status.stateid = time_second;
 pf_status.stateid = pf_status.stateid << 32;
@@ -1020,7 +1020,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = ENOENT;
 else {
 pf_status.running = 0;
- pf_status.since = time_second;
+ pf_status.since = time_uptime;
 pf_remove_queues();
 DPFPRINTF(LOG_NOTICE, "pf: stopped");
 }
@@ -1674,7 +1674,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 bzero(pf_status.counters, sizeof(pf_status.counters));
 bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
 bzero(pf_status.scounters, sizeof(pf_status.scounters));
- pf_status.since = time_second;
+ pf_status.since = time_uptime;
 break;
 }
diff --git a/usr.bin/systat/pf.c b/usr.bin/systat/pf.c
index 6e282bb7359..96b214da26d 100644
--- a/usr.bin/systat/pf.c
+++ b/usr.bin/systat/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.8 2016/01/02 20:03:28 benno Exp $ */
+/* $OpenBSD: pf.c,v 1.9 2017/06/01 14:38:28 patrick Exp $ */
 /*
 * Copyright (c) 2001, 2007 Can Erkin Acar
 *
@@ -220,7 +220,8 @@ void
 print_pf(void)
 {
 char *debug;
- time_t tm;
+ time_t tm = 0;
+ struct timespec uptime;
 int i;
 struct pf_status *s = &status;
@@ -229,7 +230,8 @@ print_pf(void)
 if (end > num_disp)
 end = num_disp;
- tm = time(NULL) - s->since;
+ if (!clock_gettime(CLOCK_UPTIME, &uptime))
+ tm = uptime.tv_sec - s->since;
 ADD_LINE_S("pf", "Status", s->running ? "Enabled" : "Disabled");
 ADD_LINE_A("pf", "Since", tm);
diff --git a/usr.sbin/snmpd/mib.c b/usr.sbin/snmpd/mib.c
index f53d9379b07..995f887662e 100644
--- a/usr.sbin/snmpd/mib.c
+++ b/usr.sbin/snmpd/mib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mib.c,v 1.83 2017/01/31 21:31:04 sthen Exp $ */
+/* $OpenBSD: mib.c,v 1.84 2017/06/01 14:38:28 patrick Exp $ */
 /*
 * Copyright (c) 2012 Joel Knight
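Review bot: `pf_status.since` changes meaning from wall-clock seconds to seconds of uptime at all three assignments in pfioctl (the hunks at 1005, 1020 and 1674), yet nothing in the field's name, type or a comment records the new contract. Any reader of the exported status that is not updated by this commit and still computes `time(NULL) - since` would silently report a wildly wrong age for the firewall state, which matters wherever that age is used to notice pf being stopped or restarted. A comment at the assignments or at the field's declaration (not part of this diff), for example `/* uptime in seconds (time_uptime), not wall-clock time */`, would make this explicit. In the first hunk `pf_status.stateid = time_second;` stays on wall-clock time, presumably on purpose, and a one-line comment saying so would prevent a later "consistency" change. pfioctl's body starts and ends outside these hunks.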
@@ -1650,7 +1650,8 @@ int
 mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
 {
 struct pf_status s;
- time_t runtime;
+ time_t runtime = 0;
+ struct timespec uptime;
 char str[11];
 if (pf_get_stats(&s))
@@ -1661,10 +1662,8 @@ mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
 *elm = ber_add_integer(*elm, s.running);
 break;
 case 2:
- if (s.since > 0)
- runtime = time(NULL) - s.since;
- else
- runtime = 0;
+ if (!clock_gettime(CLOCK_UPTIME, &uptime))
+ runtime = uptime.tv_sec - s.since;
 runtime *= 100;
 *elm = ber_add_integer(*elm, runtime);
 ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);