From 740063f5e7cdc28404cf4beeee9d16bb2f21dc07 Mon Sep 17 00:00:00 2001
From: dlg
Date: Mon, 31 Jul 2023 11:13:09 +0000
Subject: [PATCH] don't let pfsync send an insert message for a state pfsync just inserted

sthen@ upgraded and ended up with a lot of pfsync traffic which was mostly made up of the two firewalls telling each other to insert the same state over and over again.

this has each of the paths that insert states (actual pf, ioctls, and pfsync) identify themselves so pfsync can enter them into its own state machine in the right place. when pfsync inserts a state into pf, it knows it should just swallow the state silently without sending out another insert for it.

ok sthen@ sashan@
---
 sys/net/if_pfsync.c | 21 ++++++++++++++-------
 sys/net/if_pfsync.h | 4 +++-
 sys/net/pf.c | 6 +++++-
 3 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index bf685712ec9..da32ef94efe 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.318 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.319 2023/07/31 11:13:09 dlg Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -1676,11 +1676,14 @@ pfsync_init_state(struct pf_state *st, const struct pf_state_key *skw,
 }
 
 /* state came off the wire */
- if (ISSET(st->state_flags, PFSTATE_ACK)) {
- CLR(st->state_flags, PFSTATE_ACK);
+ if (ISSET(flags, PFSYNC_SI_PFSYNC)) {
+ if (ISSET(st->state_flags, PFSTATE_ACK)) {
+ CLR(st->state_flags, PFSTATE_ACK);
 
- /* peer wants an iack, not an insert */
- st->sync_state = PFSYNC_S_SYNC;
+ /* peer wants an iack, not an insert */
+ st->sync_state = PFSYNC_S_SYNC;
+ } else
+ st->sync_state = PFSYNC_S_PFSYNC;
 }
 }
 
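Review bot: With the PFSTATE_ACK check now nested under ISSET(flags, PFSYNC_SI_PFSYNC), a state that reaches pfsync_init_state without that flag but with PFSTATE_ACK already set keeps the bit and keeps whatever sync_state it had, where the old code cleared the bit and set PFSYNC_S_SYNC; nothing in the hunk handles that case. Whether a non-pfsync caller (the 0 passed from pf_create_state, or the ioctl path outside this diff) can hand over such a state cannot be told from here: if it cannot, a comment on the outer if, `/* only states imported by pfsync carry PFSTATE_ACK */`, records the assumption, and if it can, an `else CLR(st->state_flags, PFSTATE_ACK);` on the outer if keeps a stale ack bit off a locally created state. The head of pfsync_init_state, including where `flags` comes from, is outside the hunk.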
@@ -1713,6 +1716,10 @@ pfsync_insert_state(struct pf_state *st)
 pfsync_q_ins(s, st, PFSYNC_S_IACK);
 pfsync_slice_sched(s); /* the peer is waiting */
 break;
+ case PFSYNC_S_PFSYNC:
+ /* state was just inserted by pfsync */
+ st->sync_state = PFSYNC_S_NONE;
+ break;
 default:
 panic("%s: state %p unexpected sync_state %d", __func__, st, st->sync_state);
@@ -2829,7 +2836,7 @@ pfsync_in_ins(struct pfsync_softc *sc,
 continue;
 }
 
- if (pf_state_import(sp, 0) == ENOMEM) {
+ if (pf_state_import(sp, PFSYNC_SI_PFSYNC) == ENOMEM) {
 /* drop out, but process the rest of the actions */
 break;
 }
@@ -3009,7 +3016,7 @@ pfsync_in_upd(struct pfsync_softc *sc,
 if (st == NULL) {
 /* insert the update */
 PF_LOCK();
- error = pf_state_import(sp, 0);
+ error = pf_state_import(sp, PFSYNC_SI_PFSYNC);
 if (error)
 pfsyncstat_inc(pfsyncs_badstate);
 PF_UNLOCK();
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index e83ddd8306c..16982cba864 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.60 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.61 2023/07/31 11:13:10 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -307,6 +307,7 @@ enum pfsync_counters {
 
 #define PFSYNC_S_NONE 0xd0
 #define PFSYNC_S_SYNC 0xd1
+#define PFSYNC_S_PFSYNC 0xd2
 #define PFSYNC_S_DEAD 0xde
 
 int pfsync_input4(struct mbuf **, int *, int, int);
@@ -316,6 +317,7 @@ int pfsync_sysctl(int *, u_int, void *, size_t *,
 #define PFSYNC_SI_IOCTL 0x01
 #define PFSYNC_SI_CKSUM 0x02
 #define PFSYNC_SI_ACK 0x04
+#define PFSYNC_SI_PFSYNC 0x08
 int pfsync_state_import(struct pfsync_state *, int);
 void pfsync_state_export(struct pfsync_state *, struct pf_state *);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index eb233a8af37..4f0fc3f91a9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1183 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1184 2023/07/31 11:13:09 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
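Review bot: The new PFSYNC_S_PFSYNC case is the only place that consumes the value, yet a state can carry it without ever reaching pfsync_insert_state: pfsync_init_state runs before pf_state_insert, and the pf_create_state hunk shows the insert-failure path that nulls the keys and abandons the state. If the teardown that follows dispatches on st->sync_state with a panic default like the one here, PFSYNC_S_PFSYNC has to be tolerated there too; that cannot be checked from this diff. A comment at the new case, `/* transient; a state freed because pf_state_insert failed may still carry it */`, would tell the next reader which consumers must accept the value. The switch and its enclosing function start and end outside the hunk.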
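Review bot: PFSYNC_S_PFSYNC is added next to PFSYNC_S_NONE, PFSYNC_S_SYNC and PFSYNC_S_DEAD with no comment on what the value means or how long a state holds it, and the same goes for PFSYNC_SI_PFSYNC in the following hunk. `#define PFSYNC_S_PFSYNC 0xd2 /* imported by pfsync; pfsync_insert_state resets it to NONE without announcing */` and `#define PFSYNC_SI_PFSYNC 0x08 /* state is being imported by pfsync itself */` would make the two new identifiers self-describing at their declaration. If PFSYNC_SI_IOCTL and PFSYNC_SI_PFSYNC are meant to be mutually exclusive, that is worth stating there as well, since pfsync_init_state tests only the PFSYNC bit.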
@@ -4698,6 +4698,10 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
 sni->sn->states++;
 }
 
+#if NPFSYNC > 0
+ pfsync_init_state(st, *skw, *sks, 0);
+#endif
+
 if (pf_state_insert(BOUND_IFACE(r, pd->kif), skw, sks, st)) {
 *sks = *skw = NULL;
 REASON_SET(&reason, PFRES_STATEINS);
-- 
2.20.1
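Review bot: The bare 0 in `pfsync_init_state(st, *skw, *sks, 0)` is the only one of the three insert paths that does not name its origin, so the reader has to know that 0 means the state was created by pf itself rather than by an ioctl or by pfsync. A trailing comment, `pfsync_init_state(st, *skw, *sks, 0); /* 0: created by pf, not ioctl/pfsync */`, or a named zero-valued flag alongside PFSYNC_SI_IOCTL in if_pfsync.h, would make the call sites read alike. It is also worth a comment that the call must stay ahead of pf_state_insert, since the sync_state it sets is what pfsync_insert_state later dispatches on (presumably from within pf_state_insert, which is outside this diff). pf_create_state begins and ends outside the hunk.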