From matuska@wall2.zoznam.sk  Sat Jul  9 14:54:04 2005
Return-Path: <matuska@wall2.zoznam.sk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9183016A41C
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  9 Jul 2005 14:54:04 +0000 (GMT)
	(envelope-from matuska@wall2.zoznam.sk)
Received: from wall2.zoznam.sk (wall2.zoznam.sk [62.65.179.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 049B243D45
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  9 Jul 2005 14:54:03 +0000 (GMT)
	(envelope-from matuska@wall2.zoznam.sk)
Received: from wall2.zoznam.sk (localhost [127.0.0.1])
	by wall2.zoznam.sk (8.13.3/8.13.3) with ESMTP id j69ErvKQ004786
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 9 Jul 2005 16:53:57 +0200 (CEST)
	(envelope-from matuska@wall2.zoznam.sk)
Received: (from matuska@localhost)
	by wall2.zoznam.sk (8.13.3/8.13.3/Submit) id j69ErvXN004785;
	Sat, 9 Jul 2005 16:53:57 +0200 (CEST)
	(envelope-from matuska)
Message-Id: <200507091453.j69ErvXN004785@wall2.zoznam.sk>
Date: Sat, 9 Jul 2005 16:53:57 +0200 (CEST)
From: Martin Matuska <martin@matuska.org>
Reply-To: Martin Matuska <martin@matuska.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pfsync in RELENG_5 does not work correctly with nat rules
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         83186
>Category:       kern
>Synopsis:       [pfsync] [patch] pfsync in RELENG_5 does not work correctly with nat rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 09 15:00:34 GMT 2005
>Closed-Date:    Thu Nov 03 12:26:07 GMT 2005
>Last-Modified:  Thu Nov 03 12:26:07 GMT 2005
>Originator:     Martin Matuska
>Release:        FreeBSD 5-STABLE i386
>Organization:
>Environment:
>Description:
pfsync in RELENG_5 does not work correcly with nat and anchor rules

Comments from OpenBSD cvslog for src/sys/net/if_pfsync.c 1.38:
Clean up reference counting wrt state creation and destruction. Fixes
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.

Diff from Chris Pascoe.
ok henning@ dhartmei@

Comments from OpenBSD cvslog for src/sys/net/if_pfsync.c 1.37:
Increment the states reference counter in the rule attached to the state
being inserted, so that the counter does not wrap back when the state
is removed. This fixes pfsync setups with adaptive timeouts.

From Chris Pascoe
ok canacar@ dhartmei@ henning@ deraadt@

>How-To-Repeat:
>Fix:
fixed in OpenBSD: src/sys/net/if_pfsync.c rev. 1.37 and 1.38
already included in HEAD
please MFC to RELENG_5 the following patches from HEAD:

--- src/sys/contrib/pf/net/if_pfsync.c.orig	Sat Jul  9 15:31:31 2005
+++ src/sys/contrib/pf/net/if_pfsync.c	Sat Jul  9 15:56:51 2005
@@ -336,6 +336,9 @@
 	st->rule.ptr = r;
 	/* XXX get pointers to nat_rule and anchor */
 
+	/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
+	r->states++;
+
 	/* fill in the rest of the state entry */
 	pf_state_host_ntoh(&sp->lan, &st->lan);
 	pf_state_host_ntoh(&sp->gwy, &st->gwy);
@@ -367,6 +370,8 @@
 
 	if (pf_insert_state(kif, st)) {
 		pfi_maybe_destroy(kif);
+		/* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
+		r->states--;
 		pool_put(&pf_state_pl, st);
 		return (EINVAL);
 	}
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->mlaier 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sat Jul 9 18:51:34 GMT 2005 
Responsible-Changed-Why:  
Over to our pf maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=83186 
Responsible-Changed-From-To: mlaier->glebius 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Tue Jul 12 18:27:50 GMT 2005 
Responsible-Changed-Why:  
Gleb is in a position to test this, thanks for looking into the issue! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=83186 
State-Changed-From-To: open->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Nov 3 12:25:52 GMT 2005 
State-Changed-Why:  
Committed to RELENG_5. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=83186 
>Unformatted:
