The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=67d1ea0cfeb48e9cfb216ef87021604f9ec58e6f
commit 67d1ea0cfeb48e9cfb216ef87021604f9ec58e6f
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-05-28 12:18:07 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-09 19:37:36 +0000
pf: use time_uptime rather than time_seconds
Use time_uptime as value for when pf was enabled instead of time_second. Since time_second changes depending on the wall-
clock time, time_second is not a reliable source for the status. We can even end up with a negative time delta. Thus, use the monotonically growing time_uptime and compute the correct wall clock time when userspace requests the status.
ok bluhm@ mikeb@
Reviewed by: imp
Obtained from: OpenBSD, patrick <patr...@openbsd.org>, 63b24bda99
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50722
---
sys/netpfil/pf/pf_ioctl.c | 12 ++++++++----
sys/netpfil/pf/pf_nl.c | 5 ++++-
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index cfa17b9925aa..c8ad007e2e92 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2439,7 +2439,7 @@ pf_start(void)
 if (! TAILQ_EMPTY(V_pf_keth->active.rules))
 hook_pf_eth();
 V_pf_status.running = 1;
- V_pf_status.since = time_second;
+ V_pf_status.since = time_uptime;
 new_unrhdr64(&V_pf_stateid, time_second);
 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
@@ -2461,7 +2461,7 @@ pf_stop(void)
 V_pf_status.running = 0;
 dehook_pf();
 dehook_pf_eth();
- V_pf_status.since = time_second;
+ V_pf_status.since = time_uptime;
 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
 }
 sx_xunlock(&V_pf_ioctl_lock);
@@ -2481,7 +2481,7 @@ pf_ioctl_clear_status(void)
 counter_u64_zero(V_pf_status.scounters[i]);
 for (int i = 0; i < KLCNT_MAX; i++)
 counter_u64_zero(V_pf_status.lcounters[i]);
- V_pf_status.since = time_second;
+ V_pf_status.since = time_uptime;
 if (*V_pf_status.ifname)
 pfi_update_status(V_pf_status.ifname, NULL);
 PF_RULES_WUNLOCK();
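Review bot: The assignment in pf_start() silently changes what V_pf_status.since holds, from a wall-clock time_second to a time_uptime value, while the very next line still seeds new_unrhdr64() from time_second, so a reader has no way to tell that the split is deliberate; a short comment on the assignment would settle it: `/* Uptime, not wall-clock: converted back to wall time in pf_getstatus() and pf_handle_get_status(). */`. The pf_stop() and pf_ioctl_clear_status() hunks make the same assignment, so one comment at the field's declaration would serve all three, but that declaration is outside this diff. Any other writer of V_pf_status.since not touched here (an initialization at attach time, for instance) would now need the same change, because the exporters subtract the stored value from time_uptime; I cannot confirm from this diff whether such a site exists. pf_start() continues beyond the hunk.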
@@ -5867,6 +5867,8 @@ pf_getstatus(struct pfioc_nv *nv)
 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
 char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
+ time_t since;
+
 PF_RULES_RLOCK_TRACKER;
 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
@@ -5877,8 +5879,10 @@ pf_getstatus(struct pfioc_nv *nv)
 if (nvl == NULL)
 ERROUT(ENOMEM);
+ since = time_second - (time_uptime - V_pf_status.since);
+
 nvlist_add_bool(nvl, "running", V_pf_status.running);
- nvlist_add_number(nvl, "since", V_pf_status.since);
+ nvlist_add_number(nvl, "since", since);
 nvlist_add_number(nvl, "debug", V_pf_status.debug);
 nvlist_add_number(nvl, "hostid", V_pf_status.hostid);
 nvlist_add_number(nvl, "states", V_pf_status.states);
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index fb1f5f1f470e..4d631568f991 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -1177,6 +1177,7 @@ pf_handle_get_status(struct nlmsghdr *hdr, struct nl_pstate *npt)
 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
 char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
+ time_t since;
 int error;
 PF_RULES_RLOCK_TRACKER;
@@ -1189,11 +1190,13 @@ pf_handle_get_status(struct nlmsghdr *hdr, struct nl_pstate *npt)
 ghdr_new->version = 0;
 ghdr_new->reserved = 0;
+ since = time_second - (time_uptime - V_pf_status.since);
+
 PF_RULES_RLOCK();
 nlattr_add_string(nw, PF_GS_IFNAME, V_pf_status.ifname);
 nlattr_add_bool(nw, PF_GS_RUNNING, V_pf_status.running);
- nlattr_add_u32(nw, PF_GS_SINCE, V_pf_status.since);
+ nlattr_add_u32(nw, PF_GS_SINCE, since);
 nlattr_add_u32(nw, PF_GS_DEBUG, V_pf_status.debug);
 nlattr_add_u32(nw, PF_GS_HOSTID, ntohl(V_pf_status.hostid));
 nlattr_add_u32(nw, PF_GS_STATES, V_pf_status.states);
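Review bot: The added `since = time_second - (time_uptime - V_pf_status.since);` in pf_getstatus() is the non-obvious line of this change and carries no comment; add `/* since is stored as time_uptime; re-base it on the wall clock for userspace. */` above it. The identical expression is added in pf_handle_get_status() in pf_nl.c, so a small shared static inline helper would keep the two in step if the representation changes again. If pf has never been started, V_pf_status.since is presumably still zero, in which case the exported value becomes roughly boot time instead of the 0 reported before; that is likely acceptable but it is a visible behaviour change for consumers that display the field. pf_getstatus() continues beyond this hunk.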
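Review bot: In pf_handle_get_status() the new `since = ...` line reads V_pf_status.since before `PF_RULES_RLOCK();` is taken, whereas every other V_pf_status field in this hunk is read under that lock and pf_ioctl_clear_status() writes the field under the write lock (its `PF_RULES_WUNLOCK();` is visible in that hunk). Moving the two added lines to just after `PF_RULES_RLOCK();` keeps the read consistent with the rest of the snapshot at no cost; on platforms with a 32-bit time_t a torn read is unlikely, but the inconsistency is what a later reader will trip on. Separately, `nlattr_add_u32(nw, PF_GS_SINCE, since)` still narrows a time_t to 32 bits; that predates this commit and widening it is an attribute-ABI question, but it deserves a comment if it stays. pf_handle_get_status() continues beyond the hunk.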