I have this diff running on the failover-side currently.
I'v disabled all extra "set timeout"-settings on failover-side which I used to
hold down the exp. time.
The replication of exp. time seems to work.
I have a long-lived tcp connection which used to show up with double exp. time
on the failover-side.
The time for this connection is almost identical now on both sides(1 sec. is a
diff in between).
The rest of connections seems to be OK too - I don't see doubled exp. time
values anymore while scrolling in systat.
//maxim
On Oct 28, 2011, at 3:49 PM, Mike Belopuhov wrote:
> On Fri, Oct 28, 2011 at 11:25 AM, Mike Belopuhov <m...@crypt.org.ru> wrote:
>> On Thu, Oct 27, 2011 at 11:18 AM, Mike Belopuhov <m...@crypt.org.ru> wrote:
>>>>> On 26-10-2011 20:32, Maxim Bourmistrov wrote:
>>>>>> The side question, after observing 'systat -s1 states', is WHY
"failover"-side
>>>>>> doubles exp. time??
>>>>>> I'm more expected to have it like a "copy" of the current state of the
>>>>>> master.
>>>
>>> i've started looking into the problem, but it's not yet apparent as to
>>> why it happens.
>>>
>>
>> ok, so what i've figured out is that expire timeouts are transferred
>> as values of "rule->timeout[state->timeout]" and not absolute ones
>> (to compensate for a local time difference). but when you insert
>> the rule into the state table you have to subtract the timeout value
>> as pf_state_expires does a good job itself by adding those back.
>>
>> so here's a diff. i've tried to solve "no adaptive scaling" caveat as
well.
>>
>> ok?
>>
>
> need to assign a rule pointer before dereferencing it, right?
>
> Index: if_pfsync.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_pfsync.c,v
> retrieving revision 1.169
> diff -u -p -u -p -r1.169 if_pfsync.c
> --- if_pfsync.c 20 Oct 2011 08:57:26 -0000 1.169
> +++ if_pfsync.c 28 Oct 2011 13:46:12 -0000
> @@ -266,6 +266,8 @@ void pfsync_bulk_status(u_int8_t);
> void pfsync_bulk_update(void *);
> void pfsync_bulk_fail(void *);
>
> +u_int32_t pfsync_expires(const struct pf_state *, u_int32_t, u_int8_t);
> +
> #define PFSYNC_MAX_BULKTRIES 12
> int pfsync_sync_ok;
>
> @@ -578,13 +580,7 @@ pfsync_state_import(struct pfsync_state
> /* copy to state */
> bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
> st->creation = time_second - ntohl(sp->creation);
> - st->expire = time_second;
> - if (sp->expire) {
> - /* XXX No adaptive scaling. */
> - st->expire -= r->timeout[sp->timeout] - ntohl(sp->expire);
> - }
>
> - st->expire = ntohl(sp->expire) + time_second;
> st->direction = sp->direction;
> st->log = sp->log;
> st->timeout = sp->timeout;
> @@ -603,6 +599,8 @@ pfsync_state_import(struct pfsync_state
> st->anchor.ptr = NULL;
> st->rt_kif = NULL;
>
> + st->expire = pfsync_expires(st, ntohl(sp->expire), sp->timeout);
> +
> st->pfsync_time = time_uptime;
> st->sync_state = PFSYNC_S_NONE;
>
> @@ -948,7 +946,8 @@ pfsync_in_upd(caddr_t buf, int len, int
> if (sync < 2) {
> pfsync_alloc_scrub_memory(&sp->dst, &st->dst);
> pf_state_peer_ntoh(&sp->dst, &st->dst);
> - st->expire = ntohl(sp->expire) + time_second;
> + st->expire = pfsync_expires(st, ntohl(sp->expire),
> + sp->timeout);
> st->timeout = sp->timeout;
> }
> st->pfsync_time = time_uptime;
> @@ -1019,10 +1018,12 @@ pfsync_in_upd_c(caddr_t buf, int len, in
> else
> pf_state_peer_ntoh(&up->dst, &st->dst);
> }
> +
> if (sync < 2) {
> pfsync_alloc_scrub_memory(&up->dst, &st->dst);
> pf_state_peer_ntoh(&up->dst, &st->dst);
> - st->expire = ntohl(up->expire) + time_second;
> + st->expire = pfsync_expires(st, ntohl(up->expire),
> + up->timeout);
> st->timeout = up->timeout;
> }
> st->pfsync_time = time_uptime;
> @@ -2330,4 +2331,37 @@ pfsync_sysctl(int *name, u_int namelen,
> default:
> return (ENOPROTOOPT);
> }
> +}
> +
> +u_int32_t
> +pfsync_expires(const struct pf_state *st, u_int32_t expire, u_int8_t
ttype)
> +{
> + u_int32_t start;
> + u_int32_t end;
> + u_int32_t states;
> + u_int32_t result;
> + u_int32_t timeout;
> +
> + if (expire == 0 || ttype >= PFTM_MAX)
> + return (time_second);
> +
> + timeout = st->rule.ptr->timeout[ttype];
> + result = time_second - timeout + expire;
> + start = st->rule.ptr->timeout[PFTM_ADAPTIVE_START];
> + if (start) {
> + end = st->rule.ptr->timeout[PFTM_ADAPTIVE_END];
> + states = st->rule.ptr->states_cur;
> + } else {
> + start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
> + end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
> + states = pf_status.states;
> + }
> + if (end && states > start && start < end) {
> + if (states < end)
> + return (result + timeout * (end - states) /
> + (end - start));
> + else
> + return (time_second);
> + }
> + return (result);
> }
