diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1061,8 +1061,8 @@ struct pf_ksrc_node *nat_src_node; u_int64_t packets[2]; u_int64_t bytes[2]; - u_int32_t creation; - u_int32_t expire; + u_int64_t creation; + u_int64_t expire; u_int32_t pfsync_time; struct pf_rule_actions act; u_int16_t tag; @@ -2238,6 +2238,22 @@ return (0); } +static __inline uint64_t +pf_get_uptime(void) +{ + struct timeval t; + microuptime(&t); + return ((t.tv_sec * 1000) + (t.tv_usec / 1000)); +} + +static __inline uint64_t +pf_get_time(void) +{ + struct timeval t; + microtime(&t); + return ((t.tv_sec * 1000) + (t.tv_usec / 1000)); +} + extern struct pf_kstate *pf_find_state_byid(uint64_t, uint32_t); extern struct pf_kstate *pf_find_state_all(struct pf_state_key_cmp *, u_int, int *); diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -611,8 +611,8 @@ /* copy to state */ bcopy(&sp->pfs_1301.rt_addr, &st->rt_addr, sizeof(st->rt_addr)); - st->creation = time_uptime - ntohl(sp->pfs_1301.creation); - st->expire = time_uptime; + st->creation = (time_uptime - ntohl(sp->pfs_1301.creation)) * 1000; + st->expire = pf_get_uptime(); if (sp->pfs_1301.expire) { uint32_t timeout; @@ -621,7 +621,7 @@ timeout = V_pf_default_rule.timeout[sp->pfs_1301.timeout]; /* sp->expire may have been adaptively scaled by export. */ - st->expire -= timeout - ntohl(sp->pfs_1301.expire); + st->expire -= (timeout - ntohl(sp->pfs_1301.expire)) * 1000; } st->direction = sp->pfs_1301.direction; @@ -1198,7 +1198,7 @@ if (sync < 2) { pfsync_alloc_scrub_memory(&sp->pfs_1301.dst, &st->dst); pf_state_peer_ntoh(&sp->pfs_1301.dst, &st->dst); - st->expire = time_uptime; + st->expire = pf_get_uptime(); st->timeout = sp->pfs_1301.timeout; } st->pfsync_time = time_uptime; @@ -1285,7 +1285,7 @@ if (sync < 2) { pfsync_alloc_scrub_memory(&up->dst, &st->dst); pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = time_uptime; + st->expire = pf_get_uptime(); st->timeout = up->timeout; } st->pfsync_time = time_uptime; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -2037,12 +2037,12 @@ if (states < end) { timeout = (u_int64_t)timeout * (end - states) / (end - start); - return (state->expire + timeout); + return ((state->expire / 1000) + timeout); } else return (time_uptime); } - return (state->expire + timeout); + return ((state->expire / 1000) + timeout); } void @@ -4951,8 +4951,7 @@ s->rt = r->rt; } - s->creation = time_uptime; - s->expire = time_uptime; + s->creation = s->expire = pf_get_uptime(); if (sn != NULL) s->src_node = sn; @@ -5426,7 +5425,7 @@ pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT); /* update expire time */ - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); if (src->state >= TCPS_FIN_WAIT_2 && dst->state >= TCPS_FIN_WAIT_2) (*state)->timeout = PFTM_TCP_CLOSED; @@ -5622,7 +5621,7 @@ pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT); /* update expire time */ - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); if (src->state >= TCPS_FIN_WAIT_2 && dst->state >= TCPS_FIN_WAIT_2) (*state)->timeout = PFTM_TCP_CLOSED; @@ -5870,7 +5869,7 @@ pf_set_protostate(*state, pdst, PFUDPS_MULTIPLE); /* update expire time */ - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) (*state)->timeout = PFTM_UDP_MULTIPLE; else @@ -5971,7 +5970,7 @@ return (PF_DROP); } - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); /* translate source/destination address, if necessary */ if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { @@ -6478,7 +6477,7 @@ STATE_LOOKUP(kif, &key, *state, pd); - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); (*state)->timeout = PFTM_ICMP_ERROR_REPLY; /* translate source/destination address, if necessary */ @@ -7063,7 +7062,7 @@ pf_set_protostate(*state, pdst, PFOTHERS_MULTIPLE); /* update expire time */ - (*state)->expire = time_uptime; + (*state)->expire = pf_get_uptime(); if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) (*state)->timeout = PFTM_OTHER_MULTIPLE; else diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -5483,7 +5483,7 @@ /* copy from state */ strlcpy(sp->pfs_1301.ifname, st->kif->pfik_name, sizeof(sp->pfs_1301.ifname)); bcopy(&st->rt_addr, &sp->pfs_1301.rt_addr, sizeof(sp->pfs_1301.rt_addr)); - sp->pfs_1301.creation = htonl(time_uptime - st->creation); + sp->pfs_1301.creation = htonl(time_uptime - (st->creation / 1000)); sp->pfs_1301.expire = pf_state_expires(st); if (sp->pfs_1301.expire <= time_uptime) sp->pfs_1301.expire = htonl(0); @@ -5574,7 +5574,7 @@ strlcpy(sp->orig_ifname, st->orig_kif->pfik_name, sizeof(sp->orig_ifname)); bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr)); - sp->creation = htonl(time_uptime - st->creation); + sp->creation = htonl(time_uptime - (st->creation / 1000)); sp->expire = pf_state_expires(st); if (sp->expire <= time_uptime) sp->expire = htonl(0); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -169,7 +169,7 @@ nlattr_add_string(nw, PF_ST_IFNAME, s->kif->pfik_name); nlattr_add_string(nw, PF_ST_ORIG_IFNAME, s->orig_kif->pfik_name); dump_addr(nw, PF_ST_RT_ADDR, &s->rt_addr, af); - nlattr_add_u32(nw, PF_ST_CREATION, time_uptime - s->creation); + nlattr_add_u32(nw, PF_ST_CREATION, time_uptime - (s->creation / 1000)); uint32_t expire = pf_state_expires(s); if (expire > time_uptime) expire = expire - time_uptime; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1745,7 +1745,7 @@ getmicrouptime(&uptime); if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE || - time_uptime - state->creation > TS_MAX_CONN)) { + time_uptime - (state->creation / 1000) > TS_MAX_CONN)) { if (V_pf_status.debug >= PF_DEBUG_MISC) { DPFPRINTF(("src idled out of PAWS\n")); pf_print_state(state); diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -974,7 +974,7 @@ s->anchor.ptr ? s->anchor.ptr->nr : -1); nvlist_add_number(nvl, "nat_rule", s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1); - nvlist_add_number(nvl, "creation", s->creation); + nvlist_add_number(nvl, "creation", s->creation / 1000); expire = pf_state_expires(s); if (expire <= time_uptime) diff --git a/sys/netpfil/pf/pflow.c b/sys/netpfil/pf/pflow.c --- a/sys/netpfil/pf/pflow.c +++ b/sys/netpfil/pf/pflow.c @@ -543,9 +543,9 @@ * or was created / expired before this machine came up due to pfsync. */ flow1->flow_start = flow2->flow_start = st->creation < 0 || - st->creation > st->expire ? htonl(0) : htonl(st->creation * 1000); + st->creation > st->expire ? htonl(0) : htonl(st->creation); flow1->flow_finish = flow2->flow_finish = st->expire < 0 ? htonl(0) : - htonl(st->expire * 1000); + htonl(st->expire); flow1->tcp_flags = flow2->tcp_flags = 0; flow1->protocol = flow2->protocol = sk->proto; flow1->tos = flow2->tos = st->rule.ptr->tos; @@ -579,10 +579,10 @@ flow1->flow_start = flow2->flow_start = htobe64((time_second - time_uptime)*1000); else - flow1->flow_start = flow2->flow_start = htobe64((time_second - - (time_uptime - st->creation))*1000); - flow1->flow_finish = flow2->flow_finish = htobe64((time_second - - (time_uptime - st->expire))*1000); + flow1->flow_start = flow2->flow_start = htobe64((pf_get_time() - + (pf_get_uptime() - st->creation))); + flow1->flow_finish = flow2->flow_finish = htobe64((pf_get_time() - + (pf_get_uptime() - st->expire))); flow1->protocol = flow2->protocol = sk->proto; flow1->tos = flow2->tos = st->rule.ptr->tos; @@ -618,10 +618,10 @@ flow1->flow_start = flow2->flow_start = htobe64((time_second - time_uptime)*1000); else - flow1->flow_start = flow2->flow_start = htobe64((time_second - - (time_uptime - st->creation))*1000); - flow1->flow_finish = flow2->flow_finish = htobe64((time_second - - (time_uptime - st->expire))*1000); + flow1->flow_start = flow2->flow_start = htobe64((pf_get_time() - + (pf_get_uptime() - st->creation))); + flow1->flow_finish = flow2->flow_finish = htobe64((pf_get_time() - + (pf_get_uptime() - st->expire))); flow1->protocol = flow2->protocol = sk->proto; flow1->tos = flow2->tos = st->rule.ptr->tos;