From: Jordan Gordeev <jgordeev@dir.bg>
Date: Sat, 21 Jul 2007 14:14:25 +0300
To: freebsd-questions@freebsd.org
Cc: max@love2party.net, jbronson@wixb.com
Subject: Re: pf and keep/modulate state on 6.2
Message-ID: <46A1EA91.5000306@dir.bg>
In-Reply-To: <200702261159.l1QBx46X006755@cheyenne.sixcompanies.com>

J.D. Bronson wrote:
> At 02:52 AM 02/26/2007, you wrote:
>
>> Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
>> state, I was getting ~30K/sec. With just keep state, I'm now getting
>> more like what my connection is capable of. This is between two 6.2
>> hosts on opposite sides of the Atlantic.
>>
>> Ted, I use pf because I like the format of the configuration file, I
>> like the logging and pftop, and like how it's harder to lock yourself
>> out of a remote machine by accident :)
>>
>> /JMS
>
>
> I use pf since it's newer (I think?) and I came from openbsd.. pf just
> works and the config file is nice and sweet.
>
> I had thought that modulate state would put a load on my proc, but
> sheesh, it's a p4-3.06 - that's more than robust for a router.
>
> I wonder if we should file a bug on this?
>
> I am glad my post helped here. I still use modulate state for any
> INCOMING connections though (www/smtp/etc).

I'm replying to an old and long-forgotten thread to report my recent findings.

There's a bug in PF with modulate/synproxy state. Modulate/synproxy state modulate sequence numbers, but don't modulate sequence numbers in TCP SACK options. Some firewalls block TCP segments with sequence numbers in the SACK option pointing outside the window, which causes connection stalls.

The bug was fixed in OpenBSD with revision 1.509 of src/sys/net/pf.c about a year and a half ago. The bug is present in FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with the big import of PF from OpenBSD 4.1.

I'm CC-ing Max to notify him of the bug present in -STABLE and to ask him to deal with the issue by either porting the fix from OpenBSD, or by documenting that modulate/synproxy state is broken.
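The mechanism behind the stall Jordan describes, as an added illustration (this is example code written for this page, not code from pf.c or from any of the posters): a SACK block lists ranges of the peer's data that have arrived, so its edges live in the same sequence space as the ACK field. If the firewall shifts that space by a random delta when the connection is set up, it has to subtract the same delta from the ACK field and from every SACK edge on the way back; rewriting only the ACK leaves SACK edges that a strict middlebox or host sees as far outside the advertised window. The example models one direction only (external peer to protected host), the segment layout and the 0x5a5a1234 delta are constructed, and the "strict check" accepts SACK edges only within [ack, ack+win], which is an assumption about what the blocking firewalls in the thread enforce.

```c
/*
 * Illustrative example for this page (not code from pf.c): what happens to
 * TCP SACK blocks when a firewall modulates sequence numbers by a fixed
 * delta but forgets to rewrite the SACK option, and how the fix looks.
 *
 * Assumptions (not from the original e-mail): one direction is modelled,
 * a segment from the external peer back to the protected host. The
 * firewall must subtract `delta` from the ACK field and from every SACK
 * edge, because both refer to the protected host's sequence space, which
 * was shifted by +delta on the way out.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5

/* Modular sequence-number comparisons, as in the BSD TCP stack. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)

/* Only the header fields this example needs. */
struct tcp_seg {
    uint32_t ack;        /* acknowledgement number */
    uint16_t win;        /* advertised window */
    uint8_t  opts[40];   /* raw TCP options as kind/len TLVs */
    size_t   optlen;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the option list, calling fn() on every SACK edge (left and right).
 * Returns the number of SACK blocks seen, or -1 on a malformed list. */
static int for_each_sack_edge(struct tcp_seg *s,
                              void (*fn)(uint8_t *edge, void *arg), void *arg)
{
    size_t i = 0;
    int blocks = 0;

    while (i < s->optlen) {
        uint8_t kind = s->opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= s->optlen)
            return -1;                       /* truncated kind/len */
        uint8_t len = s->opts[i + 1];
        if (len < 2 || i + len > s->optlen)
            return -1;                       /* bogus length */
        if (kind == TCPOPT_SACK) {
            if ((len - 2) % 8 != 0)
                return -1;                   /* each block is two 32-bit edges */
            for (size_t off = i + 2; off < i + len; off += 8) {
                fn(&s->opts[off], arg);      /* left edge  */
                fn(&s->opts[off + 4], arg);  /* right edge */
                blocks++;
            }
        }
        i += len;
    }
    return blocks;
}

static void sub_delta(uint8_t *edge, void *arg)
{
    put_be32(edge, get_be32(edge) - *(uint32_t *)arg);
}

struct edge_check { uint32_t ack; uint32_t win; int bad; };

/* Strict downstream check (assumed): SACK edges must lie in [ack, ack+win]. */
static void check_edge(uint8_t *edge, void *arg)
{
    struct edge_check *ec = arg;
    uint32_t v = get_be32(edge);
    if (SEQ_LT(v, ec->ack) || SEQ_GT(v, ec->ack + ec->win))
        ec->bad++;
}

/* Firewall rewrite of a peer->host segment. fix_sack=0 is the buggy
 * behaviour (ACK only); fix_sack=1 also shifts the SACK edges. */
int demodulate(struct tcp_seg *s, uint32_t delta, int fix_sack)
{
    s->ack -= delta;
    if (!fix_sack)
        return 0;
    return for_each_sack_edge(s, sub_delta, &delta);
}

/* Number of SACK edges the strict check would reject (-1 if malformed). */
int sack_edges_out_of_window(struct tcp_seg *s)
{
    struct edge_check ec = { s->ack, s->win, 0 };
    if (for_each_sack_edge(s, check_edge, &ec) < 0)
        return -1;
    return ec.bad;
}

/* Constructed segment: ack and one SACK block (one-MSS hole) in the
 * modulated space, i.e. as the external peer would actually send it. */
void make_segment(struct tcp_seg *s, uint32_t host_ack, uint32_t delta)
{
    memset(s, 0, sizeof(*s));
    s->ack = host_ack + delta;
    s->win = 8192;
    s->opts[0] = TCPOPT_NOP;                 /* NOP NOP SACK(10) is the usual layout */
    s->opts[1] = TCPOPT_NOP;
    s->opts[2] = TCPOPT_SACK;
    s->opts[3] = 10;
    put_be32(&s->opts[4], host_ack + delta + 1460);
    put_be32(&s->opts[8], host_ack + delta + 2920);
    s->optlen = 12;
}

/* Run one case end to end; returns the out-of-window edge count. */
int run_case(int fix_sack)
{
    struct tcp_seg s;
    uint32_t delta = 0x5a5a1234u;            /* constructed modulation offset */
    make_segment(&s, 1000, delta);
    demodulate(&s, delta, fix_sack);
    return sack_edges_out_of_window(&s);
}

int main(void)
{
    printf("ACK-only rewrite:    %d SACK edges out of window\n", run_case(0)); /* 2 */
    printf("ACK + SACK rewrite:  %d SACK edges out of window\n", run_case(1)); /* 0 */
    return 0;
}
```

With the ACK field alone rewritten, both edges of the SACK block still carry the +delta offset and land roughly 1.5 billion sequence numbers beyond the window, which is exactly the kind of segment a window-checking firewall drops; once the peer's SACK information never arrives, loss recovery degrades to timeouts and the transfer crawls, matching the ~30K/sec reported earlier in the thread. Applying the same delta to the SACK edges, as the later OpenBSD pf.c does, brings them back inside the window.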