Date:      Thu, 20 Aug 2009 11:08:38 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org, d@delphij.net
Cc:        freebsd-pf@freebsd.org
Subject:   Re: (just for fun) port of OpenBSD pf's sloppy mode
Message-ID:  <200908201108.39177.max@love2party.net>
In-Reply-To: <4A8CFDAF.1000309@delphij.net>
References:  <4A8CFDAF.1000309@delphij.net>

Nice Work!  Thanks a lot!

On Thursday 20 August 2009 09:39:27 Xin LI wrote:
> Since there is an effort underway to port a newer pf version to FreeBSD,
> I think this work would not be useful for inclusion in -CURRENT.
> However, I'd like to share it here as someone may find it useful before
> the new pf code hits the tree.  The patch can also be downloaded from my

I disagree about the usefulness of this.  As your patch doesn't affect the ABI, 
this could make it into 8.1 (which the all-new pf won't).  With SVN it is also 
much simpler to manage the vendor branch differences now.

> website:
>
> 	http://www.delphij.net/pf-sloppy.diff

freebsd-pf@ test and provide feedback - I know people have asked about this in 
the past.

> About this patch:
>
> When pf(4) is operating in a manner where not all packets go through it,
> specifically when being used in a DSR ("Direct Server Return") network,
> the strict TCP state tracking would prevent some packets from being able
> to pass through.  This can show up as the connection stalling at ~60KB
> when you upload files (may differ if you have special TCP settings), or
> as stalled connections.
>
> With this change, pf.conf would support a new syntax, i.e. "(sloppy)" as
> a state flag, e.g.:
>
> pass in quick on em0 route-to { (em1 $server1), (em1 $server2) }
> round-robin proto tcp from any to $ext_ip port 80 keep state (sloppy)
>
> When enabled, the "sloppy" TCP FSM would be activated, which loosens the
> state check.  When using this option, the backend server has to use its
> own mechanism to prevent ICMP teardown attacks and/or insertion attacks,
> so please use caution and limit its use to cases where pf(4) won't see
> some packets in the connection.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
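As an added illustration (not part of the original mail, and not pf's code), the following Python model sketches why strict TCP sequence tracking stalls a one-sided (DSR) upload after roughly 64K of payload, and what sloppy mode gives up in exchange for passing it. It is loosely modelled on the distinction between pf's full and sloppy TCP trackers: the constant name MAXACKWINDOW and its value are taken from pf, but window scaling, SACK, ACK-skew checks and state timeouts are omitted, and the ISNs, window and MSS are constructed values chosen for the example.

```python
"""Simplified model of one-sided (DSR) TCP state tracking, full vs sloppy.
Added example, not pf's implementation.  Omits window scaling, SACK, ACK-skew
checks and timeouts."""

from dataclasses import dataclass

MAXACKWINDOW = 65535   # constant from pf: how far past seqhi a 'loose' match may reach
CLOSED, SYN_SENT, ESTABLISHED, CLOSING, TIME_WAIT = range(5)


@dataclass
class Peer:
    seqlo: int = 0      # highest sequence number (+len) seen from this peer
    seqhi: int = 0      # highest sequence number this peer may send (other side's ack + window)
    max_win: int = 1    # largest window this peer has advertised
    state: int = CLOSED


class TcpState:
    """One firewall state entry, created from the client's SYN."""

    def __init__(self, client_isn, client_win, sloppy):
        self.sloppy = sloppy
        self.client = Peer(seqlo=client_isn, seqhi=client_isn + 1,
                           max_win=max(client_win, 1), state=SYN_SENT)
        self.server = Peer(seqhi=1)   # nothing seen from the server yet

    def _fsm(self, src, dst, flags):
        # flag-driven state machine, shared by both modes
        if "SYN" in flags and src.state < SYN_SENT:
            src.state = SYN_SENT
        if "FIN" in flags and src.state < CLOSING:
            src.state = CLOSING
        if "ACK" in flags and dst.state == SYN_SENT:
            dst.state = ESTABLISHED
        if "RST" in flags:
            src.state = dst.state = TIME_WAIT

    def track(self, direction, seq, ack, length, win, flags):
        """Return True if the firewall passes the packet, False if it drops it."""
        src, dst = ((self.client, self.server) if direction == "c2s"
                    else (self.server, self.client))
        end = seq + length + int("SYN" in flags) + int("FIN" in flags)

        if self.sloppy:
            # sloppy: flags drive the FSM, sequence numbers are never checked
            self._fsm(src, dst, flags)
            return True

        if src.seqlo == 0:               # first packet ever seen from this side
            src.seqlo = seq
            src.seqhi = end + max(1, dst.max_win)
            src.state = max(src.state, SYN_SENT)

        in_window = src.seqhi >= end and seq >= src.seqlo - dst.max_win
        # 'loose' match: the other side has never been seen, so allow up to
        # MAXACKWINDOW beyond seqhi.  This is what lets a DSR upload start at all.
        loose = (not in_window and dst.state < SYN_SENT
                 and end <= src.seqhi + MAXACKWINDOW
                 and seq >= src.seqlo - MAXACKWINDOW)
        if not (in_window or loose):
            return False

        src.max_win = max(src.max_win, win)
        src.seqlo = max(src.seqlo, end)
        # only packets from dst would slide src.seqhi; in DSR they never arrive
        dst.seqhi = max(dst.seqhi, ack + win)
        self._fsm(src, dst, flags)
        return True


def simulate_dsr_upload(sloppy, payload_bytes, mss=1460, client_isn=1000, server_isn=5000):
    """Client uploads payload_bytes to a DSR server; the firewall sees only
    client->server packets.  Returns (payload bytes passed before the first
    drop, state entry).  Constructed ISNs/MSS/window."""
    st = TcpState(client_isn, client_win=65535, sloppy=sloppy)
    # the server's SYN-ACK bypassed the firewall; the next packet seen is the client's ACK
    st.track("c2s", client_isn + 1, server_isn + 1, 0, 65535, {"ACK"})
    seq, passed = client_isn + 1, 0
    while passed < payload_bytes:
        length = min(mss, payload_bytes - passed)
        if not st.track("c2s", seq, server_isn + 1, length, 65535, {"ACK"}):
            break
        seq += length
        passed += length
    return passed, st


def blind_rst_passes(st, spoofed_seq):
    """Does a RST forged with a guessed, far-off-window sequence number (as if
    from the client) get through the firewall?  Sloppy mode cannot tell."""
    return st.track("c2s", spoofed_seq, 0, 0, 0, {"RST"})


if __name__ == "__main__":
    for mode in (False, True):
        passed, st = simulate_dsr_upload(mode, 1_000_000)
        print("sloppy" if mode else "full", "tracking passed", passed, "bytes;",
              "blind RST passes:", blind_rst_passes(st, 900_000))
```

In full mode the client's seqhi never moves because the server's ACKs are never seen, so the loose match is exhausted after 44 segments (64240 bytes with a 1460-byte MSS), which is the ~60KB stall the patch description mentions; sloppy mode passes the whole upload but also passes a RST with an arbitrary sequence number, which is the insertion/teardown exposure the backend has to cover itself.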


