From: Mark Felder
To: freebsd-net@FreeBSD.org
Date: Thu, 29 May 2014 12:30:00 GMT
Message-Id: <201405291230.s4TCU0f9077757@freefall.freebsd.org>
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10 [regression]
List-Id: Networking and TCP/IP with FreeBSD

The following reply was made to PR kern/190102; it has been noted by GNATS.

From: Mark Felder
To: bug-followup@FreeBSD.org
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10 [regression]
Date: Thu, 29 May 2014 07:25:31 -0500

The test box in particular is using pf and does not have any scrub statements in pf.conf.
The dropping of SYN+FIN worked for us in 9.1 and older just by setting net.inet.tcp.drop_synfin=1. We skipped 9.2 for the most part, so I don't have any experience with its behavior in production.