Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 30 May 2014 10:58:14 -0700
From:      hiren panchasara <hiren.panchasara@gmail.com>
To:        Eygene Ryabinkin <rea@freebsd.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
Message-ID:  <CALCpEUEG2H=L_OC7VQq%2Bx-xs5L16mzs3Q91Do%2Bu-2orGRvWAYQ@mail.gmail.com>
In-Reply-To: <%2BUw/Ss5bElti5gir%2B%2Bydy1GLu7M@dHhGgwofm7uNfL6/X5%2BbGIkDUYs>
References:  <201405222101.s4ML122N061489@freefall.freebsd.org> <%2BUw/Ss5bElti5gir%2B%2Bydy1GLu7M@dHhGgwofm7uNfL6/X5%2BbGIkDUYs>

next in thread | previous in thread | raw e-mail | index | archive | help
- bugs (as this is not related to it)

On Wed, May 28, 2014 at 10:46 PM, Eygene Ryabinkin <rea@freebsd.org> wrote:

> clearing FIN bit for SYN packets was
> the standard behaviour of pf since approximately at least 10 years,
>   http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242

I am curious, what's the rationale for this behavior? Why does PF
clear the FIN bit for such a packet being a firewall?

Cheers,
Hiren



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALCpEUEG2H=L_OC7VQq%2Bx-xs5L16mzs3Q91Do%2Bu-2orGRvWAYQ>