Date:      Fri, 30 May 2014 10:58:14 -0700
From:      hiren panchasara <hiren.panchasara@gmail.com>
To:        Eygene Ryabinkin <rea@freebsd.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
Message-ID:  <CALCpEUEG2H=L_OC7VQq+x-xs5L16mzs3Q91Do+u-2orGRvWAYQ@mail.gmail.com>
In-Reply-To: <+Uw/Ss5bElti5gir++ydy1GLu7M@dHhGgwofm7uNfL6/X5+bGIkDUYs>
References:  <201405222101.s4ML122N061489@freefall.freebsd.org> <+Uw/Ss5bElti5gir++ydy1GLu7M@dHhGgwofm7uNfL6/X5+bGIkDUYs>

- bugs (as this is not related to it)

On Wed, May 28, 2014 at 10:46 PM, Eygene Ryabinkin <rea@freebsd.org> wrote:

> clearing FIN bit for SYN packets was
> the standard behaviour of pf since approximately at least 10 years,
>   http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242

I am curious, what's the rationale for this behavior? Why does PF
clear the FIN bit for such a packet being a firewall?

Cheers,
Hiren


