From owner-freebsd-questions@FreeBSD.ORG Wed Jul 25 19:50:48 2007
Message-Id: <200707251950.l6PJoRxk029389@smtp.sixcompanies.com>
Date: Wed, 25 Jul 2007 14:50:26 -0500
From: JD Bronson
To: mlaier@freebsd.org
Cc: Jordan Gordeev, freebsd-questions@freebsd.org
Subject: Re: pf and keep/modulate state on 6.2
In-Reply-To: <200707252055.50780.max@love2party.net>
References: <200702252202.l1PM2r46003312@cheyenne.sixcompanies.com> <200702261159.l1QBx46X006755@cheyenne.sixcompanies.com> <46A1EA91.5000306@dir.bg> <200707252055.50780.max@love2party.net>

At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
>On Saturday 21 July 2007, Jordan Gordeev wrote:
> > I'm replying to an old and long-forgotten thread to report my recent
> > findings.
> > There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> > state modulates sequence numbers, but doesn't modulate sequence numbers in
> > TCP SACK options. Some firewalls block TCP segments with sequence
> > numbers in the SACK option pointing outside the window, which causes
> > connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> > src/sys/net/pf.c about a year and a half ago. The bug is present in
> > FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> > the big import of PF from OpenBSD 4.1.
> > I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> > him to deal with the issue by either porting the fix from OpenBSD, or
> > by documenting that modulate/synproxy state is broken.
>
>Good catch - sorry for the delay. Here is the diff (almost verbatim from
>OPENBSD_3_8). Please test and report back. I plan to commit this to
>RELENG_6 in a bit.
>
>--
>/"\ Best regards, | mlaier@freebsd.org
>\ / Max Laier | ICQ #67774661

Max - 3.8? Can't we get a bit closer and more up-to-date as far as staying
with pf and openbsd? I know pf changed - especially for OBSD 4.1 and it would
be nice to be CLOSER than 3.8?

-JD
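To make the bug Jordan describes concrete, here is an added Python model (not code from this thread, from pf, or from OpenBSD) of what modulate state must do with SACK options: shift every SACK edge by the same offset it applies to the header's seq/ack numbers, and a strict window check of the kind that drops a segment whose unshifted SACK block points outside the sender's outstanding data. The option bytes, the offset DELTA and the window bounds are constructed sample values.

```python
import struct

SACK_KIND = 5
MOD32 = 1 << 32

def _walk(opts):
    """Yield (offset, kind, length) per TCP option; EOL ends the list, NOP is one byte."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL
            return
        if kind == 1:                      # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length

def sack_blocks(opts):
    """Return the SACK blocks in the options as a list of (left, right) edges."""
    return [struct.unpack_from("!II", opts, o)
            for off, kind, length in _walk(opts) if kind == SACK_KIND
            for o in range(off + 2, off + length, 8)]

def modulate_sack(opts, delta):
    """Shift each SACK edge by delta (mod 2^32), like the header seq/ack rewrite; the unfixed pf skipped this."""
    out = bytearray(opts)
    for off, kind, length in _walk(out):
        if kind == SACK_KIND:
            for o in range(off + 2, off + length, 4):
                edge = struct.unpack_from("!I", out, o)[0]
                struct.pack_into("!I", out, o, (edge + delta) % MOD32)
    return bytes(out)

def seq_within(edge, lo, hi):
    """True if edge lies in [lo, hi] of wrap-around 32-bit sequence space."""
    return (edge - lo) % MOD32 <= (hi - lo) % MOD32

def sack_in_window(opts, snd_una, snd_nxt):
    """Strict middlebox check: every SACK edge must lie within the sender's outstanding data [snd_una, snd_nxt]."""
    return all(seq_within(left, snd_una, snd_nxt) and seq_within(right, snd_una, snd_nxt)
               for left, right in sack_blocks(opts))

# Constructed sample: NOP, NOP, SACK (kind 5, len 10) with one block, as the peer sent it in
# the modulated sequence space; DELTA is the (made-up) offset modulate state added to the ISN.
DELTA = 1_000_000
MODULATED_OPTS = b"\x01\x01" + struct.pack("!BBII", SACK_KIND, 10, 1_005_200, 1_005_300)
FIXED_OPTS = modulate_sack(MODULATED_OPTS, -DELTA)   # return direction: undo the offset
```

With the sender's window at [5100, 6000], the untouched block (1005200, 1005300) fails the check while the shifted block (5200, 5300) passes, which is the stall Jordan reports versus the fixed behaviour.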