Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 25 Jul 2007 14:50:26 -0500
From:      JD Bronson <jbronson@sixcompanies.com>
To:        mlaier@freebsd.org
Cc:        Jordan Gordeev <jgordeev@dir.bg>, freebsd-questions@freebsd.org
Subject:   Re: pf and keep/modulate state on 6.2
Message-ID:  <200707251950.l6PJoRxk029389@smtp.sixcompanies.com>
In-Reply-To: <200707252055.50780.max@love2party.net>
References:  <200702252202.l1PM2r46003312@cheyenne.sixcompanies.com> <200702261159.l1QBx46X006755@cheyenne.sixcompanies.com> <46A1EA91.5000306@dir.bg> <200707252055.50780.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
>On Saturday 21 July 2007, Jordan Gordeev wrote:
>
> > I'm replying to an old and long-forgotten thread to report my recent
> > findings.
> > There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> > state modulate sequence numbers, but don't modulate sequence numbers in
> > TCP SACK options. Some firewalls block TCP segments with sequence
> > numbers in the SACK option pointing outside the window, which causes
> > connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> > src/sys/net/pf.c about an year and a half ago. The bug is present in
> > FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> > the big import of PF from OpenBSD 4.1.
> > I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> > him to deal with the issue by either porting the fix from OpenBSD, or
> > by documenting that modulate/synproxy state is broken.
>
>Good catch - sorry for the delay.  Here is the diff (almost verbatim from
>OPENBSD_3_8).  Please test and report back.  I plan to commit this to
>RELENG_6 in a bit.
>
>--
>/"\  Best regards,                      | mlaier@freebsd.org
>\ /  Max Laier                          | ICQ #67774661


Max - 3.8? Cant we get a bit closer and more up-to-date as far as 
staying with pf and openbsd?

I know pf changed - especially for OBSD 4.1 and it would be nice to 
be CLOSER than 3.8 ?

-JD

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707251950.l6PJoRxk029389>