pf and keep/modulate state on 6.2

[Jordan Gordeev]

J.D. Bronson wrote:
> At 02:52 AM 02/26/2007, you wrote:
> 
>> Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
>> state, I was getting ~30K/sec. With just keep state, I'm now getting
>> more like what my connection is capable of. This is between two 6.2
>> hosts on opposite sides of the Atlantic.
>>
>> Ted, I use pf because I like the format of the configuration file, I
>> like the logging and pftop, and like how it's harder to lock yourself
>> out of a remote machine by accident :)
>>
>> /JMS
> 
> 
> I use pf since its newer (I think?) and I came from openbsd..pf just 
> works and the config file is nice and sweet.
> 
> I had thought that modulate state would put a load on my proc, but 
> sheesh, its a p4-3.06 - thats more than robust for a router.
> 
> I wonder if we should file a bug on this?
> 
> I am glad my post helped here. I still use modulate state for any 
> INCOMING connections though (www/smtp/etc).


I'm replying to an old and long-forgotten thread to report my recent 
findings.
There's a bug in PF with modulate/synproxy state. Modulate/synproxy 
state modulate sequence numbers, but don't modulate sequence numbers in 
TCP SACK options. Some firewalls block TCP segments with sequence 
numbers in the SACK option pointing outside the window, which causes 
connection stalls. The bug was fixed in OpenBSD with revision 1.509 of 
src/sys/net/pf.c about an year and a half ago. The bug is present in 
FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with 
the big import of PF from OpenBSD 4.1.
I'm CC-ing Max to notify him of the bug present in -STABLE and to ask 
him to deal with the issue by either porting the fix from OpenBSD, or by 
documenting that modulate/synproxy state is broken.