pf and keep/modulate state on 6.2
Jordan Gordeev
jgordeev at dir.bg
Thu Jul 26 20:20:04 UTC 2007
Max Laier wrote:
>On Saturday 21 July 2007, Jordan Gordeev wrote:
>
>>I'm replying to an old and long-forgotten thread to report my recent
>>findings.
>>There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>>state modulate sequence numbers, but don't modulate sequence numbers in
>>TCP SACK options. Some firewalls block TCP segments with sequence
>>numbers in the SACK option pointing outside the window, which causes
>>connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
>>src/sys/net/pf.c about an year and a half ago. The bug is present in
>>FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
>>the big import of PF from OpenBSD 4.1.
>>I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
>>him to deal with the issue by either porting the fix from OpenBSD, or
>>by documenting that modulate/synproxy state is broken.
>>
>>
>
>Good catch - sorry for the delay. Here is the diff (almost verbatim from
>OPENBSD_3_8). Please test and report back. I plan to commit this to
>RELENG_6 in a bit.
>
>
>
The patch fixed the problem I was having with modulate state and SACK on
my lightly loaded personal NAT box.
More information about the freebsd-questions
mailing list