> Things get sticky deep in the firewall code because our firewalls
> include credential-aware rules, which essentially "peek up the stack"
> in order to decide what user is associated with a packet before
> delivery to the connection is done.  The firewall rule lock is held
> over this lookup and inspection of TCP-layer state.  In the out-bound
> path, we pass down the TCP state reference (PCB pointer) and guarantee
> the lock is already held. However, in the in-bound direction, the
> firewall has to do the full lookup and lock acquisition, which
> reverses the lock order and can lead to deadlocks.

Thanks for the explanation :-)

Previously you pointed out the ipfw man page, which seems to say the
same thing (albeit with much less detail):

  gid group
    Matches all TCP or UDP packets sent by or received for a group.
    A group may be specified by name or number.  This option should
    be used only if debug.mpsafenet=0 to avoid possible deadlocks due
    to layering violations in its implementation.

Setting debug.mpsafenet=0 worked for me until the TCP timer change. Is
the LOR situation always true for every inbound packet, or only with
certain firewall rules in place?

That question has me wondering if I can avoid the issue by avoiding
certain PF features. My current ruleset is pretty simple. If I drop the
variables definitions and comments, the whole thing is 13 lines:

nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $int_if proto tcp from $internal_net to any port ftp -> port 8021
block log all
pass quick on lo0 all
pass quick on $int_if proto ospf all
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
pass in on $int_if from $metanetwork to any
pass out on $int_if from any to $metanetwork
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
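The lock-order reversal described in the quoted explanation, replayed through a small witness-style order tracker. This is an added illustration, not FreeBSD code: the two lock names, the single-thread model and the assumption that only a credential-aware rule has to lock the PCB on the inbound path are mine.

```c
#include <stdbool.h>
enum lock_id { LK_FW_RULES, LK_TCP_PCB, LK_COUNT };   /* the two lock classes in the thread */

/* Witness-style order tracker: seen[a][b] records that a was held when b was taken. */
struct witness {
    bool seen[LK_COUNT][LK_COUNT];
    bool held[LK_COUNT];          /* locks currently held by the simulated thread */
    int reversals;
};
/* Record an acquisition; count a reversal if the opposite order was seen earlier. */
static void witness_lock(struct witness *w, enum lock_id l)
{
    for (int h = 0; h < LK_COUNT; h++) {
        if (!w->held[h]) continue;
        if (w->seen[l][h]) w->reversals++;   /* l-before-h seen earlier, now h-before-l */
        w->seen[h][l] = true;
    }
    w->held[l] = true;
}
static void witness_unlock(struct witness *w, enum lock_id l) { w->held[l] = false; }

/* Outbound: TCP already holds the PCB lock and hands the PCB down to the firewall,
 * whose credential rule inspects TCP state under the rule lock. */
static void outbound_path(struct witness *w)
{
    witness_lock(w, LK_TCP_PCB);
    witness_lock(w, LK_FW_RULES);
    witness_unlock(w, LK_FW_RULES);
    witness_unlock(w, LK_TCP_PCB);
}
/* Inbound: the rule lock is taken first; a credential rule then has to look up
 * and lock the PCB itself. Modelling assumption: other rules never touch the PCB. */
static void inbound_path(struct witness *w, bool credential_rule)
{
    witness_lock(w, LK_FW_RULES);
    if (credential_rule) {
        witness_lock(w, LK_TCP_PCB);
        witness_unlock(w, LK_TCP_PCB);
    }
    witness_unlock(w, LK_FW_RULES);
}
/* Replay one outbound then one inbound packet; return the reversals detected. */
int count_reversals(bool credential_rule)
{
    struct witness w = {0};
    outbound_path(&w);
    inbound_path(&w, credential_rule);
    return w.reversals;
}
```

With a credential rule in the set the inbound packet trips the reversal once the outbound order has been recorded; without one the two paths never hold both locks in opposite order.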