kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
Eygene Ryabinkin
rea at freebsd.org
Thu May 29 05:46:50 UTC 2014
I assume that your pf(4) is enabled during these tests, you have
"scrub" statements in the ruleset and removing "scrub" will restore
the expected behaviour on 10.x?
I am slightly amused that on 9.x with "scrub" you're getting the
expected behaviour, because clearing FIN bit for SYN packets was
the standard behaviour of pf since approximately at least 10 years,
http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
Can you show relevant parts of the pf.conf from both machines
and output from 'pfctl -s rules' if you are sure that both machines
are configured identically pf-wise?
Thanks!
--
Eygene Ryabinkin ,,,^..^,,,
[ Life's unfair - but root password helps! | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 358 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20140529/2be9e170/attachment.sig>
More information about the freebsd-net
mailing list