kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]

Eygene Ryabinkin rea at freebsd.org
Thu May 29 05:50:01 UTC 2014


The following reply was made to PR kern/190102; it has been noted by GNATS.

From: Eygene Ryabinkin <rea at freebsd.org>
To: FreeBSD GNATS followup <bug-followup at freebsd.org>,
	freebsd-net at freebsd.org
Cc:  
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on
 FreeBSD 10+ [regression]
Date: Thu, 29 May 2014 09:46:45 +0400

 I assume that your pf(4) is enabled during these tests, you have
 "scrub" statements in the ruleset and removing "scrub" will restore
 the expected behaviour on 10.x?
 
 I am slightly amused that on 9.x with "scrub" you're getting the
 expected behaviour, because clearing the FIN bit for SYN packets has
 been the standard behaviour of pf for approximately at least 10 years,
   http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
 
 Can you show relevant parts of the pf.conf from both machines
 and output from 'pfctl -s rules' if you are sure that both machines
 are configured identically pf-wise?
 
 Thanks!
 -- 
 Eygene Ryabinkin                                        ,,,^..^,,,
 [ Life's unfair - but root password helps!           | codelabs.ru ]
 [ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
 

