pf and keep/modulate state on 6.2
drew at mykitchentable.net
Thu Jul 26 00:07:56 UTC 2007
On 7/25/2007 12:50 PM JD Bronson wrote:
> At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
>> On Saturday 21 July 2007, Jordan Gordeev wrote:
>> > I'm replying to an old and long-forgotten thread to report my recent
>> > findings.
>> > There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>> > state modulate sequence numbers, but don't modulate sequence
>> numbers in
>> > TCP SACK options. Some firewalls block TCP segments with sequence
>> > numbers in the SACK option pointing outside the window, which causes
>> > connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
>> > src/sys/net/pf.c about an year and a half ago. The bug is present in
>> > FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
>> > the big import of PF from OpenBSD 4.1.
>> > I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
>> > him to deal with the issue by either porting the fix from OpenBSD, or
>> > by documenting that modulate/synproxy state is broken.
>> Good catch - sorry for the delay. Here is the diff (almost verbatim
>> OPENBSD_3_8). Please test and report back. I plan to commit this to
>> RELENG_6 in a bit.
>> /"\ Best regards, | mlaier at freebsd.org
>> \ / Max Laier | ICQ #67774661
> Max - 3.8? Cant we get a bit closer and more up-to-date as far as
> staying with pf and openbsd?
> I know pf changed - especially for OBSD 4.1 and it would be nice to be
> CLOSER than 3.8 ?
Excuse me for butting in. This has been discussed on the pf list. A
search of the archives will find you the details but basically 4.1 and
FBSD 6 won't work together as I understand it. Major changes are
required. However work has been done in CURRENT and is undergoing
testing now but will not be back ported to STABLE because of the major
Be a Great Magician!
Visit The Alchemist's Warehouse
More information about the freebsd-questions