Date:      Thu, 12 Dec 2024 11:53:25 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        freebsd-current@freebsd.org
Subject:   Re: (ipfw) Re: HELP! fetch: stuck forever OR error: RPC failed: curl 56 recv failure: Operation timed out
Message-ID:  <dc452c86-4a39-4a75-9d56-ee69f16987ee@yandex.ru>
In-Reply-To: <f37a769d-99ea-4bd8-ba93-e7a7425c940b@FreeBSD.org>
References:  <20241206034709.4dd32cc5@thor.intern.walstatt.dynvpn.de> <279848701.11738.1733510402875@localhost> <20241206210947.3ae835e4@thor.intern.walstatt.dynvpn.de> <f8952585-4b68-4cfd-a60f-1ebbd7f2545f@FreeBSD.org> <8E43EAA1-BA3E-4655-ACE1-2E4523E901DE@FreeBSD.org> <20241209214314.2443b590d774423a2b97f0a8@dec.sakura.ne.jp> <20241209174541.39c286f5@thor.intern.walstatt.dynvpn.de> <20241210022710.88c9087dd7cb09774507f232@dec.sakura.ne.jp> <20241209191947.39ac4843@thor.intern.walstatt.dynvpn.de> <6B720B82-09EF-4208-B814-B6BD75FC2F0E@FreeBSD.org> <f37a769d-99ea-4bd8-ba93-e7a7425c940b@FreeBSD.org>

On 11.12.2024 16:25, Ronald Klop wrote:
> I did a bisect of commits and my finding is that commit 347dd053 on 
> 2024-11-29 is the cause.
> 
> "tcp: add TH_AE capabilities to ppp and pf"
> https://github.com/freebsd/freebsd-src/commit/347dd0539f3a75fdf2128dd4620ca99e96f311e9
> 
> The commit before (0fc7bdc978) works fine.
> 
> I cc'ed the author of the commit.
> (for context: start of the thread is here: 
> https://lists.freebsd.org/archives/freebsd-current/2024-December/006778.html, it looks like the commit breaks a stateful ipfw firewall)

Hi,

thanks for bisecting. I think this patch should fix the problem with 
stateful ipfw:

--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -927,7 +927,7 @@ print_dyn_rule_flags(const struct ipfw_flow_id *id, 
int dyn_type,
  #define        _SEQ_GE(a,b)    ((int)((a)-(b)) >= 0)
  #define        BOTH_SYN        (TH_SYN | (TH_SYN << 8))
  #define        BOTH_FIN        (TH_FIN | (TH_FIN << 8))
-#define        TCP_FLAGS       (TH_FLAGS | (TH_FLAGS << 8))
+#define        TCP_FLAGS       ((TH_FLAGS & 0xff) | ((TH_FLAGS & 0xff) 
<< 8))
  #define        ACK_FWD         0x00010000      /* fwd ack seen */
  #define        ACK_REV         0x00020000      /* rev ack seen */
  #define        ACK_BOTH        (ACK_FWD | ACK_REV)
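
Review bot: the 0xff in the new TCP_FLAGS definition is an unexplained magic number, written twice on the + line. The neighbouring macros show the layout it protects: BOTH_SYN and BOTH_FIN keep one direction's flags in the low byte and the other direction's at "<< 8", and ACK_FWD starts at 0x00010000, so any TH_FLAGS bit above 0xff would land in the shifted byte and, once shifted itself, in the ACK_FWD/ACK_REV bits. Suggest a one-line comment stating that the state word stores only the low 8 TCP flag bits per direction, or defining the masked value once and reusing it in both halves, so that a later change to TH_FLAGS cannot silently alter this mask again.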

-- 
WBR, Andrey V. Elsukov



