Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 18 Apr 2018 00:31:07 +0200
From:      Andreas Longwitz <longwitz@incore.de>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, freebsd-net@freebsd.org
Subject:   Re: Changed behaviour of pf after new handling of EACCES in tcp_output() in r315514
Message-ID:  <5AD675AB.803@incore.de>
In-Reply-To: <1f7edaeb-8a88-a99c-b427-cc19a693172a@yandex.ru>
References:  <5AD5FE79.7050309@incore.de> <1f7edaeb-8a88-a99c-b427-cc19a693172a@yandex.ru>

next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for quick answer,

> This change was based on
> 	https://svnweb.freebsd.org/base?view=revision&revision=309610
> 
> Now I think it can be removed, because:
> 
> 1. SAs should be configured by application before initiating of TCP
> connection;
> 2. If there are no matching SAs, connection will be dropped after
> several tries.
> 3. Even if connection will be dropped after first failed SYN, there is
> special tcps_sig_err_buildsig error counter, that will be incremented
> and we can determine the cause.

So you introduced the change as part of the new IPSec project and not to
help pf in the special situation of reloading rukes (Bug 214613), correct ?

> So, can you try this patch? And maybe someone who uses TCP-MD5 can try
> it too (with and without configured SAs)?

I tried your patch on FreeBSD 11 (r331217) and FreeBSD 12 (r328652) and
pf workes in both cases as expected, the telnet command now returned
immediately.

Compared to the old behaviour your patch reverted two lines in
tcp_output.c but not the line "EACCES:". I think thats what you wanted,
tp->t_softerror is now set to EACCESS, when this error occurs. It seems
to me that this does not make a big difference, but maybe I am wrong.

Do you plan to commit your patch ?


Andreas Longwitz




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5AD675AB.803>