From owner-freebsd-net@freebsd.org Tue Apr 17 22:31:19 2018
From: Andreas Longwitz <longwitz@incore.de>
To: "Andrey V. Elsukov", freebsd-net@freebsd.org
Subject: Re: Changed behaviour of pf after new handling of EACCES in tcp_output() in r315514
Date: Wed, 18 Apr 2018 00:31:07 +0200
Message-ID: <5AD675AB.803@incore.de>
In-Reply-To: <1f7edaeb-8a88-a99c-b427-cc19a693172a@yandex.ru>
References: <5AD5FE79.7050309@incore.de> <1f7edaeb-8a88-a99c-b427-cc19a693172a@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

Thanks for quick answer,

> This change was based on
> https://svnweb.freebsd.org/base?view=revision&revision=309610
>
> Now I think it can be removed, because:
>
> 1. SAs should be configured by application before initiating of TCP
> connection;
> 2. If there are no matching SAs, connection will be dropped after
> several tries.
> 3. Even if connection will be dropped after first failed SYN, there is
> special tcps_sig_err_buildsig error counter, that will be incremented
> and we can determine the cause.

So you introduced the change as part of the new IPSec project and not to help pf in the special situation of reloading rules (Bug 214613), correct?

> So, can you try this patch? And maybe someone who uses TCP-MD5 can try
> it too (with and without configured SAs)?

I tried your patch on FreeBSD 11 (r331217) and FreeBSD 12 (r328652) and pf works in both cases as expected; the telnet command now returned immediately. Compared to the old behaviour, your patch reverted two lines in tcp_output.c but not the line "EACCES:". I think that's what you wanted: tp->t_softerror is now set to EACCES when this error occurs. It seems to me that this does not make a big difference, but maybe I am wrong.

Do you plan to commit your patch?

Andreas Longwitz