From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-net@freebsd.org, d@delphij.net
Cc: freebsd-pf@freebsd.org
Date: Thu, 20 Aug 2009 11:08:38 +0200
Subject: Re: (just for fun) port of OpenBSD pf's sloppy mode
Message-Id: <200908201108.39177.max@love2party.net>
In-Reply-To: <4A8CFDAF.1000309@delphij.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Nice work! Thanks a lot!
On Thursday 20 August 2009 09:39:27 Xin LI wrote:
> Since there is an effort underway to port a newer pf version to FreeBSD,
> I think this work would not be useful for inclusion in -CURRENT.
> However, I'd like to share it here as someone may find it useful before
> the new pf code hits the tree. The patch can also be downloaded from my

I disagree about the usefulness of this. As your patch doesn't affect the
ABI, this could make it into 8.1 (which the all-new pf won't). With SVN it
is also much simpler to manage the vendor branch differences now.

> website:
>
> http://www.delphij.net/pf-sloppy.diff

freebsd-pf@: test and provide feedback - I know people have asked about
this in the past.

> About this patch:
>
> When pf(4) is operating in a manner where not all packets go through
> it, specifically when being used in a DSR ("Direct Server Return")
> network, the strict TCP state tracking would prevent some packets from
> being able to pass through. This can show up as the connection stalling
> at ~60KB when you upload files (may differ if you have special TCP
> settings), or as stalled connections.
>
> With this change, pf.conf would support a new syntax, i.e. "(sloppy)" as
> a state flag, e.g.:
>
> pass in quick on em0 route-to { (em1 $server1), (em1 $server2) } \
>     round-robin proto tcp from any to $ext_ip port 80 keep state (sloppy)
>
> When enabled, the "sloppy" TCP FSM would be activated, which loosens the
> state check. When using this option, the backend server has to use its
> own mechanism to prevent ICMP teardown attacks and/or insertion attacks,
> so please use caution and limit the use to cases where pf(4) won't see
> some packets in the connection.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
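The ~60KB upload stall and the insertion/teardown caveat in Xin LI's quoted text above, worked through as an added example that is not part of this thread, of the patch, or of pf(4)'s code. StrictTracker is a toy tracker in the spirit of pf's full TCP tracking (the last ACK and window the filter saw from the peer bound what a side may send); SloppyTracker follows flags only. The segment size, window, initial sequence numbers, the 64 KiB of slack a side gets while its peer has never been seen, and the forged RST are all constructed for the model; sequence numbers do not wrap.

```python
"""Strict vs sloppy TCP state tracking when the filter sees one direction only.

Added illustration, not pf(4) code.  All numbers (MSS, window, ISNs, slack)
are constructed for the model; sequence numbers do not wrap.
"""
from dataclasses import dataclass

MSS = 1460
WIN = 65535               # constructed: both stacks advertise a 64 KiB window
NEVER_SEEN_SLACK = 65535  # model's slack for a side whose peer was never seen


@dataclass
class Segment:
    direction: str        # "in": client -> server, "out": server -> client
    seq: int
    ack: int
    win: int
    length: int = 0
    syn: bool = False
    rst: bool = False

    @property
    def end(self):
        """Sequence number just past this segment (a SYN occupies one)."""
        return self.seq + self.length + (1 if self.syn else 0)


@dataclass
class _Side:
    seen: bool = False
    seqhi: int = 0        # highest sequence end this side may send


class StrictTracker:
    """Drops segments outside the window the peer advertised to the filter."""

    def __init__(self):
        self.sides = {"in": _Side(), "out": _Side()}

    def track(self, seg):
        src = self.sides[seg.direction]
        dst = self.sides["out" if seg.direction == "in" else "in"]
        if not src.seen:
            src.seen = True   # first segment from this side: accept it
            src.seqhi = max(src.seqhi, seg.end)
        elif seg.end > src.seqhi:
            # Beyond what the peer allowed.  Bounded slack while the peer was
            # never seen, otherwise drop.  Nothing here advances src.seqhi:
            # only ACKs from the peer do that, and in DSR they never arrive.
            if dst.seen or seg.end > src.seqhi + NEVER_SEEN_SLACK:
                return False
        # This segment's ACK + window is what the *other* side may send next.
        dst.seqhi = max(dst.seqhi, seg.ack + seg.win)
        return True


class SloppyTracker:
    """Keeps a state and follows SYN/RST; performs no sequence checks."""

    def __init__(self):
        self.open = self.closed = False

    def track(self, seg):
        if self.closed:
            return False
        if seg.syn:
            self.open = True
        if not self.open:
            return False
        if seg.rst:
            self.closed = True  # any RST on the 4-tuple tears the state down
        return True


def client_upload(total_bytes, dsr=False, client_isn=1000, server_isn=5_000_000):
    """Constructed handshake plus a client upload of total_bytes.

    With dsr=True the filter never sees the server's half (SYN-ACK and ACKs
    go straight back to the client, as in Direct Server Return).
    """
    segs = [Segment("in", client_isn, 0, WIN, syn=True)]
    if not dsr:
        segs.append(Segment("out", server_isn, client_isn + 1, WIN, syn=True))
    segs.append(Segment("in", client_isn + 1, server_isn + 1, WIN))
    seq, sent = client_isn + 1, 0
    while sent < total_bytes:
        n = min(MSS, total_bytes - sent)
        segs.append(Segment("in", seq, server_isn + 1, WIN, n))
        seq, sent = seq + n, sent + n
        if not dsr:  # server ACKs each segment, sliding the client's window
            segs.append(Segment("out", server_isn + 1, seq, WIN))
    return segs


def bytes_passed(tracker, segs):
    """Client payload bytes accepted before the first drop (all if none)."""
    passed = 0
    for s in segs:
        if not tracker.track(s):
            return passed
        if s.direction == "in":
            passed += s.length
    return passed


def forged_rst_accepted(tracker_cls, dsr=False):
    """Does a RST with a sequence number far outside the window get through?"""
    t = tracker_cls()
    for s in client_upload(10_000, dsr=dsr):
        t.track(s)
    return t.track(Segment("in", 999_999_999, 0, 0, rst=True))


if __name__ == "__main__":
    for name, cls in (("strict", StrictTracker), ("sloppy", SloppyTracker)):
        for dsr in (False, True):
            got = bytes_passed(cls(), client_upload(200_000, dsr=dsr))
            print(f"{name} dsr={dsr}: {got} of 200000 upload bytes passed")
        print(f"{name}: forged RST accepted = {forged_rst_accepted(cls)}")
```

With both directions visible the strict tracker passes the whole upload; with the server's half hidden it passes 44 full segments (64240 bytes, the "~60KB") and then drops everything, because the client's allowed window is never slid by an ACK the filter cannot see. The sloppy tracker passes the upload in both cases, but also accepts a RST with an arbitrary sequence number and tears the state down, which is the insertion/teardown exposure the quoted text says the backend must handle itself.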