From owner-svn-src-all@FreeBSD.ORG Tue Dec 11 08:37:09 2012
Delivered-To: svn-src-all@freebsd.org
Message-Id: <201212110837.qBB8b8m8042268@svn.freebsd.org>
From: Gleb Smirnoff Date: Tue, 11 Dec 2012 08:37:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r244113 - head/sys/netpfil/pf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Dec 2012 08:37:09 -0000 Author: glebius Date: Tue Dec 11 08:37:08 2012 New Revision: 244113 URL: http://svnweb.freebsd.org/changeset/base/244113 Log: Merge 1.127 from OpenBSD, that closes a regression from 1.125 (merged as r242694): do better detection of when we have a better version of the tcp sequence windows than our peer. this resolves the last of the pfsync traffic storm issues ive been able to produce, and therefore makes it possible to do usable active-active statuful firewalls with pf. Modified: head/sys/netpfil/pf/if_pfsync.c Modified: head/sys/netpfil/pf/if_pfsync.c ============================================================================== --- head/sys/netpfil/pf/if_pfsync.c Tue Dec 11 07:08:14 2012 (r244112) +++ head/sys/netpfil/pf/if_pfsync.c Tue Dec 11 08:37:08 2012 (r244113) @@ -47,7 +47,7 @@ * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates * 1.120, 1.175 - use monotonic time_uptime * 1.122 - reduce number of updates for non-TCP sessions - * 1.125 - rewrite merge or stale processing + * 1.125, 1.127 - rewrite merge or stale processing * 1.128 - cleanups * 1.146 - bzero() mbuf before sparsely filling it with data * 1.170 - SIOCSIFMTU checks 
@@ -787,12 +787,15 @@ pfsync_upd_tcp(struct pf_state *st, stru if ((st->src.state > src->state && (st->src.state < PF_TCPS_PROXY_SRC || src->state >= PF_TCPS_PROXY_SRC)) || - SEQ_GT(st->src.seqlo, ntohl(src->seqlo))) + + (st->src.state == src->state && + SEQ_GT(st->src.seqlo, ntohl(src->seqlo)))) sync++; else pf_state_peer_ntoh(src, &st->src); - if (st->dst.state > dst->state || + if ((st->dst.state > dst->state) || + (st->dst.state >= TCPS_SYN_SENT && SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo)))) sync++;
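Review bot: the merge-tracking comment in the first hunk now reads `1.125, 1.127 - rewrite merge or stale processing`, but per the log message 1.127 closes a regression in 1.125 rather than being a second rewrite; noting that in the comment (for example `1.125, 1.127 - rewrite merge or stale processing, fix seqlo test`) would tell the next reader which OpenBSD revision to consult when the src and dst comparisons below look asymmetric.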
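Review bot: in the pfsync_upd_tcp() hunk the src and dst halves now gate the sequence-number test differently, and that asymmetry deserves a comment. On the src side `SEQ_GT(st->src.seqlo, ntohl(src->seqlo))` only counts when `st->src.state == src->state`, so a peer whose state is further along is adopted even if our seqlo is higher; on the dst side it counts whenever `st->dst.state >= TCPS_SYN_SENT`, independent of how the two states compare. If that is the intended reading of OpenBSD 1.127 (the dst window is only meaningful once the connection has left the pre-SYN states, while on the src side the state number is the primary key), a one-line comment saying so would save the next reader a trip to the OpenBSD tree. Separately, the bare `+` line inserted between `||` and `(st->src.state == src->state &&` leaves an empty line in the middle of the condition; drop it so the expression reads as one statement, as style(9) expects.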
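The log message says the change is about "better detection of when we have a better version of the tcp sequence windows than our peer". The following is an added example, not FreeBSD's or OpenBSD's code: it models the src-side decision in the hunk both before and after r244113 and runs two pfsync peers against each other to show why the old test kept them swapping updates (the "pfsync traffic storm" in the log) while the new one converges. The struct and function names (`peer_side`, `wire_side`, `merge_src`, `rounds_to_converge`) are hypothetical, the state numbers are constants I copied in from memory of tcp_fsm.h and pfvar.h (only their ordering matters here), and the sample states are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>	/* htonl()/ntohl(): pfsync carries seqlo in network order */

/* Wraparound-safe TCP sequence comparison, same form as SEQ_GT in <netinet/tcp_seq.h>. */
#define SEQ_GT(a, b)	((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

/*
 * TCP state numbers and pf's proxy state. Values as I recall them from
 * tcp_fsm.h / pfvar.h (assumption); for this model only the ordering matters.
 */
enum {
	TCPS_CLOSED = 0, TCPS_LISTEN = 1, TCPS_SYN_SENT = 2,
	TCPS_SYN_RECEIVED = 3, TCPS_ESTABLISHED = 4, TCP_NSTATES = 11,
	PF_TCPS_PROXY_SRC = TCP_NSTATES + 0
};

/* Our in-kernel copy of one side of a TCP state (host byte order). */
struct peer_side {
	uint8_t		state;
	uint32_t	seqlo;
};

/* The same side as carried in a pfsync update (seqlo in network byte order). */
struct wire_side {
	uint8_t		state;
	uint32_t	seqlo;
};

/* Pre-r244113 src rule: a higher seqlo forced a sync on its own. */
static bool
src_newer_old(const struct peer_side *ours, const struct wire_side *theirs)
{
	if (ours->state > theirs->state &&
	    (ours->state < PF_TCPS_PROXY_SRC || theirs->state >= PF_TCPS_PROXY_SRC))
		return (true);
	return (SEQ_GT(ours->seqlo, ntohl(theirs->seqlo)));
}

/* r244113 src rule: seqlo only decides when both copies are in the same state. */
static bool
src_newer_new(const struct peer_side *ours, const struct wire_side *theirs)
{
	if (ours->state > theirs->state &&
	    (ours->state < PF_TCPS_PROXY_SRC || theirs->state >= PF_TCPS_PROXY_SRC))
		return (true);
	return (ours->state == theirs->state &&
	    SEQ_GT(ours->seqlo, ntohl(theirs->seqlo)));
}

/* r244113 dst rule: seqlo counts once the connection has left the pre-SYN states. */
static bool
dst_newer_new(const struct peer_side *ours, const struct wire_side *theirs)
{
	return (ours->state > theirs->state ||
	    (ours->state >= TCPS_SYN_SENT &&
	    SEQ_GT(ours->seqlo, ntohl(theirs->seqlo))));
}

/*
 * Process one incoming update for the src side. Returns 1 if we would push
 * our own version back (the sync++ path), 0 if we adopt the peer's copy
 * (the pf_state_peer_ntoh() path).
 */
static int
merge_src(struct peer_side *ours, const struct wire_side *theirs, bool new_rule)
{
	if (new_rule ? src_newer_new(ours, theirs) : src_newer_old(ours, theirs))
		return (1);
	ours->state = theirs->state;
	ours->seqlo = ntohl(theirs->seqlo);
	return (0);
}

/*
 * Two pfsync peers, a and b, exchange their copies of the src side once per
 * round. Returns the round after which neither peer pushes back, or -1 if
 * they are still trading updates after max_rounds (a storm).
 */
static int
rounds_to_converge(struct peer_side a, struct peer_side b, bool new_rule, int max_rounds)
{
	for (int r = 1; r <= max_rounds; r++) {
		struct wire_side from_a = { a.state, htonl(a.seqlo) };
		struct wire_side from_b = { b.state, htonl(b.seqlo) };
		int sa = merge_src(&a, &from_b, new_rule);
		int sb = merge_src(&b, &from_a, new_rule);
		if (sa == 0 && sb == 0)
			return (r);
	}
	return (-1);
}

int
main(void)
{
	/* Constructed sample: a lags in state but holds a higher seqlo. */
	struct peer_side a = { TCPS_SYN_SENT, 1100 };
	struct peer_side b = { TCPS_ESTABLISHED, 1000 };

	printf("old rule converges after round %d\n", rounds_to_converge(a, b, false, 10));
	printf("new rule converges after round %d\n", rounds_to_converge(a, b, true, 10));
	return (0);
}
```

With the old test, peer a keeps insisting its higher seqlo wins while peer b keeps insisting its higher state wins, so every round both push an update and the pair never settles. With the r244113 test, a defers to b's more advanced state in round one and the copies agree from round two on, which is the behaviour an active-active pair needs: the sync traffic is bounded by real state changes rather than by a disagreement that neither side can resolve.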