Date:      Tue, 11 Dec 2012 08:37:08 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r244113 - head/sys/netpfil/pf
Message-ID:  <201212110837.qBB8b8m8042268@svn.freebsd.org>

Author: glebius
Date: Tue Dec 11 08:37:08 2012
New Revision: 244113
URL: http://svnweb.freebsd.org/changeset/base/244113

Log:
  Merge 1.127 from OpenBSD, that closes a regression from 1.125 (merged
  as r242694):
    do better detection of when we have a better version of the tcp sequence
    windows than our peer.
  
    this resolves the last of the pfsync traffic storm issues I've been able to
    produce, and therefore makes it possible to do usable active-active
    stateful firewalls with pf.

Modified:
  head/sys/netpfil/pf/if_pfsync.c

Modified: head/sys/netpfil/pf/if_pfsync.c
==============================================================================
--- head/sys/netpfil/pf/if_pfsync.c	Tue Dec 11 07:08:14 2012	(r244112)
+++ head/sys/netpfil/pf/if_pfsync.c	Tue Dec 11 08:37:08 2012	(r244113)
@@ -47,7 +47,7 @@
  * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates
  * 1.120, 1.175 - use monotonic time_uptime
  * 1.122 - reduce number of updates for non-TCP sessions
- * 1.125 - rewrite merge or stale processing
+ * 1.125, 1.127 - rewrite merge or stale processing
  * 1.128 - cleanups
  * 1.146 - bzero() mbuf before sparsely filling it with data
  * 1.170 - SIOCSIFMTU checks
@@ -787,12 +787,15 @@ pfsync_upd_tcp(struct pf_state *st, stru
 	if ((st->src.state > src->state &&
 	    (st->src.state < PF_TCPS_PROXY_SRC ||
 	    src->state >= PF_TCPS_PROXY_SRC)) ||
-	    SEQ_GT(st->src.seqlo, ntohl(src->seqlo)))
+
+	    (st->src.state == src->state &&
+	    SEQ_GT(st->src.seqlo, ntohl(src->seqlo))))
 		sync++;
 	else
 		pf_state_peer_ntoh(src, &st->src);
 
-	if (st->dst.state > dst->state ||
+	if ((st->dst.state > dst->state) ||
+
 	    (st->dst.state >= TCPS_SYN_SENT &&
 	    SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))))
 		sync++;
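
Review bot: the src condition now only counts a newer local seqlo when st->src.state == src->state, while the dst condition still gates the same SEQ_GT() test on st->dst.state >= TCPS_SYN_SENT with no equality requirement, and nothing in the code says why the two directions differ. A short comment above each test stating the intended rule would help, in particular for the case where st->src.state < src->state and the local seqlo is ahead: that case used to bump sync and now falls through to pf_state_peer_ntoh(src, &st->src), overwriting the local peer state. The dst side of the hunk is cosmetic only (extra parentheses around st->dst.state > dst->state), and the empty added lines inside both if conditions split the expressions for no reason; I would drop them so each condition reads as one block.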


