From owner-freebsd-pf@FreeBSD.ORG  Thu Jul 26 21:20:02 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4827816A41F
	for <freebsd-pf@freebsd.org>; Thu, 26 Jul 2007 21:20:02 +0000 (UTC)
	(envelope-from jgordeev@dir.bg)
Received: from dir.bg (mail.dir.bg [194.145.63.28])
	by mx1.freebsd.org (Postfix) with ESMTP id CB85313C478
	for <freebsd-pf@freebsd.org>; Thu, 26 Jul 2007 21:20:00 +0000 (UTC)
	(envelope-from jgordeev@dir.bg)
Received: from [77.85.115.15] (account jgordeev HELO [10.102.9.50])
	by dir.bg (CommuniGate Pro SMTP 4.2.10)
	with ESMTP-TLS id 24235065; Thu, 26 Jul 2007 23:19:59 +0300
Message-ID: <46A90266.5050204@dir.bg>
Date: Thu, 26 Jul 2007 23:21:58 +0300
From: Jordan Gordeev <jgordeev@dir.bg>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7) Gecko/20070411
X-Accept-Language: bg, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <200702252202.l1PM2r46003312@cheyenne.sixcompanies.com>
	<200702261159.l1QBx46X006755@cheyenne.sixcompanies.com>
	<46A1EA91.5000306@dir.bg> <200707252055.50780.max@love2party.net>
In-Reply-To: <200707252055.50780.max@love2party.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: pf and keep/modulate state on 6.2
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2007 21:20:02 -0000

Max Laier wrote:

>On Saturday 21 July 2007, Jordan Gordeev wrote:
>
>>I'm replying to an old and long-forgotten thread to report my recent
>>findings.
>>There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>>state modulate sequence numbers, but don't modulate sequence numbers in
>>TCP SACK options. Some firewalls block TCP segments with sequence
>>numbers in the SACK option pointing outside the window, which causes
>>connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
>>src/sys/net/pf.c about a year and a half ago. The bug is present in
>>FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
>>the big import of PF from OpenBSD 4.1.
>>I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
>>him to deal with the issue by either porting the fix from OpenBSD, or
>>by documenting that modulate/synproxy state is broken.
>
>Good catch - sorry for the delay.  Here is the diff (almost verbatim from 
>OPENBSD_3_8).  Please test and report back.  I plan to commit this to 
>RELENG_6 in a bit.
>
The patch fixed the problem I was having with modulate state and SACK on 
my lightly loaded personal NAT box.
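
Added illustration, not pf's code and not the diff Max posted: a C function that does what the fix discussed in this thread has to do, walk the TCP option list of a segment and shift every SACK block edge by the sequence-number offset that modulate state applied, so the edges keep pointing inside the peer's window. The function names, the constructed sample option bytes and the offset value are my own for the illustration. It subtracts the offset of the peer whose bytes the SACK edges describe (the same side whose offset is applied to the ACK number); that is my reading of how pf handles it, not something the thread states. The TCP checksum fix-up that a real implementation must also perform is omitted.

```c
/* Added example (not from pf): shift SACK block edges by the modulation
 * offset.  Without this step the edges still name the unmodulated
 * sequence space, which is the stall the thread above describes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_SACK  5
#define TCPOLEN_SACK 8   /* one block: 32-bit left edge + 32-bit right edge */

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Subtract seqdiff (mod 2^32, via unsigned arithmetic) from every SACK
 * edge in opts[0..optlen).  seqdiff is the offset the firewall added to
 * the peer's sequence numbers, so edges naming the peer's bytes move back
 * by the same amount (assumption: pf applies the destination peer's
 * offset here).  Returns the number of blocks rewritten, or -1 for a
 * malformed option list (length < 2 or running past optlen), in which
 * case nothing is modified. */
int modulate_sack(uint8_t *opts, size_t optlen, uint32_t seqdiff)
{
    size_t i = 0;
    int blocks = 0;

    /* Pass 1: validate, so a bad list is never left half-rewritten. */
    while (i < optlen) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return -1;               /* kind without length */
        if (opts[i + 1] < 2 || i + opts[i + 1] > optlen) return -1;
        i += opts[i + 1];
    }
    /* Pass 2: rewrite whole 8-byte blocks inside each SACK option. */
    i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        uint8_t olen = opts[i + 1];
        if (kind == TCPOPT_SACK) {
            size_t j;
            for (j = 2; j + TCPOLEN_SACK <= olen; j += TCPOLEN_SACK) {
                uint8_t *blk = opts + i + j;
                put_be32(blk,     get_be32(blk)     - seqdiff);
                put_be32(blk + 4, get_be32(blk + 4) - seqdiff);
                blocks++;
            }
        }
        i += olen;
    }
    return blocks;
}

/* Constructed sample: NOP, NOP, SACK kind=5 len=18 with two blocks,
 * [0x10000100,0x10000200) and [0x10000300,0x10000400). */
static const uint8_t SAMPLE_OPTS[20] = {
    TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 18,
    0x10, 0x00, 0x01, 0x00,  0x10, 0x00, 0x02, 0x00,
    0x10, 0x00, 0x03, 0x00,  0x10, 0x00, 0x04, 0x00,
};
#define SAMPLE_SEQDIFF 0x10000000u   /* constructed modulation offset */

/* Blocks rewritten in the sample (expect 2). */
int demo_block_count(void)
{
    uint8_t buf[sizeof SAMPLE_OPTS];
    memcpy(buf, SAMPLE_OPTS, sizeof buf);
    return modulate_sack(buf, sizeof buf, SAMPLE_SEQDIFF);
}

/* Edge idx (0..3: left1, right1, left2, right2) after modulation. */
uint32_t demo_edge(size_t idx)
{
    uint8_t buf[sizeof SAMPLE_OPTS];
    memcpy(buf, SAMPLE_OPTS, sizeof buf);
    modulate_sack(buf, sizeof buf, SAMPLE_SEQDIFF);
    return get_be32(buf + 4 + 4 * idx);
}

/* Edge below the offset wraps around the 32-bit sequence space. */
uint32_t demo_wrap(void)
{
    uint8_t buf[10] = { TCPOPT_SACK, 10, 0, 0, 0, 0x10, 0, 0, 0, 0x20 };
    modulate_sack(buf, sizeof buf, 0x20u);
    return get_be32(buf + 2);
}

/* A SACK option claiming length 0 is rejected and the bytes left alone. */
int demo_rejects_malformed(void)
{
    uint8_t buf[4] = { TCPOPT_NOP, TCPOPT_SACK, 0, 0 };
    uint8_t copy[4];
    memcpy(copy, buf, sizeof buf);
    return modulate_sack(buf, sizeof buf, SAMPLE_SEQDIFF) == -1 &&
           memcmp(buf, copy, sizeof buf) == 0;
}
```

The two-pass layout matters in a firewall: a truncated or lying option length must cause the segment to be passed through (or dropped) untouched rather than partially rewritten, and the unsigned subtraction is what keeps edges correct across the 32-bit wrap that modulated ISNs make common.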