What real-life situation is this fix for? If this is for connections coming from behind a 3rd party SNAT, where SNAT reuses source ports faster than pf expires states, then maybe tuning pf timeouts would be enough. Or we could allow pf states to transition from TCPS_FIN_WAIT_2 back to TCPS_SYN_SENT, basically implementing SO_REUSEPORT for pf.
Mar 24 2024
Feb 13 2024
In D43866#1000864, @kp wrote: I failed to apply this patch, and I think it's because you already fixed this problem in https://cgit.freebsd.org/src/commit/?id=4d19eceaefb7106d761bc9504bb0da737ae0d674
Or am I missing something else?
This is a duplicate.
pfsync: Fix offset calculation
Feb 5 2024
A slightly less invasive patch.
Feb 4 2024
Oct 26 2023
In D42363#966766, @kp wrote: The bug is in D42355, where we remove part of this test case, including the pfctl -e.
This fixes it, but I'm going to squash this together with the other review to keep the history simpler.
In D42355#966767, @kp wrote: Is this Sponsored by: InnoGames GmbH?
Oct 25 2023
In D42355#966621, @kp wrote: I've not yet investigated why, but I'm seeing a lot of failures with both of these patches:
fragmentation_compat:reassemble -> failed: atf-check failed; see the output of the test for details [1.535s] …
Fix test cleanups.
Oct 24 2023
Oct 18 2023
Oct 17 2023
Update man page's date.
Oct 16 2023
Remove pf.conf.5 changes added by mistake.
In D42214#963332, @kp wrote: In D42214#963330, @emaste wrote: https://ipv6.social/@tuxpowered/111239166771971768
pfsync format changed
@kp might be able to suggest a description
Possibly something like
The pfsync packet format has been extended to improve support for route-to rules. This format is incompatible with older releases. The old format can be selected using ifconfig pfsync0 version 1301. This is especially important if members of a pfsync cluster are not upgraded simultaneously.
Oct 12 2023
Sep 28 2023
Sep 13 2023
In D41517#953290, @kp wrote: Yeah, I think you're taking the right direction here, but sadly I don't think we can get rid of the old behaviour right now.
One of the big users of route-to is pfSense's multi-wan support, where we basically have two default routes and pf is used to direct traffic down one or the other link.
Sep 9 2023
Aug 23 2023
In D41517#946200, @kp wrote: I'm generally in agreement that pf_route() approach isn't the best, but I'm also very, very afraid of making major changes there, because a lot of rulesets out there rely on it, and any change we make is going to break things and come with a pile of bug reports. My enthusiasm for wading through dozens of bug reports trying to understand if it's a configuration error, misguided setup or real bug is not particularly high.
Aug 20 2023
In D41502#945945, @kp wrote: Also, is this Sponsored by: InnoGames GmbH?
Aug 18 2023
Add the missing "Respond to SYN with a syncookie" part.
In D41502#945583, @kp wrote: I didn't realise we didn't support synproxy on IPv6, and I'm a little confused, given that we have the pf/synproxy:local_v6 test case which appears to pass.
I'll take a deeper look sometime next week. If you get a moment can you create a test case like synproxy:synproxy for IPv6?
Aug 17 2023
Updated to cover the IPv6 forwarding too
Aug 16 2023
Jul 12 2023
Jun 17 2023
This change has been in fact merged.
May 28 2023
May 24 2023
Added tcpdump and netstat changes to this patch because of change of struct pfsync_state to struct pfsync_state_1301.
Split userspace export into a separate commit for DIOCGETSTATESV2.
May 15 2023
Don't remove tcpdump compatibility.
May 9 2023
In D40013#911225, @melifaro wrote: The new kernel code uses uint32_t as the table id, I’m curious why do you want to have rtableid signed.
May 8 2023
Fixed broken rebase on main.
Rebased again, the previous diff has been wrongly generated.
Remove support for printing the old state deletion messages from tcpdump.
May 7 2023
This revision has been merged.
May 5 2023
@kp, I see that you've merged it on 2023-04-13. But this review is still open. What's the procedure here, will you close it or should I abandon it?
May 2 2023
May 1 2023
The returnlocked flag is now a boolean.
Updated pointer handling. Changed the flag to boolean.
Apr 30 2023
Removed unnecessary state lock assertion.
Apr 29 2023
Apr 15 2023
Apr 9 2023
Added function pfsync_sstate_to_qid to translate pf_kstate->sync_state to queue name. This removes multiple such translations scattered around the code and fixes pfsync_q_del.
Apr 4 2023
Apr 3 2023
Apr 2 2023
Remove debug printfs
Apr 1 2023
Created PFSTATE_DN_IS_PIPE and PFSTATE_DN_IS_QUEUE mapped from corresponding PFRULE_DN_IS_.*. Grouped all of PFRULE_.* and PFSTATE_.* flags together, aligned them and documented to which variables they get assigned.
Mar 20 2023
Fix "fragment" in printing rules. Use proper integer types. Restore actions for pfsynced states. Expand pfsync_state->state_flags to 16b.
Update tests to use new test function names.
Mar 12 2023
Make normalization functions behave in a more straightforward manner. If there are no scrub rules then the normalization of IP and TCP is enforced just like in OpenBSD. Otherwise, if scrub rules are present, obey them.