What real-life situation is this fix for? If this is for connections coming from behind a 3rd party SNAT, where SNAT reuses source ports faster than pf expires states, then maybe tuning pf timeouts would be enough. Or we could allow pf states to transition from TCPS_FIN_WAIT_2 back to TCPS_SYN_SENT, basically implementing SO_REUSEPORT for pf.

In D43866#1000864, @kp wrote:

I failed to apply this patch, and I think it's because you already fixed this problem in https://cgit.freebsd.org/src/commit/?id=4d19eceaefb7106d761bc9504bb0da737ae0d674

Or am I missing something else?

This is a duplicate.

pfsync: Fix offset calculation

A slightly less invasive patch.

In D42363#966766, @kp wrote:

The bug is in D42355, where we remove part of this test case, including the pfctl -e.
This fixes it, but I'm going to squash this together with the other review to keep the history simpler.

In D42355#966767, @kp wrote:

Is this Sponsored by: InnoGames GmbH?

In D42355#966621, @kp wrote:

I've not yet investigated why, but I'm seeing a lot of failures with both of these patches:

fragmentation_compat:reassemble  ->  failed: atf-check failed; see the output of the test for details  [1.535s]
…

Fix test cleanups.

Update man page's date.

Remove pf.conf.5 changes added by mistake.

In D42214#963332, @kp wrote:

In D42214#963330, @emaste wrote:

https://ipv6.social/@tuxpowered/111239166771971768
pfsync format changed
@kp might be able to suggest a description

Possibly something like

The pfsync packet format has been extended to improve support for route-to rules. This format is incompatible with older releases. The old format can be selected using ifconfig pfsync0 version 1301. This is especially important if members of a pfsync cluster are not upgraded simultaneously.

In D41517#953290, @kp wrote:

Yeah, I think you're taking the right direction here, but sadly I don't think we can get rid of the old behaviour right now.
One of the big users of route-to is pfSense's multi-wan support, where we basically have two default routes and pf is used to direct traffic down one or the other link.

In D41517#946200, @kp wrote:

I'm generally in agreement that pf_route() approach isn't the best, but I'm also very, very afraid of making major changes there, because a lot of rulesets out there rely on it, and any change we make is going to break things and come with a pile of bug reports. My enthusiasm for wading through dozens of bug reports trying to understand if it's a configuration error, misguided setup or real bug is not particularly high.

In D41502#945945, @kp wrote:

Also, is this Sponsored by: InnoGames GmbH?

Add the missing "Respond to SYN with a syncookie" part.

In D41502#945583, @kp wrote:

I didn't realise we didn't support synproxy on IPv6, and I'm a little confused, given that we have the pf/synproxy:local_v6 test case which appears to pass.

I'll take a deeper look sometime next week. If you get a moment can you create a test case like synproxy:synproxy for IPv6?

Updated to cover the IPv6 forwarding too

This change has been in fact merged.

Added tcpdump and netstat changes to this patch because of change of struct pfsync_state to struct pfsync_state_1301.

Split userspace export into a separate commit for DIOCGETSTATESV2.

Don't remove tcpdump compatibility.

In D40013#911225, @melifaro wrote:

The new kernel code uses uint32_t as the table id, I’m curious why do you want to have rtableid signef.

Fixed broken rebase on main.

Rebased again, the previous diff has been wrongly generated.

Rebased on D40004 and D40013 as separate commits.

Remove support for printing the old state deletion messages from tcpdump.

This revision has been merged.

@kp , I see that you've merged it on 2023-04-13. But this review is still opened. What's the procedure here, will you close it or should I abandon it?

The returnlocked flag is now a booelan.

Updated pointer handing. Changed the flag to boolean.

Removed unnecessary state lock assertion.

Added function pfsync_sstate_to_qid to translates pf_kstate->sync_state to queue name. This removes multiple such translations scattered around the code and fixes pfsync_q_del.

Remove debug printfs

Created PFSTATE_DN_IS_PIPE and PFSTATE_DN_IS_QUEUE mapped from corresponding PFRULE_DN_IS_.*. Grouped all of PFRULE_.* and PFSTATE_.* flags together, aligned them and documented to which variables they get assigned.

Fix "fragment" in printing rules. Use proper integer types. Restore actions for pfsynced states. Expand pfsync_state->state_flags to 16b.

Update tests to use new test function names.

Make normalization functions behave in more straightforward manner. If there are no scrub rules then the normalization of IP and TCP is enforced just like in OpenBSD. Otherwise if scrub rules are present, obey them.