From jdc@koitsu.dyndns.org Fri Jul 4 11:55:02 2008
Message-Id: <20080704114459.2A96A17B833@icarus.home.lan>
Date: Fri, 4 Jul 2008 04:44:59 -0700 (PDT)
From: Jeremy Chadwick
Reply-To: Jeremy Chadwick
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Backport OpenBSD 4.3 patch for pf re-using state
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 125261
>Category: kern
>Synopsis: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: mlaier
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 04 12:00:08 UTC 2008
>Closed-Date: Tue Mar 31 12:44:55 UTC 2009
>Last-Modified: Tue Mar 31 12:44:55 UTC 2009
>Originator: Jeremy Chadwick
>Release: FreeBSD 7.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD icarus.home.lan 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat May 3 16:20:41 PDT 2008 root@icarus.home.lan:/usr/obj/usr/src/sys/PDSMI_PLUS_amd64 amd64

>Description:
OpenBSD 4.3's pf contains a sufficient workaround for a problem where a
state mismatch can occur as a result of a TCP port being re-used (SYN)
before the state table entry is removed. The change is described here:

http://www.openbsd.org/plus43.html

* In pf(4), allow state reuse if both sides are in FIN_WAIT_2 and a new
  SYN arrives.

>How-To-Repeat:
n/a

>Fix:
CVS diff is here:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r2=1.559&r1=1.558&f=H

This would have to be applied to src/sys/contrib/net/pf.c, inserted at
line ~4762, for RELENG_7. I believe this can also be backported to
RELENG_6.

>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 4 13:10:36 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

Responsible-Changed-From-To: freebsd-pf->mlaier
Responsible-Changed-By: mlaier
Responsible-Changed-When: Fri Jul 4 15:17:48 UTC 2008
Responsible-Changed-Why:
I'll take a look at this. While here I'll also try to get the missing
diffs for SACK vs. modulate state imported.

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

From: Kenneth Vestergaard Schmidt
To: bug-followup@FreeBSD.org, koitsu@FreeBSD.org
Cc:
Subject: Re: kern/125261: [pf] [patch] Backport OpenBSD 4.3 patch for pf re-using state
Date: Fri, 4 Jul 2008 22:16:19 +0200

 Hi,

 Confirmed working here - we've been bitten pretty hard by this on
 different occasions. Replicating it was as easy as doing 10k fetches of
 an empty file via HTTP, and either the source or the target would barf.
 Not with this patch.

 --
 Kenneth Schmidt
 pil.dk

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/125261: commit references a PR
Date: Mon, 4 Aug 2008 14:42:29 +0000 (UTC)

 mlaier      2008-08-04 14:42:09 UTC

   FreeBSD src repository

   Modified files:
     sys/contrib/pf/net   pf.c
   Log:
   SVN rev 181295 on 2008-08-04 14:42:09Z by mlaier

   Merge state reuse for tcp.

   PR:             kern/125261
   Obtained from:  OpenBSD
   MFC after:      1 week

   Revision  Changes    Path
   1.55      +17 -0     src/sys/contrib/pf/net/pf.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/125261: commit references a PR
Date: Mon, 11 Aug 2008 18:00:15 +0000 (UTC)

 mlaier      2008-08-11 17:59:47 UTC

   FreeBSD src repository

   Modified files:        (Branch: RELENG_7)
     sys/contrib/pf/net   pf.c
   Log:
   SVN rev 181596 on 2008-08-11 17:59:47Z by mlaier

   MFC r181295: tcp state reuse

   PR:             kern/125261

   Revision  Changes    Path
   1.46.2.3  +17 -0     src/sys/contrib/pf/net/pf.c

State-Changed-From-To: open->patched
State-Changed-By: emaste
State-Changed-When: Thu Mar 19 19:57:38 UTC 2009
State-Changed-Why:
Patch has been applied and MFC'd to 7. Max, I suspect you're not
planning to MFC this to 6, in which case I think this can be closed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261

State-Changed-From-To: patched->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 12:44:18 UTC 2009
State-Changed-Why:
Close this one. As Ed noted, a merge to RELENG_6 is not planned.

http://www.freebsd.org/cgi/query-pr.cgi?pr=125261
>Unformatted:
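
An added illustration of the behaviour this PR's Description refers to, not code from pf.c, OpenBSD or FreeBSD: a simplified C model of a packet that matches a leftover state entry, showing why a new SYN on a re-used port is rejected as a mismatch and how removing the entry when both sides are in FIN_WAIT_2 lets the connection proceed. All names, the sequence-window check and the sample values are assumptions of the model.

```c
/* Simplified model of the state-reuse rule; not pf.c code, names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
enum peer_state { ST_ESTABLISHED, ST_FIN_WAIT_2 };
enum verdict { V_PASS, V_DROP_MISMATCH, V_STALE_REMOVED };
#define F_SYN 0x02
#define F_ACK 0x10
struct state {                   /* entry already matched on the address/port tuple */
    int in_use;
    enum peer_state src, dst;    /* tracked state of each side */
    uint32_t seqlo, seqhi;       /* sequence window still accepted from src */
};

static int in_window(const struct state *s, uint32_t seq)
{
    return (uint32_t)(seq - s->seqlo) <= (uint32_t)(s->seqhi - s->seqlo);
}

/* Verdict for a packet that matches an existing entry. */
enum verdict match_state(struct state *s, uint8_t flags, uint32_t seq, int allow_reuse)
{
    int new_syn = (flags & (F_SYN | F_ACK)) == F_SYN;
    if (allow_reuse && new_syn &&
        s->src == ST_FIN_WAIT_2 && s->dst == ST_FIN_WAIT_2) {
        s->in_use = 0;           /* old entry gone: the tuple can get a fresh state */
        return V_STALE_REMOVED;
    }
    return in_window(s, seq) ? V_PASS : V_DROP_MISMATCH;
}

/* Constructed scenario: client reuses a port with a new ISN while the closed
 * connection's entry is still in the table. Returns 1 if a retried SYN gets
 * past the stale entry within three attempts, 0 if all are mismatches. */
int port_reuse_succeeds(int allow_reuse)
{
    struct state s = { 1, ST_FIN_WAIT_2, ST_FIN_WAIT_2, 1000, 66535 };
    uint32_t new_isn = 3000000000u;
    for (int attempt = 0; attempt < 3 && s.in_use; attempt++)
        match_state(&s, F_SYN, new_isn, allow_reuse);
    return !s.in_use;
}

int main(void)
{
    printf("without reuse rule: %d\n", port_reuse_succeeds(0));
    printf("with reuse rule:    %d\n", port_reuse_succeeds(1));
    return 0;
}
```

In the model an entry whose sides are still established is never removed by a bare SYN, so the rule only affects connections that have already finished closing.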