HEADS UP - full build recommended for master, PF comments

Alex Hornung alex at alexhornung.com
Mon Sep 1 23:32:40 PDT 2014


On 2014-09-01 22:10, Matthew Dillon wrote:
>     If you have a PF configuration using RDR and also have PASS rules
>     as described above, the PASS rules will only see one side of the
>     tcp connection (because the RDR eats the other side).  Thus, any
>     such PASS rules must be sure to either not specify a 'keep state'
>     clause and thus use the default keep state (which is 'pickups' and
>     'sloppy'), or if they do specify a 'keep state' clause they must be
>     sure to specify the 'pickups' and 'sloppy' options to prevent those
>     states from doing full-duplex tcp sequence space checks and RSTing
>     the connection.

This is a regression from 3.8 - it works just fine in 3.8. This is a bug 
introduced by the recent pf SMP work.

Cheers,
Alex


