HEADS UP - full build recommended for master, PF comments
Alex Hornung
alex at alexhornung.com
Mon Sep 1 23:32:40 PDT 2014
On 2014-09-01 22:10, Matthew Dillon wrote:
> If you have a PF configuration using RDR and also have PASS rules
> as described above, the PASS rules will only see one side of the
> tcp connection (because the RDR eats the other side). Thus, any
> such PASS rules must be sure to either not specify a 'keep state'
> clause and thus use the default keep state (which is 'pickups' and
> 'sloppy'), or if they do specify a 'keep state' clause they must be
> sure to specify the 'pickups' and 'sloppy' option to prevent those
> states from doing full-duplex tcp sequence space checks and RSTing
> the connection.
This is a regression from 3.8 - it works just fine in 3.8. This is a bug
introduced by the recent pf SMP work.
Cheers,
Alex
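
An added example, not part of the original thread: a small audit of a pf.conf that applies the rule stated in the quoted message, flagging PASS rules whose explicit 'keep state' clause lacks 'pickups' or 'sloppy' when RDR rules are present. The sample ruleset is constructed, the parenthesised `keep state (...)` option syntax and the choice to check every pass rule (the thread's "as described above" is not on this page) are assumptions, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample ruleset (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_PF_CONF = """\
ext_if = "em0"
rdr on $ext_if proto tcp from any to any port 80 -> 192.0.2.10 port 8080
pass in on $ext_if proto tcp to port 22
pass in on $ext_if proto tcp to 192.0.2.10 port 8080 keep state
pass in on $ext_if proto tcp to port 443 keep state (sloppy)
pass out on $ext_if proto tcp keep state (pickups, sloppy)
"""

REQUIRED = {"pickups", "sloppy"}
# Assumed syntax: 'keep state' optionally followed by '(opt, opt value, ...)'.
KEEP_STATE = re.compile(r"\bkeep\s+state\b(?:\s*\(([^)]*)\))?")


def audit(conf_text):
    """Return [(line_no, missing_options)] for pass rules whose explicit
    'keep state' clause lacks 'pickups' or 'sloppy'. Reports nothing when
    the ruleset has no rdr rule, since the message concerns RDR setups."""
    rules = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            rules.append((no, line))
    if not any(line.split()[0] == "rdr" for _, line in rules):
        return []
    findings = []
    for no, line in rules:
        if line.split()[0] != "pass":
            continue
        m = KEEP_STATE.search(line)
        if m is None:
            continue  # no clause: the default keep state applies
        # A bare 'keep state' counts as an explicit clause with no options.
        opts = {o.split()[0] for o in (m.group(1) or "").split(",") if o.strip()}
        missing = REQUIRED - opts
        if missing:
            findings.append((no, sorted(missing)))
    return findings


if __name__ == "__main__":
    for line_no, missing in audit(SAMPLE_PF_CONF):
        print(f"line {line_no}: keep state is missing {', '.join(missing)}")
```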