Merge 1.127 from OpenBSD, that closes a regression from 1.125 (merged

as r242694): do better detection of when we have a better version of the tcp sequence windows than our peer. this resolves the last of the pfsync traffic storm issues ive been able to produce, and therefore makes it possible to do usable active-active statuful firewalls with pf.
svn path=/head/; revision=244113
2024-12-23 11:18:54 +00:00 · 2012-12-11 08:37:08 +00:00 · 2012-12-11 08:37:08 +00:00 · fed7635002 · 2020-12-20 02:59:44 +00:00
commit fed7635002
parent 15d32bd543
1 changed files with 6 additions and 3 deletions
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@ -47,7 +47,7 @@
 * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates
 * 1.120, 1.175 - use monotonic time_uptime
 * 1.122 - reduce number of updates for non-TCP sessions
- * 1.125 - rewrite merge or stale processing
+ * 1.125, 1.127 - rewrite merge or stale processing
 * 1.128 - cleanups
 * 1.146 - bzero() mbuf before sparsely filling it with data
 * 1.170 - SIOCSIFMTU checks
@ -787,12 +787,15 @@ pfsync_upd_tcp(struct pf_state *st, struct pfsync_state_peer *src,
 	if ((st->src.state > src->state &&
 	    (st->src.state < PF_TCPS_PROXY_SRC ||
 	    src->state >= PF_TCPS_PROXY_SRC)) ||
-	    SEQ_GT(st->src.seqlo, ntohl(src->seqlo)))
+
+	    (st->src.state == src->state &&
+	    SEQ_GT(st->src.seqlo, ntohl(src->seqlo))))
 		sync++;
 	else
 		pf_state_peer_ntoh(src, &st->src);

-	if (st->dst.state > dst->state ||
+	if ((st->dst.state > dst->state) ||
+
 	    (st->dst.state >= TCPS_SYN_SENT &&
 	    SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))))
 		sync++;