author | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-17 04:24:03 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-17 04:24:03 +0000 |
commit | e668e3fd4236b45350755c692599868e4d1a48d6 (patch) | |
tree | 0d64da39779f82fb89e131847eb006eeeb12d46c /sys | |
parent | 3308619ca9dfc72c278750a58eea03702e0c2441 (diff) |
do better detection of when we have a better version of the tcp sequence
windows than our peer.
this resolves the last of the pfsync traffic storm issues ive been able to
produce, and therefore makes it possible to do usable active-active
stateful firewalls with pf.
lots of testing locally on the production firewalls, also tested by sthen@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_pfsync.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 15183d08a7e..8b946dea498 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.126 2009/06/14 00:16:50 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.127 2009/06/17 04:24:02 dlg Exp $ */

 /*
 * Copyright (c) 2002 Michael Shalayeff
@@ -856,12 +856,15 @@ pfsync_upd_tcp(struct pf_state *st, struct pfsync_state_peer *src,
 if ((st->src.state > src->state &&
 (st->src.state < PF_TCPS_PROXY_SRC ||
 src->state >= PF_TCPS_PROXY_SRC)) ||
- SEQ_GT(st->src.seqlo, ntohl(src->seqlo)))
+
+ (st->src.state == src->state &&
+ SEQ_GT(st->src.seqlo, ntohl(src->seqlo))))
 sync++;
 else
 pf_state_peer_ntoh(src, &st->src);

- if (st->dst.state > dst->state ||
+ if ((st->dst.state > dst->state) ||
+ (st->dst.state >= TCPS_SYN_SENT &&
 SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))))
 sync++;
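Review bot: The two tests in the second hunk gate the sequence-number comparison on different conditions — the src side only consults SEQ_GT when `st->src.state == src->state`, the dst side whenever `st->dst.state >= TCPS_SYN_SENT` — and nothing in the code says why the rule differs, even though this decision is what the commit message credits with stopping the update storm and the `ntohl()` calls show src/dst are the peer's copies rather than local state. A short comment above the first if, along the lines of `/* Keep our own sequence window only when our view of the state is at least as far along as the peer's; otherwise adopt the peer's. */` (adjusted to whatever the intended rule for the dst side is), would keep a later change from "simplifying" the two forms into one. The empty line inside the first condition, between the `||` and `(st->src.state == src->state &&`, looks accidental and splits a single expression across a blank; dropping it keeps the condition readable as one unit. pfsync_upd_tcp continues outside the hunk, including whatever else branch follows the dst test.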