Is there a patch for the keep state/OOW-issues in version 4.1.13 on
FreeBSD6.2 and if so, what are the instructions to apply the patch?
I can give an example of the phenomenon. When a user is trying to upload
a photobook to fujidirect (145.7.16.174) and the rule below is being
used: (if being interface and LAN being the private ip range and mask)
"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state"
The upload stops after a short burst and the following is seen in the
log: (userip being the ip of the machine on the LAN)
"@0:1 b <userip>,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1287 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1309 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW"
After removing the "keep state" the upload stops immediately and the
following appears in the log:
"@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT"
Leading to the forced open of traffic IN from 145.7.16.174, i.e. a
stateless transfer that works but is not preferable.
This is just one example of many.
Seeing this from a layman's point of view, an option for the ruleset aka
keep state would be preferable. In other words, 'keep OOW' as an option
like so:
"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state keep OOW"
Grateful for any response,
Greetings
/Roger
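As an added example, not part of the original thread: a small Python parser for ipmon-style log lines of the shape quoted above, which tallies block reasons (OOW versus NAT) per flow so an administrator can see whether a stalled transfer matches this pattern before reaching for a tcpdump. The sample lines are constructed (an RFC 5737 documentation address stands in for the LAN host), and tolerating a timestamp/interface prefix before the "@" is an assumption about the real log format.

```python
import re
from collections import Counter, defaultdict

# Field layout follows the lines quoted in the post:
#   @group:rule action src,sport -> dst,dport PR proto len hlen plen flags DIR [extra...]
# re.search (rather than match) lets a timestamp/interface prefix precede "@" (assumption).
LOG_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\S+?),(?P<sport>\d+)\s+->\s+(?P<dst>\S+?),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+"
    r"(?P<flags>-\S+)\s+(?P<dir>IN|OUT)(?P<extra>(?:\s+\S+)*)"
)

# Constructed sample: two OOW drops on the outbound upload, one NAT drop on the
# reply path, and one ordinary pass that the summary must ignore.
SAMPLE = """\
@0:1 b 192.0.2.10,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.0.2.10,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 145.7.16.174,80 -> 192.0.2.10,1353 PR tcp len 20 48 -AS IN NAT
@0:2 p 192.0.2.10,1400 -> 198.51.100.5,443 PR tcp len 20 60 -S OUT
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["extra"] = rec["extra"].split()  # e.g. ["OOW"], ["NAT"] or []
    return rec


def summarize(lines):
    """Count blocked packets per (src, dst, dport, direction), keyed by reason.

    OOW: the state engine judged the segment outside the expected TCP window.
    NAT: a NAT-translated packet hit the block rule (the stateless fallback case).
    """
    flows = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "b":
            continue
        key = (rec["src"], rec["dst"], rec["dport"], rec["dir"])
        reason = next((x for x in rec["extra"] if x in ("OOW", "NAT")), "other")
        flows[key][reason] += 1
    return flows


def oow_suspects(flows, threshold=2):
    """Flows with repeated OOW drops: candidates for the window-scaling state bug."""
    return [key for key, counts in flows.items() if counts["OOW"] >= threshold]
```

Run `oow_suspects(summarize(SAMPLE))` to list the outbound upload flow; feed it real ipmon output line by line to check a live firewall.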
On 2007-Mar-04 00:36:13 +0100, Roger Olofsson <rag...@passagen.se> wrote:
>Is there a patch for the keep state/OOW-issues in version 4.1.13 on
>FreeBSD6.2 and if so, what are the instructions to apply the patch?
You can just copy /sys/config/ipfilter/netinet/ip_state.c from -current.
As far as I can determine, the only changes are the OOW fixes.
Note that these fixes only affect the handling of TCP connections with
window scaling enabled. You might like to check a tcpdump to confirm
that this is the problem you are having.
-- 
Peter Jeremy
Will this patch be applied to the STABLE branch and available via cvsup
or is the only way to implement this to manually do as you describe?
Peter Jeremy wrote:
> On 2007-Mar-04 00:36:13 +0100, Roger Olofsson <rag...@passagen.se> wrote:
>> Is there a patch for the keep state/OOW-issues in version 4.1.13 on