FreeBSD6.2 ipfilter 4.1.13 OOW-patch?


Roger Olofsson
Mar 3, 2007, 6:48:18 PM

Dear mailing list,

Is there a patch for the keep state/OOW-issues in version 4.1.13 on
FreeBSD6.2 and if so, what are the instructions to apply the patch?

I can give an example of the phenomenon. When a user is trying to upload
a photobook to fujidirect (145.7.16.174) and the rule below is being
used: (if being interface and LAN being the private ip range and mask)

"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state"

The upload stops after a short burst and the following is seen in the
log: (userip being the ip of the machine on the LAN)

"@0:1 b <userip>,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1287 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1309 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW"

After removing the "keep state" the upload stops immediately and the
following appears in the log:

"@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT"

Leading to the forced open of traffic IN from 145.7.16.174, i.e. a
stateless transfer that works but is not preferable.

This is just one example of many.

Seeing this from a layman's point of view, an option for the ruleset aka
keep state would be preferable. In other words, 'keep OOW' as an option
like so:

"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state keep OOW"
Grateful for any response,

Greetings
/Roger
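The ipmon log lines quoted above carry enough structure to tell the two failure modes apart mechanically: outbound packets dropped by the state engine are tagged `OOW`, while the inbound drops seen after `keep state` was removed are tagged `NAT`. The following parser is an added example, not code from this thread or from the ipfilter project; it tokenises lines in the `@group:rule action src,sport -> dst,dport PR proto len hlen plen -flags DIR tags` shape shown in the post and counts OOW drops per destination service, which is the check one would run before and after applying any fix. The sample lines are constructed from the post's output with `<userip>` replaced by an assumed LAN address (192.168.1.10); the trailing `p` line is a constructed passed-packet line added so the parser is exercised on a line with no annotation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ipmon(8) output, modelled on the two bursts quoted in the
# post. <userip> is replaced by an assumed LAN address; the final 'p' line is
# a constructed pass entry so the parser sees a line without OOW/NAT tags.
SAMPLE_LOG = """\
@0:1 b 192.168.1.10,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.168.1.10,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.168.1.10,1287 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.168.1.10,1309 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 145.7.16.174,80 -> 192.168.1.10,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> 192.168.1.10,1353 PR tcp len 20 48 -AS IN NAT
@0:2 p 192.168.1.10,1400 -> 145.7.16.174,80 PR tcp len 20 60 -S OUT
"""

# One ipmon line: rule reference, action, endpoints, protocol, header and
# packet length, optional TCP flag letters, direction, then any trailing
# annotations such as OOW or NAT.
LINE_RE = re.compile(
    r"^@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpn])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)(?P<extra>(?:\s+\S+)*)\s*$"
)


@dataclass
class IpmonEntry:
    group: int
    rule: int
    action: str            # 'b' block, 'p' pass, 'n' logged without match
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hdr_len: int
    pkt_len: int
    flags: str             # TCP flag letters as printed, e.g. "A" or "AS"
    direction: str         # "IN" or "OUT"
    tags: Tuple[str, ...]  # trailing annotations, e.g. ("OOW",) or ("NAT",)


def parse_ipmon_line(line: str) -> Optional[IpmonEntry]:
    """Parse one ipmon line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IpmonEntry(
        group=int(m["group"]), rule=int(m["rule"]), action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], hdr_len=int(m["hlen"]), pkt_len=int(m["plen"]),
        flags=m["flags"] or "", direction=m["dir"],
        tags=tuple(m["extra"].split()),
    )


def parse_log(text: str) -> List[IpmonEntry]:
    """Parse a whole log, silently skipping lines that are not ipmon entries."""
    return [e for e in (parse_ipmon_line(l) for l in text.splitlines()) if e]


def blocked_by_tag(entries: List[IpmonEntry], tag: str) -> List[IpmonEntry]:
    """Blocked entries carrying a given annotation, e.g. 'OOW' or 'NAT'."""
    return [e for e in entries if e.action == "b" and tag in e.tags]


def oow_summary(entries: List[IpmonEntry]) -> Counter:
    """OOW drops per (destination, port): a server that dominates this
    count is one whose transfers keep dying under keep state."""
    return Counter((e.dst, e.dport) for e in blocked_by_tag(entries, "OOW"))


def affected_sessions(entries: List[IpmonEntry]) -> List[Tuple[str, int]]:
    """Distinct (src, sport) pairs that hit OOW; each is one aborted attempt."""
    seen: List[Tuple[str, int]] = []
    for e in blocked_by_tag(entries, "OOW"):
        key = (e.src, e.sport)
        if key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for (dst, port), n in oow_summary(parsed).items():
        print(f"{n} OOW drops towards {dst}:{port}")
    print(f"{len(affected_sessions(parsed))} client sessions affected")
    print(f"{len(blocked_by_tag(parsed, 'NAT'))} stateless inbound drops")
```

Run against a real ipmon log (`ipmon -o S` output piped through `parse_log`) the same counters show whether OOW drops cluster on a few destinations, which is what a window-scaling state-tracking problem looks like, or spread across everything, which points elsewhere.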

Peter Jeremy

Mar 3, 2007, 8:24:45 PM

On 2007-Mar-04 00:36:13 +0100, Roger Olofsson <rag...@passagen.se> wrote:
>Is there a patch for the keep state/OOW-issues in version 4.1.13 on
>FreeBSD6.2 and if so, what are the instructions to apply the patch?

You can just copy /sys/config/ipfilter/netinet/ip_state.c from -current.
As far as I can determine, the only changes are the OOW fixes.

Note that these fixes only affect the handling of TCP connections with
window scaling enabled. You might like to check a tcpdump to confirm
that this is the problem you are having.

-- 
Peter Jeremy


Roger Olofsson
Mar 5, 2007, 6:15:23 AM

Hello Peter and thanks for your swift reply,

Will this patch be applied to the STABLE branch and available via cvsup
or is the only way to implement this to manually do as you describe?

Peter Jeremy wrote:

> On 2007-Mar-04 00:36:13 +0100, Roger Olofsson <rag...@passagen.se> wrote:
>> Is there a patch for the keep state/OOW-issues in version 4.1.13 on
