Created attachment 152799
the fix

pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set.

reference: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?rev=1.901&content-type=text/x-cvsweb-markup

Any updates on this?

A commit references this bug:

Author: kp
Date: Sat Oct 20 18:37:22 UTC 2018
New revision: 339470
URL: https://svnweb.freebsd.org/changeset/base/339470

Log:
  pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set.

  PR: 197484
  Obtained from: OpenBSD
  MFC after: 2 weeks

Changes:
  head/sys/netpfil/pf/pf.c

A commit references this bug:

Author: kp
Date: Sun Nov 18 10:47:37 UTC 2018
New revision: 340558
URL: https://svnweb.freebsd.org/changeset/base/340558

Log:
  MFC r339470:

  pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set.

  PR: 197484
  Obtained from: OpenBSD

Changes:
_U stable/12/
  stable/12/sys/netpfil/pf/pf.c

A commit references this bug:

Author: kp
Date: Sun Nov 18 10:47:51 UTC 2018
New revision: 340559
URL: https://svnweb.freebsd.org/changeset/base/340559

Log:
  MFC r339470:

  pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set.

  PR: 197484
  Obtained from: OpenBSD

Changes:
_U stable/11/
  stable/11/sys/netpfil/pf/pf.c
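
A simplified model of the check this report is about, added here as an illustration; it is not the code from pf.c or from the attachment. The struct and function names are hypothetical, and the sequence/acknowledgement comparison is an assumption of the model rather than something stated in the report.

```c
#include <stdbool.h>
#include <stdint.h>

/* TCP header flag bits (RFC 793 values). */
#define F_FIN 0x01
#define F_RST 0x04
#define F_ACK 0x10

/* Hypothetical proxy state: the numbers exchanged in SYN and SYN|ACK. */
struct proxy_state {
    uint32_t client_isn; /* sequence number of the client's SYN */
    uint32_t proxy_isn;  /* sequence number of the proxy's SYN|ACK */
};

/* Constructed stand-in for the client's third handshake segment. */
struct segment {
    uint8_t  flags;
    uint32_t seq;
    uint32_t ack;
};

/* Assumed by this model: the segment must acknowledge the proxy's SYN|ACK. */
static bool numbers_match(const struct proxy_state *st, const struct segment *sg)
{
    return sg->seq == st->client_isn + 1 && sg->ack == st->proxy_isn + 1;
}

/*
 * Before: "3WHS completed" is triggered by any segment with ACK set,
 * so ACK|RST or ACK|FIN would also open the backend connection.
 */
bool completes_before(const struct proxy_state *st, const struct segment *sg)
{
    return (sg->flags & F_ACK) != 0 && numbers_match(st, sg);
}

/*
 * After: of the three bits ACK, RST and FIN, exactly ACK must be set.
 * Other flags (e.g. PSH) are deliberately not part of the mask.
 */
bool completes_after(const struct proxy_state *st, const struct segment *sg)
{
    return (sg->flags & (F_ACK | F_RST | F_FIN)) == F_ACK &&
        numbers_match(st, sg);
}
```

Masking with all three bits and comparing against ACK alone rejects ACK|RST and ACK|FIN in one test, while a segment that differs only in unrelated flags still completes the handshake.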