OpenBSD Patches

• pf: fix packet tagging when used with TCP synproxy
• pf: fix killing of inbound state table entries
• pf: fix counting of fully-established TCP connections when using stateful tracking

This is a list of patches and/or fixes that I've written for OpenBSD. These patches apply to OpenBSD 3.7-release.

pf: fix packet tagging when used with TCP synproxy

When using tag and synproxy in the same rule, the packets sent to the destination (after establishing a full connection with the source) do not contain the tag and therefore it cannot be filtered on.

In a ruleset such as this, packets tagged SMTP will not match the 3rd rule and will be blocked. Note however that from the source host's point of view, the connection will be fully established since its communication with the synproxy was successful.

Patch: pf-tag-fix.diff
Requires: kernel rebuild and reboot.
Checked into -current on April 15.

pf: fix killing of inbound state table entries

States created in the "inbound" direction cannot be killed using pfctl(8).

Patch: pf-killstates-fix.diff
Requires: kernel rebuild and reboot.
Checked into -current on May 10.

pf: fix counting of fully-established TCP connections when using stateful tracking

It's possible for the "connections" counter to be decremented without first being incremented which results in an incorrect count of established TCP connections (and and in some cases as in above, results in the counter wrapping under).

Patch: pf-src-conn-fix.diff
Requires: kernel rebuild and reboot; recompile of pfctl(8).
Checked into -current on August 10.