Re: RFC: enabling pf syncookies by default
- In reply to: Kristof Provost : "Re: RFC: enabling pf syncookies by default"
Date: Thu, 29 Sep 2022 16:01:42 UTC
On 28 Sep 2022, at 11:44, Kristof Provost wrote:

> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.

So I’ve found a bit of time to look at this, and I think I understand the problem now, and I’m also pretty sure it affects FreeBSD too. Porting the OpenBSD fix to FreeBSD should be possible without too much difficulty.

That said, I’m going to try to build a test case for this first, to make sure I actually understand the problem correctly. In the meantime, I’ll drop my notes-to-self here, in case anyone else wants to play (or tell me I’m wrong):

> Basic scenario: we have a closed connection (in TCPS_FIN_WAIT_2), and get a new connection (i.e. SYN) re-using the tuple.
> Without syncookies we look at the SYN, and completely unlink the old, closed state on the SYN.
> With syncookies we send a generated SYN|ACK back, and drop the SYN, never looking at the state table.
> So when the ACK turns up, as the last part of connection setup, we’ve not actually removed the old state, so we find it, and don’t do the syncookie dance, or allow the new connection to get set up.

Best regards,
Kristof
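A toy model of the state-table logic in the notes above, added here as an illustration and not code from pf or from the thread: the state table, cookie function, 4-tuple and the `unlink_stale_on_ack` switch are all constructed for the example, and `syn_cookie` only stands in for pf's real cookie generator. It replays the same tuple-reuse scenario three ways (no syncookies, syncookies without the fix, syncookies with the stale state unlinked when the cookie ACK arrives).

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"  # constructed; pf derives its own cookie keys

def syn_cookie(tup, client_isn):
    """Stateless server ISN from the 4-tuple and client ISN (stand-in, not pf's algorithm)."""
    msg = repr((tup, client_isn)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class PfModel:
    """Hypothetical model of pf's state table: 4-tuple -> TCP state name."""
    def __init__(self, syncookies, unlink_stale_on_ack=False):
        self.syncookies = syncookies
        self.unlink_stale_on_ack = unlink_stale_on_ack  # the fix discussed above
        self.states = {}

    def syn(self, tup, client_isn):
        if self.syncookies:
            # Cookie path: reply statelessly and drop the SYN; the state table
            # is never consulted, so a stale FIN_WAIT_2 entry survives.
            return syn_cookie(tup, client_isn)
        if self.states.get(tup) == "FIN_WAIT_2":
            del self.states[tup]            # fast re-use: unlink the closed state on SYN
        self.states[tup] = "SYN_RCVD"
        return None                          # our ISN is irrelevant in this path

    def ack(self, tup, seq, ack):
        st = self.states.get(tup)
        if st == "SYN_RCVD":
            self.states[tup] = "ESTABLISHED"  # ordinary handshake completion
            return "ESTABLISHED"
        if self.syncookies and st == "FIN_WAIT_2" and self.unlink_stale_on_ack:
            del self.states[tup]            # fix: drop the closed state before
            st = None                       # validating the cookie
        if st is not None:
            return "STALE_STATE:" + st      # old state matched; no cookie dance, no new connection
        if self.syncookies and ack == syn_cookie(tup, seq - 1) + 1:
            self.states[tup] = "ESTABLISHED"  # cookie validates: create the state now
            return "ESTABLISHED"
        return "DROP"

def scenario(syncookies, fixed):
    """Closed connection left in FIN_WAIT_2, then a SYN re-using the same tuple."""
    pf = PfModel(syncookies, fixed)
    tup = ("10.0.0.1", 40000, "10.0.0.2", 443)   # constructed 4-tuple
    pf.states[tup] = "FIN_WAIT_2"
    isn = pf.syn(tup, client_isn=1000)
    return pf.ack(tup, seq=1001, ack=(isn or 0) + 1)
```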