On Thu, Mar 30, 2006 at 11:51:36AM +0200, Fredrik Widlund wrote: > Is this a wscale issue desyncing the session? I'm guessing here, but > does PF set the window to 46 receiving the data push from the server, > while C still believes it's 5792<<7 and sends out 59 bytes? What is > wrong here, PF interpretation of wscale, or the external servers wscale > implementation? Or is this something else completely, like window > calculation? What happens when PF gets a packet with a new win size from > the server but the client sends out data before this has reached it? Is > there a race condition between pkts #4 i both dumps below?
pf should correctly honour the wscale option when it creates state on the initial TCP SYN. You can check with pfctl -vss, it should show the right wscale factors in its output. If you haven't seen it, see the recent thread Subject: pf: State failure on: 1 http://marc.theaimsgroup.com/?t=114364036600003 for the most common explanation of why pf would not honour wscale. Please enable debug logging (pfctl -xm), and repeat the procedure, capturing one failing connection from handshake to the point of failure as you already did. Then check /var/log/messages for any lines from pf related to this connection ('BAD state' messages, likely). Then post both. Daniel
