pfsync must let to progress state for destination peer

The issue has been noticed by matthieu@ when he was chasing
cause of excessive pfsync traffic between firewall boxes.
When comparing content of state tables between primary
and backup firewall the backup firewall showed many
states as follows:
	ESTABLISHED:SYN_SENT
	FIN_WAIT_2:SYN_SENT
	*         :SYN_SENT
this is caused by pfsync_upd_tcp() which fails to update
TCP-state for destination connection peer, so it remains
stuck in SYN_SENT.

matthieu@ confirms diff helps with 'stuck-state'. It also
seems to help with excessive pfsync traffic.

ok @dlg

diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 4ad5148..55b23de 100644 (file)
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_pfsync.c,v 1.325 2024/02/13 12:22:09 bluhm Exp $   */
+/*     $OpenBSD: if_pfsync.c,v 1.326 2024/05/24 06:38:41 sashan Exp $  */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -2892,7 +2892,7 @@ pfsync_upd_tcp(struct pf_state *st, const struct pfsync_state_peer *src,
 
        if ((st->dst.state > dst->state) ||
 
-           (st->dst.state >= TCPS_SYN_SENT &&
+           (st->dst.state == dst->state &&
             SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))))
                sync++;
        else