From 6064c65c33524491775c95e480b7a907bfccb6cc Mon Sep 17 00:00:00 2001
From: sashan
Date: Fri, 24 May 2024 06:38:41 +0000
Subject: [PATCH] pfsync must let state progress for destination peer

The issue was noticed by matthieu@ when he was chasing the cause of
excessive pfsync traffic between firewall boxes. When comparing the
content of the state tables between the primary and backup firewall,
the backup firewall showed many states as follows:

    ESTABLISHED:SYN_SENT
    FIN_WAIT_2:SYN_SENT
    * :SYN_SENT

This is caused by pfsync_upd_tcp(), which fails to update the TCP state
for the destination connection peer, so it remains stuck in SYN_SENT.

matthieu@ confirms the diff helps with the 'stuck-state'. It also seems
to help with the excessive pfsync traffic.

ok @dlg
---
 sys/net/if_pfsync.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 4ad51489509..55b23de392b 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_pfsync.c,v 1.325 2024/02/13 12:22:09 bluhm Exp $	*/
+/*	$OpenBSD: if_pfsync.c,v 1.326 2024/05/24 06:38:41 sashan Exp $	*/
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -2892,7 +2892,7 @@ pfsync_upd_tcp(struct pf_state *st, const struct pfsync_state_peer *src,
 	if ((st->dst.state > dst->state) ||
-	    (st->dst.state >= TCPS_SYN_SENT &&
+	    (st->dst.state == dst->state &&
 	     SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))))
 		sync++;
 	else
-- 
2.20.1
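Review bot: The rewritten `+` line in the pfsync_upd_tcp() hunk fixes the logic but leaves the reasoning undocumented; add a short comment above the `if` saying that seqlo is only a meaningful tie-breaker when both copies of the dst peer are in the same TCP state, so a peer update carrying a more advanced state must be accepted regardless of seqlo. With the removed `>=` TCPS_SYN_SENT form, a local dst stuck in SYN_SENT whose seqlo happened to compare greater than the received one would keep taking the `sync++` branch, so the received ESTABLISHED/FIN_WAIT_2 state was never applied and the local copy was re-advertised instead, which matches both the stuck `*:SYN_SENT` entries and the extra pfsync traffic described in the commit message. The src-side comparison is not in the hunk; please confirm it already uses the same `==` state plus SEQ_GT(seqlo) form so the two peers are handled symmetrically, and note that in the comment if so.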