10409 ipf sometimes freezes RFC 1323 transfers
Reviewed by: Jason King <jbk@joyent.com>

@@ -1727,11 +1727,11 @@
                         if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
                                 fr_checknewisn(fin, is);
                 } else if (flags == TH_SYN) {
                         is->is_s0[source] = ntohl(tcp->th_seq) + 1;
                         if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
-                                (void) fr_tcpoptions(fin, tcp, tdata);
+                                (void) fr_tcpoptions(fin, tcp, fdata);
 
                         if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
                                 fr_checknewisn(fin, is);
 
                 }

@@ -1838,10 +1838,11 @@
          * SYN), we can assume that the receiver of the SYN did
          * already send back the SYN/ACK (and thus that we know if
          * the receiver also does window scaling)
          */
         if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
+                fdata->td_winflags &= ~TCP_WSCALE_FIRST;
                 fdata->td_maxwin = win;
         }
 
         end = seq + dsize;
 

@@ -1900,11 +1901,11 @@
                  */
             (SEQ_GE(seq, fdata->td_end - maxwin)) &&
 #endif
 /* XXX what about big packets */
 #define MAXACKWINDOW 66000
-            (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
+            (-ackskew <= (MAXACKWINDOW)) &&
             ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
                 inseq = 1;
         /*
          * Microsoft Windows will send the next packet to the right of the
          * window if SACK is in use.