Tor Perkins
2016-02-12 20:54:24 UTC
Please refer to my previous message for a detailed explanation.
What follows is a brief rationale and a patch...
The kernel should handle TCP RST packets using the same criteria as
PF. PF accepts the exact SEQ and the SEQ +1/-1 case, as seen here:
vi /usr/src/sys/net/pf.c +/'match on resets'
The kernel only accepts SEQ and SEQ +1 (here we add the -1 case).
The SEQ is a 16 bit value held in an unsigned 32 bit variable. By
using addition to implement the test, we avoid wrap-around
surprises and match the PF implementation (thanks Janne!).
In the absence of this change, a -1 RST rightly makes PF delete
state for a connection, but the associated socket incorrectly
remains without error (ECONNRESET is not set).
- Tor
Index: tcp_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.313
diff -u -p -r1.313 tcp_input.c
--- tcp_input.c 22 Jan 2016 11:10:17 -0000 1.313
+++ tcp_input.c 12 Feb 2016 19:51:22 -0000
@@ -1437,6 +1437,7 @@ trimthenstep6:
if (tiflags & TH_RST) {
if (th->th_seq != tp->last_ack_sent &&
th->th_seq != tp->rcv_nxt &&
+ (th->th_seq + 1) != tp->rcv_nxt &&
th->th_seq != (tp->rcv_nxt + 1))
goto drop;
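Review bot: The RST test under trimthenstep6 now accepts a sequence number one below rcv_nxt in addition to last_ack_sent, rcv_nxt and rcv_nxt + 1, but nothing in the code says why. Each extra accepted value widens what an off-path spoofed RST can match, so a short comment above the `if` should state that the +1/-1 tolerance deliberately mirrors PF's 'match on resets' check and that the two must be changed together. The comment should also note that the `+ 1` sits on the `th->th_seq` side in the new line and on the `tp->rcv_nxt` side in the following line on purpose (addition only, as the rationale explains), so a later cleanup does not rewrite it as a subtraction. If the rationale text becomes the commit message, "16 bit value" should read 32 bit, since TCP sequence numbers are 32 bits wide and the wrap-around argument depends on the unsigned 32 bit width.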