[Bug 253476] ipfw keepalive: tcp_do_segment: Timestamp missing, segment silently dropped

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Feb 15 21:49:42 UTC 2021


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253476

Andrey V. Elsukov <ae at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ae at FreeBSD.org

--- Comment #8 from Andrey V. Elsukov <ae at FreeBSD.org> ---
(In reply to Michael Tuexen from comment #7)

>OK. We agree that this is a bug in ipfw. Why not use in ipfw a timeout
>which is in tune with the standard keepalive timeout? Then there is no need for ipfw
>to send out packets pretending that a peer is still alive...

ipfw by default uses 300 seconds as the TTL for TCP states. The default keepalive
idle interval in the TCP stack, AFAIR, is 2 hours. In 2 hours a typical gateway with
ipfw for some network can create several tens of millions of states. The small
interval is used to reduce memory requirements and CPU usage, since the state
search can be done several times for every packet, depending on the ruleset.
This keepalive implementation in ipfw has been used and has worked well for at
least the last 20 years.

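The failure mode in the bug title, modelled as an added example (not ipfw or FreeBSD code): a bare-ACK keepalive probe on a connection that negotiated TCP timestamps is silently dropped by a receiver applying the RFC 7323 rule, while the same probe carrying a timestamp option, or a probe on a connection that never negotiated timestamps, is accepted. The assumption is that a firewall synthesizing the probe from its state table knows only the sequence and acknowledgement numbers and so sends no options; the names `Segment`, `Receiver`, `do_segment`, `keepalive_probe` and the `tolerate_missing_ts` knob are this example's own and do not correspond to any kernel symbol or sysctl.

```python
"""Constructed model of RFC 7323 timestamp handling versus a middlebox keepalive.
Not ipfw/FreeBSD code; every name here is the example's own."""
import struct
from dataclasses import dataclass
from typing import Optional

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8
TH_RST, TH_ACK = 0x04, 0x10
TS_MASK = 0xFFFFFFFF


@dataclass
class Segment:
    seq: int
    ack: int
    flags: int
    options: bytes = b""   # raw TCP options as they would appear on the wire
    payload: bytes = b""


def parse_options(raw: bytes) -> dict:
    """Walk a TCP option list (EOL / NOP / kind,len,value) into {kind: value}.
    The timestamp option is decoded to a (TSval, TSecr) tuple."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        body = raw[i + 2:i + length]
        if kind == TCPOPT_TIMESTAMP:
            if length != 10:
                raise ValueError("timestamp option must be 10 bytes")
            opts[kind] = struct.unpack("!II", body)
        else:
            opts[kind] = body
        i += length
    return opts


def timestamp_option(tsval: int, tsecr: int) -> bytes:
    """NOP NOP TS(10) <TSval> <TSecr>: the usual 12-byte aligned encoding."""
    return bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, 10]) + struct.pack("!II", tsval, tsecr)


def keepalive_probe(seq: int, ack: int, ts: Optional[tuple] = None) -> Segment:
    """A bare ACK probe. A host stack that negotiated timestamps attaches the
    option; a firewall building the probe from its state table (assumed here)
    knows seq/ack but has no TSval/TSecr to put on the wire."""
    return Segment(seq=seq, ack=ack, flags=TH_ACK,
                   options=timestamp_option(*ts) if ts else b"")


def ts_lt(a: int, b: int) -> bool:
    """Modular 32-bit 'a < b' for timestamp comparison (handles wrap)."""
    return ((a - b) & TS_MASK) >= 0x80000000


@dataclass
class Receiver:
    ts_negotiated: bool                # TSopt was present on SYN and SYN/ACK
    ts_recent: int = 0                 # last in-window TSval; 0 means none yet
    tolerate_missing_ts: bool = False  # hypothetical knob for this example only

    def do_segment(self, seg: Segment) -> str:
        """Return 'accept' or 'drop:<reason>' for one incoming segment."""
        ts = parse_options(seg.options).get(TCPOPT_TIMESTAMP)
        if self.ts_negotiated and ts is None and not (seg.flags & TH_RST):
            # RFC 7323 section 3.2: a non-RST segment without TSopt on a
            # connection that negotiated timestamps SHOULD be silently dropped.
            if not self.tolerate_missing_ts:
                return "drop:timestamp-missing"
        if ts is not None and self.ts_negotiated:
            tsval, _tsecr = ts
            # PAWS (RFC 7323 section 5.3): reject a TSval older than TS.Recent.
            if self.ts_recent and ts_lt(tsval, self.ts_recent):
                return "drop:paws"
            self.ts_recent = tsval
        return "accept"


def run_demo() -> dict:
    """One connection state, probed by a host stack (with TS) and by a
    middlebox (no TS), against strict, tolerant and non-TS receivers."""
    seq, ack = 0x1000, 0x2000
    strict = Receiver(ts_negotiated=True, ts_recent=500)
    lenient = Receiver(ts_negotiated=True, ts_recent=500, tolerate_missing_ts=True)
    no_ts = Receiver(ts_negotiated=False)
    return {
        "stack_probe_with_ts": strict.do_segment(keepalive_probe(seq, ack, (501, 7))),
        "middlebox_probe_no_ts": strict.do_segment(keepalive_probe(seq, ack)),
        "middlebox_probe_tolerated": lenient.do_segment(keepalive_probe(seq, ack)),
        "no_ts_negotiated": no_ts.do_segment(keepalive_probe(seq, ack)),
        "stale_tsval": strict.do_segment(keepalive_probe(seq, ack, (400, 7))),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} {verdict}")
```

The point the model makes concrete: a probe synthesized without the connection's timestamp state is indistinguishable, to a receiver following RFC 7323 strictly, from a bogus segment, so it never refreshes the peer and the firewall's 300-second state expires anyway; only a probe carrying a fresh TSval, or a receiver that tolerates the missing option, keeps the state alive.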


More information about the freebsd-ipfw mailing list