problems caused by net.inet.tcp.blackhole=2

Don Lewis truckman at FreeBSD.org
Mon Nov 10 00:03:19 PST 2003


On 10 Nov, Joerg Pernfuss wrote:
> On Sat, 8 Nov 2003 15:25:18 -0800 (PST)
> Don Lewis <truckman at freebsd.org> wrote:
> 
>> On  8 Nov, Michal wrote:
>> > Hello,
>> > maybe someone will be able to help me with the problem. Namely, setting
>> > net.inet.tcp.blackhole=2 makes samba start very slowly (90sec). Also
>> > smbclient is slow. After samba starts there is no delay to connect from
>> > another machine with persistent local problems (smbclient).
>> > Additionally, the sysctl setting has a weird impact on mozilla: trying to
>> > write to web forms causes mozilla to freeze. Now setting
>> > net.inet.tcp.blackhole=0 reverts all the problems: samba starts fast
>> > and no problems with writing to the web forms.
>> > my system:
>> > FreeBSD 5.1-CURRENT #0: Thu Oct 30 17:49:13 EST 2003
>> > ports updated 11-08-03
>> > 
>> > I appreciate any suggestions
>> 
>> I looked at a similar problem that someone was having a while back.  It
>> appears that the problem is that this sysctl setting is suppressing the
>> sending of TCP RST packets which are needed to tear down dead
>> connections, and if one end of the connection thinks the connection is
>> still established, it is not possible to create a new connection between
>> the hosts that reuses the same addresses and ports as the old
>> connection.
>> 
>> Since the whole point of net.inet.tcp.blackhole=2 is to block the RST
>> packets that could allow the host to be scanned, I suspect you are
>> stuck.
> 
> That's not a bug, that is the only feature :)
> 
> First of all, check on which ports the connections that time out occur.
> One possibility would be `tcpdump', the other is to set the sysctl
> net.inet.tcp.log_in_vain to 1. Then start samba and look in the logs to
> which closed ports connection attempts were made.
> Maybe there is a decent solution to provide these packets the answer they
> desire so hard.

You'll probably need to crank net.inet.tcp.log_in_vain all the way up to
2.  If you just set it to 1, it won't tell you about packets that don't
have the SYN flag set.
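
An added example, not part of the original thread: a shell/awk filter that tallies net.inet.tcp.log_in_vain entries by closed destination port and separates SYN segments from non-SYN ones, the latter being what the reply above says are only reported at the value 2. The kernel log line format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally log_in_vain entries per closed destination port.
# ASSUMPTION: kernel log lines look like
#   Connection attempt to TCP 10.0.0.5:139 from 10.0.0.5:1031 flags:0x02
# (the thread does not show the format).

# Constructed sample log lines; on a real host feed the system log instead.
sample_log() {
cat <<'EOF'
Nov 10 00:01:02 host /kernel: Connection attempt to TCP 10.0.0.5:139 from 10.0.0.5:1031 flags:0x02
Nov 10 00:01:05 host /kernel: Connection attempt to TCP 10.0.0.5:139 from 10.0.0.5:1031 flags:0x02
Nov 10 00:01:09 host /kernel: Connection attempt to TCP 10.0.0.5:445 from 10.0.0.5:1032 flags:0x02
Nov 10 00:02:00 host /kernel: Connection attempt to TCP 10.0.0.5:80 from 10.0.0.9:3310 flags:0x10
Nov 10 00:02:03 host /kernel: Connection attempt to TCP 10.0.0.5:80 from 10.0.0.9:3310 flags:0x11
Nov 10 00:02:04 host sshd[412]: unrelated line
EOF
}

# Reads log lines on stdin; prints "port syn=N nonsyn=M" per destination port.
# A port with only non-SYN hits points at a stale connection whose RST
# is being suppressed, rather than at a new connection attempt.
summarize_in_vain() {
    awk '
    /Connection attempt to TCP / {
        dst = ""; fl = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TCP") dst = $(i + 1)
            if ($i ~ /^flags:0x/) fl = substr($i, 9)
        }
        n = split(dst, a, ":"); port = a[n]
        if (port == "" || fl == "") next
        # TH_SYN is bit 0x02, so the last hex digit is enough to test it.
        d = index("0123456789abcdef", tolower(substr(fl, length(fl), 1))) - 1
        if (d < 0) next
        if (int(d / 2) % 2 == 1) syn[port]++; else nonsyn[port]++
        seen[port] = 1
    }
    END {
        for (p in seen) printf "%s syn=%d nonsyn=%d\n", p, syn[p], nonsyn[p]
    }' | sort -n
}

sample_log | summarize_in_vain
```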

