Sockets stuck in FIN_WAIT_1
Robert Blayzor
rblayzor.bulk at inoc.net
Fri May 30 17:34:18 UTC 2008
On May 30, 2008, at 12:43 PM, Matthew Dillon wrote:
> I would be very careful with any type of ruleset (IPFW or PF) which
> relies on keep-state. You can wind up causing legitimate
> connections
> to drop if it isn't carefully tuned.
Thanks again Matt...
I do agree on the firewall and keep-state and scaling issue. It
wasn't the magic bullet I thought it may have been. The stuck
connections just dropped off due to the load dropping at night. The
bandaid I have is the tcpdrop hack that was posted here. That seems
to clear all the stuck sessions. While it's probably not the best
thing to do, it protects the server at least. I don't know what more
to do at this point. While these may be broken client issues, it's
breaking the server. I don't know if it makes sense to push something
upstream to see if some type of knob can be implemented into the
network stack to force close/drop these or to just let it go and deal
with it as-is. I have a message into the clamav-devel list to see if
this is a problem on the freshclam client and the way it handles
closing connections/broken connections. It's quite possible it's
something broken in freshclam where it's failing to deal with a
network failure properly....
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
More information about the freebsd-stable
mailing list