[Bug 236829] pf does not respect timeout values at all

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236829

            Bug ID: 236829
           Summary: pf does not respect timeout values at all
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: rs at bytecamp.net

Created attachment 203189
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=203189&action=edit
simple pf.conf

Timeout values (global and per rule) are not recognised. This issue is present
since at least 10.3, I'm now reporting since I have a test case on a machine
with a recent version of FreeBSD (11.2-RELEASE-p8).

Steps to reproduce:

* load attached simple pf.conf
* start local nc in listening mode on port 12345
* telnet inbound (from another machine) to port 12345
* disconnect telnet
* see wrong timeouts in state list

The global timeout for finwait/closing are set to 20/25, the per rule timeouts
are set to 15/10.

The timeouts applied can be check with the command:
# pfctl -vvvss | grep -B2 'rule 2'

1) after establishing client connection:

all tcp x.x.x.x:12345 <- y.y.y.y:53187       ESTABLISHED:ESTABLISHED
   [3217899334 + 29312] wscale 6  [1370442108 + 65537] wscale 7
   age 00:00:02, expires in 23:59:58, 2:1 pkts, 112:60 bytes, rule 2

2) after closing client connection:

all tcp x.x.x.x:12345 <- y.y.y.y:53187       FIN_WAIT_2:FIN_WAIT_2
   [3217899335 + 29312] wscale 6  [1370442110 + 65664] wscale 7
   age 00:00:04, expires in 00:01:29, 4:3 pkts, 216:164 bytes, rule 2

So clear to see: neither global timeout nor per rule timeout are applied here.
Instead, the defaults are used (90s for closing).

-- 
You are receiving this mail because:
You are the assignee for the bug.