IPFW V2 dynamic keepalives broken

Gregory Neil Shapiro gshapiro at freebsd.org
Tue May 27 15:50:41 PDT 2003


Since enabling IPFW V2 on RELENG_4, I've had a fairly busy web/ftp
server run out of dynamic buckets for new rules.  Stopping the web/ftp
server processes and starting them helped alleviate the problem somewhat.
When it gets in this state, there are thousands of connections in
FIN_WAIT or FIN_WAIT_2.  It takes about 2 weeks to collect enough of
these FIN_WAIT* sockets to cause a problem.

After about 5 days, the count is already up to 461:

# netstat -anf inet | grep FIN_WAIT | wc -l
     461

I discovered however that it is somehow dyn_keepalives that is causing
the problem.  If I turn them off, things return to normal:

# sysctl net.inet.ip.fw.dyn_keepalive=0
net.inet.ip.fw.dyn_keepalive: 1 -> 0
(wait a few seconds)
# netstat -anf inet | grep FIN_WAIT | wc -l
      16

Here is a snapshot of how things looked before disabling dyn_keepalive:

# sysctl -a | grep net.inet.ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 497
net.inet.ip.fw.dyn_max: 2000
net.inet.ip.fw.static_count: 65
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 60
net.inet.ip.fw.dyn_keepalive: 1

Any ideas?  Could enabling dyn_keepalives prevent the FIN_WAIT* process
from completing?
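The figures in the post (dyn_count against dyn_max, and the FIN_WAIT socket count) are the two things worth watching on a host that uses keep-state rules. The script below is an added monitoring example, not from the post or from ipfw itself: it parses sysctl- and netstat-style output to flag a dynamic-rule table that is filling up and to count sockets sitting in FIN_WAIT states. The function names and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check dynamic-rule table usage
# and count FIN_WAIT sockets from sysctl/netstat-style text on stdin.

# Constructed sample output, modelled on the numbers quoted in the post.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 497
net.inet.ip.fw.dyn_max: 2000
net.inet.ip.fw.dyn_keepalive: 1'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0  192.0.2.10.80          198.51.100.8.40011     ESTABLISHED
tcp4       0      0  192.0.2.10.21          203.0.113.5.33001      FIN_WAIT_1
tcp4       0      0  192.0.2.10.80          198.51.100.9.42000     FIN_WAIT_2'

# Print "<dyn_count> <dyn_max> <percent used>" from sysctl-style lines on stdin.
dyn_table_usage() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 }
        END { if (max > 0) printf "%d %d %d\n", count, max, (count * 100) / max }'
}

# Count sockets whose state column starts with FIN_WAIT (FIN_WAIT_1 or FIN_WAIT_2).
count_fin_wait() {
    awk '$NF ~ /^FIN_WAIT/ { n++ } END { print n + 0 }'
}

# Report usage; exit 0 while below the threshold percentage, 1 once at or above it.
check_dyn_table() {
    threshold="$1"
    set -- $(dyn_table_usage)
    echo "dynamic rules: $1 of $2 ($3% used)"
    [ "$3" -lt "$threshold" ]
}

# Usage on the constructed samples. On a live host the equivalents are
#   sysctl net.inet.ip.fw | check_dyn_table 80
#   netstat -anf inet | count_fin_wait
printf '%s\n' "$SAMPLE_SYSCTL" | check_dyn_table 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_fin_wait
```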

