IPFW V2 dynamic keepalives broken

Luigi Rizzo rizzo at icir.org
Wed May 28 01:32:52 PDT 2003


i imagine the following happens:
 + the client does not properly close the connection;
 + when a keepalive is sent (every 5 minutes), the server's TCP
   responds (thus refreshing the rule), and the TCP timeout
   is reset so it stays in the FIN_WAIT[2] state for another cycle, whereas
   the client does not bother to send back a RST (which would cause the
   timeout for the dynamic rule go down to very low values).

This would explain why the phenomenon is relatively rare (500 entries in
5 days).

Maybe i should change the logic in the dynamic rules so that further
keepalives are not sent unless a reply has been received from both
sides.
 
On Tue, May 27, 2003 at 03:50:40PM -0700, Gregory Neil Shapiro wrote:
> Since enabling IPFW V2 on RELENG_4, I've had a fairly busy web/ftp
> server run out dynamic buckets for new rules.  Stopping the web/ftp
...
> I discovered however that it is somehow dyn_keepalives that is causing
> the problem.  If I turn them off, things return to normal:
> 
> # sysctl net.inet.ip.fw.dyn_keepalive=0
> net.inet.ip.fw.dyn_keepalive: 1 -> 0
> (wait a few seconds)

how "few" seconds? I suppose in the order of 300 or so, enough
to let the local session expire?

	cheers
	luigi

> # netstat -anf inet | grep FIN_WAIT | wc -l
>       16
> 
> Here is a snapshot of how things looked before disabling dyn_keepalive:
> 
> # sysctl -a | grep net.inet.ip.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 497
> net.inet.ip.fw.dyn_max: 2000
> net.inet.ip.fw.static_count: 65
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 60
> net.inet.ip.fw.dyn_keepalive: 1
> 
> Any ideas?  Could enabling dyn_keepalives prevent the FIN_WAIT* process
> from completing?
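A small simulation of the timer behaviour Luigi describes, added here as an example and not code from ipfw or from anyone in the thread. The lifetimes are the sysctl values quoted above; the client behaviours are constructed scenarios, and "probe just before expiry" is a simplification of ipfw's keepalive scheduling.

```c
#include <stdbool.h>
#include <stdio.h>

/* Lifetimes taken from the sysctl snapshot quoted in the thread (seconds). */
#define DYN_ACK_LIFETIME 300
#define DYN_RST_LIFETIME 1

/* How the remote client reacts to a keepalive (constructed scenarios). */
enum client_behaviour { CLIENT_SILENT, CLIENT_SENDS_RST };

struct dyn_rule {
    int  expire;           /* absolute time (s) at which the rule is reclaimed */
    bool keepalives_on;    /* whether ipfw still probes this rule */
};

/*
 * Simplified model: ipfw probes both ends just before the rule would expire.
 * The local server's TCP (sitting in FIN_WAIT_2) always answers, which
 * refreshes the rule.  With require_both_sides set (the proposed change),
 * probing stops once a cycle ends with a reply from only one side.
 * Returns the time the rule is reclaimed, or -1 if still alive at max_time.
 */
static int simulate(enum client_behaviour client, bool require_both_sides, int max_time)
{
    struct dyn_rule r = { DYN_ACK_LIFETIME, true };
    for (int now = 0; now <= max_time; now++) {
        if (now >= r.expire)
            return now;                        /* rule garbage-collected */
        if (!r.keepalives_on || now != r.expire - 1)
            continue;                          /* not a probing instant */
        bool server_replied = true;            /* ACK from the local TCP */
        bool client_replied = (client == CLIENT_SENDS_RST);
        if (client_replied)
            r.expire = now + DYN_RST_LIFETIME; /* RST: rule dies almost at once */
        else if (server_replied)
            r.expire = now + DYN_ACK_LIFETIME; /* one-sided ACK still refreshes it */
        if (require_both_sides && !(server_replied && client_replied))
            r.keepalives_on = false;           /* stop feeding a half-dead session */
    }
    return -1;
}

int main(void)
{
    printf("silent client, current logic  : %d\n", simulate(CLIENT_SILENT, false, 3000));
    printf("silent client, both-sides rule: %d\n", simulate(CLIENT_SILENT, true, 3000));
    printf("client answers with RST       : %d\n", simulate(CLIENT_SENDS_RST, false, 3000));
    return 0;
}
```

With a silent client the current logic keeps the rule alive for as long as the server keeps answering, while the both-sides rule lets it lapse after one extra lifetime; a client that answers with a RST drops the rule within dyn_rst_lifetime either way.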
