13.0-BETA1: ipfw regression?

Stefan Ehmann shoesoft at gmx.net
Wed Feb 10 19:26:44 UTC 2021


On Wednesday, February 10, 2021 7:46:25 AM CET Helge Oldach wrote:
> Hi,
>
> Stefan Ehmann wrote on Tue, 09 Feb 2021 23:23:32 +0100 (CET):
> > I'm having issues with stale TCP connections after the upgrade from 12.2 to 13.0-BETA1.
> >
> > Symptoms:
> > Outgoing TCP connections no longer receive data after being idle.
> >
> > I can do more testing later, but I think these ipfw rules trigger the
> > problem:
> > - check-state
> > - allow tcp from me to any setup keep-state
> > - deny ip from any to any
> >
> > After establishing an outgoing connection (e.g., via netcat), I see a new
> > dynamic rule and the 300s counter running down via
> > # ipfw -Da list
> >
> > net.inet.ip.fw.dyn_keepalive is set to 1, so the timer should be refreshed
> > via keep-alive on idle connections.
> >
> > Don't know if it's deterministic, but from what I've seen so far:
> > - When counter gets low the first time, it is reset to 300 as expected.
> > - When the counter nears zero for the second time, the dynamic rule is
> > deleted and I get ipfw denies.
>
> I am afraid I can't reproduce. I have followed your test case however
> I'm seeing that a TCP keepalive reliably triggers a timer refresh. For
> example (sleep 1 loop over ipfw -Da list | grep):
>
[...]

Repeated my tests with tcpdump on remote host.

What I see: First the timer goes down to ~20s and is reset to 300s (as
expected). The remote host sees a keep-alive-packet at that point.

On second run, there's no keep-alive packet seen on the remote host.
Timer expires and rule is removed. Expected at this point since there was no
keep-alive exchange.

The connection is still working at this point (deny rule was deleted).

> This is amd64 stable/13-n244495-7d9e00cd8bd which is slightly more
> recent than BETA1 I believe. Can you share the git commit please

I'm on releng/13.0 (just updated to 0b54d2764737).

There are some additional commits in stable/13 (including sys/net). I can try
stable later.
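A small poller for the timer check both messages describe (an added example, not code from either post): it samples `ipfw -Da list` once a second for one dynamic rule and reports when the lifetime counter jumps back up (keepalive exchange worked) or the rule disappears (expired). The dynamic-rule line format, the sample output and the `rule_ttl`/`rule_state`/`watch_rule` names are my assumptions.

```shell
#!/bin/sh
# Assumed `ipfw -Da list` dynamic-rule line format (FreeBSD 12/13):
#   00100    5    420 (299s) STATE tcp 192.0.2.10 54321 <-> 198.51.100.7 80 :default
# Constructed sample output used for the offline demo below.
SAMPLE='## Dynamic rules (1 0):
00100    5    420 (299s) STATE tcp 192.0.2.10 54321 <-> 198.51.100.7 80 :default'

# rule_ttl <local-port>: read `ipfw -Da list` output on stdin and print the
# remaining lifetime (seconds) of the rule whose local port matches; prints
# nothing if the rule is not listed.
rule_ttl() {
  awk -v port="$1" 'index($0, " " port " <-> ") {
      match($0, /\([0-9]+s\)/)
      print substr($0, RSTART + 1, RLENGTH - 3)
      exit
  }'
}

# rule_state <prev-ttl> <cur-ttl>: classify two consecutive readings.
#   refreshed - counter went up, i.e. the keepalive refreshed the rule
#   expired   - rule no longer listed
#   counting  - still counting down (or first sample)
rule_state() {
  prev="$1"; cur="$2"
  if [ -z "$cur" ]; then echo expired
  elif [ -n "$prev" ] && [ "$cur" -gt "$prev" ]; then echo refreshed
  else echo counting
  fi
}

# watch_rule <local-port>: poll every second until the rule is gone.
# Needs root and a running ipfw; pair it with tcpdump on the peer to see
# whether a keepalive actually left the box when "refreshed" is printed.
watch_rule() {
  prev=""
  while :; do
    cur=$(ipfw -Da list | rule_ttl "$1")
    state=$(rule_state "$prev" "$cur")
    printf '%s ttl=%s %s\n' "$(date +%T)" "${cur:-none}" "$state"
    if [ "$state" = expired ]; then return 0; fi
    prev="$cur"
    sleep 1
  done
}

# With a port argument, poll the live firewall; otherwise parse the sample.
if [ "$#" -gt 0 ]; then watch_rule "$1"
else printf 'sample ttl=%s\n' "$(printf '%s\n' "$SAMPLE" | rule_ttl 54321)"
fi
```

Run as `sh watch.sh 54321` (the local port shown by `ipfw -Da list`) while the netcat session idles; a "refreshed" line without a matching keepalive packet on the remote host's tcpdump is the discrepancy to look for.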
