Date: Wed, 10 Feb 2021 20:26:31 +0100
From: Stefan Ehmann <shoesoft@gmx.net>
To: freebsd-stable@freebsd.org, Helge Oldach <freebsd@oldach.net>
Subject: Re: 13.0-BETA1: ipfw regression?
Message-ID: <3795201.kAAoriTUSa@walrus.pepperland>
In-Reply-To: <202102100646.11A6kQGS068916@nuc.oldach.net>
References: <202102100646.11A6kQGS068916@nuc.oldach.net>
On Wednesday, February 10, 2021 7:46:25 AM CET Helge Oldach wrote:
> Hi,
>
> Stefan Ehmann wrote on Tue, 09 Feb 2021 23:23:32 +0100 (CET):
> > I'm having issues with stale TCP connections after the upgrade from 12.2 to
> > 13.0-BETA1.
> >
> > Symptoms:
> > Outgoing TCP connections no longer receive data after being idle.
> >
> > I can do more testing later, but I think these ipfw rules trigger the
> > problem:
> > - check-state
> > - allow tcp from me to any setup keep-state
> > - deny ip from any to any
> >
> > After establishing an outgoing connection (e.g., via netcat), I see a new
> > dynamic rule and the 300s counter running down via
> > # ipfw -Da list
> >
> > net.inet.ip.fw.dyn_keepalive is set to 1, so the timer should be refreshed
> > via keep-alive on idle connections.
> >
> > Don't know if it's deterministic, but from what I've seen so far:
> > - When the counter gets low the first time, it is reset to 300 as expected.
> > - When the counter nears zero for the second time, the dynamic rule is
> > deleted and I get ipfw denies.
>
> I am afraid I can't reproduce. I have followed your test case however
> I'm seeing that a TCP keepalive reliably triggers a timer refresh. For
> example (sleep 1 loop over ipfw -Da list | grep):
> [...]

Repeated my tests with tcpdump on remote host. What I see:

First the timer goes down to ~20s and is reset to 300s (as expected). The remote host sees a keep-alive packet at that point.

On second run, there's no keep-alive packet seen on the remote host. Timer expires and rule is removed. Expected at this point since there was no keep-alive exchange.

The connection is still working at this point (deny rule was deleted).

> This is amd64 stable/13-n244495-7d9e00cd8bd which is slightly more
> recent than BETA1 I believe. Can you share the git commit please

I'm on releng/13.0 (just updated to 0b54d2764737). There are some additional commits in stable/13 (including sys/net). I can try stable later.
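Added example, not part of the thread: the "sleep 1 loop over ipfw -Da list | grep" that Helge describes, written out as a small sh script that records when the dynamic rule's timer is refreshed by a keepalive and when the rule expires without one, which is the symptom Stefan reports. The column layout assumed for the `ipfw -Da list` dynamic-rule lines and the sample listing are constructed, not taken from either poster's output.

```sh
# Added example, not code from the thread: follow one ipfw keep-state dynamic rule and
# log when a keepalive refreshes its timer or when the rule expires without one.
# Assumed layout of `ipfw -Da list` dynamic rules: "<num> <pkts> <bytes> (Ns) STATE proto src sport <-> dst dport :name".

# Constructed sample of such output (not a real capture).
SAMPLE_LISTING='00100 3 180 (20s) STATE tcp 192.0.2.10 54321 <-> 198.51.100.7 443 :default
00100 1 60 (299s) STATE tcp 192.0.2.10 54322 <-> 198.51.100.9 22 :default'

# dyn_timer LISTING PEER_IP PEER_PORT: print the remaining lifetime in seconds
# of the dynamic rule matching that peer, or "gone" if no such rule is listed.
dyn_timer() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        /STATE/ {
            for (i = 1; i <= NF; i++)
                if ($i == "<->" && $(i + 1) == ip && $(i + 2) == port)
                    for (j = 1; j <= NF; j++)
                        if ($j ~ /^\([0-9]+s\)$/) { gsub(/[()s]/, "", $j); print $j; found = 1; exit }
        }
        END { if (!found) print "gone" }'
}

# timer_event PREV CUR -> new | refresh | tick | expired | absent
# "refresh": the timer went up, so a keepalive was exchanged.
# "expired": the rule vanished, the failure mode reported in the thread.
timer_event() {
    if [ "$2" = gone ]; then
        if [ "$1" = gone ]; then echo absent; else echo expired; fi
    elif [ "$1" = gone ]; then echo new
    elif [ "$2" -gt "$1" ]; then echo refresh
    else echo tick
    fi
}

# watch_dyn_rule PEER_IP PEER_PORT: poll ipfw once per second (root required),
# print a timestamped line per state change and return once the rule expires.
watch_dyn_rule() {
    prev=gone
    while :; do
        cur=$(dyn_timer "$(ipfw -Da list)" "$1" "$2")
        ev=$(timer_event "$prev" "$cur")
        case $ev in
            new|refresh|expired) printf '%s %s timer=%s (was %s)\n' "$(date +%T)" "$ev" "$cur" "$prev" ;;
        esac
        if [ "$ev" = expired ]; then return 0; fi
        prev=$cur
        sleep 1
    done
}

dyn_timer "$SAMPLE_LISTING" 198.51.100.7 443   # offline check on the sample: prints 20
```

On a FreeBSD host, `watch_dyn_rule <peer-ip> <peer-port>` run as root alongside the idle netcat connection gives a log of each refresh and the eventual expiry, which can be lined up against the tcpdump on the remote side.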