From: Stefan Ehmann
To: freebsd-stable@freebsd.org, Helge Oldach
Subject: Re: 13.0-BETA1: ipfw regression?
Date: Wed, 10 Feb 2021 20:26:31 +0100
Message-ID: <3795201.kAAoriTUSa@walrus.pepperland>
In-Reply-To: <202102100646.11A6kQGS068916@nuc.oldach.net>
On Wednesday, February 10, 2021 7:46:25 AM CET Helge Oldach wrote:
> Hi,
>
> Stefan Ehmann wrote on Tue, 09 Feb 2021 23:23:32 +0100 (CET):
> > I'm having issues with stale TCP connections after the upgrade from 12.2
> > to 13.0-BETA1.
> >
> > Symptoms:
> > Outgoing TCP connections no longer receive data after being idle.
> >
> > I can do more testing later, but I think these ipfw rules trigger the
> > problem:
> > - check-state
> > - allow tcp from me to any setup keep-state
> > - deny ip from any to any
> >
> > After establishing an outgoing connection (e.g., via netcat), I see a new
> > dynamic rule and the 300s counter running down via
> > # ipfw -Da list
> >
> > net.inet.ip.fw.dyn_keepalive is set to 1, so the timer should be refreshed
> > via keep-alive on idle connections.
> >
> > Don't know if it's deterministic, but from what I've seen so far:
> > - When the counter gets low the first time, it is reset to 300 as expected.
> > - When the counter nears zero for the second time, the dynamic rule is
> >   deleted and I get ipfw denies.
>
> I am afraid I can't reproduce. I have followed your test case; however,
> I'm seeing that a TCP keepalive reliably triggers a timer refresh. For
> example (sleep 1 loop over ipfw -Da list | grep):
> [...]

Repeated my tests with tcpdump on the remote host. What I see:

First the timer goes down to ~20s and is reset to 300s (as expected). The
remote host sees a keep-alive packet at that point.

On the second run, there's no keep-alive packet seen on the remote host. The
timer expires and the rule is removed. Expected at this point since there was
no keep-alive exchange.

The connection is still working at this point (deny rule was deleted).

> This is amd64 stable/13-n244495-7d9e00cd8bd which is slightly more
> recent than BETA1 I believe. Can you share the git commit please?

I'm on releng/13.0 (just updated to 0b54d2764737). There are some additional
commits in stable/13 (including sys/net). I can try stable later.
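An added example, not from this thread or from FreeBSD, that turns the sleep-1 polling loop over `ipfw -Da list` described above into a small checker: it parses successive snapshots of the dynamic-rule table and reports whether a keep-state rule's timer was refreshed (keepalive answered) or the rule expired (no keepalive exchange). The dynamic-rule line layout is assumed from ipfw(8) output, and the snapshots are constructed to mirror the behaviour reported in the thread.

```python
import re

# Assumed layout of a dynamic-rule line in `ipfw -Da list` output, per ipfw(8):
#   <rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> :<name>
DYN_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

def parse_dynamic(output):
    """Map each flow (proto, src, sport, dst, dport) to its remaining lifetime in seconds."""
    states = {}
    for line in output.splitlines():
        m = DYN_RE.match(line)
        if m:
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            states[key] = int(m["ttl"])
    return states

def track(snapshots, lifetime=300):
    """Compare successive snapshots; return (index, flow, event, old_ttl, new_ttl) tuples.

    'refresh': TTL jumped up, i.e. the keepalive probe was answered and the state renewed.
    'expired': the flow vanished with its TTL near zero, i.e. no keepalive exchange
    happened and ipfw deleted the rule.  'removed': it vanished with lifetime left
    (normal TCP teardown).  `lifetime` is the 300s counter observed in the thread.
    """
    events, prev = [], {}
    for i, snap in enumerate(snapshots):
        cur = parse_dynamic(snap)
        for key, ttl in cur.items():
            if key in prev and ttl > prev[key]:
                events.append((i, key, "refresh", prev[key], ttl))
        for key, ttl in prev.items():
            if key not in cur:
                kind = "expired" if ttl <= lifetime // 10 else "removed"
                events.append((i, key, kind, ttl, None))
        prev = cur
    return events

# Constructed snapshots (not real output), picked from a sleep-1 poll loop: the first
# keepalive refreshes the timer, the second round sees no keepalive and the rule goes.
SNAPSHOTS = [
    "## Dynamic rules (1 5040):\n00100 12 1860 (20s) STATE tcp 192.0.2.10 49152 <-> 198.51.100.5 22 :default\n",
    "## Dynamic rules (1 5040):\n00100 13 1912 (300s) STATE tcp 192.0.2.10 49152 <-> 198.51.100.5 22 :default\n",
    "## Dynamic rules (1 5040):\n00100 13 1912 (3s) STATE tcp 192.0.2.10 49152 <-> 198.51.100.5 22 :default\n",
    "## Dynamic rules (0 5040):\n",
]
```

Feeding it live output (one `ipfw -Da list` capture per second) instead of the constructed list separates a refreshed timer from an expired rule without eyeballing the countdown.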