Date:      Thu, 11 Feb 2021 02:50:35 +0100
From:      Stefan Ehmann <shoesoft@gmx.net>
To:        freebsd-stable@freebsd.org, Helge Oldach <freebsd@oldach.net>
Subject:   Re: 13.0-BETA1: ipfw regression?
Message-ID:  <2807953.hHqAuc6tWs@walrus.pepperland>
In-Reply-To: <202102100646.11A6kQGS068916@nuc.oldach.net>
References:  <202102100646.11A6kQGS068916@nuc.oldach.net>

On Wednesday, February 10, 2021 7:46:25 AM CET Helge Oldach wrote:
> Hi,
>
> Stefan Ehmann wrote on Tue, 09 Feb 2021 23:23:32 +0100 (CET):
> > I'm having issues with stale TCP connections after the upgrade from 12.2
> > to
> > 13.0-BETA1.
> >
> > Symptoms:
> > Outgoing TCP connections no longer receive data after being idle.
> >
> > I can do more testing later, but I think these ipfw rules trigger the
> > problem: - check-state
> > - allow tcp from me to any setup keep-state
> > - deny ip from any to any
> >
> > After establishing an outgoing connection (e.g, via netcat), I see a new
> > dynamic rule and the 300s counter running down via
> > # ipfw -Da list
> >
> > net.inet.ip.fw.dyn_keepalive is set to 1, so the timer should be refreshed
> > via keep-alive on idle connections.
> >
> > Don't know if it's deterministic, but from what I've seen so far:
> > - When counter gets low the first time, it is reset to 300 as expected.
> > - When the counter nears zero for the second time, the dynamic rule is
> > deleted and I get ipfw denies.
>
> I am afraid I can't reproduce. I have followed your test case however
> I'm seeing that a TCP keepalive reliably triggers a timer refresh. For
> example (sleep 1 loop over ipfw -Da list | grep):

Tested in VirtualBox with amd64.vmdk from:

https://download.freebsd.org/ftp/releases/VM-IMAGES/13.0-BETA1/

Terminal 1:
kldload ipfw
ipfw add check-state
ipfw add allow tcp from me to any setup keep-state

/bin/sh (I don't speak csh)
while true; do sleep 1; ipfw -Da list; done

Terminal 2:
nc <remote> 12345

On <remote> nc -l 12345 is running

Updated to 187492ef639f, but nothing changed.
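An added example (not from Stefan's or Helge's mail) that automates the sleep-1 loop above: it reduces `ipfw -Da list` to the per-state timer and reports when a state's timer jumps back up (keepalive refresh) versus when the state disappears (expiry, after which the deny rule catches the traffic). The listing format and field positions are assumed to match FreeBSD 13's `ipfw -Da list`; sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Watches ipfw dynamic rules so that a
# keepalive refresh (timer jumps back up, e.g. to 300s) can be told apart from
# an expiry (state vanishes and traffic starts hitting the deny rule).
# Assumed line format:
# "<rule> <pkts> <bytes> (<N>s) STATE <proto> <src> <sport> <-> <dst> <dport> ..."

# Reduce `ipfw -Da list` (stdin) to "<rule> <secs_left> <proto> <src> <sport> <dst> <dport>".
dyn_timers() {
    awk '/\([0-9]+s\) STATE / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\([0-9]+s\)$/) {
                secs = substr($i, 2, length($i) - 3)
                print $1, secs, $(i+2), $(i+3), $(i+4), $(i+6), $(i+7)
                break
            }
    }'
}

# Compare two dyn_timers samples ($1 = previous, $2 = current, both files) and
# print REFRESHED (timer went up), NEW, or EXPIRED (state vanished) events.
diff_timers() {
    awk '
        FILENAME == ARGV[1] { prev[$1 " " $3 " " $4 " " $5 " " $6 " " $7] = $2; next }
        {
            key = $1 " " $3 " " $4 " " $5 " " $6 " " $7
            if (key in prev) {
                if ($2 + 0 > prev[key] + 0) print "REFRESHED " key " " prev[key] "s->" $2 "s"
                seen[key] = 1
            } else print "NEW " key
        }
        END { for (k in prev) if (!(k in seen)) print "EXPIRED " k }
    ' "$1" "$2"
}

# Sample the firewall once per second (the sleep-1 loop from the thread) and
# timestamp every event; run as root on the FreeBSD box under test.
watch_dyn() {
    prev=$(mktemp) cur=$(mktemp)
    ipfw -Da list | dyn_timers > "$prev"
    while sleep 1; do
        ipfw -Da list | dyn_timers > "$cur"
        diff_timers "$prev" "$cur" | sed "s/^/$(date +%T) /"
        mv "$cur" "$prev"
    done
}

if [ "${1:-}" = watch ]; then watch_dyn; fi
```

Invoke as `sh ipfw-dyn.sh watch` (hypothetical file name) alongside the netcat test; a REFRESHED line shortly before the counter reaches zero is the keepalive doing its job, an EXPIRED line is the failure mode described in the report.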