Date:      Mon, 10 Nov 2003 00:03:10 -0800 (PST)
From:      Don Lewis <truckman@FreeBSD.org>
To:        elessar@galgenberg.net
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: problems caused by net.inet.tcp.blackhole=2
Message-ID:  <200311100803.hAA83AeF065509@gw.catspoiler.org>
In-Reply-To: <20031110072426.0607baf4.elessar@galgenberg.net>


On 10 Nov, Joerg Pernfuss wrote:
> On Sat, 8 Nov 2003 15:25:18 -0800 (PST)
> Don Lewis <truckman@freebsd.org> wrote:
> 
>> On  8 Nov, Michal wrote:
>> > Hello,
>> > maybe someone will be able to help me with the problem. Namely setting
>> > net.inet.tcp.blackhole=2 makes samba start very slow (90sec). Also
>> > smbclient is slow. After samba starts there is no delay to connect from
>> > another machine with persistent local problems (smbclient).
>> > Additionally the sysctl setting has weird impact on mozilla: trying to
>> > write to web forms causes freezing of mozilla. Now setting
>> > net.inet.tcp.blackhole=0 reverts all the problems: samba starts fast
>> > and no problems with writing to the web forms.
>> > my system:
>> > FreeBSD 5.1-CURRENT #0: Thu Oct 30 17:49:13 EST 2003
>> > ports updated 11-08-03
>> > 
>> > I appreciate any suggestions
>> 
>> I looked at a similar problem that someone was having a while back.  It
>> appears that the problem is that this sysctl setting is suppressing the
>> sending of TCP RST packets which are needed to tear down dead
>> connections, and if one end of the connection thinks the connection is
>> still established, it is not possible to create a new connection between
>> the hosts that reuses the same addresses and ports as the old
>> connection.
>> 
>> Since the whole point of net.inet.tcp.blackhole=2 is to block the RST
>> packets that could allow the host to be scanned, I suspect you are
>> stuck.
> 
> That's not a bug, that is the only feature :)
> 
> First of all, check on which ports the connections that time out occur.
> One possibility would be `tcpdump', the other is to set the sysctl
> net.inet.tcp.log_in_vain to 1. Then start samba and look in the logs to
> which closed ports connection attempts were made.
> Maybe there is a decent solution to provide these packets the answer they
> desire so hard.

You'll probably need to crank net.inet.tcp.log_in_vain all the way up to
2.  If you just set it to 1, it won't tell you about packets that don't
have the SYN flag set.
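
An added example, not part of the original thread: a small parser that groups `net.inet.tcp.log_in_vain` entries by destination port and TCP flags, and marks which entries only appear at level 2 because they lack SYN. The kernel log line format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed kernel log format for log_in_vain TCP entries (not shown in the thread).
LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags:0x(?P<flags>[0-9a-fA-F]+)"
)

# TCP header flag bits, lowest bit first.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_flags(value):
    """Return the names of the TCP flags set in a flags byte."""
    return [name for bit, name in FLAG_BITS if value & bit]


def summarize(lines):
    """Count logged segments per (destination port, flag set, level).

    level is 1 when SYN is set (visible with log_in_vain=1) and 2 when the
    segment has no SYN and is therefore only logged with log_in_vain=2.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # UDP entries and unrelated log lines are skipped
        flags = decode_flags(int(m.group("flags"), 16))
        level = 1 if "SYN" in flags else 2
        counts[(int(m.group("dport")), "+".join(flags), level)] += 1
    return counts


# Constructed sample lines, not taken from the thread.
SAMPLE = """\
Nov 10 08:01:02 host kernel: Connection attempt to TCP 127.0.0.1:139 from 127.0.0.1:1045 flags:0x02
Nov 10 08:01:05 host kernel: Connection attempt to TCP 127.0.0.1:139 from 127.0.0.1:1045 flags:0x02
Nov 10 08:01:09 host kernel: Connection attempt to TCP 192.0.2.10:1046 from 192.0.2.20:445 flags:0x10
Nov 10 08:01:09 host kernel: Connection attempt to TCP 192.0.2.10:1047 from 192.0.2.20:80 flags:0x18
Nov 10 08:01:10 host kernel: Connection attempt to UDP 192.0.2.10:137 from 192.0.2.20:137
""".splitlines()

if __name__ == "__main__":
    for (port, flags, level), n in sorted(summarize(SAMPLE).items()):
        print(f"port {port:5d}  {flags:8s} x{n}  needs log_in_vain>={level}")
```

Entries marked as needing level 2 are the non-SYN segments arriving for connections this host no longer knows about, which is the case where blackhole=2 suppresses the RST the peer is waiting for.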

