Date:      Sun, 15 Apr 2007 15:54:02 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Ivan Voras <ivoras@fer.hr>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Understanding ipfw keep-state dynamic rules
Message-ID:  <20070415155402.A40022@xorpc.icir.org>
In-Reply-To: <4622A227.9090003@fer.hr>; from ivoras@fer.hr on Mon, Apr 16, 2007 at 12:07:35AM +0200
References:  <evu1b2$c29$1@sea.gmane.org> <20070415145621.B39338@xorpc.icir.org> <4622A227.9090003@fer.hr>

On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
> 
> > yes the numbers should be the expire time for the rule.
> 
> So, the total time the connection was active or the time the connection
> had some traffic through it?

it is the expire time (i.e. how many seconds from now the rule
will be deleted). It should normally be the preset timeout
(300 as a default for active sessions) minus the time for which
the connection has been idle.

> Hmm. There are several dynamic rules with large expire times - could it
> mean that a lot of clients are not properly closing the connection?

yes, i believe so.

> If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15
> seconds), will it interfere with long-lasting downloads or slow clients?

this is related to the way TCP handles retransmissions, and i don't
want to write a long explanation here. But if you make it shorter
than the TCP retransmission timeout (which can be as large as 1
minute in some cases) you risk having your connection dropped in
case of a packet loss or two.

> Would it do anything to the server application? (e.g. close its side of
> the connection so the application doesn't keep the socket open for such
> a long time)

in terms of tcp, on the server you would need to send a FIN
(to signal "no more data from me") followed by a RST (to signal
"i am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR)
can do the job, probably just close() is not enough.
But i am not 100% sure.

cheers
luigi
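As an added illustration of the arithmetic Luigi describes (expire time = preset lifetime minus idle time, with 300 s as the default for net.inet.ip.fw.dyn_ack_lifetime, and a lifetime shorter than TCP's retransmission timeout being risky), here is a small script that parses the dynamic-rule section of `ipfw -d show` output and reports how long each state entry has been idle. This is example code written for this page, not code from the thread or from FreeBSD; the sample output is constructed, and the exact column layout of the dynamic-rule lines, the 300 s default and the 60 s retransmission-timeout bound are assumptions taken from the message above.

```python
import re
from dataclasses import dataclass
from typing import List

# Default lifetime quoted in the thread: net.inet.ip.fw.dyn_ack_lifetime = 300 s.
DEFAULT_ACK_LIFETIME = 300
# Upper bound on TCP's retransmission timeout quoted in the thread ("as large as 1 minute").
MAX_TCP_RTO = 60

# Constructed sample, not captured from a real machine.  The layout imitates the
# dynamic-rule section of `ipfw -d show`; the exact column format is an assumption.
SAMPLE_IPFW_D_SHOW = """\
## Dynamic rules (4):
00100     12     1840 (298s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.7 80
00100      8      620 (299s) STATE tcp 192.0.2.11 40001 <-> 198.51.100.7 80
00100      3      180 (40s) STATE tcp 192.0.2.12 33333 <-> 198.51.100.7 80
00100      1       60 (5s) STATE tcp 192.0.2.13 22222 <-> 198.51.100.7 22
"""

# One dynamic-rule line: rule pkts bytes (expire s) STATE proto src sport <-> dst dport
DYN_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+\((?P<expire>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


@dataclass
class DynRule:
    rule: int
    pkts: int
    nbytes: int
    expire: int   # seconds until ipfw deletes this entry
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_dynamic_rules(text: str) -> List[DynRule]:
    """Parse dynamic-rule lines; the '## Dynamic rules' header and any
    non-matching line are skipped."""
    rules = []
    for line in text.splitlines():
        m = DYN_LINE.match(line.strip())
        if not m:
            continue
        rules.append(DynRule(
            rule=int(m["rule"]), pkts=int(m["pkts"]), nbytes=int(m["nbytes"]),
            expire=int(m["expire"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ))
    return rules


def idle_seconds(rule: DynRule, lifetime: int = DEFAULT_ACK_LIFETIME) -> int:
    """expire = lifetime - idle, so idle = lifetime - expire.  Clamped at 0 in
    case the sysctl was lowered after the entry was created."""
    return max(0, lifetime - rule.expire)


def suspect_abandoned(rules: List[DynRule], min_idle: int,
                      lifetime: int = DEFAULT_ACK_LIFETIME) -> List[DynRule]:
    """Entries idle for at least min_idle seconds: candidates for peers that
    never finished closing the connection."""
    return [r for r in rules if idle_seconds(r, lifetime) >= min_idle]


def ack_lifetime_is_safe(proposed: int, max_rto: int = MAX_TCP_RTO) -> bool:
    """A dyn_ack_lifetime shorter than TCP's retransmission timeout risks
    dropping a live connection after a packet loss or two."""
    return proposed >= max_rto


if __name__ == "__main__":
    rules = parse_dynamic_rules(SAMPLE_IPFW_D_SHOW)
    for r in rules:
        print(f"{r.src}:{r.sport} <-> {r.dst}:{r.dport} "
              f"expire={r.expire}s idle={idle_seconds(r)}s")
    for r in suspect_abandoned(rules, min_idle=200):
        print("possibly abandoned:", r.src, r.sport)
    for candidate in (15, 60, 300):
        verdict = "ok" if ack_lifetime_is_safe(candidate) else "below RTO bound"
        print(f"dyn_ack_lifetime={candidate}: {verdict}")
```

On a real system you would feed it the output of `ipfw -d show` and set `lifetime` to whatever `sysctl net.inet.ip.fw.dyn_ack_lifetime` reports; an entry whose expire value is close to the lifetime has seen traffic recently, while one whose expire value is small has been idle for most of the lifetime and is about to be deleted.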


