From: Luigi Rizzo <rizzo@icir.org>
To: Ivan Voras <ivoras@fer.hr>
Cc: freebsd-net@freebsd.org
Date: Sun, 15 Apr 2007 15:54:02 -0700
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <20070415155402.A40022@xorpc.icir.org>
In-Reply-To: <4622A227.9090003@fer.hr>
References: <20070415145621.B39338@xorpc.icir.org> <4622A227.9090003@fer.hr>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
>
> > yes the numbers should be the expire time for the rule.
>
> So, the total time the connection was active or the time the connection
> had some traffic through it?

it is the expire time (i.e. how many seconds from now the rule will be
deleted). It should normally be the preset timeout (300 as a default for
active sessions) minus the time for which the connection has been idle.

> Hmm. There are several dynamic rules with large expire times - could it
> mean that a lot of clients are not properly closing the connection?

yes, i believe so.

> If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15
> seconds), will it interfere with long-lasting downloads or slow clients?

this is related to the way TCP handles retransmissions, and i don't want
to write a long explanation here. But if you make it shorter than the TCP
retransmission timeout (which can be as large as 1 minute in some cases)
you risk your connection being dropped in case of a packet loss or two.

> Would it do anything to the server application? (e.g. close its side of
> the connection so the application doesn't keep the socket open for such
> a long time)

in terms of tcp, on the server you would need to send a FIN (to signal
"no more data from me") followed by a RST (to signal "i am not listening
anymore"). Maybe a shutdown(s, SHUT_RDWR) can do the job; probably just
close() is not enough. But i am not 100% sure.

cheers
luigi
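The arithmetic Luigi describes (expire time = preset lifetime minus idle time) is easy to apply to real `ipfw -d list` output. The following is an added example, not code from the thread or from FreeBSD: it parses the "## Dynamic rules" section of a constructed `ipfw -d list` listing, derives how long each established session has been idle, flags sessions idle beyond a chosen threshold, and sanity-checks a proposed `net.inet.ip.fw.dyn_ack_lifetime` against the roughly one-minute TCP retransmission bound mentioned above. The sample listing, the 300-second default, the 60-second floor and the 240-second idle threshold are assumptions for illustration; the counter columns follow the usual `ipfw -d list` layout (rule number, packet count, byte count, "(Ns)", STATE, proto, src port <-> dst port).

```python
import re

# Assumed default lifetime of an established (ACK-seen) TCP dynamic rule,
# i.e. net.inet.ip.fw.dyn_ack_lifetime, as stated in the thread (300 s).
DEFAULT_ACK_LIFETIME = 300

# Assumed floor for dyn_ack_lifetime: the thread notes the TCP retransmission
# timeout can reach about a minute, so anything shorter risks dropping a
# connection that merely lost a packet or two.
MIN_SAFE_ACK_LIFETIME = 60

# Constructed sample of `ipfw -d list` output (not captured from a real host).
SAMPLE_IPFW_D_LIST = """\
00100 allow ip from any to any via lo0
00200 check-state
00300 allow tcp from any to me 80 setup keep-state
65535 deny ip from any to any
## Dynamic rules (4):
00300      812   1143920 (299s) STATE tcp 10.1.2.3 51234 <-> 192.0.2.10 80
00300       40      5120 (120s) STATE tcp 10.1.2.4 40001 <-> 192.0.2.10 80
00300        3       180 (10s) STATE tcp 10.1.2.5 40002 <-> 192.0.2.10 80
00300      200     99999 (285s) STATE tcp 10.1.2.6 40003 <-> 192.0.2.10 80
"""

# One dynamic-rule line: rule, pkts, bytes, (expire s), STATE, proto, src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


def parse_dynamic_rules(listing):
    """Return the dynamic rules from `ipfw -d list` output as a list of dicts."""
    rules = []
    in_dynamic = False
    for line in listing.splitlines():
        if line.startswith("## Dynamic rules"):
            in_dynamic = True
            continue
        if not in_dynamic:
            continue  # static rules precede the dynamic section; skip them
        m = DYN_RE.match(line)
        if m is None:
            continue
        r = m.groupdict()
        for k in ("pkts", "bytes", "expire", "sport", "dport"):
            r[k] = int(r[k])
        rules.append(r)
    return rules


def idle_seconds(rule, lifetime=DEFAULT_ACK_LIFETIME):
    """Seconds since the rule last saw a packet: lifetime minus remaining expire time.

    The expire counter is reset to `lifetime` on every matching packet and
    counts down from there, so a small expire value means a long-idle session.
    """
    return max(0, lifetime - rule["expire"])


def stale_sessions(rules, idle_threshold=240, lifetime=DEFAULT_ACK_LIFETIME):
    """Rules whose peer has been silent for at least `idle_threshold` seconds."""
    return [r for r in rules if idle_seconds(r, lifetime) >= idle_threshold]


def check_ack_lifetime(value, floor=MIN_SAFE_ACK_LIFETIME):
    """True if a proposed dyn_ack_lifetime is not below the retransmission floor."""
    return value >= floor


if __name__ == "__main__":
    dyn = parse_dynamic_rules(SAMPLE_IPFW_D_LIST)
    for r in dyn:
        print("%s:%d -> %s:%d idle %3ds (expire %3ds)" % (
            r["src"], r["sport"], r["dst"], r["dport"], idle_seconds(r), r["expire"]))
    print("stale:", [r["src"] for r in stale_sessions(dyn)])
    print("dyn_ack_lifetime=15 safe?", check_ack_lifetime(15))
```

On a live FreeBSD host the listing would come from `ipfw -d list` and the lifetime from `sysctl -n net.inet.ip.fw.dyn_ack_lifetime`; the threshold is a local policy choice, and the 60-second floor is a rule of thumb taken from the thread rather than a value the kernel enforces.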