From owner-freebsd-stable@FreeBSD.ORG  Fri May 30 16:43:30 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7F52B106566B
	for <freebsd-stable@freebsd.org>; Fri, 30 May 2008 16:43:30 +0000 (UTC)
	(envelope-from dillon@apollo.backplane.com)
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by mx1.freebsd.org (Postfix) with ESMTP id 001678FC0A
	for <freebsd-stable@freebsd.org>; Fri, 30 May 2008 16:43:29 +0000 (UTC)
	(envelope-from dillon@apollo.backplane.com)
Received: from apollo.backplane.com (localhost [127.0.0.1])
	by apollo.backplane.com (8.14.1/8.14.1) with ESMTP id m4UGhSK4033919;
	Fri, 30 May 2008 09:43:28 -0700 (PDT)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.14.1/8.13.4/Submit) id m4UGhSa0033918;
	Fri, 30 May 2008 09:43:28 -0700 (PDT)
Date: Fri, 30 May 2008 09:43:28 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <200805301643.m4UGhSa0033918@apollo.backplane.com>
To: Robert Blayzor <rblayzor.bulk@inoc.net>
References: <B42F9BDF-1E00-45FF-BD88-5A07B5B553DC@inoc.net>	<1A19ABA2-61CD-4D92-A08D-5D9650D69768@mac.com>	<23C02C8B-281A-4ABD-8144-3E25E36EDAB4@inoc.net>	<483DE2E0.90003@FreeBSD.org>	<B775700E-7494-42C1-A9B2-A600CE176ACB@inoc.net>	<483E36CE.3060400@FreeBSD.org>	<483E3C26.3060103@paradise.net.nz>	<483E4657.9060906@FreeBSD.org>	<483EA513.4070409@earthlink.net>	<96AFE8D3-7EAC-4A4A-8EFF-35A5DCEC6426@inoc.net>	<483EAED1.2050404@FreeBSD.org>	<200805291912.m4TJCG56025525@apollo.backplane.com>	<14DA211A-A9C5-483A-8CB9-886E5B19A840@inoc.net>	<200805291930.m4TJUeGX025815@apollo.backplane.com>	<0C827F66-09CE-476D-86E9-146AB255926B@inoc.net>	<200805292132.m4TLWhCv026720@apollo.backplane.com>	<CCBAEE3E-35A5-4BF8-A0B7-321272533B62@inoc.net>	<200805300055.m4U0tkqx027965@apollo.backplane.com>
	<EB975E1A-7995-4214-A2CC-AE2D789B19AB@inoc.net>
	<483F6F66.4050909@FreeBSD.org>
	<C1CC6D9D-6584-43BD-8675-021A0495FDA3@inoc.net>
Cc: Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: Sockets stuck in FIN_WAIT_1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 May 2008 16:43:30 -0000


:Yes, IPFW is running on the box.  Why not?
:
:-- 
:Robert Blayzor, BOFH
:INOC, LLC
:rblayzor@inoc.net
:http://www.inoc.net/~rblayzor/

    There's nothing wrong with running IPFW on the same box :-)

    But, I think that rule change is masking the problem rather then solving
    it.  The keep-state is limited.  The reason the number of dead connections
    isn't going up is probably because IPFW is either hitting its keep-state
    limit and dropping connections, or the connection becomes idle long 
    enough for IPFW to recycle the keep-state for it, also causing it to
    drop.

    Once the keep-state is lost that deny established rule will cause the
    connection to fail.

    I would be very careful with any type of ruleset (IPFW or PF) which
    relies on keep-state.  You can wind up causing legitimate connections
    to drop if it isn't carefully tuned.

    It might be a reasonable bandaid, though.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>