From owner-freebsd-net@freebsd.org Thu Feb 11 15:20:03 2021
From: Michael Sierchio
Date: Thu, 11 Feb 2021 07:19:25 -0800
Subject: Re: ipfw stateful rules and quick port re-use
To: Andriy Gapon
Cc: "freebsd-net@freebsd.org", "Andrey V. Elsukov"
In-Reply-To: <5ccab312-085c-b764-97c9-4c2bc846cd22@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

Check the values of these sysctl MIBs:

net.inet.ip.fw.dyn_keep_states
net.inet.ip.fw.dyn_keepalive
net.inet.ip.fw.dyn_short_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_ack_lifetime

On Thu, Feb 11, 2021 at 7:09 AM Andriy Gapon wrote:
>
> Recently we encountered an interesting issue at work.
> By accident our software started to quickly re-use a source TCP port when
> connecting to a remote system. That is, after a graceful shutdown of a
> connection (two FINs, etc), the software would quickly establish an identical
> connection by re-using the same local port and connecting to the same remote
> end-point.
>
> That did not work well for the application :)
> We saw problems where packets from the second connection would be dropped by
> ipfw. That happened because there would be no dynamic rule to let the packets
> through even though the first connection worked without any issues.
>
> From a quick glance at the code it seems that the TCP protocol state kept by
> ipfw for dynamic rules is "append-only". That is, bits can be set in it but
> never cleared. So, when the first connection is closed the dynamic has "both
> syn" and "both fin" bits. When the second connection is established before the
> rule is expired, the rule is re-used for it, but its state remains the same.
> And its expiry time remains dyn_fin_lifetime. I think that that opens a race
> between the expiry timer (running every second) and the connection's packets
> given the short lifetime.
>
> Maybe I misanalyzed the situation and it's probably very rare.
> But still it's a valid use of TCP, so maybe ipfw could support it better (e.g.,
> by detecting "syn" after "both fin").
>
> --
> Andriy Gapon
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata
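A small Python model of the append-only dynamic-rule state Andriy describes, added here as an illustration and not code from ipfw or from either poster. It tracks SYN/FIN/RST bits per direction, picks a lifetime named after the sysctl MIBs in the reply, and contrasts the append-only behaviour with a variant that resets the state when a SYN arrives after both FINs; the flag-to-lifetime mapping and the default seconds are assumptions, not values taken from the thread.

```python
TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04   # TCP flag bits the model tracks
BOTH_SYN = TH_SYN | (TH_SYN << 8)            # SYN seen in both directions
BOTH_FIN = TH_FIN | (TH_FIN << 8)            # FIN seen in both directions

# Lifetimes keyed by the sysctl names from the reply; the seconds are the
# FreeBSD defaults as assumed here, not values stated in the thread.
LIFETIME_SECONDS = {"dyn_syn_lifetime": 20, "dyn_ack_lifetime": 300,
                    "dyn_fin_lifetime": 1, "dyn_rst_lifetime": 1}

def lifetime_for(state):
    """Map the accumulated flag state to the lifetime that would be applied."""
    if state == TH_SYN:                                   # opening
        return "dyn_syn_lifetime"
    if state in (BOTH_SYN, BOTH_SYN | TH_FIN, BOTH_SYN | (TH_FIN << 8)):
        return "dyn_ack_lifetime"                         # established or half-closed
    if state == BOTH_SYN | BOTH_FIN:                      # closed in both directions
        return "dyn_fin_lifetime"
    return "dyn_rst_lifetime"                             # RST or unexpected combination

def update(state, flags, forward, reset_on_new_syn=False):
    """Fold one packet's SYN/FIN/RST bits into the rule state.

    Forward-direction flags live in the low byte, reverse in the high byte.
    reset_on_new_syn=False keeps the state append-only, as the thread
    describes; True starts over when a SYN arrives after both FINs.
    """
    if reset_on_new_syn and flags & TH_SYN and (state & BOTH_FIN) == BOTH_FIN:
        state = 0
    return state | (flags if forward else flags << 8)

def replay(packets, reset_on_new_syn=False):
    """Run a (flags, forward) packet list; return (state, lifetime, seconds)."""
    state = 0
    for flags, forward in packets:
        state = update(state, flags, forward, reset_on_new_syn)
    name = lifetime_for(state)
    return state, name, LIFETIME_SECONDS[name]

# Constructed trace: handshake, graceful close in both directions, then the
# same 4-tuple immediately reopened while the old dynamic rule still exists.
TRACE = [(TH_SYN, True), (TH_SYN, False), (TH_FIN, True), (TH_FIN, False),
         (TH_SYN, True), (TH_SYN, False)]

if __name__ == "__main__":
    for reset in (False, True):
        state, name, secs = replay(TRACE, reset)
        print(f"reset_on_new_syn={reset}: state=0x{state:04x} -> {name} ({secs}s)")
```

With the append-only state the reopened connection is still governed by the one-second dyn_fin_lifetime, which is the window against the per-second expiry timer that the original message points at.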