Date: Thu, 12 Mar 2009 17:50:51 +0100 (CET) From: "Joost Bekkers" <joost@jodocus.org> To: "Ivan Voras" <ivoras@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: IPFW and IPv6 TCP timeout problem Message-ID: <2498.192.168.100.227.1236876651.squirrel@jodocus.org> In-Reply-To: <49B92870.1090600@freebsd.org> References: <good54$65u$1@ger.gmane.org> <29230.62.12.14.25.1236258269.squirrel@jodocus.org> <49B92870.1090600@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, March 12, 2009 16:21, Ivan Voras wrote: > Joost Bekkers wrote: >> On Thu, March 5, 2009 12:30, Ivan Voras wrote: >>> Hi, >>> >>> It appears that IPFW drops dynamic (state-keeping) rules for idle IPv6 >>> TCP connections after a short (60 seconds by default) timeout. This of >>> course creates problems for services like SSH and NFS. I've contacted >>> Luigi Rizzo about it but he cannot help with the IPv6 part of the ipfw. >>> His guess is that the part that should send keepalive ACK packets like >>> ipfw does for IPv4 is broken or nonexistent for IPv6. >>> >>> Any takers? Should I file a PR? >>> >>> >> >> You might want to check if kern/117234 is relevant here. I've got a >> feeling this is the problem you're seeing. >> >> The PR includes a patch, it just needs somebody to commit it. > > I'm running a patched kernel now and it doesn't fix the issue - the > dynamic rules continue to disappear after the timeout like before. > > Maybe the patch solves something else? The patch solves a problem where dyn-rules for idle connections are dropped after net.inet.ip.fw.dyn_ack_lifetime because the keep-alive packets aren't being send. Sounds suspiciously the same to me... You did use the later patch in the pr and not max's, right? The first patch in the pr sends keep-alives to the wrong port. I'm assuming the timer does get reset whenever the connection is in use, so if there is a response to a keep-alive that packet reaches check-state. Can you do a tcpdump to see if keep-alives are being sent. They should appear in the last 20 seconds of the dyn-rule timer. Joost.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2498.192.168.100.227.1236876651.squirrel>