From: "Joost Bekkers"
To: "Ivan Voras"
Cc: freebsd-net@freebsd.org
Date: Thu, 12 Mar 2009 17:50:51 +0100 (CET)
Subject: Re: IPFW and IPv6 TCP timeout problem
Message-ID: <2498.192.168.100.227.1236876651.squirrel@jodocus.org>
In-Reply-To: <49B92870.1090600@freebsd.org>
References: <29230.62.12.14.25.1236258269.squirrel@jodocus.org> <49B92870.1090600@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
On Thu, March 12, 2009 16:21, Ivan Voras wrote:
> Joost Bekkers wrote:
>> On Thu, March 5, 2009 12:30, Ivan Voras wrote:
>>> Hi,
>>>
>>> It appears that IPFW drops dynamic (state-keeping) rules for idle IPv6
>>> TCP connections after a short (60 seconds by default) timeout. This of
>>> course creates problems for services like SSH and NFS. I've contacted
>>> Luigi Rizzo about it but he cannot help with the IPv6 part of the ipfw.
>>> His guess is that the part that should send keepalive ACK packets like
>>> ipfw does for IPv4 is broken or nonexistent for IPv6.
>>>
>>> Any takers? Should I file a PR?
>>>
>>
>> You might want to check if kern/117234 is relevant here. I've got a
>> feeling this is the problem you're seeing.
>>
>> The PR includes a patch, it just needs somebody to commit it.
>
> I'm running a patched kernel now and it doesn't fix the issue - the
> dynamic rules continue to disappear after the timeout like before.
>
> Maybe the patch solves something else?

The patch solves a problem where dyn-rules for idle connections are dropped
after net.inet.ip.fw.dyn_ack_lifetime because the keep-alive packets aren't
being sent. Sounds suspiciously the same to me...

You did use the later patch in the PR and not max's, right? The first patch
in the PR sends keep-alives to the wrong port.

I'm assuming the timer does get reset whenever the connection is in use, so
if there is a response to a keep-alive that packet reaches check-state.

Can you do a tcpdump to see if keep-alives are being sent? They should
appear in the last 20 seconds of the dyn-rule timer.

Joost.
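A small diagnostic, added here and not part of the thread or of ipfw itself, that performs the tcpdump check Joost asks for: it parses `ipfw -d list` dynamic-rule lines and `tcpdump -n` output (both samples below are constructed, and the line formats are assumed from the tools' usual output) and reports, for each IPv6 TCP state inside the last-20-seconds keep-alive window, whether a zero-length ACK for its endpoints was actually seen on the wire.

```python
"""Correlate ipfw dynamic-rule lifetimes with captured packets to check whether
keep-alive ACKs are sent for idle IPv6 TCP states (added example, not from the thread)."""
import re

# Constructed sample of `ipfw -d list` dynamic-rule lines (format assumed).
IPFW_DYN = """\
00100 12 3456 (15s) STATE tcp 2001:db8::1 22 <-> 2001:db8::2 55000
00100 4 1200 (48s) STATE tcp 2001:db8::1 2049 <-> 2001:db8::3 820
00100 7 900 (8s) STATE tcp 2001:db8::1 22 <-> 2001:db8::4 40000
"""

# Constructed `tcpdump -n` lines: a zero-length pure ACK is what an ipfw
# keep-alive looks like on the wire (ipfw sends one to each endpoint).
TCPDUMP = """\
17:50:31.000001 IP6 2001:db8::1.22 > 2001:db8::2.55000: Flags [.], ack 1, win 65535, length 0
17:50:31.000002 IP6 2001:db8::2.55000 > 2001:db8::1.22: Flags [.], ack 1, win 65535, length 0
"""

DYN_RE = re.compile(r"\((\d+)s\) STATE tcp (\S+) (\d+) <-> (\S+) (\d+)")
PKT_RE = re.compile(r"IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[\.\].*length 0")
KEEPALIVE_WINDOW = 20  # ipfw emits keep-alives in the last 20s of dyn_ack_lifetime


def parse_dyn_rules(text):
    """Yield (label, remaining_seconds, endpoint-pair) for each dynamic TCP rule."""
    for m in DYN_RE.finditer(text):
        secs, src, sport, dst, dport = m.groups()
        pair = frozenset({(src, int(sport)), (dst, int(dport))})
        yield f"{src} {sport} <-> {dst} {dport}", int(secs), pair


def parse_keepalives(text):
    """Return the set of endpoint pairs that appear in zero-length ACK packets."""
    seen = set()
    for m in PKT_RE.finditer(text):
        src, sport, dst, dport = m.groups()
        seen.add(frozenset({(src, int(sport)), (dst, int(dport))}))
    return seen


def diagnose(dyn_text, pcap_text, window=KEEPALIVE_WINDOW):
    """Map each rule label to 'ok', 'missing' or 'not-yet-due'.

    'missing' means the rule is inside the keep-alive window but no keep-alive
    was captured for it, which is the symptom the thread discusses."""
    seen = parse_keepalives(pcap_text)
    report = {}
    for label, secs, pair in parse_dyn_rules(dyn_text):
        if secs > window:
            report[label] = "not-yet-due"
        else:
            report[label] = "ok" if pair in seen else "missing"
    return report


if __name__ == "__main__":
    for label, status in diagnose(IPFW_DYN, TCPDUMP).items():
        print(f"{status:12} {label}")
```

On a live system the two inputs would come from `ipfw -d list` and a `tcpdump -n -i <iface> ip6 and tcp` run during the final seconds of the rule's lifetime.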