Date: Thu, 11 Feb 2021 07:19:25 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Andriy Gapon <avg@freebsd.org>
Cc: "freebsd-net@freebsd.org" <net@freebsd.org>, "Andrey V. Elsukov" <ae@freebsd.org>
Subject: Re: ipfw stateful rules and quick port re-use
Message-ID: <CAHu1Y72F4tnB-y3mDxj2Hi_ALrrUC_1zK-ERKMypCL0mBDA2eg@mail.gmail.com>
In-Reply-To: <5ccab312-085c-b764-97c9-4c2bc846cd22@FreeBSD.org>
References: <5ccab312-085c-b764-97c9-4c2bc846cd22@FreeBSD.org>
Check the values of these sysctl MIBs:

net.inet.ip.fw.dyn_keep_states
net.inet.ip.fw.dyn_keepalive
net.inet.ip.fw.dyn_short_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_ack_lifetime

On Thu, Feb 11, 2021 at 7:09 AM Andriy Gapon <avg@freebsd.org> wrote:
>
> Recently we encountered an interesting issue at work.
> By accident our software started to quickly re-use a source TCP port when
> connecting to a remote system. That is, after a graceful shutdown of a
> connection (two FINs, etc), the software would quickly establish an identical
> connection by re-using the same local port and connecting to the same remote
> end-point.
>
> That did not work well for the application :)
> We saw problems where packets from the second connection would be dropped by
> ipfw. That happened because there would be no dynamic rule to let the packets
> through even though the first connection worked without any issues.
>
> From a quick glance at the code it seems that the TCP protocol state kept by
> ipfw for dynamic rules is "append-only". That is, bits can be set in it but
> never cleared. So, when the first connection is closed the dynamic has "both
> syn" and "both fin" bits. When the second connection is established before the
> rule is expired, the rule is re-used for it, but its state remains the same.
> And its expiry time remains dyn_fin_lifetime. I think that that opens a race
> between the expiry timer (running every second) and the connection's packets
> given the short lifetime.
>
> Maybe I misanalyzed the situation and it's probably very rare.
> But still it's a valid use of TCP, so maybe ipfw could support it better (e.g.,
> by detecting "syn" after "both fin").
>
> --
> Andriy Gapon

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
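The append-only state bits and the lifetime race described in the quoted post, as an added toy model that is not ipfw's code: the lifetime values are constructed stand-ins for the dyn_*_lifetime sysctls listed above, and the bit layout and lifetime selection are assumptions made for illustration only.

```python
from dataclasses import dataclass

# Toy model of the per-rule TCP state the thread describes: one bit per
# observed flag/direction, only ever OR-ed in.  Not ipfw's own code.
SYN_FWD, SYN_REV, FIN_FWD, FIN_REV = 1, 2, 4, 8
BOTH_SYN = SYN_FWD | SYN_REV
BOTH_FIN = FIN_FWD | FIN_REV

# Constructed lifetimes in seconds, standing in for the
# net.inet.ip.fw.dyn_{syn,ack,fin}_lifetime sysctls on a real system.
LIFETIME = {"syn": 20, "ack": 300, "fin": 1}

@dataclass
class DynRule:
    state: int = 0   # bitmask of the flags above
    expire: int = 0  # absolute time after which the expiry timer drops the rule

def lifetime_for(state: int) -> int:
    """Closed connections get the shortest lifetime, handshakes a medium one."""
    if state & BOTH_FIN == BOTH_FIN:
        return LIFETIME["fin"]
    if state & BOTH_SYN == BOTH_SYN:
        return LIFETIME["ack"]
    return LIFETIME["syn"]

def handle(rule: DynRule, flag: int, now: int, reset_on_syn: bool = False) -> DynRule:
    """Record a packet's flag and refresh the expiry.
    reset_on_syn=False keeps the bits append-only (the behaviour described in the
    thread); True starts over when a SYN arrives after both FINs, as the post suggests."""
    if reset_on_syn and flag & BOTH_SYN and rule.state & BOTH_FIN == BOTH_FIN:
        rule.state = 0
    rule.state |= flag
    rule.expire = now + lifetime_for(rule.state)
    return rule

def matches(rule: DynRule, now: int) -> bool:
    """A packet is only let through while the rule has not expired."""
    return now < rule.expire

def port_reuse_scenario(reset_on_syn: bool, reply_delay: int = 2):
    """Graceful close, then an identical connection reusing the same local port.
    Returns (lifetime granted to the reused rule, whether the peer's SYN-ACK
    arriving reply_delay seconds later is still matched)."""
    rule, t = DynRule(), 0
    for flag in (SYN_FWD, SYN_REV, FIN_FWD, FIN_REV):  # first connection, 1s apart
        handle(rule, flag, t, reset_on_syn)
        t += 1
    handle(rule, SYN_FWD, t, reset_on_syn)            # second connection's SYN
    return rule.expire - t, matches(rule, t + reply_delay)
```

With append-only bits the reused rule keeps the one-second "fin" lifetime, so the peer's reply two seconds later finds no rule; resetting on SYN after both FINs gives it the handshake lifetime again.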