From owner-freebsd-ipfw@FreeBSD.ORG Wed May 28 01:32:52 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 00E3F37B405; Wed, 28 May 2003 01:32:51 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18AEC43F75; Wed, 28 May 2003 01:32:51 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h4S8WoQg039397; Wed, 28 May 2003 01:32:50 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h4S8WoBZ039396; Wed, 28 May 2003 01:32:50 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 28 May 2003 01:32:50 -0700
From: Luigi Rizzo
To: Gregory Neil Shapiro
Message-ID: <20030528013250.A30254@xorpc.icir.org>
References: <20030527225040.GV13285@horsey.gshapiro.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030527225040.GV13285@horsey.gshapiro.net>; from gshapiro@freebsd.org on Tue, May 27, 2003 at 03:50:40PM -0700
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW V2 dynamic keepalives broken
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 28 May 2003 08:32:52 -0000

i imagine the following happens:

+ the client does not properly close the connection;

+ when a keepalive is sent (every 5 minutes), the server's TCP responds
  (thus refreshing the rule), and the TCP timeout is reset so it stays
  in the FIN_WAIT[2] state for another cycle, whereas the client does
  not bother to send back a RST (which would cause the timeout for the
  dynamic rule to go down to very low values).
This would explain why the phenomenon is relatively rare (500 entries
in 5 days). Maybe i should change the logic in the dynamic rules so
that further keepalives are not sent unless a reply has been received
from both sides.

On Tue, May 27, 2003 at 03:50:40PM -0700, Gregory Neil Shapiro wrote:
> Since enabling IPFW V2 on RELENG_4, I've had a fairly busy web/ftp
> server run out of dynamic buckets for new rules. Stopping the web/ftp
...
> I discovered however that it is somehow dyn_keepalives that is causing
> the problem. If I turn them off, things return to normal:
>
> # sysctl net.inet.ip.fw.dyn_keepalive=0
> net.inet.ip.fw.dyn_keepalive: 1 -> 0
> (wait a few seconds)

how "few" seconds ? I suppose in the order of 300 or so, enough to let
the local session expire ?

cheers
luigi

> # netstat -anf inet | grep FIN_WAIT | wc -l
> 16
>
> Here is a snapshot of how things looked before disabling dyn_keepalive:
>
> # sysctl -a | grep net.inet.ip.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 497
> net.inet.ip.fw.dyn_max: 2000
> net.inet.ip.fw.static_count: 65
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 60
> net.inet.ip.fw.dyn_keepalive: 1
>
> Any ideas? Could enabling dyn_keepalives prevent the FIN_WAIT* process
> from completing?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
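A toy model of the expiry behaviour Luigi describes in the reply above, added here as an illustration; it is not ipfw source and not code from either author. It assumes keepalives go out exactly at the rule's expiry deadline and uses the dyn_ack_lifetime and dyn_rst_lifetime values from Gregory's sysctl snapshot, and it contrasts the current "any reply refreshes" logic with the "both sides must reply" change Luigi floats.

```python
"""Toy model of ipfw dynamic-rule expiry with keepalives (constructed, not ipfw code)."""
from dataclasses import dataclass

DYN_ACK_LIFETIME = 300   # sysctl dyn_ack_lifetime: lifetime after a valid ACK
DYN_RST_LIFETIME = 1     # sysctl dyn_rst_lifetime: a RST collapses the lifetime
DAY = 24 * 3600


@dataclass
class Endpoint:
    """How one side of a half-dead connection answers a keepalive ACK."""
    acks: bool = False   # socket still exists (e.g. FIN_WAIT_2): replies with an ACK
    rsts: bool = False   # socket is gone: replies with a RST


def simulate(client, server, horizon, require_both=False):
    """Advance one dynamic rule until it dies or `horizon` seconds pass.

    Returns the expiry time in seconds, or None if the rule is still alive.
    `require_both` models the proposed change: keep refreshing the rule only
    while *both* endpoints answer the keepalives.
    Simplification: keepalives are sent right at the expiry deadline.
    """
    expire = DYN_ACK_LIFETIME          # rule created by the last real ACK at t=0
    while True:
        now = expire                   # nothing else flows; next event is the deadline
        if now > horizon:
            return None
        if client.rsts or server.rsts:
            return now + DYN_RST_LIFETIME      # RST seen: rule gets 1 s and dies
        answered = {n for n, ep in (("client", client), ("server", server)) if ep.acks}
        if not answered:
            return now                 # nobody replied: rule simply expires
        if require_both and answered != {"client", "server"}:
            return now                 # proposed logic: one-sided reply does not refresh
        expire = now + DYN_ACK_LIFETIME        # current logic: any ACK refreshes


def scenarios():
    """The cases from the thread, over the 5-day window Gregory observed."""
    horizon = 5 * DAY
    silent_client = Endpoint()              # vanished without FIN/RST, never answers
    live_server = Endpoint(acks=True)       # FIN_WAIT_2 socket keeps ACKing
    reset_client = Endpoint(rsts=True)      # well-behaved stack: RST for a dead socket
    return {
        "silent client, current logic": simulate(silent_client, live_server, horizon),
        "silent client, require_both": simulate(silent_client, live_server, horizon, True),
        "client answers with RST": simulate(reset_client, live_server, horizon),
    }
```

In the first scenario the rule is refreshed every 300 s and never leaves the table, which is how a handful of such sessions accumulate toward dyn_max over days; under the two-sided check it expires at the first deadline.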