From: Robert Blayzor
To: Doug Barton
Cc: freebsd-stable@freebsd.org
Subject: Re: Sockets stuck in FIN_WAIT_1
Date: Fri, 30 May 2008 15:30:49 -0400

On May 30, 2008, at 3:17 PM, Doug Barton wrote:

> I'm not sure why, but I sense hostility on your part. I'm not sure
> why, since that is an odd reaction to someone who is trying to help
> you. If I'm wrong about that, never mind.

I'm not being hostile, geez. ;)  I simply asked "why not"? Plenty of people do it, and with good reason. It's always been effective. If this is some sort of an IPFW load issue, then surely I concede your point to use an external firewall, which I can do with basic external router ACLs.

> A basic rule of system administration is to have a good reason for
> everything you do. If you have some kind of need for a firewall on
> your web server, that's fine. Personally I prefer not to run
> firewalls on application servers, but TIMTOWTDI.

Of course, but every situation is different. In this case, an external firewall is not available and the application doesn't really require it, so simple IPFW rules are sufficient.

> The real crux of my question (which you did not answer) is, does the
> problem go away if you take IPFW completely out of the equation? If
> the answer to that is yes, it greatly narrows the focus of the
> investigation.

No, turning IPFW off does not make the problem go away. I originally thought of this when the issue came up. I've tried with and without both the http accept filter and IPFW.

> I think that the theories that have been proposed by others that the
> FIN_WAITs are a symptom of a problem in the clients is not only
> possible, it's likely. I'm just not sure it's the complete story.

I'm thinking it probably is bad client behavior. I'm leaning toward all of the freshclam clients not handling a network error correctly. It's quite possible that when something in the connection fouls up the client, it just behaves badly. I don't know much about how freshclam uses sockets; I'm trying to figure that out now (if they use some native code, http library, etc.). It might not even be that at all, but it's a good starting point.

The other half of the story, however, is that if it's that easy to hose up TCP sockets on a server, that's a bigger problem IMHO. :-/

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/