pf(4) using inappropriate timeout values, 6.2-R
Daniel Hartmeier
daniel at benzedrine.cx
Tue Nov 20 02:25:21 PST 2007
The specific change in the OpenBSD tree was
Revision 1.494
Mon Jul 4 08:28:04 2005 UTC (2 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.493: +3 -3 lines
restrict the tcp.finwait timeout (45s) to state combinations where we have
seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s)
for half closed connections. otherwise half closed connections will time out
within 45s. ok dhartmei, henning.
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.493&r2=1.494&f=h
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.493
retrieving revision 1.494
diff -u -r1.493 -r1.494
--- pf.c 13 Jun 2005 20:17:25 -0000 1.493
+++ pf.c 4 Jul 2005 08:28:04 -0000 1.494
@@ -4273,8 +4273,8 @@
if (src->state >= TCPS_FIN_WAIT_2 &&
dst->state >= TCPS_FIN_WAIT_2)
(*state)->timeout = PFTM_TCP_CLOSED;
- else if (src->state >= TCPS_FIN_WAIT_2 ||
- dst->state >= TCPS_FIN_WAIT_2)
+ else if (src->state >= TCPS_CLOSING &&
+ dst->state >= TCPS_CLOSING)
(*state)->timeout = PFTM_TCP_FIN_WAIT;
else if (src->state < TCPS_ESTABLISHED ||
dst->state < TCPS_ESTABLISHED)
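Review bot: the replaced `else if` silently depends on the ordering of the TCPS_* constants (TCPS_CLOSING sorting below TCPS_FIN_WAIT_2) and on pf bumping a peer to TCPS_CLOSING when it sees that peer's FIN, so `src->state >= TCPS_CLOSING && dst->state >= TCPS_CLOSING` reads as "FIN seen from both sides, ACKed or not" only to someone who knows both facts; a one-line comment above the branch stating that intent, as the commit message already does, would keep the next reader from misreading it as a typo for the `||` it replaces. With the old `||`, one FIN was enough to put the state on the 45s PFTM_TCP_FIN_WAIT timer, which is exactly the half-closed timeout the commit message describes; with the new `&&`, a half-closed connection falls through to the later branches and keeps the longer timeout, which matches the stated intent.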
Daniel