-----Original Message-----
From: Arjan de Vet [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 12:26
To: Frank Volf
Cc: IP Filter
Subject: Re: TCP age for not fully established connections
In article <[EMAIL PROTECTED]> you write:
>Hi,
>
>I often experience problems with connections in my state table that are
>in 2/4 "state" (one side fully established, the other side, not yet). The
What types of connections are these? A misbehaving OS?
Yes, the 2/4 are misbehaving, but the problem also occurs with 4/0 without 'flags S'
[removed]
Some years ago I proposed the code that is now unused between #ifdef
#endif in my own CVS tree:
@@ -1835,6 +1848,15 @@
*/
if (!fsm && (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
/* we saw an A, guess 'dir' is in ESTABLISHED mode */
+#ifdef ADV
+ state[dir] = TCPS_ESTABLISHED;
+ if (ostate >= TCPS_ESTABLISHED)
+ /*
+ * only when the other side is ESTABLISHED
+ * already, increase timeout
+ */
+ *age = fr_tcpidletimeout;
+#endif
if (state[1 - dir] == TCPS_CLOSED ||
state[1 - dir] == TCPS_ESTABLISHED) {
state[dir] = TCPS_ESTABLISHED;
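Review bot: the `if (ostate >= TCPS_ESTABLISHED)` test inside the `#ifdef ADV` block uses `>=`, so it also matches the half-closed states above ESTABLISHED and grants the long idle timeout to an entry whose peer has already moved past ESTABLISHED; the discussion around this hunk asks for an `ostate == ...` check, which would be the consistent form. Also, when the condition is false the block assigns no `*age` at all, so the entry silently keeps whatever age it already carried; an explicit `else *age = fr_tcptimeout;` (or the half-closed value) would make the chosen lifetime visible. Minor: `state[dir] = TCPS_ESTABLISHED;` is set unconditionally in the ADV block and then again in the unchanged `if` right below it, so one of the two assignments is redundant.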
I think the lower fr_tcptimeout value should only be set when the other
side is not TCPS_ESTABLISHED yet. So I suggest adding an 'if (ostate ==
...)' clause here as is done in the other parts of your proposed patch.
Seems a logical thing to do: added!
B.t.w., I don't see this piece of 'official' ipfilter code:
if (state[1 - dir] == TCPS_CLOSED ||
state[1 - dir] == TCPS_ESTABLISHED) {
state[dir] = TCPS_ESTABLISHED;
in your code before the 'TODO: besides regular ACK packets' comment.
I did not say that the diff was generated with a recent version of IP Filter :-)
>@@ -1707,7 +1709,15 @@
> * which it received, SYN_SENT -> ESTABLISHED
> */
> state[dir] = TCPS_ESTABLISHED;
>- *age = fr_tcpidletimeout;
>+ /* Use a long (5 day) timeout only if both sides
>+ * are in established mode. This fixes long
>+ * living states in 2/4 mode
>+ */
>+ if (ostate == TCPS_ESTABLISHED) {
>+ *age = fr_tcpidletimeout;
>+ } else {
>+ *age = fr_tcptimeout;
>+ }
> } else if (flags & TH_FIN) {
> /*
> * We see an F from 'dir' which is in SYN_SENT
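Review bot: the `else` arm treats every `ostate` other than TCPS_ESTABLISHED alike, so the 4/3 case discussed below (only the three handshake packets exchanged, the other side still in TCPS_SYN_RECEIVED) receives the same short `fr_tcptimeout` as a genuinely unsynchronised 2/4 or 4/0 entry. Suggest a separate `else if (ostate == TCPS_SYN_RECEIVED)` arm that assigns the half-closed timeout, keeping `fr_tcptimeout` for the remaining states. Minor style point: the new comment opens with text on the `/*` line, whereas the surrounding blocks use a bare `/*` followed by ` *` lines.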
This will cause problems for connections in 4/3 state; that's the state
of a TCP connection where only the three handshake packets have been
sent. Such 'silent' but fully established TCP connections will now be
terminated in fr_tcptimeout time. If five days is indeed undesirable for
such connections I would suggest the same timeout as used for
half-closed connections (2 hours by default).
Agreed, although I wonder what the use of such connection would be.
Thanks,
Frank
