Hi everybody,

I have a question on using ipfilter "keep state" on Solaris 10.  I want to set
the TCP state timeout value to small values, e.g., 30 seconds.  I tried
/etc/system or ipf -T.  But I found that although I can change the ipf TCP timeout
values (as shown by ipf -T list), ipf still keeps some TCP state for a very long
time.  The following is an example:

# ipf -T list | grep tcp
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 40
fr_tcplastack   min 0x1 max 0x7fffffff  current 50
fr_tcptimeout   min 0x1 max 0x7fffffff  current 60
fr_tcpclosed    min 0x1 max 0x7fffffff  current 30
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 30

# ipfstat -sl
IBCF-linux1 -> hostname pass 0x40008502 pr 6 state 7/11 bkt 19433
        tag 0 ttl 60
        54798 -> 23 9e255c76:f124aab 5840<<0:49232<<0
        cmsk 0000 smsk 0000 isc 0 s0 9e255bdf/0f1249a4
        FWD:ISN inc 0 sumd 0
        REV:ISN inc 0 sumd 0
        forward: pkts in 70 bytes in 3798 pkts out 0 bytes out 0
        backward: pkts in 0 bytes in 0 pkts out 52 bytes out 2978
        pass in quick keep state        IPv4
        pkt_flags & 0(10000) = 1000,            pkt_options & ffffffff = 0, ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        is_flx 0x1 0 0 0x1
        interfaces: in bge0[bge0],-[] out -[],bge0[bge0]

=== this TCP state has been in 7/B state for a very long time (I think at least
10 hours); its ttl is just 60 seconds!

=== the system info is: 

# uname -a
SunOS hostname 5.10 Generic_118833-36 sun4u sparc SUNW,Sun-Fire-V240

# more /etc/release
                       Solaris 10 11/06 s10s_u3wos_10 SPARC
           Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 14 November 2006

Can somebody give me a hint as to why my TCP state never times out?

Thanks in advance

Eric
 
 
This message posted from opensolaris.org
_______________________________________________
networking-discuss mailing list