
List:       ipfilter
Subject:    Re: so what does keep * do?
From:       Darren Reed <darrenr () cyber ! com ! au>
Date:       1996-10-29 4:54:30

In some mail I received from davidw@optimation.com.au, sie wrote
[...]
> We were using "keep state" for tcp but there seems to be a problem with
> extraneous FIN and RST packets being blocked at the end of a session.
> We've noticed this, for example, when using Netscape and have fetched
> some information.  Perhaps the first FIN or RST (from either end)
> throws away the state information, then subsequent FIN or RST packets
> (particularly from the opposite end) get blocked?

This is going to be just a matter of tuning, I think.  At the moment, if it
sees an RST packet go through, it assumes both ends are going to realise the
connection is closed and set a quick expiry on that state information.

For FIN packets, it checks to see that one comes from each direction (and
carries no data and doesn't have the PUSH flag set) it also sets the state
up for quick expiry.

How quick is too quick?  I don't know yet, and this is probably going to
be something that'll need tuning.  Hopefully it can be something a lot less
than 2 minutes (which is 2*FSM, the value required for connections going
through FIN_WAIT and CLOSE_WAIT states).

If you want to play with the values, look in ip_state.c.  Maybe these should
be adb'able too...

Darren
