Description
Since 125014-02 ipf sometimes blocks internal pkts which should pass.
During this problem, 'ipfilter -T list' doesn't show a lack of resources.
The state table remains at max 3% occupied.
After a backout of 125014-02, the problem was resolved.
"ipf sometimes blocks internal pkts which should pass" is an inherently bad CR description. In fact it is the same kind of statement as saying "my car does not start sometimes". It is impossible to figure out a cause from such a short description, since it covers many possible causes. I'm going to change it to reflect the fix, which will be provided. New description: "IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients can't reconnect". I agree no one would have figured out that statement
at the time of filing that bug. IMHO it is not good practice to keep such generic records; one must see at a glance in the synopsis what's going on.
The IPF state filter blocks SYN packets for a given connection once it is established.
This state lasts until the connection is properly closed or times out. There are some clients which improperly reuse the source port in TIME_WAIT state to reconnect to the service again (imagine a web browser which would use the same source port for every request). Those clients are not able to reconnect through IPF, since IPF keeps the connection state and drops all SYN packets for the connection until it reaches CLOSED state.
The fix works as follows: once IPF sees a SYN packet for a connection which is not in ESTABLISHED state, it moves the connection state to the internal Deleted state and drops the first SYN packet. When the client retransmits the SYN packet, everything already works and a new state table entry is created.
The IPF log will record SYN packets dropped due to out of window (OOW). So any time you see SYN packets blocked with reason OOW, you can be absolutely sure you are experiencing this bug.
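As an added illustration (not code from this CR or from ipfilter), the following Python model replays the reconnect sequence described above against a toy state table, once with the pre-fix rule (any SYN matching an existing entry is dropped as OOW until the entry times out) and once with the fixed rule (a SYN against a non-ESTABLISHED entry moves it to Deleted and is dropped; the retransmitted SYN then creates a fresh entry). The state names, addresses, ports, the `pass`/`block` verdicts and the simplification that a single SYN creates an ESTABLISHED entry are assumptions of the model; no ipmon log format is reproduced.

```python
from dataclasses import dataclass

# State names of the toy model (assumed; ipfilter's real state machine has more).
ESTABLISHED, TIME_WAIT, DELETED = "ESTABLISHED", "TIME_WAIT", "DELETED"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # any of "S" (SYN), "A" (ACK), "F" (FIN)


@dataclass
class Entry:
    state: str


class StateTable:
    """Toy model of the IPF state table; hypothetical, not ipfilter code."""

    def __init__(self, fixed: bool):
        self.fixed = fixed      # True models the behaviour after the fix
        self.entries = {}       # direction-independent 4-tuple -> Entry
        self.log = []           # (verdict, reason) per packet, oldest first

    @staticmethod
    def key(pkt):
        # Direction-independent key so packets from either side match one entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def _record(self, verdict, reason=""):
        self.log.append((verdict, reason))
        return verdict

    def expire_all(self):
        """Model the state timeout: every entry ages out of the table."""
        self.entries.clear()

    def filter(self, pkt):
        k = self.key(pkt)
        e = self.entries.get(k)
        if e is not None and e.state == DELETED:
            # After the fix a Deleted entry no longer matches anything.
            del self.entries[k]
            e = None
        if "S" in pkt.flags and "A" not in pkt.flags:      # a bare SYN
            if e is None:
                # Simplification: a new SYN immediately creates an ESTABLISHED entry.
                self.entries[k] = Entry(ESTABLISHED)
                return self._record("pass")
            if self.fixed and e.state != ESTABLISHED:
                # The fix: mark the stale entry Deleted and drop only this SYN.
                e.state = DELETED
            # Pre-fix: every SYN matching an entry is out of window until timeout.
            return self._record("block", "OOW")
        if e is None:
            return self._record("block", "no state")
        if "F" in pkt.flags:
            e.state = TIME_WAIT     # connection is being torn down
        return self._record("pass")


def reconnect_scenario(fixed):
    """Constructed sequence: client 10.0.0.2:40000 talks to 10.0.0.1:80, closes,
    then reuses the same source port while the old entry is still in TIME_WAIT,
    and retransmits the SYN once. Returns the per-packet (verdict, reason) log."""
    t = StateTable(fixed)
    c, s = ("10.0.0.2", 40000), ("10.0.0.1", 80)
    for flags in ("S", "A", "FA", "S", "S"):
        t.filter(Packet(*c, *s, flags))
    return t.log


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed " if fixed else "pre-fix", reconnect_scenario(fixed))
```

In the pre-fix run the fourth and fifth packets (the reused-port SYN and its retransmission) are both blocked with reason OOW, and only `expire_all()` lets the client back in; in the fixed run the first SYN is still blocked as OOW, which matches the log signature described above, but the retransmitted SYN passes and a fresh entry is created.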