I'm having issues with stale TCP connections after the upgrade from 12.2 to
13.0-BETA1.
Symptoms:
Outgoing TCP connections no longer receive data after being idle.
I can do more testing later, but I think these ipfw rules trigger the problem:
- check-state
- allow tcp from me to any setup keep-state
- deny ip from any to any
After establishing an outgoing connection (e.g., via netcat), I see a new
dynamic rule and the 300s counter running down via
# ipfw -Da list
net.inet.ip.fw.dyn_keepalive is set to 1, so the timer should be refreshed via
keep-alive on idle connections.
Don't know if it's deterministic, but from what I've seen so far:
- When the counter gets low the first time, it is reset to 300 as expected.
- When the counter nears zero for the second time, the dynamic rule is deleted
and I get ipfw denies.