ipfilter breaks TCP connexions

To: tech-net%netbsd.org@localhost
Subject: ipfilter breaks TCP connexions
From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
Date: Mon, 7 Jun 2010 10:58:51 +0000

Hello

I upgraded a firewall to 5.0.2, and now IPfilter will break any connexion
that has been idle for more than between 30 and 150 seconds (I have 
not yet measured the exact time it needs to kill).

ipfstat -t shows the connexion with a TTL for more than 119 hours, 
and then it suddently dispaear, while no traffic has been exchanged 
(I checked with tcpdump on both interfaces).

Is there a known problem? I wonder if this could not be because the
state table is full (I recall having to rebuild a kernel with some
option about that on the previous machine, but it was a very long
time ago, and I don't find the relevant options in the sources anymore)

Here is how many entries I have, I do not know if this is big or not:
# ipfstat -Rsl|grep ^[0-9]|wc -l 
    3697


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost

Follow-Ups:
- Re: ipfilter breaks TCP connexions
  - From: Emmanuel Dreyfus

Prev by Date: mbuf pool allocator can sleep in interrupt context?
Next by Date: Re: ipfilter breaks TCP connexions
Previous by Thread: mbuf pool allocator can sleep in interrupt context?
Next by Thread: Re: ipfilter breaks TCP connexions
Indexes:

Home | Main Index | Thread Index | Old Index