Message-Id: <201301231310.r0NDAXFb062129@red.freebsd.org>
Date: Wed, 23 Jan 2013 13:10:33 GMT
From: Vladimir Spiridenkov <vs@gtn.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: lost dynamic IPFW rule for TCP session after 5 min inactivity
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         175530
>Category:       kern
>Synopsis:       [ipfw] [patch] lost dynamic IPFW rule for TCP session after 5 min inactivity
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    melifaro
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 23 13:20:00 UTC 2013
>Closed-Date:    Mon Oct 14 11:09:53 UTC 2013
>Last-Modified:  Mon Oct 14 11:09:53 UTC 2013
>Originator:     Vladimir Spiridenkov
>Release:        9.1-STABLE
>Organization:
ITR
>Environment:
FreeBSD vswork.itreg.ru 9.1-STABLE FreeBSD 9.1-STABLE #0 r245462M: Wed Jan 23 15:39:15 MSK 2013     vs@vswork.itreg.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
There are no keepalive packets for the TCP session during the lifetime of the dynamic IPFW rule.

>How-To-Repeat:
root@vs# ssh 10.255.255.60

root@vs# ipfw -d show|grep -e 10.255.255.60
10200      32     7002 (299s) STATE tcp 10.10.10.44 46787 <-> 10.255.255.60 22

root@vs# sleep 275

root@vs# ipfw -d show|grep -e 10.255.255.60
10200      32     7002 (24s) STATE tcp 10.10.10.44 46787 <-> 10.255.255.60 22

root@vs# sleep 30

root@vs# ipfw -d show|grep -e 10.255.255.60

root@vs#

>Fix:
--- /usr/src/sys/netpfil/ipfw/ip_fw_dynamic.c-PREV      2013-01-15 21:03:16.000000000 +0400
+++ /usr/src/sys/netpfil/ipfw/ip_fw_dynamic.c   2013-01-23 15:27:23.356498876 +0400
@@ -1322,7 +1322,7 @@
         V_dyn_keepalive_interval = 20;
         V_dyn_keepalive_period = 5;
         V_dyn_keepalive = 1;    /* do send keepalives */
-       V_dyn_keepalive = time_uptime;
+       V_dyn_keepalive_last = time_uptime;
         
         V_dyn_max = 4096;       /* max # of dynamic rules */

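Review bot: the code that reads `V_dyn_keepalive_last` is not part of this patch, so seeding it at the `V_dyn_keepalive_last = time_uptime;` line may not be enough on its own to get keepalives sent for the idle session shown under How-To-Repeat. Please check the comparison in the periodic tick that uses this timestamp and include it if it needs a change as well. The removed line also overwrote the enable flag set one line above it (`V_dyn_keepalive = 1;`), which is worth stating in the description. Generating the diff relative to the source tree root, instead of against an absolute `/usr/src/...-PREV` copy, would let it apply without path editing.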

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->melifaro 
Responsible-Changed-By: melifaro 
Responsible-Changed-When: Thu Jan 24 10:33:32 UTC 2013 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175530 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175530: commit references a PR
Date: Sat,  2 Mar 2013 14:47:25 +0000 (UTC)

 Author: melifaro
 Date: Sat Mar  2 14:47:10 2013
 New Revision: 247626
 URL: http://svnweb.freebsd.org/changeset/base/247626
 
 Log:
   Fix callout expiring dynamic rules.
   
   PR:		kern/175530
   Submitted by:	Vladimir Spiridenkov <vs@gtn.ru>
   MFC after:	2 weeks
 
 Modified:
   head/sys/netpfil/ipfw/ip_fw_dynamic.c
 
 Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c
 ==============================================================================
 --- head/sys/netpfil/ipfw/ip_fw_dynamic.c	Sat Mar  2 14:39:48 2013	(r247625)
 +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c	Sat Mar  2 14:47:10 2013	(r247626)
 @@ -980,8 +980,8 @@ ipfw_dyn_tick(void * vnetx) 
  
  	chain = &V_layer3_chain;
  
 -	/* Run keepalive checks every keepalive_interval iff ka is enabled */
 -	if ((V_dyn_keepalive_last + V_dyn_keepalive_interval >= time_uptime) &&
 +	/* Run keepalive checks every keepalive_period iff ka is enabled */
 +	if ((V_dyn_keepalive_last + V_dyn_keepalive_period <= time_uptime) &&
  	    (V_dyn_keepalive != 0)) {
  		V_dyn_keepalive_last = time_uptime;
  		check_ka = 1;
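Review bot: the rewritten test on the `V_dyn_keepalive_last + V_dyn_keepalive_period <= time_uptime` line changes two things at once, the direction of the comparison and the variable added to the timestamp (`V_dyn_keepalive_interval` became `V_dyn_keepalive_period`), while the log only says "Fix callout expiring dynamic rules". Say in the log or in the comment above the test why the period and not the interval is the right cadence here, so that the two tunables are not mixed up again. Putting `V_dyn_keepalive != 0` first in the condition would also make it obvious at a glance that the timestamp arithmetic only matters when keepalives are enabled.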
 @@ -1320,7 +1320,7 @@ ipfw_dyn_init(struct ip_fw_chain *chain)
          V_dyn_keepalive_interval = 20;
          V_dyn_keepalive_period = 5;
          V_dyn_keepalive = 1;    /* do send keepalives */
 -	V_dyn_keepalive = time_uptime;
 +	V_dyn_keepalive_last = time_uptime;
          
          V_dyn_max = 4096;       /* max # of dynamic rules */
  
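Review bot: the added `V_dyn_keepalive_last = time_uptime;` line is indented with a tab while the neighbouring assignments in this hunk are indented with spaces; settle on one (tabs, going by the `ipfw_dyn_tick` hunk above) in a follow-up whitespace-only change. A short trailing comment on the new line, in the style of `/* do send keepalives */` just above it, would document that this is the timestamp of the last keepalive pass and not the enable flag that the removed line overwrote.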
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: melifaro 
State-Changed-When: Sun Mar 3 21:51:51 UTC 2013 
State-Changed-Why:  
Fixed in HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175530 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175530: commit references a PR
Date: Tue, 19 Mar 2013 12:42:32 +0000 (UTC)

 Author: melifaro
 Date: Tue Mar 19 12:42:14 2013
 New Revision: 248497
 URL: http://svnweb.freebsd.org/changeset/base/248497
 
 Log:
   MFC r247626.
   
   Fix callout expiring dynamic rules.
   
   PR:		kern/175530
   Submitted by:	Vladimir Spiridenkov <vs@gtn.ru>
 
 Modified:
   stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c
 ==============================================================================
 --- stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c	Tue Mar 19 12:35:33 2013	(r248496)
 +++ stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c	Tue Mar 19 12:42:14 2013	(r248497)
 @@ -982,8 +982,8 @@ ipfw_dyn_tick(void * vnetx) 
  
  	chain = &V_layer3_chain;
  
 -	/* Run keepalive checks every keepalive_interval iff ka is enabled */
 -	if ((V_dyn_keepalive_last + V_dyn_keepalive_interval >= time_uptime) &&
 +	/* Run keepalive checks every keepalive_period iff ka is enabled */
 +	if ((V_dyn_keepalive_last + V_dyn_keepalive_period <= time_uptime) &&
  	    (V_dyn_keepalive != 0)) {
  		V_dyn_keepalive_last = time_uptime;
  		check_ka = 1;
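Review bot: on a stable branch the test at the `V_dyn_keepalive_period <= time_uptime` line is a behaviour change that the log ("MFC r247626. Fix callout expiring dynamic rules.") does not spell out: the keepalive pass now runs once `V_dyn_keepalive_period` has elapsed since the last one, where the old `>=` test against `V_dyn_keepalive_interval` let it run only while that interval had not yet elapsed. Mention in the log that keepalives for idle TCP dynamic rules work again with this merge, since the symptom in the PR (the rule disappearing once its timer runs down) is what stable/9 users will search for.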
 @@ -1322,7 +1322,7 @@ ipfw_dyn_init(struct ip_fw_chain *chain)
          V_dyn_keepalive_interval = 20;
          V_dyn_keepalive_period = 5;
          V_dyn_keepalive = 1;    /* do send keepalives */
 -	V_dyn_keepalive = time_uptime;
 +	V_dyn_keepalive_last = time_uptime;
          
          V_dyn_max = 4096;       /* max # of dynamic rules */
  
 
State-Changed-From-To: patched->closed 
State-Changed-By: melifaro 
State-Changed-When: Mon Oct 14 11:09:03 UTC 2013 
State-Changed-Why:  
Patched/merged. 

>Unformatted:
