Vincent Fox wrote:
| Darren Reed wrote:
|> This problem isn't about 'out of window', it is that the check to
|> allow a new session is not working right - I think.
|>
|> Unfortunately there's only so much I can do with what's shipped
|> with Solaris 10 (can't get you to recompile with printf's.)
|>
|> btw, please add this to sourceforge as a bug:
|> https://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
|>
| I added a bug entry, let me know if it needs more details.
|
| I have compiled 4.1.32rc5 and can recompile, install and
| test with that if you tell me what you need. We have 5
| identical Solaris 10 systems running in a pool; I can pull
| one of them out for testing.
I would like to see you at least try the attached patch.

There is code in ipfilter that recognises a SYN packet arriving for a
connection that is "closing" but it may be that it was still interfering
with things. The code that looks for this is in fr_tcpstate():

	/*
	 * If a SYN packet is received for a connection that is on the way out
	 * but hasn't yet departed then advance this session along the way.
	 */
	if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
		if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) &&
		    (is->is_state[1] > IPF_TCPS_ESTABLISHED)) {
			is->is_state[!source] = IPF_TCPS_CLOSED;
			fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq,
				     &ips_deletetq);
			MUTEX_EXIT(&is->is_lock);
			return 0;
		}
	}

so we may need to add in some debugging there...
Darren
Index: ip_state.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_state.c,v
retrieving revision 2.186.2.93
diff -c -r2.186.2.93 ip_state.c
*** ip_state.c 14 Feb 2009 01:53:05 -0000 2.186.2.93
--- ip_state.c 12 May 2009 21:19:10 -0000
***************
*** 2056,2061 ****
--- 2062,2074 ----
u_32_t cflx;
void *ifp;
+ /*
+ * If a connection is about to be deleted, no packets
+ * are allowed to match it.
+ */
+ if (is->is_sti.tqe_ifq == &ips_deletetq)
+ return NULL;
+
rev = IP6_NEQ(&is->is_dst, dst);
ifp = fin->fin_ifp;
out = fin->fin_out;
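Review bot: the early `return NULL` placed ahead of `rev = IP6_NEQ(...)` makes every caller of fr_matchsrcdst() reject a state sitting on ips_deletetq, not only the hash-table scan the check was lifted out of, so each caller must treat NULL as "no match, keep looking" rather than as a hard failure; the callers that are not in this diff should be checked for that. The comment would also be more useful if it said why a departing entry must never match: with the fr_tcpstate() rule quoted in the mail, a SYN for a closing session is what moves it onto ips_deletetq, presumably so that the same SYN can then create a fresh session instead of being absorbed by the old one, and that intent is not visible from `if (is->is_sti.tqe_ifq == &ips_deletetq) return NULL;` alone.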
***************
*** 2649,2661 ****
hvm = DOUBLE_HASH(hv);
for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
isp = &is->is_hnext;
- /*
- * If a connection is about to be deleted, no packets
- * are allowed to match it.
- */
- if (is->is_sti.tqe_ifq == &ips_deletetq)
- continue;
-
if ((is->is_p != pr) || (is->is_v != v))
continue;
is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
--- 2662,2667 ----
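Review bot: the removed `continue` skipped a departing entry and moved on along the bucket chain; its replacement is the NULL return from fr_matchsrcdst() on the `is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);` line just below, which only preserves that behaviour if the code after the call treats `is == NULL` as "advance to the next entry". The iteration itself is safe because `isp = &is->is_hnext;` has already been taken before the call, but the post-call handling is outside the hunk and should be confirmed.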
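Added here as an illustration, not ipfilter code or anything from this thread: a small C model of the fr_tcpstate() rule quoted in the mail together with the delete-queue check the patch moves into fr_matchsrcdst(), showing which SYN arrivals retire a closing session so a new one can be created and which are still absorbed by the old session. The state numbering, struct fields and function names are constructed stand-ins for the real ones.

```c
#include <stdio.h>

/* Constructed model, not ipfilter code. State ordering is this model's
 * assumption; the rule below only needs "above ESTABLISHED means closing". */
enum { TCPS_CLOSED, TCPS_LISTEN, TCPS_SYN_SENT, TCPS_SYN_RECEIVED,
       TCPS_ESTABLISHED, TCPS_CLOSE_WAIT, TCPS_FIN_WAIT_1, TCPS_CLOSING,
       TCPS_LAST_ACK, TCPS_FIN_WAIT_2, TCPS_TIME_WAIT };
#define TH_SYN     0x02
#define TH_ACK     0x10
#define TH_OPENING (TH_SYN | TH_ACK)
struct state {
    int state[2];     /* per-direction state, like is->is_state[] */
    int on_deletetq;  /* models is->is_sti.tqe_ifq == &ips_deletetq */
};

/* fr_tcpstate()'s rule from the mail: a bare SYN retires the session only
 * when BOTH directions are past ESTABLISHED. Returns 0 when the packet is
 * not treated as part of this session, 1 when the session absorbs it. */
int tcpstate(struct state *is, int flags, int source)
{
    if ((flags & TH_OPENING) == TH_SYN &&
        is->state[0] > TCPS_ESTABLISHED && is->state[1] > TCPS_ESTABLISHED) {
        is->state[!source] = TCPS_CLOSED;
        is->on_deletetq = 1;          /* fr_movequeue(..., &ips_deletetq) */
        return 0;
    }
    return 1;
}

/* The patch's check at the top of fr_matchsrcdst(): an entry on the delete
 * queue never matches, so the lookup goes on to create a new session. */
struct state *matchsrcdst(struct state *is)
{
    return is->on_deletetq ? NULL : is;
}

/* 1 if this packet retires the old session and escapes the match (a fresh
 * session can be created), 0 if the old session still claims the packet. */
int syn_opens_new_session(struct state *is, int flags)
{
    return tcpstate(is, flags, 0) == 0 && matchsrcdst(is) == NULL;
}

int main(void)
{
    struct state closing = { { TCPS_FIN_WAIT_2, TCPS_TIME_WAIT }, 0 };
    struct state half    = { { TCPS_FIN_WAIT_1, TCPS_ESTABLISHED }, 0 };
    printf("both sides closing: %d\n", syn_opens_new_session(&closing, TH_SYN));
    printf("half closed:        %d\n", syn_opens_new_session(&half, TH_SYN));
    return 0;
}
```

The half-closed case is the one to watch: only one direction is past ESTABLISHED, the rule does not fire, and the SYN stays attached to the dying session.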