On Fri, Aug 28, 2009 at 11:11:11AM -0400, Brian Utterback wrote:
> This sounds to me like it needs to run through an ARC case. 

Most definitely.

> Personally, what you are trying to do seems to me to be a misuse of
> the keepalive to work around a broken firewall. Which may be a desirable
> feature, I don't know.

How can one misuse TCP_KEEPALIVE?  I can only think: because keeping
idle connections is inappropriate (not for us to decide), or because it
would violate the policy that the firewall is trying to enforce (the
firewall can still tell that the connection is idle though, even with
TCP_KEEPALIVE).

TCP_KEEPALIVE is about dead peer detection for idle connections.  There
are middle boxes in the Internet (not just firewalls).  Middle boxes can
certainly cause a peer to appear unresponsive (think network partitions,
failed routers, ...).  That a middle box that does that is likely to be
a firewall can't possibly make use of TCP_KEEPALIVE inappropriate.  If
TCP_KEEPALIVE is ever appropriate then we should have this feature.

Sure, the firewall is doing something obnoxious: it keeps state for
connections traversing it, and it fakes RSTs to clear out idle
connections so as not to run out of memory (most likely) and/or for
policy reasons (if TCP_KEEPALIVE gets around this then the firewall is
broken).  But why punish the end-points for the firewall's existence?

> That having been said, my first thought is that this should be a per 
> service attribute, which would make it less useful for you, but more 
> useful in general.

But that's already there:

> >It's also possible to disable it by default but enable it for
> >individual services.  I've also verified that null packets are sent
> >every two hours with the default tcp_keepalive_interval setting.
> >
> >The webrev for this one is at:
> >
> >http://cr.opensolaris.org/~jgmills/ws-6263835/
> >
> >We need this facility because of a firewall that disconnects idle TCP
> >connections after one hour. We had to reduce tcp_keepalive_interval to
> >30 minutes to prevent disconnection of terminal sessions.

I would like to see a corresponding keepalive timer interval setting,
though I don't think this project is strictly incomplete without one,
it's certainly close to it.  The default setting (two hours) is so much
more than just a tad too long -- having to set it system-wide seems
obnoxious to me.

Nico
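The per-connection alternative to lowering the system-wide tcp_keepalive_interval that the message above asks for, as an added example that is not part of the thread or of the webrev: enable SO_KEEPALIVE on one socket and set its idle threshold below the firewall's one-hour timeout. It assumes the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options, with the Solaris TCP_KEEPALIVE_THRESHOLD (milliseconds) as a fallback; the 25-minute figure is a chosen value, not one from the thread.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Turn on keepalive for this socket only and, where the platform allows,
 * set the idle time before the first probe (seconds), the probe interval
 * and the probe count. The system-wide default stays untouched.
 * Returns 0 on success, -1 on error (errno set by setsockopt). */
int configure_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#if defined(TCP_KEEPIDLE) && defined(TCP_KEEPINTVL) && defined(TCP_KEEPCNT)
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, sizeof intvl_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
#elif defined(TCP_KEEPALIVE_THRESHOLD)
    /* Solaris: idle threshold is in milliseconds; probe cadence is global. */
    int idle_ms = idle_s * 1000;
    (void)intvl_s; (void)cnt;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPALIVE_THRESHOLD, &idle_ms, sizeof idle_ms) < 0)
        return -1;
#endif
    return 0;
}

/* Read back the effective idle time in seconds, or -1 if unavailable. */
int keepalive_idle_seconds(int fd)
{
    int v = 0; socklen_t len = sizeof v;
#if defined(TCP_KEEPIDLE)
    return getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &v, &len) == 0 ? v : -1;
#elif defined(TCP_KEEPALIVE_THRESHOLD)
    return getsockopt(fd, IPPROTO_TCP, TCP_KEEPALIVE_THRESHOLD, &v, &len) == 0 ? v / 1000 : -1;
#else
    (void)fd; return -1;
#endif
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    /* The firewall in the thread clears idle state after one hour; probing
     * after 25 minutes keeps the connection from ever looking idle to it. */
    if (fd < 0 || configure_keepalive(fd, 25 * 60, 60, 4) < 0) { perror("keepalive"); return 1; }
    printf("idle before first probe: %d s\n", keepalive_idle_seconds(fd));
    return close(fd);
}
```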
-- 
_______________________________________________
networking-discuss mailing list