Gary Mills wrote:
>
> We've been using the keepalive option for some time, both on Solaris 9
> and Solaris 10, through a wrapper, only for telnet and rlogin.  That's
> because we have a firewall that disconnects idle sessions after one
> hour.  This works without complaints for HTTP connections but is
> extremely annoying for the few terminal connections that exist.  The
> telnet and rlogin servers have no way to enable keepalives at any
> level.  Yes, you can say that doing that is a misuse of the facility,
> although I'd prefer to call it a clever use.  Bug 6263835, initiated
> by me, suggests adding the option to inetd so that the wrapper would
> no longer be necessary.

As you say, it's a clever misuse of the facility, but that's OK.
(It's a shame a firewall behaving in this way doesn't fake up its
own keepalives, shortly before it clears out the connection state.)

I would suggest some more guidance on its use on the manpage, aimed
at sysadmin rather than networking expert level, because in most
cases the use of TCP keepalive actually does the exact opposite, and
ensures death of connections which would otherwise have not died
(the naming is somewhat misleading). Consider addition of something
like:

    This parameter may be useful to preserve idle connections
    through a stateful firewall which implements a short timeout,
    and it may be useful to close down connections from clients
    which fail to close down their connections when powered off.
    However, it may cause idle connections to be broken during
    periods of transitory network outage, which would have survived
    the outage in the absence of this parameter.

It's this last part which catches people out -- the parameter causes
death to connections during transitory network problems, which is
completely contrary to what you might assume from the parameter name.

--
Andrew
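
A wrapper of the kind described in the quoted message, as an added example (not code from either poster or from Solaris): it enables SO_KEEPALIVE on the connection inetd passes on fd 0, then execs the real daemon. The wrapper name `kawrap` and its argument convention are assumptions made for illustration.

```c
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/* Turn on SO_KEEPALIVE for fd. Returns 0 on success, -1 on failure (errno set). */
int enable_keepalive(int fd)
{
    int on = 1;
    return setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) == 0 ? 0 : -1;
}

/* Report the current setting: 1 = on, 0 = off, -1 = error (e.g. not a socket). */
int keepalive_enabled(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &val, &len) != 0)
        return -1;
    return val != 0;
}

/*
 * Hypothetical usage from an inetd service entry:
 *     kawrap /path/to/daemon daemon-argv0 [args...]
 * inetd gives a nowait service its accepted connection on fd 0, and the
 * socket option survives exec, so the daemon needs no changes.
 * Probe timing comes from the system's TCP settings; it has to be shorter
 * than the firewall's idle timeout for the wrapper to help.
 */
int main(int argc, char **argv)
{
    if (argc < 3) {
        syslog(LOG_DAEMON | LOG_ERR, "kawrap: usage: kawrap daemon argv0 [args]");
        return 2;
    }
    /* stderr is the client connection under inetd, so report via syslog. */
    if (enable_keepalive(STDIN_FILENO) != 0)
        syslog(LOG_DAEMON | LOG_WARNING, "kawrap: SO_KEEPALIVE not set: %m");

    /* Run the daemon even if the option could not be set: the session then
     * behaves exactly as it would without the wrapper. */
    execv(argv[1], &argv[2]);
    syslog(LOG_DAEMON | LOG_ERR, "kawrap: exec %s failed: %m", argv[1]);
    return 127;
}
```

Only services run through the wrapper are affected, so the trade-off described in the proposed manpage text (idle sessions dropped during a transitory outage) stays confined to the terminal services that need to survive the firewall timeout.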