IPFilter drops first syn packet while closed session entry is being left in its state table
(Doc ID 1106085.1)
Last updated on AUGUST 17, 2016
Applies to:Solaris SPARC Operating System - Version 8.0 and later
Oracle Solaris on SPARC (64-bit)
Oracle Solaris on x86-64 (64-bit)
This is a specification of ipfilter. Ipfilter keeps tcp status in short period after the last-ack.
With ipfilter patch Oracle Solaris patches 141505-09/141506-09 (actual change was in 141020-03), the timeout value is derived from the tunable parameter fr_tcplastack. Within this timeout period, a new syn packet is dropped if its part of the old TCP session.
An entry of the old session is flushed by this new syn packet and a second (retransmitted) syn packet is passed as new session. Typically, this just causes only about three seconds delay for the new session. This issue happens only when source port and destination port of new session are the same as for the previous session.
Consider the following filter rules on host 192.168.1.2. With these rules, this host allows TCP connection from 192.168.1.1 only when the target port is 443.
pass in log quick on ce0 proto tcp from 192.168.1.1/32 to 192.168.1.2/32 port = 443 keep state
block in log quick on ce0 from 192.168.1.1/32 to 192.168.1.2/32
Once the session is established and then closed, the state remains in the table like below on 'ipf -tC' output.
Source IP Destination IP ST PR #pkts #bytes ttl 192.168.1.1,12345 192.168.1.2,443 8/8 tcp 5 220 1:51
This lasts 120 seconds by default. During the time, if another syn packet comes from
192.168.1.1 with same source/destination port, the first syn packet is dropped by ipfilter.
ipmon[xxx]: [ID 702911 local0.warning] 08:54:45.563763 ce0 @0:3 b 192.168.1.1,12345 -> 192.168.1.2,443 PR tcp len 20 52 -S IN
ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.950478 ce0 @0:1 p 192.168.1.1,12345 -> 192.168.1.2,443 PR tcp len 20 52 -S K-S IN
ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.959985 ce0 @0:1 p 192.168.1.2,443 -> 192.168.1.1,12345 PR tcp len 20 52 -AS K-S OUT
ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.960137 ce0 @0:1 p 192.168.1.1,12345 -> 192.168.1.2,443 PR tcp len 20 40 -A K-S IN
Then the retransmitted second syn packet is accepted as new state.
tcp_time_wait_interval set to less than 60000 (default value of 1 minute)
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!