IPFilter drops first syn packet while closed session entry is being left in its state table
(Doc ID 1106085.1)
Last updated on APRIL 24, 2020
Applies to: Solaris Operating System - Version 8.0 and later
Oracle Solaris on SPARC (64-bit)
Oracle Solaris on x86-64 (64-bit)
This is expected IPFilter behaviour. IPFilter keeps the state of a TCP session for a short period after the last ACK.
With the IPFilter patches Oracle Solaris patches 141505-09/141506-09 (the actual change was introduced in 141020-03), this timeout is derived from the tunable parameter fr_tcplastack. Within this timeout period, a new SYN packet is dropped if it matches the old TCP session.
The entry for the old session is flushed by this first SYN packet, and the second (retransmitted) SYN packet is passed as a new session. Typically, this only causes a delay of about three seconds for the new session. The issue occurs only when the source port and destination port of the new session are the same as those of the previous session.
Consider the following filter rules on host 192.168.1.2. With these rules, this host allows TCP connections from 192.168.1.1 only when the target port is 443.
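To make the sequence described above concrete, here is a small Python model of the state-table behaviour this document describes. It is an added example and not IPFilter's source code: the StateTable class, the LASTACK_TIMEOUT constant (standing in for the value derived from fr_tcplastack), its 30-second value, the source ports 50000/50001 and the 3-second retransmission delay are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed timeout in seconds; stands in for the value IPFilter derives from
# fr_tcplastack (constructed value, not taken from any Solaris release).
LASTACK_TIMEOUT = 30.0


@dataclass
class Entry:
    """One state-table entry for a TCP 4-tuple (src, sport, dst, dport)."""
    state: str      # "ESTABLISHED" or "LAST_ACK"
    expires: float  # time (seconds) after which the entry no longer matches


@dataclass
class StateTable:
    """Minimal stand-in for the IPFilter state table (constructed model)."""
    entries: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def last_ack(self, key, now):
        """Final ACK of an old session: keep its entry until the lastack timeout runs out."""
        self.entries[key] = Entry("LAST_ACK", now + LASTACK_TIMEOUT)

    def syn(self, key, now):
        """Decide what happens to a SYN arriving for `key` at time `now`."""
        entry = self.entries.get(key)
        if entry is not None and entry.state == "LAST_ACK":
            # A closing entry still covers this 4-tuple. If it has not expired, the
            # SYN is taken as part of the old session and dropped; either way the
            # stale entry is flushed, so the next SYN starts a new session.
            del self.entries[key]
            if now < entry.expires:
                self.log.append((now, key, "drop"))
                return "drop"
        self.entries[key] = Entry("ESTABLISHED", float("inf"))
        self.log.append((now, key, "pass"))
        return "pass"


def simulate(client_retransmit_delay=3.0):
    """Replay the scenario: an old session closes, then the client reconnects.

    Returns the decisions for the first SYN on the same ports, the retransmitted
    SYN, a SYN from a different source port, and a SYN on the same ports sent
    only after the lastack timeout has expired.
    """
    same = ("192.168.1.1", 50000, "192.168.1.2", 443)   # constructed 4-tuple
    other = ("192.168.1.1", 50001, "192.168.1.2", 443)  # different source port
    table = StateTable()
    table.last_ack(same, now=0.0)
    first = table.syn(same, now=1.0)
    retrans = table.syn(same, now=1.0 + client_retransmit_delay)
    other_port = table.syn(other, now=1.0)

    # Second run: the client waits until the closing entry has timed out.
    table2 = StateTable()
    table2.last_ack(same, now=0.0)
    after_timeout = table2.syn(same, now=LASTACK_TIMEOUT + 1.0)

    return {
        "first_syn": first,
        "retransmitted_syn": retrans,
        "other_port_syn": other_port,
        "syn_after_timeout": after_timeout,
    }


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name}: {decision}")
```

Running the model shows the three points the text makes: the first SYN that reuses the old 4-tuple is dropped and flushes the stale entry, the retransmitted SYN passes, and a SYN from a different source port (or one sent after the timeout has elapsed) is unaffected. When diagnosing the delay on a real host, the few seconds of latency are the client's SYN retransmission timer, so an application that pins its source port and reconnects immediately after closing is the pattern to look for.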