| Summary: | incorrect handling of TCP reset connection in libalias |
|---|---|
| Product: | Base System |
| Reporter: | david <david> |
| Component: | bin |
| Assignee: | ru <ru> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | Unspecified |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
Responsible Changed From-To: freebsd-bugs->ru

Over to the natd maintainer.

Hi, David!

What do you think of the following trivial patch?

--
Ruslan Ermilov
Sysadmin and DBA of the United Commercial Bank, ru@ucb.crimea.ua
FreeBSD committer, ru@FreeBSD.org
+380.652.247.647, Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age

State Changed From-To: open->closed

Fixed in both -stable and -current. Thanks for the report!
If an incoming connection is initiated through natd and deny_incoming is not set, then a new alias_link structure is created to handle the link. If there is nothing listening for the incoming connection, then the kernel responds with a RST for the connection. However, this is not processed correctly in libalias/alias.c:TcpMonitor{In,Out} and libalias/alias_db.c:SetState{In,Out}, as it thinks a connection has been established and therefore applies a timeout of 86400 seconds to the link. If many of these half-connections are initiated (during, for example, a port scan of the host), then many thousands of unnecessary links are created and the resident size of natd balloons to 20MB or more.

Fix: The following patch will tell libalias to realise that a connection hasn't, in fact, been completed and thus will give the newly created link a timeout of TCP_EXPIRE_DEAD:

How-To-Repeat: Run natd without deny_incoming. Run a TCP port scanner against the machine.
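The failure mode described above, as an added model written for this page; it is not libalias code and not the reporter's patch. It keeps only the pieces the report relies on: a per-direction TCP state on each alias link, a link timeout, and a packet monitor that advances the state from the TCP flags. The "lenient" variant credits a direction as connected on a SYN alone and hands out the long timeout immediately; the "fixed" variant only grants the long timeout once both directions are connected and treats a RST on a not-yet-established direction as the end of the link. The 86400 s figure is the one the report quotes; the 300 s initial and 10 s dead timeouts, the function and constant names, and the per-direction bookkeeping are assumptions of this model, not libalias's values or internals.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* TCP flag bits, redefined here so the model needs no netinet headers. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Link timeouts in seconds. EXPIRE_CONNECTED is the 86400 s quoted in the
 * report; the other two are assumed values for this model, not libalias's. */
#define EXPIRE_INITIAL   300
#define EXPIRE_CONNECTED 86400
#define EXPIRE_DEAD      10

enum tcp_state { ST_NOT_CONNECTED, ST_CONNECTED, ST_DISCONNECTED };
enum dir { DIR_IN, DIR_OUT };

struct link {
    enum tcp_state st[2]; /* per-direction state, indexed by enum dir */
    int expire;           /* seconds until the link would be reclaimed */
};

static void link_init(struct link *l)
{
    l->st[DIR_IN] = l->st[DIR_OUT] = ST_NOT_CONNECTED;
    l->expire = EXPIRE_INITIAL;
}

/* Record a new state for one direction and recompute the link timeout.
 * With 'fixed' set, the long timeout is granted only once BOTH directions
 * have been seen connected; otherwise a single SYN is enough. */
static void set_state(struct link *l, enum dir d, enum tcp_state s, bool fixed)
{
    enum dir other = (d == DIR_IN) ? DIR_OUT : DIR_IN;
    l->st[d] = s;
    switch (s) {
    case ST_CONNECTED:
        if (!fixed || l->st[other] == ST_CONNECTED)
            l->expire = EXPIRE_CONNECTED;
        break;
    case ST_DISCONNECTED:
        l->expire = EXPIRE_DEAD; /* simplified: no separate half-closed timeout */
        break;
    case ST_NOT_CONNECTED:
        break;
    }
}

/* Inspect one packet's flags travelling in direction d over the link. */
static void tcp_monitor(struct link *l, enum dir d, unsigned flags, bool fixed)
{
    switch (l->st[d]) {
    case ST_NOT_CONNECTED:
        if (fixed && (flags & TH_RST))
            /* RST before this side ever connected: nothing will be established. */
            set_state(l, d, ST_DISCONNECTED, fixed);
        else if (flags & TH_SYN)
            set_state(l, d, ST_CONNECTED, fixed);
        break;
    case ST_CONNECTED:
        if (flags & (TH_FIN | TH_RST))
            set_state(l, d, ST_DISCONNECTED, fixed);
        break;
    case ST_DISCONNECTED:
        break;
    }
}

/* Timeout left on a link after an inbound SYN is answered by an outbound
 * RST, i.e. nothing was listening behind natd. */
int half_open_expire(bool fixed)
{
    struct link l;
    link_init(&l);
    tcp_monitor(&l, DIR_IN, TH_SYN, fixed);
    tcp_monitor(&l, DIR_OUT, TH_RST | TH_ACK, fixed);
    return l.expire;
}

/* Timeout after a genuine handshake: inbound SYN, outbound SYN|ACK. */
int established_expire(bool fixed)
{
    struct link l;
    link_init(&l);
    tcp_monitor(&l, DIR_IN, TH_SYN, fixed);
    tcp_monitor(&l, DIR_OUT, TH_SYN | TH_ACK, fixed);
    return l.expire;
}

/* Simulate a SYN scan of nports closed ports (one link per probe) and count
 * how many links are still alive 'elapsed' seconds later. */
int scan_survivors(bool fixed, int nports, int elapsed)
{
    struct link *links = calloc((size_t)nports, sizeof *links);
    int alive = 0;
    if (links == NULL)
        return -1;
    for (int p = 0; p < nports; p++) {
        link_init(&links[p]);
        tcp_monitor(&links[p], DIR_IN, TH_SYN, fixed);
        tcp_monitor(&links[p], DIR_OUT, TH_RST | TH_ACK, fixed);
        if (links[p].expire > elapsed)
            alive++;
    }
    free(links);
    return alive;
}

int main(void)
{
    printf("half-open link timeout: lenient=%d s, fixed=%d s\n",
           half_open_expire(false), half_open_expire(true));
    printf("established link timeout: lenient=%d s, fixed=%d s\n",
           established_expire(false), established_expire(true));
    printf("links alive 600 s after a 1024-port scan: lenient=%d, fixed=%d\n",
           scan_survivors(false, 1024, 600), scan_survivors(true, 1024, 600));
    return 0;
}
```

The lenient variant keeps every scan probe's link for a day, so a scan of N ports leaves N links resident, which is the growth the report observed; the fixed variant drops each half-open link after the dead timeout while still granting the long timeout to a link whose handshake really completed.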