| Summary: | pf does not respect timeout values at all | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Robert Schulze <rs> |
| Component: | kern | Assignee: | freebsd-pf (Nobody) <pf> |
| Status: | New --- | | |
| Severity: | Affects Only Me | CC: | emaste, kp |
| Priority: | --- | | |
| Version: | 11.2-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
| Attachments: | | | |
Created attachment 203189: simple pf.conf

Timeout values (global and per rule) are not recognised. This issue has been present since at least 10.3; I'm reporting it now since I have a test case on a machine with a recent version of FreeBSD (11.2-RELEASE-p8).

Steps to reproduce:

* load attached simple pf.conf
* start local nc in listening mode on port 12345
* telnet inbound (from another machine) to port 12345
* disconnect telnet
* see wrong timeouts in state list

The global timeouts for finwait/closing are set to 20/25, the per rule timeouts are set to 15/10. The timeouts applied can be checked with the command:

```
# pfctl -vvvss | grep -B2 'rule 2'
```

1) after establishing client connection:

```
all tcp x.x.x.x:12345 <- y.y.y.y:53187       ESTABLISHED:ESTABLISHED
   [3217899334 + 29312] wscale 6  [1370442108 + 65537] wscale 7
   age 00:00:02, expires in 23:59:58, 2:1 pkts, 112:60 bytes, rule 2
```

2) after closing client connection:

```
all tcp x.x.x.x:12345 <- y.y.y.y:53187       FIN_WAIT_2:FIN_WAIT_2
   [3217899335 + 29312] wscale 6  [1370442110 + 65664] wscale 7
   age 00:00:04, expires in 00:01:29, 4:3 pkts, 216:164 bytes, rule 2
```

So clear to see: neither global timeout nor per rule timeout is applied here. Instead, the defaults are used (90s for closing).
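The manual check from the report (`pfctl -vvvss | grep -B2 'rule 2'`) written as a script, added here as an example and not part of the original report: it parses the state entries and lists those on a given rule whose "expires in" value exceeds an expected ceiling. The sample input is constructed from the two entries quoted in the report; the function names and the 25-second ceiling (the largest timeout the report configures) are assumptions.

```python
import re

# Constructed sample: the two state entries quoted in the report, laid out
# one entry per three lines as `pfctl -vvvss` prints them.
SAMPLE = """\
all tcp x.x.x.x:12345 <- y.y.y.y:53187       ESTABLISHED:ESTABLISHED
   [3217899334 + 29312] wscale 6  [1370442108 + 65537] wscale 7
   age 00:00:02, expires in 23:59:58, 2:1 pkts, 112:60 bytes, rule 2
all tcp x.x.x.x:12345 <- y.y.y.y:53187       FIN_WAIT_2:FIN_WAIT_2
   [3217899335 + 29312] wscale 6  [1370442110 + 65664] wscale 7
   age 00:00:04, expires in 00:01:29, 4:3 pkts, 216:164 bytes, rule 2
"""

# First line of an entry: interface, protocol, flow, then the state pair.
HEAD = re.compile(r"^\S+ (?P<proto>\S+) (?P<flow>.+?)\s+(?P<pair>[A-Z0-9_]+:[A-Z0-9_]+)\s*$")
# Indented detail line carrying age, remaining lifetime and the matching rule.
DETAIL = re.compile(r"age (?P<age>[\d:]+), expires in (?P<exp>[\d:]+),.*\brule (?P<rule>\d+)")

def to_seconds(hms):
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_states(text):
    """Return one dict per state entry that has a complete detail line."""
    states, head = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new entry
            head = HEAD.match(line)
        elif head and (d := DETAIL.search(line)):
            states.append({"proto": head["proto"], "flow": head["flow"],
                           "pair": head["pair"], "rule": int(d["rule"]),
                           "age": to_seconds(d["age"]),
                           "expires": to_seconds(d["exp"])})
            head = None
    return states

def overdue(text, rule, ceiling, exempt=("ESTABLISHED:ESTABLISHED",)):
    """States on `rule`, outside `exempt`, that expire later than `ceiling` seconds."""
    return [s for s in parse_states(text)
            if s["rule"] == rule and s["pair"] not in exempt and s["expires"] > ceiling]

if __name__ == "__main__":
    # 25 s is an assumed ceiling: the largest of the timeouts the report configures.
    for s in overdue(SAMPLE, rule=2, ceiling=25):
        print(f'rule {s["rule"]} {s["pair"]} {s["flow"]}: expires in {s["expires"]}s')
```

On a live system the text would come from `pfctl -vvvss` output captured to a file or pipe instead of `SAMPLE`.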