Bug 236829 - pf does not respect timeout values at all
Summary: pf does not respect timeout values at all
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.2-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-pf mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-27 12:30 UTC by Robert Schulze
Modified: 2019-04-01 13:36 UTC (History)
2 users (show)

See Also:


Attachments
simple pf.conf (302 bytes, text/plain)
2019-03-27 12:30 UTC, Robert Schulze
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Schulze 2019-03-27 12:30:33 UTC
Created attachment 203189 [details]
simple pf.conf

Timeout values (global and per rule) are not recognised. This issue is present since at least 10.3, I'm now reporting since I have a test case on a machine with a recent version of FreeBSD (11.2-RELEASE-p8).

Steps to reproduce:

* load attached simple pf.conf
* start local nc in listening mode on port 12345
* telnet inbound (from another machine) to port 12345
* disconnect telnet
* see wrong timeouts in state list

The global timeout for finwait/closing are set to 20/25, the per rule timeouts are set to 15/10.

The timeouts applied can be check with the command:
# pfctl -vvvss | grep -B2 'rule 2'

1) after establishing client connection:

all tcp x.x.x.x:12345 <- y.y.y.y:53187       ESTABLISHED:ESTABLISHED
   [3217899334 + 29312] wscale 6  [1370442108 + 65537] wscale 7
   age 00:00:02, expires in 23:59:58, 2:1 pkts, 112:60 bytes, rule 2

2) after closing client connection:

all tcp x.x.x.x:12345 <- y.y.y.y:53187       FIN_WAIT_2:FIN_WAIT_2
   [3217899335 + 29312] wscale 6  [1370442110 + 65664] wscale 7
   age 00:00:04, expires in 00:01:29, 4:3 pkts, 216:164 bytes, rule 2

So clear to see: neither global timeout nor per rule timeout are applied here. Instead, the defaults are used (90s for closing).