On the freebsd-net mailing list there were reports that this results in problems with some hosts. They can be reproduced by using:
- curl -v http://220.127.116.11:80
- curl -v http://18.104.22.168:80
- curl -v http://22.214.171.124:80
- curl -v https://vitagramma.com
- curl -v https://126.96.36.199:443
- curl -v https://188.8.131.52:443
- curl -v https://184.108.40.206:443
- curl -v http://220.127.116.11:80
- curl -v https://volia.com
- curl -v https://moemisto.ua
- curl -v https://fotostrana.ru
By testing it seems:
- The problem occurs when the server sends a FIN-segment first, which means it ends up in TIMEWAIT.
- The SYN-segments with smaller TS.val than used before are dropped.
- The comparison of the TS.val is performed even when the client and server port numbers change. This means that a connections to the ssh server might impact connections to the web server.
Therefore a new sysctl-variable ts_offset_per_conn is introduced which will allow to change the computation to a per host pair offset (taking only the IP addresses into account).