From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3) Gecko/20050104 Red Hat/1.4.3-3.0.7

Description of problem:
While investigating what appears to be a problem with our firewall, I discovered that the kernel does not sent a tcp reset packet after it times out waiting for the final ack while in the SYN_RECV state.  The probably well known TCP state transition diagram from Wright & Stevens' book "TCP/IP Illustrated" shows that if a socket times out in the SYN_RECV state and goes back to being CLOSED, it should send a reset to the remote end.

Version-Release number of selected component (if applicable):
kernel-2.4.21-27.0.2.EL

How reproducible:
Always

Steps to Reproduce:
1. Start a server listening with netcat:  nc -l -p 1234
2. Block the client's reply ack with iptables:
  iptables -t filter -A OUTPUT -p tcp -m tcp --dport 1234 --tcp-flags ALL ACK -j DROP
3. Watch the packet exchange as root:  tcpdump -i lo port 1234
4. Start a client with netcat:  nc localhost 1234
5. Watch the sockets with:  netstat -tp | grep 1234

Actual Results:  tcpdump shows the server repeatedly sending the syn-ack connection reply while netstat shows the server's socket waiting in the SYN_RECV state while the client believes that it has an established connection.  After a few minutes the server times out and returns to the LISTEN state and never sends a reset.  The client will indefinitely think it has an established connection and could be hung trying to read from its half-open socket.

Expected Results:  When the socket times out it should send a reset to the client which thinks it has an established connection, to notify it that it has closed the socket.


Additional info:

Obviously the problem is rare and would only happen with a broken network and/or firewall, but shouldn't a reset be sent when timing out on a socket in the SYN_RECV state?