| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Oct 2009 08:08:34 +0200 From: Willy Tarreau <w@....eu> To: David Miller <davem@...emloft.net> Cc: ja@....bg, netdev@...r.kernel.org, eric.dumazet@...il.com Subject: Re: TCP_DEFER_ACCEPT is missing counter update On Wed, Oct 14, 2009 at 03:43:49PM -0700, David Miller wrote: > For now I'm pushing Willy's change into Linus's tree. > > After more discussion we can revert if necessary. > > I won't submit this to -stable until the discussion is fully resolved. Makes sense, thanks David. BTW, I found a use case I didn't think about where current behaviour causes trouble : https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/134274 http://lkml.indiana.edu/hypermail/linux/kernel/0711.0/0461.html In summary, when front proxies establish pools of connections to an apache server making use of TCP_DEFER_ACCEPT, the connection never establishes on the apache server but silently expires in SYN_RECV state. The front proxy sees lots of SYN/ACKs and sends many ACKs trying to complete this connection and finally believes it got it since the server eventually becomes silent. However, when trying to send data over such a socket, the server immediately returns an RST. Such a problem would not happen if we would only drop the first X packets (X >= 1 is already fine), because the front proxy would establish the connection, send a second ACK in response to the second SYN/ACK and the connection would then really be established and would not have to expire early in SYN_RECV state. If we really want to behave as it does today, well, let's not fix it, but obviously, I fail to see what real world use it has, except causing random and hard to debug issues :-/ Reading the articles below clearly make it think it was designed to help with HTTP connections by skipping the first expected and useless ACK packet before waking up the task : http://httpd.apache.org/docs/1.3/misc/perf-bsd44.html http://articles.techrepublic.com.com/5100-10878_11-1050771.html and people still get caught : http://lkml.indiana.edu/hypermail/linux/kernel/0711.0/0416.html Maybe it was a bit over-engineered, in the end causing it to fail to satisfy the primary goal ? Regards, Willy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists