| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Apr 2011 10:36:45 -0700 From: "George B." <georgeb@...il.com> To: Daniel Baluta <daniel.baluta@...il.com> Cc: Eric Dumazet <eric.dumazet@...il.com>, Gaspar Chilingarov <gasparch@...il.com>, netdev <netdev@...r.kernel.org> Subject: Re: 'tcp: bind() fix when many ports are bound' problem On Wed, Jan 5, 2011 at 1:00 AM, Daniel Baluta <daniel.baluta@...il.com> wrote: > > On Tue, Jan 4, 2011 at 1:22 PM, Eric Dumazet <eric.dumazet@...il.com> wrote: > > Le mardi 04 janvier 2011 à 13:12 +0400, Gaspar Chilingarov a écrit : > >> Hi there! > >> > >> Well, that looks strange. > >> > >> On my own side I've just put workaround (manually binding to all ports > >> in sequence :) > >> and moved production code to FreeBSD as it has better scalable network stack. > >> > >> I can see the potential problem with that bind() problem on highly > >> loaded DNS servers/resolvers which establish tons of outgoing UDP > >> connections. > >> > >> In some cases that connections could fail and as not receiving the > >> answer it is normal condition for DNS this will go totally unnoticed. > >> > >> I don't think anyone will hit this bug in production environment > >> except the very high load applications. > > > > Dont mix TCP and UDP, they are not the same. > > > > Problem with TCP is you can have TIME_WAIT sockets, disallowing a port > > to be reused. Not with UDP. > > Isn't SO_REUSEADDR supposed to fix this problem? > > Anyhow, inet_csk_get_port the function used by bind(0) performs bad. > > Short reminder: > 100 IP addr - 70K sockets created => 700 sockets per IP. > bind(0) for all sockets will results in a large number of > (port, addr) duplicates although there are more than 30000 ports available. > > This wouldn't be so bad if you won't try to connect duplicates to the same > remote (addr, port) which will result in a connect failure. > > Eric's patch introduced the restriction 'forbid two reuse enabled sockets > to bind on same (addr, port) tuple with a (non ANY addr)'. > > Well, I think this will break rule #2 from inet_hastable.h: > " > If all sockets have sk->sk_reuse set, and none of them are in > TCP_LISTEN state, the port may be shared. > " > and also caused problem ([1]), don't really know if they are the same. > > An attempt, to fix this was to "always allow a reuse listen if > no other listen is already active on the same IP". > > The problem with this fix, is that at the moment of bind() we > don't know what will be the usage of this socket. It can be, > bind -> connect or bind -> listen. > > > > The connect() [without a previous bind()], or a sendto() [without a > > previous bind()] problem is more an API problem. > > Can you share your thoughts on this? > > Going back to my first email, are there any follow ups on your > "tcp: bind() fix when many ports are bound" patch. I've searched > netdev archives but no luck. I might have missed something. > > I really appreciate your help. > > thanks, > Daniel. > -- This is also causing a problem for me in a very high load application where more than 64K sockets are being sourced from multiple IP addresses. I, too, would like to know if this has been followed up on. The old patch that was reverted was actually working well for us, we never actually hit the TIME_WAIT problem but we are hitting the problem of not being able to source a connection from an IP when the global number of connections is >64K or so. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists