lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 9 Mar 2007 13:04:36 +0200
From:	Matti Aarnio <matti.aarnio@...iler.org>
To:	Niklaus <niklaus@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: more than 65535 outbound connections

On Fri, Mar 09, 2007 at 01:49:34PM +0530, Niklaus wrote:
> Hi,
> 
> I could be wrong in the below description or might have misunderstood
> many of the concepts , please correct appropriately.
> 
> 65535 ports can allowed . So on a  machine namely C you can have max
> 65535 outbound connections

IP connections are quads (four-tuples), machine A and B IP addresses,
plus 16 bit port numbers at both ends.

You can have about  64 k * 3 G = 192 T  connections out from a machine
to any single port number out there to all existing IP addresses.

If  A.ip, B.ip, and B.port  stay the same, A can setup up to some
10 - 50 thousand parallel connections.  (Depending on allowed dynamic
source IP port number space at machine A.)

If either B.ip or B.port changes, A can reuse a port that is actively
connected to something. Resulting four-tuple is different -> connection
is different.

Does Linux reuse port numbers in this way ?
It most likely does, but I didn't verify.

> What i was thinking was to send to another machines A and B from the
> same port [X] and then when we get data from it to [X] we can the send
> it to the correct application using stateful mapping or storing some
> information . The machines A and B are unaware of this mapping from
> the C  machine.

You want to make a "L4 switch" -- a "load balancer" ?
That thing is a NAT-box, and is really not making buffered TCP flows,
but rather mapping IP/TCP header rewriters to divert the flows to new
destinations.

> Can we increase it by anymeans in the kernel. Does we have patches for the 
> above
> 
> i read on the web that terry lambert has got 1.6 million simultaneous
> connection ? how is the way it is done.
> 
> http://kerneltrap.org/node/277

With 50 thousand connections per single ( A.ip / B.ip / B.port ) set,
one needs only 32  B.ports or A.ip:s or B.ip:s to do that 1.6 million
parallel TCP streams.

Such does eat up lots and lots system kernel memory...

> Regs
> Nik

/Matti Aarnio

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ