[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1350646775.2293.497.camel@edumazet-glaptop>
Date: Fri, 19 Oct 2012 13:39:35 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Vijay Subramanian <subramanian.vijay@...il.com>
Cc: enh <enh@...gle.com>,
Venkat Venkatsubra <venkat.x.venkatsubra@...cle.com>,
netdev@...r.kernel.org
Subject: Re: listen(2) backlog changes in or around Linux 3.1?
On Fri, 2012-10-19 at 12:29 +0200, Eric Dumazet wrote:
> On Fri, 2012-10-19 at 02:14 -0700, Vijay Subramanian wrote:
> > > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > > index ef998b0..0404926 100644
> > > --- a/net/ipv4/tcp_ipv4.c
> > > +++ b/net/ipv4/tcp_ipv4.c
> > > @@ -1507,7 +1507,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
> > > * clogging syn queue with openreqs with exponentially increasing
> > > * timeout.
> > > */
> > > - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
> > > + if (__sk_acceptq_is_full(sk, inet_csk_reqsk_queue_young(sk)))
> > > goto drop;
> > >
> >
> > For what its worth, I think the changes make sense. But is there any
> > reason to exclude old request_socks in the call to
> > __sk_acceptq_is_full().?
> > as in
> > if (__sk_acceptq_is_full(sk, inet_csk_reqsk_queue_len(sk)))
> > goto drop;
> >
> > I am not sure why the current code looks only at young request_socks.
> > Thanks,
> > Vijay
>
> Old requests are assumed to be unlikely to complete (SYN attack).
>
> young requests are assumed to have a reasonable chance to complete.
>
> Note that we drop the SYN packet, so its not a 'final' decision.
>
> Some other OSes send RST in case the listener queue is full
> (I tested FreeBSD 9.0 this morning.)
>
> Note also we probably have a bug elsewhere :
>
> If we send a SYNACK, then receive the ACK from client, and the acceptq
> is full, we should reset the connexion. Right now we have kind of stupid
> situation, were we drop the ACK, and leave the REQ in the SYN_RECV
> state, so we retransmit SYNACKS.
>
> I am working on this part as well.
>
Well, it seems a documented feature :
tcp_abort_on_overflow - BOOLEAN
If listening service is too slow to accept new connections,
reset them. Default state is FALSE. It means that if overflow
occurred due to a burst, connection will recover. Enable this
option _only_ if you are really sure that listening daemon
cannot be tuned to accept connections faster. Enabling this
option can harm clients of your server.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists