Date: Tue, 01 Oct 2013 10:06:17 -0700
From: Rick Jones <rick.jones2@...com>
To: Chris Verges <cverges@...tient-energy.com>
CC: Eric Dumazet <eric.dumazet@...il.com>, davem@...emloft.net, kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net, netdev@...r.kernel.org
Subject: Re: Established sockets remain open after iface down or address lost

On 10/01/2013 09:08 AM, Chris Verges wrote:
> On Tue, Oct 01, 2013 at 08:44:17AM -0700, Rick Jones wrote:
>> The protocol between client and server needs to have an
>> application-layer "keepalive" mechanism added, and then the server
>> will be able to detect a dangling connection without need of any
>> further kernel modifications.
>>
>> If that is not possible, the server can/should set SO_KEEPALIVE and
>> perhaps tweak the TCP keepalive settings. Not as good (IMO) as an
>> application-layer keepalive because it only shows that the connection
>> is good as far as TCP, but I suppose it could do in a pinch.
>
> I agree that some form of keepalives would solve the problem where
> blocking reads need to be interrupted. However, this creates traffic
> across the link -- directly proportional to the keepalive interval.
>
> The underlying physical layer is such that we pay for all traffic going
> across it -- including any keepalives at either the application or TCP
> layers. Paying for this keepalive traffic when the link is operational
> is not desired.

Pick your poison :)

If the server application is in a "I know there should be (more) data arriving on this connection" mode, then you can simply have an application-layer timeout in the server code that does not rely on actively probing the connection.

Otherwise, even if you do get some sort of "nuke connections using a source IP matching an interface we just brought down" option into the kernel, you will still have the small matter of something else between the client and server going down that neither can see directly.

rick jones
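The two server-side approaches discussed above (TCP keepalive via SO_KEEPALIVE with tuned timers, and an application-layer read deadline that sends no traffic at all), as an added example that is not part of the netdev thread or of any poster's code. It targets Linux, since TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are Linux-specific socket options; the function names, the timer values and the socketpair() demo in main() are this example's own assumptions.

```c
/* Added example, not code from the netdev thread. It shows, on Linux, the
 * two server-side options Rick Jones describes:
 *   (a) SO_KEEPALIVE with tuned TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, which
 *       detects a dead peer at the TCP layer but costs probe traffic on the
 *       link, proportional to the interval;
 *   (b) an application-layer deadline on the next expected read, which sends
 *       nothing and so costs nothing while the link is up.
 * The function names, the timer values and the socketpair() demo in main()
 * are this example's own assumptions; the TCP_KEEP* options are Linux-specific. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* (a) Enable TCP keepalive on a TCP socket. The kernel starts probing after
 * idle_s seconds of silence, repeats every intvl_s seconds, and resets the
 * connection after cnt unanswered probes. Returns 0, or -1 with errno set. */
int enable_tcp_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, sizeof intvl_s) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
    return 0;
}

/* Read the effective timers back and return the worst-case time, in seconds,
 * before TCP declares the peer dead (idle + intvl * cnt), or -1 if keepalive
 * is off or the options cannot be read. A useful deployment check, since the
 * Linux default of two hours idle is rarely what a server wants. */
int keepalive_detection_time(int fd)
{
    int ka = 0, idle = 0, intvl = 0, cnt = 0;
    socklen_t len = sizeof(int);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &ka, &len) < 0 || !ka)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) < 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, &len) < 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, &len) < 0)
        return -1;
    return idle + intvl * cnt;
}

/* (b) Application-layer deadline: wait up to timeout_ms for the next byte the
 * protocol says must arrive, without sending anything. Returns the number of
 * bytes read, 0 on orderly EOF, -2 when the deadline passed (the server should
 * treat the connection as dangling and close it), or -1 with errno set. */
ssize_t recv_with_deadline(int fd, void *buf, size_t len, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r;
    do {
        r = poll(&p, 1, timeout_ms);
    } while (r < 0 && errno == EINTR);
    if (r < 0)
        return -1;
    if (r == 0)
        return -2;
    return recv(fd, buf, len, 0);
}

/* Stand-alone demo on a local socketpair (no network needed): a silent peer
 * trips the deadline, a talking peer does not. */
int main(void)
{
    int sv[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    ssize_t n = recv_with_deadline(sv[0], buf, sizeof buf, 200);
    printf("silent peer: %zd (deadline passed)\n", n);
    (void)send(sv[1], "PONG", 4, 0);
    n = recv_with_deadline(sv[0], buf, sizeof buf, 200);
    printf("talking peer: %zd bytes\n", n);
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

In a real server, enable_tcp_keepalive() would be called on each accepted socket when the link budget permits probe traffic, while recv_with_deadline() replaces a blocking read wherever the protocol state says "more data must follow", so a dangling connection is dropped after the deadline with no bytes sent on the metered link. Neither approach, as the message notes, reveals a failure between the client and server that neither end can observe directly until the deadline or the probes expire.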