Dropped connections with tcp_tw_recycle=1
Nils Goroll
slink at schokola.de
Tue Sep 22 14:33:50 CEST 2009
Sven,
> Right, you're saying that the srcaddr+srcport pair of a connection in
> TIME_WAIT should not be reused under this scheme (i.e. the SYN can be
> dropped), and I agree. Then I don't understand why a new connection
> originating from a *different* source port (although from the same
> source IP) is also considered a dupe and dropped.
Are you referring to this code?
    if (tmp_opt.saw_tstamp &&
        tcp_death_row.sysctl_tw_recycle &&
        (dst = inet_csk_route_req(sk, req)) != NULL &&
        (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
        peer->v4daddr == saddr) {
        /* peer entry is looked up by source address only */
        if (xtime.tv_sec < peer->tcp_ts_stamp + TCP_PAWS_MSL &&
            (s32)(peer->tcp_ts - req->ts_recent) >
                TCP_PAWS_WINDOW) {
            /* SYN timestamp is older than the cached one: drop it */
            NET_INC_STATS_BH(LINUX_MIB_PAWSPASSIVEREJECTED);
            dst_release(dst);
            goto drop_and_free;
        }
    }
Again, I cannot tell you what the intention of the implementors might have been,
but my interpretation is that they wanted to implement time stamp checking as a
(from the security standpoint positive) side effect of tw_recycle.
I haven't thought about how (or if) the tw_recycle code could be improved,
because I believe the benefits of TCP state reuse are overrated and the
disadvantages outweigh the advantages. Also, my work focuses on OSes which
don't have this issue ;-)
Thanks, Nils
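The following is an added model of the check quoted above, not code from the post or from the kernel: it reproduces the per-peer timestamp decision in Python to show why a SYN from a different source port but the same source IP is still rejected. The constants follow the kernel definitions (TCP_PAWS_MSL 60 s, TCP_PAWS_WINDOW 1); the addresses, ports and timestamp values are constructed.

```python
# Model of the tw_recycle PAWS check in tcp_v4_conn_request(): the peer
# cache is keyed by source address only, so the source port of the new
# SYN never enters the decision. Constructed sample data throughout.

TCP_PAWS_MSL = 60      # seconds a cached peer timestamp stays authoritative
TCP_PAWS_WINDOW = 1    # tolerated backwards step of the TS value

class PeerCache:
    """Per-source-IP cache of the last TS value seen (peer->tcp_ts) and
    the wall-clock second it was recorded (peer->tcp_ts_stamp)."""
    def __init__(self):
        self._peers = {}   # saddr -> (tcp_ts, tcp_ts_stamp)

    def update(self, saddr, ts, now):
        self._peers[saddr] = (ts, now)

    def get(self, saddr):
        return self._peers.get(saddr)

def s32(x):
    """Wrap to a signed 32-bit value like the kernel's (s32) cast."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

def syn_rejected(cache, saddr, sport, ts_recent, now,
                 tw_recycle=True, saw_tstamp=True):
    """True when the quoted branch would drop the SYN.
    sport is accepted only to make the point: it is never consulted."""
    if not (saw_tstamp and tw_recycle):
        return False
    peer = cache.get(saddr)            # peer->v4daddr == saddr
    if peer is None:
        return False
    tcp_ts, tcp_ts_stamp = peer
    return (now < tcp_ts_stamp + TCP_PAWS_MSL and
            s32(tcp_ts - ts_recent) > TCP_PAWS_WINDOW)

def nat_scenario():
    """Two hosts behind one NAT (constructed): host A, TS clock near 500000,
    closes a connection; host B, TS clock near 1000, then connects from the
    same public IP but a different source port within TCP_PAWS_MSL."""
    cache = PeerCache()
    cache.update("203.0.113.7", ts=500000, now=1000)   # host A's connection
    return {
        "same_ip_other_port": syn_rejected(cache, "203.0.113.7", 40001, 1000, now=1010),
        "after_paws_msl": syn_rejected(cache, "203.0.113.7", 40001, 1000, now=1070),
        "recycle_off": syn_rejected(cache, "203.0.113.7", 40001, 1000, now=1010,
                                    tw_recycle=False),
        "other_ip": syn_rejected(cache, "198.51.100.9", 40001, 1000, now=1010),
    }
```

Only the first case is dropped: the lower TS value from host B looks like an old segment against host A's cached value, and the port plays no role.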