Dropped connections with tcp_tw_recycle=1
Nils Goroll
slink at schokola.de
Tue Sep 22 09:19:33 CEST 2009
Sven,
>>> tcp_tw_recycle is incompatible with NAT on the server side
>>
>> ... because it will enforce the verification of TCP time stamps.
>> Unless all clients behind a NAT (actually PAD/masquerading) device
>> use identical timestamps (within a certain range), most of them will
>> send invalid TCP timestamps so SYNs will get dropped.
>
> I've been digging a bit more. [...]
Thank you very much for your writeup regarding tcp_tw_recycle and timestamp
verification. This is the part which I think I had already understood ...
> tcp_tw_recycle and _reuse's actual reuse of tw buckets seems to happen
> when setting up outbound connections. I haven't looked at those yet.
... but this is the part which I don't have a good understanding of yet.
> The outer conditional verifies that the incoming SYN has a timestamp,
> that tcp_tw_recycle is enabled, and that the origin exists in our
> peer cache. Note that it only checks the IP of the origin. Doesn't it
> make sense to also match on port?
My understanding is that the fact that the connection is in TIME_WAIT implies
that the source port should not be reused at this time.
Nils
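As an added illustration (not code from this thread or from the kernel), a small Python model of the per-peer timestamp check described above, showing how two hosts behind one NAT address interfere with each other. The cache keyed by IP only, the 60 s lifetime and the 1-tick window mirror my understanding of the kernel's TCP_PAWS_MSL / TCP_PAWS_WINDOW and are assumptions, as is the NAT address 203.0.113.5.

```python
# Constructed model of the tcp_tw_recycle timestamp check discussed in the
# thread. Not kernel code: the constants and the cache shape are assumptions
# made for illustration.

PAWS_MSL = 60       # seconds a remembered peer timestamp stays authoritative
PAWS_WINDOW = 1     # tolerated backward step of a peer's timestamp clock
NAT_IP = "203.0.113.5"  # constructed address shared by every host behind the NAT


def remember_timestamp(cache, ip, tsval, now):
    """Record the peer's last timestamp when its connection enters TIME_WAIT.
    The cache is keyed by IP only, which is the crux of the NAT problem."""
    cache[ip] = (tsval, now)


def syn_accepted(cache, ip, tsval, now, tw_recycle=True):
    """Decide whether a SYN from ip carrying timestamp tsval is accepted.
    tsval is None when the SYN has no timestamp option."""
    if tw_recycle and tsval is not None and ip in cache:
        last_ts, stamp = cache[ip]
        fresh = now - stamp <= PAWS_MSL
        older = last_ts - tsval > PAWS_WINDOW
        if fresh and older:
            return False  # treated as a stale duplicate and dropped silently
    return True


def run_scenario(tw_recycle=True):
    """Two hosts behind one NAT talk to the server in turn.
    Returns a list of (label, accepted) tuples, one per SYN."""
    cache = {}
    results = []
    # Host A (long uptime, large tsval) connects; when the server closes that
    # connection, A's timestamp is remembered under the shared NAT address.
    results.append(("A SYN t=0",
                    syn_accepted(cache, NAT_IP, 5_000_000, 0, tw_recycle)))
    remember_timestamp(cache, NAT_IP, 5_000_100, 10)
    # Host B (recently booted, small tsval) sends a SYN from the same address
    # within PAWS_MSL seconds: its clock reads "older" than A's, so it is dropped.
    results.append(("B SYN t=20",
                    syn_accepted(cache, NAT_IP, 12_000, 20, tw_recycle)))
    # The same SYN retried once the remembered stamp has aged out gets through.
    results.append(("B SYN t=90",
                    syn_accepted(cache, NAT_IP, 12_000, 90, tw_recycle)))
    return results


if __name__ == "__main__":
    for setting in (True, False):
        print(f"tcp_tw_recycle={int(setting)}:", run_scenario(setting))
```

With tcp_tw_recycle=0 the same sequence is accepted throughout, which is why leaving it off is the usual advice for servers that see clients behind NAT.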