Dropped connections with tcp_tw_recycle=1

Nils Goroll slink at schokola.de
Tue Sep 22 14:33:50 CEST 2009


> Right, you're saying that the srcaddr+srcport pair of a connection in
> TIME_WAIT should not be reused under this scheme (i.e. the SYN can be
> dropped), and I agree. Then I don't understand why a new connection
> originating from a *different* source port (although from the same
> source IP) is also considered a dupe and dropped.

Are you referring to this code?

                 if (tmp_opt.saw_tstamp &&
                     tcp_death_row.sysctl_tw_recycle &&
                     (dst = inet_csk_route_req(sk, req)) != NULL &&
                     (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
                     peer->v4daddr == saddr) {
                         if (xtime.tv_sec < peer->tcp_ts_stamp + TCP_PAWS_MSL &&
                             (s32)(peer->tcp_ts - req->ts_recent) >
                                                         TCP_PAWS_WINDOW) {
                                 goto drop_and_free;

Again, I cannot tell you what the intention of the implementors might have been, 
but my interpretation is that they wanted to implement time stamp checking as a 
(from the security standpoint positive) side effect of tw_recycle.

I haven't thought about how (or if) the tw_recycle code could be improved, 
because I believe the benefits of TCP state reuse is overrated and the 
disadvantages overweight the advantages. Also, my work focuses on OSes which 
don't have this issue ;-)

Thanks, Nils

More information about the varnish-misc mailing list