Does setting tcp_orphan_retries to 0 mean there is no limit on retries, or does it mean it does not retry at all?

Posted 2011-05-26 21:05:09
It does not mean "try forever", it means "don't try at all". This is the server trying to politely tell the client that it is about to close its socket, and that it would be nice if the client could disconnect in an orderly way, or send some more data. It will try X times to get the client to respond, and after X it reclaims the socket on the system side.

Setting this number to 0 would suggest to me that the server is heavily used and has a zero-tolerance policy toward orphans. It may also be a response to DDoS: open a socket connection and then just hold it, doing nothing, which is how a lot of DDoS attacks work.
Posted 2012-07-18 15:46:45

Setting tcp_orphan_retries to 0 is a special case, see tcp_timer.c:

/* Calculate maximal number or retries on an orphaned socket. */
static int tcp_orphan_retries(struct sock *sk, int alive)
{
	int retries = sysctl_tcp_orphan_retries; /* May be zero. */

	/* We know from an ICMP that something is wrong. */
	if (sk->sk_err_soft && !alive)
		retries = 0;

	/* However, if socket sent something recently, select some safe
	 * number of retries. 8 corresponds to >100 seconds with minimal
	 * RTO of 200msec. */
	if (retries == 0 && alive)
		retries = 8;
	return retries;
}

Posted 2011-05-26 21:08:56
Pretty sure it means it won't retry any more. These comments from the kernel source (tcp_timer.c) support that:

/* Do not allow orphaned sockets to eat all our resources.
 * This is direct violation of TCP specs, but it is required
 * to prevent DoS attacks. It is called when a retransmission timeout
 * or zero probe timeout occurs on orphaned socket.
 *
 * Criteria is still not confirmed experimentally and may change.
 * We kill the socket, if:
 * 1. If number of orphaned sockets exceeds an administratively configured
 *    limit.
 * 2. If we have strong memory pressure.
 */

https://serverfault.com/questions/274212
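The following is an added example, not code from the thread or from the kernel. It mirrors the tcp_orphan_retries() special case quoted in the second answer (0 becomes 8 only while the socket is still "alive", i.e. its RTO has not yet reached TCP_RTO_MAX), estimates how long an orphan can linger under exponential backoff from the 200 ms minimal RTO mentioned in the kernel comment (the per-step 120 s cap and the simple doubling model are my assumptions, not the kernel's exact retransmits_timed_out() accounting), and reads the orphan count out of /proc/net/sockstat so it can be compared with the administrative limit the third answer's comment refers to (tcp_max_orphans). The sockstat text is a constructed sample so the script runs offline.

```python
"""Effective tcp_orphan_retries, worst-case orphan lifetime, and orphan pressure.

Added example (not from the ServerFault thread or the kernel tree). The
sockstat text below is constructed sample data, not a captured file.
"""
import re

MIN_RTO = 0.2    # seconds; the kernel comment's "minimal RTO of 200msec"
MAX_RTO = 120.0  # seconds; assumed per-step cap (TCP_RTO_MAX)


def effective_orphan_retries(sysctl_value, alive, icmp_soft_error=False):
    """Mirror of tcp_orphan_retries(): the retry count the kernel actually uses.

    sysctl_value    -- net.ipv4.tcp_orphan_retries (may be 0)
    alive           -- socket RTO has not yet reached TCP_RTO_MAX
    icmp_soft_error -- sk->sk_err_soft is set (an ICMP error was seen)
    """
    retries = sysctl_value
    # "We know from an ICMP that something is wrong."
    if icmp_soft_error and not alive:
        retries = 0
    # 0 is a special case: a still-alive socket gets 8 retries, not 0.
    if retries == 0 and alive:
        retries = 8
    return retries


def orphan_lifetime_upper_bound(retries, min_rto=MIN_RTO, max_rto=MAX_RTO):
    """Approximate worst-case seconds an orphan survives before it is killed.

    Assumes the RTO doubles after each timeout, starting at min_rto and capped
    at max_rto (assumption; the real accounting is more detailed). With the
    default of 8 this gives the ">100 seconds" the kernel comment mentions.
    """
    total, rto = 0.0, min_rto
    for _ in range(retries + 1):  # initial timeout plus `retries` retransmits
        total += rto
        rto = min(rto * 2, max_rto)
    return round(total, 1)


# Constructed sample of /proc/net/sockstat (values are made up).
SOCKSTAT_SAMPLE = """sockets: used 1912
TCP: inuse 1432 orphan 17 tw 120 alloc 1500 mem 300
UDP: inuse 9 mem 4
UDPLITE: inuse 0
RAW: inuse 0
FRAG: inuse 0 memory 0
"""


def parse_orphans(sockstat_text):
    """Return the orphan count from the TCP: line of /proc/net/sockstat."""
    match = re.search(r"^TCP:.*\borphan (\d+)", sockstat_text, re.MULTILINE)
    if match is None:
        raise ValueError("no TCP line with an orphan count in sockstat text")
    return int(match.group(1))


def orphan_pressure(sockstat_text, tcp_max_orphans):
    """Compare current orphans with net.ipv4.tcp_max_orphans.

    Returns a dict with the count, the limit and the fraction used; the kernel
    comment says orphans are killed outright once the limit is exceeded.
    """
    orphans = parse_orphans(sockstat_text)
    return {
        "orphans": orphans,
        "limit": tcp_max_orphans,
        "fraction": round(orphans / tcp_max_orphans, 4),
        "over_limit": orphans > tcp_max_orphans,
    }


if __name__ == "__main__":
    for value in (0, 1, 3):
        for alive in (True, False):
            r = effective_orphan_retries(value, alive)
            print(f"sysctl={value} alive={alive}: retries={r}, "
                  f"~{orphan_lifetime_upper_bound(r)} s worst case")
    # On a live box replace SOCKSTAT_SAMPLE with open('/proc/net/sockstat').read()
    # and the limit with the contents of /proc/sys/net/ipv4/tcp_max_orphans.
    print(orphan_pressure(SOCKSTAT_SAMPLE, 65536))
```

The point the table of outputs makes is the one the second answer quotes: with the sysctl at 0, a socket that is still retransmitting within its RTO window gets 8 retries (roughly 100 s of lifetime under this model), while a socket that has already backed off to the maximum RTO gets none and is reaped on the next timeout.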