tcp_orphan_retries设置为0是什么意思？

Question

将tcp_orphan_retries设置为0是否意味着没有重试的限制，还是意味着它根本不会重试？

Answer 1

这并不意味着“永远尝试”，而是“根本不要尝试”。这是服务器试图礼貌地告诉客户端，服务器正在准备关闭他的套接字，如果它能够有序地断开连接，或者发送更多的数据，那就太好了。它将尝试X次让客户端响应，在X之后，它将系统端的套接字收回。

将这个数字设置为0会让我觉得服务器被大量使用，对孤儿有零容忍策略。它也可能是对DDOS的响应:打开一个套接字连接，然后抓住它，不做任何事情，这是很多DDOS的工作。

Answer 2

将tcp_orphan_retries设置为0是特例，请参阅tcp_timer.c

 98 /* Calculate maximal number or retries on an orphaned socket. */
 99 static int tcp_orphan_retries(struct sock *sk, int alive)
 100 {
 101         int retries = sysctl_tcp_orphan_retries; /* May be zero. */
 102 
 103         /* We know from an ICMP that something is wrong. */
 104         if (sk->sk_err_soft && !alive)
 105                 retries = 0;
 106 
 107         /* However, if socket sent something recently, select some safe
 108          * number of retries. 8 corresponds to >100 seconds with minimal
 109          * RTO of 200msec. */
 110         if (retries == 0 && alive)
 111                 retries = 8;
 112         return retries;
 113 }

Answer 3

很确定这意味着它不会再试了。这些来自内核源代码(tcp_timer.c)的注释支持：

/* Do not allow orphaned sockets to eat all our resources.
 * This is direct violation of TCP specs, but it is required
 * to prevent DoS attacks. It is called when a retransmission timeout
 * or zero probe timeout occurs on orphaned socket.
 *
 * Criteria is still not confirmed experimentally and may change.
 * We kill the socket, if:
 * 1. If number of orphaned sockets exceeds an administratively configured
 *    limit.
 * 2. If we have strong memory pressure.
 */