Re: Dropped connections with tcp_tw_recycle=1

2009-09-22 Thread Sven Ulland
Nils Goroll wrote: The outer conditional verifies that the incoming SYN has a timestamp, that tcp_tw_recycle is enabled, and that the origin exists in our peer cache. Note that it only checks the IP of the origin. Doesn't it make sense to also match on port? My understanding is that the

Re: Dropped connections with tcp_tw_recycle=1

2009-09-21 Thread Sven Ulland
Nils Goroll wrote: tcp_tw_recycle is incompatible with NAT on the server side ... because it will enforce the verification of TCP time stamps. Unless all clients behind a NAT (actually PAD/masquerading) device use identical timestamps (within a certain range), most of them will send invalid

Dropped connections with tcp_tw_recycle=1

2009-09-19 Thread Sven Ulland
I was recently debugging an issue where several clients experienced sporadic problems connecting to a website cached by varnish. Every now and then, a connection (say, something like every 20-50th TCP connection) would time out, or sometimes take a few SYNs before being accepted. Here's a typical example. It's