Hi Michael and all,

>>> tcp_tw_recycle is incompatible with NAT on the server side
>>
>> ... because it will enforce the verification of TCP time stamps.
>> Unless all clients behind a NAT (actually PAT/masquerading) device use
>> identical timestamps (within a certain range), most of them will send
>> invalid TCP timestamps so SYNs will get dropped.
>
> Since you seem pretty knowledgeable on the subject, can you please
> explain the difference between tcp_tw_reuse and tcp_tw_recycle?
I think I have understood the reason why tcp_tw_recycle does not work with NAT connections, but I must say I haven't fully devoured the Linux TCP implementation to explain to you the design decisions regarding these two options. The very basic idea is to re-use TCP connections in the TIME_WAIT state, saving the overhead of destroying and recreating TCP state. I remember that at one point I thought I had understood the difference, but I can't recall it at the moment.

In short: I can tell you that you *must not* use tcp_tw_recycle for any machine talking to machines behind masquerading firewalls (in other words, only use it inside isolated networks). But I cannot tell you what exactly it is supposed to do and how it differs from tcp_tw_reuse.

If anyone finds out, please let me know as well!

Nils

_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc
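The failure mode quoted above (a server with tcp_tw_recycle on remembers the newest TCP timestamp per peer IP and discards SYNs carrying an older one, so hosts behind one masquerading address, each with its own timestamp clock, get their SYNs dropped) can be modelled in a few lines. The block below is an added illustration, not part of this thread and not the Linux kernel's code: it is a simplified model of the per-peer timestamp check, with the 60-second aging window, the client timestamp clocks and the NAT address (203.0.113.5) all constructed for the example. Two caveats a practitioner would want: tcp_tw_recycle was removed from Linux in 4.12, so the knob no longer exists on current kernels, and tcp_tw_reuse only governs whether the local host may reuse one of its own TIME_WAIT sockets for a new outgoing connection, so it is not what drops incoming SYNs from NATed clients.

```python
"""Constructed model of the per-peer TCP timestamp check behind tcp_tw_recycle.

Not the kernel's implementation: a simplified model to show why clients
behind one NAT address collide when the server enforces per-IP timestamps.
"""
from dataclasses import dataclass

# Assumption: a remembered peer timestamp stays authoritative for 60 s,
# modelled on TCP_PAWS_MSL; after that the server forgets it.
PAWS_MSL_SECONDS = 60.0


@dataclass(frozen=True)
class Syn:
    src_ip: str      # source address as the server sees it (after NAT, if any)
    tsval: int       # TCP timestamp option (TSval): the sender's own clock, in ticks
    arrival: float   # server wall-clock time of arrival, in seconds


class PeerTimestampCache:
    """Remembers the newest TSval seen from each peer IP."""

    def __init__(self, recycle_enabled: bool) -> None:
        self.recycle_enabled = recycle_enabled
        self._last: dict[str, tuple[int, float]] = {}  # ip -> (tsval, seen_at)

    def accept_syn(self, syn: Syn) -> bool:
        """Return True if the SYN is accepted, False if it would be dropped.

        With recycle on, a SYN whose TSval is older than the one remembered
        for the same source IP (and remembered less than PAWS_MSL_SECONDS ago)
        is treated as a stale segment from an earlier connection and dropped.
        Hosts behind one NAT address share one cache entry, so only the host
        whose clock happens to be highest keeps getting through.
        """
        entry = self._last.get(syn.src_ip)
        if self.recycle_enabled and entry is not None:
            last_ts, seen_at = entry
            if syn.tsval < last_ts and (syn.arrival - seen_at) < PAWS_MSL_SECONDS:
                return False
        if entry is None or syn.tsval >= entry[0]:
            self._last[syn.src_ip] = (syn.tsval, syn.arrival)
        return True


def simulate(nat: bool, recycle_enabled: bool) -> tuple[int, int]:
    """Three clients each send two SYNs, one second apart, round-robin.

    Their TSval clocks started at different times (constructed values), as
    real hosts' clocks do. Returns (accepted, dropped).
    """
    clients = [("10.0.0.11", 1_000_000), ("10.0.0.12", 5_000), ("10.0.0.13", 400_000)]
    nat_ip = "203.0.113.5"  # constructed: the masquerading firewall's address
    cache = PeerTimestampCache(recycle_enabled)
    accepted = dropped = 0
    t = 0.0
    for _round in range(2):
        for private_ip, clock_base in clients:
            syn = Syn(
                src_ip=nat_ip if nat else private_ip,
                tsval=clock_base + int(t * 1000),  # 1 kHz timestamp clock
                arrival=t,
            )
            if cache.accept_syn(syn):
                accepted += 1
            else:
                dropped += 1
            t += 1.0
    return accepted, dropped


if __name__ == "__main__":
    for nat, recycle in [(False, True), (True, False), (True, True)]:
        ok, lost = simulate(nat=nat, recycle_enabled=recycle)
        print(f"nat={nat!s:5} tcp_tw_recycle={recycle!s:5} -> accepted={ok} dropped={lost}")
```

Running it shows that with distinct source addresses, or with recycle off, all six SYNs are accepted, while with recycle on and all three clients masqueraded behind 203.0.113.5 only the client with the highest timestamp clock connects and the other two have every SYN dropped, which is exactly the "most of them will send invalid TCP timestamps" outcome described in the quoted reply.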
