Sven,

>>> tcp_tw_recycle is incompatible with NAT on the server side
>>
>> ... because it will enforce the verification of TCP time stamps.
>> Unless all clients behind a NAT (actually PAD/masquerading) device
>> use identical timestamps (within a certain range), most of them will
>> send invalid TCP timestamps so SYNs will get dropped.
>
> I've been digging a bit more. [...]

Thank you very much for your writeup regarding tcp_tw_recycle and
timestamp verification. This is the part which I think I had already
understood ...

> tcp_tw_recycle and _reuse's actual reuse of tw buckets seems to happen
> when setting up outbound connections. I haven't looked at those yet.

... but this is the part which I don't have a good understanding of yet.

> The outer conditional verifies that the incoming SYN has a timestamp,
> that tcp_tw_recycle is enabled, and that the origin exists in our
> peer cache. Note that it only checks the IP of the origin. Doesn't it
> make sense to also match on port?

My understanding is that the fact that the connection is in TIME_WAIT
implies that the source port should not be reused at this time.

Nils

_______________________________________________
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc
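The SYN timestamp check discussed in the thread, modelled as an added example (not code from the thread, from Varnish or from the kernel): a peer cache keyed by source IP only, the kernel's TCP_PAWS_MSL (60 s) and TCP_PAWS_WINDOW (1) constants, and constructed traffic from two hosts sharing one NAT address (203.0.113.10 is a documentation address chosen here).

```python
"""Model of the tcp_tw_recycle SYN timestamp check (removed in Linux 4.12).

Added illustration; not the thread's or Varnish's code. Constants mirror the
kernel's TCP_PAWS_MSL and TCP_PAWS_WINDOW; the peer cache is a plain dict
keyed by source IP only, which is why hosts behind one NAT address collide.
"""

TCP_PAWS_MSL = 60      # seconds a cached peer timestamp stays authoritative
TCP_PAWS_WINDOW = 1    # tolerated backward skew, in timestamp ticks


class PeerCache:
    """Per-source-IP record of the newest timestamp seen (tcp_ts) and the
    wall-clock second it was recorded (tcp_ts_stamp)."""

    def __init__(self):
        self._peers = {}  # ip -> (tcp_ts, tcp_ts_stamp)

    def remember(self, ip, tsval, now):
        """Record the timestamp of a connection from `ip` entering TIME_WAIT."""
        self._peers[ip] = (tsval, now)

    def syn_accepted(self, ip, tsval, now, tw_recycle=True):
        """True if a SYN carrying `tsval` from `ip` survives the recycle check.

        Outer conditional: timestamp present, recycle enabled, peer cached.
        Only then is the incoming timestamp compared with the cached one.
        """
        if tsval is None or not tw_recycle or ip not in self._peers:
            return True
        tcp_ts, tcp_ts_stamp = self._peers[ip]
        if now < tcp_ts_stamp + TCP_PAWS_MSL and tcp_ts - tsval > TCP_PAWS_WINDOW:
            return False  # the kernel counts this as a PAWS passive reject
        return True


def nat_scenario():
    """Two hosts behind one NAT address (constructed sample traffic).

    Host A's timestamp clock is far ahead of host B's. Both appear as the
    NAT address, so B inherits A's cached timestamp and its SYN is dropped
    until TCP_PAWS_MSL has elapsed. Returns (b_rejected_now, b_accepted_later).
    """
    cache = PeerCache()
    nat_ip = "203.0.113.10"
    cache.remember(nat_ip, tsval=5_000_000, now=1000)              # host A closes
    b_now = cache.syn_accepted(nat_ip, tsval=120_000, now=1010)    # host B, 10 s on
    b_later = cache.syn_accepted(nat_ip, tsval=120_500, now=1070)  # B after MSL
    return (not b_now, b_later)


if __name__ == "__main__":
    print(nat_scenario())  # (True, True)
```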