Sven,
> Right, you're saying that the srcaddr+srcport pair of a connection in
> TIME_WAIT should not be reused under this scheme (i.e. the SYN can be
> dropped), and I agree. Then I don't understand why a new connection
> originating from a *different* source port (although from the same
> source IP) is also considered a dupe and dropped.
Are you referring to this code?
	/* Only with a timestamp option present and tw_recycle enabled; the peer
	 * entry is looked up by the SYN's source IP alone (no port involved). */
	if (tmp_opt.saw_tstamp &&
	    tcp_death_row.sysctl_tw_recycle &&
	    (dst = inet_csk_route_req(sk, req)) != NULL &&
	    (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
	    peer->v4daddr == saddr) {
		/* Reject the SYN if the peer's remembered timestamp is still fresh
		 * (younger than TCP_PAWS_MSL) and the SYN's timestamp is older than
		 * it by more than TCP_PAWS_WINDOW. */
		if (xtime.tv_sec < peer->tcp_ts_stamp + TCP_PAWS_MSL &&
		    (s32)(peer->tcp_ts - req->ts_recent) > TCP_PAWS_WINDOW) {
			NET_INC_STATS_BH(LINUX_MIB_PAWSPASSIVEREJECTED);
			dst_release(dst);
			goto drop_and_free;
		}
	}
Again, I cannot tell you what the intention of the implementors might have been,
but my interpretation is that they wanted to implement time stamp checking as a
(from a security standpoint, positive) side effect of tw_recycle.
I haven't thought about how (or if) the tw_recycle code could be improved,
because I believe the benefits of TCP state reuse are overrated and the
disadvantages outweigh the advantages. Also, my work focuses on OSes which
don't have this issue ;-)
Thanks, Nils
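An added illustration, not code from this thread or from the kernel: a user-space model of the check quoted above, fed with constructed peer and SYN values. The peer table is keyed by source IP only, so a SYN from the same IP on a different source port, carrying an older timestamp, is rejected exactly like a reuse of the TIME_WAIT port would be. Constant values and the per-peer fields are assumed to mirror the kernel ones named in the quote.

```c
/* Model of the tw_recycle + PAWS SYN check (added example, not kernel code). */
#include <stdint.h>
#include <stddef.h>

#define TCP_PAWS_MSL    60  /* seconds a remembered peer timestamp stays valid */
#define TCP_PAWS_WINDOW 1   /* tolerated backwards step of the timestamp clock */
#define MAX_PEERS       8

/* Per-IP memory, in the spirit of the kernel's peer entry: last timestamp
 * seen from that address and the wall-clock second it was recorded. */
struct peer {
    uint32_t v4daddr;      /* source IP; note: no port in the key */
    uint32_t tcp_ts;       /* last TSval seen from this IP */
    int64_t  tcp_ts_stamp; /* when tcp_ts was recorded (seconds) */
};

static struct peer peers[MAX_PEERS];
static int npeers;

static struct peer *peer_lookup(uint32_t saddr)
{
    for (int i = 0; i < npeers; i++)
        if (peers[i].v4daddr == saddr)
            return &peers[i];
    return NULL;
}

/* Remember a peer's timestamp, as happens when a connection from it enters
 * TIME_WAIT with tw_recycle on (constructed simplification). */
void peer_remember(uint32_t saddr, uint32_t ts, int64_t now)
{
    struct peer *p = peer_lookup(saddr);
    if (!p) {
        if (npeers == MAX_PEERS) return;
        p = &peers[npeers++];
        p->v4daddr = saddr;
    }
    p->tcp_ts = ts;
    p->tcp_ts_stamp = now;
}

/* Returns 1 if the SYN would be counted as PAWSPASSIVEREJECTED and dropped,
 * 0 if it passes. sport is accepted only to show that it plays no role. */
int syn_paws_check(uint32_t saddr, uint16_t sport, uint32_t ts, int64_t now,
                   int saw_tstamp, int tw_recycle)
{
    (void)sport; /* the kernel condition never consults the source port */
    if (!saw_tstamp || !tw_recycle) return 0;
    struct peer *p = peer_lookup(saddr);
    if (p && now < p->tcp_ts_stamp + TCP_PAWS_MSL &&
        (int32_t)(p->tcp_ts - ts) > TCP_PAWS_WINDOW)
        return 1;
    return 0;
}
```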
_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc