TCP time_wait and port exhaustion for servers

Miquel van Smoorenburg mikevs at xs4all.net
Wed Dec 5 23:25:53 UTC 2012


In article <xs4all.20121205220127.7F6F12CA0F17 at drugs.dv.isc.org> you write:
>
>In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ at mail.gmail.com>,
> William Herrin writes:
>> The thing is, Linux doesn't behave quite that way.
>> 
>> If you do an anonymous connect(), that is you socket() and then
>> connect() without a bind() in the middle, then the limit applies *per
>> destination IP:port pair*. So, you should be able to do 30,000
>> connections to 192.168.1.1 port 80, another 30,000 connections to
>> 192.168.1.2 port 80, and so on.
>
>The socket api is missing a bind + connect call which restricts the
>source address when making the connect.  This is needed when you
>are required to use a fixed source address.

William was talking about the destination address. Linux (and I would
hope any other network stack) can really open a million connections
from one source address, as long as it's not to one destination address
but to lots of different ones. It's not the (srcip,srcport) tuple that
needs to be unique; it's the (srcip,srcport,dstip,dstport) tuple.

Anyway, you can actually bind to a source address and still have a
dynamic source port; just use port 0. Lots of tools do this.

(for example, strace nc -s 127.0.0.2 127.0.0.1 22 and see what it does)

Mike.
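Added example (not part of the original thread): the bind + connect pattern Mike describes, in Python on Linux. It binds a fixed source address with port 0 so the kernel picks the ephemeral port, and then shows that two connections may share the same (srcip, srcport) as long as the destinations differ, which is the 4-tuple rule in the message. The SO_REUSEADDR trick used to force the shared source port relies on Linux bind semantics (assumed; BSD-derived stacks behave differently), and the listeners and loopback addresses are constructed for the demo.

```python
import socket
from contextlib import closing


def listener(host="127.0.0.1"):
    """Constructed test server: listen on a kernel-chosen ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(8)
    return s


def connect_from(src_ip, dst, src_port=0, reuse=False):
    """bind() to a fixed source address (port 0 = let the kernel pick),
    then connect(): the 'bind + connect' the quoted message asks for."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse:  # needed so two sockets may bind the same (ip, port) on Linux
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((src_ip, src_port))
    s.connect(dst)
    return s


def demo_bind_port_zero():
    """Returns the local (ip, port) actually used: the bound ip, nonzero port."""
    with closing(listener()) as srv:
        with closing(connect_from("127.0.0.1", srv.getsockname())) as c:
            return c.getsockname()


def demo_four_tuple():
    """Same (srcip, srcport) to two different destinations is accepted: only
    the full (srcip, srcport, dstip, dstport) tuple has to be unique (Linux)."""
    with closing(listener()) as a, closing(listener()) as b:
        c1 = connect_from("127.0.0.1", a.getsockname(), reuse=True)
        src_ip, src_port = c1.getsockname()
        c2 = connect_from("127.0.0.1", b.getsockname(), src_port, reuse=True)
        try:
            same_source = c1.getsockname() == c2.getsockname()
            different_dest = c1.getpeername() != c2.getpeername()
            return same_source, different_dest
        finally:
            c1.close()
            c2.close()


if __name__ == "__main__":
    print("bind(port 0) gave local address:", demo_bind_port_zero())
    print("shared source, distinct destinations:", demo_four_tuple())
```

Running `strace` on the script, as Mike suggests for `nc -s`, shows the same bind() with sin_port=0 followed by connect().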




More information about the NANOG mailing list