TCP time_wait and port exhaustion for servers

Ray Soucy rps at maine.edu
Thu Dec 6 13:31:32 UTC 2012


It does require a fixed source address.  The box is also a router and
firewall, so it has many IP addresses available to it.

On Wed, Dec 5, 2012 at 5:24 PM, William Herrin <bill at herrin.us> wrote:
> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews <marka at isc.org> wrote:
>> In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ at mail.gmail.com>,
>>  William Herrin writes:
>>> The thing is, Linux doesn't behave quite that way.
>>>
>>> If you do an anonymous connect(), that is you socket() and then
>>> connect() without a bind() in the middle, then the limit applies *per
>>> destination IP:port pair*. So, you should be able to do 30,000
>>> connections to 192.168.1.1 port 80, another 30,000 connections to
>>> 192.168.1.2 port 80, and so on.
>>
>> The socket api is missing a bind + connect call which restricts the
>> source address when making the connect.  This is needed when you
>> are required to use a fixed source address.
>
> Hi Mark,
>
> There are ways around this problem in Linux. For example you can mark
> a packet with iptables based on the uid of the process which created
> it and then you can NAT the source address based on the mark. Little
> messy but the tools are there.
>
> Anyway, Ray didn't indicate that he needed a fixed source address
> other than the one the machine would ordinarily choose for itself.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
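The "bind + connect" pattern Mark describes, as an added example that is not part of this thread: bind to a fixed source address but let the kernel defer the source-port choice to connect(), so the per-destination ephemeral port allocation Bill describes still applies. It assumes Linux 4.2 or later (which added the IP_BIND_ADDRESS_NO_PORT socket option) and uses a loopback listener constructed here as the destination.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_BIND_ADDRESS_NO_PORT
#define IP_BIND_ADDRESS_NO_PORT 24 /* Linux UAPI value; assumed if the headers predate it */
#endif

/* Local port of fd in host byte order, or -1 on error. */
static int local_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Loopback listener on a kernel-chosen port (the demo destination). Returns fd or -1. */
static int start_listener(uint16_t *port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    *port = (uint16_t)local_port(fd);
    return fd;
}

/* bind() to the fixed source address src, then connect() to 127.0.0.1:dst_port.
 * With no_port set, IP_BIND_ADDRESS_NO_PORT makes bind() record only the address
 * and leaves port selection to connect(), where it is made against the full
 * 4-tuple like an anonymous connect; without it, bind() pins a port immediately
 * and that port is consumed for every destination. *port_after_bind receives the
 * local port seen right after bind() (0 when deferred). Returns fd or -1. */
static int connect_from_fixed_source(const char *src, uint16_t dst_port,
                                     int no_port, int *port_after_bind) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, src, &sa.sin_addr) != 1) { close(fd); return -1; }
    if (no_port && setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &one, sizeof one) < 0) {
        close(fd); return -1;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    *port_after_bind = local_port(fd);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(dst_port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}
```

Comparing *port_after_bind for the two modes shows the difference: with the option set it is 0 until connect() assigns a port, without it the port is already taken at bind() time.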
