nanog mailing list archives
Re: TCP time_wait and port exhaustion for servers
From: Ray Soucy <rps () maine edu>
Date: Thu, 6 Dec 2012 08:31:32 -0500
It does require a fixed source address. The box is also a router and firewall, so it has many IP addresses available to it.

On Wed, Dec 5, 2012 at 5:24 PM, William Herrin <bill () herrin us> wrote:

> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews <marka () isc org> wrote:
>> In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ () mail gmail com>, William Herrin writes:
>>> The thing is, Linux doesn't behave quite that way. If you do an anonymous connect(), that is you socket() and then connect() without a bind() in the middle, then the limit applies *per destination IP:port pair*. So, you should be able to do 30,000 connections to 192.168.1.1 port 80, another 30,000 connections to 192.168.1.2 port 80, and so on.
>>
>> The socket api is missing a bind + connect call which restricts the source address when making the connect. This is needed when you are required to use a fixed source address.
>
> Hi Mark,
>
> There are ways around this problem in Linux. For example you can mark a packet with iptables based on the uid of the process which created it and then you can NAT the source address based on the mark. Little messy but the tools are there.
>
> Anyway, Ray didn't indicate that he needed a fixed source address other than the one the machine would ordinarily choose for itself.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
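The per-destination versus per-source limit that Bill and Mark are contrasting, as an added example (not code from the thread): a small model of how the ephemeral range is consumed under anonymous connect() versus bind()-then-connect(), plus the socket option Linux later added (4.2+) that lets a fixed source address keep per-destination port reuse. The port range, destination addresses and the Linux-only `connect_from` helper are assumptions of this example.

```python
import socket

# Linux default net.ipv4.ip_local_port_range (constructed for the model)
EPHEMERAL = range(32768, 61000)


class SourceAddress:
    """Ephemeral-port bookkeeping for one source IP, in the two modes the thread contrasts.
    Ports are held for the whole run, as they are inside the TIME_WAIT window."""

    def __init__(self):
        # key None: ports taken by bind()-then-connect(), shared by every destination;
        # key (dst_ip, dst_port): ports taken by anonymous connect() to that destination.
        self.free = {}

    def connect(self, dst, bind_first=False):
        """Return the local port the kernel would pick, or raise when the range is spent."""
        key = None if bind_first else dst
        pool = self.free.setdefault(key, list(EPHEMERAL))
        if not pool:
            where = "from this source" if bind_first else "to %s:%d" % dst
            raise OSError("EADDRNOTAVAIL: no ephemeral ports %s" % where)
        return pool.pop()


def capacity(bind_first, destinations=(("192.168.1.1", 80), ("192.168.1.2", 80))):
    """Count successful connects, round-robin over destinations, before exhaustion."""
    src, opened = SourceAddress(), 0
    while True:
        try:
            src.connect(destinations[opened % len(destinations)], bind_first)
        except OSError:
            return opened
        opened += 1


# Linux >= 4.2 closes the API gap Mark describes: with IP_BIND_ADDRESS_NO_PORT set,
# bind() fixes only the address and the port is chosen per 4-tuple at connect() time.
IP_BIND_ADDRESS_NO_PORT = getattr(socket, "IP_BIND_ADDRESS_NO_PORT", 24)  # value from <linux/in.h>


def connect_from(src_ip, dst_ip, dst_port, timeout=5.0):
    """Connect from a fixed source address without reserving a port before connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, 1)
    s.bind((src_ip, 0))            # port 0 stays unresolved until connect()
    s.settimeout(timeout)
    s.connect((dst_ip, dst_port))
    return s                       # getsockname() now shows the chosen port
```

With two destinations the anonymous model admits twice as many connections as the bound one, which is the asymmetry behind Ray's need for a fixed address on a multi-homed box.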