From: Rick Jones <rick.jones2@hp.com>
To: Mark Glines <mark@glines.org>
Cc: netdev@vger.kernel.org, davem@davemloft.net,
kuznet@ms2.inr.ac.ru, jmorris@namei.org, kaber@coreworks.de
Subject: Re: [patch] ip_local_port_range sysctl has annoying default
Date: Mon, 14 May 2007 11:47:05 -0700
Message-ID: <4648AEA9.4040805@hp.com>
In-Reply-To: <20070514113328.7dcd4272@chirp>
> Note that the high-order bit is set for all ports above 32768, so this
> dragon would be stepped on pretty badly by Linux's default (and
> indeed, the default for most OS's).
>
> However, by "the very top", I think he was referring to the range
> 61000-65535, not all ports from 32768 up. Alan Cox clarified (in
> http://www.ussg.iu.edu/hypermail/linux/kernel/0705.1/2597.html), "The
> top space is reserved when using masquerading and used for the
> masquerading ports normally in that situation. Clipping them off avoids
> differing behaviour with masquerading on/off." So I think that's the
> dragon in question, and NAT is a big ugly scary dragon indeed.
NAT, why does there have to be NAT... :) yeah, it is big and ugly, shame we
cannot put a stake through its heart :(
> [snip]
>
>>Oddly enough, it seems that on a system with a 2.6.21.1 kernel, the
>>32768-61000 is already there:
>>
>>hpcpc102:~# sysctl -a | grep port
>>error: permission denied on key 'net.ipv4.route.flush'
>>net.ipv4.ip_local_port_range = 32768 61000
>
>
> Yes, Linux does use the range of 32768-61000 in most cases, and it
> works great. The problem is, this default is determined at runtime by
> tcp_init() (in net/ipv4/tcp.c), based on the bind hash size. If the
> bind hash size is above a certain threshold, it will use 32768-61000,
> which seems to be the common case these days. Otherwise, it will use a
> range of 3072-4999, 2048-4999, or 1024-4999, depending on how small the
> bind hash is.
Ah (insert suitable Emily Litella reference here). All the systems with which I
play are probably considered "large" - even the ones I consider "small."
> I have a box here with 128M of RAM, which, running the same kernel rev,
> *doesn't* have this default (because the bind hash size is too small),
> which causes problems because its range (2048-4999) stomps on NFS's UDP
> port (2049) by default. So I was getting a weird failure where nfsd
> wouldn't start when klive was running. But only on that machine. The
> same setup works great on all of my other machines.
Hmm, those small values feel like variations on the old BSD defaults theme. I
don't recall issues with NFS there, but it is very likely that NFS would have
been started well before most anything else so it would "win" the race to 2049.
> I think the range of 32768-61000 is smart, and I am hoping Linux can
> use this default range *everywhere* by default, regardless of the bind
> hash size. This is what my patch does.
>
> If the list doesn't like this idea, I will happily submit another patch
> which uses a dynamic range of the same size as before, but moves the
> beginning of that range up to 32768. (Or maybe moves the end of the
> range up to 61000.)
Unless the memory size changes the hash algorithm itself (which bits are used,
that sort of thing) I wouldn't think that the values in the port number range
would particularly matter.
>
>
>>Solaris:
>># ndd /dev/tcp tcp_smallest_anon_port
>>32768
>># ndd /dev/tcp tcp_largest_anon_port
>>65535
>># uname -a
>>SunOS competitive10 5.10 Generic_118833-36 sun4v sparc
>>SUNW,Sun-Fire-T200
>>
>>HP-UX:
>>
>># ndd /dev/tcp tcp_smallest_anon_port
>>49152
>># ndd /dev/tcp tcp_largest_anon_port
>>65535
>># uname -a
>>HP-UX loiter B.11.23 U ia64 4283463096 unlimited-user license
>>
>>no idea about AIX or BSD or Windows...
>
>
> Interesting!
>
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.first: 1024
> net.inet.ip.portrange.last: 5000
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.hilast: 65535
> DragonFly dfly181.tahoe 1.8.1-RELEASE DragonFly 1.8.1-RELEASE #2: Mon Mar 26 08:03:12 PDT 2007 root@:/usr/obj/usr/src/sys/GENERIC i386
>
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.first: 49152
> net.inet.ip.portrange.last: 65535
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.portrange.reservedhigh: 1023
> net.inet.ip.portrange.reservedlow: 0
> FreeBSD fbsd62.tahoe 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> ...whatever that means.
>
> Mark
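The collision Mark describes above (a small-bind-hash default of 2048-4999 swallowing NFS's 2049, while 32768-61000 stays clear of it) is easy to check for mechanically. The following is an added example, not code from this thread, from the kernel, or from any of the systems quoted; the list of fixed service ports is constructed for illustration (only 2049 comes from the thread), the sample ranges are the values quoted in the messages above, and the parser for `ip_local_reserved_ports` assumes the comma/dash syntax that later Linux kernels use for that sysctl (it did not exist in 2.6.21).

```python
"""Check an ephemeral (local) port range against ports that services must
bind explicitly, the collision described in the thread for NFS on 2049.

Added example; not code from the thread, the kernel, or any project named
in it.  Assumptions: FIXED_SERVICE_PORTS is a constructed sample, and
ip_local_reserved_ports is parsed in the "2049,5000-5010" form Linux uses
for that sysctl (a later addition, not present in the 2.6.21 discussed)."""

from pathlib import Path

# Ports a daemon must bind explicitly (constructed sample; 2049 is from the thread).
FIXED_SERVICE_PORTS = {111: "sunrpc", 2049: "nfs", 3306: "mysql", 5432: "postgresql"}

# Default ranges quoted in the thread, written "low high" as the sysctl prints them.
SAMPLE_RANGES = {
    "Linux, large bind hash": "32768 61000",
    "Linux, small bind hash": "3072 4999",
    "Linux, smaller bind hash": "2048 4999",
    "Linux, smallest bind hash": "1024 4999",
    "Solaris 10": "32768 65535",
    "HP-UX 11.23": "49152 65535",
    "FreeBSD 6.2": "49152 65535",
    "DragonFly 1.8.1": "1024 5000",
}

PROC_RANGE = Path("/proc/sys/net/ipv4/ip_local_port_range")
PROC_RESERVED = Path("/proc/sys/net/ipv4/ip_local_reserved_ports")


def parse_port_range(text):
    """Parse 'low high' into (low, high); reject anything outside 1..65535."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected two fields, got {text!r}")
    low, high = (int(p) for p in parts)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad range {low}-{high}")
    return low, high


def parse_reserved_ports(text):
    """Parse '2049,5000-5010' (ip_local_reserved_ports syntax) into a set of ports."""
    reserved = set()
    for item in text.strip().split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        reserved.update(range(lo, hi + 1))
    return reserved


def collisions(port_range, fixed_ports, reserved=frozenset()):
    """Return the fixed service ports the kernel could hand out as ephemeral ports.

    A port inside the range is at risk unless it is explicitly reserved; a
    daemon that starts after a client was given that port fails to bind."""
    low, high = port_range
    return sorted(
        (port, name)
        for port, name in fixed_ports.items()
        if low <= port <= high and port not in reserved
    )


def read_live_range():
    """Return (range, reserved_ports) from /proc on Linux, or None elsewhere."""
    if not PROC_RANGE.exists():
        return None
    rng = parse_port_range(PROC_RANGE.read_text())
    reserved = parse_reserved_ports(PROC_RESERVED.read_text()) if PROC_RESERVED.exists() else set()
    return rng, reserved


def report(label, port_range, reserved=frozenset()):
    """Print one line per range and return the list of colliding (port, name) pairs."""
    hits = collisions(port_range, FIXED_SERVICE_PORTS, reserved)
    low, high = port_range
    verdict = "ok" if not hits else ", ".join(f"{p} ({n})" for p, n in hits)
    print(f"{label:28s} {low:5d}-{high:<5d} {verdict}")
    return hits


if __name__ == "__main__":
    for label, text in SAMPLE_RANGES.items():
        report(label, parse_port_range(text))
    live = read_live_range()
    if live is not None:
        report("this host", *live)
```

Run on a Linux box it appends a line for the live range; on the small-hash defaults it flags 2049 (and, in this constructed list, 3306), on 32768-61000 and the 49152-65535 BSD/HP-UX defaults it reports nothing. The `reserved` parameter models the later Linux remedy of carving individual ports out of the ephemeral range rather than moving the whole range.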