netdev.vger.kernel.org archive mirror
From: John Heffner <jheffner@psc.edu>
To: Mark Huth <mhuth@mvista.com>
Cc: David Miller <davem@davemloft.net>,
	dagriego@gmail.com, davem@davemloft.ne, netdev@vger.kernel.org
Subject: Re: [PATCH] NET: Add TCP connection abort IOCTL
Date: Tue, 27 Mar 2007 20:27:44 -0400	[thread overview]
Message-ID: <4609B680.7070601@psc.edu> (raw)
In-Reply-To: <4609A42A.4040304@mvista.com>

Mark Huth wrote:
> David Miller wrote:
>> From: dagriego@gmail.com (David Griego)
>> Date: Tue, 27 Mar 2007 14:47:54 -0700
>>
>>> Adds an IOCTL for aborting established TCP connections, and is
>>> designed to be an HA performance improvement for cleaning up, failure 
>>> notification, and application termination.
>>>
>>> Signed-off-by:  David Griego <dagriego@gmail.com>
>>
>> SO_LINGER with a zero linger time plus close() isn't working
>> properly?
>>
>> There is no reason for this ioctl at all.  Either existing
>> facilities provide what you need or what you want is a
>> protocol violation we can't do.
> Actually, there are legitimate uses for this sort of API.  The patch 
> allows an administrator to kill specific connections that are in use by 
> other applications, where the close is not available, since the socket 
> is owned by another process.  Say one of your large applications has 
> hundreds or even thousands of open connections and you have determined 
> that a particular connection is causing trouble.  This API allows the 
> admin to kill that particular connection, and doesn't appear to violate 
> any RFC offhand, since an abort is sent to the peer.
> 
> One may argue that the applications should be modified, but that is not 
> always possible in the case of various ISVs.  As Linux gains market 
> share in the large server market, more and more applications are being 
> ported from other platforms that have this sort of 
> management/administrative interfaces.
> 
> Mark Huth

I also believe this is a useful thing to have.  I'm not 100% sure this 
ioctl is the way to go, but it seems reasonable.  This directly 
corresponds to writing deleteTcb to the tcpConnectionState variable in 
the TCP MIB (RFC 4022).  I don't think it constitutes a protocol violation.

As a concrete example, one way I've used this type of feature is to 
defend against a netkill [1] style attack, where the defense involves 
making decisions about which connections to kill when memory gets 
scarce.  It makes sense to do this with a system daemon, since an admin 
might have an arbitrarily complicated policy as to which applications 
and peers have priority for the memory.  This is too complicated to 
distribute and enforce across all applications.  You could do this in 
the kernel, but why if you don't have to?

   -John

[1] http://shlang.com/netkill/
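The existing facility David Miller points to, as an added example that is not part of the thread or the proposed patch: a small C program that opens a loopback TCP connection to itself, closes the accepting side either normally or with SO_LINGER set to a zero timeout, and reports what the peer's recv() sees. The orderly close yields EOF (a FIN); the zero-linger close yields ECONNRESET (an RST). Note that this only aborts a socket the calling process owns, which is exactly the limitation Mark Huth describes; killing another process's connection, as the patch proposes, is not shown here. The function names and the use of an ephemeral loopback port are this example's own choices.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Configure fd so that close() discards any unsent data and sends a TCP
 * RST instead of the normal FIN exchange (SO_LINGER with a zero timeout). */
static int enable_abortive_close(int fd)
{
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    return setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
}

/* Build a loopback TCP connection, close the accepting side either
 * abortively (abortive != 0) or normally, and return what the client
 * observes on its next recv():
 *   ECONNRESET - peer saw an RST
 *   0          - peer saw an orderly EOF (FIN)
 *   -1         - setup failed (errno says why)
 * The hypothetical helper name and the loopback setup are this example's own. */
int peer_result_after_close(int abortive)
{
    int lfd = -1, cfd = -1, afd = -1, result = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    char buf[16];
    ssize_t n;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                  /* kernel picks an ephemeral port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if (getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) goto out;
    if (listen(lfd, 1) < 0) goto out;

    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto out;

    if (abortive && enable_abortive_close(afd) < 0) goto out;
    close(afd);                         /* RST if abortive, FIN otherwise */
    afd = -1;

    /* Blocking recv on the client: -1/ECONNRESET after RST, 0 after FIN. */
    errno = 0;
    n = recv(cfd, buf, sizeof buf, 0);
    result = (n < 0) ? errno : 0;
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}

int main(void)
{
    int normal = peer_result_after_close(0);
    int reset  = peer_result_after_close(1);
    printf("orderly close:     peer recv -> %s\n",
           normal == 0 ? "EOF" : strerror(normal));
    printf("zero-linger close: peer recv -> %s\n",
           reset == 0 ? "EOF" : strerror(reset));
    return 0;
}
```

Because the reset path skips the FIN handshake, the aborted connection also leaves no TIME_WAIT state behind, which is part of why a zero-linger close is attractive for cleanup under memory pressure; the cost is that any data still in the send queue is dropped without notice to the peer.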

Thread overview: 19+ messages
2007-03-27 21:47 [PATCH] NET: Add TCP connection abort IOCTL David Griego
2007-03-27 22:30 ` David Miller
2007-03-27 23:09   ` Mark Huth
2007-03-27 23:36     ` David Miller
2007-03-28  6:02       ` Eric Dumazet
2007-03-28  6:35         ` David Miller
2007-03-28  0:27     ` John Heffner [this message]
2007-03-28  0:34       ` John Heffner
2007-03-28  3:09         ` Herbert Xu
2007-03-28  1:52       ` David Miller
2007-03-28  0:04   ` Rick Jones
2007-03-29 14:56   ` Predrag Hodoba
2007-03-29 18:41     ` David Miller
2007-03-30  1:09       ` Stephen Hemminger
2007-03-30 15:10         ` Predrag Hodoba
2007-03-30 18:33           ` Stephen Hemminger
2007-03-30 19:09             ` Predrag Hodoba
2007-03-30 20:46               ` Rick Jones
2007-03-31  6:25                 ` Predrag Hodoba
