From: Eric Dumazet <dada1@cosmosbay.com>
To: Octavian Purdila <opurdila@ixiacom.com>
Cc: netdev@vger.kernel.org
Subject: Re: ports beeing reused too fast
Date: Sat, 09 May 2009 18:16:28 +0200 [thread overview]
Message-ID: <4A05AC5C.3020907@cosmosbay.com> (raw)
In-Reply-To: <4A059E75.7060008@cosmosbay.com>
Eric Dumazet a écrit :
> Octavian Purdila a écrit :
>> On Saturday 09 May 2009 09:58:25 Eric Dumazet wrote:
>>
>>>> I've looked over the code and it looks right, so maybe net_random() is
>>>> not random enough? Or maybe there are side effects because of the %
>>>> port_range?
>>> Random is random :)
>>> Probability a port can be reused pretty fast is not nul.
>>>
>> Thinking again about it... you are right :)
>>
>>> So yes, behavior you discovered is expected, when we switched port
>>> selection from a sequential one (not very secure btw) to a random one.
>>>
>>> Any strong reason why a firewall would drop a SYN because ports were used
>>> in a previous session ?
>> We don't know why the firewall (Cisco FWSM) is dropping the packets, may be a
>> bug, limitation or miss-configuration. We are trying to track this down with
>> the firewall vendor.
>
> Normally, the client machine should not reuse a port during the TIME_WAIT duration
> (TCP_TIMEWAIT_LEN being 60 seconds on linux). Port selection being random or sequential,
> it should avoid all ports recently used.
>
> Maybe this firewall has a longer TIME_WAIT enforcement (something like 2 minutes)
Another thing to consider is your client/server use or not tcp timestamps (RFC 1323)
# should allow client to use fast reuse of ports (and trigger a firewall problem)
echo 1 >/proc/sys/net/ipv4/tcp_timestamps
If both machines allow tcp timestamps, then same ports can be reused pretty fast.
If firewall doesnt fully understand RFC 1323, it might explain some problem
with port randomization and shortened time between port reuse.
next prev parent reply other threads:[~2009-05-09 16:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-08 20:11 ports beeing reused too fast Octavian Purdila
2009-05-09 6:58 ` Eric Dumazet
2009-05-09 13:11 ` Octavian Purdila
2009-05-09 15:17 ` Eric Dumazet
2009-05-09 16:16 ` Eric Dumazet [this message]
2009-05-09 19:31 ` Bill Fink
2009-05-09 19:41 ` Octavian Purdila
2009-05-09 22:45 ` Stephen Hemminger
2009-05-12 12:32 ` Octavian Purdila
2009-05-12 15:11 ` Stephen Hemminger
2009-05-12 15:52 ` Octavian Purdila
2009-05-14 20:29 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A05AC5C.3020907@cosmosbay.com \
--to=dada1@cosmosbay.com \
--cc=netdev@vger.kernel.org \
--cc=opurdila@ixiacom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).