[158638] in North American Network Operators' Group
Re: TCP time_wait and port exhaustion for servers
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Dec 5 17:25:22 2012
In-Reply-To: <20121205220127.7F6F12CA0F17@drugs.dv.isc.org>
From: William Herrin <bill@herrin.us>
Date: Wed, 5 Dec 2012 17:24:47 -0500
To: Mark Andrews <marka@isc.org>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews <marka@isc.org> wrote:
> In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ@mail.gmail.com>,
> William Herrin writes:
>> The thing is, Linux doesn't behave quite that way.
>>
>> If you do an anonymous connect(), that is you socket() and then
>> connect() without a bind() in the middle, then the limit applies *per
>> destination IP:port pair*. So, you should be able to do 30,000
>> connections to 192.168.1.1 port 80, another 30,000 connections to
>> 192.168.1.2 port 80, and so on.
>
> The socket api is missing a bind + connect call which restricts the
> source address when making the connect. This is needed when you
> are required to use a fixed source address.
Hi Mark,
There are ways around this problem in Linux. For example, you can mark
a packet with iptables based on the uid of the process which created
it and then you can NAT the source address based on the mark. A little
messy, but the tools are there.
Anyway, Ray didn't indicate that he needed a fixed source address
other than the one the machine would ordinarily choose for itself.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
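The "bind + connect" gap Mark raises, and the per-destination behaviour Bill describes for an anonymous connect(), shown in C as an added example (not code from the thread): a plain bind() to port 0 commits to an ephemeral port before the destination is known, so that port is spent across all destinations, whereas Linux's later IP_BIND_ADDRESS_NO_PORT socket option (kernel 4.2+) defers the choice to connect(). It assumes a Linux host and uses a throwaway loopback listener as the destination.

```c
/* Added example, not from the NANOG thread: fixed-source-address connect on Linux. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_BIND_ADDRESS_NO_PORT
#define IP_BIND_ADDRESS_NO_PORT 24   /* Linux uapi value, for headers older than the option */
#endif

static struct sockaddr_in loopback(int port)   /* 127.0.0.1:port */
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port) };
    inet_pton(AF_INET, "127.0.0.1", &a.sin_addr);
    return a;
}
static int local_port(int fd)                  /* source port currently assigned to fd */
{
    struct sockaddr_in a; socklen_t len = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &len) < 0 ? -1 : ntohs(a.sin_port);
}
/* Bind 127.0.0.1:0 (deferring the port if defer), connect to dst_port, and return the
 * source port seen right after bind(): nonzero means it was spent before connect()
 * knew the destination.  -2: option unsupported on this kernel; -1: error. */
static int port_after_bind(int dst_port, int defer)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (defer && setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &one, sizeof one) < 0) {
        close(fd); return -2;
    }
    struct sockaddr_in src = loopback(0), dst = loopback(dst_port);
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0) { close(fd); return -1; }
    int port = local_port(fd);                 /* with plain bind(), already nonzero here */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) port = -1;
    close(fd);
    return port;
}
/* 1: plain bind() spends a port early and deferral avoids it; 2: plain bind() spends
 * it but this kernel lacks the option; -1: the demo could not run here. */
static int run_demo(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);   /* throwaway listener as the destination */
    struct sockaddr_in a = loopback(0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, sizeof a) < 0 || listen(lfd, 8) < 0) return -1;
    int plain = port_after_bind(local_port(lfd), 0);
    int deferred = port_after_bind(local_port(lfd), 1);
    close(lfd);
    if (plain <= 0) return -1;
    return deferred == -2 ? 2 : (deferred == 0 ? 1 : -1);
}
```

With the option set, getsockname() after bind() reports port 0 and the port is only chosen once connect() knows the destination, so the same source port can be reused toward different peers just as with an anonymous connect().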