| Message ID | 1477499277.7065.193.camel@edumazet-glaptop3.roam.corp.google.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, Oct 26, 2016 at 12:27 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote: > From: Eric Dumazet <edumazet@google.com> > > Per listen(fd, backlog) rules, there is really no point accepting a SYN, > sending a SYNACK, and dropping the following ACK packet if accept queue > is full, because application is not draining accept queue fast enough. > > This behavior is fooling TCP clients that believe they established a > flow, while there is nothing at server side. They might then send about > 10 MSS (if using IW10) that will be dropped anyway while server is under > stress. > > Signed-off-by: Eric Dumazet <edumazet@google.com> > --- Acked-by: Neal Cardwell <ncardwell@google.com> Great. Thanks, Eric! neal
On Wed, Oct 26, 2016 at 11:39 AM, Neal Cardwell <ncardwell@google.com> wrote: > > On Wed, Oct 26, 2016 at 12:27 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote: > > From: Eric Dumazet <edumazet@google.com> > > > > Per listen(fd, backlog) rules, there is really no point accepting a SYN, > > sending a SYNACK, and dropping the following ACK packet if accept queue > > is full, because application is not draining accept queue fast enough. > > > > This behavior is fooling TCP clients that believe they established a > > flow, while there is nothing at server side. They might then send about > > 10 MSS (if using IW10) that will be dropped anyway while server is under > > stress. > > > > Signed-off-by: Eric Dumazet <edumazet@google.com> > > --- > > Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> It's too bad the git has no history of the extra young sockets check. it seemed to be some kind bandaid fix before syn-cookie was invented? > > Great. Thanks, Eric! > > neal
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Wed, 26 Oct 2016 09:27:57 -0700 > From: Eric Dumazet <edumazet@google.com> > > Per listen(fd, backlog) rules, there is really no point accepting a SYN, > sending a SYNACK, and dropping the following ACK packet if accept queue > is full, because application is not draining accept queue fast enough. > > This behavior is fooling TCP clients that believe they established a > flow, while there is nothing at server side. They might then send about > 10 MSS (if using IW10) that will be dropped anyway while server is under > stress. > > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied.
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 197a30d221e92b839e2e96fa37f4a796514ea461..146054ceea8e0566f79739b1ed115dea53423258 100644 --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -289,11 +289,6 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) return reqsk_queue_len(&inet_csk(sk)->icsk_accept_queue); } -static inline int inet_csk_reqsk_queue_young(const struct sock *sk) -{ - return reqsk_queue_len_young(&inet_csk(sk)->icsk_accept_queue); -} - static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) { return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 345a3aeb8c7e36449a765298cd6512eab8cfef4b..a957acac2337680f619fef09f19660a3b4c309d3 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -588,13 +588,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop; - /* - * Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop; req = inet_reqsk_alloc(&dccp_request_sock_ops, sk, true); diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 3828f94b234c1104a3e745b3c0a76ab343aed4b6..32f9f1a189f8b8082bfdebd97baa04045562a3c6 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -325,7 +325,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop; - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop; req = inet_reqsk_alloc(&dccp6_request_sock_ops, sk, true); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a27b9c0e27c08b4e4aeaff3d0bfdf3ae561ba4d8..f2c59c8e57ff195c803ac05e6897242a6b097d00 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6298,13 +6298,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, goto drop; } - - /* Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) { + if (sk_acceptq_is_full(sk)) { NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); goto drop; }