Message ID | 20191030163620.140387-1-edumazet@google.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net] net: increase SOMAXCONN to 4096 | expand |
On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote: > SOMAXCONN is /proc/sys/net/core/somaxconn default value. > > It has been defined as 128 more than 20 years ago. > > Since it caps the listen() backlog values, the very small value has > caused numerous problems over the years, and many people had > to raise it on their hosts after beeing hit by problems. > > Google has been using 1024 for at least 15 years, and we increased > this to 4096 after TCP listener rework has been completed, more than > 4 years ago. We got no complain of this change breaking any > legacy application. > > Many applications indeed setup a TCP listener with listen(fd, -1); > meaning they let the system select the backlog. > > Raising SOMAXCONN lowers chance of the port being unavailable under > even small SYNFLOOD attack, and reduces possibilities of side channel > vulnerabilities. Just a quick question, I remember that when somaxconn is greater than tcp_max_syn_backlog, SYN cookies are never emitted, but I think it recently changed and there's no such constraint anymore. Do you confirm it's no more needed, or should we also increase this latter one accordingly ? Willy
On Wed, Oct 30, 2019 at 8:36 PM Willy Tarreau <w@1wt.eu> wrote: > > On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote: > > SOMAXCONN is /proc/sys/net/core/somaxconn default value. > > > > It has been defined as 128 more than 20 years ago. > > > > Since it caps the listen() backlog values, the very small value has > > caused numerous problems over the years, and many people had > > to raise it on their hosts after beeing hit by problems. > > > > Google has been using 1024 for at least 15 years, and we increased > > this to 4096 after TCP listener rework has been completed, more than > > 4 years ago. We got no complain of this change breaking any > > legacy application. > > > > Many applications indeed setup a TCP listener with listen(fd, -1); > > meaning they let the system select the backlog. > > > > Raising SOMAXCONN lowers chance of the port being unavailable under > > even small SYNFLOOD attack, and reduces possibilities of side channel > > vulnerabilities. > > Just a quick question, I remember that when somaxconn is greater than > tcp_max_syn_backlog, SYN cookies are never emitted, but I think it > recently changed and there's no such constraint anymore. Do you > confirm it's no more needed, or should we also increase this latter > one accordingly ? > There is no relationship like that. The only place somaxconn is use is in __sys_listen() to cap the user-provided backlog. somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn; if ((unsigned int)backlog > somaxconn) backlog = somaxconn; There is a second place in fastopen_queue_tune() but this is not relevant for this discussion.
On Wed, Oct 30, 2019 at 08:46:26PM -0700, Eric Dumazet wrote: > On Wed, Oct 30, 2019 at 8:36 PM Willy Tarreau <w@1wt.eu> wrote: > > Just a quick question, I remember that when somaxconn is greater than > > tcp_max_syn_backlog, SYN cookies are never emitted, but I think it > > recently changed and there's no such constraint anymore. Do you > > confirm it's no more needed, or should we also increase this latter > > one accordingly ? > > > > There is no relationship like that. > > The only place somaxconn is use is in __sys_listen() to cap the > user-provided backlog. > > somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn; > if ((unsigned int)backlog > somaxconn) > backlog = somaxconn; OK, thanks for checking. Willy
From: Eric Dumazet <edumazet@google.com> Date: Wed, 30 Oct 2019 09:36:20 -0700 > SOMAXCONN is /proc/sys/net/core/somaxconn default value. > > It has been defined as 128 more than 20 years ago. > > Since it caps the listen() backlog values, the very small value has > caused numerous problems over the years, and many people had > to raise it on their hosts after beeing hit by problems. > > Google has been using 1024 for at least 15 years, and we increased > this to 4096 after TCP listener rework has been completed, more than > 4 years ago. We got no complain of this change breaking any > legacy application. > > Many applications indeed setup a TCP listener with listen(fd, -1); > meaning they let the system select the backlog. > > Raising SOMAXCONN lowers chance of the port being unavailable under > even small SYNFLOOD attack, and reduces possibilities of side channel > vulnerabilities. > > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied.
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index 49e95f438ed7571a93bceffdc17846c35dd64fca..ffa5f8892a66ed3bfcd53903cc6badf28dfa0f50 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -207,8 +207,8 @@ TCP variables: somaxconn - INTEGER Limit of socket listen() backlog, known in userspace as SOMAXCONN. - Defaults to 128. See also tcp_max_syn_backlog for additional tuning - for TCP sockets. + Defaults to 4096. (Was 128 before linux-5.4) + See also tcp_max_syn_backlog for additional tuning for TCP sockets. tcp_abort_on_overflow - BOOLEAN If listening service is too slow to accept new connections, diff --git a/include/linux/socket.h b/include/linux/socket.h index fc0bed59fc84ef8e6631d3c275853d52a46f84aa..4049d9755cf198bdda600a61485b36a888b9d879 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -263,7 +263,7 @@ struct ucred { #define PF_MAX AF_MAX /* Maximum queue length specifiable by listen. */ -#define SOMAXCONN 128 +#define SOMAXCONN 4096 /* Flags we can use with send/ and recv. Added those for 1003.1g not all are supported yet
SOMAXCONN is /proc/sys/net/core/somaxconn default value. It has been defined as 128 more than 20 years ago. Since it caps the listen() backlog values, the very small value has caused numerous problems over the years, and many people had to raise it on their hosts after beeing hit by problems. Google has been using 1024 for at least 15 years, and we increased this to 4096 after TCP listener rework has been completed, more than 4 years ago. We got no complain of this change breaking any legacy application. Many applications indeed setup a TCP listener with listen(fd, -1); meaning they let the system select the backlog. Raising SOMAXCONN lowers chance of the port being unavailable under even small SYNFLOOD attack, and reduces possibilities of side channel vulnerabilities. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Willy Tarreau <w@1wt.eu> Cc: Yue Cao <ycao009@ucr.edu> --- Documentation/networking/ip-sysctl.txt | 4 ++-- include/linux/socket.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)