A porta tcp da origem do Stretch Debian é * sempre * mesmo

8

Durante a depuração de um comportamento estranho com um balanceador de carga do Azure, notei que minha pilha local de Stretch TCP do Debian estava apenas estabelecendo conexões TCP com uma porta com numeração par. Eu não inicio um único handshake TCP com uma porta de origem estranha. Isso é pretendido?

    
por Olivier Dauby 19.07.2017 / 15:01

1 resposta

11

É para reduzir a contenção entre connect() e bind() (apareceu no Linux 4.2; Jessie tem 3.16 e o Stretch 4.9):

commit 07f4c90062f8fc7c8c26f8f95324cbe8fa3145a5
Author: Eric Dumazet 
Date:   Sun May 24 14:49:35 2015 -0700

    tcp/dccp: try to not exhaust ip_local_port_range in connect()

    A long standing problem on busy servers is the tiny available TCP port
    range (/proc/sys/net/ipv4/ip_local_port_range) and the default
    sequential allocation of source ports in connect() system call.

    If a host is having a lot of active TCP sessions, chances are
    very high that all ports are in use by at least one flow,
    and subsequent bind(0) attempts fail, or have to scan a big portion of
    space to find a slot.

    In this patch, I changed the starting point in __inet_hash_connect()
    so that we try to favor even [1] ports, leaving odd ports for bind()
    users.

    We still perform a sequential search, so there is no guarantee, but
    if connect() targets are very different, end result is we leave
    more ports available to bind(), and we spread them all over the range,
    lowering time for both connect() and bind() to find a slot.

    This strategy only works well if /proc/sys/net/ipv4/ip_local_port_range
    is even, ie if start/end values have different parity.

    Therefore, default /proc/sys/net/ipv4/ip_local_port_range was changed to
    32768 - 60999 (instead of 32768 - 61000)

    There is no change on security aspects here, only some poor hashing
    schemes could be eventually impacted by this change.

    [1] : The odd/even property depends on ip_local_port_range values parity

Você também pode querer ver o seguinte commit 1580ab63fc9a03593072cc5656167a75c4f1d173 .

    
por 20.07.2017 / 16:15