Changing tcp_fin_timeout and tcp_max_tw_buckets

Solution Unverified

Environment

  • Red Hat Enterprise Linux 5

Issue

  • What is the valid range of net.ipv4.tcp_fin_timeout and net.ipv4.tcp_max_tw_buckets?
  • How is a system affected by the values of the above?

Resolution

  • The range is 0 to 2147483.
  • If you set tcp_fin_timeout too large, the system may run out of ports, file descriptors and memory. If you set it too small, the system may leak delayed packets.
  • If you set tcp_max_tw_buckets too large, the system may run out of ports, file descriptors and memory. If you set it too small, the system may not be able to communicate with another host.

Root Cause

  • TCP(7)

           tcp_fin_timeout (integer; default: 60)
                  This specifies how many seconds to wait for a final FIN packet
                  before the socket is forcibly closed. This is strictly a
                  violation of the TCP specification, but required to prevent
                  denial-of-service attacks. In Linux 2.2, the default value was 180.
    <snip>
           tcp_max_tw_buckets (integer; default: see below)
                  The maximum number of sockets in TIME_WAIT state allowed in the
                  system. This limit exists only to prevent simple denial-of-service
                  attacks. The default value of NR_FILE*2 is adjusted depending on
                  the memory in the system. If this number is exceeded, the socket
                  is closed and a warning is printed.
    <snip>
           TCP_LINGER2
                  The lifetime of orphaned FIN_WAIT2 state sockets. This option can
                  be used to override the system wide sysctl tcp_fin_timeout on this
                  socket. This is not to be confused with the socket(7) level option
                  SO_LINGER. This option should not be used in code intended to be
                  portable.
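The following script is an added example and not part of the Red Hat solution: it validates candidate values against the 0 to 2147483 range given in the Resolution and reports how close the current TIME_WAIT count is to tcp_max_tw_buckets, reading the count from the "TCP:" line of /proc/net/sockstat. The 80% warning threshold and the sample sockstat line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Validates proposed sysctl
# values against the 0..2147483 range stated above and gauges TIME_WAIT
# pressure from the "TCP:" line of /proc/net/sockstat. The 80% warning
# threshold is an assumption chosen for this example.
TCP_SYSCTL_MAX=2147483

# check_range NAME VALUE: prints a verdict, returns 0 only if VALUE is in range.
check_range() {
    name=$1; value=$2
    case $value in
        ''|*[!0-9]*) echo "$name: '$value' is not a non-negative integer"; return 1 ;;
    esac
    if [ "$value" -gt "$TCP_SYSCTL_MAX" ]; then
        echo "$name: $value exceeds $TCP_SYSCTL_MAX"; return 1
    fi
    echo "$name: $value ok"
}

# tw_pressure SOCKSTAT_LINE MAX_TW: prints the percentage of tcp_max_tw_buckets
# currently used by TIME_WAIT sockets; returns 1 at or above the 80% threshold.
# At 100% the kernel closes the socket instead of keeping it in TIME_WAIT and
# prints a warning (see the tcp(7) excerpt above).
tw_pressure() {
    line=$1; max_tw=$2
    [ "$max_tw" -gt 0 ] 2>/dev/null || { echo "invalid tcp_max_tw_buckets"; return 2; }
    tw=$(printf '%s\n' "$line" | awk '{for (i = 1; i < NF; i++) if ($i == "tw") print $(i + 1)}')
    [ -n "$tw" ] || { echo "no tw field in: $line"; return 2; }
    pct=$(( tw * 100 / max_tw ))
    echo "$pct"
    [ "$pct" -lt 80 ]
}

# Demo on a constructed sockstat line. On a live host the inputs come from:
#   cat /proc/net/sockstat
#   sysctl -n net.ipv4.tcp_max_tw_buckets
SAMPLE='TCP: inuse 120 orphan 3 tw 45000 alloc 130 mem 40'
check_range tcp_fin_timeout 60
check_range tcp_max_tw_buckets 180000
echo "TIME_WAIT usage: $(tw_pressure "$SAMPLE" 180000)% of tcp_max_tw_buckets"
```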

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
