Changing tcp_fin_timeout and tcp_max_tw_buckets
Environment
- Red Hat Enterprise Linux 5
Issue
- What is the valid range of net.ipv4.tcp_fin_timeout and net.ipv4.tcp_max_tw_buckets?
- How is the system affected by these two settings?
Resolution
- The range for both parameters is 0 to 2147483.
- If you set too large a value for tcp_fin_timeout, the system may run out of ports, file descriptors and memory. If you set too small a value, the system may leak delayed packets.
- If you set too large a value for tcp_max_tw_buckets, the system may run out of ports, file descriptors and memory. If you set too small a value, the system may be unable to communicate with another host.
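The following POSIX shell helpers are an added example, not part of the Red Hat article: they check a candidate value against the 0 to 2147483 range given above before writing it with sysctl, and count TIME_WAIT sockets from constructed ss/netstat-style output so the effect of tcp_max_tw_buckets can be watched. The function names and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Range per the Resolution above.
TCP_SYSCTL_MIN=0
TCP_SYSCTL_MAX=2147483

# in_tcp_sysctl_range VALUE -> exit 0 if VALUE is a non-negative integer within range
in_tcp_sysctl_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, negative or non-numeric: reject
    esac
    [ "$1" -ge "$TCP_SYSCTL_MIN" ] && [ "$1" -le "$TCP_SYSCTL_MAX" ]
}

# set_tcp_sysctl NAME VALUE -> validate, then apply at runtime (needs root).
# To persist across reboots on RHEL 5, also add "NAME = VALUE" to /etc/sysctl.conf.
set_tcp_sysctl() {
    case "$1" in
        net.ipv4.tcp_fin_timeout|net.ipv4.tcp_max_tw_buckets) ;;
        *) echo "set_tcp_sysctl: unsupported parameter $1" >&2; return 2 ;;
    esac
    if ! in_tcp_sysctl_range "$2"; then
        echo "$1: value $2 is outside $TCP_SYSCTL_MIN-$TCP_SYSCTL_MAX" >&2
        return 1
    fi
    sysctl -w "$1=$2"
}

# count_time_wait -> reads `ss -tan` or `netstat -tan` output on stdin and
# prints the number of TIME_WAIT sockets (ss spells it TIME-WAIT, netstat TIME_WAIT)
count_time_wait() {
    awk '/TIME[-_]WAIT/ { n++ } END { print n + 0 }'
}

# Constructed sample of `ss -tan` output for offline use (not a real capture)
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:22          10.0.0.9:51234
TIME-WAIT  0      0      10.0.0.5:80          10.0.0.7:40112
TIME-WAIT  0      0      10.0.0.5:80          10.0.0.7:40113
FIN-WAIT-2 0      0      10.0.0.5:443         10.0.0.8:33201'

# Usage on a live host: ss -tan | count_time_wait   (compare against
# net.ipv4.tcp_max_tw_buckets; when the limit is hit the kernel logs a warning)
printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_time_wait
```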
Root Cause
- TCP(7)
tcp_fin_timeout (integer; default: 60)
This specifies how many seconds to wait for a final FIN packet before the socket is forcibly closed. This is strictly a violation of the TCP specification, but required to prevent denial-of-service attacks. In Linux 2.2, the default value was 180.
<snip>
tcp_max_tw_buckets (integer; default: see below)
The maximum number of sockets in TIME_WAIT state allowed in the system. This limit exists only to prevent simple denial-of-service attacks. The default value of NR_FILE*2 is adjusted depending on the memory in the system. If this number is exceeded, the socket is closed and a warning is printed.
<snip>
TCP_LINGER2
The lifetime of orphaned FIN_WAIT2 state sockets. This option can be used to override the system wide sysctl tcp_fin_timeout on this socket. This is not to be confused with the socket(7) level option SO_LINGER. This option should not be used in code intended to be portable.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.