NETSTAT
Zdenek Havelka
madloki na mail.cz
Neděle Listopad 4 05:29:20 CET 2001
On 02-Nov-2001 Ing. Pavel PaJaSoft Janousek wrote:
> Na TIME_WAIT kernel 2.2.X IMHO zadny parametr nema, 2.4.X mozna ano,
Viz /usr/src/linux/Documentation/networking/ip-sysctl.txt
kernel 2.4.*
tcp_max_orphans - INTEGER
Maximal number of TCP sockets not attached to any user file handle,
held by system. If this number is exceeded orphaned connections are
reset immediately and warning is printed. This limit exists
only to prevent simple DoS attacks, you _must_ not rely on this
or lower the limit artificially, but rather increase it
(probably, after increasing installed memory),
if network conditions require more than default value,
and tune network services to linger and kill such states
more aggressively. Let me to remind again: each orphan eats
up to ~64K of unswappable memory.
tcp_orphan_retries - INTEGER
How may times to retry before killing TCP connection, closed
by our side. Default value 7 corresponds to ~50sec-16min
depending on RTO. If you machine is loaded WEB server,
you should think about lowering this value, such sockets
may consume significant resources. Cf. tcp_max_orphans.
tcp_fin_timeout - INTEGER
Time to hold socket in state FIN-WAIT-2, if it was closed
by our side. Peer can be broken and never close its side,
or even died unexpectedly. Default value is 60sec.
Usual value used in 2.2 was 180 seconds, you may restore
it, but remember that if your machine is even underloaded WEB server,
you risk to overflow memory with kilotons of dead sockets,
FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
because they eat maximum 1.5K of memory, but they tend
to live longer. Cf. tcp_max_orphans.
kernel 2.2.*
tcp_retries1 - INTEGER
tcp_retries2 - INTEGER
tcp_max_delay_acks - INTEGER
tcp_fin_timeout - INTEGER
tcp_max_ka_probes - INTEGER
tcp_hoe_retransmits - INTEGER
Undocumented for now.
---
Zdenek Havelka
madloki na mail.cz
Další informace o konferenci Linux