What does setting tcp_orphan_retries to 0 mean?

Does setting tcp_orphan_retries to 0 mean there is no limit on retries, or does it mean it will not retry at all?

It does not mean "try forever", it means "do not try". This is the server politely trying to tell the client that it is about to close its socket, and that it would be nice if the client would please disconnect in an orderly way, or send more data. It will try X times to get a response from the client, and after X it reclaims the socket on the system side.

Setting this number to 0 tells me that the server is heavily used and has a zero-tolerance policy for orphans. It could also be a DDoS response: a lot of what a DDoS does is open socket connections and then just hang on them, doing nothing.

Setting tcp_orphan_retries to 0 is a special case; see tcp_timer.c:

```c
/* Calculate maximal number of retries on an orphaned socket. */
static int tcp_orphan_retries(struct sock *sk, int alive)
{
	int retries = sysctl_tcp_orphan_retries; /* May be zero. */

	/* We know from an ICMP that something is wrong. */
	if (sk->sk_err_soft && !alive)
		retries = 0;

	/* However, if socket sent something recently, select some safe
	 * number of retries. 8 corresponds to >100 seconds with minimal
	 * RTO of 200msec. */
	if (retries == 0 && alive)
		retries = 8;
	return retries;
}
```

Pretty sure this means it will not retry. These comments in the kernel source (tcp_timer.c) support that:

```c
/* Do not allow orphaned sockets to eat all our resources.
 * This is direct violation of TCP specs, but it is required
 * to prevent DoS attacks. It is called when a retransmission timeout
 * or zero probe timeout occurs on orphaned socket.
 *
 * Criteria is still not confirmed experimentally and may change.
 * We kill the socket, if:
 * 1. If number of orphaned sockets exceeds an administratively configured
 *    limit.
 * 2. If we have strong memory pressure.
 */
```
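Both answers above quote the kernel's retry-count selection but neither shows what it works out to in seconds, which is what you actually care about when choosing a value. The program below is an added example, not code from either answer or from the kernel: it re-implements the retry selection from the first answer and combines it with the kernel's exponential RTO backoff to estimate how long an orphan survives before it is killed. The constants (TCP_RTO_MIN 200 ms, TCP_RTO_MAX 120 s), the timeout formula `((2 << retries) - 1) * rto_base` until the RTO saturates, and the meaning of `alive` (the socket's RTO has not yet backed off to its maximum, which the kernel comment paraphrases as "sent something recently") are assumptions taken from tcp_timer.c of that era and should be checked against the kernel you run.

```c
/* Added example: worst-case lifetime of an orphaned socket under
 * net.ipv4.tcp_orphan_retries. Not kernel code; constants and the backoff
 * formula are assumptions modelled on Linux tcp_timer.c. */
#include <stdio.h>

#define TCP_RTO_MIN_MS 200U      /* minimal RTO, as in the kernel comment */
#define TCP_RTO_MAX_MS 120000U   /* RTO ceiling, 120 s (assumed) */

/* Effective retry count for an orphan: the answer's tcp_orphan_retries() logic.
 * sysctl   : value of net.ipv4.tcp_orphan_retries (may be 0)
 * err_soft : an ICMP error has been recorded on the socket
 * alive    : RTO has not yet backed off to TCP_RTO_MAX ("sent something recently") */
unsigned int orphan_retries(unsigned int sysctl, int err_soft, int alive)
{
    unsigned int retries = sysctl;
    if (err_soft && !alive)
        retries = 0;          /* ICMP says something is wrong: give up at once */
    if (retries == 0 && alive)
        retries = 8;          /* 0 on a live socket is promoted to 8 */
    return retries;
}

/* Integer log2 for positive input, like the kernel's ilog2(). */
static unsigned int ilog2u(unsigned int v)
{
    unsigned int l = 0;
    while (v >>= 1)
        l++;
    return l;
}

/* Milliseconds from the first retransmission timeout until the orphan is
 * killed when `boundary` retries are allowed: the RTO doubles from rto_base_ms
 * on each retry until it reaches TCP_RTO_MAX_MS, after which every further
 * retry costs a full TCP_RTO_MAX_MS (assumed kernel formula). */
unsigned long orphan_timeout_ms(unsigned int boundary, unsigned int rto_base_ms)
{
    unsigned int linear_backoff_thresh = ilog2u(TCP_RTO_MAX_MS / rto_base_ms);
    if (boundary <= linear_backoff_thresh)
        return ((2UL << boundary) - 1) * rto_base_ms;
    return ((2UL << linear_backoff_thresh) - 1) * rto_base_ms
           + (unsigned long)(boundary - linear_backoff_thresh) * TCP_RTO_MAX_MS;
}

/* Convenience: lifetime for a sysctl value and socket state at the minimal RTO. */
unsigned long orphan_lifetime_ms(unsigned int sysctl, int err_soft, int alive)
{
    return orphan_timeout_ms(orphan_retries(sysctl, err_soft, alive), TCP_RTO_MIN_MS);
}

int main(void)
{
    /* Constructed scenarios, not measurements. */
    struct { unsigned int sysctl; int err_soft, alive; const char *what; } cases[] = {
        { 0, 0, 1, "sysctl=0, RTO still backing off (alive)" },
        { 0, 0, 0, "sysctl=0, RTO already at max (not alive)" },
        { 5, 1, 0, "sysctl=5, ICMP error and not alive" },
        { 1, 0, 1, "sysctl=1" },
        { 8, 0, 1, "sysctl=8" },
        { 15, 0, 1, "sysctl=15" },
    };
    for (unsigned int i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int r = orphan_retries(cases[i].sysctl, cases[i].err_soft, cases[i].alive);
        printf("%-44s retries=%2u  lifetime=%8.1f s\n", cases[i].what, r,
               orphan_timeout_ms(r, TCP_RTO_MIN_MS) / 1000.0);
    }
    return 0;
}
```

The two rows for sysctl=0 are the point: on a socket whose RTO is still backing off, 0 is promoted to 8 retries and the orphan lingers for roughly 102 s at the minimal RTO, whereas on a socket that has already exhausted its backoff (or has a soft ICMP error) it is dropped at the very next timer expiry. A small non-zero value such as 1 is therefore a more predictable way to shorten orphan lifetime than 0, and either way the tcp_max_orphans limit and memory pressure described in the second answer can kill the socket earlier.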