* [PATCH net] net: increase SOMAXCONN to 4096
@ 2019-10-30 16:36 Eric Dumazet
  2019-10-31  3:36 ` Willy Tarreau
  2019-10-31 21:02 ` David Miller
  0 siblings, 2 replies; 5+ messages in thread
From: Eric Dumazet @ 2019-10-30 16:36 UTC (permalink / raw)
  To: David S . Miller
  Cc: netdev, Eric Dumazet, Eric Dumazet, Neal Cardwell, Yuchung Cheng,
	Willy Tarreau, Yue Cao

SOMAXCONN is /proc/sys/net/core/somaxconn default value.

It has been defined as 128 more than 20 years ago.

Since it caps the listen() backlog values, the very small value has
caused numerous problems over the years, and many people had
to raise it on their hosts after being hit by problems.

Google has been using 1024 for at least 15 years, and we increased
this to 4096 after TCP listener rework has been completed, more than
4 years ago. We got no complaint of this change breaking any
legacy application.

Many applications indeed set up a TCP listener with listen(fd, -1);
meaning they let the system select the backlog.

Raising SOMAXCONN lowers chance of the port being unavailable under
even small SYNFLOOD attack, and reduces possibilities of side channel
vulnerabilities.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Yue Cao <ycao009@ucr.edu>
---
 Documentation/networking/ip-sysctl.txt | 4 ++--
 include/linux/socket.h                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 49e95f438ed7571a93bceffdc17846c35dd64fca..ffa5f8892a66ed3bfcd53903cc6badf28dfa0f50 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -207,8 +207,8 @@ TCP variables:
 
 somaxconn - INTEGER
 	Limit of socket listen() backlog, known in userspace as SOMAXCONN.
-	Defaults to 128.  See also tcp_max_syn_backlog for additional tuning
-	for TCP sockets.
+	Defaults to 4096. (Was 128 before linux-5.4)
+	See also tcp_max_syn_backlog for additional tuning for TCP sockets.
 
 tcp_abort_on_overflow - BOOLEAN
 	If listening service is too slow to accept new connections,
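Review bot: the replacement text "Defaults to 4096. (Was 128 before linux-5.4)" leaves the parenthetical without a closing period while the other entries in this file end every sentence with one; "Defaults to 4096 (was 128 before linux-5.4)." keeps the file's style. It would also help administrators to state here that the sysctl is only consulted when listen() is called, so raising it does not change the backlog of listeners that already exist; they must be re-created to pick up the new value.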
diff --git a/include/linux/socket.h b/include/linux/socket.h
index fc0bed59fc84ef8e6631d3c275853d52a46f84aa..4049d9755cf198bdda600a61485b36a888b9d879 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -263,7 +263,7 @@ struct ucred {
 #define PF_MAX		AF_MAX
 
 /* Maximum queue length specifiable by listen.  */
-#define SOMAXCONN	128
+#define SOMAXCONN	4096
 
 /* Flags we can use with send/ and recv.
    Added those for 1003.1g not all are supported yet
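Review bot: the comment kept above the define, "Maximum queue length specifiable by listen.", is now inaccurate in both directions: net.core.somaxconn can be raised well past 4096 and a smaller sysctl lowers the cap below it, so this constant is really the initial value of the sysctl rather than a hard maximum; consider rewording the comment to say "Default for net.core.somaxconn". Note also that this is the in-kernel include/linux/socket.h, not a uapi header, so applications that pass the libc-provided SOMAXCONN to listen() keep whatever value their libc headers define, independent of this change.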
-- 
2.24.0.rc0.303.g954a862665-goog



* Re: [PATCH net] net: increase SOMAXCONN to 4096
  2019-10-30 16:36 [PATCH net] net: increase SOMAXCONN to 4096 Eric Dumazet
@ 2019-10-31  3:36 ` Willy Tarreau
  2019-10-31  3:46   ` Eric Dumazet
  2019-10-31 21:02 ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Willy Tarreau @ 2019-10-31  3:36 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David S . Miller, netdev, Eric Dumazet, Neal Cardwell,
	Yuchung Cheng, Yue Cao

On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote:
> SOMAXCONN is /proc/sys/net/core/somaxconn default value.
> 
> It has been defined as 128 more than 20 years ago.
> 
> Since it caps the listen() backlog values, the very small value has
> caused numerous problems over the years, and many people had
> to raise it on their hosts after being hit by problems.
> 
> Google has been using 1024 for at least 15 years, and we increased
> this to 4096 after TCP listener rework has been completed, more than
> 4 years ago. We got no complaint of this change breaking any
> legacy application.
> 
> Many applications indeed set up a TCP listener with listen(fd, -1);
> meaning they let the system select the backlog.
> 
> Raising SOMAXCONN lowers chance of the port being unavailable under
> even small SYNFLOOD attack, and reduces possibilities of side channel
> vulnerabilities.

Just a quick question, I remember that when somaxconn is greater than
tcp_max_syn_backlog, SYN cookies are never emitted, but I think it
recently changed and there's no such constraint anymore. Do you
confirm it's no more needed, or should we also increase this latter
one accordingly ?

Willy


* Re: [PATCH net] net: increase SOMAXCONN to 4096
  2019-10-31  3:36 ` Willy Tarreau
@ 2019-10-31  3:46   ` Eric Dumazet
  2019-10-31  4:35     ` Willy Tarreau
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2019-10-31  3:46 UTC (permalink / raw)
  To: Willy Tarreau
  Cc: David S . Miller, netdev, Eric Dumazet, Neal Cardwell,
	Yuchung Cheng, Yue Cao

On Wed, Oct 30, 2019 at 8:36 PM Willy Tarreau <w@1wt.eu> wrote:
>
> On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote:
> > SOMAXCONN is /proc/sys/net/core/somaxconn default value.
> >
> > It has been defined as 128 more than 20 years ago.
> >
> > Since it caps the listen() backlog values, the very small value has
> > caused numerous problems over the years, and many people had
> > to raise it on their hosts after being hit by problems.
> >
> > Google has been using 1024 for at least 15 years, and we increased
> > this to 4096 after TCP listener rework has been completed, more than
> > 4 years ago. We got no complaint of this change breaking any
> > legacy application.
> >
> > Many applications indeed set up a TCP listener with listen(fd, -1);
> > meaning they let the system select the backlog.
> >
> > Raising SOMAXCONN lowers chance of the port being unavailable under
> > even small SYNFLOOD attack, and reduces possibilities of side channel
> > vulnerabilities.
>
> Just a quick question, I remember that when somaxconn is greater than
> tcp_max_syn_backlog, SYN cookies are never emitted, but I think it
> recently changed and there's no such constraint anymore. Do you
> confirm it's no more needed, or should we also increase this latter
> one accordingly ?
>

There is no relationship like that.

The only place somaxconn is used is in __sys_listen() to cap the
user-provided backlog.

somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
if ((unsigned int)backlog > somaxconn)
       backlog = somaxconn;

There is a second place in fastopen_queue_tune() but this is not
relevant for this discussion.

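An added example, not code from the patch or from anyone in the thread, that mirrors the __sys_listen() clamp Eric quotes so the effect of listen(fd, -1) on a given somaxconn is visible; effective_backlog() and read_somaxconn() are hypothetical helper names, and the 4096 fallback is the default this patch sets.

```c
/* Added example: replays the __sys_listen() backlog clamp in userspace and
 * then issues a real listen(fd, -1). Helper names are hypothetical; the
 * 4096 fallback is the default introduced by this patch (previously 128). */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

#define PATCH_SOMAXCONN 4096u  /* new default for net.core.somaxconn */

/* Same arithmetic as the kernel: the requested backlog is compared as an
 * unsigned int, so -1 becomes UINT_MAX and is clamped to somaxconn. */
static int effective_backlog(int requested, unsigned int somaxconn)
{
    if ((unsigned int)requested > somaxconn)
        return (int)somaxconn;
    return requested;
}

/* Read the live sysctl; fall back to the patch default when /proc/sys is
 * not available (e.g. a restricted container or a non-Linux host). */
static unsigned int read_somaxconn(void)
{
    FILE *f = fopen("/proc/sys/net/core/somaxconn", "r");
    unsigned int v = PATCH_SOMAXCONN;
    if (f) {
        if (fscanf(f, "%u", &v) != 1)
            v = PATCH_SOMAXCONN;
        fclose(f);
    }
    return v;
}

int main(void)
{
    unsigned int somaxconn = read_somaxconn();
    int requests[] = { -1, 0, 128, 1024, 100000 };  /* constructed inputs */
    size_t i;

    printf("somaxconn on this host: %u\n", somaxconn);
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("listen(fd, %d) -> effective backlog %d\n", requests[i],
               effective_backlog(requests[i], somaxconn));

    /* A real listener: the kernel applies exactly this clamp here. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || listen(fd, -1) < 0) { perror("listen"); return 1; }
    close(fd);
    return 0;
}
```

While the program runs, the Send-Q column of `ss -ltn` reports the listener's effective backlog, which is the value to compare against the printed clamp.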

* Re: [PATCH net] net: increase SOMAXCONN to 4096
  2019-10-31  3:46   ` Eric Dumazet
@ 2019-10-31  4:35     ` Willy Tarreau
  0 siblings, 0 replies; 5+ messages in thread
From: Willy Tarreau @ 2019-10-31  4:35 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David S . Miller, netdev, Eric Dumazet, Neal Cardwell,
	Yuchung Cheng, Yue Cao

On Wed, Oct 30, 2019 at 08:46:26PM -0700, Eric Dumazet wrote:
> On Wed, Oct 30, 2019 at 8:36 PM Willy Tarreau <w@1wt.eu> wrote:
> > Just a quick question, I remember that when somaxconn is greater than
> > tcp_max_syn_backlog, SYN cookies are never emitted, but I think it
> > recently changed and there's no such constraint anymore. Do you
> > confirm it's no more needed, or should we also increase this latter
> > one accordingly ?
> >
> 
> There is no relationship like that.
> 
> The only place somaxconn is used is in __sys_listen() to cap the
> user-provided backlog.
> 
> somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
> if ((unsigned int)backlog > somaxconn)
>        backlog = somaxconn;

OK, thanks for checking.

Willy


* Re: [PATCH net] net: increase SOMAXCONN to 4096
  2019-10-30 16:36 [PATCH net] net: increase SOMAXCONN to 4096 Eric Dumazet
  2019-10-31  3:36 ` Willy Tarreau
@ 2019-10-31 21:02 ` David Miller
  1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2019-10-31 21:02 UTC (permalink / raw)
  To: edumazet; +Cc: netdev, eric.dumazet, ncardwell, ycheng, w, ycao009

From: Eric Dumazet <edumazet@google.com>
Date: Wed, 30 Oct 2019 09:36:20 -0700

> SOMAXCONN is /proc/sys/net/core/somaxconn default value.
> 
> It has been defined as 128 more than 20 years ago.
> 
> Since it caps the listen() backlog values, the very small value has
> caused numerous problems over the years, and many people had
> to raise it on their hosts after being hit by problems.
> 
> Google has been using 1024 for at least 15 years, and we increased
> this to 4096 after TCP listener rework has been completed, more than
> 4 years ago. We got no complaint of this change breaking any
> legacy application.
> 
> Many applications indeed set up a TCP listener with listen(fd, -1);
> meaning they let the system select the backlog.
> 
> Raising SOMAXCONN lowers chance of the port being unavailable under
> even small SYNFLOOD attack, and reduces possibilities of side channel
> vulnerabilities.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied.

