From: Eric Dumazet <edumazet@google.com>
To: Willy Tarreau <w@1wt.eu>
Cc: "David S . Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Neal Cardwell <ncardwell@google.com>,
	Yuchung Cheng <ycheng@google.com>, Yue Cao <ycao009@ucr.edu>
Subject: Re: [PATCH net] net: increase SOMAXCONN to 4096
Date: Wed, 30 Oct 2019 20:46:26 -0700	[thread overview]
Message-ID: <CANn89i+8FOTfq328Tv4YvhcTEn9fte6Wm4YizqubcRz=0gyiwQ@mail.gmail.com> (raw)
In-Reply-To: <20191031033632.GE29986@1wt.eu>

On Wed, Oct 30, 2019 at 8:36 PM Willy Tarreau <w@1wt.eu> wrote:
>
> On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote:
> > SOMAXCONN is /proc/sys/net/core/somaxconn default value.
> >
> > It has been defined as 128 more than 20 years ago.
> >
> > Since it caps the listen() backlog values, the very small value has
> > caused numerous problems over the years, and many people had
> > to raise it on their hosts after being hit by problems.
> >
> > Google has been using 1024 for at least 15 years, and we increased
> > this to 4096 after TCP listener rework has been completed, more than
> > 4 years ago. We got no complaint of this change breaking any
> > legacy application.
> >
> > Many applications indeed setup a TCP listener with listen(fd, -1);
> > meaning they let the system select the backlog.
> >
> > Raising SOMAXCONN lowers chance of the port being unavailable under
> > even small SYNFLOOD attack, and reduces possibilities of side channel
> > vulnerabilities.
>
> Just a quick question, I remember that when somaxconn is greater than
> tcp_max_syn_backlog, SYN cookies are never emitted, but I think it
> recently changed and there's no such constraint anymore. Do you
> confirm it's no more needed, or should we also increase this latter
> one accordingly?
>

There is no relationship like that.

The only place somaxconn is used is in __sys_listen() to cap the
user-provided backlog.

	somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
	if ((unsigned int)backlog > somaxconn)
		backlog = somaxconn;

There is a second place in fastopen_queue_tune() but this is not
relevant for this discussion.
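The capping logic quoted above, reproduced here as an added example (not code from the kernel tree or from this thread) to show why listen(fd, -1) ends up at exactly somaxconn: the comparison is done on an unsigned cast, so a negative backlog wraps to a huge value and is clamped. The /proc path is the real sysctl file; the fallback used when it cannot be read is an assumption so the program also runs on hosts without it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Default the patch proposes for SOMAXCONN (128 for the previous 20+ years). */
#define SOMAXCONN_NEW 4096

/*
 * Mirror of the clamp in __sys_listen(): backlog is compared as unsigned,
 * so -1 (and any negative value) becomes UINT_MAX-ish and is capped to
 * somaxconn. That is what "let the system select the backlog" means.
 */
int effective_backlog(int backlog, unsigned int somaxconn)
{
    if ((unsigned int)backlog > somaxconn)
        backlog = (int)somaxconn;
    return backlog;
}

/*
 * Read the live sysctl from a procfs-style file (normally
 * /proc/sys/net/core/somaxconn). `fallback` is an assumed value returned
 * when the file is missing or unreadable, e.g. on a non-Linux host.
 */
unsigned int read_somaxconn(const char *path, unsigned int fallback)
{
    FILE *f = fopen(path, "r");
    unsigned int v = fallback;
    if (f) {
        if (fscanf(f, "%u", &v) != 1)
            v = fallback;
        fclose(f);
    }
    return v;
}

int main(void)
{
    unsigned int cur = read_somaxconn("/proc/sys/net/core/somaxconn", SOMAXCONN_NEW);
    int requested[] = { -1, 0, 128, 1024, 5000 }; /* constructed sample requests */
    printf("somaxconn=%u (128 before the patch, 4096 after)\n", cur);
    for (size_t i = 0; i < sizeof requested / sizeof requested[0]; i++)
        printf("listen(fd, %5d) -> effective backlog %d\n", requested[i],
               effective_backlog(requested[i], cur));
    return 0;
}
```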
