Date: Mon, 20 Aug 2007 10:12:54 +0400
From: Igor Sysoev
To: Mike Silbersack
Cc: freebsd-net@freebsd.org, robert
Subject: Re: syncookie in 6.x and 7.x

On Sun, Aug 19, 2007 at 04:42:51AM -0500, Mike Silbersack wrote:

> On Thu, 16 Aug 2007, Igor Sysoev wrote:
>
> >I have looked at the sources and found that in early versions the sent counter
> >was simply not incremented at all. The patch is attached.
>
> The patch looks ready to commit to me. Do you want me to commit it, or do
> you have another committer lined up?

Feel free to commit.

> >After the patch has been applied I have found that 6 always sends
> >syncookies too, however, 6 unlike 7 never receives them. Why?
>
> Have you tried patching 6 so that the syncache is non-functional and
> forced it to rely on syncookies? Last I checked (which was a long time
> ago), syncookies worked on 6. Adding a sysctl like 7's
> net.inet.tcp.syncookies_only to 6 might not be a bad idea, as long as it's
> behind #ifdef DIAGNOSTIC or INVARIANTS.

No, I have not tried.

> The question you may really be asking is: Why does 7 *think* that it is
> receiving syncookies all the time? :)
>
> I haven't tried to answer that question yet.

I have found two 4.8's:

        17460166 syncache entries added
                106312 retransmitted
                90435 dupsyn
                0 dropped
                17424177 completed
                465 bucket overflow
                0 cache overflow
                21526 reset
                13725 stale
                0 aborted
                0 badack
                279 unreach
                0 zone failures
        0 cookies sent
        6 cookies received

        1671768 syncache entries added
                63163 retransmitted
                37566 dupsyn
                0 dropped
                1645430 completed
                248 bucket overflow
                0 cache overflow
                13144 reset
                12888 stale
                0 aborted
                0 badack
                174 unreach
                0 zone failures
        0 cookies sent
        116 cookies received

and 4.11's:

        5643772 syncache entries added
                45993 retransmitted
                41452 dupsyn
                0 dropped
                5630013 completed
                298 bucket overflow
                0 cache overflow
                7374 reset
                6030 stale
                0 aborted
                0 badack
                93 unreach
                0 zone failures
        0 cookies sent
        36 cookies received

        141791272 syncache entries added
                280354 retransmitted
                273529 dupsyn
                0 dropped
                141703800 completed
                206 bucket overflow
                0 cache overflow
                9847 reset
                35570 stale
                36034 aborted
                0 badack
                5854 unreach
                0 zone failures
        0 cookies sent
        40 cookies received

I have found one 6.1-PRERELEASE with 298 uptime:

        2672792190 syncache entries added
                83640383 retransmitted
                77727918 dupsyn
                282 dropped
                2645872801 completed
                0 bucket overflow
                0 cache overflow
                10974940 reset
                15657014 stale
                91 aborted
                52 badack
                287259 unreach
                0 zone failures
        0 cookies sent
        8 cookies received

The 4.x machines have uptimes from a week to a month.
On other 6.x with small uptime I do not see received cookies.
And I have no 5.x at all.

Anyway, 7 receives many more cookies; here are the statistics from 3 days of uptime:

        52175610 syncache entries added
                2092809 retransmitted
                2021384 dupsyn
                0 dropped
                51681903 completed
                0 bucket overflow
                0 cache overflow
                181311 reset
                258220 stale
                4 aborted
                0 badack
                18384 unreach
                0 zone failures
        52175610 cookies sent
        16238 cookies received

I have found that in 7 received cookies correlate with unreach.

-- 
Igor Sysoev
http://sysoev.ru/en/