Does setting tcp_orphan_retries to 0 mean there is no limit on the number of retries, or that no retries are made at all?
Answer 1
It does not mean "try forever", it means "don't try at all". This is the server trying to politely tell the client that it is about to close its socket, and if the client would like to disconnect in an orderly fashion or send more data, that would be great. It will try X times to get the client to respond, and after X tries it reclaims the socket on the system side.
Setting that number to 0 would tell me that the server is heavily used and has a zero-tolerance policy for orphans. It could also be a response to DDOS: many DDOS attacks work by opening socket connections and then just hanging there, doing nothing.
Answer 2
Setting tcp_orphan_retries to 0 is a special case, see tcp_timer.c:
/* Calculate maximal number or retries on an orphaned socket. */
static int tcp_orphan_retries(struct sock *sk, int alive)
{
	int retries = sysctl_tcp_orphan_retries; /* May be zero. */

	/* We know from an ICMP that something is wrong. */
	if (sk->sk_err_soft && !alive)
		retries = 0;

	/* However, if socket sent something recently, select some safe
	 * number of retries. 8 corresponds to >100 seconds with minimal
	 * RTO of 200msec. */
	if (retries == 0 && alive)
		retries = 8;
	return retries;
}
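As an added illustration (not part of the answer above), here is a small Python model of that special case together with the backoff arithmetic behind the "8 corresponds to >100 seconds" comment. The timeout calculation assumes the kernel's usual exponential backoff from TCP_RTO_MIN (200 ms) capped at TCP_RTO_MAX (120 s); those constants and the helper names are my own, not taken from this page.

```python
# Added example: models tcp_orphan_retries() from tcp_timer.c and the
# wall-clock time the resulting retry budget implies. Constants are
# assumptions (TCP_RTO_MIN = 200 ms, TCP_RTO_MAX = 120 s), not from the page.

TCP_RTO_MIN = 0.2    # seconds, minimal retransmission timeout
TCP_RTO_MAX = 120.0  # seconds, ceiling on the retransmission timeout


def tcp_orphan_retries(sysctl_value: int, sk_err_soft: bool, alive: bool) -> int:
    """Effective retry budget for an orphaned socket, mirroring the C above."""
    retries = sysctl_value                 # May be zero.
    if sk_err_soft and not alive:          # An ICMP error told us something is wrong.
        retries = 0
    if retries == 0 and alive:             # Socket sent something recently:
        retries = 8                        # pick a safe number of retries instead of 0.
    return retries


def orphan_timeout_seconds(retries: int) -> float:
    """Seconds an orphan lingers before being killed after `retries` retransmissions.

    The initial RTO plus one doubled RTO per retransmission, each capped at
    TCP_RTO_MAX (assumed backoff model, see lead-in).
    """
    total = 0.0
    rto = TCP_RTO_MIN
    for _ in range(retries + 1):
        total += rto
        rto = min(rto * 2, TCP_RTO_MAX)
    return total


if __name__ == "__main__":
    cases = [
        (0, False, True),   # sysctl 0, socket alive   -> falls back to 8
        (0, True, False),   # sysctl 0, ICMP error     -> 0, drop immediately
        (5, False, True),   # explicit sysctl value    -> used as-is
    ]
    for sysctl, soft, alive in cases:
        r = tcp_orphan_retries(sysctl, soft, alive)
        print(f"sysctl={sysctl} err_soft={soft} alive={alive} -> "
              f"retries={r}, orphan kept ~{orphan_timeout_seconds(r):.1f}s")
```

With sysctl_value 0 and a live socket the budget becomes 8 retries, which under this backoff model is about 102 s, matching the ">100 seconds" remark.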
Answer 3
Pretty sure it means it won't retry at all. These comments in the kernel source (tcp_timer.c) support that:
/* Do not allow orphaned sockets to eat all our resources.
* This is direct violation of TCP specs, but it is required
* to prevent DoS attacks. It is called when a retransmission timeout
* or zero probe timeout occurs on orphaned socket.
*
* Criteria is still not confirmed experimentally and may change.
* We kill the socket, if:
* 1. If number of orphaned sockets exceeds an administratively configured
* limit.
* 2. If we have strong memory pressure.
*/