
内核参数 tcp_syn_retries 参数

/proc/sys/net/ipv4/tcp_syn_retries 的值表示客户端(例如 socket 的 s.connect())发起连接时,在服务端一直未返回 SYN+ACK 的情况下,内核从第一个 SYN 包发出之后重传 SYN 的最大次数;每次重试的等待时间也由此推算。
tcp_syn_retries 默认是 6。本机主动发起 SYN 连接时,如果一直收不到服务端返回的 SYN+ACK,那么应用程序等待的最长时间是 127 秒,即 1+2+4+8+16+32+64 = 2^7-1 秒。

# 测试,服务端启动nginx,监听80端口
# 服务端通过iptables拒绝80端口的syn包
[root@centos ~]# iptables -A INPUT -p tcp --dport 80 --syn -j DROP

 

# 客户端查看tcp_syn_retries值
root@rootop:/proc/sys/net/ipv4# cat tcp_syn_retries 
6

 

# 客户端telnet连接
root@rootop:~# telnet 106.53.233.92 80

 

# 服务端抓包
[root@centos ~]# tcpdump -i eth0 -n src 101.32.23.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
第一次访问  
11:00:35.015937 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2288999938 ecr 0,nop,wscale 7], length 0

# 重试第1次访问,间隔 2^0=1 秒
11:00:36.019825 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289000942 ecr 0,nop,wscale 7], length 0

# 重试第2次访问,间隔 2^1=2 秒
11:00:38.035884 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289002958 ecr 0,nop,wscale 7], length 0

# 重试第3次访问,间隔 2^2=4 秒
11:00:42.163811 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289007086 ecr 0,nop,wscale 7], length 0

# 重试第4次访问,间隔 2^3=8 秒
11:00:50.355830 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289015278 ecr 0,nop,wscale 7], length 0

# 重试第5次访问,间隔2^4=16 秒
11:01:06.483835 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289031406 ecr 0,nop,wscale 7], length 0

# 重试第6次访问,间隔2^5=32 秒
11:01:40.531835 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289065454 ecr 0,nop,wscale 7], length 0

 

# 客户端tcp_syn_retries改为10次
root@rootop:/proc/sys/net/ipv4# cat tcp_syn_retries 
10

再次访问并抓包

[root@centos ~]# tcpdump -i eth0 -n src 101.32.23.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
第一次访问
12:23:01.071964 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293945993 ecr 0,nop,wscale 7], length 0

# 重试第1次访问,间隔 2^0=1 秒
12:23:02.100530 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293947022 ecr 0,nop,wscale 7], length 0

# 重试第2次访问,间隔 2^1=2 秒
12:23:04.116528 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293949038 ecr 0,nop,wscale 7], length 0

# 重试第3次访问,间隔 2^2=4 秒
12:23:08.340521 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293953262 ecr 0,nop,wscale 7], length 0

# 重试第4次访问,间隔 2^3=8 秒
12:23:16.532513 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293961454 ecr 0,nop,wscale 7], length 0

# 重试第5次访问,间隔2^4=16 秒
12:23:32.660578 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293977582 ecr 0,nop,wscale 7], length 0

# 重试第6次访问,间隔2^5=32 秒
12:24:06.452593 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294011374 ecr 0,nop,wscale 7], length 0

# 重试第7次访问,间隔2^6=64 秒
12:25:11.988544 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294076910 ecr 0,nop,wscale 7], length 0

# 重试第8次访问,按指数退避应为 2^7=128 秒,实际约2分钟(内核对重传间隔设有上限,后面几次也不再继续翻倍)
12:27:12.820615 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294197742 ecr 0,nop,wscale 7], length 0

# 重试第9次访问,间隔2^7=128 秒,实际约2分钟
12:29:13.652590 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294318574 ecr 0,nop,wscale 7], length 0

# 重试第10次访问,间隔2^7=128 秒,实际约2分钟
12:31:14.484568 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294439406 ecr 0,nop,wscale 7], length 0

实际使用中通常不会让客户端重试这么多次,例如在 socket 连接时会设置超时时间;
超过超时时间后,客户端放弃连接,不再发送 SYN。
# python 代码

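import socket
import function.func as func

# Application-level connect timeout in seconds. The kernel keeps retransmitting
# SYN according to tcp_syn_retries, but the application gives up after this.
CONNECT_TIMEOUT = 3

# Use a context manager so the socket is closed even if connect_ex() fails.
with socket.socket() as s:
    s.settimeout(CONNECT_TIMEOUT)
    print(func.now())
    # Note: connect_ex() is used instead of connect(). It returns the error
    # code (0 on success) instead of raising, so the second timestamp is
    # printed even when the connection times out.
    err = s.connect_ex(('106.53.233.92', 80))
    print(func.now())
    # Surface the result instead of discarding it; non-zero means the
    # connection did not complete within CONNECT_TIMEOUT.
    print('connect_ex returned:', err)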

# 返回值
2020-08-25 13:41:34
2020-08-25 13:41:37

# 服务器抓包结果

[root@centos ipv4]# tcpdump -i eth0 -n src 39.89.53.61 and port 80
13:41:35.421132 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1404,nop,wscale 8,nop,nop,sackOK], length 0
13:41:36.440757 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1424,nop,wscale 8,nop,nop,sackOK], length 0
13:41:38.421645 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1424,nop,wscale 8,nop,nop,sackOK], length 0

可以看到设置 3 秒超时后,第一次重试(间隔 1 秒)和第二次重试(间隔 2 秒)加起来正好用了 3 秒,客户端随即超时结束连接,抓包中也不再出现新的 SYN。
