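The value of /proc/sys/net/ipv4/tcp_syn_retries is the number of times the SYN is retransmitted after the first SYN packet when a socket client calls s.connect() and the server does not return SYN + ACK, that is, when the connection attempt times out. It also determines how the retry timing adds up.
tcp_syn_retries defaults to 6. When the local host initiates a connection with a SYN and never receives the server's SYN + ACK, the longest the application waits before timing out is 127 seconds, i.e. 2^7 - 1 (1 + 2 + 4 + 8 + 16 + 32 + 64).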
# Test: the server runs nginx listening on port 80
# On the server, drop SYN packets to port 80 with iptables
[root@centos ~]# iptables -A INPUT -p tcp --dport 80 --syn -j DROP

# On the client, check the tcp_syn_retries value
root@rootop:/proc/sys/net/ipv4# cat tcp_syn_retries
6

# Connect from the client with telnet
root@rootop:~# telnet 106.53.233.92 80

# Capture on the server
[root@centos ~]# tcpdump -i eth0 -n src 101.32.23.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# First attempt
11:00:35.015937 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2288999938 ecr 0,nop,wscale 7], length 0
# Retry 1, interval 2^0 = 1 second
11:00:36.019825 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289000942 ecr 0,nop,wscale 7], length 0
# Retry 2, interval 2^1 = 2 seconds
11:00:38.035884 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289002958 ecr 0,nop,wscale 7], length 0
# Retry 3, interval 2^2 = 4 seconds
11:00:42.163811 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289007086 ecr 0,nop,wscale 7], length 0
# Retry 4, interval 2^3 = 8 seconds
11:00:50.355830 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289015278 ecr 0,nop,wscale 7], length 0
# Retry 5, interval 2^4 = 16 seconds
11:01:06.483835 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289031406 ecr 0,nop,wscale 7], length 0
# Retry 6, interval 2^5 = 32 seconds
11:01:40.531835 IP 101.32.23.53.40838 > 10.0.8.15.http: Flags [S], seq 293412828, win 64240, options [mss 1424,sackOK,TS val 2289065454 ecr 0,nop,wscale 7], length 0
# On the client, tcp_syn_retries changed to 10
root@rootop:/proc/sys/net/ipv4# cat tcp_syn_retries
10

Connect again and capture:

[root@centos ~]# tcpdump -i eth0 -n src 101.32.23.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# First attempt
12:23:01.071964 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293945993 ecr 0,nop,wscale 7], length 0
# Retry 1, interval 2^0 = 1 second
12:23:02.100530 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293947022 ecr 0,nop,wscale 7], length 0
# Retry 2, interval 2^1 = 2 seconds
12:23:04.116528 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293949038 ecr 0,nop,wscale 7], length 0
# Retry 3, interval 2^2 = 4 seconds
12:23:08.340521 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293953262 ecr 0,nop,wscale 7], length 0
# Retry 4, interval 2^3 = 8 seconds
12:23:16.532513 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293961454 ecr 0,nop,wscale 7], length 0
# Retry 5, interval 2^4 = 16 seconds
12:23:32.660578 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2293977582 ecr 0,nop,wscale 7], length 0
# Retry 6, interval 2^5 = 32 seconds
12:24:06.452593 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294011374 ecr 0,nop,wscale 7], length 0
# Retry 7, interval 2^6 = 64 seconds
12:25:11.988544 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294076910 ecr 0,nop,wscale 7], length 0
# Retry 8, interval 2^7 = 128 seconds, actually about 2 minutes
12:27:12.820615 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294197742 ecr 0,nop,wscale 7], length 0
# Retry 9, interval 2^7 = 128 seconds, actually about 2 minutes
12:29:13.652590 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294318574 ecr 0,nop,wscale 7], length 0
# Retry 10, interval 2^7 = 128 seconds, actually about 2 minutes
12:31:14.484568 IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S], seq 3047227869, win 64240, options [mss 1424,sackOK,TS val 2294439406 ecr 0,nop,wscale 7], length 0
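The retry schedule seen in the two captures above, as an added example that is not part of the original article: it computes the expected SYN gaps and total connect timeout for a given tcp_syn_retries and checks them against the timestamps of the second capture. The 1-second initial interval and the 120-second cap are assumptions read off the captures (the "about 2 minutes" gaps), and the function names are hypothetical.

```python
import re
from datetime import datetime

INITIAL_RTO = 1.0  # seconds: first retransmission gap seen in both captures
RTO_MAX = 120.0    # seconds: assumed cap, consistent with the ~2 minute gaps


def syn_schedule(retries, initial_rto=INITIAL_RTO, rto_max=RTO_MAX):
    """Return (gaps before each retransmitted SYN, seconds until connect() fails)."""
    # One wait follows every SYN sent, including the last retry before giving up.
    waits = [min(initial_rto * 2 ** i, rto_max) for i in range(retries + 1)]
    return waits[:retries], sum(waits)


def observed_gaps(capture):
    """Seconds between consecutive packets in tcpdump text output."""
    stamps = re.findall(r"^(\d\d:\d\d:\d\d\.\d{6}) IP ", capture, re.M)
    times = [datetime.strptime(s, "%H:%M:%S.%f") for s in stamps]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def gaps_match(observed, expected, tolerance=0.10):
    """True when every observed gap is within `tolerance` of the expected one."""
    return len(observed) == len(expected) and all(
        abs(o - e) <= tolerance * e for o, e in zip(observed, expected))


# Timestamps copied from the second capture on this page (tcp_syn_retries = 10);
# the rest of each packet line is trimmed.
STAMPS = ["12:23:01.071964", "12:23:02.100530", "12:23:04.116528",
          "12:23:08.340521", "12:23:16.532513", "12:23:32.660578",
          "12:24:06.452593", "12:25:11.988544", "12:27:12.820615",
          "12:29:13.652590", "12:31:14.484568"]
CAPTURE = "\n".join(
    f"{t} IP 101.32.23.53.41694 > 10.0.8.15.http: Flags [S]" for t in STAMPS)

if __name__ == "__main__":
    for n in (6, 10):
        gaps, total = syn_schedule(n)
        print(f"tcp_syn_retries={n}: gaps={gaps} total={total:.0f}s")
    seen = observed_gaps(CAPTURE)
    print("observed:", [round(g, 1) for g in seen])
    print("matches schedule:", gaps_match(seen, syn_schedule(10)[0]))
```

With the default of 6 the total comes to the 127 seconds stated above; with 10 the last three gaps sit at the cap instead of continuing to double.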
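In practice the client is not left to retry this many times; a socket connection, for example, usually sets its own timeout.
Once that timeout expires, no more SYNs are sent.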
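# Python code
import socket
from datetime import datetime


def now():
    # Stands in for the author's own helper function.func.now()
    return datetime.now().strftime('%Y-%m-%d %H:%M:%S')


s = socket.socket()
s.settimeout(3)  # timeout in seconds
print(now())
s.connect_ex(('106.53.233.92', 80))  # note: connect_ex() is used here, not connect()
print(now())

# Output
2020-08-25 13:41:34
2020-08-25 13:41:37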
# Capture result on the server
[root@centos ipv4]# tcpdump -i eth0 -n src 39.89.53.61 and port 80
13:41:35.421132 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1404,nop,wscale 8,nop,nop,sackOK], length 0
13:41:36.440757 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1424,nop,wscale 8,nop,nop,sackOK], length 0
13:41:38.421645 IP 39.89.53.61.54940 > 10.0.8.15.http: Flags [S], seq 1603668167, win 64240, options [mss 1424,nop,wscale 8,nop,nop,sackOK], length 0

As you can see, with the timeout set to 3 seconds, the first and second retries together took 3 seconds; the client stopped once it timed out, and the capture printed nothing further.
Original article; please credit the source when reposting. Permalink: https://www.rootop.org/pages/4846.html