sysctl_tcp_rfc1337 分析

tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
               const struct tcphdr *th)
{
----------------------------------------------------

    /*
     *    Now real TIME-WAIT state.
     *
     *    RFC 1122:
     *    "When a connection is [...] on TIME-WAIT state [...]
     *    [a TCP] MAY accept a new SYN from the remote TCP to
     *    reopen the connection directly, if it:
     *
     *    (1)  assigns its initial sequence number for the new
     *    connection to be larger than the largest sequence
     *    number it used on the previous connection incarnation,
     *    and
     *
     *    (2)  returns to TIME-WAIT state if the SYN turns out
     *    to be an old duplicate".
     */

    if (!paws_reject &&
        (TCP_SKB_CB(skb)->seq == tcptw->tw_rcv_nxt &&
         (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq || th->rst))) {
        /* In window segment, it may be only reset or bare ack. */

        if (th->rst) {
            /* This is TIME_WAIT assassination, in two flavors.
             * Oh well... nobody has a sufficient solution to this
             * protocol bug yet.
             */
            if (sysctl_tcp_rfc1337 == 0) {
kill:
                inet_twsk_deschedule_put(tw);
                return TCP_TW_SUCCESS;
            }
        }
        ------------------
    }
----------------------------
}

核心问题是： 接收到了一个RESET也要保持TIME_WAIT状态，还是直接释放TIME_WAIT连接。

　　　　　　是否开启允许用RESET来终止一个TW状态的连接！！

查看一下 1337RFC:具体文档就不贴了！​​参考​​

tcp_rfc1337 - BOOLEAN
    If set, the TCP stack behaves conforming to RFC1337. If unset,
    we are not conforming to RFC, but prevent TCP TIME_WAIT
    assassination.
    Default: 0

The first problem is that old duplicate data may be accepted erroneously in new connections, leading to the sent data becoming corrupt.
The second problem is that connections may become desynchronized and get into an ACK loop because of old duplicate packets entering new connections, which will become desynchronized.
The third and last problem is that old duplicate packets may enter newly established connections erroneously and kill the new connection.

From what I read, to solve the problems, what the setting does is ignore the RST (reset) packets while the socket is in its TIME-WAIT state.

So, why isn't this setting enabled by default? What are the disadvantages of using this?

. ​​RFC 1337​​ is an Informational RFC only and not part of the TCP standard. To ensure that there isn't any unexpected changes in production networks, it makes sense to keep this feature disabled by default and leave it up to the network admins to decide if they would like to enable it for testing.

Dropping RST packets for sockets in TIME-WAIT wouldn't appear to have any negative consequences however that doesn't mean there aren't any - perhaps an odd edge case which hasn't been fully explored.

http代理服务器（3-4-7层代理）-网络事件库公共组件、内核kernel驱动 摄像头驱动 tcpip网络协议栈、netfilter、bridge 好像看过！！！！ 但行好事 莫问前程 --身高体重180的胖子