已完成连接队列(completed connection queue)
(1)三次握手已经完成,但还未被应用层接收(accept),但也处于ESTABLISHED状态.
(2)队列长度由listen的backlog参数和内核的 net.core.somaxconn 参数共同决定.
(3)当这个队列满了之后,不管未完成连接队列是否已满,是否启用syncookie,都不在接收新的SYN请求.(该特性跟内核版本有关)
(4)如果client端向已完成连接队列的socket发送包,内核将保存数据到socket的接收缓冲区,等应用层accept之后,传给应用层.
未完成连接队列(incomplete connection queue)
(1)半连接状态,处于SEND_RCVD状态.
(2)由内核参数 net.ipv4.tcp_max_syn_backlog 设置.
(3)如果启用了syncookie,在未完成连接队列满了之后,新的SYN请求将使用syncookie机制.
注:不同平台对于backlog的解释都不一样,这儿用的linux-2.6.18,还是有能力了看代码靠谱啊
---------------------------------------------------------------------------------------------------------------
int listen(int sockfd, int backlog);
The behaviour of the backlog parameter on TCP sockets changed with Linux 2.2. Now it specifies the queue length for completely established sockets waiting to be accepted,instead of the number of incomplete connection requests. The maximum length of the queue for incomplete sockets can be set using the tcp_max_syn_backlog sysctl. When syncookies are enabled there is no logical maximum length and this sysctl setting is ignored.See tcp(7) for more information.
If the socket is of type AF_INET, and the backlog argument is greater than the constant SOMAXCONN (128 in Linux2.0 & 2.2), it is silently truncated to SOMAXCONN.
tcp_max_syn_backlog (integer; default: see below)
The maximum number of queued connection requests which have still not received an acknowledgement from the connecting client. If this number is exceeded, the kernel will begin dropping requests. The default value of 256 is increased to 1024 when the memory present in the system is adequate or greater (>= 128Mb), and reduced to 128 for those systems with very low memory (<= 32Mb). It is recommended that if this needs to be increased above 1024, TCP_SYNQ_HSIZE in include/net/tcp.h be modified to keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog, and the kernel be recompiled.
tcp_syncookies (Boolean)
Enable TCP syncookies. The kernel must be compiled with CONFIG_SYN_COOKIES. Send out syncookies when the syn backlog queue of a socket overflows. The syncookies feature attempts to protect a socket from a SYN flood attack.
--------------------------------------------------------------------------------------------------------------
阅读(1884) | 评论(0) | 转发(0) |
