
Re: SLAPD_LISTEN increase





--On Wednesday, May 04, 2005 8:27 PM -0400 "J. Tingiris" <jtingiris@bellsouth.net> wrote:

This is related to the Solaris backlog/listen queue.
"Implementations may limit the length of the socket's listen queue.  If
backlog exceeds the implementation-dependent maximum queue length, the
length of the socket's listen queue will be set to the maximum supported
value."

For more information, man listen(3XNET).

It seems Sun's best practice is to set the listen() call's backlog
integer considerably higher than the (expected) system
tcp_conn_req_max_q/0 buffer lengths so that it is ultimately controlled
by the system's maximum configured value.  In a nutshell, this enables a
binary application to be tuned without constantly recompiling (by
dynamically changing the appropriate ndd values).

This is old, but still affects all versions of Solaris:

"increasing the length of the backlog queue [with ndd] will have no
effect unless you also make an adjustment involving the listen() call on
the affected port(s). That is, listening applications will need to be
rebuilt to increase the requested backlog value, so that the new
SOMAXCONN value is reflected in so_qlimit"

So it also seems appropriate to increase this value very high to also
harden slapd against SYN Floods (on Solaris).  See:

http://www.ciac.org/ciac/bulletins/h-02.shtml

Two birds, one stone.

I will note that this advisory is from 1996, so I'm not sure how much the SYN flood issue applies... Given the rather large targets painted on Stanford's servers, if it were an issue I'm fairly certain we'd have seen it before.


The ndd parameter listed has also changed names since the advisory was written. It is:

tcp_conn_req_max_q

now.


I personally tune my ndd settings already, although my tcp_conn_req_max_q is only 1024. I'm somewhat curious about the adb line, and if that has changed somewhat since then.


--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
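
The behaviour discussed in this message, where a listen() backlog above the system maximum is silently lowered so that the kernel tunable becomes the effective limit, can be checked empirically. The following is an added example, not part of the original message or of OpenLDAP's code; the function name, the loopback probe and the probe counts are assumptions, and the exact count for a small backlog varies by operating system.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_PROBES 64
/* Listen on an ephemeral loopback port with the requested backlog, start
 * `attempts` connections without accepting any, then count how many the
 * kernel actually queued. Returns that count, or -1 on setup failure. */
int queued_connections(int backlog, int attempts)
{
    int clients[MAX_PROBES], queued = 0, i, c, lfd;
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    if (attempts < 0 || attempts > MAX_PROBES) return -1;
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lfd, backlog) < 0 ||      /* the kernel may silently lower this */
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) {
        close(lfd);
        return -1;
    }
    for (i = 0; i < attempts; i++) {     /* constructed probe traffic to ourselves */
        if ((clients[i] = socket(AF_INET, SOCK_STREAM, 0)) < 0) continue;
        fcntl(clients[i], F_SETFL, O_NONBLOCK); /* do not block on a full queue */
        connect(clients[i], (struct sockaddr *)&addr, sizeof(addr));
    }
    poll(NULL, 0, 200);                  /* give the handshakes 200 ms */
    fcntl(lfd, F_SETFL, O_NONBLOCK);
    while ((c = accept(lfd, NULL, NULL)) >= 0) { queued++; close(c); }
    for (i = 0; i < attempts; i++)
        if (clients[i] >= 0) close(clients[i]);
    close(lfd);
    return queued;
}

int main(void)
{
    printf("backlog 1: %d queued, backlog 1<<20: %d queued\n",
           queued_connections(1, 16), queued_connections(1 << 20, 16));
    return 0;
}
```

With a very large requested backlog, the number queued is bounded only by the system's configured maximum, which is the property that lets the queue be tuned without rebuilding the binary.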