On Wed, Dec 12, 2007 at 10:11:05AM +0100, knitti wrote:
Interesting for me too, and most probably for others. It became an
interesting discussion of my CLOSE_WAIT "problem" after all...
To summarize (as I see it):
* pf "synproxy state" does not affect these CLOSE_WAIT sockets since
the SYN proxy is only active during connection establishement.
But it is a good to use anyway since it prevents IP spoofing.
* Reducing httpd.conf:KeepAliveTimeout decreases the number of
sockets in CLOSE_WAIT. I had it at 150 seconds (my mistake,
probably the problem origin). The default is 15 seconds.
My setting is now 10 seconds, problem probably solved.
Thanks to all contributing to the solution!
* A httpd server socket enters CLOSE_WAIT when the client
closes (or half-closes) its end and sends FIN to the
server TCP stack that replies ACK and enters CLOSE_WAIT.
The socket proceeds out of CLOSE_WAIT when httpd calls
close() on the socket.
So, the remaining question is why httpd does not close the socket.
Even though KeepAlive is in effect, since the client has closed its
end there can come no more request on it, and the server
should be able to notice that the client has closed its
socket end either by recv() returning 0, or from a poll()
return value. The server also should be able to know if
it has more data to send to complete the reply.
I see no reason to hold the socket in CLOSE_WAIT the whole
KeepAliveTimeout time, and am interested to learn why.
I have also learned to avoid hijacking threads.
--
Not the original thread poster,
but the one that hijacked the thread for my CLOSE_WAIT "problem",
and probably got mistaken for the original thread poster,
and thereby got accused of being to lazy/dumb to use pf,
and to not listen to advice.
and more...
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
