net: increase SOMAXCONN to 4096

SOMAXCONN is /proc/sys/net/core/somaxconn default value.

It has been defined as 128 more than 20 years ago.

Since it caps the listen() backlog values, the very small value has
caused numerous problems over the years, and many people had
to raise it on their hosts after beeing hit by problems.

Google has been using 1024 for at least 15 years, and we increased
this to 4096 after TCP listener rework has been completed, more than
4 years ago. We got no complain of this change breaking any
legacy application.

Many applications indeed setup a TCP listener with listen(fd, -1);
meaning they let the system select the backlog.

Raising SOMAXCONN lowers chance of the port being unavailable under
even small SYNFLOOD attack, and reduces possibilities of side channel
vulnerabilities.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Yue Cao <ycao009@ucr.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2019-10-30 09:36:20 -07:00 committed by David S. Miller
parent 6d6f0383b6
commit 19f92a030c
2 changed files with 3 additions and 3 deletions

View File

@ -207,8 +207,8 @@ TCP variables:
somaxconn - INTEGER somaxconn - INTEGER
Limit of socket listen() backlog, known in userspace as SOMAXCONN. Limit of socket listen() backlog, known in userspace as SOMAXCONN.
Defaults to 128. See also tcp_max_syn_backlog for additional tuning Defaults to 4096. (Was 128 before linux-5.4)
for TCP sockets. See also tcp_max_syn_backlog for additional tuning for TCP sockets.
tcp_abort_on_overflow - BOOLEAN tcp_abort_on_overflow - BOOLEAN
If listening service is too slow to accept new connections, If listening service is too slow to accept new connections,

View File

@ -263,7 +263,7 @@ struct ucred {
#define PF_MAX AF_MAX #define PF_MAX AF_MAX
/* Maximum queue length specifiable by listen. */ /* Maximum queue length specifiable by listen. */
#define SOMAXCONN 128 #define SOMAXCONN 4096
/* Flags we can use with send/ and recv. /* Flags we can use with send/ and recv.
Added those for 1003.1g not all are supported yet Added those for 1003.1g not all are supported yet