
What happens when TCP sends a FIN and never receives the ACK

If it is not received

The table below has two parts. In the first, the client's FIN fails to reach the server; in the second, the client never receives the server's ACK for its FIN.

| Server (111) | Client (108) | Notes |
| --- | --- | --- |
| `nc -l 9999` | `cat /dev/zero \| nc 192.168.0.111 9999` | |
| | | Wait a while. |
| | `iptables -A INPUT -p tcp -s 192.168.0.111 --tcp-flags ACK,FIN ACK -j DROP` | Drop the FIN=1 ACK=1 segments coming from the server |
| | `killall nc` | Makes the client send a FIN (which is in fact lost) |
| ESTABLISHED | FIN_WAIT1 | Shows that the client's FIN never reached the server |
| ESTABLISHED | destroyed automatically | After the timeout the socket does not enter TIME_WAIT; it is destroyed directly |

| Server (111) | Client (108) | Notes |
| --- | --- | --- |
| `nc -l 9999` | `nc -vn 192.168.0.111 9999` | |
| | `iptables -A INPUT -p tcp -s 192.168.0.111 --tcp-flags ACK ACK -j DROP` | Drop the ACK=1 segments coming from the server |
| | `killall nc` | Makes the client send a FIN |
| LAST_ACK | FIN_WAIT1 | |
| destroyed automatically | destroyed automatically | |
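To watch the states the table records without reading `ss` output by eye, here is an added example that is not part of the original post: a small Python script that parses `ss -tan` output, counts sockets per state, and flags half-closed sockets (FIN-WAIT-1, LAST-ACK, ...) whose Send-Q is still non-zero, which is what an unacknowledged FIN, or data queued ahead of it, looks like. The sample output is constructed and deliberately merges lines from both hosts' points of view so that FIN-WAIT-1 and LAST-ACK both appear; the addresses reuse the post's 192.168.0.111 (server) and 192.168.0.108 (client), and `live_ss_output` is only a convenience for running the same parser against a real Linux host.

```python
"""Summarise TCP socket states from `ss -tan` output.

Added example (not from the original post).  The state names are the
abbreviations ss(8) prints (ESTAB, FIN-WAIT-1, LAST-ACK, ...), which differ
from the kernel's ESTABLISHED / FIN_WAIT1 / LAST_ACK spelling.
"""
from collections import Counter
import subprocess

# Constructed sample, mixing the client's and the server's sockets so that
# every state from the experiment is visible in one place.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      1      0.0.0.0:9999           0.0.0.0:*
ESTAB      0      0      192.168.0.111:9999     192.168.0.108:41234
FIN-WAIT-1 0      1      192.168.0.108:41234    192.168.0.111:9999
LAST-ACK   0      1      192.168.0.111:9999     192.168.0.108:41250
FIN-WAIT-1 0      1      192.168.0.108:41250    192.168.0.111:9999
"""

# States in which our side has already sent its FIN and is waiting on the peer.
HALF_CLOSED = {"FIN-WAIT-1", "FIN-WAIT-2", "LAST-ACK", "CLOSING"}


def parse_ss(text):
    """Yield (state, recv_q, send_q, local, peer) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # header, blank line, or something we do not understand
        state, recv_q, send_q, local, peer = parts[:5]
        yield state, int(recv_q), int(send_q), local, peer


def count_states(text):
    """Number of sockets per state, e.g. {'ESTAB': 1, 'FIN-WAIT-1': 2, ...}."""
    return Counter(entry[0] for entry in parse_ss(text))


def unacked_half_closed(text, port=None):
    """Half-closed sockets whose Send-Q is non-zero: the FIN (or data queued
    in front of it) has not been acknowledged by the peer.  Optionally keep
    only connections that involve `port` on either side."""
    found = []
    for state, _recv_q, send_q, local, peer in parse_ss(text):
        if state not in HALF_CLOSED or send_q == 0:
            continue
        if port is not None and not (local.endswith(":%d" % port)
                                     or peer.endswith(":%d" % port)):
            continue
        found.append((state, local, peer, send_q))
    return found


def live_ss_output():
    """Run ss(8) on this host (Linux only); returns its text output."""
    return subprocess.run(["ss", "-tan"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for state, n in sorted(count_states(SAMPLE_SS_OUTPUT).items()):
        print("%-12s %d" % (state, n))
    for row in unacked_half_closed(SAMPLE_SS_OUTPUT, port=9999):
        print("stuck: %s %s -> %s (Send-Q %d)" % row)
```

Run it periodically (`unacked_half_closed(live_ss_output(), port=9999)`) while the experiment is in progress and the rows disappear at the moment the kernel destroys the orphaned socket. One note on reading the iptables rules in the table: `--tcp-flags MASK COMP` inspects only the bits listed in MASK and matches when exactly the bits in COMP are set, so `ACK,FIN ACK` matches segments that have ACK set and FIN clear, while `ACK ACK` matches any segment with ACK set.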

FIN_WAIT1 and FIN_WAIT2 timeouts on Linux

  • tcp_fin_timeout

tcp_fin_timeout (integer; default: 60; since Linux 2.2)
This specifies how many seconds to wait for a final FIN packet before the socket is forcibly closed. This is
strictly a violation of the TCP specification, but required to prevent denial-of-service attacks. In Linux 2.2,
the default value was 180.

  • tcp_orphan_retries
    • This value influences the timeout of a locally closed TCP connection,
      when RTO retransmissions remain unacknowledged.
      See tcp_retries2 for more details.  The default value is 8.
      
      If your machine is a loaded WEB server,
      you should think about lowering this value, such sockets
      may consume significant resources. Cf. tcp_max_orphans.
    • This parameter says how many rounds of RTO backoff to wait, when the ACK for the FIN never arrives, before a connection sitting in FIN_WAIT1 is destroyed for good.
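A worked calculation of how long that takes, added here and not part of the original post or of the kernel source: on modern kernels (2.6.32 and later, assumed to be what the hosts above run) the retransmit timer decides that an orphaned socket has timed out using the formula in `tcp_model_timeout()` / `retransmits_timed_out()` in net/ipv4/tcp_timer.c, which budgets exponential backoff starting from TCP_RTO_MIN (200 ms) until a doubling would pass TCP_RTO_MAX (120 s) and then a flat TCP_RTO_MAX per remaining round. The Python below re-implements that formula; `fin_wait1_lifetime_ms`, `retransmit_schedule_ms` and `read_sysctl_int` are names chosen for this example.

```python
"""Model how long a FIN_WAIT1 socket survives when its FIN is never ACKed.

Added example (not from the original post, not kernel code): a Python
re-implementation of the timeout formula in net/ipv4/tcp_timer.c
(tcp_model_timeout / retransmits_timed_out) for orphaned sockets.
"""

TCP_RTO_MIN_MS = 200       # kernel TCP_RTO_MIN
TCP_RTO_MAX_MS = 120_000   # kernel TCP_RTO_MAX


def effective_orphan_retries(sysctl_value):
    """tcp_orphan_retries=0 is treated by the kernel as 8 while the peer may
    still be alive (the documented default of 8 quoted above)."""
    return 8 if sysctl_value == 0 else sysctl_value


def model_timeout_ms(boundary, rto_base_ms=TCP_RTO_MIN_MS,
                     rto_max_ms=TCP_RTO_MAX_MS):
    """Time the kernel allows for `boundary` unanswered retransmissions.

    Doubling from rto_base is assumed for as long as the RTO stays below
    rto_max; every further round is charged a flat rto_max.  The model
    starts from TCP_RTO_MIN rather than the connection's measured RTO, so
    on a high-RTT path the observed lifetime can be longer than this.
    """
    linear_backoff_thresh = (rto_max_ms // rto_base_ms).bit_length() - 1  # ilog2
    if boundary <= linear_backoff_thresh:
        return ((2 << boundary) - 1) * rto_base_ms
    return (((2 << linear_backoff_thresh) - 1) * rto_base_ms
            + (boundary - linear_backoff_thresh) * rto_max_ms)


def retransmit_schedule_ms(rounds, rto_base_ms=TCP_RTO_MIN_MS,
                           rto_max_ms=TCP_RTO_MAX_MS):
    """Offsets (ms after the first transmission) at which the timer fires
    under pure exponential backoff capped at rto_max.  The kernel threshold
    model_timeout_ms(b) equals the (b+1)-th firing, i.e. b retransmissions
    have gone unanswered when the socket is given up on."""
    offsets, elapsed, rto = [], 0, rto_base_ms
    for _ in range(rounds):
        elapsed += rto
        offsets.append(elapsed)
        rto = min(rto * 2, rto_max_ms)
    return offsets


def fin_wait1_lifetime_ms(tcp_orphan_retries):
    """Lifetime of a FIN_WAIT1 socket whose FIN is never acknowledged."""
    return model_timeout_ms(effective_orphan_retries(tcp_orphan_retries))


def read_sysctl_int(name, default):
    """Read /proc/sys/net/ipv4/<name>; fall back to `default` off Linux."""
    try:
        with open("/proc/sys/net/ipv4/" + name) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    for sysctl in (0, 2, 8, read_sysctl_int("tcp_orphan_retries", 0)):
        rounds = effective_orphan_retries(sysctl)
        print("tcp_orphan_retries=%d -> %d rounds, FIN_WAIT1 gone after ~%.1f s"
              % (sysctl, rounds, fin_wait1_lifetime_ms(sysctl) / 1000))
    print("tcp_retries2=15 (data on an established socket) -> ~%.1f s"
          % (model_timeout_ms(15) / 1000))
    print("retransmit offsets (s):",
          [t / 1000 for t in retransmit_schedule_ms(9)])
```

With the documented default of 8 rounds the orphan is dropped after about 102 s, which is the "destroyed automatically" step in the table; lowering tcp_orphan_retries shortens that window at the cost of giving a slow peer less time to answer the FIN.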