From 072a596c6b78e06e0ade67aa30e5f5914bdd8dac Mon Sep 17 00:00:00 2001
From: Otto
Date: Tue, 23 Mar 2021 16:10:37 +0100
Subject: [PATCH] Avoid flooding log on each connect by testing if fast-open-connect succeeds once on startup, as suggested by @rgacogne. Plus a few corrections in docs.
---
 pdns/lwres.cc | 2 +-
 pdns/pdns_recursor.cc | 17 +++++++++++++++--
 pdns/recursordist/docs/performance.rst | 4 ++--
 pdns/recursordist/docs/settings.rst | 2 +-
 4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/pdns/lwres.cc b/pdns/lwres.cc
index af5f651513..40da2f36c3 100644
--- a/pdns/lwres.cc
+++ b/pdns/lwres.cc
@@ -332,7 +332,7 @@ LWResult::Result asyncresolve(const ComboAddress& ip, const DNSName& domain, int
 s.setFastOpenConnect();
 }
 catch (const NetworkError& e) {
- g_log << Logger::Error << "tcp-fast-connect enabled but returned error: " << e.what() << endl;
+ // Ignore error, we did a pre-check in pdns_recursor.cc:checkTFOconnect()
 }
 }
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 921235a733..5d8b3c959f 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -3236,13 +3236,25 @@ static void checkFastOpenSysctl(bool active)
 }
 }
 else {
- g_log << Logger::Error << "Cannot determine if kernel setting allow fast-open" << endl;
+ g_log << Logger::Notice << "Cannot determine if kernel settings allow fast-open" << endl;
 }
 #else
- g_log << Logger::Error << "Cannot determine if kernel setting allow fast-open" << endl;
+ g_log << Logger::Notice << "Cannot determine if kernel settings allow fast-open" << endl;
 #endif
 }
+static void checkTFOconnect()
+{
+ try {
+ Socket s(AF_INET, SOCK_STREAM);
+ s.setNonBlocking();
+ s.setFastOpenConnect();
+ }
+ catch (const NetworkError& e) {
+ g_log << Logger::Error << "tcp-fast-open-connect enabled but returned error: " << e.what() << endl;
+ }
+}
+
 static void makeTCPServerSockets(deferredAdd_t& deferredAdds, std::set& tcpSockets)
 {
 int fd;
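Review bot: The now-empty catch in asyncresolve (pdns/lwres.cc) discards every NetworkError from `s.setFastOpenConnect()`, including failures the one-time startup probe cannot predict. checkTFOconnect() only tests an AF_INET socket once at startup, so a failure specific to another address family, or one that starts later, leaves no trace for an operator. One diagnostic per process would avoid the flood without going silent, e.g. `static std::atomic_flag warned = ATOMIC_FLAG_INIT;` followed by `if (!warned.test_and_set()) { g_log << Logger::Warning << "tcp-fast-open-connect failed on an outgoing socket: " << e.what() << endl; }`. asyncresolve starts and ends outside the hunk, so whether `<atomic>` is already included in that file is not visible here.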
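Review bot: In checkTFOconnect() the try block covers `Socket s(AF_INET, SOCK_STREAM)` and `s.setNonBlocking()` as well as `s.setFastOpenConnect()`, so any NetworkError from the first two would be logged as a tcp-fast-open-connect problem. Their definitions are not in this diff, so this is inferred; it could happen on a host where an IPv4 TCP socket cannot be created. The probe also never connects, so a clean run only shows that the option is accepted on an IPv4 socket. I would say so above the function, `// Startup probe: sets the fast-open-connect option on a throwaway IPv4 TCP socket; it does not connect and does not cover IPv6.`, and word the message to match, `"tcp-fast-open-connect enabled but the startup probe failed: "`. The first part of this hunk belongs to checkFastOpenSysctl, whose body starts outside the hunk.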
@@ -4698,6 +4710,7 @@ static int serviceMain(int argc, char*argv[])
 if (SyncRes::s_tcp_fast_open_connect) {
 checkFastOpenSysctl(true);
+ checkTFOconnect();
 }
 if(SyncRes::s_serverID.empty()) {
diff --git a/pdns/recursordist/docs/performance.rst b/pdns/recursordist/docs/performance.rst
index cdf9838d4b..15e4b48fea 100644
--- a/pdns/recursordist/docs/performance.rst
+++ b/pdns/recursordist/docs/performance.rst
@@ -115,7 +115,7 @@ On Linux systems, the recursor can use TCP Fast Open for passive (incoming, sinc
 TCP Fast Open allows the initial SYN packet to carry data, saving one network round-trip.
 For details, consult `:rfc:7413`.
-To enable TCP Fast Open, it might be need change the value of the ``net.ipv4.tcp_fastopen`` sysctl.
+To enable TCP Fast Open, it might be needed to change the value of the ``net.ipv4.tcp_fastopen`` sysctl.
 Value 0 means Fast Open is disabled, 1 is only use Fast Open for active connections, 2 is only for passive connections and 3 is for both.
 The operation of TCP Fast Open can be monitored by looking at these kernel metrics::
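Review bot: The outcome of the probe is not used at the call in serviceMain: when checkTFOconnect() logs a failure, `SyncRes::s_tcp_fast_open_connect` stays set. The recursor then keeps running with a setting it has just found not to work. If the outgoing path in lwres.cc is guarded by the same flag, which this diff does not show, every outgoing TCP connection keeps throwing an exception that is now silently ignored. Letting the probe return a bool and writing `if (!checkTFOconnect()) { SyncRes::s_tcp_fast_open_connect = false; }` would make the running state match the single error line the operator sees. serviceMain continues outside the hunk.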
@@ -129,7 +129,7 @@ While developing active TCP Fast Open, it was needed to set ``net.ipv4.tcp_fasto
 At the moment of writing, the Google operated nameservers (both recursive and authoritative) indicate Fast Open support in the TCP handshake, but do not accept the cookie they sent previously and send a new one for each connection.
 We can only hope Google will fix this issue soon.
-If you operate an anycast pool of machines, make them share the TCP Fast Open Key by setting the ``net.ipv4.tcp_fastopen_key`` sysctl, otherwise you wil create a similar issue the Google servers have.
+If you operate an anycast pool of machines, make them share the TCP Fast Open Key by setting the ``net.ipv4.tcp_fastopen_key`` sysctl, otherwise you will create a similar issue the Google servers have.
 To determine a good value for the :ref:`setting-tcp-fast-open` setting, watch the ``TCPFastOpenListenOverflow`` metric.
 If this value increases often, the value might be too low for your traffic, but note that increasing it will use kernel resources.
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 73a511a34c..f4fc954d82 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1849,7 +1849,7 @@ The numerical value supplied is used as the queue size, 0 meaning disabled. See
 - Boolean
 - Default: no (disabled)
-Enable TCP Fast Open Connect support, if available, on the outgoing connections to authoritatively servers. See :ref:`tcp-fast-open-support`.
+Enable TCP Fast Open Connect support, if available, on the outgoing connections to authoritative servers. See :ref:`tcp-fast-open-support`.
 .. _setting-threads:
--
2.47.2