It unfortunately turns out that the clever TW recycle trick does not work.
It assumes that an IP address has a shared timestamp clock, but that is
not true with masquerading and NAT. The problem is that it arbitrarily denies
service to masqueraded hosts when they're outside of the saved timestamp
window. Alexey and I found no suitable way to fix that problem (there
is no way to detect NAT/masquerading), so I propose the following patch
to turn it off.
RCS file: /cvs/linux/net/ipv4/tcp_input.c,v
retrieving revision 1.193
diff -u -u -r1.193 tcp_input.c
--- net/ipv4/tcp_input.c 2000/04/20 14:41:16 1.193
+++ net/ipv4/tcp_input.c 2000/07/13 12:42:24
@@ -80,7 +80,7 @@
int sysctl_tcp_syncookies = SYNC_INIT;
-int sysctl_tcp_tw_recycle = 1;
+int sysctl_tcp_tw_recycle = 0;
int sysctl_tcp_abort_on_overflow = 0;
int sysctl_tcp_max_orphans = NR_FILE;
int sysctl_tcp_max_tw_buckets = NR_FILE*2;
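Review bot: the hunk only flips the compiled-in default at `int sysctl_tcp_tw_recycle = 0;` and leaves the sysctl itself in place, so any system that sets it back to 1 in its boot-time sysctl configuration still denies service to hosts behind NAT/masquerading for exactly the reason described above; a one-line comment at the definition stating why the default is off, plus matching wording in the sysctl's documentation, would keep that reasoning with the code rather than only in this mail.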
This is like TV. I don't like TV.
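The failure mode described in the mail, as an added toy model that is not part of the original post and not kernel code: a TIME-WAIT recycler that remembers the peer's last TCP timestamp per peer IP address and drops later SYNs carrying an older timestamp. Two hosts behind one NAT share the server-visible address but run independent timestamp clocks, so the value recorded from one host causes the other host's SYN to be rejected. The host roles, clock values, the 203.0.113.1 address and the table layout are all constructed for the illustration.

```python
"""Toy model of why per-address TIME-WAIT recycling breaks behind NAT.

Added illustration, not kernel code: it mimics the idea that a TIME-WAIT
socket records the peer's last TCP timestamp per peer IP and refuses later
SYNs carrying an older timestamp. Two hosts share one NAT address but have
independent timestamp clocks, so the recorded value from one host rejects
the other. Host names, clock values and the table layout are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Syn:
    src_ip: str      # address as seen by the server (the NAT's public address)
    src_port: int
    tsval: int       # TCP timestamp option value from the sender's own clock


@dataclass
class TimeWaitRecycler:
    enabled: bool
    # peer IP -> highest tsval seen from that address when a socket hit TIME-WAIT
    last_ts: dict = field(default_factory=dict)

    def record_time_wait(self, ip, tsval):
        # On entering TIME-WAIT, remember the peer's latest timestamp.
        if self.enabled:
            self.last_ts[ip] = max(tsval, self.last_ts.get(ip, 0))

    def accept_syn(self, syn):
        # With recycling on, a SYN whose tsval is behind the recorded value
        # for that IP is treated as an old duplicate and dropped.
        if not self.enabled:
            return True
        last = self.last_ts.get(syn.src_ip)
        return last is None or syn.tsval >= last


def simulate(enabled):
    """Return which of two NATed hosts get their SYN accepted."""
    nat_ip = "203.0.113.1"   # constructed; documentation address range
    recycler = TimeWaitRecycler(enabled)
    # Host A behind the NAT: clock around 5,000,000; its connection was
    # closed by the server, leaving a TIME-WAIT entry keyed on the NAT address.
    recycler.record_time_wait(nat_ip, 5_000_000)
    # Host B behind the same NAT: booted recently, clock around 12,000.
    syn_b = Syn(nat_ip, 40001, 12_000)
    # Host A again, with a later timestamp than before.
    syn_a = Syn(nat_ip, 40002, 5_000_100)
    return {"host_b": recycler.accept_syn(syn_b),
            "host_a": recycler.accept_syn(syn_a)}


if __name__ == "__main__":
    print("recycle on :", simulate(True))    # host_b is refused service
    print("recycle off:", simulate(False))   # both hosts connect
```

Run it as a script to see the two outcomes side by side. The server has no way to tell from the packet that two different clocks sit behind the one address, which is the point the mail makes about NAT/masquerading being undetectable; turning the feature off by default is the only fix available at that layer.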