> On Jul 1, 2016, at 18:39, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
>
> On Fri, 1 Jul 2016 22:34:02 +0000
> Trond Myklebust <trondmy@xxxxxxxxxxxxxxx> wrote:
>
>
>> NACK. This ocde was removed on purpose because it is dangerous to
>> have the TCP state change callbacks queue up a new close(). The
>> connect code sometimes has to close sockets that are misbehaving, and
>> so we’ve seen races whereby the old socket closes and triggers an
>> autoclose for the new socket while it is connecting.
>
> OK fine. But can we please come up with a solution to get rid of the
> hidden port issue. It's very annoying that I get a message from
> rkhunter ever morning telling me "Please inspect this machine, because
> it may be infected.”
>
Can we look into why the socket disconnect is happening in the first place? It’s presumably not the server, since that _would_ trigger an autoclose when the socket hits TCP_CLOSE_WAIT. That puts the two top suspects being the TCP keepalive and the TCP_USER_TIMEOUT. Are there any tracepoints we could use to look at whether or not they are triggering a close?
Thanks
Trond
��.n��������+%�������w��{.n�����{��w����jg���������ݢj�����G��������j:+v���w�m������w�������h�����٥
