> On Jul 1, 2016, at 18:39, Steven Rostedt <rost...@goodmis.org> wrote: > > On Fri, 1 Jul 2016 22:34:02 +0000 > Trond Myklebust <tron...@primarydata.com> wrote: > > >> NACK. This ocde was removed on purpose because it is dangerous to >> have the TCP state change callbacks queue up a new close(). The >> connect code sometimes has to close sockets that are misbehaving, and >> so we’ve seen races whereby the old socket closes and triggers an >> autoclose for the new socket while it is connecting. > > OK fine. But can we please come up with a solution to get rid of the > hidden port issue. It's very annoying that I get a message from > rkhunter ever morning telling me "Please inspect this machine, because > it may be infected.” >
Can we look into why the socket disconnect is happening in the first place? It’s presumably not the server, since that _would_ trigger an autoclose when the socket hits TCP_CLOSE_WAIT. That puts the two top suspects being the TCP keepalive and the TCP_USER_TIMEOUT. Are there any tracepoints we could use to look at whether or not they are triggering a close? Thanks Trond
