I'm not an expert in kernel code... but that number came from tcp_orphan_count
(ref: http://forums13.itrc.hp.com/service/...readId=1089165)
in net/ipv4/proc.c in a 2.6 kernel. At lines 56-66 is the following code:
Quote:
static int sockstat_seq_show(struct seq_file *seq, void *v)
{
    ...
    seq_printf(seq, "TCP: inuse %d orphan %d tw %d alloc %d mem %d\n",
               fold_prot_inuse(&tcp_prot), atomic_read(&tcp_orphan_count),
               tcp_tw_count, atomic_read(&tcp_sockets_allocated),
               atomic_read(&tcp_memory_allocated));
|
The few usages I found are these (find in file, kernel 2.6.15.5).
In the tcp.c file:
Quote:
atomic_t tcp_orphan_count = ATOMIC_INIT(0); /* declaration */
EXPORT_SYMBOL_GPL(tcp_orphan_count);
|
So tcp_orphan_count is a global counter variable initialized to 0 (in tcp_ipv4.c):
Quote:
struct proto tcp_prot = {
    ...
    .orphan_count = &tcp_orphan_count,
    ...
};
|
and this .orphan_count is replicated in each socket struct variable's sk->sk_prot member variable.
This global variable is incremented in the listen call, in the function inet_csk_listen_stop(struct sock *sk), as:
Quote:
atomic_inc(sk->sk_prot->orphan_count);
|
and this function internally calls inet_csk_destroy_sock(), given below.
It is decremented in inet_csk_destroy_sock(struct sock *sk):
Quote:
/* after some validation check ... */
atomic_dec(sk->sk_prot->orphan_count);
|
So the global TCP orphan counter will increase only if, during this, synchronization is lost, due to a bug/assert failure or due to TCP being out of memory when malloc() fails somewhere and the socket is terminated prematurely.
There is an internal TCP timer that checks for some bug/error, and if it finds that the orphan counter EXCEEDED a preconfigured limit then it starts to reclaim some memory by freeing some unused sockets.
One comment I found that highlights the above point (in tcp_timer.c):
Quote:
/* Do not allow orphaned sockets to eat all our resources.
 * This is direct violation of TCP specs, but it is required
 * to prevent DoS attacks. It is called when a retransmission timeout
 * or zero probe timeout occurs on orphaned socket.
 *
 * Criteria is still not confirmed experimentally and may change.
 * We kill the socket, if:
 * 1. If number of orphaned sockets exceeds an administratively configured
 *    limit.
 * 2. If we have strong memory pressure.
 */
static int tcp_out_of_resources(struct sock *sk, int do_reset)
{
    ....
    ....
|
So manually creating an orphan socket requires direct/indirect tampering with the skb structure or a DoS attack (http://en.wikipedia.org/wiki/Denial-of-service_attack).
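
As an added example (not part of the original post and not kernel code), this user-space C program parses the TCP line of /proc/net/sockstat with the same format string that sockstat_seq_show() prints, and flags when the orphan count approaches the administratively configured limit. The sample text, the function names, the 80% threshold and the limit of 10000 are assumptions; on a live host the limit is the net.ipv4.tcp_max_orphans sysctl.

```c
#include <stdio.h>
#include <string.h>

/* Fields of the "TCP:" line, in the order sockstat_seq_show() prints them. */
struct tcp_sockstat { int inuse, orphan, tw, alloc, mem; };

/* Constructed sample of /proc/net/sockstat content (not real output). */
static const char SAMPLE[] =
    "sockets: used 412\n"
    "TCP: inuse 35 orphan 9000 tw 120 alloc 60 mem 14\n"
    "UDP: inuse 4 mem 2\n";

/* Scan sockstat text line by line; 0 if the TCP line parsed, -1 if not. */
int parse_tcp_sockstat(const char *text, struct tcp_sockstat *out)
{
    for (const char *line = text; line && *line; ) {
        if (sscanf(line, "TCP: inuse %d orphan %d tw %d alloc %d mem %d",
                   &out->inuse, &out->orphan, &out->tw,
                   &out->alloc, &out->mem) == 5)
            return 0;
        line = strchr(line, '\n');   /* advance to the next line */
        if (line) line++;
    }
    return -1;
}

/* 1 when the orphan count has reached pct percent of max_orphans. */
int orphans_near_limit(const struct tcp_sockstat *s, long max_orphans, int pct)
{
    if (max_orphans <= 0)
        return 0;
    return (long long)s->orphan * 100 >= (long long)max_orphans * pct;
}

int main(void)
{
    char buf[2048] = "";             /* zero-filled, so always terminated */
    struct tcp_sockstat s;
    long max_orphans = 10000;        /* assumed limit for this demo */
    FILE *f = fopen("/proc/net/sockstat", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    if (parse_tcp_sockstat(n ? buf : SAMPLE, &s) != 0)
        return 1;                    /* no TCP line found */
    printf("orphan=%d limit=%ld near_limit=%d\n",
           s.orphan, max_orphans, orphans_near_limit(&s, max_orphans, 80));
    return 0;
}
```

A sustained orphan count near the limit is the condition under which the tcp_out_of_resources() comment quoted above says the kernel starts killing orphaned sockets.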