On Fri, 17 Jun 2011 19:51:59 +0200, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I looked at the glibc source code for getaddrinfo, and it looks like
> they do reliably set sin_port to zero when no service argument is
> provided, despite the above documentation statement. So that's why it
> works for me. But still, if you're on a non-Linux platform it seems
> possible that this is the mechanism for what's biting you.
Both client and server are Linux systems here and sin_port is 0 also
according to debug output I added. I cannot reproduce the problem reliably
(the users are much better testers it seems), so I'm a bit stuck with my
best guess being TIME_WAIT issues, perhaps FIN packets getting lost. I've
set

    sysctl -w net.ipv4.tcp_tw_reuse=1

now and will post again if there is any change.
> (BTW, is it really sane to be using ident auth over a "high latency
> connection"? That would certainly suggest to me that you could be
> getting connections from untrustworthy machines ...)
Both endpoints are properly firewalled (the sane sysadmins say so) and for
this particular connection only one client IP address is allowed by
pg_hba.conf. The reason why we also use ident authentication is to allow
only a few select UIDs on the client host to connect to certain DSNs.
Thanks for all the helpful info!
Regards,
Marinos