Public bug reported:

Hi, I have a problem with establishing connections when using the synproxy module. The problem occurs when a closed connection in a TIME_WAIT state exists in the conntrack and a client tries to connect using the same quadruplet as before. Synproxy responds with SYN-ACK, client sends ACK, but the service behind synproxy doesn't get that connection. It's also not visible in the conntrack, only the former TIME_WAIT one. Client is trying to retransmit ACK from the 3WHS without success. It works well when I turn off synproxy. I can partially mitigate this problem by setting a low net.netfilter.nf_conntrack_tcp_timeout_time_wait value, but it still exists in a high client-server connection rate setup. In my opinion the connection should be established the same way regardless of using synproxy or not.
root@front1:~# tcpdump -nni bond1 port 33333
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on bond1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:11:37.450919 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [S], seq 3004026282, win 64240, options [mss 1460,sackOK,TS val 3112537041 ecr 0,nop,wscale 7], length 0
11:11:37.450987 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [S.], seq 1444798319, ack 3004026283, win 0, options [mss 1460,sackOK,TS val 4146581719 ecr 3112537041,nop,wscale 10], length 0
11:11:37.451064 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112537042 ecr 4146581719], length 0
11:11:37.451101 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 1, win 63, options [nop,nop,TS val 4146581719 ecr 3112537042], length 0
11:11:39.469178 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 1, win 64, options [nop,nop,TS val 4146583737 ecr 3112537042], length 0
11:11:39.469350 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112539060 ecr 4146581719], length 0
11:11:39.862859 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [P.], seq 1:3, ack 1, win 502, options [nop,nop,TS val 3112539453 ecr 4146581719], length 2: HTTP
11:11:39.862894 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 3, win 64, options [nop,nop,TS val 4146584130 ecr 3112539453], length 0
11:11:39.863256 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [P.], seq 1:5205, ack 3, win 64, options [nop,nop,TS val 4146584131 ecr 3112539453], length 5204: HTTP: HTTP/1.1 404 Not Found
11:11:39.863273 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [F.], seq 5205, ack 3, win 64, options [nop,nop,TS val 4146584131 ecr 3112539453], length 0
11:11:39.863339 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 4345, win 501, options [nop,nop,TS val 3112539454 ecr 4146584131], length 0
11:11:39.863365 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 5205, win 501, options [nop,nop,TS val 3112539454 ecr 4146584131], length 0
11:11:39.903983 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 5206, win 501, options [nop,nop,TS val 3112539495 ecr 4146584131], length 0
11:11:41.909115 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 3, win 64, options [nop,nop,TS val 4146586177 ecr 3112539495], length 0
11:11:41.909262 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 5206, win 501, options [nop,nop,TS val 3112541500 ecr 4146584131], length 0
11:11:43.949198 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 3, win 64, options [nop,nop,TS val 4146588217 ecr 3112541500], length 0
11:11:43.949352 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 5206, win 501, options [nop,nop,TS val 3112543540 ecr 4146584131], length 0
11:11:45.209125 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [F.], seq 3, ack 5206, win 501, options [nop,nop,TS val 3112544800 ecr 4146584131], length 0
11:11:45.209197 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 4, win 64, options [nop,nop,TS val 4146589477 ecr 3112544800], length 0
^C
19 packets captured
19 packets received by filter
0 packets dropped by kernel

root@front1:~# conntrack -L | grep 33333
tcp 6 102 TIME_WAIT src=10.0.0.1 dst=10.0.0.65 sport=33333 dport=80 src=10.0.0.65 dst=10.0.0.1 sport=80 dport=33333 [ASSURED] mark=0 delta-time=25 use=1
conntrack v1.4.8 (conntrack-tools): 2404 flow entries have been shown.

root@front1:~# tcpdump -nni bond1 port 33333
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on bond1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:12:11.189763 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [S], seq 3531195415, win 64240, options [mss 1460,sackOK,TS val 3112570780 ecr 0,nop,wscale 7], length 0
11:12:11.189838 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [S.], seq 524590409, ack 3531195416, win 0, options [mss 1460,sackOK,TS val 4043713595 ecr 3112570780,nop,wscale 10], length 0
11:12:11.189925 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112570781 ecr 4043713595], length 0
11:12:14.945002 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112574536 ecr 4043713595], length 0
11:12:15.353039 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112574944 ecr 4043713595], length 0
11:12:16.177025 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112575768 ecr 4043713595], length 0
11:12:17.841029 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112577432 ecr 4043713595], length 0
11:12:21.105039 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112580696 ecr 4043713595], length 0
11:12:27.569022 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112587160 ecr 4043713595], length 0
11:12:40.881037 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3112600472 ecr 4043713595], length 0

root@front1:~# lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04

root@front1:~# dpkg -l | grep linux-modules-6.8.0-41-generic
ii linux-modules-6.8.0-41-generic 6.8.0-41.41 amd64 Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2083830

Title: synproxy doesn't pass down established connection
Status in linux package in Ubuntu: New
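An added check for the symptom the report describes (example code, not part of the bug report or of the kernel): it parses tcpdump -nn output and flags flows where the server answered the SYN but then sent nothing while the client kept retransmitting its handshake ACK, which is exactly the shape of the second capture. The sample lines are abridged copies of the two captures above; the function and threshold names are the example's own.

```python
"""Added example (not from the report): flag the symptom in the second capture, a handshake after
which the client keeps retransmitting its final ACK and the server stays silent (tcpdump -nn input)."""
import re
PKT = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\](?:, seq [\d:]+)?(?:, ack (?P<ack>\d+))?, win \d+.*?length (?P<len>\d+)')

def parse(line):  # one tcpdump line -> dict, or None for banner/summary lines
    m = PKT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": f'{d["src"]}:{d["sport"]}', "dst": f'{d["dst"]}:{d["dport"]}',
            "flags": d["flags"], "ack": d["ack"], "len": int(d["len"])}

def stalled_handshakes(lines, min_retransmits=2):
    """{(client, server): client ACK count} for flows where the server sent its SYN-ACK,
    then nothing, while the client re-sent the handshake ACK more than min_retransmits times."""
    flows = {}  # (client, server) -> handshake state
    for p in filter(None, map(parse, lines)):
        if p["flags"] == "S":  # a bare SYN from the client opens a new flow
            flows[(p["src"], p["dst"])] = {"synack": False, "acks": 0, "server_after": False}
            continue
        key = (p["dst"], p["src"]) if (p["dst"], p["src"]) in flows else (p["src"], p["dst"])
        if key not in flows:
            continue
        st, from_server = flows[key], p["src"] == key[1]
        if from_server and p["flags"] == "S.":
            st["synack"] = True
        elif from_server and st["synack"]:
            st["server_after"] = True  # server spoke after its SYN-ACK: connection is live
        elif not from_server and st["synack"] and p["flags"] == "." and p["ack"] == "1" and p["len"] == 0:
            st["acks"] += 1  # the 3WHS ACK, or a retransmission of it
    return {k: v["acks"] for k, v in flows.items()
            if v["synack"] and not v["server_after"] and v["acks"] > min_retransmits}
HEALTHY = [  # first capture (abridged): the server talks after the handshake
    "11:11:37.450919 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [S], seq 3004026282, win 64240, options [mss 1460], length 0",
    "11:11:37.450987 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [S.], seq 1444798319, ack 3004026283, win 0, options [mss 1460], length 0",
    "11:11:37.451064 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop], length 0",
    "11:11:37.451101 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [.], ack 1, win 63, options [nop,nop], length 0",
]
STALLED = [  # second capture (abridged): same quadruplet while the old entry is still in TIME_WAIT
    "11:12:11.189763 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [S], seq 3531195415, win 64240, options [mss 1460], length 0",
    "11:12:11.189838 IP 10.0.0.65.80 > 10.0.0.1.33333: Flags [S.], seq 524590409, ack 3531195416, win 0, options [mss 1460], length 0",
    "11:12:11.189925 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop], length 0",
    "11:12:14.945002 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop], length 0",
    "11:12:15.353039 IP 10.0.0.1.33333 > 10.0.0.65.80: Flags [.], ack 1, win 502, options [nop,nop], length 0",
]
```

Feeding a full capture file to stalled_handshakes() returns only the quadruplets that show the retransmit-without-reply pattern, so it can be run against a longer tcpdump session to confirm whether the stall correlates with entries that are still in TIME_WAIT in conntrack.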