Andre Oppermann <[email protected]> wrote:

> On 10.07.2013 15:18, Fabian Keil wrote:
> > Andre Oppermann <[email protected]> wrote:
> >
> >> We have a SYN cookie implementation for quite some time now but it
> >> has some limitations with current realities for window scaling and
> >> SACK encoding in the few available bits.
[...]
> >> http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> > I've been using the patch for a couple of days and didn't notice any
> > issues so far. Privoxy's regression tests continue to work as expected
> > as well.
>
> Thanks for testing and reporting back.
>
> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?

I haven't noticed any issues with net.inet.tcp.syncookies_only=1.

> It will give a bit of debug log output which is telling you mostly about
> rounding to the next nearest index value. You can send the output privately
> to me to spot unexpected outliers, if any.

One unexpected outlier seems to be:

Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118
tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data
after socket was closed, sending RST and removing tcpcb
Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118
tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE
authentication, segment rejected (probably spoofed)
This also seems to have resulted in two reset packets:
fk@r500 ~/test/wireshark $tcpdump -vv -n -r syncookie-test.pcap dst port 62972
reading from file syncookie-test.pcap, link-type NULL (BSD loopback)
12:42:47.033832 IP (tos 0x0, ttl 64, id 17522, offset 0, flags [DF], proto TCP
(6), length 60, bad cksum 0 (->e248)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [S.], cksum 0x8c5f (correct), seq
1633309846, ack 61471870, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS
val 4243589075 ecr 4051741531], length 0
12:42:47.138107 IP (tos 0x0, ttl 64, id 17582, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->e214)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xef2f (correct), seq 1,
ack 183, win 1275, options [nop,nop,TS val 4243589180 ecr 4051741536], length 0
12:42:47.785762 IP (tos 0x0, ttl 64, id 17592, offset 0, flags [DF], proto TCP
(6), length 120, bad cksum 0 (->e1c6)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7209 (correct), seq
1:69, ack 183, win 1275, options [nop,nop,TS val 4243589827 ecr 4051741536],
length 68
12:42:47.945156 IP (tos 0x0, ttl 64, id 17609, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->e1f9)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xe80f (correct), seq 69,
ack 325, win 1275, options [nop,nop,TS val 4243589987 ecr 4051742343], length 0
12:42:48.470035 IP (tos 0x0, ttl 64, id 17678, offset 0, flags [DF], proto TCP
(6), length 550, bad cksum 0 (->dfc2)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3ce0 (correct), seq
69:567, ack 325, win 1275, options [nop,nop,TS val 4243590511 ecr 4051742343],
length 498
12:42:48.599754 IP (tos 0x0, ttl 64, id 17683, offset 0, flags [DF], proto TCP
(6), length 550, bad cksum 0 (->dfbd)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x0a10 (correct), seq
567:1065, ack 325, win 1275, options [nop,nop,TS val 4243590641 ecr
4051743067], length 498
12:42:48.699161 IP (tos 0x0, ttl 64, id 17688, offset 0, flags [DF], proto TCP
(6), length 2465, bad cksum 0 (->d83d)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x92bd (correct), seq
1065:3478, ack 325, win 1275, options [nop,nop,TS val 4243590741 ecr
4051743197], length 2413
12:42:48.824428 IP (tos 0x0, ttl 64, id 17706, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->e198)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd2da (correct), seq
3478, ack 592, win 1275, options [nop,nop,TS val 4243590867 ecr 4051743216],
length 0
12:42:48.924148 IP (tos 0x0, ttl 64, id 17713, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->e191)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd1dd (correct), seq
3478, ack 639, win 1275, options [nop,nop,TS val 4243590966 ecr 4051743323],
length 0
12:42:49.725732 IP (tos 0x0, ttl 64, id 17769, offset 0, flags [DF], proto TCP
(6), length 99, bad cksum 0 (->e12a)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7969 (correct), seq
3478:3525, ack 639, win 1275, options [nop,nop,TS val 4243591767 ecr
4051743323], length 47
12:42:49.833378 IP (tos 0x0, ttl 64, id 17784, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->e14a)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xc9a7 (correct), seq
3525, ack 882, win 1275, options [nop,nop,TS val 4243591876 ecr 4051744225],
length 0
12:42:50.436702 IP (tos 0x0, ttl 64, id 17801, offset 0, flags [DF], proto TCP
(6), length 550, bad cksum 0 (->df47)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3f05 (correct), seq
3525:4023, ack 882, win 1275, options [nop,nop,TS val 4243592478 ecr
4051744225], length 498
12:42:50.539394 IP (tos 0x0, ttl 64, id 17847, offset 0, flags [DF], proto TCP
(6), length 5051, bad cksum 0 (->cd84)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x1b29 (correct), seq
4023:9022, ack 882, win 1275, options [nop,nop,TS val 4243592581 ecr
4051745037], length 4999
12:42:50.639133 IP (tos 0x0, ttl 64, id 17860, offset 0, flags [DF], proto TCP
(6), length 7204, bad cksum 0 (->c50e)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7f02 (correct), seq
9022:16174, ack 882, win 1275, options [nop,nop,TS val 4243592681 ecr
4051745137], length 7152
12:42:50.673745 IP (tos 0x0, ttl 64, id 17867, offset 0, flags [DF], proto TCP
(6), length 16384, bad cksum 0 (->a12b)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x1f1d (correct), seq
16174:32506, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr
4051745137], length 16332
12:42:50.673796 IP (tos 0x0, ttl 64, id 17869, offset 0, flags [DF], proto TCP
(6), length 1244, bad cksum 0 (->dc4d)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xf717 (correct), seq
32506:33698, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr
4051745171], length 1192
12:42:50.769080 IP (tos 0x0, ttl 64, id 17883, offset 0, flags [DF], proto TCP
(6), length 16384, bad cksum 0 (->a11b)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x6a4e (correct), seq
33698:50030, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr
4051745171], length 16332
12:42:50.769123 IP (tos 0x0, ttl 64, id 17885, offset 0, flags [DF], proto TCP
(6), length 2532, bad cksum 0 (->d735)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x4cde (correct), seq
50030:52510, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr
4051745267], length 2480
12:42:50.869118 IP (tos 0x0, ttl 64, id 17908, offset 0, flags [DF], proto TCP
(6), length 13592, bad cksum 0 (->abea)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xd9bf (correct), seq
52510:66050, ack 882, win 1275, options [nop,nop,TS val 4243592911 ecr
4051745367], length 13540
12:42:50.980382 IP (tos 0x0, ttl 64, id 17938, offset 0, flags [DF], proto TCP
(6), length 550, bad cksum 0 (->debe)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x9e13 (correct), seq
66050:66548, ack 882, win 1275, options [nop,nop,TS val 4243593022 ecr
4051745383], length 498
12:42:51.080184 IP (tos 0x0, ttl 64, id 17953, offset 0, flags [DF], proto TCP
(6), length 3538, bad cksum 0 (->d303)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xe297 (correct), seq
66548:70034, ack 882, win 1275, options [nop,nop,TS val 4243593122 ecr
4051745578], length 3486
12:42:51.126696 IP (tos 0x0, ttl 64, id 17960, offset 0, flags [DF], proto TCP
(6), length 1484, bad cksum 0 (->db02)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [FP.], cksum 0xd00a (correct), seq
70034:71466, ack 882, win 1275, options [nop,nop,TS val 4243593168 ecr
4051745578], length 1432
12:42:51.173301 IP (tos 0x0, ttl 64, id 17981, offset 0, flags [DF], proto TCP
(6), length 40, bad cksum 0 (->e091)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq
1633381313, win 0, length 0
12:42:51.173330 IP (tos 0x0, ttl 64, id 17983, offset 0, flags [DF], proto TCP
(6), length 40, bad cksum 0 (->e08f)!)
10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq
1633381313, win 0, length 0

Client and server are running on the same system.

As I don't usually use net.inet.tcp.log_debug and haven't been able to intentionally
reproduce the issue (but have seen it a few times), I'm not sure yet if the behaviour
is actually related to the SYN cookie changes at all.

Fabian
