iptables SYNPROXY small packet size transmission performance issue

Hi,

I set up SYNPROXY iptables rules as below for my web server serving
one simple static page, then tested the latency through
https://check-host.net/check-http?host=https://www.bpfire.net; some
country locations show a 4 - 5 second delay, which is caused by the
server sending small packet sizes, see the capture screenshot:
https://github.com/vincentmli/xdp-tools/issues/7#issuecomment-2465554843

INTERFACE=eth0

sysctl -w net.ipv4.tcp_syncookies=2
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0

iptables -t raw -I PREROUTING -i $INTERFACE -p tcp -m tcp --syn \
    --dport 443 -j CT --notrack
iptables -t filter -A INPUT -i $INTERFACE -p tcp -m tcp -m state \
    --state INVALID,UNTRACKED --dport 443 -j SYNPROXY --sack-perm \
    --timestamp --wscale 7 --mss 1460

Initially this issue was reported to me when one user attached XDP
acceleration to iptables SYNPROXY; after I reproduced the latency and
did more testing here
https://github.com/vincentmli/xdp-tools/issues/7#issuecomment-2471174263,
it narrowed down to 'iptables -t filter -A INPUT -i $INTERFACE -p tcp -m
tcp -m state --state INVALID,UNTRACKED --dport 443 -j SYNPROXY
--sack-perm --timestamp --wscale 7 --mss 1460'; if I remove
'--sack-perm --timestamp --wscale 7 --mss 1460', the small packet size
transmission issue does not occur.

Any clue to solve this issue for iptables SYNPROXY?

Thanks

Vincent
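
The symptom described in this post (the server emitting data segments far smaller than the 1460-byte MSS advertised by the SYNPROXY rule) is easy to confirm from a server-side capture before changing any rules. The following is an added example, not code from Vincent or from the netfilter project: it parses `tcpdump -nn` text output (the `length N` field is the TCP payload length) and flags flows whose median data segment is well below the advertised MSS. The sample capture lines, addresses, and the healthy/undersized payload sizes are constructed for illustration; the 1460 value comes from the `--mss 1460` option in the rule above.

```python
import re
import statistics
from collections import defaultdict

# MSS advertised by the SYNPROXY rule on the page (--mss 1460).
ADVERTISED_MSS = 1460

# Extracts source, destination and TCP payload length from a tcpdump -nn TCP line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+\.\d+): "
    r"Flags \[[^\]]*\].*?length (?P<len>\d+)$"
)

# Constructed sample of server-side tcpdump -nn output: one flow sending
# near-MSS segments (1448 = 1460 minus 12 bytes of TCP timestamp option) and
# one flow sending only small segments. Not a real capture.
SAMPLE_LINES = [
    "12:00:00.000100 IP 203.0.113.10.443 > 198.51.100.5.50000: Flags [S.], seq 0, ack 1, win 65535, options [mss 1460,sackOK,TS val 1 ecr 1,nop,wscale 7], length 0",
    "12:00:00.000200 IP 203.0.113.10.443 > 198.51.100.5.50000: Flags [P.], seq 1:1449, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 1448",
    "12:00:00.000300 IP 203.0.113.10.443 > 198.51.100.5.50000: Flags [.], seq 1449:2897, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 1448",
    "12:00:00.000400 IP 203.0.113.10.443 > 198.51.100.5.50000: Flags [.], seq 2897:4345, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 1448",
    "12:00:00.000500 IP 203.0.113.10.443 > 198.51.100.5.50000: Flags [P.], seq 4345:5545, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 1200",
    "12:00:01.000100 IP 203.0.113.10.443 > 198.51.100.7.50001: Flags [S.], seq 0, ack 1, win 65535, options [mss 1460,sackOK,TS val 1 ecr 1,nop,wscale 7], length 0",
    "12:00:01.000200 IP 203.0.113.10.443 > 198.51.100.7.50001: Flags [P.], seq 1:537, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 536",
    "12:00:01.000300 IP 203.0.113.10.443 > 198.51.100.7.50001: Flags [.], seq 537:1073, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 536",
    "12:00:01.000400 IP 203.0.113.10.443 > 198.51.100.7.50001: Flags [.], seq 1073:1609, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 536",
    "12:00:01.000500 IP 203.0.113.10.443 > 198.51.100.7.50001: Flags [P.], seq 1609:2009, ack 1, win 512, options [nop,nop,TS val 2 ecr 2], length 400",
]


def parse_segments(lines):
    """Return {(src, dst): [payload lengths]} for data-bearing TCP segments only."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        length = int(m.group("len"))
        if length == 0:
            continue  # SYN/SYN-ACK/pure ACK: no payload to measure
        flows[(m.group("src"), m.group("dst"))].append(length)
    return flows


def undersized_flows(flows, mss=ADVERTISED_MSS, ratio=0.5, min_segments=3):
    """Flag flows whose median data segment is below ratio * mss.

    Flows with fewer than min_segments data segments are skipped: a short
    response ending in one small segment is normal and not a symptom.
    """
    report = {}
    for key, sizes in flows.items():
        if len(sizes) < min_segments:
            continue
        med = statistics.median(sizes)
        if med < mss * ratio:
            report[key] = {"segments": len(sizes), "median": med, "max": max(sizes)}
    return report


if __name__ == "__main__":
    for (src, dst), info in undersized_flows(parse_segments(SAMPLE_LINES)).items():
        print(f"{src} -> {dst}: {info['segments']} data segments, "
              f"median {info['median']} bytes (max {info['max']}), advertised MSS {ADVERTISED_MSS}")
```

Run it against a real capture with `tcpdump -nn -i eth0 'tcp and src port 443' > capture.txt` and feed the file's lines to `parse_segments`; a flow flagged here while the same client is fine with the `--sack-perm --timestamp --wscale 7 --mss 1460` options removed reproduces the comparison made in the post.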
