Hi everyone,

I am currently trying to make the xdp synproxy work from the sample in the Linux kernel repository. I took the xdp kernel code from here:
https://github.com/torvalds/linux/blob/master/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
and the xdp synproxy userspace program from here:
https://github.com/torvalds/linux/blob/master/tools/testing/selftests/bpf/xdp_synproxy.c

I set up my testing environment with 3 network namespaces: ns1 as a server, ns2 as a router and ns3 as a client. I set up 4 virtual ethernets: veth1 with peer veth2, veth3 with peer veth4, and added them to the different namespaces. To be specific, I use veth1 (192.168.1.1/24) for namespace ns1, veth2 (192.168.1.2/24) and veth3 (192.168.2.1/24) for namespace ns2, and veth4 (192.168.2.2/24) for namespace ns3.

For the namespace ns1, I enable tcp syncookie, tcp loose contract by using these commands:

    sysctl -w net.ipv4.tcp_syncookies=2
    sysctl -w net.ipv4.tcp_timestamps=1
    sysctl -w net.netfilter.nf_conntrack_tcp_loose=0

Then I upload the xdp synproxy program to veth1 using this command:

    ./xdp_synproxy --iface veth1 --ports 80 --single --mss4 1460 --mss6 1440 --wscale 7 --ttl 64

and upload the xdp dummy kernel program, which is just a simple xdp_pass, to the veth2 interface of namespace ns2 with this command:

    ip link set veth2 xdp object xdp_dummy_kern.bpf.o section xdp

Most of my setup is taken from the test program in the Linux kernel repository:
https://github.com/torvalds/linux/blob/master/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c

After that, I run a simple http server on port 80 in namespace ns1. I use netcat in network namespace ns3 to check the tcp connection:

    # nc -v 192.168.1.1 80
    nc: connect to 192.168.1.1 port 80 (tcp) failed: Connection reset by peer

I debugged using tcpdump and xdpdump on both interfaces veth1 and veth2 and discovered that the xdp synproxy program allows the tcp ack packet to pass through but does not notify the host, which causes an invalid tcp state and causes the server to respond with the tcp reset flag. For more detail, here is the link to the Wireshark files of veth1 and veth2:
https://www.dropbox.com/scl/fo/26kgk8sfozme1d6cc9zn4/h?rlkey=s1y9klybryilk5btylnp0dttg&dl=0

Why does this problem happen? What should I do to fix this problem?

In addition, I notice that if the veth2 interface does not have the xdp dummy program attached, it does not recognise the tcp syn-ack packet generated by the xdp synproxy program. What could be the solution for this?

Kind regards,
Minh.