alibaba / LVS

A distribution of Linux Virtual Server with some advanced features. It introduces a new packet forwarding method - FULLNAT other than NAT/Tunneling/DirectRouting, and defense mechanism against synflooding attack - SYNPROXY.

syn_cookie check failed #5

Open vincentmli opened 10 years ago

vincentmli commented 10 years ago

I cloned the ali_lvs v3 beta and it seems the syn cookie check failed consistently. I turned on ipvs debug and added a few debug lines as below; debug message:

    Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_rr_schedule(): Scheduling...
    Jan 9 13:26:04 alilvs kernel: IPVS: RR: server 192.168.3.2:80 activeconns 0 refcnt 1 weight 1
    Jan 9 13:26:04 alilvs kernel: IPVS: Bind-dest TCP c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 fwd:F s:0 conn->flags:185 conn->refcnt:1 dest->refcnt:2
    Jan 9 13:26:04 alilvs kernel: IPVS: Schedule fwd:F c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 conn->flags:1C5 conn->refcnt:2
    Jan 9 13:26:04 alilvs kernel: IPVS: save_xmit_info, netdevice:eth0
    Jan 9 13:26:04 alilvs kernel: in syn_proxy_synack_rcv, seq = 3831808964 ack_seq = 2885093891 SA- cp->is_synproxy = 0 cp->state = 3
    Jan 9 13:26:04 alilvs kernel: IPVS: eth1(): netdevice:ip_vs_save_xmit_inside_info
    Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_fast_response_xmit: send skb to client!
    Jan 9 13:26:04 alilvs kernel: IPVS: save_xmit_info, netdevice:eth0
    Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_fast_xmit: send skb to RS!
    Jan 9 13:26:04 alilvs kernel: IPVS: Unbind-dest TCP c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 fwd:F s:1 conn->flags:5 conn->refcnt:1 dest->refcnt:2
    Jan 9 13:26:04 alilvs kernel: IPVS: Unbind-laddr TCP c:208.85.211.199:44855 v:192.168.1.169:80 l:192.168.3.168:5002 d:192.168.3.2:80 fwd:F s:1 conn->flags:5 conn->refcnt:1 local->refcnt:2
    Jan 9 13:26:04 alilvs kernel: syn_cookie check res=4294967295 <=======
    Jan 9 13:26:04 alilvs kernel: syn_cookie check failed seq=3831808964 <=====
    Jan 9 13:26:05 alilvs kernel: syn_cookie check res=4294967295
    Jan 9 13:26:05 alilvs kernel: syn_cookie check failed seq=3831808964
    Jan 9 13:26:07 alilvs kernel: syn_cookie check res=4294967295
    Jan 9 13:26:07 alilvs kernel: syn_cookie check failed seq=3831808964

Note that check_tcp_syn_cookie returns 4294967295 and matches the if condition in syn_proxy_v4_cookie_check():

    if(res == (__u32)-1) /* count is invalid, jiffies' >> jiffies */
            goto out;

I can reproduce the issue consistently. Please let me know what other information I can provide to resolve this issue.

[root@alilvs kernel]# git diff net/netfilter/ipvs/ip_vs_synproxy.c diff --git a/kernel/net/netfilter/ipvs/ip_vs_synproxy.c b/kernel/net/netfilter/ipvs/ip_vs_synproxy.c index 3f15ce3..d3796af 100644 --- a/kernel/net/netfilter/ipvs/ip_vs_synproxy.c +++ b/kernel/net/netfilter/ipvs/ip_vs_synproxy.c @@ -236,10 +236,15 @@ static int syn_proxy_v4_cookie_check(struct sk_buff skb, __u32 cookie, jiffies / (HZ \ 60), COUNTER_TRIES);
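Review bot: the hunk is cut off after its header and its first context line, so none of the five added lines the header `@@ -236,10 +236,15 @@` announces are visible, and the placement of the new debug prints in `syn_proxy_v4_cookie_check()` cannot be reviewed as pasted; please attach the complete output of `git diff net/netfilter/ipvs/ip_vs_synproxy.c`. From the one visible context line, the check is keyed to `jiffies / (HZ * 60)` (the `\` in the pasted line reads as a lost `*`) with an age window of `COUNTER_TRIES`, so a debug print that logs that counter value alongside `res` would make it possible to tell an expired-window rejection from a mismatch on the cookie's other inputs.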
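To make the `res == (__u32)-1` branch above concrete, here is an added user-space model of the SYN-cookie mint/check pair that `syn_proxy_v4_cookie_check()` builds on. It is example code written for this page, not code from the LVS tree or the kernel: the `cookie_hash` mixer is a constructed stand-in for the kernel's secret-keyed hash, the function names `make_syn_cookie`, `check_syn_cookie` and `demo_check` are assumptions, `COUNTER_TRIES` is assumed to be 4, and the addresses are the ones from the log with a constructed client ISN. What it shows is the exact condition that yields 4294967295: the minute counter the cookie was minted with (top 8 bits) is not within `COUNTER_TRIES` ticks of the counter passed into the check.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the classic Linux syncookie scheme the synproxy code calls
 * into: the top 8 bits carry the minute counter the cookie was minted
 * with, the low 24 bits carry a keyed hash plus the encoded payload
 * (an MSS table index). */
#define COOKIEBITS    24
#define COOKIEMASK    ((1u << COOKIEBITS) - 1)
#define COUNTER_TRIES 4   /* accepted age window in minute ticks (assumed value) */

/* Constructed stand-in for the kernel's secret-keyed cookie hash. It is a
 * plain integer mixer, NOT a MAC; for this model it only has to be a
 * deterministic function of the 4-tuple, the counter and the slot. */
static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr,
                            uint16_t sport, uint16_t dport,
                            uint32_t count, uint32_t slot)
{
    uint32_t h = 0x9e3779b9u ^ (slot * 0x85ebca6bu);
    uint32_t words[5] = { saddr, daddr, ((uint32_t)sport << 16) | dport,
                          count, 0xc0ffee11u /* constructed "secret" */ };
    for (int i = 0; i < 5; i++) {
        h ^= words[i];
        h *= 0x27d4eb2du;
        h ^= h >> 15;
    }
    return h;
}

/* Mint a cookie for a SYN: hash of the 4-tuple + client ISN + counter in
 * the top bits + (counter-keyed hash + payload) in the low 24 bits. */
uint32_t make_syn_cookie(uint32_t saddr, uint32_t daddr,
                         uint16_t sport, uint16_t dport,
                         uint32_t sseq, uint32_t count, uint32_t data)
{
    return cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq +
           (count << COOKIEBITS) +
           ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK);
}

/* Validate a cookie carried back in the ACK. Returns the encoded payload,
 * or (uint32_t)-1 == 4294967295 when the counter stored in the cookie is
 * maxdiff or more ticks behind `count` (a cookie "from the future" wraps
 * around the 8-bit field and is rejected the same way). */
uint32_t check_syn_cookie(uint32_t cookie, uint32_t saddr, uint32_t daddr,
                          uint16_t sport, uint16_t dport, uint32_t sseq,
                          uint32_t count, uint32_t maxdiff)
{
    uint32_t diff;

    /* strip the layers that do not depend on the counter */
    cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;

    /* cookie is now (count << 24) + low24; compare the 8-bit counters */
    diff = (count - (cookie >> COOKIEBITS)) & ((uint32_t)-1 >> COOKIEBITS);
    if (diff >= maxdiff)
        return (uint32_t)-1;   /* the "count is invalid" case from the log */

    /* peel off the counter-keyed hash, leaving the payload */
    return (cookie - cookie_hash(saddr, daddr, sport, dport, count - diff, 1))
           & COOKIEMASK;
}

/* Mint at minute counter 100 with payload 3 (constructed sample flow using
 * the log's addresses), then check it as if the ACK arrived at `now`. */
uint32_t demo_check(uint32_t now)
{
    const uint32_t c = 0xd055d3c7u, v = 0xc0a801a9u; /* 208.85.211.199 -> 192.168.1.169 */
    const uint16_t sp = 44855, dp = 80;
    const uint32_t isn = 2885093890u;                 /* constructed client ISN */
    uint32_t cookie = make_syn_cookie(c, v, sp, dp, isn, 100, 3);
    return check_syn_cookie(cookie, c, v, sp, dp, isn, now, COUNTER_TRIES);
}

int main(void)
{
    uint32_t ticks[] = { 100, 103, 104, 99 };
    for (int i = 0; i < 4; i++)
        printf("check at counter %3lu -> res=%lu\n",
               (unsigned long)ticks[i], (unsigned long)demo_check(ticks[i]));
    return 0;
}
```

Counters 100 through 103 return the payload 3; counter 104 (window exhausted) and counter 99 (minted "later" than the check, which wraps in the 8-bit field) return 4294967295, the same value the patched kernel printed as `res`. A consistent 4294967295 on every ACK therefore points either at a counter that differs between the mint and the check or at a cookie stripped with the wrong ISN/4-tuple, which is why logging the counter argument next to `res` narrows the diagnosis.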