A distribution of Linux Virtual Server with some advanced features. It introduces a new packet forwarding method, FULLNAT, in addition to NAT/Tunneling/DirectRouting, and a defense mechanism against SYN flooding attacks, SYNPROXY.
I cloned the ali_lvs v3 beta and it seems the syn cookie check fails consistently. I turned on ipvs debug and added a few debug lines as below; debug messages:
Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_rr_schedule(): Scheduling...
Jan 9 13:26:04 alilvs kernel: IPVS: RR: server 192.168.3.2:80 activeconns 0 refcnt 1 weight 1
Jan 9 13:26:04 alilvs kernel: IPVS: Bind-dest TCP c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 fwd:F s:0 conn->flags:185 conn->refcnt:1 dest->refcnt:2
Jan 9 13:26:04 alilvs kernel: IPVS: Schedule fwd:F c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 conn->flags:1C5 conn->refcnt:2
Jan 9 13:26:04 alilvs kernel: IPVS: save_xmit_info, netdevice:eth0
Jan 9 13:26:04 alilvs kernel: in syn_proxy_synack_rcv, seq = 3831808964 ack_seq = 2885093891 SA- cp->is_synproxy = 0 cp->state = 3
Jan 9 13:26:04 alilvs kernel: IPVS: eth1(): netdevice:ip_vs_save_xmit_inside_info
Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_fast_response_xmit: send skb to client!
Jan 9 13:26:04 alilvs kernel: IPVS: save_xmit_info, netdevice:eth0
Jan 9 13:26:04 alilvs kernel: IPVS: ip_vs_fast_xmit: send skb to RS!
Jan 9 13:26:04 alilvs kernel: IPVS: Unbind-dest TCP c:208.85.211.199:44855 v:192.168.1.169:80 d:192.168.3.2:80 fwd:F s:1 conn->flags:5 conn->refcnt:1 dest->refcnt:2
Jan 9 13:26:04 alilvs kernel: IPVS: Unbind-laddr TCP c:208.85.211.199:44855 v:192.168.1.169:80 l:192.168.3.168:5002 d:192.168.3.2:80 fwd:F s:1 conn->flags:5 conn->refcnt:1 local->refcnt:2
Jan 9 13:26:04 alilvs kernel: syn_cookie check res=4294967295 <=======
Jan 9 13:26:04 alilvs kernel: syn_cookie check failed seq=3831808964 <=====
Jan 9 13:26:05 alilvs kernel: syn_cookie check res=4294967295
Jan 9 13:26:05 alilvs kernel: syn_cookie check failed seq=3831808964
Jan 9 13:26:07 alilvs kernel: syn_cookie check res=4294967295
Jan 9 13:26:07 alilvs kernel: syn_cookie check failed seq=3831808964
Note that check_tcp_syn_cookie returns 4294967295 and matches the if condition in syn_proxy_v4_cookie_check():
I can reproduce the issue consistently. Please let me know what other information I can provide to resolve this issue.
[root@alilvs kernel]# git diff net/netfilter/ipvs/ip_vs_synproxy.c diff --git a/kernel/net/netfilter/ipvs/ip_vs_synproxy.c b/kernel/net/netfilter/ipvs/ip_vs_synproxy.c index 3f15ce3..d3796af 100644 --- a/kernel/net/netfilter/ipvs/ip_vs_synproxy.c +++ b/kernel/net/netfilter/ipvs/ip_vs_synproxy.c @@ -236,10 +236,15 @@ static int syn_proxy_v4_cookie_check(struct sk_buff skb, __u32 cookie, jiffies / (HZ \ 60), COUNTER_TRIES);
+ mssind = (res & IP_VS_SYNPROXY_MSS_MASK) >> IP_VS_SYNPROXY_MSS_BITS;
@@ -250,11 +255,16 @@ static int syn_proxy_v4_cookie_check(struct sk_buff *skb, IP_VS_SYNPROXY_TSOK_BIT; opt->snd_wscale = (res & IP_VS_SYNPROXY_SND_WSCALE_MASK) >> IP_VS_SYNPROXY_SND_WSCALE_BITS;
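Review bot: In the first hunk (@@ -236,10 +236,15 @@) the added line `mssind = (res & IP_VS_SYNPROXY_MSS_MASK) >> IP_VS_SYNPROXY_MSS_BITS;` sits directly after the `check_tcp_syn_cookie(...)` call, while the log shows that call returning `res=4294967295`, i.e. the `(__u32)-1` failure value; please confirm in the full diff that the comparison against that sentinel runs before `res` is masked, because masking the failure value yields an index that looks valid. The pasted hunk header also reads `struct sk_buff skb` and `HZ \ 60`, which look like `*` characters eaten by markdown, so the diff should be reposted inside a code fence.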
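Review bot: The second hunk (@@ -250,11 +255,16 @@) shows only context lines (`IP_VS_SYNPROXY_TSOK_BIT;` and `opt->snd_wscale = (res & IP_VS_SYNPROXY_SND_WSCALE_MASK) >> IP_VS_SYNPROXY_SND_WSCALE_BITS;`) and none of the `+` lines that emit the `syn_cookie check res=` and `syn_cookie check failed seq=` messages, so the printk behind `res=4294967295` cannot be tied to a source location; please include the complete `git diff` output so the added debug lines and their position relative to the `(__u32)-1` test are visible.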
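As an added illustration of what the failing check in this issue is guarding, here is a constructed user-space model of a SYNPROXY-style SYN cookie; it is not LVS code and does not reproduce the kernel's hash. The cookie layout, the `mix` function, the `secret_keys`, the option-bit masks (`SP_MSS_MASK` and the other `SP_*` names) and the `msstab` values are all assumptions. It demonstrates the two outcomes a caller has to separate: the `(__u32)-1` sentinel (the 4294967295 in the logs) for a stale cookie, which must be tested before any field is masked out of `res`, and a structurally valid result whose MSS index is out of range.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a SYNPROXY-style SYN cookie (not LVS code).
 * Layout follows the classic Linux syncookie scheme: an 8-bit counter in the
 * top byte and 24 bits of hashed option data below it. The mixing function
 * and secret keys are stand-ins for the kernel's keyed hash. */

#define COOKIEBITS     24
#define COOKIEMASK     ((1u << COOKIEBITS) - 1)
#define COOKIE_FAIL    ((uint32_t)-1)   /* 4294967295: the value seen in the logs */
#define MAX_COOKIE_AGE 2                /* counter ticks a cookie stays valid */

/* Option bits packed into the 24-bit data field (hypothetical layout). */
#define SP_MSS_MASK     0x07u
#define SP_MSS_SHIFT    0
#define SP_WSCALE_MASK  0x78u
#define SP_WSCALE_SHIFT 3
#define SP_SACK_BIT     0x80u
#define SP_TSOK_BIT     0x100u

static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };          /* 4 valid indices */
static const uint32_t secret_keys[2] = { 0x1badb002u, 0xdeadbeefu };  /* constructed */

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
struct synproxy_opt { uint16_t mss; uint8_t snd_wscale; int sack_ok, tstamp_ok; };

/* Toy keyed mixer standing in for the kernel's cookie hash. */
static uint32_t mix(uint32_t a, uint32_t b, uint32_t c, uint32_t key)
{
    uint32_t h = key ^ 0x9e3779b9u;
    h ^= a; h *= 0x85ebca6bu; h ^= h >> 13;
    h ^= b; h *= 0xc2b2ae35u; h ^= h >> 16;
    h ^= c; h *= 0x27d4eb2fu; h ^= h >> 15;
    return h;
}

static uint32_t cookie_hash(const struct flow *f, uint32_t count, int which)
{
    return mix(f->saddr ^ (f->daddr * 31u),
               ((uint32_t)f->sport << 16) | f->dport, count, secret_keys[which]);
}

uint32_t pack_opts(unsigned mssind, unsigned wscale, int sack, int tsok)
{
    return (mssind << SP_MSS_SHIFT) | (wscale << SP_WSCALE_SHIFT)
         | (sack ? SP_SACK_BIT : 0) | (tsok ? SP_TSOK_BIT : 0);
}

/* Build the ISN sent in our SYN-ACK: count in the top byte, options below. */
uint32_t cookie_encode(const struct flow *f, uint32_t sseq, uint32_t count, uint32_t data)
{
    return cookie_hash(f, 0, 0) + sseq + (count << COOKIEBITS)
         + ((cookie_hash(f, count, 1) + data) & COOKIEMASK);
}

/* Returns the 24-bit option data, or COOKIE_FAIL if the cookie is too old. */
uint32_t cookie_check(const struct flow *f, uint32_t sseq, uint32_t cookie, uint32_t now_count)
{
    cookie -= cookie_hash(f, 0, 0) + sseq;
    uint32_t count_field = cookie >> COOKIEBITS;
    uint32_t diff = (now_count - count_field) & 0xffu;
    if (diff > MAX_COOKIE_AGE)
        return COOKIE_FAIL;
    return (cookie - cookie_hash(f, now_count - diff, 1)) & COOKIEMASK;
}

/* The caller-side logic: test the sentinel first, then validate each field. */
int cookie_check_and_decode(const struct flow *f, uint32_t sseq, uint32_t cookie,
                            uint32_t now_count, struct synproxy_opt *opt)
{
    uint32_t res = cookie_check(f, sseq, cookie, now_count);
    if (res == COOKIE_FAIL)
        return 0;                          /* stale cookie: drop the ACK */
    uint32_t mssind = (res & SP_MSS_MASK) >> SP_MSS_SHIFT;
    if (mssind >= sizeof msstab / sizeof msstab[0])
        return 0;                          /* decoded but nonsensical: drop */
    opt->mss        = msstab[mssind];
    opt->snd_wscale = (uint8_t)((res & SP_WSCALE_MASK) >> SP_WSCALE_SHIFT);
    opt->sack_ok    = !!(res & SP_SACK_BIT);
    opt->tstamp_ok  = !!(res & SP_TSOK_BIT);
    return 1;
}

int main(void)
{
    /* Client/VIP from the logged connection; sequence number is constructed. */
    struct flow f = { 0xd055d3c7u, 0xc0a801a9u, 44855, 80 };
    uint32_t sseq = 3831808963u;
    uint32_t c = cookie_encode(&f, sseq, 100, pack_opts(2, 7, 1, 0));
    struct synproxy_opt o;
    printf("fresh : ok=%d\n", cookie_check_and_decode(&f, sseq, c, 101, &o));
    printf("stale : res=%u\n", cookie_check(&f, sseq, c, 103));
    return 0;
}
```

The point the model makes explicit is that `cookie_check` has exactly one failure value, and every field extraction in the caller is only meaningful on the other side of that comparison; a decoded MSS index still needs its own range check because the hash only binds the cookie to the flow and counter, not to sensible option values.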