in-kernel PM: listen socket: support "behind a NAT" use case

[shockx2]

Currently, if the server is behind a NAT/LB/..., adding an endpoint with a "public" (exposed) IP and a custom port would fail because the in-kernel PM will try to create a listening socket with an IP not allocated on the system: -99: Cannot assign requested address.

It is possible to work around that by adding the exposed IP on the loopback interface but the listen socket created by the in-kernel PM will be useless as it will bind on the "public" (exposed) IP, not the "private" (internal) one.

A solution could be to extend the current API to allow something like:

ip mptcp endpoint add <exposed address> dev <NIC> listen <internal address or 0.0.0.0> port <port> signal

listen will need port (and signal).

(no-listen flag could also be use not to create a listening socket automatically when a port is given)

---

Original bug report:

Hello I'm very interested in all about MPTCP. Thank you MPTCP team.

And, I experiment to apply MPTCP for video streaming. The simple command is proof of concept of availability of MPTCP for streaming. But, MPTCP is fallback to single TCP. Other applications e.g. iperf3 that works very well.

Environments

• Host A: MPTCP client (linux v6.2.0-rc4) 10.0.0.2 10.0.1.2 ip mptcp endpoint 10.0.0.2 id 1 subflow dev h1-eth0 10.0.1.2 id 2 subflow dev h1-eth1

• Host B: MPTCP server (linux v6.2.0-rc4) 10.0.2.2

Command: Host A(Client): mptcpize run -d gst-launch-1.0 videotestsrc ! tcpclientsink host=10.0.2.2 port=40000 Host B(Server): mptcpize run -d gst-launch-1.0 tcpserversrc host=0.0.0.0 port=40000 ! filesink location=./output Run Host B first, and Host A later. Then the server saves output file for receiving data. But, MPTCP is not working. second subflow is reset.

Result: wireshark

1   0.000000000 10.0.0.2    10.0.2.2    MPTCP   80  50036 → 40000 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM=1 TSval=630985339 TSecr=0 WS=512
2   0.000046971 10.0.2.2    10.0.0.2    MPTCP   88  40000 → 50036 [SYN, ACK] Seq=0 Ack=1 Win=43440 Len=0 MSS=1460 SACK_PERM=1 TSval=4012900360 TSecr=630985339 WS=512
3   0.000068303 10.0.0.2    10.0.2.2    MPTCP   88  50036 → 40000 [ACK] Seq=1 Ack=1 Win=42496 Len=0 TSval=630985339 TSecr=4012900360
4   0.001566001 10.0.0.2    10.0.2.2    MPTCP   7212    50036 → 40000 [PSH, ACK] Seq=1 Ack=1 Win=42496 Len=7120 TSval=630985341 TSecr=4012900360 [TCP segment of a reassembled PDU]
5   0.001598651 10.0.2.2    10.0.0.2    MPTCP   80  40000 → 50036 [ACK] Seq=1 Ack=7121 Win=39936 Len=0 TSval=4012900362 TSecr=630985341
6   0.001723756 10.0.1.2    10.0.2.2    MPTCP   88  52019 → 40000 [SYN] Seq=0 Win=42496 Len=0 MSS=1460 SACK_PERM=1 TSval=1966134748 TSecr=0 WS=512 ###
7   0.002074009 10.0.2.2    10.0.1.2    TCP 56  40000 → 52019 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 ###
8   0.006433137 10.0.0.2    10.0.2.2    TCP 7212    50036 → 40000 [PSH, ACK] Seq=7121 Ack=1 Win=42496 Len=7120 TSval=630985341 TSecr=4012900360 [TCP segment of a reassembled PDU]
9   0.006466182 10.0.2.2    10.0.0.2    MPTCP   80  40000 → 50036 [ACK] Seq=1 Ack=14241 Win=39936 Len=0 TSval=4012900367 TSecr=630985341
10  0.012425790 10.0.0.2    10.0.2.2    TCP 7212    50036 → 40000 [PSH, ACK] Seq=14241 Ack=1 Win=42496 Len=7120 TSval=630985341 TSecr=4012900362 [TCP segment of a reassembled PDU]
11  0.012471922 10.0.2.2    10.0.0.2    MPTCP   80  40000 → 50036 [ACK] Seq=1 Ack=21361 Win=39936 Len=0 TSval=4012900373 TSecr=630985341

And iperf3 result below Command: Host B: mptcpize run -d iperf3 -s Host A: mptcpize run -d iperf3 -c 10.0.2.2

Result: It works well.

1   0.000000000 10.0.0.2    10.0.2.2    MPTCP   80  53982 → 5201 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM=1 TSval=631071184 TSecr=0 WS=512
2   0.000092389 10.0.2.2    10.0.0.2    MPTCP   88  5201 → 53982 [SYN, ACK] Seq=0 Ack=1 Win=43440 Len=0 MSS=1460 SACK_PERM=1 TSval=4012986205 TSecr=631071184 WS=512
3   0.000148964 10.0.0.2    10.0.2.2    MPTCP   88  53982 → 5201 [ACK] Seq=1 Ack=1 Win=42496 Len=0 TSval=631071184 TSecr=4012986205
4   0.000277911 10.0.0.2    10.0.2.2    MPTCP   129 53982 → 5201 [PSH, ACK] Seq=1 Ack=1 Win=42496 Len=37 TSval=631071184 TSecr=4012986205
5   0.000357607 10.0.2.2    10.0.0.2    MPTCP   80  5201 → 53982 [ACK] Seq=1 Ack=38 Win=43520 Len=0 TSval=4012986205 TSecr=631071184
6   0.000419136 10.0.2.2    10.0.0.2    MPTCP   97  5201 → 53982 [PSH, ACK] Seq=1 Ack=38 Win=43520 Len=1 TSval=4012986205 TSecr=631071184
7   0.000471001 10.0.0.2    10.0.2.2    MPTCP   80  53982 → 5201 [ACK] Seq=38 Ack=2 Win=42496 Len=0 TSval=631071184 TSecr=4012986205
8   0.000591673 10.0.0.2    10.0.2.2    MPTCP   100 53982 → 5201 [PSH, ACK] Seq=38 Ack=2 Win=42496 Len=4 TSval=631071184 TSecr=4012986205
9   0.000794230 10.0.1.2    10.0.2.2    MPTCP   88  51285 → 5201 [SYN] Seq=0 Win=42496 Len=0 MSS=1460 SACK_PERM=1 TSval=1966220591 TSecr=0 WS=512
10  0.000855521 10.0.2.2    10.0.1.2    MPTCP   92  5201 → 51285 [SYN, ACK] Seq=0 Ack=1 Win=43440 Len=0 MSS=1460 SACK_PERM=1 TSval=408156345 TSecr=1966220591 WS=512
11  0.000908853 10.0.1.2    10.0.2.2    MPTCP   92  51285 → 5201 [ACK] Seq=1 Ack=1 Win=42496 Len=0 TSval=1966220592 TSecr=408156345
12  0.000993630 10.0.2.2    10.0.1.2    MPTCP   80  [TCP Window Update] 5201 → 51285 [ACK] Seq=1 Ack=1 Win=43520 Len=0 TSval=408156345 TSecr=1966220592
13  0.042926949 10.0.2.2    10.0.0.2    MPTCP   80  5201 → 53982 [ACK] Seq=2 Ack=42 Win=43520 Len=0 TSval=4012986248 TSecr=631071184

Thank you again!!

[matttbe]

Hi @shockx2

Do you know if your GST server close the listening socket after having accepted the first connection? (e.g. do you have to relaunch the server after the client got disconnected?) strace should be able to explain what's going on.

For MPTCP, we need to have a socket listening to accept more subflows.

If it is the case and if you cannot modify your app, a way to work around this is to have another app doing a listen() on the same port and specific to the second interface. mptcpd should be able to do that: https://github.com/intel/mptcpd/issues/223 Or try with Python for example to create an MPTCP socket and bind on the specific IP/Port of the second interface, e.g.

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_MPTCP)
s.bind(("10.0.2.2", 40000))
s.listen(1)

(Mmh, but that's the same IP as the initial subflow, the server only has one IP :-/)

[pabeni]

strace shows that gst-launch-1.0 closes the listener socket just after accepting the first subflow. As guess by Mat, that is the root cause of the failure.

An alternative workaround, beyond the already proposed ones would be adding on the server side a port-based endpoint:

ip mptcp endpoint add 10.0.2.2 port 12345 signal

set the 'fullmesh' flag on the client endpoints, and increases max subflow limit:

ip mptcp limit set subflows 4 ip mptcp endpoint add 10.0.0.2 dev h1-eth0 subflow fullmesh ip mptcp endpoint add 10.0.1.2 dev h1-eth1 subflow fullmesh

Side note: could you please share your routing configuration, too? e.g. the output of ip addr; ip route on both the client and the server.

[shockx2]

Very thank you. @matttbe @pabeni It' almost resolved. I try the workaroud. But, it does't work. So, I make some modify. And, it works!

• Host B (Server): ip mptcp limits set add_addr_accepted 4 subflows 4 ip mptcp endpoint add 10.0.2.2 port 12345 signal
• Host A (Client): ip mptcp limits set add_addr_accepted 4 subflows 4 ip mptcp endpoint add 10.0.0.2 dev h1-eth0 fullmesh ip mptcp endpoint add 10.0.1.2 dev h1-eth1 fullmesh

I try the solution to AWS EC2 instance(Server), and my local PC(Client). Server instance has public IP and private IP. ip mptcp endpoint add <public IP> port 12345 signal result is Cannot assign requested address ip mptcp endpoint add <private IP> port 12345 signal is good.

But, 2nd endpoint advertising is not working. I think, it is cause by NAT.

@pabeni my routing configuration is (this is mininet environment)

• Server

  $ ip addr
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 scope host lo
     valid_lft forever preferred_lft forever
  inet6 ::1/128 scope host 
     valid_lft forever preferred_lft forever
  2: h2-eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
  link/ether 0a:d7:8d:d0:ab:f7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  inet 10.0.2.2/24 brd 10.0.2.255 scope global h2-eth0
     valid_lft forever preferred_lft forever
  inet6 fe80::8d7:8dff:fed0:abf7/64 scope link 
     valid_lft forever preferred_lft forever

  $ ip route
  default via 10.0.2.1 dev h2-eth0 
  10.0.2.0/24 dev h2-eth0 proto kernel scope link src 10.0.2.2 

• Client

  ip addr
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 scope host lo
     valid_lft forever preferred_lft forever
  inet6 ::1/128 scope host 
     valid_lft forever preferred_lft forever
  2: h1-eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
  link/ether ba:b7:51:fe:91:21 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  inet 10.0.0.2/24 brd 10.0.0.255 scope global h1-eth0
     valid_lft forever preferred_lft forever
  inet6 fe80::b8b7:51ff:fefe:9121/64 scope link 
     valid_lft forever preferred_lft forever
  3: h1-eth1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
  link/ether 4e:9f:d0:4b:29:3f brd ff:ff:ff:ff:ff:ff link-netnsid 0
  inet 10.0.1.2/24 brd 10.0.1.255 scope global h1-eth1
     valid_lft forever preferred_lft forever
  inet6 fe80::4c9f:d0ff:fe4b:293f/64 scope link 
     valid_lft forever preferred_lft forever

  $ ip route
  default via 10.0.0.1 dev h1-eth0 
  10.0.0.0/24 dev h1-eth0 proto kernel scope link src 10.0.0.2 
  10.0.1.0/24 dev h1-eth1 proto kernel scope link src 10.0.1.2 

Thank you.

[matttbe]

Server instance has public IP and private IP. ip mptcp endpoint add <public IP> port 12345 signal result is Cannot assign requested address ip mptcp endpoint add <private IP> port 12345 signal is good.

But, 2nd endpoint advertising is not working. I think, it is cause by NAT.

@shockx2 you need then to announce the public IP to be reachable from the client side.

Mmh yes, the in-kernel PM doesn't create a new socket with "freebind". This could be changed I suppose.

While trying workarounds, can you first try to add the public IP to the loopback interface?

ip addr add <public IP>/32 dev lo

Then add the new endpoint using the public IP?

You will need to add an IP rule and route to use the right interface when the source IP is the one linked to the "second" interface

https://multipath-tcp.org/pmwiki.php/Users/ConfigureRouting

Something like this I suppose:

ip rule add from <public IP> table 42
ip route add default via 10.0.1.2 dev h1-eth1 table 42

But maybe you will need to has a SNAT rule to change public IP to source IP... :-)

[shockx2]

Thank you, very much @matttbe

I am understanding that the "freebind" means that it makes PM can announces public IP to client. right?

I think another workaround that the announcing packet modification by eBPF to send public IP. I will try that. How do you think?

Thank you.

[matttbe]

I am understanding that the "freebind" means that it makes PM can announces public IP to client. right?

It would allow the kernel to create a listening socket on an IP it doesn't own. It could be needed in some cases but in yours, that will partly help you:

• the command will succeed
• an ADD_ADDR with the right IP will be sent
• the kernel will listen on packets arriving with the public IP (and specified port): the kernel will not see such packets if there is a NAT before.

I see two solutions (that could be combined) for your case (being a NAT and an app closing the listening socket after the accept()):

• the in-kernel PM should not fail if it is not able to create a listening socket
• a flag can be added not to create a listening socket

(@pabeni: what do you think?)

In both cases, it means you will have to create the listening socket, e.g. with Python:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 262)
s.bind(("<private IP>", <port>))
s.listen(1024)

while True:
  ss = s.accept()
  print(ss)
  ss[0].close()

I think another workaround that the announcing packet modification by eBPF to send public IP.

It is not easy because there is an HMAC to avoid having this address being modified by someone else (or "injected").

With the current situation, I think the best is either to:

• announce the Public IP with the same port:
  • add the endpoint (signal) with the public IP
  • create a listening socket on the private IP + the same port as the app
• announce the Public IP with a different port:
  • add the public IP on the loopback interface (this step would not be needed if the kernel is modified with at least one of the two solutions I proposed here above)
  • add the endpoint (signal) with the public IP + a new port
  • create a listening socket on the private IP + the same port

Does it work for you?

[pabeni]

I see two solutions (that could be combined) for your case (being a NAT and an app closing the listening socket after the accept()):

* the in-kernel PM should not fail if it is not able to create a listening socket

* a flag can be added not to create a listening socket

(@pabeni: what do you think?)

both option will fail ?!? if the listener socket is not created, and the server closes the port after connect, I don't see how the subflow created by the client could fail. Since this thing looks very specific to NAT, and the admin need to know the NAT details (exposed address, local address) I think we could change the in-kernel PM to listen on a different address other then the signaled one, something alike:

ip mptcp endpoint add <exposed address> dev <NIC> listen <internal address or 0.0.0.0> signal

[pabeni]

side note: the client routing configuration looks broken. Specifically I don't see how the client could connect from h1-eth1/10.0.1.2 towards the server, since it lacks a suitable route. e.g.

ping -I h1-eth1 <server public IP>

from the client should fail - while it should be successful from h1-eth0

[matttbe]

@pabeni thank you for your reply!

both option will fail ?!? if the listener socket is not created, and the server closes the port after connect, I don't see how the subflow created by the client could fail.

Yes indeed. But it is possible to work around this issue by creating this listening socket as suggested with the Python code, no?

Since this thing looks very specific to NAT, and the admin need to know the NAT details (exposed address, local address) I think we could change the in-kernel PM to listen on a different address other then the signaled one, something alike:

ip mptcp endpoint add <exposed address> dev <NIC> listen <internal address or 0.0.0.0> signal

Indeed, it would be cleaner and clearer.

I can update the ticket to switch to "feature request"

[shockx2]

I am understanding that the "freebind" means that it makes PM can announces public IP to client. right?

It would allow the kernel to create a listening socket on an IP it doesn't own. It could be needed in some cases but in yours, that will partly help you:

• the command will succeed
• an ADD_ADDR with the right IP will be sent
• the kernel will listen on packets arriving with the public IP (and specified port): the kernel will not see such packets if there is a NAT before.

I see two solutions (that could be combined) for your case (being a NAT and an app closing the listening socket after the accept()):

• the in-kernel PM should not fail if it is not able to create a listening socket
• a flag can be added not to create a listening socket

(@pabeni: what do you think?)

In both cases, it means you will have to create the listening socket, e.g. with Python:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 262)
s.bind(("<private IP>", <port>))
s.listen(1024)

while True:
  ss = s.accept()
  print(ss)
  ss[0].close()

I think another workaround that the announcing packet modification by eBPF to send public IP.

It is not easy because there is an HMAC to avoid having this address being modified by someone else (or "injected").

With the current situation, I think the best is either to:

• announce the Public IP with the same port:

  • add the endpoint (signal) with the public IP
  • create a listening socket on the private IP + the same port as the app

• announce the Public IP with a different port:

  • add the public IP on the loopback interface (this step would not be needed if the kernel is modified with at least one of the two solutions I proposed here above)
  • add the endpoint (signal) with the public IP + a new port
  • create a listening socket on the private IP + the same port

Does it work for you?

Thank you @matttbe I tried the workaround. But, it doesn't work.

1. I tested by iperf3 that does not close listening socket. It can be clear to resolve NAT issue.
2. In server, changed the loopback address from 127.0.0.1 to public IP
3. In server, add endpoint with public ip and port (ip mptcp endpoint add 5.38.112.212 port 12345 signal) is good!!
4. In client, add endpoint (192.168.0.52 id 1 fullmesh dev wlp0s20f3) But, server sends RST (twice) I tested client with single interface(single fullmesh endpoint), because I want to understand about fullmesh mechanism. I expected that the client fullmesh endpoint makes 2 subflow with server's application listening socket and signal endpoint(port 12345) But, it does no work. (Server: Kernel v6.0.0, Client: Kernel v6.2.0-rc4)

Client's wireshark

3535    66.936254272    5.38.112.212    192.168.0.52    MPTCP   86  5201 → 41764 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=1460 SACK_PERM=1 TSval=1270292065 TSecr=2434907681 WS=128
3536    66.936316755    192.168.0.52    5.38.112.212    MPTCP   86  41764 → 5201 [ACK] Seq=1 Ack=1 Win=42496 Len=0 TSval=2434907687 TSecr=1270292065
3537    66.936405351    192.168.0.52    5.38.112.212    MPTCP   127 41764 → 5201 [PSH, ACK] Seq=1 Ack=1 Win=42496 Len=37 TSval=2434907687 TSecr=1270292065
3541    66.943542084    5.38.112.212    192.168.0.52    MPTCP   78  5201 → 41764 [ACK] Seq=1 Ack=38 Win=62720 Len=0 TSval=1270292073 TSecr=2434907687
3542    66.943542355    5.38.112.212    192.168.0.52    MPTCP   95  5201 → 41764 [PSH, ACK] Seq=1 Ack=38 Win=62720 Len=1 TSval=1270292073 TSecr=2434907687
3543    66.943542406    5.38.112.212    192.168.0.52    MPTCP   86  [TCP Dup ACK 3541#1] 5201 → 41764 [ACK] Seq=2 Ack=38 Win=62720 Len=0 TSval=1270292073 TSecr=2434907687
3544    66.943603566    192.168.0.52    5.38.112.212    MPTCP   78  41764 → 5201 [ACK] Seq=38 Ack=2 Win=42496 Len=0 TSval=2434907694 TSecr=1270292073
3545    66.943648239    192.168.0.52    5.38.112.212    MPTCP   78  [TCP Dup ACK 3544#1] 41764 → 5201 [ACK] Seq=38 Ack=2 Win=42496 Len=0 TSval=2434907694 TSecr=1270292073
3546    66.943701675    192.168.0.52    5.38.112.212    MPTCP   86  38873 → 12345 [SYN] Seq=0 Win=42496 Len=0 MSS=1460 SACK_PERM=1 TSval=2434907695 TSecr=0 WS=512
3547    66.943815783    192.168.0.52    5.38.112.212    MPTCP   98  41764 → 5201 [PSH, ACK] Seq=38 Ack=2 Win=42496 Len=4 TSval=2434907695 TSecr=1270292073
**3548  66.951025150    5.38.112.212    192.168.0.52    TCP 54  12345 → 38873 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0**
3549    66.951115913    192.168.0.52    5.38.112.212    MPTCP   194 41764 → 5201 [PSH, ACK] Seq=42 Ack=2 Win=42496 Len=100 TSval=2434907702 TSecr=1270292073
3550    66.957025451    5.38.112.212    192.168.0.52    MPTCP   78  5201 → 41764 [ACK] Seq=2 Ack=142 Win=62720 Len=0 TSval=1270292086 TSecr=2434907695
3551    66.957067340    192.168.0.52    5.38.112.212    MPTCP   198 41764 → 5201 [PSH, ACK] Seq=142 Ack=2 Win=42496 Len=104 TSval=2434907708 TSecr=1270292086
3552    66.957103906    5.38.112.212    192.168.0.52    MPTCP   95  5201 → 41764 [PSH, ACK] Seq=2 Ack=142 Win=62720 Len=1 TSval=1270292086 TSecr=2434907695
3553    66.957338796    192.168.0.52    5.38.112.212    MPTCP   78  41772 → 5201 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM=1 TSval=2434907708 TSecr=0 WS=512
3554    66.963632852    5.38.112.212    192.168.0.52    MPTCP   86  5201 → 41772 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=1460 SACK_PERM=1 TSval=1270292093 TSecr=2434907708 WS=128
3555    66.963696106    192.168.0.52    5.38.112.212    MPTCP   86  41772 → 5201 [ACK] Seq=1 Ack=1 Win=42496 Len=0 TSval=2434907715 TSecr=1270292093
3556    66.963806293    192.168.0.52    5.38.112.212    MPTCP   127 41772 → 5201 [PSH, ACK] Seq=1 Ack=1 Win=42496 Len=37 TSval=2434907715 TSecr=1270292093
3557    66.969415121    5.38.112.212    192.168.0.52    MPTCP   86  [TCP Window Update] 5201 → 41772 [ACK] Seq=1 Ack=1 Win=62720 Len=0 TSval=1270292099 TSecr=2434907715
3558    66.969431544    192.168.0.52    5.38.112.212    MPTCP   78  41772 → 5201 [ACK] Seq=38 Ack=1 Win=42496 Len=0 TSval=2434907720 TSecr=1270292099
3559    66.969440281    5.38.112.212    192.168.0.52    MPTCP   78  5201 → 41772 [ACK] Seq=1 Ack=38 Win=62720 Len=0 TSval=1270292099 TSecr=2434907715
3560    66.969464162    192.168.0.52    5.38.112.212    MPTCP   86  49303 → 12345 [SYN] Seq=0 Win=42496 Len=0 MSS=1460 SACK_PERM=1 TSval=2434907720 TSecr=0 WS=512
**3561  66.976147257    5.38.112.212    192.168.0.52    TCP 54  12345 → 49303 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0**
3562    66.998854885    192.168.0.52    5.38.112.212    MPTCP   78  41764 → 5201 [ACK] Seq=246 Ack=3 Win=42496 Len=0 TSval=2434907750 TSecr=1270292086
3563    67.006231584    5.38.112.212    192.168.0.52    MPTCP   96  5201 → 41764 [PSH, ACK] Seq=3 Ack=246 Win=62720 Len=2 TSval=1270292134 TSecr=2434907708
3564    67.006246149    192.168.0.52    5.38.112.212    MPTCP   78  41764 → 5201 [ACK] Seq=246 Ack=5 Win=42496 Len=0 TSval=2434907757 TSecr=1270292134
3565    67.006273710    192.168.0.52    5.38.112.212    MPTCP   7210    41772 → 5201 [PSH, ACK] Seq=38 Ack=1 Win=42496 Len=7120 TSval=2434907757 TSecr=1270292099```

[matttbe]

Hello,

Thank you @matttbe I tried the workaround. But, it doesn't work.

1. I tested by iperf3 that does not close listening socket. It can be clear to resolve NAT issue.

If your app doesn't close the listening socket, you don't need the workaround that force creating a listening socket. All you need is to add the signal endpoint on the server using the public IP: it will send an ADD_ADDR with the public IP and the server should accept the MP_JOIN from the client, no?

2. In server, changed the loopback address from 127.0.0.1 to public IP

You should keep 127.0.0.1 but add a new one.

3. In server, add endpoint with public ip and port (ip mptcp endpoint add 5.38.112.212 port 12345 signal) is good!!

Yes but the listening socket will only listen on the public IP. But the server will receive the packet modified by the NAT: with the private IP.

4. In client, add endpoint (192.168.0.52 id 1 fullmesh dev wlp0s20f3)
   But, server sends RST (twice)
   I tested client with single interface(single fullmesh endpoint), because I want to understand about fullmesh mechanism.
   I expected that the client fullmesh endpoint makes 2 subflow with server's application listening socket and signal endpoint(port 12345)
   But, it does no work.
   (Server: Kernel v6.0.0, Client: Kernel v6.2.0-rc4)

Client's wireshark

Do you have the packet trace instead? (export the trace and zip it to join it here) We don't have all the details.