netfilter-devel.vger.kernel.org archive mirror
* Mysql has problem with synproxy
@ 2019-11-19  8:10 İbrahim Ercan
From: İbrahim Ercan @ 2019-11-19  8:10 UTC (permalink / raw)
  To: netfilter-devel, netfilter

Hi.
We are having a problem with mysql and synproxy. While other tcp apps
work fine on the same server, the mysql server does not seem to work
properly when we activate synproxy.

These are the handshake packets with synproxy deactivated. 10.0.0.1 is
the server.

14:28:57.344688 IP 10.0.0.2.59924 > 10.0.0.1.3336: Flags [S], seq
2738839797, win 29200, options [mss 1460,sackOK,TS val 1776041 ecr
0,nop,wscale 7], length 0
14:28:57.344836 IP 10.0.0.1.3336 > 10.0.0.2.59924: Flags [S.], seq
3873797148, ack 2738839798, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 3220882344 ecr 1776041], length 0
14:28:57.344961 IP 10.0.0.2.59924 > 10.0.0.1.3336: Flags [.], ack 1,
win 229, options [nop,nop,TS val 1776041 ecr 3220882344], length 0

Here the client is able to connect without any problem. The server has
wscale 6 and mss 1460, so we added synproxy rules as below:

iptables -t raw -A PREROUTING -i enp12s0f0 -p tcp --syn -j CT --notrack
iptables -t filter -A FORWARD  -i enp12s0f0 -p tcp -m state --state
INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --mss 1460
--wscale 6
iptables -t filter -A FORWARD -i enp12s0f0 -p tcp -m state --state
INVALID -j DROP

After synproxy is activated, the server sends a reset and rejects the
connection. Here are the packets we captured between client and
firewall and between firewall and server.

Between client and firewall
14:28:12.343253 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [S], seq
1356993242, win 29200, options [mss 1460,sackOK,TS val 1731041 ecr
0,nop,wscale 7], length 0
14:28:12.343280 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [S.], seq
2278099588, ack 1356993243, win 0, options [mss 1460,sackOK,TS val
1423321111 ecr 1731041,nop,wscale 6], length 0
14:28:12.343439 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [.], ack 1,
win 229, options [nop,nop,TS val 1731042 ecr 1423321111], length 0
14:28:12.343611 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [.], ack 1,
win 1023, options [nop,nop,TS val 1423321111 ecr 1731042], length 0
14:28:12.343692 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [R], seq
2278099589, win 0, length 0

Between firewall and server
14:28:12.343459 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [S], seq
1356993242, win 229, options [mss 1460,sackOK,TS val 1731042 ecr
1423321111,nop,wscale 7], length 0
14:28:12.343583 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [S.], seq
1666149016, ack 1356993243, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 109930553 ecr 1731042], length 0
14:28:12.343602 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [.], ack 1,
win 229, options [nop,nop,TS val 1731042 ecr 3091507291], length 0
14:28:12.343686 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [R], seq
1666149017, win 0, length 0

Here mysql runs on freebsd, and since it is a real system, that makes
it harder to debug. Any idea what causes this?

Regards.

--
İbrahim Ercan


* Re: Mysql has problem with synproxy
From: Florian Westphal @ 2019-11-22 12:32 UTC (permalink / raw)
  To: İbrahim Ercan; +Cc: netfilter-devel, netfilter

İbrahim Ercan <ibrahim.metu@gmail.com> wrote:
> iptables -t raw -A PREROUTING -i enp12s0f0 -p tcp --syn -j CT --notrack
> iptables -t filter -A FORWARD  -i enp12s0f0 -p tcp -m state --state
> INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --mss 1460
> --wscale 6
> iptables -t filter -A FORWARD -i enp12s0f0 -p tcp -m state --state
> INVALID -j DROP

Does it work when you omit --timestamp?

> Between firewall and server
> 14:28:12.343459 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [S], seq 1356993242, win 229, options [mss 1460,sackOK,TS val 1731042 ecr 1423321111,nop,wscale 7], length 0

Oh, this is a bug, but I don't know if that is the reason for the
failure.  ecr should be reset to 0.

I suspect this patch would fix it:

diff --git a/net/netfilter/nf_synproxy_core.c
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -174,6 +174,7 @@ synproxy_check_timestamp_cookie(struct synproxy_options *opts)
        opts->options |= opts->tsecr & (1 << 4) ?
	NF_SYNPROXY_OPT_SACK_PERM : 0;
 
        opts->options |= opts->tsecr & (1 << 5) ?
	NF_SYNPROXY_OPT_ECN : 0;
+       opts->tsecr = 0;
 }
 
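Review bot: the added `opts->tsecr = 0;` sits after the last read of opts->tsecr in synproxy_check_timestamp_cookie(), so the SACK_PERM and ECN bits are still decoded from the cookie before it is cleared; the ordering is right, but the line deserves a one-line comment saying why (the SYN later forwarded to the backend must not echo the client's timestamp, as TSecr is only meaningful on segments with ACK set), since nothing in the visible function hints that tsecr is reused as the outgoing TS ecr. The mail also shows only the hunk without a changelog line describing the symptom (non-zero ecr in the forwarded SYN), which a proper submission should carry.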
> 14:28:12.343583 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [S.], seq 1666149016, ack 1356993243, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 109930553 ecr 1731042], length 0
> 14:28:12.343602 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [.], ack 1, win 229, options [nop,nop,TS val 1731042 ecr 3091507291], length 0

I assume the 'ack 1' is tcpdump being too helpful? (-S to disable).
I can't see anything wrong here, sorry.


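As an added example (not code from the thread or from the netfilter tree), a small parser for tcpdump lines of the shape quoted above that checks the two things this thread turns on: that a SYN leaving the proxy carries TS ecr 0, and that the backend's SYN-ACK options match the values configured on -j SYNPROXY. The sample input is the firewall-to-server capture quoted above, re-joined to one line per segment.

```python
import re

# Sample input: the three firewall-to-server segments quoted in this thread,
# re-joined to one line each (the mail archive wraps them).
CAPTURE = """\
14:28:12.343459 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [S], seq 1356993242, win 229, options [mss 1460,sackOK,TS val 1731042 ecr 1423321111,nop,wscale 7], length 0
14:28:12.343583 IP 10.0.0.1.3336 > 10.0.0.2.59586: Flags [S.], seq 1666149016, ack 1356993243, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 109930553 ecr 1731042], length 0
14:28:12.343602 IP 10.0.0.2.59586 > 10.0.0.1.3336: Flags [.], ack 1, win 229, options [nop,nop,TS val 1731042 ecr 3091507291], length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)")

def parse_options(text):
    """tcpdump option list -> dict; nop and unknown tokens are skipped."""
    opts = {}
    for tok in (t.strip() for t in text.split(",")):
        if tok.startswith("mss "):
            opts["mss"] = int(tok[4:])
        elif tok.startswith("wscale "):
            opts["wscale"] = int(tok[7:])
        elif tok == "sackOK":
            opts["sack"] = True
        elif tok.startswith("TS val "):
            val, ecr = re.match(r"TS val (\d+) ecr (\d+)", tok).groups()
            opts["tsval"], opts["tsecr"] = int(val), int(ecr)
    return opts

def parse_capture(text):
    pkts = [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]
    for p in pkts:
        p["opts"] = parse_options(p["opts"] or "")
    return pkts

def syn_with_nonzero_ecr(pkts):
    """RFC 7323: TSecr is only valid when ACK is set, so an initial SYN must
    carry ecr 0. Returns (src, tsecr) for each SYN that violates this."""
    return [(p["src"], p["opts"]["tsecr"]) for p in pkts
            if p["flags"] == "S" and p["opts"].get("tsecr", 0) != 0]

def synack_mismatch(pkts, mss, wscale, sack_perm):
    """Compare the backend's SYN-ACK options with the --mss/--wscale/--sack-perm
    values given to -j SYNPROXY; returns (option, seen, configured) mismatches."""
    want = {"mss": mss, "wscale": wscale, "sack": sack_perm}
    issues = []
    for p in (p for p in pkts if p["flags"] == "S."):
        got = {"sack": False, **p["opts"]}
        issues += [(k, got.get(k), v) for k, v in want.items() if got.get(k) != v]
    return issues
```

Run it on a capture taken with `tcpdump -S` so sequence and ack numbers are absolute; an empty list from both checks means the proxy's forwarded SYN and the server's reply are consistent with the rule.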
